diff options
Diffstat (limited to 'docs/htmldocs')
371 files changed, 62300 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/2000users.html b/docs/htmldocs/Samba3-ByExample/2000users.html new file mode 100644 index 0000000000..0615582d53 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/2000users.html @@ -0,0 +1,1000 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. A Distributed 2000-User Network</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="happy.html" title="Chapter 5. Making Happy Users"><link rel="next" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. A Distributed 2000-User Network</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="2000users"></a>Chapter 6. A Distributed 2000-User Network</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="2000users.html#id355265">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id355290">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id355347">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id355593">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id356417">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id356432">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id359591">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id359730">Questions and Answers</a></span></dt></dl></div><p> +There is something indeed mystical about things that are +big. Large networks exhibit a certain magnetism and exude a sense of +importance that obscures reality. You and I know that it is no more +difficult to secure a large network than it is a small one. We all +know that over and above a particular number of network clients, the +rules no longer change; the only real dynamic is the size of the domain +(much like a kingdom) over which the network ruler (oops, administrator) +has control. The real dynamic then transforms from the technical to the +political. Then again, that point is often reached well before the +kingdom (or queendom) grows large. +</p><p> +If you have systematically worked your way to this chapter, hopefully you +have found some gems and techniques that are applicable in your +world. The network designs you have worked with in this book have their +strong points as well as weak ones. That is to be expected given that +they are based on real business environments, the specifics of which are +molded to serve the purposes of this book. +</p><p> +This chapter is intent on wrapping up issues that are central to +implementation and design of progressively larger networks. Are you ready +for this chapter? Good, it is time to move on. +</p><p> +In previous chapters, you made the assumption that your network +administration staff need detailed instruction right down to the +nuts and bolts of implementing the solution. That is still the case, +but they have graduated now. You decide to document only those issues, +methods, and techniques that are new or complex. Routine tasks such as +implementing a DNS or a DHCP server are under control. Even the basics of +Samba are largely under control. So in this section you focus on the +specifics of implementing LDAP changes, Samba changes, and approach and +design of the solution and its deployment. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id355265"></a>Introduction</h2></div></div></div><p> +Abmas is a miracle company. Most businesses would have collapsed under +the weight of rapid expansion that this company has experienced. Samba +is flexible, so there is no need to reinstall the whole operating +system just because you need to implement a new network design. In fact, +you can keep an old server running right up to the moment of cutover +and then do a near-live conversion. There is no need to reinstall a +Samba server just to change the way your network should function. +</p><p> +<a class="indexterm" name="id355280"></a> +Network growth is common to all organizations. In this exercise, +your preoccupation is with the mechanics of implementing Samba and +LDAP so that network users on each network segment can work +without impediment. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355290"></a>Assignment Tasks</h3></div></div></div><p> + Starting with the configuration files for the server called + <code class="constant">MASSIVE</code> in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you now deal with the + issues that are particular to large distributed networks. Your task + is simple identify the challenges, consider the + alternatives, and then design and implement a solution. + </p><p> + <a class="indexterm" name="id355315"></a> + Remember, you have users based in London (UK), Los Angeles, + Washington. DC, and, three buildings in New York. A significant portion + of your workforce have notebook computers and roam all over the + world. Some dial into the office, others use VPN connections over the + Internet, and others just move between buildings.i + </p><p> + What do you say to an employee who normally uses a desktop + system but must spend six weeks on the road with a notebook computer? + She is concerned about email access and how to keep coworkers current + with changing documents. + </p><p> + To top it all off, you have one network support person and one + help desk person based in London, a single person dedicated to all + network operations in Los Angeles, five staff for user administration + and help desk in New York, plus one <span class="emphasis"><em>floater</em></span> for + Washington. + </p><p> + You have outsourced all desktop deployment and management to + DirectPointe. Your concern is server maintenance and third-level + support. Build a plan and show what must be done. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id355347"></a>Dissection and Discussion</h2></div></div></div><p> +<a class="indexterm" name="id355354"></a> +<a class="indexterm" name="id355361"></a> +In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you implemented an LDAP server that provided the +<em class="parameter"><code>passdb backend</code></em> for the Samba servers. You +explored ways to accelerate Windows desktop profile handling and you +took control of network performance. +</p><p> +<a class="indexterm" name="id355384"></a> +<a class="indexterm" name="id355391"></a> +<a class="indexterm" name="id355398"></a> +<a class="indexterm" name="id355405"></a> +The implementation of an LDAP-based passdb backend (known as +<span class="emphasis"><em>ldapsam</em></span> in Samba parlance), or some form of database +that can be distributed, is essential to permit the deployment of Samba +Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem +is that the <span class="emphasis"><em>tdbsam</em></span>-style passdb backend does not +lend itself to being replicated. The older plain-text-based +<span class="emphasis"><em>smbpasswd</em></span>-style passdb backend can be replicated +using a tool such as <code class="literal">rsync</code>, but +<span class="emphasis"><em>smbpasswd</em></span> suffers the drawback that it does not +support the range of account facilities demanded by modern network +managers. +</p><p> +<a class="indexterm" name="id355440"></a> +<a class="indexterm" name="id355446"></a> +The new <span class="emphasis"><em>tdbsam</em></span> facility supports functionality +that is similar to an <span class="emphasis"><em>ldapsam</em></span>, but the lack of +distributed infrastructure sorely limits the scope for its +deployment. This raises the following questions: Why can't I just use +an XML-based backend, or for that matter, why not use an SQL-based +backend? Is support for these tools broken? Answers to these +questions require a bit of background.</p><p> +<a class="indexterm" name="id355467"></a> +<a class="indexterm" name="id355474"></a> +<a class="indexterm" name="id355480"></a> +<a class="indexterm" name="id355487"></a> +<span class="emphasis"><em>What is a directory?</em></span> A directory is a +collection of information regarding objects that can be accessed to +rapidly find information that is relevant in a particular and +consistent manner. A directory differs from a database in that it is +generally more often searched (read) than updated. As a consequence, the +information is organized to facilitate read access rather than to +support transaction processing.</p><p> +<a class="indexterm" name="id355504"></a> +<a class="indexterm" name="id355513"></a> +<a class="indexterm" name="id355520"></a> +<a class="indexterm" name="id355527"></a> +The Lightweight Directory Access Protocol (LDAP) differs +considerably from a traditional database. It has a simple search +facility that uniquely makes a highly preferred mechanism for managing +user identities. LDAP provides a scalable mechanism for distributing +the data repository and for keeping all copies (slaves) in sync with +the master repository.</p><p> +<a class="indexterm" name="id355540"></a> +<a class="indexterm" name="id355547"></a> +<a class="indexterm" name="id355554"></a> +Samba is a flexible and powerful file and print sharing +technology. It can use many external authentication sources and can be +part of a total authentication and identity management +infrastructure. The two most important external sources for large sites +are Microsoft Active Directory and LDAP. Sites that specifically wish to +avoid the proprietary implications of Microsoft Active Directory +naturally gravitate toward OpenLDAP.</p><p> +<a class="indexterm" name="id355567"></a> +In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you had to deal with a locally routed +network. All deployment concerns focused around making users happy, +and that simply means taking control over all network practices and +usage so that no one user is disadvantaged by any other. The real +lesson is one of understanding that no matter how much network +bandwidth you provide, bandwidth remains a precious resource.</p><p>In this chapter, you must now consider how the overall network must +function. In particular, you must be concerned with users who move +between offices. You must take into account the way users need to +access information globally. And you must make the network robust +enough so that it can sustain partial breakdown without causing loss of +productivity.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355593"></a>Technical Issues</h3></div></div></div><p> + There are at least three areas that need to be addressed as you + approach the challenge of designing a network solution for the newly + expanded business: + </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id355607"></a> + User needs such as mobility and data access</p></li><li><p>The nature of Windows networking protocols</p></li><li><p>Identity management infrastructure needs</p></li></ul></div><p>Let's look at each in turn.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id355630"></a>User Needs</h4></div></div></div><p> + The new company has three divisions. Staff for each division are spread across + the company. Some staff are office-bound and some are mobile users. Mobile + users travel globally. Some spend considerable periods working in other offices. + Everyone wants to be able to work without constraint of productivity. + </p><p> + The challenge is not insignificant. In some parts of the world, even dial-up + connectivity is poor, while in other regions political encumbrances severely + curtail user needs. Parts of the global Internet infrastructure remain shielded + off for reasons outside the scope of this discussion. + </p><p> + <a class="indexterm" name="id355649"></a> + Decisions must be made regarding where data is to be stored, how it will be + replicated (if at all), and what the network bandwidth implications are. For + example, one decision that can be made is to give each office its own master + file storage area that can be synchronized to a central repository in New + York. This would permit global data to be backed up from a single location. + The synchronization tool could be <code class="literal">rsync,</code> run via a cron + job. Mobile users may use off-line file storage under Windows XP Professional. + This way, they can synchronize all files that have changed since each logon + to the network. + </p><p> + <a class="indexterm" name="id355670"></a> + <a class="indexterm" name="id355680"></a> + No matter which way you look at this, the bandwidth requirements + for acceptable performance are substantial even if only 10 percent of + staff are global data users. A company with 3,500 employees, + 280 of whom are mobile users who use a similarly distributed + network, found they needed at least 2 Mb/sec connectivity + between the UK and US offices. Even over 2 Mb/sec bandwidth, this + company abandoned any attempt to run roaming profile usage for + mobile users. At that time, the average roaming profile took 480 + KB, while today the minimum Windows XP Professional roaming + profile involves a transfer of over 750 KB from the profile + server to and from the client. + </p><p> + <a class="indexterm" name="id355695"></a> + Obviously then, user needs and wide-area practicalities dictate the economic and + technical aspects of your network design as well as for standard operating procedures. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id355706"></a>The Nature of Windows Networking Protocols</h4></div></div></div><p> + <a class="indexterm" name="id355714"></a> + Network logons that include roaming profile handling requires from 140 KB to 2 MB. + The inclusion of support for a minimal set of common desktop applications can push + the size of a complete profile to over 15 MB. This has substantial implications + for location of user profiles. Additionally, it is a significant factor in + determining the nature and style of mandatory profiles that may be enforced as + part of a total service-level assurance program that might be implemented. + </p><p> + <a class="indexterm" name="id355730"></a> + <a class="indexterm" name="id355737"></a> + One way to reduce the network bandwidth impact of user logon + traffic is through folder redirection. In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you + implemented this in the new Windows XP Professional standard + desktop configuration. When desktop folders such as <span class="guimenu">My + Documents</span> are redirected to a network drive, they should + also be excluded from synchronization to and from the server on + logon or logout. Redirected folders are analogous to network drive + connections. + </p><p><a class="indexterm" name="id355761"></a> + Of course, network applications should only be run off + local application servers. As a general rule, even with 2 Mb/sec + network bandwidth, it would not make sense at all for someone who + is working out of the London office to run applications off a + server that is located in New York. + </p><p> + <a class="indexterm" name="id355774"></a> + When network bandwidth becomes a precious commodity (that is most + of the time), there is a significant demand to understand network + processes and to mold the limits of acceptability around the + constraints of affordability. + </p><p> + When a Windows NT4/200x/XP Professional client user logs onto + the network, several important things must happen. + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id355793"></a> + The client obtains an IP address via DHCP. (DHCP is + necessary so that users can roam between offices.) + </p></li><li><p> + <a class="indexterm" name="id355805"></a> + <a class="indexterm" name="id355812"></a> + The client must register itself with the WINS and/or DNS server. + </p></li><li><p> + <a class="indexterm" name="id355824"></a> + The client must locate the closest domain controller. + </p></li><li><p> + The client must log onto a domain controller and obtain as part of + that process the location of the user's profile, load it, connect to + redirected folders, and establish all network drive and printer connections. + </p></li><li><p> + The domain controller must be able to resolve the user's + credentials before the logon process is fully implemented. + </p></li></ul></div><p> + Given that this book is about Samba and that it implements the Windows + NT4-style domain semantics, it makes little sense to compare Samba with + Microsoft Active Directory insofar as the logon protocols and principles + of operation are concerned. The following information pertains exclusively + to the interaction between a Windows XP Professional workstation and a + Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS. + </p><p> + As soon as the Windows workstation starts up, it obtains an + IP address. This is immediately followed by registration of its + name both by broadcast and Unicast registration that is directed + at the WINS server. + </p><p> + <a class="indexterm" name="id355862"></a> + <a class="indexterm" name="id355868"></a><a class="indexterm" name="id355878"></a> + Given that the client is already a domain member, it then sends + a directed (Unicast) request to the WINS server seeking the list of + IP addresses for domain controllers (NetBIOS name type 0x1C). The + WINS server replies with the information requested.</p><p> + <a class="indexterm" name="id355890"></a> + <a class="indexterm" name="id355899"></a> + <a class="indexterm" name="id355906"></a> + The client sends two netlogon mailslot broadcast requests + to the local network and to each of the IP addresses returned by + the WINS server. Whichever answers this request first appears to + be the machine that the Windows XP client attempts to use to + process the network logon. The mailslot messages use UDP broadcast + to the local network and UDP Unicast directed at each machine that + was listed in the WINS server response to a request for the list of + domain controllers. + </p><p> + <a class="indexterm" name="id355920"></a> + <a class="indexterm" name="id355929"></a> + <a class="indexterm" name="id355936"></a> + The logon process begins with negotiation of the SMB/CIFS + protocols that are to be used; this is followed by an exchange of + information that ultimately includes the client sending the + credentials with which the user is attempting to logon. The logon + server must now approve the further establishment of the + connection, but that is a good point to halt for now. The priority + here must center around identification of network infrastructure + needs. A secondary fact we need to know is, what happens when + local domain controllers fail or break? + </p><p> + <a class="indexterm" name="id355951"></a> + <a class="indexterm" name="id355958"></a> + <a class="indexterm" name="id355964"></a> + <a class="indexterm" name="id355971"></a> + Under most circumstances, the nearest domain controller + responds to the netlogon mailslot broadcast. The exception to this + norm occurs when the nearest domain controller is too busy or is out + of service. Herein lies an important fact. This means it is + important that every network segment should have at least two + domain controllers. Since there can be only one PDC, all additional + domain controllers are by definition BDCs. + </p><p> + <a class="indexterm" name="id355984"></a> + <a class="indexterm" name="id355991"></a> + The provision of sufficient servers that are BDCs is an + important design factor. The second important design factor + involves how each of the BDCs obtains user authentication + data. That is the subject of the next section, which involves key + decisions regarding Identity Management facilities. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id356003"></a>Identity Management Needs</h4></div></div></div><p> + <a class="indexterm" name="id356011"></a> + <a class="indexterm" name="id356017"></a> + <a class="indexterm" name="id356024"></a> + <a class="indexterm" name="id356031"></a> + Network managers recognize that in large organizations users + generally need to be given resource access based on needs, while + being excluded from other resources for reasons of privacy. It is + therefore essential that all users identify themselves at the + point of network access. The network logon is the principal means + by which user credentials are validated and filtered and appropriate + rights and privileges are allocated. + </p><p> + <a class="indexterm" name="id356045"></a> + <a class="indexterm" name="id356052"></a> + <a class="indexterm" name="id356058"></a> + Unfortunately, network resources tend to have their own Identity + Management facilities, the quality and manageability of which varies + from quite poor to exceptionally good. Corporations that use a mixture + of systems soon discover that until recently, few systems were + designed to interoperate. For example, UNIX systems each have an + independent user database. Sun Microsystems developed a facility that + was originally called <code class="constant">Yellow Pages</code>, and was renamed + when a telephone company objected to the use of its trademark. + What was once called <code class="constant">Yellow Pages</code> is today known + as <code class="constant">Network Information System</code> (NIS). + </p><p> + <a class="indexterm" name="id356084"></a> + NIS gained a strong following throughout the UNIX/VMS space in a short + period of time and retained that appeal and use for over a decade. + Security concerns and inherent limitations have caused it to enter its + twilight. NIS did not gain widespread appeal outside of the UNIX world + and was not universally adopted. Sun updated this to a more secure + implementation called NIS+, but even it has fallen victim to changing + demands as the demand for directory services that can be coupled with + other information systems is catching on. + </p><p> + <a class="indexterm" name="id356103"></a> + <a class="indexterm" name="id356110"></a> + <a class="indexterm" name="id356116"></a> + Nevertheless, both NIS and NIS+ continue to hold ground in + business areas where UNIX still has major sway. Examples of + organizations that remain firmly attached to the use of NIS and + NIS+ include large government departments, education institutions, + and large corporations that have a scientific or engineering + focus. + </p><p> + <a class="indexterm" name="id356129"></a> + <a class="indexterm" name="id356136"></a> + Today's networking world needs a scalable, distributed Identity + Management infrastructure, commonly called a directory. The most + popular technologies today are Microsoft Active Directory service + and a number of LDAP implementations. + </p><p> + <a class="indexterm" name="id356148"></a> + The problem of managing multiple directories has become a focal + point over the past decade, creating a large market for + metadirectory products and services that allow organizations that + have multiple directories and multiple management and control + centers to provision information from one directory into + another. The attendant benefit to end users is the promise of + having to remember and deal with fewer login identities and + passwords.</p><p> + <a class="indexterm" name="id356162"></a> + The challenge of every large network is to find the optimum + balance of internal systems and facilities for Identity + Management resources. How well the solution is chosen and + implemented has potentially significant impact on network bandwidth + and systems response needs.</p><p> + <a class="indexterm" name="id356177"></a> + <a class="indexterm" name="id356184"></a> + <a class="indexterm" name="id356193"></a> + In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you implemented a single LDAP server for the + entire network. This may work for smaller networks, but almost + certainly fails to meet the needs of large and complex networks. The + following section documents how you may implement a single + master LDAP server with multiple slave servers.</p><p> + What is the best method for implementing master/slave LDAP + servers within the context of a distributed 2,000-user network is a + question that remains to be answered.</p><p> + <a class="indexterm" name="id356218"></a> + <a class="indexterm" name="id356225"></a> + One possibility that has great appeal is to create a single, + large distributed domain. The practical implications of this + design (see <a href="2000users.html#chap7net" title="Figure 6.6. Network Topology 2000 User Complex Design A">???</a>) demands the placement of + sufficient BDCs in each location. Additionally, network + administrators must make sure that profiles are not transferred + over the wide-area links, except as a totally unavoidable + measure. Network design must balance the risk of loss of user + productivity against the cost of network management and + maintenance. + </p><p> + <a class="indexterm" name="id356246"></a> + The network design in <a href="2000users.html#chap7net2" title="Figure 6.7. Network Topology 2000 User Complex Design B">???</a> takes the approach + that management of networks that are too remote to be managed + effectively from New York ought to be given a certain degree of + autonomy. With this rationale, the Los Angeles and London networks, + though fully integrated with those on the East Coast, each have their + own domain name space and can be independently managed and controlled. + One of the key drawbacks of this design is that it flies in the face of + the ability for network users to roam globally without some compromise + in how they may access global resources. + </p><p> + <a class="indexterm" name="id356271"></a> + Desk-bound users need not be negatively affected by this design, since + the use of interdomain trusts can be used to satisfy the need for global + data sharing. + </p><p> + <a class="indexterm" name="id356282"></a> + <a class="indexterm" name="id356289"></a> + <a class="indexterm" name="id356298"></a> + When Samba-3 is configured to use an LDAP backend, it stores the domain + account information in a directory entry. This account entry contains the + domain SID. An unintended but exploitable side effect is that this makes it + possible to operate with more than one PDC on a distributed network. + </p><p> + <a class="indexterm" name="id356311"></a> + <a class="indexterm" name="id356318"></a> + <a class="indexterm" name="id356324"></a> + How might this peculiar feature be exploited? The answer is simple. It is + imperative that each network segment have its own WINS server. Major + servers on remote network segments can be given a static WINS entry in + the <code class="filename">wins.dat</code> file on each WINS server. This allows + all essential data to be visible from all locations. Each location would, + however, function as if it is an independent domain, while all sharing the + same domain SID. Since all domain account information can be stored in a + single LDAP backend, users have unfettered ability to roam. + </p><p> + <a class="indexterm" name="id356345"></a> + <a class="indexterm" name="id356354"></a> + This concept has not been exhaustively validated, though we can see no reason + why this should not work. The important facets are the following: The name of + the domain must be identical in all locations. Each network segment must have + its own WINS server. The name of the PDC must be the same in all locations; this + necessitates the use of NetBIOS name aliases for each PDC so that they can be + accessed globally using the alias and not the PDC's primary name. A single master + LDAP server can be based in New York, with multiple LDAP slave servers located + on every network segment. Finally, the BDCs should each use failover LDAP servers + that are in fact slave LDAP servers on the local segments. + </p><p> + <a class="indexterm" name="id356370"></a> + <a class="indexterm" name="id356379"></a> + <a class="indexterm" name="id356386"></a> + <a class="indexterm" name="id356395"></a> + With a single master LDAP server, all network updates are effected on a single + server. In the event that this should become excessively fragile or network + bandwidth limiting, one could implement a delegated LDAP domain. This is also + known as a partitioned (or multiple partition) LDAP database and as a distributed + LDAP directory. + </p><p> + As the LDAP directory grows, it becomes increasingly important + that its structure is implemented in a manner that mirrors + organizational needs, so as to limit network update and + referential traffic. It should be noted that all directory + administrators must of necessity follow the same standard + procedures for managing the directory, because retroactive correction of + inconsistent directory information can be exceedingly difficult. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id356417"></a>Political Issues</h3></div></div></div><p> + As organizations grow, the number of points of control increases + also. In a large distributed organization, it is important that the + Identity Management system be capable of being updated from + many locations, and it is equally important that changes made should + become usable in a reasonable period, typically + minutes rather than days (the old limitation of highly manual + systems). + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id356432"></a>Implementation</h2></div></div></div><p> + <a class="indexterm" name="id356439"></a> + <a class="indexterm" name="id356446"></a> + <a class="indexterm" name="id356453"></a> + <a class="indexterm" name="id356460"></a> + Samba-3 has the ability to use multiple password (authentication and + identity resolution) backends. The diagram in <a href="2000users.html#chap7idres" title="Figure 6.1. Samba and Authentication Backend Search Pathways">???</a> + demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system + password database. The diagram only documents the mechanisms for + authentication and identity resolution (obtaining a UNIX UID/GID) + using the specific systems shown. + </p><div class="figure"><a name="chap7idres"></a><p class="title"><b>Figure 6.1. Samba and Authentication Backend Search Pathways</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-idresol.png" width="297" alt="Samba and Authentication Backend Search Pathways"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id356519"></a> + <a class="indexterm" name="id356526"></a> + <a class="indexterm" name="id356532"></a> + <a class="indexterm" name="id356539"></a> + <a class="indexterm" name="id356546"></a> + <a class="indexterm" name="id356553"></a> + <a class="indexterm" name="id356560"></a> + Samba is capable of using the <code class="constant">smbpasswd</code>, + <code class="constant">tdbsam</code>, <code class="constant">xmlsam</code>, + and <code class="constant">mysqlsam</code> authentication databases. The SMB + passwords can, of course, also be stored in an LDAP ldapsam + backend. LDAP is the preferred passdb backend for distributed network + operations. + </p><p> + <a class="indexterm" name="id356586"></a> + Additionally, it is possible to use multiple passdb backends + concurrently as well as have multiple LDAP backends. As a result, you + can specify a failover LDAP backend. The syntax for specifying a + single LDAP backend in <code class="filename">smb.conf</code> is: +</p><pre class="screen"> +... +passdb backend = ldapsam:ldap://master.abmas.biz +... +</pre><p> + This configuration tells Samba to use a single LDAP server, as shown in <a href="2000users.html#ch7singleLDAP" title="Figure 6.2. Samba Configuration to Use a Single LDAP Server">???</a>. + </p><div class="figure"><a name="ch7singleLDAP"></a><p class="title"><b>Figure 6.2. Samba Configuration to Use a Single LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-singleLDAP.png" width="351" alt="Samba Configuration to Use a Single LDAP Server"></div></div></div><p><br class="figure-break"> + <a class="indexterm" name="id356654"></a> + <a class="indexterm" name="id356663"></a> + The addition of a failover LDAP server can simply be done by adding a + second entry for the failover server to the single <em class="parameter"><code>ldapsam</code></em> + entry, as shown here (note the particular use of the double quotes): +</p><pre class="screen"> +... +passdb backend = ldapsam:"ldap://master.abmas.biz \ + ldap://slave.abmas.biz" +... +</pre><p> + This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary, + as shown in <a href="2000users.html#ch7dualLDAP" title="Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server">???</a>. + </p><div class="figure"><a name="ch7dualLDAP"></a><p class="title"><b>Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-fail-overLDAP.png" width="351" alt="Samba Configuration to Use a Dual (Fail-over) LDAP Server"></div></div></div><p><br class="figure-break"> + </p><p> + Some folks have tried to implement this without the use of double quotes. This is the type of entry they + created: +</p><pre class="screen"> +... +passdb backend = ldapsam:ldap://master.abmas.biz \ + ldapsam:ldap://slave.abmas.biz +... +</pre><p> + <a class="indexterm" name="id356743"></a> + The effect of this style of entry is that Samba lists the users + that are in both LDAP databases. If both contain the same information, + it results in each record being shown twice. This is, of course, not the + solution desired for a failover implementation. The net effect of this + configuration is shown in <a href="2000users.html#ch7dualadd" title="Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!">???</a> + </p><div class="figure"><a name="ch7dualadd"></a><p class="title"><b>Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP.png" width="297" alt="Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!"></div></div></div><br class="figure-break"><p> + If, however, each LDAP database contains unique information, this may + well be an advantageous way to effectively integrate multiple LDAP databases + into one seemingly contiguous directory. Only the first database will be updated. + An example of this configuration is shown in <a href="2000users.html#ch7dualok" title="Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.">???</a>. + </p><div class="figure"><a name="ch7dualok"></a><p class="title"><b>Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP-Ok.png" width="297" alt="Samba Configuration to Use Two LDAP Databases - The result is additive."></div></div></div><br class="figure-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + When the use of ldapsam is specified twice, as shown here, it is imperative + that the two LDAP directories must be disjoint. If the entries are for a + master LDAP server as well as its own slave server, updates to the LDAP + database may end up being lost or corrupted. You may safely use multiple + LDAP backends only if both are entirely separate from each other. + </p></div><p> + It is assumed that the network you are working with follows in a + pattern similar to what was covered in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>. The following steps + permit the operation of a master/slave OpenLDAP arrangement. + </p><div class="procedure"><a name="id356873"></a><p class="title"><b>Procedure 6.1. Implementation Steps for an LDAP Slave Server</b></p><ol type="1"><li><p> + <a class="indexterm" name="id356884"></a> + <a class="indexterm" name="id356891"></a> + Log onto the master LDAP server as <code class="constant">root</code>. + You are about to change the configuration of the LDAP server, so it + makes sense to temporarily halt it. Stop OpenLDAP from running on + SUSE Linux by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap stop +</pre><p> + On Red Hat Linux, you can do this by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> service ldap stop +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id356933"></a> + Edit the <code class="filename">/etc/openldap/slapd.conf</code> file so it + matches the content of <a href="2000users.html#ch7-LDAP-master" title="Example 6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf">???</a>. + </p></li><li><p> + Create a file called <code class="filename">admin-accts.ldif</code> with the following contents: +</p><pre class="screen"> +dn: cn=updateuser,dc=abmas,dc=biz +objectClass: person +cn: updateuser +sn: updateuser +userPassword: not24get + +dn: cn=sambaadmin,dc=abmas,dc=biz +objectClass: person +cn: sambaadmin +sn: sambaadmin +userPassword: buttercup +</pre><p> + </p></li><li><p> + Add an account called “<span class="quote">updateuser</span>” to the master LDAP server as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> slapadd -v -l admin-accts.ldif +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id357002"></a> + <a class="indexterm" name="id357009"></a> + Change directory to a suitable place to dump the contents of the + LDAP server. The dump file (and LDIF file) is used to preload + the slave LDAP server database. You can dump the database by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat -v -l LDAP-transfer-LDIF.txt +</pre><p> + Each record is written to the file. + </p></li><li><p> + <a class="indexterm" name="id357039"></a> + Copy the file <code class="filename">LDAP-transfer-LDIF.txt</code> to the intended + slave LDAP server. A good location could be in the directory + <code class="filename">/etc/openldap/preload</code>. + </p></li><li><p> + Log onto the slave LDAP server as <code class="constant">root</code>. You can + now configure this server so the <code class="filename">/etc/openldap/slapd.conf</code> + file matches the content of <a href="2000users.html#ch7-LDAP-slave" title="Example 6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf">???</a>. + </p></li><li><p> + Change directory to the location in which you stored the + <code class="filename">LDAP-transfer-LDIF.txt</code> file (<code class="filename">/etc/openldap/preload</code>). + While in this directory, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> slapadd -v -l LDAP-transfer-LDIF.txt +</pre><p> + If all goes well, the following output confirms that the data is being loaded + as intended: +</p><pre class="screen"> +added: "dc=abmas,dc=biz" (00000001) +added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002) +added: "cn=updateuser,dc=abmas,dc=biz" (00000003) +added: "ou=People,dc=abmas,dc=biz" (00000004) +added: "ou=Groups,dc=abmas,dc=biz" (00000005) +added: "ou=Computers,dc=abmas,dc=biz" (00000006) +added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007) +added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008) +added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009) +added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a) +added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b) +added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c) +added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d) +added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e) +added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f) +added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010) +added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011) +added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012) +added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013) +</pre><p> + </p></li><li><p> + Now start the LDAP server and set it to run automatically on system reboot by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +<code class="prompt">root# </code> chkconfig ldap on +</pre><p> + On Red Hat Linux, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> service ldap start +<code class="prompt">root# </code> chkconfig ldap on +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id357178"></a> + <a class="indexterm" name="id357184"></a> + <a class="indexterm" name="id357191"></a> + Go back to the master LDAP server. Execute the following to start LDAP as well + as <code class="literal">slurpd</code>, the synchronization daemon, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +<code class="prompt">root# </code> chkconfig ldap on +<code class="prompt">root# </code> rcslurpd start +<code class="prompt">root# </code> chkconfig slurpd on +</pre><p> + <a class="indexterm" name="id357235"></a> + On Red Hat Linux, check the equivalent command to start <code class="literal">slurpd</code>. + </p></li><li><p> + <a class="indexterm" name="id357255"></a> + On the master LDAP server you may now add an account to validate that replication + is working. Assuming the configuration shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> /var/lib/samba/sbin/smbldap-useradd -a fruitloop +</pre><p> + </p></li><li><p> + On the slave LDAP server, change to the directory <code class="filename">/var/lib/ldap</code>. + There should now be a file called <code class="filename">replogfile</code>. If replication worked + as expected, the content of this file should be: +</p><pre class="screen"> +time: 1072486403 +dn: uid=fruitloop,ou=People,dc=abmas,dc=biz +changetype: modify +replace: sambaProfilePath +sambaProfilePath: \\MASSIVE\profiles\fruitloop +- +replace: sambaHomePath +sambaHomePath: \\MASSIVE\homes +- +replace: entryCSN +entryCSN: 2003122700:43:38Z#0x0005#0#0000 +- +replace: modifiersName +modifiersName: cn=Manager,dc=abmas,dc=biz +- +replace: modifyTimestamp +modifyTimestamp: 20031227004338Z +- +</pre><p> + </p></li><li><p> + Given that this first slave LDAP server is now working correctly, you may now + implement additional slave LDAP servers as required. + </p></li><li><p> + On each machine (PDC and BDCs) after the respective <code class="filename">smb.conf</code> files have been created as shown in + <a href="2000users.html#ch7-massmbconfA" title="Example 6.3. Primary Domain Controller smb.conf File Part A">Primary Domain Controller <code class="filename">smb.conf</code> File Part A + B + C</a> and + on BDCs the <a href="2000users.html#ch7-slvsmbocnfA" title="Example 6.6. Backup Domain Controller smb.conf File Part A">Backup Domain Controller <code class="filename">smb.conf</code> File Part A + + B + C</a> execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w buttercup +</pre><p> + This will install in the <code class="filename">secrets.tdb</code> file the password that Samba will need to + manage (write to) the LDAP Master server to perform account updates. + </p></li></ol></div><div class="example"><a name="ch7-LDAP-master"></a><p class="title"><b>Example 6.1. LDAP Master Server Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen"> +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +database bdb +suffix "dc=abmas,dc=biz" +rootdn "cn=Manager,dc=abmas,dc=biz" + +# rootpw = not24get +rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV + +replica host=lapdc.abmas.biz:389 + suffix="dc=abmas,dc=biz" + binddn="cn=updateuser,dc=abmas,dc=biz" + bindmethod=simple credentials=not24get + +access to attrs=sambaLMPassword,sambaNTPassword + by dn="cn=sambaadmin,dc=abmas,dc=biz" write + by * none + +replogfile /var/lib/ldap/replogfile + +directory /var/lib/ldap + +# Indices to maintain +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUID eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre></div></div><br class="example-break"><div class="example"><a name="ch7-LDAP-slave"></a><p class="title"><b>Example 6.2. LDAP Slave Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen"> +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +database bdb +suffix "dc=abmas,dc=biz" +rootdn "cn=Manager,dc=abmas,dc=biz" + +# rootpw = not24get +rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV + +access to * + by dn=cn=updateuser,dc=abmas,dc=biz write + by * read + +updatedn cn=updateuser,dc=abmas,dc=biz +updateref ldap://massive.abmas.biz + +directory /var/lib/ldap + +# Indices to maintain +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUID eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfA"></a><p class="title"><b>Example 6.3. Primary Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id357485"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id357497"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id357510"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id357522"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id357535"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id357548"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id357560"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id357573"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id357585"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id357598"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id357611"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id357623"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id357636"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id357649"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id357662"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id357674"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id357687"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id357701"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id357714"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id357727"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id357740"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id357753"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id357766"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id357778"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id357791"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id357803"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id357816"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id357828"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id357841"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id357854"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id357866"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id357879"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id357892"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id357904"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id357917"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id357930"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id357942"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id357955"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id357968"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfB"></a><p class="title"><b>Example 6.4. Primary Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id358013"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id358035"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id358047"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id358060"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id358081"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id358094"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id358106"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id358128"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id358141"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id358153"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id358175"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id358187"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id358200"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id358212"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id358234"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id358246"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id358259"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358272"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358284"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfC"></a><p class="title"><b>Example 6.5. Primary Domain Controller <code class="filename">smb.conf</code> File Part C</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id358330"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id358343"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id358355"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id358368"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id358389"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id358402"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id358414"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id358427"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358440"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id358461"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id358474"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id358486"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id358499"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id358520"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id358533"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id358546"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id358558"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id358580"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id358592"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id358605"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id358618"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfA"></a><p class="title"><b>Example 6.6. Backup Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># # Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id358667"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id358679"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id358692"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id358704"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id358717"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id358730"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id358742"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id358755"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id358768"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id358780"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id358793"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id358805"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id358818"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id358830"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id358843"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id358856"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id358868"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358881"></a><em class="parameter"><code>os level = 63</code></em></td></tr><tr><td><a class="indexterm" name="id358893"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id358906"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id358919"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id358931"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id358944"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id358957"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id358969"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id358982"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id358995"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id359007"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id359020"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id359033"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id359045"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id359067"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id359079"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id359092"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id359113"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id359126"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id359138"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfB"></a><p class="title"><b>Example 6.7. Backup Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id359184"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id359197"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id359210"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id359231"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id359244"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id359256"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id359269"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id359290"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id359303"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id359315"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id359328"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id359340"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id359362"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id359375"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id359387"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id359400"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id359421"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id359434"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id359446"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id359459"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id359480"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id359493"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id359506"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id359518"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id359540"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id359552"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id359565"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id359578"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id359591"></a>Key Points Learned</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id359602"></a><a class="indexterm" name="id359608"></a> + Where Samba-3 is used as a domain controller, the use of LDAP is an + essential component to permit the use of BDCs. + </p></li><li><p> + <a class="indexterm" name="id359620"></a> + Replication of the LDAP master server to create a network of BDCs + is an important mechanism for limiting WAN traffic. + </p></li><li><p> + Network administration presents many complex challenges, most of which + can be satisfied by good design but that also require sound communication + and unification of management practices. This can be highly challenging in + a large, globally distributed network. + </p></li><li><p> + Roaming profiles must be contained to the local network segment. Any + departure from this may clog wide-area arteries and slow legitimate network + traffic to a crawl. + </p></li></ul></div></div><div class="figure"><a name="chap7net"></a><p class="title"><b>Figure 6.6. Network Topology 2000 User Complex Design A</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net-Ar.png" width="432" alt="Network Topology 2000 User Complex Design A"></div></div></div><br class="figure-break"><div class="figure"><a name="chap7net2"></a><p class="title"><b>Figure 6.7. Network Topology 2000 User Complex Design B</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net2-Br.png" width="432" alt="Network Topology 2000 User Complex Design B"></div></div></div><br class="figure-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id359730"></a>Questions and Answers</h2></div></div></div><p> + There is much rumor and misinformation regarding the use of MS Windows networking protocols. + These questions are just a few of those frequently asked. + </p><div class="qandaset"><dl><dt> <a href="2000users.html#id359747"> + + + Is it true that DHCP uses lots of WAN bandwidth? + </a></dt><dt> <a href="2000users.html#id359868"> + + + How much background communication takes place between a master LDAP server and its slave LDAP servers? + </a></dt><dt> <a href="2000users.html#id359925"> + LDAP has a database. Is LDAP not just a fancy database front end? + </a></dt><dt> <a href="2000users.html#id359981"> + + Can Active Directory obtain account information from an OpenLDAP server? + </a></dt><dt> <a href="2000users.html#id360014"> + What are the parts of a roaming profile? How large is each part? + </a></dt><dt> <a href="2000users.html#id360155"> + Can the My Documents folder be stored on a network drive? + </a></dt><dt> <a href="2000users.html#id360199"> + + + + How much WAN bandwidth does WINS consume? + </a></dt><dt> <a href="2000users.html#id360276"> + How many BDCs should I have? What is the right number of Windows clients per server? + </a></dt><dt> <a href="2000users.html#id360304"> + + I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to + run an NIS server? + </a></dt><dt> <a href="2000users.html#id360334"> + Can I use NIS in place of LDAP? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id359747"></a><a name="id359749"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id359753"></a> + <a class="indexterm" name="id359760"></a> + Is it true that DHCP uses lots of WAN bandwidth? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id359776"></a> + <a class="indexterm" name="id359785"></a> + <a class="indexterm" name="id359792"></a> + It is a smart practice to localize DHCP servers on each network segment. As a + rule, there should be two DHCP servers per network segment. This means that if + one server fails, there is always another to service user needs. DHCP requests use + only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network + routers. This makes it possible to run fewer DHCP servers. + </p><p> + <a class="indexterm" name="id359808"></a> + <a class="indexterm" name="id359817"></a> + A DHCP network address request and confirmation usually results in about six UDP packets. + The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP + clients and that uses a 24-hour IP address lease. This means that all clients renew + their IP address lease every 24 hours. If we assume an average packet length equal to the + maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection, + how significant would the DHCP traffic be if all of it were to use DHCP Relay? + </p><p> + I must stress that this is a bad design, but here is the calculation: +</p><pre class="screen"> +Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte) + x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day. + +DHCP traffic: 300 (clients) x 6 (packets) + x 512 (bytes/packet) = 0.9 Mbytes/day. +</pre><p> + From this can be seen that the traffic impact would be minimal. + </p><p> + <a class="indexterm" name="id359847"></a> + <a class="indexterm" name="id359856"></a> + Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link, + the impact of the update is no more than the DHCP IP address renewal traffic and thus + still insignificant for most practical purposes. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id359868"></a><a name="id359870"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id359874"></a> + <a class="indexterm" name="id359881"></a> + How much background communication takes place between a master LDAP server and its slave LDAP servers? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id359900"></a> + The process that controls the replication of data from the master LDAP server to the slave LDAP + servers is called <code class="literal">slurpd</code>. The <code class="literal">slurpd</code> remains nascent (quiet) + until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete) + two user accounts requires less than 10KB traffic. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id359925"></a><a name="id359927"></a></td><td align="left" valign="top"><p> + LDAP has a database. Is LDAP not just a fancy database front end? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id359938"></a> + <a class="indexterm" name="id359945"></a> + <a class="indexterm" name="id359954"></a> + <a class="indexterm" name="id359961"></a> + LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific + data storage system. This type of database is indexed so that records can be rapidly located, but the + database is not generic and can be used only in particular pre-programmed ways. General external + applications do not gain access to the data. This type of database is used also by SQL servers. Both + an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional + orientation and typically allows external programs to perform ad hoc queries, even across data tables. + An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific + simple queries. The term <code class="constant">database</code> is heavily overloaded and thus much misunderstood. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id359981"></a><a name="id359983"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id359988"></a> + Can Active Directory obtain account information from an OpenLDAP server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id360002"></a> + No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP + database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface + to OpenLDAP using standard LDAP queries and updates. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360014"></a><a name="id360016"></a></td><td align="left" valign="top"><p> + What are the parts of a roaming profile? How large is each part? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id360026"></a> + A roaming profile consists of + </p><div class="itemizedlist"><ul type="disc"><li><p> + Desktop folders such as <code class="constant">Desktop</code>, <code class="constant">My Documents</code>, + <code class="constant">My Pictures</code>, <code class="constant">My Music</code>, <code class="constant">Internet Files</code>, + <code class="constant">Cookies</code>, <code class="constant">Application Data</code>, + <code class="constant">Local Settings,</code> and more. See <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, <a href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">???</a>. + </p><p> + <a class="indexterm" name="id360085"></a> + Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all + such folders can be redirected to network drive resources. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a> + for more information regarding folder redirection. + </p></li><li><p> + A static or rewritable portion that is typically only a few files (2-5 KB of information). + </p></li><li><p> + <a class="indexterm" name="id360109"></a> + <a class="indexterm" name="id360116"></a> + The registry load file that modifies the <code class="constant">HKEY_LOCAL_USER</code> hive. This is + the <code class="filename">NTUSER.DAT</code> file. It can be from 0.4 to 1.5 MB. + </p></li></ul></div><p> + <a class="indexterm" name="id360137"></a> + Microsoft Outlook PST files may be stored in the <code class="constant">Local Settings\Application Data</code> + folder. It can be up to 2 GB in size per PST file. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360155"></a><a name="id360157"></a></td><td align="left" valign="top"><p> + Can the <code class="constant">My Documents</code> folder be stored on a network drive? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id360172"></a> + <a class="indexterm" name="id360178"></a> + Yes. More correctly, such folders can be redirected to network shares. No specific network drive + connection is required. Registry settings permit this to be redirected directly to a UNC (Universal + Naming Convention) resource, though it is possible to specify a network drive letter instead of a + UNC name. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360199"></a><a name="id360202"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id360206"></a> + <a class="indexterm" name="id360213"></a> + <a class="indexterm" name="id360222"></a> + How much WAN bandwidth does WINS consume? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id360236"></a> + <a class="indexterm" name="id360245"></a> + <a class="indexterm" name="id360252"></a> + MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. + This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS + server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day, + was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total + of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links. + Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication + traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection + that aggregated the branch office connections plus an Internet connection. + </p><p> + In conclusion, the total load afforded through WINS traffic is again marginal to total operational + usage as it should be. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360276"></a><a name="id360278"></a></td><td align="left" valign="top"><p> + How many BDCs should I have? What is the right number of Windows clients per server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + It is recommended to have at least one BDC per network segment, including the segment served + by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the + load demand pattern of client usage. I have seen sites that function without problem with 200 + clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular + company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print + server; and an application server. While all three were BDCs, typically only the print server would + service network logon requests after the first 10 users had started to use the network. This was + a reflection of the service load placed on both the application server and the data server. + </p><p> + As unsatisfactory as the answer might sound, it all depends on network and server load + characteristics. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360304"></a><a name="id360306"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id360310"></a><a class="indexterm" name="id360315"></a> + I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to + run an NIS server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The correct answer to both questions is yes. But do understand that an LDAP server has + a configurable schema that can store far more information for many more purposes than + just NIS. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360334"></a><a name="id360337"></a></td><td align="left" valign="top"><p> + Can I use NIS in place of LDAP? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id360348"></a> + <a class="indexterm" name="id360354"></a> + No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal + with the types of data necessary for interoperability with Microsoft Windows networking. The use + of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also + a Samba-specific schema extension. + </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Making Happy Users </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Domain Members, Updating Samba and Migration</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/Big500users.html b/docs/htmldocs/Samba3-ByExample/Big500users.html new file mode 100644 index 0000000000..f65bb01d73 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/Big500users.html @@ -0,0 +1,1164 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. The 500-User Office</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="secure.html" title="Chapter 3. Secure Office Networking"><link rel="next" href="happy.html" title="Chapter 5. Making Happy Users"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. The 500-User Office</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="secure.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="happy.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Big500users"></a>Chapter 4. The 500-User Office</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Big500users.html#id338164">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id338194">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id338275">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id338303">Technical Issues</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id338479">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id338499">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#ch5-dnshcp-setup">Installation of DHCP, DNS, and Samba Control Files</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id339213">Server Preparation: All Servers</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id339728">Server-Specific Preparation</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id342792">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id342844">Questions and Answers</a></span></dt></dl></div><p> + The Samba-3 networking you explored in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a> covers the finer points of + configuration of peripheral services such as DHCP and DNS, and WINS. You experienced + implementation of a simple configuration of the services that are important adjuncts + to successful deployment of Samba. + </p><p> + An analysis of the history of postings to the Samba mailing list easily demonstrates + that the two most prevalent Samba problem areas are + </p><div class="itemizedlist"><ul type="disc"><li><p> + Defective resolution of a NetBIOS name to its IP address + </p></li><li><p> + Printing problems + </p></li></ul></div><p> + The exercises + so far in this book have focused on implementation of the simplest printing processes + involving no print job processing intelligence. In this chapter, you maintain + that same approach to printing, but <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> presents an opportunity + to make printing more complex for the administrator while making it easier for the user. + </p><p> + <a class="indexterm" name="id338110"></a> + <a class="indexterm" name="id338117"></a> + <a class="indexterm" name="id338124"></a> + <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a> demonstrates operation of a DHCP server and a DNS server + as well as a central WINS server. You validated the operation of these services and + saw an effective implementation of a Samba domain controller using the + <em class="parameter"><code>tdbsam</code></em> passdb backend. + </p><p> + The objective of this chapter is to introduce more complex techniques that can be used to + improve manageability of Samba as networking needs grow. In this chapter, you implement + a distributed DHCP server environment, a distributed DNS server arrangement, a centralized + WINS server, and a centralized Samba domain controller. + </p><p> + A note of caution is important regarding the Samba configuration that is used in this + chapter. The use of a single domain controller on a routed, multisegment network is + a poor design choice that leads to potential network user complaints. + This chapter demonstrates some successful + techniques in deployment and configuration management. This should be viewed as a + foundation chapter for complex Samba deployments. + </p><p> + As you master the techniques presented here, you may find much better methods to + improve network management and control while reducing human resource overheads. + You should take the opportunity to innovate and expand on the methods presented + here and explore them to the fullest. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338164"></a>Introduction</h2></div></div></div><p> + Business continues to go well for Abmas. Mr. Meany is driving your success and the + network continues to grow thanks to the hard work Christine has done. You recently + hired Stanley Soroka as manager of information systems. Christine recommended Stan + to the role. She told you Stan is so good at handling Samba that he can make a cast + iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You + need skills like his. Christine and Stan get along just fine. Let's see what + you can get out of this pair as they plot the next-generation networks. + </p><p> + Ten months ago Abmas closed an acquisition of a property insurance business. The + founder lost interest in the business and decided to sell it to Mr. Meany. Because + they were former university classmates, the purchase was concluded with mutual assent. + The acquired business is located at the other end of town in much larger facilities. + The old Abmas building has become too small. Located on the same campus as the newly + acquired business are two empty buildings that are ideal to provide Abmas with + opportunity for growth. + </p><p> + Abmas has now completed the purchase of the two empty buildings, and you are + to install a new network and relocate staff in nicely furnished new facilities. + The new network is to be used to fully integrate company operations. You have + decided to locate the new network operations control center in the larger building + in which the insurance group is located to take advantage of an ideal floor space + and to allow Stan and Christine to fully stage the new network and test it before + it is rolled out. Your strategy is to complete the new network so that it + is ready for operation when the old office moves into the new premises. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338194"></a>Assignment Tasks</h3></div></div></div><p> + The acquired business had 280 network users. The old Abmas building housed + 220 network users in unbelievably cramped conditions. The network that + initially served 130 users now handles 220 users quite well. + </p><p> + The two businesses will be fully merged to create a single campus company. + The Property Insurance Group (PIG) houses 300 employees, the new Accounting + Services Group (ASG) will be in a small building (BLDG1) that houses 50 + employees, and the Financial Services Group (FSG) will be housed in a large + building that has capacity for growth (BLDG2). Building 2 houses 150 network + users. + </p><p> + You have decided to connect the building using fiber optic links between new + routers. As a backup, the buildings are interconnected using line-of-sight + high-speed infrared facilities. The infrared connection provides a + secondary route to be used during periods of high demand for network + bandwidth. + </p><p> + The Internet gateway is upgraded to 15 Mb/sec service. Your ISP + provides on your premises a fully managed Cisco PIX firewall. You no longer need + to worry about firewall facilities on your network. + </p><p> + Stanley and Christine have purchased new server hardware. Christine wants to + roll out a network that has whistles and bells. Stan wants to start off with + a simple to manage, not-too-complex network. He believes that network + users need to be gradually introduced to new features and capabilities and not + rushed into an environment that may cause disorientation and loss of productivity. + </p><p> + Your intrepid network team has decided to implement a network configuration + that closely mirrors the successful system you installed in the old Abmas building. + The new network infrastructure is owned by Abmas, but all desktop systems + are being procured through a new out-source services and leasing company. Under + the terms of a deal with Mr. M. Proper (CEO), DirectPointe, Inc., provides + all desktop systems and includes full level-one help desk support for + a flat per-machine monthly fee. The deal allows you to add workstations on demand. + This frees Stan and Christine to deal with deeper issues as they emerge and + permits Stan to work on creating new future value-added services. + </p><p> + DirectPointe Inc. receives from you a new standard desktop configuration + every four months. They automatically roll that out to each desktop system. + You must keep DirectPointe informed of all changes. + </p><p><a class="indexterm" name="id338250"></a> + The new network has a single Samba Primary Domain Controller (PDC) located in the + Network Operation Center (NOC). Buildings 1 and 2 each have a local server + for local application servicing. It is a domain member. The new system + uses the <em class="parameter"><code>tdbsam</code></em> passdb backend. + </p><p> + Printing is based on raw pass-through facilities just as it has been used so far. + All printer drivers are installed on the desktop and notebook computers. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338275"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id338283"></a> + The example you are building in this chapter is of a network design that works, but this + does not make it a design that is recommended. As a general rule, there should be at least + one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind + this recommendation is that correct operation of MS Windows clients requires rapid + network response to all SMB/CIFS requests. The same rule says that if there are more than + 50 clients per domain controller, they are too busy to service requests. Let's put such + rules aside and recognize that network load affects the integrity of domain controller + responsiveness. This network will have 500 clients serviced by one central domain + controller. This is not a good omen for user satisfaction. You, of course, address this + very soon (see <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>). + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338303"></a>Technical Issues</h3></div></div></div><p> + Stan has talked you into a horrible compromise, but it is addressed. Just make + certain that the performance of this network is well validated before going live. + </p><p> + Design decisions made in this design include the following: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id338323"></a> + <a class="indexterm" name="id338329"></a> + <a class="indexterm" name="id338336"></a> + A single PDC is being implemented. This limitation is based on the choice not to + use LDAP. Many network administrators fear using LDAP because of the perceived + complexity of implementation and management of an LDAP-based backend for all user + identity management as well as to store network access credentials. + </p></li><li><p> + <a class="indexterm" name="id338350"></a> + <a class="indexterm" name="id338356"></a> + Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the + only choice that makes sense with 500 users is to use the tdbsam passwd backend. + This type of backend is not receptive to replication to BDCs. If the tdbsam + <code class="filename">passdb.tdb</code> file is replicated to BDCs using + <code class="literal">rsync</code>, there are two potential problems: (1) data that is in + memory but not yet written to disk will not be replicated, and (2) domain member + machines periodically change the secret machine password. When this happens, there + is no mechanism to return the changed password to the PDC. + </p></li><li><p> + All domain user, group, and machine accounts are managed on the PDC. This makes + for a simple mode of operation but has to be balanced with network performance and + integrity of operations considerations. + </p></li><li><p> + <a class="indexterm" name="id338390"></a> + A single central WINS server is being used. The PDC is also the WINS server. + Any attempt to operate a routed network without a WINS server while using NetBIOS + over TCP/IP protocols does not work unless on each client the name resolution + entries for the PDC are added to the <code class="filename">LMHOSTS</code>. This file is + normally located on the Windows XP Professional client in the + <code class="filename">C:\WINDOWS\SYSTEM32\ETC\DRIVERS</code> directory. + </p></li><li><p> + At this time the Samba WINS database cannot be replicated. That is + why a single WINS server is being implemented. This should work without a problem. + </p></li><li><p> + <a class="indexterm" name="id338422"></a> + BDCs make use of <code class="literal">winbindd</code> to provide + access to domain security credentials for file system access and object storage. + </p></li><li><p> + <a class="indexterm" name="id338440"></a> + <a class="indexterm" name="id338450"></a> + Configuration of Windows XP Professional clients is achieved using DHCP. Each + subnet has its own DHCP server. Backup DHCP serving is provided by one + alternate DHCP server. This necessitates enabling of the DHCP Relay agent on + all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the + network directed at the backup DHCP server. + </p></li><li><p> + All network users are granted the ability to print to any printer that is + network-attached. All printers are available from each server. Print jobs that + are spooled to a printer that is not on the local network segment are automatically + routed to the print spooler that is in control of that printer. The specific details + of how this might be done are demonstrated for one example only. + </p></li><li><p> + The network address and subnetmask chosen provide 1022 usable IP addresses in + each subnet. If in the future more addresses are required, it would make sense + to add further subnets rather than change addressing. + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338479"></a>Political Issues</h3></div></div></div><p> + This case gets close to the real world. You and I know the right way to implement + domain control. Politically, we have to navigate a minefield. In this case, the need is to + get the PDC rolled out in compliance with expectations and also to be ready to save the day + by having the real solution ready before it is needed. That real solution is presented in + <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338499"></a>Implementation</h2></div></div></div><p> + The following configuration process begins following installation of Red Hat Fedora Core2 on the + three servers shown in the network topology diagram in <a href="Big500users.html#chap05net" title="Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.">???</a>. You have + selected hardware that is appropriate to the task. + </p><div class="figure"><a name="chap05net"></a><p class="title"><b>Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap5-net.png" width="270" alt="Network Topology 500 User Network Using tdbsam passdb backend."></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch5-dnshcp-setup"></a>Installation of DHCP, DNS, and Samba Control Files</h3></div></div></div><p> + Carefully install the configuration files into the correct locations as shown in + <a href="Big500users.html#ch5-filelocations" title="Table 4.1. Domain: MEGANET, File Locations for Servers">???</a>. You should validate that the full file path is + correct as shown. + </p><p> + The abbreviation shown in this table as <code class="constant">{VLN}</code> refers to + the directory location beginning with <code class="filename">/var/lib/named</code>. + </p><div class="table"><a name="ch5-filelocations"></a><p class="title"><b>Table 4.1. Domain: <code class="constant">MEGANET</code>, File Locations for Servers</b></p><div class="table-contents"><table summary="Domain: MEGANET, File Locations for Servers" border="1"><colgroup><col align="left"><col align="left"><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th colspan="2" align="center">File Information</th><th colspan="3" align="center">Server Name</th></tr><tr><th align="center">Source</th><th align="center">Target Location</th><th align="center">MASSIVE</th><th align="center">BLDG1</th><th align="center">BLDG2</th></tr></thead><tbody><tr><td align="left"><a href="Big500users.html#ch5-massivesmb" title="Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf">???</a></td><td align="left"><code class="filename">/etc/samba/smb.conf</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#ch5-dc-common" title="Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf">???</a></td><td align="left"><code class="filename">/etc/samba/dc-common.conf</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#ch5-commonsmb" title="Example 4.3. Common Samba Configuration File: /etc/samba/common.conf">???</a></td><td align="left"><code class="filename">/etc/samba/common.conf</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#ch5-bldg1-smb" title="Example 4.4. Server: BLDG1 (Member), File: smb.conf">???</a></td><td align="left"><code class="filename">/etc/samba/smb.conf</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#ch5-bldg2-smb" title="Example 4.5. Server: BLDG2 (Member), File: smb.conf">???</a></td><td align="left"><code class="filename">/etc/samba/smb.conf</code></td><td align="center">No</td><td align="center">No</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#ch5-dommem-smb" title="Example 4.6. Common Domain Member Include File: dom-mem.conf">???</a></td><td align="left"><code class="filename">/etc/samba/dommem.conf</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#massive-dhcp" title="Example 4.7. Server: MASSIVE, File: dhcpd.conf">???</a></td><td align="left"><code class="filename">/etc/dhcpd.conf</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#bldg1dhcp" title="Example 4.8. Server: BLDG1, File: dhcpd.conf">???</a></td><td align="left"><code class="filename">/etc/dhcpd.conf</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#bldg2dhcp" title="Example 4.9. Server: BLDG2, File: dhcpd.conf">???</a></td><td align="left"><code class="filename">/etc/dhcpd.conf</code></td><td align="center">No</td><td align="center">No</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#massive-nameda" title="Example 4.10. Server: MASSIVE, File: named.conf, Part: A">???</a></td><td align="left"><code class="filename">/etc/named.conf (part A)</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#massive-namedb" title="Example 4.11. Server: MASSIVE, File: named.conf, Part: B">???</a></td><td align="left"><code class="filename">/etc/named.conf (part B)</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#massive-namedc" title="Example 4.12. Server: MASSIVE, File: named.conf, Part: C">???</a></td><td align="left"><code class="filename">/etc/named.conf (part C)</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#abmasbizdns" title="Example 4.13. Forward Zone File: abmas.biz.hosts">???</a></td><td align="left"><code class="filename">{VLN}/master/abmas.biz.hosts</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#abmasusdns" title="Example 4.14. Forward Zone File: abmas.biz.hosts">???</a></td><td align="left"><code class="filename">{VLN}/master/abmas.us.hosts</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#bldg12nameda" title="Example 4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A">???</a></td><td align="left"><code class="filename">/etc/named.conf (part A)</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#bldg12namedb" title="Example 4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B">???</a></td><td align="left"><code class="filename">/etc/named.conf (part B)</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a></td><td align="left"><code class="filename">{VLN}/localhost.zone</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a></td><td align="left"><code class="filename">{VLN}/127.0.0.zone</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a></td><td align="left"><code class="filename">{VLN}/root.hint</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id339213"></a>Server Preparation: All Servers</h3></div></div></div><p> + The following steps apply to all servers. Follow each step carefully. + </p><div class="procedure"><a name="id339223"></a><p class="title"><b>Procedure 4.1. Server Preparation Steps</b></p><ol type="1"><li><p> + Using the UNIX/Linux system tools, set the name of the server as shown in the network + topology diagram in <a href="Big500users.html#chap05net" title="Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.">???</a>. For SUSE Linux products, the tool + that permits this is called <code class="literal">yast2</code>; for Red Hat Linux products, + you can use the <code class="literal">netcfg</code> tool. + Verify that your hostname is correctly set by running: +</p><pre class="screen"> +<code class="prompt">root# </code> uname -n +</pre><p> + An alternate method to verify the hostname is: +</p><pre class="screen"> +<code class="prompt">root# </code> hostname -f +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id339284"></a> + <a class="indexterm" name="id339290"></a> + Edit your <code class="filename">/etc/hosts</code> file to include the primary names and addresses + of all network interfaces that are on the host server. This is necessary so that during + startup the system is able to resolve all its own names to the IP address prior to + startup of the DNS server. You should check the startup order of your system. If the + CUPS print server is started before the DNS server (<code class="literal">named</code>), you + should also include an entry for the printers in the <code class="filename">/etc/hosts</code> file. + </p></li><li><p> + <a class="indexterm" name="id339325"></a> + All DNS name resolution should be handled locally. To ensure that the server is configured + correctly to handle this, edit <code class="filename">/etc/resolv.conf</code> so it has the following + content: +</p><pre class="screen"> +search abmas.us abmas.biz +nameserver 127.0.0.1 +</pre><p> + This instructs the name resolver function (when configured correctly) to ask the DNS server + that is running locally to resolve names to addresses. + </p></li><li><p> + <a class="indexterm" name="id339354"></a> + <a class="indexterm" name="id339360"></a> + Add the <code class="constant">root</code> user to the password backend: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -a root +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +<code class="prompt">root# </code> +</pre><p> + The <code class="constant">root</code> account is the UNIX equivalent of the Windows domain administrator. + This account is essential in the regular maintenance of your Samba server. It must never be + deleted. If for any reason the account is deleted, you may not be able to recreate this account + without considerable trouble. + </p></li><li><p> + <a class="indexterm" name="id339402"></a> + <a class="indexterm" name="id339409"></a> + Create the username map file to permit the <code class="constant">root</code> account to be called + <code class="constant">Administrator</code> from the Windows network environment. To do this, create + the file <code class="filename">/etc/samba/smbusers</code> with the following contents: +</p><pre class="screen"> +#### +# User mapping file +#### +# File Format +# ----------- +# Unix_ID = Windows_ID +# +# Examples: +# root = Administrator +# janes = "Jane Smith" +# jimbo = Jim Bones +# +# Note: If the name contains a space it must be double quoted. +# In the example above the name 'jimbo' will be mapped to Windows +# user names 'Jim' and 'Bones' because the space was not quoted. +####################################################################### +root = Administrator +#### +# End of File +#### +</pre><p> + </p></li><li><p> + Configure all network-attached printers to have a fixed IP address. + </p></li><li><p> + Create an entry in the DNS database on the server <code class="constant">MASSIVE</code> + in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code> + and in the reverse lookup database for the network segment that the printer is + located in. Example configuration files for similar zones were presented in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>, + <a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a> and <a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a>. + </p></li><li><p> + Follow the instructions in the printer manufacturer's manuals to permit printing + to port 9100. Use any other port the manufacturer specifies for direct mode, + raw printing. This allows the CUPS spooler to print using raw mode protocols. + <a class="indexterm" name="id339489"></a> + <a class="indexterm" name="id339496"></a> + </p></li><li><p> + <a class="indexterm" name="id339509"></a> + Only on the server to which the printer is attached configure the CUPS Print + Queues as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em> -v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E +</pre><p> + <a class="indexterm" name="id339543"></a> + This step creates the necessary print queue to use no assigned print filter. This + is ideal for raw printing, that is, printing without use of filters. + The name <em class="parameter"><code>printque</code></em> is the name you have assigned for + the particular printer. + </p></li><li><p> + Print queues may not be enabled at creation. Make certain that the queues + you have just created are enabled by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em> +</pre><p> + </p></li><li><p> + Even though your print queue may be enabled, it is still possible that it + does not accept print jobs. A print queue services incoming printing + requests only when configured to do so. Ensure that your print queue is + set to accept incoming jobs by executing the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em> +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id339615"></a> + <a class="indexterm" name="id339622"></a> + <a class="indexterm" name="id339629"></a> + This step, as well as the next one, may be omitted where CUPS version 1.1.18 + or later is in use. Although it does no harm to follow it anyway, and may + help to avoid time spent later trying to figure out why print jobs may be + disappearing without a trace. Look at these two steps as <span class="emphasis"><em>insurance</em></span> + against lost time. Edit file <code class="filename">/etc/cups/mime.convs</code> to + uncomment the line: +</p><pre class="screen"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id339661"></a> + Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream +</pre><p> + </p></li><li><p> + Refer to the CUPS printing manual for instructions regarding how to configure + CUPS so that print queues that reside on CUPS servers on remote networks + route print jobs to the print server that owns that queue. The default setting + on your CUPS server may automatically discover remotely installed printers and + may permit this functionality without requiring specific configuration. + </p></li><li><p> + As part of the roll-out program, you need to configure the application's + server shares. This can be done once on the central server and may then be + replicated using a tool such as <code class="literal">rsync</code>. Refer to the man + page for <code class="literal">rsync</code> for details regarding use. The notes in + <a href="secure.html#ch4appscfg" title="Application Share Configuration">???</a> may help in your decisions to use an application + server facility. + </p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Logon scripts that are run from a domain controller (PDC or BDC) are capable of using semi-intelligent + processes to automap Windows client drives to an application server that is nearest to the client. This + is considerably more difficult when a single PDC is used on a routed network. It can be done, but not + as elegantly as you see in the next chapter. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id339728"></a>Server-Specific Preparation</h3></div></div></div><p> + There are some steps that apply to particular server functionality only. Each step is critical + to correct server operation. The following step-by-step installation guidance will assist you + in working through the process of configuring the PDC and then both BDC's. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id339740"></a>Configuration for Server: <code class="constant">MASSIVE</code></h4></div></div></div><p> + The steps presented here attempt to implement Samba installation in a generic manner. While + some steps are clearly specific to Linux, it should not be too difficult to apply them to + your platform of choice. + </p><div class="procedure"><a name="id339753"></a><p class="title"><b>Procedure 4.2. Primary Domain Controller Preparation</b></p><ol type="1"><li><p> + <a class="indexterm" name="id339764"></a> + <a class="indexterm" name="id339771"></a> + The host server acts as a router between the two internal network segments as well + as for all Internet access. This necessitates that IP forwarding be enabled. This can be + achieved by adding to the <code class="filename">/etc/rc.d/boot.local</code> an entry as follows: +</p><pre class="screen"> +echo 1 > /proc/sys/net/ipv4/ip_forward +</pre><p> + To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute + that command manually also. This setting permits the Linux system to act as a router. + </p></li><li><p> + This server is dual hosted (i.e., has two network interfaces) one goes to the Internet + and the other to a local network that has a router that is the gateway to the remote networks. + You must therefore configure the server with route table entries so that it can find machines + on the remote networks. You can do this using the appropriate system tools for your Linux + server or using static entries that you place in one of the system startup files. It is best + to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the + best tool to do this is YaST (refer to SUSE Administration Manual); in the case of Red Hat, + this is best done using the graphical system configuration tools (see the Red Hat documentation). + An example of how this may be done manually is as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> route add net 172.16.4.0 netmask 255.255.252.0 gw 172.16.0.128 +<code class="prompt">root# </code> route add net 172.16.8.0 netmask 255.255.252.0 gw 172.16.0.128 +</pre><p> + If you just execute these commands manually, the route table entries you have created are + not persistent across system reboots. You may add these commands directly to the local + startup files as follows: (SUSE) <code class="filename">/etc/rc.d/boot.local</code>, (Red Hat) + <code class="filename">/etc/rc.d/init.d/rc.local</code>. + </p></li><li><p> + <a class="indexterm" name="id339849"></a> + The final step that must be completed is to edit the <code class="filename">/etc/nsswitch.conf</code> file. + This file controls the operation of the various resolver libraries that are part of the Linux + Glibc libraries. Edit this file so that it contains the following entries: +</p><pre class="screen"> +hosts: files dns wins +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id339876"></a> + Create and map Windows domain groups to UNIX groups. A sample script is provided in + <a href="Big500users.html#ch5-initgrps" title="Example 4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh">???</a>. Create a file containing this script. You called yours + <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed + and then execute the script. An example of the execution of this script as well as its + validation are shown in Section 4.3.2, Step 5. + </p></li><li><p> + <a class="indexterm" name="id339904"></a> + <a class="indexterm" name="id339911"></a> + <a class="indexterm" name="id339920"></a> + For each user who needs to be given a Windows domain account, make an entry in the + <code class="filename">/etc/passwd</code> file as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system account, and use the Samba + <code class="literal">smbpasswd</code> to create a domain user account. + </p><p> + <a class="indexterm" name="id339944"></a> + <a class="indexterm" name="id339951"></a> + <a class="indexterm" name="id339958"></a> + There are a number of tools for user management under UNIX, such as + <code class="literal">useradd</code>, <code class="literal">adduser</code>, as well as a plethora of custom + tools. With the tool of your choice, create a home directory for each user. + </p></li><li><p> + Using the preferred tool for your UNIX system, add each user to the UNIX groups created + previously as necessary. File system access control is based on UNIX group membership. + </p></li><li><p> + Create the directory mount point for the disk subsystem that is to be mounted to provide + data storage for company files, in this case, the mount point indicated in the <code class="filename">smb.conf</code> + file is <code class="filename">/data</code>. Format the file system as required and mount the formatted + file system partition using appropriate system tools. + </p></li><li><p> + <a class="indexterm" name="id340016"></a> + Create the top-level file storage directories for data and applications as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,pidata} +<code class="prompt">root# </code> mkdir -p /apps +<code class="prompt">root# </code> chown -R root:root /data +<code class="prompt">root# </code> chown -R root:root /apps +<code class="prompt">root# </code> chown -R bjordan:accounts /data/accounts +<code class="prompt">root# </code> chown -R bjordan:finsvcs /data/finsvcs +<code class="prompt">root# </code> chown -R bjordan:finsvcs /data/pidata +<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data +<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps +</pre><p> + Each department is responsible for creating its own directory structure within the departmental + share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>. + The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>. + The <code class="filename">/apps</code> directory is the root of the <code class="constant">apps</code> share + that provides the application server infrastructure. + </p></li><li><p> + The <code class="filename">smb.conf</code> file specifies an infrastructure to support roaming profiles and network + logon services. You can now create the file system infrastructure to provide the + locations on disk that these services require. Adequate planning is essential + because desktop profiles can grow to be quite large. For planning purposes, a minimum of + 200 MB of storage should be allowed per user for profile storage. The following + commands create the directory infrastructure needed: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/spool/samba +<code class="prompt">root# </code> mkdir -p /var/lib/samba/{netlogon/scripts,profiles} +<code class="prompt">root# </code> chown -R root:root /var/spool/samba +<code class="prompt">root# </code> chown -R root:root /var/lib/samba +<code class="prompt">root# </code> chmod a+rwxt /var/spool/samba +</pre><p> + For each user account that is created on the system, the following commands should be + executed: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /var/lib/samba/profiles/'username' +<code class="prompt">root# </code> chown 'username':users /var/lib/samba/profiles/'username' +<code class="prompt">root# </code> chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username' +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id340209"></a> + <a class="indexterm" name="id340216"></a> + Create a logon script. It is important that each line is correctly terminated with + a carriage return and line-feed combination (i.e., DOS encoding). The following procedure + works if the right tools (<code class="constant">unxi2dos</code> and <code class="constant">dos2unix</code>) are installed. + First, create a file called <code class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</code> + with the following contents: +</p><pre class="screen"> +net time \\massive /set /yes +net use h: /home +</pre><p> + Convert the UNIX file to a DOS file: +</p><pre class="screen"> +<code class="prompt">root# </code> dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \ + > /var/lib/samba/netlogon/scripts/logon.bat +</pre><p> + </p></li><li><p> + There is one preparatory step without which you cannot have a working Samba network + environment. You must add an account for each network user. You can do this by executing + the following steps for each user: +</p><pre class="screen"> +<code class="prompt">root# </code> useradd -m <em class="parameter"><code>username</code></em> +<code class="prompt">root# </code> passwd <em class="parameter"><code>username</code></em> +Changing password for <em class="parameter"><code>username</code></em>. +New password: XXXXXXXX +Re-enter new password: XXXXXXXX +Password changed +<code class="prompt">root# </code> smbpasswd -a <em class="parameter"><code>username</code></em> +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +Added user <em class="parameter"><code>username</code></em>. +</pre><p> + You do, of course, use a valid user login ID in place of <em class="parameter"><code>username</code></em>. + </p></li><li><p> + Follow the processes shown in <a href="Big500users.html#ch5-procstart" title="Process Startup Configuration">???</a> to start all services. + </p></li><li><p> + Your server is ready for validation testing. Do not proceed with the steps in + <a href="Big500users.html#ch5-domsvrspec" title="Configuration Specific to Domain Member Servers: BLDG1, BLDG2">???</a> until after the operation of the server has been + validated following the same methods as outlined in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>, <a href="secure.html#ch4valid" title="Validation">???</a>. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch5-domsvrspec"></a>Configuration Specific to Domain Member Servers: <code class="constant">BLDG1, BLDG2</code></h4></div></div></div><p> + The following steps will guide you through the nuances of implementing BDCs for the broadcast + isolated network segments. Remember that if the target installation platform is not Linux, it may + be necessary to adapt some commands to the equivalent on the target platform. + </p><div class="procedure"><a name="id340388"></a><p class="title"><b>Procedure 4.3. Backup Domain Controller Configuration Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id340399"></a> + The final step that must be completed is to edit the <code class="filename">/etc/nsswitch.conf</code> file. + This file controls the operation of the various resolver libraries that are part of the Linux + Glibc libraries. Edit this file so that it contains the following entries: +</p><pre class="screen"> +passwd: files winbind +group: files winbind +hosts: files dns wins +</pre><p> + </p></li><li><p> + Follow the steps outlined in <a href="Big500users.html#ch5-procstart" title="Process Startup Configuration">???</a> to start all services. Do not + start Samba at this time. Samba is controlled by the process called <code class="literal">smb</code>. + </p></li><li><p> + <a class="indexterm" name="id340446"></a> + You must now attempt to join the domain member servers to the domain. The following + instructions should be executed to effect this: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id340476"></a> + You now start the Samba services by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> service smb start +</pre><p> + </p></li><li><p> + Your server is ready for validation testing. Do not proceed with the steps in + <a href="Big500users.html#ch5-domsvrspec" title="Configuration Specific to Domain Member Servers: BLDG1, BLDG2">???</a> until after the operation of the server has been + validated following the same methods as outlined in <a href="secure.html#ch4valid" title="Validation">???</a>. + </p></li></ol></div></div></div><div class="example"><a name="ch5-massivesmb"></a><p class="title"><b>Example 4.1. Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/smb.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id340558"></a><em class="parameter"><code>workgroup = MEGANET</code></em></td></tr><tr><td><a class="indexterm" name="id340571"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id340583"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id340596"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340608"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id340621"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id340634"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id340646"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id340659"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id340672"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id340685"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id340698"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id340711"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340723"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340736"></a><em class="parameter"><code>include = /etc/samba/dc-common.conf</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id340758"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id340770"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id340783"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id340804"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id340817"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id340829"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id340851"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id340864"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id340876"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-dc-common"></a><p class="title"><b>Example 4.2. Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/dc-common.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id340924"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id340937"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id340949"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id340962"></a><em class="parameter"><code>logon path = \%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id340975"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id340987"></a><em class="parameter"><code>logon home = \%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id341000"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341012"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341025"></a><em class="parameter"><code>include = /etc/samba/common.conf</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id341046"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id341059"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id341072"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id341084"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id341106"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id341118"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id341131"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341144"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id341165"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id341178"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id341190"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id341203"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-commonsmb"></a><p class="title"><b>Example 4.3. Common Samba Configuration File: <code class="filename">/etc/samba/common.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id341247"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id341260"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id341272"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id341285"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id341297"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id341310"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id341322"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id341335"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341348"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id341360"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id341373"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id341386"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id341398"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341411"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341423"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id341436"></a><em class="parameter"><code>veto files = /*.eml/*.nws/*.{*}/</code></em></td></tr><tr><td><a class="indexterm" name="id341449"></a><em class="parameter"><code>veto oplock files = /*.doc/*.xls/*.mdb/</code></em></td></tr><tr><td><a class="indexterm" name="id341461"></a><em class="parameter"><code>include = </code></em></td></tr><tr><td># Share and Service Definitions are common to all servers</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id341487"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id341499"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id341512"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341524"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341537"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341549"></a><em class="parameter"><code>default devmode = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341562"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id341583"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id341596"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id341609"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id341621"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-bldg1-smb"></a><p class="title"><b>Example 4.4. Server: BLDG1 (Member), File: smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id341664"></a><em class="parameter"><code>workgroup = MEGANET</code></em></td></tr><tr><td><a class="indexterm" name="id341677"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id341689"></a><em class="parameter"><code>include = /etc/samba/dom-mem.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-bldg2-smb"></a><p class="title"><b>Example 4.5. Server: BLDG2 (Member), File: smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id341732"></a><em class="parameter"><code>workgroup = MEGANET</code></em></td></tr><tr><td><a class="indexterm" name="id341745"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id341757"></a><em class="parameter"><code>include = /etc/samba/dom-mem.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-dommem-smb"></a><p class="title"><b>Example 4.6. Common Domain Member Include File: dom-mem.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id341800"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id341813"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id341826"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id341839"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id341851"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id341864"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id341876"></a><em class="parameter"><code>include = /etc/samba/common.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="massive-dhcp"></a><p class="title"><b>Example 4.7. Server: MASSIVE, File: dhcpd.conf</b></p><div class="example-contents"><pre class="screen"> +# Abmas Accounting Inc. + +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; +ddns-updates on; +ddns-update-style interim; + +option ntp-servers 172.16.0.1; +option domain-name "abmas.biz"; +option domain-name-servers 172.16.0.1, 172.16.4.1; +option netbios-name-servers 172.16.0.1; +option netbios-node-type 8; + +subnet 172.16.1.0 netmask 255.255.252.0 { + range dynamic-bootp 172.16.1.0 172.16.2.255; + option subnet-mask 255.255.252.0; + option routers 172.16.0.1, 172.16.0.128; + allow unknown-clients; + } +subnet 172.16.4.0 netmask 255.255.252.0 { + range dynamic-bootp 172.16.7.0 172.16.7.254; + option subnet-mask 255.255.252.0; + option routers 172.16.4.128; + allow unknown-clients; + } +subnet 172.16.8.0 netmask 255.255.252.0 { + range dynamic-bootp 172.16.11.0 172.16.11.254; + option subnet-mask 255.255.252.0; + option routers 172.16.4.128; + allow unknown-clients; + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +subnet 123.45.67.64 netmask 255.255.255.252 { + } +</pre></div></div><br class="example-break"><div class="example"><a name="bldg1dhcp"></a><p class="title"><b>Example 4.8. Server: BLDG1, File: dhcpd.conf</b></p><div class="example-contents"><pre class="screen"> +# Abmas Accounting Inc. + +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; +ddns-updates on; +ddns-update-style ad-hoc; + +option ntp-servers 172.16.0.1; +option domain-name "abmas.biz"; +option domain-name-servers 172.16.0.1, 172.16.4.1; +option netbios-name-servers 172.16.0.1; +option netbios-node-type 8; + +subnet 172.16.1.0 netmask 255.255.252.0 { + range dynamic-bootp 172.16.3.0 172.16.3.255; + option subnet-mask 255.255.252.0; + option routers 172.16.0.1, 172.16.0.128; + allow unknown-clients; + } +subnet 172.16.4.0 netmask 255.255.252.0 { + range dynamic-bootp 172.16.5.0 172.16.6.255; + option subnet-mask 255.255.252.0; + option routers 172.16.4.128; + allow unknown-clients; + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +</pre></div></div><br class="example-break"><div class="example"><a name="bldg2dhcp"></a><p class="title"><b>Example 4.9. Server: BLDG2, File: dhcpd.conf</b></p><div class="example-contents"><pre class="screen"> +# Abmas Accounting Inc. + +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; +ddns-updates on; +ddns-update-style interim; + +option ntp-servers 172.16.0.1; +option domain-name "abmas.biz"; +option domain-name-servers 172.16.0.1, 172.16.4.1; +option netbios-name-servers 172.16.0.1; +option netbios-node-type 8; + +subnet 172.16.8.0 netmask 255.255.252.0 { + range dynamic-bootp 172.16.9.0 172.16.10.255; + option subnet-mask 255.255.252.0; + option routers 172.16.8.128; + allow unknown-clients; + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +</pre></div></div><br class="example-break"><div class="example"><a name="massive-nameda"></a><p class="title"><b>Example 4.10. Server: MASSIVE, File: named.conf, Part: A</b></p><div class="example-contents"><pre class="screen"> +### +# Abmas Biz DNS Control File +### +# Date: November 15, 2003 +### +options { + directory "/var/lib/named"; + forwarders { + 123.45.12.23; + 123.45.54.32; + }; + forward first; + listen-on { + mynet; + }; + auth-nxdomain yes; + multiple-cnames yes; + notify no; +}; + +zone "." in { + type hint; + file "root.hint"; +}; + +zone "localhost" in { + type master; + file "localhost.zone"; +}; + +zone "0.0.127.in-addr.arpa" in { + type master; + file "127.0.0.zone"; +}; + +acl mynet { + 172.16.0.0/24; + 172.16.4.0/24; + 172.16.8.0/24; + 127.0.0.1; +}; + +acl seconddns { + 123.45.54.32; +}; +</pre></div></div><br class="example-break"><div class="example"><a name="massive-namedb"></a><p class="title"><b>Example 4.11. Server: MASSIVE, File: named.conf, Part: B</b></p><div class="example-contents"><pre class="screen"> +zone "abmas.biz" { + type master; + file "/var/lib/named/master/abmas.biz.hosts"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "abmas.us" { + type master; + file "/var/lib/named/master/abmas.us.hosts"; + allow-query { + all; + }; + allow-transfer { + seconddns; + }; +}; +</pre></div></div><br class="example-break"><div class="example"><a name="massive-namedc"></a><p class="title"><b>Example 4.12. Server: MASSIVE, File: named.conf, Part: C</b></p><div class="example-contents"><pre class="screen"> +zone "0.16.172.in-addr.arpa" { + type master; + file "/var/lib/named/master/172.16.0.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "4.16.172.in-addr.arpa" { + type master; + file "/var/lib/named/master/172.16.4.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "8.16.172.in-addr.arpa" { + type master; + file "/var/lib/named/master/172.16.8.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; +</pre></div></div><br class="example-break"><div class="example"><a name="abmasbizdns"></a><p class="title"><b>Example 4.13. Forward Zone File: abmas.biz.hosts</b></p><div class="example-contents"><pre class="screen"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.biz IN SOA massive.abmas.biz. root.abmas.biz. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS massive.abmas.biz. + NS bldg1.abmas.biz. + NS bldg2.abmas.biz. + MX 10 massive.abmas.biz. +$ORIGIN abmas.biz. +massive A 172.16.0.1 +router0 A 172.16.0.128 +bldg1 A 172.16.4.1 +router4 A 172.16.4.128 +bldg2 A 172.16.8.1 +router8 A 172.16.8.128 +</pre></div></div><br class="example-break"><div class="example"><a name="abmasusdns"></a><p class="title"><b>Example 4.14. Forward Zone File: abmas.biz.hosts</b></p><div class="example-contents"><pre class="screen"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.us IN SOA server.abmas.us. root.abmas.us. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS dns.abmas.us. + NS dns2.abmas.us. + MX 10 mail.abmas.us. +$ORIGIN abmas.us. +server A 123.45.67.66 +dns2 A 123.45.54.32 +gw A 123.45.67.65 +www CNAME server +mail CNAME server +dns CNAME server +</pre></div></div><br class="example-break"><div class="example"><a name="bldg12nameda"></a><p class="title"><b>Example 4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A</b></p><div class="example-contents"><pre class="screen"> +### +# Abmas Biz DNS Control File +### +# Date: November 15, 2003 +### +options { + directory "/var/lib/named"; + forwarders { + 172.16.0.1; + }; + forward first; + listen-on { + mynet; + }; + auth-nxdomain yes; + multiple-cnames yes; + notify no; +}; + +zone "." in { + type hint; + file "root.hint"; +}; + +zone "localhost" in { + type master; + file "localhost.zone"; +}; + +zone "0.0.127.in-addr.arpa" in { + type master; + file "127.0.0.zone"; +}; + +acl mynet { + 172.16.0.0/24; + 172.16.4.0/24; + 172.16.8.0/24; + 127.0.0.1; +}; + +acl seconddns { + 123.45.54.32; +}; +</pre></div></div><br class="example-break"><div class="example"><a name="bldg12namedb"></a><p class="title"><b>Example 4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B</b></p><div class="example-contents"><pre class="screen"> +zone "abmas.biz" { + type slave; + file "/var/lib/named/slave/abmas.biz.hosts"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; +}; + +zone "0.16.172.in-addr.arpa" { + type slave; + file "/var/lib/slave/master/172.16.0.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; +}; + +zone "4.16.172.in-addr.arpa" { + type slave; + file "/var/lib/named/slave/172.16.4.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; +}; + +zone "8.16.172.in-addr.arpa" { + type slave; + file "/var/lib/named/slave/172.16.8.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; +}; +</pre></div></div><br class="example-break"><div class="example"><a name="ch5-initgrps"></a><p class="title"><b>Example 4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash + +# Create UNIX groups +groupadd acctsdep +groupadd finsrvcs +groupadd piops + +# Map Windows Domain Groups to UNIX groups +net groupmap add ntgroup="Domain Admins" unixgroup=root type=d +net groupmap add ntgroup="Domain Users" unixgroup=users type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d + +# Add Functional Domain Groups +net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d +net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d +net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d +</pre></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch5-procstart"></a>Process Startup Configuration</h3></div></div></div><p> + <a class="indexterm" name="id342162"></a> + <a class="indexterm" name="id342169"></a> + There are two essential steps to process startup configuration. A process + must be configured so that it is automatically restarted each time the server + is rebooted. This step involves use of the <code class="literal">chkconfig</code> tool that + created appropriate symbolic links from the master daemon control file that is + located in the <code class="filename">/etc/rc.d</code> directory to the <code class="filename">/etc/rc'x'.d</code> + directories. Links are created so that when the system run-level is changed, the + necessary start or kill script is run. + </p><p> + <a class="indexterm" name="id342201"></a> + In the event that a service is provided not as a daemon but via the internetworking + super daemon (<code class="literal">inetd</code> or <code class="literal">xinetd</code>), then the <code class="literal">chkconfig</code> + tool makes the necessary entries in the <code class="filename">/etc/xinetd.d</code> directory + and sends a hang-up (HUP) signal to the super daemon, thus forcing it to + re-read its control files. + </p><p> + Last, each service must be started to permit system validation to proceed. The following steps + are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you + are installing Samba. + </p><div class="procedure"><a name="id342240"></a><p class="title"><b>Procedure 4.4. Process Startup Configuration Steps</b></p><ol type="1"><li><p> + Use the standard system tool to configure each service to restart + automatically at every system reboot. For example, + <a class="indexterm" name="id342253"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig dhpc on +<code class="prompt">root# </code> chkconfig named on +<code class="prompt">root# </code> chkconfig cups on +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig swat on +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id342302"></a> + <a class="indexterm" name="id342309"></a> + <a class="indexterm" name="id342315"></a> + Now start each service to permit the system to be validated. + Execute each of the following in the sequence shown: + +</p><pre class="screen"> +<code class="prompt">root# </code> service dhcp restart +<code class="prompt">root# </code> service named restart +<code class="prompt">root# </code> service cups restart +<code class="prompt">root# </code> service smb restart +<code class="prompt">root# </code> service swat restart +</pre><p> + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch5wincfg"></a>Windows Client Configuration</h3></div></div></div><p> + The procedure for desktop client configuration for the network in this chapter is similar to + that used for the previous one. There are a few subtle changes that should be noted. + </p><div class="procedure"><a name="id342376"></a><p class="title"><b>Procedure 4.5. Windows Client Configuration Steps</b></p><ol type="1"><li><p> + Install MS Windows XP Professional. During installation, configure the client to use DHCP for + TCP/IP protocol configuration. + <a class="indexterm" name="id342388"></a> + <a class="indexterm" name="id342395"></a> + DHCP configures all Windows clients to use the WINS Server address that has been defined + for the local subnet. + </p></li><li><p> + Join the Windows domain <code class="constant">MEGANET</code>. Use the domain administrator + username <code class="constant">root</code> and the SMB password you assigned to this account. + A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to + a Windows domain is given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. + Reboot the machine as prompted and then log on using the domain administrator account + (<code class="constant">root</code>). + </p></li><li><p> + Verify that the server called <code class="constant">MEGANET</code> is visible in <span class="guimenu">My Network Places</span>, + that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>, + <span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>, + and that it is possible to open each share to reveal its contents. + </p></li><li><p> + Create a drive mapping to the <code class="constant">apps</code> share on a server. At this time, it does + not particularly matter which application server is used. It is necessary to manually + set a persistent drive mapping to the local applications server on each workstation at the time of + installation. This step is avoided by the improvements to the design of the network configuration + in the next chapter. + </p></li><li><p> + Perform an administrative installation of each application to be used. Select the options + that you wish to use. Of course, you choose to run applications over the network, correct? + </p></li><li><p> + Now install all applications to be installed locally. Typical tools include Adobe Acrobat, + NTP-based time synchronization software, drivers for specific local devices such as fingerprint + scanners, and the like. Probably the most significant application to be locally installed + is antivirus software. + </p></li><li><p> + Now install all four printers onto the staging system. The printers you install + include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you + also configure use of the identical printers that are located in the financial services department. + Install printers on each machine using the following steps: + + </p><div class="procedure"><a name="id342511"></a><p class="title"><b>Procedure 4.6. Steps to Install Printer Drivers on Windows Clients</b></p><ol type="1"><li><p> + Click <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>. + Ensure that <span class="guimenuitem">Local printer</span> is selected. + </p></li><li><p> + Click <span class="guibutton">Next</span>. In the + <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>. + In the <span class="guimenuitem">Printers:</span> panel, select the printer called + <code class="constant">HP LaserJet 6</code>. Click <span class="guibutton">Next</span>. + </p></li><li><p> + In the <span class="guimenuitem">Available ports:</span> panel, select + <code class="constant">FILE:</code>. Accept the default printer name by clicking + <span class="guibutton">Next</span>. When asked, “<span class="quote">Would you like to print a + test page?</span>”, click <span class="guimenuitem">No</span>. Click + <span class="guibutton">Finish</span>. + </p></li><li><p> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span> → <span class="guimenuitem">Properties</span>. + </p></li><li><p> + In the <span class="guimenuitem">Network</span> panel, enter the name of + the print queue on the Samba server as follows: <code class="constant">\\BLDG1\hplj6a</code>. + Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation. + </p></li><li><p> + Repeat the printer installation steps above for both HP LaserJet 6 printers + as well as for both QMS Magicolor laser printers. Remember to install all + printers but to set the destination port for each to the server on the + local network. For example, a workstation in the accounting group should + have all printers directed at the server <code class="constant">BLDG1</code>. + You may elect to point all desktop workstation configurations at the + server called <code class="constant">MASSIVE</code> and then in your deployment + procedures, it would be wise to document the need to redirect the printer + configuration (as well as the applications server drive mapping) to the + server on the network segment on which the workstation is to be located. + </p></li></ol></div><p> + </p></li><li><p> + When you are satisfied that the staging systems are complete, use the appropriate procedure to + remove the client from the domain. Reboot the system, and then log on as the local administrator + and clean out all temporary files stored on the system. Before shutting down, use the disk + defragmentation tool so that the file system is in optimal condition before replication. + </p></li><li><p> + Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the + machine to a network share on the server. + </p></li><li><p> + You may now replicate the image using the appropriate Norton Ghost procedure to the target + machines. Make sure to use the procedure that ensures each machine has a unique + Windows security identifier (SID). When the installation of the disk image is complete, boot the PC. + </p></li><li><p> + Log onto the machine as the local Administrator (the only option), and join the machine to + the domain following the procedure set out in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. You must now set the + persistent drive mapping to the applications server that the user is to use. The system is now + ready for the user to log on, provided you have created a network logon account for that + user, of course. + </p></li><li><p> + Instruct all users to log onto the workstation using their assigned username and password. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id342792"></a>Key Points Learned</h3></div></div></div><p> + The network you have just deployed has been a valuable exercise in forced constraint. + You have deployed a network that works well, although you may soon start to see + performance problems, at which time the modifications demonstrated in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> + bring the network to life. The following key learning points were experienced: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The power of using <code class="filename">smb.conf</code> include files + </p></li><li><p> + Use of a single PDC over a routed network + </p></li><li><p> + Joining a Samba-3 domain member server to a Samba-3 domain + </p></li><li><p> + Configuration of winbind to use domain users and groups for Samba access + to resources on the domain member servers + </p></li><li><p> + The introduction of roaming profiles + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id342844"></a>Questions and Answers</h2></div></div></div><p> + </p><div class="qandaset"><dl><dt> <a href="Big500users.html#id342860"> + The example smb.conf files in this chapter make use of the include facility. + How may I get to see what the actual working smb.conf settings are? + </a></dt><dt> <a href="Big500users.html#id342907"> + Why does the include file common.conf have an empty include statement? + </a></dt><dt> <a href="Big500users.html#id342964"> + I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam + passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. + I tried using rsync to replicate the passdb.tdb, and it seems to work fine! + So what is the problem? + </a></dt><dt> <a href="Big500users.html#id343014"> + You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash? + </a></dt><dt> <a href="Big500users.html#id343039"> + How does the Windows client find the PDC? + </a></dt><dt> <a href="Big500users.html#id343058"> + Why did you enable IP forwarding (routing) only on the server called MASSIVE? + </a></dt><dt> <a href="Big500users.html#id343085"> + You did nothing special to implement roaming profiles. Why? + </a></dt><dt> <a href="Big500users.html#id343103"> + On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. + You did not configure any PAM settings. Is this an omission? + </a></dt><dt> <a href="Big500users.html#id343130"> + You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this? + </a></dt><dt> <a href="Big500users.html#id343167"> + The domain controller has an auto-shutdown script. Isn't that dangerous? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id342860"></a><a name="id342862"></a></td><td align="left" valign="top"><p> + The example <code class="filename">smb.conf</code> files in this chapter make use of the <em class="parameter"><code>include</code></em> facility. + How may I get to see what the actual working <code class="filename">smb.conf</code> settings are? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + You may readily see the net compound effect of the included files by running: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s | less +</pre><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id342907"></a><a name="id342909"></a></td><td align="left" valign="top"><p> + Why does the include file <code class="filename">common.conf</code> have an empty include statement? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The use of the empty include statement nullifies further includes. For example, let's say you + desire to have just an smb.conf file that is built from the array of include files of which the + master control file is called <code class="filename">master.conf</code>. The following command + produces a compound <code class="filename">smb.conf</code> file. +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s /etc/samba/master.conf > /etc/samba/smb.conf +</pre><p> + If the include parameter was not in the common.conf file, the final <code class="filename">smb.conf</code> file leaves + the include in place, even though the file it points to has already been included. This is a bug + that will be fixed at a future date. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id342964"></a><a name="id342966"></a></td><td align="left" valign="top"><p> + I accept that the simplest configuration necessary to do the job is the best. The use of <em class="parameter"><code>tdbsam</code></em> + passdb backend is much simpler than having to manage an LDAP-based <em class="parameter"><code>ldapsam</code></em> passdb backend. + I tried using <code class="literal">rsync</code> to replicate the <code class="filename">passdb.tdb</code>, and it seems to work fine! + So what is the problem? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Replication of the <em class="parameter"><code>tdbsam</code></em> database file can result in loss of currency in its + contents between the PDC and BDCs. The most notable symptom is that workstations may not be able + to log onto the network following a reboot and may have to rejoin the domain to recover network + access capability. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id343014"></a><a name="id343016"></a></td><td align="left" valign="top"><p> + You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server + offers an IP address lease, but it is the client that determines which offer is accepted, no matter how many + offers are made. Under normal operation, the client accepts the first offer it receives. + </p><p> + The only exception to this rule is when the client makes a directed request from a specific DHCP server + for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id343039"></a><a name="id343041"></a></td><td align="left" valign="top"><p> + How does the Windows client find the PDC? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The Windows client obtains the WINS server address from the DHCP lease information. It also + obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast) + to register itself with the WINS server and to obtain enumeration of vital network information to + enable it to operate successfully. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id343058"></a><a name="id343060"></a></td><td align="left" valign="top"><p> + Why did you enable IP forwarding (routing) only on the server called <code class="constant">MASSIVE</code>? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The server called <code class="constant">MASSIVE</code> is acting as a router to the Internet. No other server + (BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network. + Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network + segments to the router that is its gateway to them. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id343085"></a><a name="id343088"></a></td><td align="left" valign="top"><p> + You did nothing special to implement roaming profiles. Why? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional + clients is to use roaming profiles. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id343103"></a><a name="id343106"></a></td><td align="left" valign="top"><p> + On the domain member computers, you configured winbind in the <code class="filename">/etc/nsswitch.conf</code> file. + You did not configure any PAM settings. Is this an omission? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only + marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the domain + member servers using Windows networking usernames and passwords, it is necessary to configure PAM + to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name + service switch (NSS). + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id343130"></a><a name="id343133"></a></td><td align="left" valign="top"><p> + You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed + in <span class="emphasis"><em>TOSHARG2</em></span>, which has a full chapter dedicated to the subject. While we are on the + subject, it should be noted that you should definitely not use SWAT on any system that makes use + of <code class="filename">smb.conf</code> <em class="parameter"><code>include</code></em> files because SWAT optimizes them out into an aggregated + file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to + handle this functionality gracefully. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id343167"></a><a name="id343169"></a></td><td align="left" valign="top"><p> + The domain controller has an auto-shutdown script. Isn't that dangerous? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though. + </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="secure.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="happy.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Secure Office Networking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Making Happy Users</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/DMSMig.html b/docs/htmldocs/Samba3-ByExample/DMSMig.html new file mode 100644 index 0000000000..ec904f05cc --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/DMSMig.html @@ -0,0 +1,10 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Domain Members, Updating Samba and Migration</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network"><link rel="next" href="unixclients.html" title="Chapter 7. Adding Domain Member Servers and Clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Domain Members, Updating Samba and Migration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="2000users.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="unixclients.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="DMSMig"></a>Part II. Domain Members, Updating Samba and Migration</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id360384"></a>Domain Members, Updating Samba and Migration</h1></div></div></div><p> +This section <span class="emphasis"><em>Samba-3 by Example</em></span> covers two main topics: How to add +Samba Domain Member Servers and Samba Domain Member Clients to a Samba domain, the other +subject is that of how to migrate from and NT4 Domain, a NetWare server, or from an earlier +Samba version to environments that use the most recent Samba-3 release. +</p><p> +Those who are making use of the chapter on Adding UNIX clients and servers running Samba +to a Samba or a Windows networking domain may also benefit by referring to the book +<span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide.</em></span> +</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="unixclients.html">7. Adding Domain Member Servers and Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="unixclients.html#id360510">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360558">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id360587">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360610">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id361198">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id361279">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367699">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id367744">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="upgrades.html">8. Updating Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrades.html#id368817">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id368901">Cautions and Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id370109">Upgrading from Samba 1.x and 2.x to Samba-3</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id370773">Samba-2.x with LDAP Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id370982">Samba-3 to Samba-3 Updates on the Same Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id371166">Migrating Samba-3 to a New Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id371543">Migration of Samba Accounts to Active Directory</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ntmigration.html">9. Migrating NT4 Domain to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="ntmigration.html#id371689">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id371765">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id371815">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id371970">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id372273">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id372293">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id375038">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id375074">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="nw4migration.html">10. Migrating NetWare Server to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="nw4migration.html#id375956">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376063">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id376162">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376233">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id376404">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376413">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="2000users.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="unixclients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 6. A Distributed 2000-User Network </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Adding Domain Member Servers and Clients</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/DomApps.html b/docs/htmldocs/Samba3-ByExample/DomApps.html new file mode 100644 index 0000000000..d6d0e5e08e --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/DomApps.html @@ -0,0 +1,597 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Integrating Additional Services</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="kerberos.html" title="Chapter 11. Active Directory, Kerberos, and Security"><link rel="next" href="HA.html" title="Chapter 13. Performance, Reliability, and Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Integrating Additional Services</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DomApps"></a>Chapter 12. Integrating Additional Services</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DomApps.html#id385213">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id385236">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id385322">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id385351">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id385497">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id385511">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id387274">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id387329">Questions and Answers</a></span></dt></dl></div><p> + <a class="indexterm" name="id385169"></a> + <a class="indexterm" name="id385176"></a> + <a class="indexterm" name="id385183"></a> + <a class="indexterm" name="id385189"></a> + <a class="indexterm" name="id385196"></a> + You've come a long way now. You have pretty much mastered Samba-3 for + most uses it can be put to. Up until now, you have cast Samba-3 in the leading + role, and where authentication was required, you have used one or another of + Samba's many authentication backends (from flat text files with smbpasswd + to LDAP directory integration with ldapsam). Now you can design a + solution for a new Abmas business. This business is running Windows Server + 2003 and Active Directory, and these are to stay. It's time to master + implementing Samba and Samba-supported services in a domain controlled by + the latest Windows authentication technologies. Let's get started this is + leading edge. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385213"></a>Introduction</h2></div></div></div><p> + Abmas has continued its miraculous growth; indeed, nothing seems to be able + to stop its diversification into multiple (and seemingly unrelated) fields. + Its latest acquisition is Abmas Snack Foods, a big player in the snack-food + business. + </p><p> + With this acquisition comes new challenges for you and your team. Abmas Snack + Foods is a well-developed business with a huge and heterogeneous network. It + already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. + The network is mature and well-established, and there is no question of its chosen + user authentication scheme being changed for now. You need to take a wise new + approach. + </p><p> + You have decided to set the ball rolling by introducing Samba-3 into the network + gradually, taking over key services and easing the way to a full migration and, + therefore, integration into Abmas's existing business later. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385236"></a>Assignment Tasks</h3></div></div></div><p> + <a class="indexterm" name="id385243"></a> + <a class="indexterm" name="id385252"></a> + You've promised the skeptical Abmas Snack Foods management team + that you can show them how Samba can ease itself and other Open Source + technologies into their existing infrastructure and deliver sound business + advantages. Cost cutting is high on their agenda (a major promise of the + acquisition). You have chosen Web proxying and caching as your proving ground. + </p><p> + <a class="indexterm" name="id385268"></a> + <a class="indexterm" name="id385274"></a> + Abmas Snack Foods has several thousand users housed at its head office + and multiple regional offices, plants, and warehouses. A high proportion of + the business's work is done online, so Internet access for most of these + users is essential. All Internet access, including for all regional offices, + is funneled through the head office and is the job of the (now your) networking + team. The bandwidth requirements were horrific (comparable to a small ISP), and + the team soon discovered proxying and caching. In fact, they became one of + the earliest commercial users of Microsoft ISA. + </p><p> + <a class="indexterm" name="id385290"></a> + <a class="indexterm" name="id385296"></a> + <a class="indexterm" name="id385303"></a> + The team is not happy with ISA. Because it never lived up to its marketing promises, + it underperformed and had reliability problems. You have pounced on the opportunity + to show what Open Source can do. The one thing they do like, however, is ISA's + integration with Active Directory. They like that their users, once logged on, + are automatically authenticated against the proxy. If your alternative to ISA + can operate completely seamlessly in their Active Directory domain, it will be + approved. + </p><p> + This is a hands-on exercise. You build software applications so + that you obtain the functionality Abmas needs. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385322"></a>Dissection and Discussion</h2></div></div></div><p> + The key requirements in this business example are straightforward. You are not required + to do anything new, just to replicate an existing system, not lose any existing features, + and improve performance. The key points are: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Internet access for most employees + </p></li><li><p> + Distributed system to accommodate load and geographical distribution of users + </p></li><li><p> + Seamless and transparent interoperability with the existing Active Directory domain + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385351"></a>Technical Issues</h3></div></div></div><p> + <a class="indexterm" name="id385359"></a> + <a class="indexterm" name="id385366"></a> + <a class="indexterm" name="id385372"></a> + <a class="indexterm" name="id385379"></a> + <a class="indexterm" name="id385386"></a> + <a class="indexterm" name="id385393"></a> + <a class="indexterm" name="id385400"></a> + <a class="indexterm" name="id385406"></a> + <a class="indexterm" name="id385413"></a> + <a class="indexterm" name="id385420"></a> + <a class="indexterm" name="id385427"></a> + <a class="indexterm" name="id385434"></a> + <a class="indexterm" name="id385443"></a><a class="indexterm" name="id385449"></a> + Functionally, the user's Internet Explorer requests a browsing session with the + Squid proxy, for which it offers its AD authentication token. Squid hands off + the authentication request to the Samba-3 authentication helper application + called <code class="literal">ntlm_auth</code>. This helper is a hook into winbind, the + Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate + against Microsoft Windows domains, including Active Directory domains. As Active + Directory authentication is a modified Kerberos authentication, winbind is assisted + in this by local Kerberos 5 libraries configured to check passwords with the Active + Directory server. Once the token has been checked, a browsing session is established. + This process is entirely transparent and seamless to the user. + </p><p> + Enabling this consists of: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Preparing the necessary environment using preconfigured packages + </p></li><li><p> + Setting up raw Kerberos authentication against the Active Directory domain + </p></li><li><p> + Configuring, compiling, and then installing the supporting Samba-3 components + </p></li><li><p> + Tying it all together + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385497"></a>Political Issues</h3></div></div></div><p> + You are a stranger in a strange land, and all eyes are upon you. Some would even like to see + you fail. For you to gain the trust of your newly acquired IT people, it is essential that your + solution does everything the old one did, but does it better in every way. Only then + will the entrenched positions consider taking up your new way of doing things on a + wider scale. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385511"></a>Implementation</h2></div></div></div><p> + <a class="indexterm" name="id385519"></a> + First, your system needs to be prepared and in a known good state to proceed. This consists + of making sure that everything the system depends on is present and that everything that could + interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 + packages and updating them if necessary. If conflicting packages of these programs are installed, + they must be removed. + </p><p> + <a class="indexterm" name="id385533"></a> + The following packages should be available on your Red Hat Linux system: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id385547"></a> + <a class="indexterm" name="id385553"></a> + krb5-libs + </p></li><li><p> + krb5-devel + </p></li><li><p> + krb5-workstation + </p></li><li><p> + krb5-server + </p></li><li><p> + pam_krb5 + </p></li></ul></div><p> + <a class="indexterm" name="id385583"></a> + In the case of SUSE Linux, these packages are called: + </p><div class="itemizedlist"><ul type="disc"><li><p> + heimdal-lib + </p></li><li><p> + heimdal-devel + </p></li><li><p> + <a class="indexterm" name="id385606"></a> + heimdal + </p></li><li><p> + pam_krb5 + </p></li></ul></div><p> + If the required packages are not present on your system, you must install + them from the vendor's installation media. Follow the administrative guide + for your Linux system to ensure that the packages are correctly updated. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id385629"></a> + <a class="indexterm" name="id385636"></a> + <a class="indexterm" name="id385643"></a> + If the requirement is for interoperation with MS Windows Server 2003, it + will be necessary to ensure that you are using MIT Kerberos version 1.3.1 + or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires + updating. + </p><p> + <a class="indexterm" name="id385654"></a> + <a class="indexterm" name="id385661"></a> + Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise + Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch10-one"></a>Removal of Pre-Existing Conflicting RPMs</h3></div></div></div><p> + <a class="indexterm" name="id385682"></a> + If Samba and/or Squid RPMs are installed, they should be updated. You can + build both from source. + </p><p> + <a class="indexterm" name="id385693"></a> + <a class="indexterm" name="id385699"></a> + <a class="indexterm" name="id385706"></a> + Locating the packages to be un-installed can be achieved by running: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -qa | grep -i samba +<code class="prompt">root# </code> rpm -qa | grep -i squid +</pre><p> + The identified packages may be removed using: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -e samba-common +</pre><p> + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385744"></a>Kerberos Configuration</h3></div></div></div><p> + <a class="indexterm" name="id385752"></a> + <a class="indexterm" name="id385759"></a> + <a class="indexterm" name="id385768"></a> + <a class="indexterm" name="id385775"></a> + The systems Kerberos installation must be configured to communicate with + your primary Active Directory server (ADS KDC). + </p><p> + Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results, + although the current default Red Hat MIT version 1.2.7 gives acceptable results + unless you are using Windows 2003 servers. + </p><p> + <a class="indexterm" name="id385791"></a> + <a class="indexterm" name="id385797"></a> + <a class="indexterm" name="id385804"></a> + <a class="indexterm" name="id385811"></a> + <a class="indexterm" name="id385818"></a> + <a class="indexterm" name="id385827"></a> + <a class="indexterm" name="id385833"></a> + Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <code class="filename">/etc/krb5.conf</code> + file in order to work correctly. All ADS domains automatically create SRV records in the + DNS zone <code class="constant">Kerberos.REALM.NAME</code> for each KDC in the realm. Since both + MIT and Heimdal, KRB5 libraries default to checking for these records, so they + automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> allows + specifying only a single KDC, even if there is more than one. Using the DNS lookup + allows the KRB5 libraries to use whichever KDCs are available. + </p><div class="procedure"><a name="id385863"></a><p class="title"><b>Procedure 12.1. Kerberos Configuration Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id385874"></a> + If you find the need to manually configure the <code class="filename">krb5.conf</code>, you should edit it + to have the contents shown in <a href="DomApps.html#ch10-krb5conf" title="Example 12.1. Kerberos Configuration File: /etc/krb5.conf">???</a>. The final fully qualified path for this file + should be <code class="filename">/etc/krb5.conf</code>. + </p></li><li><p> + <a class="indexterm" name="id385907"></a> + <a class="indexterm" name="id385914"></a> + <a class="indexterm" name="id385920"></a> + <a class="indexterm" name="id385927"></a> + <a class="indexterm" name="id385934"></a> + <a class="indexterm" name="id385941"></a> + <a class="indexterm" name="id385947"></a> + <a class="indexterm" name="id385954"></a> + <a class="indexterm" name="id385961"></a> + <a class="indexterm" name="id385970"></a> + <a class="indexterm" name="id385976"></a> + <a class="indexterm" name="id385983"></a> + <a class="indexterm" name="id385990"></a> + The following gotchas often catch people out. Kerberos is case sensitive. Your realm must + be in UPPERCASE, or you will get an error: “<span class="quote">Cannot find KDC for requested realm while getting + initial credentials</span>”. Kerberos is picky about time synchronization. The time + according to your participating servers must be within 5 minutes or you get an error: + “<span class="quote">kinit(v5): Clock skew too great while getting initial credentials</span>”. + Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is + 5 minutes). A better solution is to implement NTP throughout your server network. + Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC. + Also, the name that this reverse lookup maps to must either be the NetBIOS name of + the KDC (i.e., the hostname with no domain attached) or the + NetBIOS name followed by the realm. If all else fails, you can add a + <code class="filename">/etc/hosts</code> entry mapping the IP address of your KDC to its + NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error + when you try to join the realm. + </p></li><li><p> + <a class="indexterm" name="id386025"></a> + You are now ready to test your installation by issuing the command: +</p><pre class="screen"> +<code class="prompt">root# </code> kinit [USERNAME@REALM] +</pre><p> + You are asked for your password, which you should enter. The following + is a typical console sequence: +</p><pre class="screen"> +<code class="prompt">root# </code> kinit ADMINISTRATOR@LONDON.ABMAS.BIZ +Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: +</pre><p> + Make sure that your password is accepted by the Active Directory KDC. + </p></li></ol></div><div class="example"><a name="ch10-krb5conf"></a><p class="title"><b>Example 12.1. Kerberos Configuration File: <code class="filename">/etc/krb5.conf</code></b></p><div class="example-contents"><pre class="screen"> +[libdefaults] + default_realm = LONDON.ABMAS.BIZ + +[realms] + LONDON.ABMAS.BIZ = { + kdc = w2k3s.london.abmas.biz + } +</pre></div></div><br class="example-break"><p><a class="indexterm" name="id386085"></a> + The command +</p><pre class="screen"> +<code class="prompt">root# </code> klist -e +</pre><p> + shows the Kerberos tickets cached by the system. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386107"></a>Samba Configuration</h4></div></div></div><p> + <a class="indexterm" name="id386115"></a> + Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it + has the necessary components to interface with Active Directory. + </p><div class="procedure"><a name="id386124"></a><p class="title"><b>Procedure 12.2. Securing Samba-3 With ADS Support Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id386136"></a> + <a class="indexterm" name="id386142"></a> + <a class="indexterm" name="id386149"></a> + <a class="indexterm" name="id386156"></a> + <a class="indexterm" name="id386163"></a> + Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team + <a href="http://ftp.samba.org" target="_top">FTP site.</a> The official Samba Team + RPMs for Red Hat Fedora Linux contain the <code class="literal">ntlm_auth</code> tool + needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use. + </p><p> + <a class="indexterm" name="id386187"></a> + <a class="indexterm" name="id386194"></a> + The necessary, validated RPM packages for SUSE Linux may be obtained from + the <a href="ftp://ftp.sernet.de/pub/samba" target="_top">SerNet</a> FTP site that + is located in Germany. All SerNet RPMs are validated, have the necessary + <code class="literal">ntlm_auth</code> tool, and are statically linked + against suitably patched Heimdal 0.6 libraries. + </p></li><li><p> + Using your favorite editor, change the <code class="filename">/etc/samba/smb.conf</code> + file so it has contents similar to the example shown in <a href="DomApps.html#ch10-smbconf" title="Example 12.2. Samba Configuration File: /etc/samba/smb.conf">???</a>. + </p></li><li><p> + <a class="indexterm" name="id386241"></a> + <a class="indexterm" name="id386248"></a> + <a class="indexterm" name="id386254"></a>i + <a class="indexterm" name="id386266"></a> + <a class="indexterm" name="id386273"></a> + Next you need to create a computer account in the Active Directory. + This sets up the trust relationship needed for other clients to + authenticate to the Samba server with an Active Directory Kerberos ticket. + This is done with the “<span class="quote">net ads join -U [Administrator%Password]</span>” + command, as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads join -U administrator%vulcon +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id386304"></a> + <a class="indexterm" name="id386311"></a> + <a class="indexterm" name="id386317"></a> + <a class="indexterm" name="id386324"></a> + <a class="indexterm" name="id386331"></a> + Your new Samba binaries must be started in the standard manner as is applicable + to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> smbd -D +<code class="prompt">root# </code> nmbd -D +<code class="prompt">root# </code> winbindd -B +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id386370"></a> + <a class="indexterm" name="id386376"></a> + <a class="indexterm" name="id386386"></a> + <a class="indexterm" name="id386392"></a> + <a class="indexterm" name="id386399"></a> + We now need to test that Samba is communicating with the Active + Directory domain; most specifically, we want to see whether winbind + is enumerating users and groups. Issue the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo -t +checking the trust secret via RPC calls succeeded +</pre><p> + This tests whether we are authenticating against Active Directory: +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo -u +LONDON+Administrator +LONDON+Guest +LONDON+SUPPORT_388945a0 +LONDON+krbtgt +LONDON+jht +LONDON+xjht +</pre><p> + This enumerates all the users in your Active Directory tree: +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo -g +LONDON+Domain Computers +LONDON+Domain Controllers +LONDON+Schema Admins +LONDON+Enterprise Admins +LONDON+Domain Admins +LONDON+Domain Users +LONDON+Domain Guests +LONDON+Group Policy Creator Owners +LONDON+DnsUpdateProxy +</pre><p> + This enumerates all the groups in your Active Directory tree. + </p></li><li><p> + <a class="indexterm" name="id386456"></a> + <a class="indexterm" name="id386463"></a> + Squid uses the <code class="literal">ntlm_auth</code> helper build with Samba-3. + You may test <code class="literal">ntlm_auth</code> with the command: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/ntlm_auth --username=jht +password: XXXXXXXX +</pre><p> + You are asked for your password, which you should enter. You are rewarded with: +</p><pre class="screen"> +<code class="prompt">root# </code> NT_STATUS_OK: Success (0x0) +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id386513"></a> + <a class="indexterm" name="id386520"></a> + <a class="indexterm" name="id386527"></a> + <a class="indexterm" name="id386533"></a> + <a class="indexterm" name="id386540"></a> + <a class="indexterm" name="id386547"></a> + <a class="indexterm" name="id386554"></a> + <a class="indexterm" name="id386561"></a> + The <code class="literal">ntlm_auth</code> helper, when run from a command line as the user + “<span class="quote">root</span>”, authenticates against your Active Directory domain (with + the aid of winbind). It manages this by reading from the winbind privileged pipe. + Squid is running with the permissions of user “<span class="quote">squid</span>” and group + “<span class="quote">squid</span>” and is not able to do this unless we make a vital change. + Squid cannot read from the winbind privilege pipe unless you change the + permissions of its directory. This is the single biggest cause of failure in the + whole process. Remember to issue the following command (for Red Hat Linux): +</p><pre class="screen"> +<code class="prompt">root# </code> chgrp squid /var/cache/samba/winbindd_privileged +<code class="prompt">root# </code> chmod 750 /var/cache/samba/winbindd_privileged +</pre><p> + For SUSE Linux 9, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> chgrp squid /var/lib/samba/winbindd_privileged +<code class="prompt">root# </code> chmod 750 /var/lib/samba/winbindd_privileged +</pre><p> + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386629"></a>NSS Configuration</h4></div></div></div><p> + <a class="indexterm" name="id386636"></a> + <a class="indexterm" name="id386643"></a> + <a class="indexterm" name="id386650"></a> + For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication. + </p><p> + Edit your <code class="filename">/etc/nsswitch.conf</code> file so it has the parameters shown + in <a href="DomApps.html#ch10-etcnsscfg" title="Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf">???</a>. + </p><div class="example"><a name="ch10-smbconf"></a><p class="title"><b>Example 12.2. Samba Configuration File: <code class="filename">/etc/samba/smb.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id386706"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id386719"></a><em class="parameter"><code>netbios name = W2K3S</code></em></td></tr><tr><td><a class="indexterm" name="id386731"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id386744"></a><em class="parameter"><code>security = ads</code></em></td></tr><tr><td><a class="indexterm" name="id386756"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr><tr><td><a class="indexterm" name="id386769"></a><em class="parameter"><code>password server = w2k3s.london.abmas.biz</code></em></td></tr><tr><td># separate domain and username with '/', like DOMAIN/username</td></tr><tr><td><a class="indexterm" name="id386786"></a><em class="parameter"><code>winbind separator = /</code></em></td></tr><tr><td># use UIDs from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id386802"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td># use GIDs from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id386818"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id386834"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id386847"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td><a class="indexterm" name="id386860"></a><em class="parameter"><code>winbind user default domain = yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch10-etcnsscfg"></a><p class="title"><b>Example 12.3. NSS Configuration File Extract File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen"> +passwd: files winbind +shadow: files +group: files winbind +</pre></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386899"></a>Squid Configuration</h4></div></div></div><p> + <a class="indexterm" name="id386906"></a> + <a class="indexterm" name="id386913"></a> + Squid must be configured correctly to interact with the Samba-3 + components that handle Active Directory authentication. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386927"></a>Configuration</h3></div></div></div></div><div class="procedure"><a name="id386932"></a><p class="title"><b>Procedure 12.3. Squid Configuration Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id386944"></a> + <a class="indexterm" name="id386950"></a> + <a class="indexterm" name="id386958"></a> + If your Linux distribution is SUSE Linux 9, the version of Squid + supplied is already enabled to use the winbind helper agent. You + can therefore omit the steps that would build the Squid binary + programs. + </p></li><li><p> + <a class="indexterm" name="id386974"></a> + <a class="indexterm" name="id386980"></a> + <a class="indexterm" name="id386987"></a> + <a class="indexterm" name="id386994"></a> + <a class="indexterm" name="id387001"></a> + Squid, by default, runs as the user <code class="constant">nobody</code>. You need to + add a system user <code class="constant">squid</code> and a system group + <code class="constant">squid</code> if they are not set up already (if the default + Red Hat squid rpms were installed, they will be). Set up a + <code class="constant">squid</code> user in <code class="filename">/etc/passwd</code> + and a <code class="constant">squid</code> group in <code class="filename">/etc/group</code> if these aren't there already. + </p></li><li><p> + <a class="indexterm" name="id387046"></a> + <a class="indexterm" name="id387053"></a> + You now need to change the permissions on Squid's <code class="constant">var</code> + directory. Enter the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> chown -R squid /var/cache/squid +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id387082"></a> + <a class="indexterm" name="id387089"></a> + Squid must also have control over its logging. Enter the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> chown -R chown squid:squid /var/log/squid +<code class="prompt">root# </code> chmod 770 /var/log/squid +</pre><p> + </p></li><li><p> + Finally, Squid must be able to write to its disk cache! + Enter the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> chown -R chown squid:squid /var/cache/squid +<code class="prompt">root# </code> chmod 770 /var/cache/squid +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id387147"></a> + The <code class="filename">/etc/squid/squid.conf</code> file must be edited to include the lines from + <a href="DomApps.html#etcsquidcfg" title="Example 12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]">???</a> and <a href="DomApps.html#etcsquid2" title="Example 12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]">???</a>. + </p></li><li><p> + <a class="indexterm" name="id387179"></a> + You must create Squid's cache directories before it may be run. Enter the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> squid -z +</pre><p> + </p></li><li><p> + Finally, start Squid and enjoy transparent Active Directory authentication. + Enter the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> squid +</pre><p> + </p></li></ol></div><div class="example"><a name="etcsquidcfg"></a><p class="title"><b>Example 12.4. Squid Configuration File Extract <code class="filename">/etc/squid.conf</code> [ADMINISTRATIVE PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen"> + cache_effective_user squid + cache_effective_group squid +</pre></div></div><br class="example-break"><div class="example"><a name="etcsquid2"></a><p class="title"><b>Example 12.5. Squid Configuration File extract File: <code class="filename">/etc/squid.conf</code> [AUTHENTICATION PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen"> + auth_param ntlm program /usr/bin/ntlm_auth \ + --helper-protocol=squid-2.5-ntlmssp + auth_param ntlm children 5 + auth_param ntlm max_challenge_reuses 0 + auth_param ntlm max_challenge_lifetime 2 minutes + auth_param basic program /usr/bin/ntlm_auth \ + --helper-protocol=squid-2.5-basic + auth_param basic children 5 + auth_param basic realm Squid proxy-caching web server + auth_param basic credentialsttl 2 hours + acl AuthorizedUsers proxy_auth REQUIRED + http_access allow all AuthorizedUsers +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id387274"></a>Key Points Learned</h3></div></div></div><p> + <a class="indexterm" name="id387282"></a> + <a class="indexterm" name="id387289"></a> + <a class="indexterm" name="id387296"></a> + <a class="indexterm" name="id387302"></a> + <a class="indexterm" name="id387314"></a> + Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft + Windows clients use, even when accessing traditional services such as Web browsers. Depending + on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, + the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over + the cookie-based authentication regime used by all competing browsers. It is Samba's implementation + of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387329"></a>Questions and Answers</h2></div></div></div><p> + <a class="indexterm" name="id387337"></a> + <a class="indexterm" name="id387344"></a> + <a class="indexterm" name="id387350"></a> + <a class="indexterm" name="id387357"></a> + The development of the <code class="literal">ntlm_auth</code> module was first discussed in many Open Source circles + in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of + <code class="literal">ntlm_auth</code> during one of the late developer meetings that took place. Since that time, the + adoption of <code class="literal">ntlm_auth</code> has spread considerably. + </p><p> + The largest report from a site that uses Squid with <code class="literal">ntlm_auth</code>-based authentication + support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000 + users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who + wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following + comments were made with respect to questions regarding the performance of this installation: + </p><div class="blockquote"><blockquote class="blockquote"><p> + [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “<span class="quote">almost</span>” + part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case + scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication]. + </p></blockquote></div><p> + You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. + Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run + out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. + </p><div class="qandaset"><dl><dt> <a href="DomApps.html#id387422"> + What does Samba have to do with Web proxy serving? + </a></dt><dt> <a href="DomApps.html#id387582"> + What other services does Samba provide? + </a></dt><dt> <a href="DomApps.html#id387717"> + Does use of Samba (ntlm_auth) improve the performance of Squid? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id387422"></a><a name="id387425"></a></td><td align="left" valign="top"><p> + What does Samba have to do with Web proxy serving? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id387436"></a> + <a class="indexterm" name="id387443"></a> + <a class="indexterm" name="id387450"></a> + <a class="indexterm" name="id387459"></a> + <a class="indexterm" name="id387466"></a> + To provide transparent interoperability between Windows clients and the network services + that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit + of Open Source software is that it can readily be reused. The current <code class="literal">ntlm_auth</code> + module is basically a wrapper around authentication code from the core of the Samba project. + </p><p> + <a class="indexterm" name="id387485"></a> + <a class="indexterm" name="id387492"></a> + <a class="indexterm" name="id387501"></a> + <a class="indexterm" name="id387510"></a> + <a class="indexterm" name="id387519"></a> + <a class="indexterm" name="id387525"></a> + <a class="indexterm" name="id387532"></a> + <a class="indexterm" name="id387539"></a> + <a class="indexterm" name="id387546"></a> + The <code class="literal">ntlm_auth</code> module supports basic plain-text authentication and NTLMSSP + protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without + the user being interrupted via his or her Windows logon credentials. This facility is available with + MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server. + There are a few open source initiatives to provide support for these protocols in the Apache Web server + also. + </p><p> + <a class="indexterm" name="id387570"></a> + The short answer is that by adding a wrapper around key authentication components of Samba, other + projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id387582"></a><a name="id387584"></a></td><td align="left" valign="top"><p> + What other services does Samba provide? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id387595"></a> + <a class="indexterm" name="id387602"></a> + <a class="indexterm" name="id387609"></a> + <a class="indexterm" name="id387616"></a> + <a class="indexterm" name="id387623"></a> + Samba-3 is a file and print server. The core components that provide this functionality are <code class="literal">smbd</code>, + <code class="literal">nmbd</code>, and the identity resolver daemon, <code class="literal">winbindd</code>. + </p><p> + <a class="indexterm" name="id387652"></a> + <a class="indexterm" name="id387658"></a> + Samba-3 is an SMB/CIFS client. The core component that provides this is called <code class="literal">smbclient</code>. + </p><p> + <a class="indexterm" name="id387675"></a> + <a class="indexterm" name="id387682"></a> + <a class="indexterm" name="id387689"></a> + <a class="indexterm" name="id387696"></a> + <a class="indexterm" name="id387702"></a> + Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. + Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux + servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts + as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules + to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial + server products). + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id387717"></a><a name="id387720"></a></td><td align="left" valign="top"><p> + Does use of Samba (<code class="literal">ntlm_auth</code>) improve the performance of Squid? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Not really. Samba's <code class="literal">ntlm_auth</code> module handles only authentication. It requires that + Squid make an external call to <code class="literal">ntlm_auth</code> and therefore actually incurs a + little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since + Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide + sufficient memory when using Squid. Just add a little more to accommodate <code class="literal">ntlm_auth</code>. + </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Active Directory, Kerberos, and Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Performance, Reliability, and Availability</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/ExNetworks.html b/docs/htmldocs/Samba3-ByExample/ExNetworks.html new file mode 100644 index 0000000000..872fb3338d --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/ExNetworks.html @@ -0,0 +1,23 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. Example Network Configurations</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="preface.html" title="Preface"><link rel="next" href="simple.html" title="Chapter 1. No-Frills Samba Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. Example Network Configurations</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="preface.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="simple.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="ExNetworks"></a>Part I. Example Network Configurations</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id323997"></a>Example Network Configurations</h1></div></div></div><p> +This section of <span class="emphasis"><em>Samba-3 by Example</em></span> provides example network +configurations that can be copied, or modified as needed, and deployed as-is. +The contents have been marginally updated to reflect changes made in Samba=3.0.23. +</p><p> +Best use can be made of this book by finding in this section the network design and +layout that best approximates your estimated needs. It is recommended that you will +implement the design pattern exactly as it appears, then after the installation has +been proven to work make any changes or modifications needed at your site. +</p><p> +The examples have been tested with Red Hat Fedora Core 2, Novell SUSE Linux Professional +9.3 and Novell SUSE Linux Enterprise Server (SLES) 9. The principals of implementation +apply to all Linux and UNIX systems in general, though some system files and tools will +be different and the location of some Samba file locations will be different since these +are determined by the person who packages Samba for each platform. +</p><p> +If you are deploying Samba is a mission-critical environment, or if you simply want +to save time and get your Samba network operational with minimal fuss, there is the +option to purchase commercial, professional, Samba support. Information regarding +commercial support options may be obtained from the commercial +<a href="http://www.samba.org/samba/support/" target="_top">support</a> pages from +the Samba web site. +</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="simple.html">1. No-Frills Samba Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="simple.html#id324059">Introduction</a></span></dt><dt><span class="sect1"><a href="simple.html#id324090">Assignment Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="simple.html#id324129">Drafting Office</a></span></dt><dt><span class="sect2"><a href="simple.html#id324836">Charity Administration Office</a></span></dt><dt><span class="sect2"><a href="simple.html#AccountingOffice">Accounting Office</a></span></dt></dl></dd><dt><span class="sect1"><a href="simple.html#id328349">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="small.html">2. Small Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="small.html#id328760">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id328778">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id328824">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id328873">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id329059">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id329077">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id330725">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id331347">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id331367">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id331433">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="secure.html">3. Secure Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="secure.html#id331890">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id331930">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id332152">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id332164">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id332528">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id332562">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id333388">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id337670">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id337723">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="Big500users.html">4. The 500-User Office</a></span></dt><dd><dl><dt><span class="sect1"><a href="Big500users.html#id338164">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id338194">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id338275">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id338303">Technical Issues</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id338479">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id338499">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#ch5-dnshcp-setup">Installation of DHCP, DNS, and Samba Control Files</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id339213">Server Preparation: All Servers</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id339728">Server-Specific Preparation</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id342792">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id342844">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="happy.html">5. Making Happy Users</a></span></dt><dd><dl><dt><span class="sect1"><a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id343715">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id343791">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id343919">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id344321">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id345972">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id345985">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id346155">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id352602">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id352618">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id352707">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id352935">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id353033">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id353147">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id354146">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id354787">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id354813">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id354843">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id354931">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="2000users.html">6. A Distributed 2000-User Network</a></span></dt><dd><dl><dt><span class="sect1"><a href="2000users.html#id355265">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id355290">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id355347">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id355593">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id356417">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id356432">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id359591">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id359730">Questions and Answers</a></span></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="preface.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="simple.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Preface </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. No-Frills Samba Servers</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/HA.html b/docs/htmldocs/Samba3-ByExample/HA.html new file mode 100644 index 0000000000..605a490fd7 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/HA.html @@ -0,0 +1,416 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Performance, Reliability, and Availability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="DomApps.html" title="Chapter 12. Integrating Additional Services"><link rel="next" href="ch14.html" title="Chapter 14. Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Performance, Reliability, and Availability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DomApps.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="ch14.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="HA"></a>Chapter 13. Performance, Reliability, and Availability</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="HA.html#id387816">Introduction</a></span></dt><dt><span class="sect1"><a href="HA.html#id387893">Dissection and Discussion</a></span></dt><dt><span class="sect1"><a href="HA.html#id388343">Guidelines for Reliable Samba Operation</a></span></dt><dd><dl><dt><span class="sect2"><a href="HA.html#id388368">Name Resolution</a></span></dt><dt><span class="sect2"><a href="HA.html#id388810">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="HA.html#id389105">Use and Location of BDCs</a></span></dt><dt><span class="sect2"><a href="HA.html#id389172">Use One Consistent Version of MS Windows Client</a></span></dt><dt><span class="sect2"><a href="HA.html#id389190">For Scalability, Use SAN-Based Storage on Samba Servers</a></span></dt><dt><span class="sect2"><a href="HA.html#id389235">Distribute Network Load with MSDFS</a></span></dt><dt><span class="sect2"><a href="HA.html#id389285">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></span></dt><dt><span class="sect2"><a href="HA.html#id389326">Hardware Problems</a></span></dt><dt><span class="sect2"><a href="HA.html#id389459">Large Directories</a></span></dt></dl></dd><dt><span class="sect1"><a href="HA.html#id389537">Key Points Learned</a></span></dt></dl></div><p> + <a class="indexterm" name="id387778"></a> + <a class="indexterm" name="id387785"></a> + <a class="indexterm" name="id387792"></a> + Well, you have reached one of the last chapters of this book. It is customary to attempt + to wrap up the theme and contents of a book in what is generally regarded as the + chapter that should draw conclusions. This book is a suspense thriller, and since + the plot of the stories told mostly lead you to bigger, better Samba-3 networking + solutions, it is perhaps appropriate to close this book with a few pertinent comments + regarding some of the things everyone can do to deliver a reliable Samba-3 network. + </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> + In a world so full of noise, how can the sparrow be heard? + </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Anonymous</span></td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387816"></a>Introduction</h2></div></div></div><p> + <a class="indexterm" name="id387823"></a> + The sparrow is a small bird whose sounds are drowned out by the noise of the busy + world it lives in. Likewise, the simple steps that can be taken to improve the + reliability and availability of a Samba network are often drowned out by the volume + of discussions about grandiose Samba clustering designs. This is not intended to + suggest that clustering is not important, because clearly it is. This chapter does not devote + itself to discussion of clustering because each clustering methodology uses its own + custom tools and methods. Only passing comments are offered concerning these methods. + </p><p> + <a class="indexterm" name="id387838"></a> + <a class="indexterm" name="id387845"></a> + <a class="indexterm" name="id387852"></a> +<a href="http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=samba+cluster&btnG=Google+Search" target="_top">A search</a> + for “<span class="quote">samba cluster</span>” produced 71,600 hits. And a search for “<span class="quote">highly available samba</span>” + and “<span class="quote">highly available windows</span>” produced an amazing number of references. + It is clear from the resources on the Internet that Windows file and print services + availability, reliability, and scalability are of vital interest to corporate network users. + </p><p> + <a class="indexterm" name="id387882"></a> + So without further background, you can review a checklist of simple steps that + can be taken to ensure acceptable network performance while keeping costs of ownership + well under control. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387893"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id387900"></a> + <a class="indexterm" name="id387907"></a> + If it is your purpose to get the best mileage out of your Samba servers, there is one rule that + must be obeyed. If you want the best, keep your implementation as simple as possible. You may + well be forced to introduce some complexities, but you should do so only as a last resort. + </p><p> + Simple solutions are likely to be easier to get right than are complex ones. They certainly + make life easier for your successor. Simple implementations can be more readily audited than can + complex ones. + </p><p> + <a class="indexterm" name="id387925"></a> + <a class="indexterm" name="id387932"></a> + Problems reported by users fall into three categories: configurations that do not work, those + that have broken behavior, and poor performance. The term <span class="emphasis"><em>broken behavior</em></span> + means that the function of a particular Samba component appears to work sometimes, but not at + others. The resulting intermittent operation is clearly unacceptable. An example of + <span class="emphasis"><em>broken behavior</em></span> known to many Windows networking users occurs when the + list of Windows machines in MS Explorer changes, sometimes listing machines that are running + and at other times not listing them even though the machines are in use on the network. + </p><p> + <a class="indexterm" name="id387954"></a> + <a class="indexterm" name="id387961"></a> + <a class="indexterm" name="id387967"></a> + <a class="indexterm" name="id387974"></a> + <a class="indexterm" name="id387981"></a> + <a class="indexterm" name="id387988"></a> + A significant number of reports concern problems with the <code class="literal">smbfs</code> file system + driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that + <code class="literal">smbfs</code> is part of Samba, simply because Samba includes the front-end tools + that are used to manage <code class="literal">smbfs</code>-based file service connections. So, just + for the record, the tools <code class="literal">smbmnt</code>, <code class="literal">smbmount</code>, + <code class="literal">smbumount</code>, and <code class="literal">smbumnt</code> are front-end + facilities to core drivers that are supplied as part of the Linux kernel. These tools share a + common infrastructure with some Samba components, but they are not maintained as part of + Samba and are really foreign to it. + </p><p> + <a class="indexterm" name="id388044"></a> + The new project, <code class="literal">cifsfs</code>, is destined to replace <code class="literal">smbfs</code>. + It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in + this project. + </p><p> + Table 13.1 lists typical causes of: + </p><div class="itemizedlist"><ul type="disc"><li><p>Not Working (NW)</p></li><li><p>Broken Behavior (BB)</p></li><li><p>Poor Performance (PP)</p></li></ul></div><div class="table"><a name="ProbList"></a><p class="title"><b>Table 13.1. Effect of Common Problems</b></p><div class="table-contents"><table summary="Effect of Common Problems" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="left"><p>Problem</p></th><th align="center"><p>NW</p></th><th align="center"><p>BB</p></th><th align="center"><p>PP</p></th></tr></thead><tbody><tr><td align="left"><p>File locking</p></td><td align="center"><p>-</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Hardware problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>Incorrect authentication</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Incorrect configuration</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>LDAP problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Name resolution</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>Printing problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Slow file transfer</p></td><td align="center"><p>-</p></td><td align="center"><p>-</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>Winbind problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr></tbody></table></div></div><br class="table-break"><p> + <a class="indexterm" name="id388332"></a> + It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate + problems that affect basic network operation. This book has provided sufficient working examples + to help you to avoid all these problems. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388343"></a>Guidelines for Reliable Samba Operation</h2></div></div></div><p> + <a class="indexterm" name="id388351"></a> + <a class="indexterm" name="id388358"></a> + Your objective is to provide a network that works correctly, can grow at all times, is resilient + at times of extreme demand, and can scale to meet future needs. The following subject areas provide + pointers that can help you today. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388368"></a>Name Resolution</h3></div></div></div><p> + There are three basic current problem areas: bad hostnames, routed networks, and network collisions. + These are covered in the following discussion. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id388378"></a>Bad Hostnames</h4></div></div></div><p> + <a class="indexterm" name="id388386"></a> + <a class="indexterm" name="id388395"></a> + <a class="indexterm" name="id388402"></a> + <a class="indexterm" name="id388409"></a> + <a class="indexterm" name="id388416"></a> + When configured as a DHCP client, a number of Linux distributions set the system hostname + to <code class="constant">localhost</code>. If the parameter <em class="parameter"><code>netbios name</code></em> is not + specified to something other than <code class="constant">localhost</code>, the Samba server appears + in the Windows Explorer as <code class="constant">LOCALHOST</code>. Moreover, the entry in the <code class="filename">/etc/hosts</code> + on the Linux server points to IP address <code class="constant">127.0.0.1</code>. This means that + when the Windows client obtains the IP address of the Samba server called <code class="constant">LOCALHOST</code>, + it obtains the IP address <code class="constant">127.0.0.1</code> and then proceeds to attempt to + set up a NetBIOS over TCP/IP connection to it. This cannot work, because that IP address is + the local Windows machine itself. Hostnames must be valid for Windows networking to function + correctly. + </p><p> + <a class="indexterm" name="id388465"></a> + A few sites have tried to name Windows clients and Samba servers with a name that begins + with the digits 1-9. This does not work either because it may result in the client or + server attempting to use that name as an IP address. + </p><p> + <a class="indexterm" name="id388477"></a> + <a class="indexterm" name="id388486"></a> + A Samba server called <code class="constant">FRED</code> in a NetBIOS domain called <code class="constant">COLLISION</code> + in a network environment that is part of the fully-qualified Internet domain namespace known + as <code class="constant">parrots.com</code>, results in DNS name lookups for <code class="constant">fred.parrots.com</code> + and <code class="constant">collision.parrots.com</code>. It is therefore a mistake to name the domain + (workgroup) <code class="constant">collision.parrots.com</code>, since this results in DNS lookup + attempts to resolve <code class="constant">fred.parrots.com.parrots.com</code>, which most likely + fails given that you probably do not have this in your DNS namespace. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id388526"></a> + <a class="indexterm" name="id388535"></a> + <a class="indexterm" name="id388542"></a> + An Active Directory realm called <code class="constant">collision.parrots.com</code> is perfectly okay, + although it too must be capable of being resolved via DNS, something that functions correctly + if Windows 200x ADS has been properly installed and configured. + </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id388556"></a>Routed Networks</h4></div></div></div><p> + <a class="indexterm" name="id388564"></a> + <a class="indexterm" name="id388570"></a> + <a class="indexterm" name="id388580"></a> + NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use + of UDP-based broadcast traffic, as you saw during the exercises in <a href="primer.html" title="Chapter 16. Networking Primer">???</a>. + </p><p> + <a class="indexterm" name="id388598"></a> + <a class="indexterm" name="id388605"></a> + <a class="indexterm" name="id388612"></a> + UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based + networking cannot function across routed networks (i.e., multi-subnet networks) unless + special provisions are made: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id388627"></a> + <a class="indexterm" name="id388634"></a> + <a class="indexterm" name="id388640"></a> + Either install on every Windows client an LMHOSTS file (located in the directory + <code class="filename">C:\windows\system32\drivers\etc</code>). It is also necessary to + add to the Samba server <code class="filename">smb.conf</code> file the parameters <em class="parameter"><code>remote announce</code></em> + and <em class="parameter"><code>remote browse sync</code></em>. For more information, refer to the online + manual page for the <code class="filename">smb.conf</code> file. + </p></li><li><p> + <a class="indexterm" name="id388683"></a> + Or configure Samba as a WINS server, and configure all network clients to use that + WINS server in their TCP/IP configuration. + </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id388699"></a> + <a class="indexterm" name="id388708"></a> + The use of DNS is not an acceptable substitute for WINS. DNS does not store specific + information regarding NetBIOS networking particulars that get stored in the WINS + name resolution database and that Windows clients require and depend on. + </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id388719"></a>Network Collisions</h4></div></div></div><p> + <a class="indexterm" name="id388727"></a> + <a class="indexterm" name="id388736"></a> + <a class="indexterm" name="id388745"></a> + <a class="indexterm" name="id388752"></a> + Excessive network activity causes NetBIOS network timeouts. Timeouts may result in + blue screen of death (BSOD) experiences. High collision rates may be caused by excessive + UDP broadcast activity, by defective networking hardware, or through excessive network + loads (another way of saying that the network is poorly designed). + </p><p> + The use of WINS is highly recommended to reduce network broadcast traffic, as outlined + in <a href="primer.html" title="Chapter 16. Networking Primer">???</a>. + </p><p> + <a class="indexterm" name="id388777"></a> + <a class="indexterm" name="id388784"></a> + <a class="indexterm" name="id388791"></a> + Under no circumstances should the facility be supported by many routers, known as <code class="constant">NetBIOS + forwarding</code>, unless you know exactly what you are doing. Inappropriate use of this + facility can result in UDP broadcast storms. In one case in 1999, a university network became + unusable due to NetBIOS forwarding being enabled on all routers. The problem was discovered during performance + testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was + less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance + immediately returned to 11 MB/sec. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388810"></a>Samba Configuration</h3></div></div></div><p> + As a general rule, the contents of the <code class="filename">smb.conf</code> file should be kept as simple as possible. + No parameter should be specified unless you know it is essential to operation. + </p><p> + <a class="indexterm" name="id388828"></a> + <a class="indexterm" name="id388835"></a> + <a class="indexterm" name="id388842"></a> + Many UNIX administrators like to fully document the settings in the <code class="filename">smb.conf</code> file. This is a + bad idea because it adds content to the file. The <code class="filename">smb.conf</code> file is re-read by every <code class="literal">smbd</code> + process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so). + </p><p> + As the size of the <code class="filename">smb.conf</code> file grows, the risk of introducing parsing errors also increases. + It is recommended to keep a fully documented <code class="filename">smb.conf</code> file on hand, and then to operate Samba only + with an optimized file. + </p><p><a class="indexterm" name="id388887"></a> + The preferred way to maintain a documented file is to call it something like <code class="filename">smb.conf.master</code>. + You can generate the optimized file by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf +</pre><p> + You should carefully observe all warnings issued. It is also a good practice to execute the following + command to confirm correct interpretation of the <code class="filename">smb.conf</code> file contents: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm +Load smb config files from /etc/samba/smb.conf +Can't find include file /etc/samba/machine. +Processing section "[homes]" +Processing section "[print$]" +Processing section "[netlogon]" +Processing section "[Profiles]" +Processing section "[printers]" +Processing section "[media]" +Processing section "[data]" +Processing section "[cdr]" +Processing section "[apps]" +Loaded services file OK. +'winbind separator = +' might cause problems with group membership. +Server role: ROLE_DOMAIN_PDC +Press enter to see a dump of your service definitions +</pre><p> + <a class="indexterm" name="id388938"></a> + You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C. + The important thing to note is the noted Server role, as well as warning messages. Noted configuration + conflicts must be remedied before proceeding. For example, the following error message represents a + common fatal problem: +</p><pre class="screen"> +ERROR: both 'wins support = true' and 'wins server = <server list>' +cannot be set in the smb.conf file. nmbd will abort with this setting. +</pre><p> + </p><p> + <a class="indexterm" name="id388960"></a> + <a class="indexterm" name="id388967"></a> + <a class="indexterm" name="id388974"></a> + There are two parameters that can cause severe network performance degradation: <em class="parameter"><code>socket options</code></em> + and <em class="parameter"><code>socket address</code></em>. The <em class="parameter"><code>socket options</code></em> parameter was often necessary + when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from + this parameter being set. Do not use either parameter unless it has been proven necessary to use them. + </p><p> + <a class="indexterm" name="id389004"></a> + <a class="indexterm" name="id389011"></a> + <a class="indexterm" name="id389018"></a> + <a class="indexterm" name="id389025"></a> + Another <code class="filename">smb.conf</code> parameter that may cause severe network performance degradation is the + <em class="parameter"><code>strict sync</code></em> parameter. Do not use this at all. There is no good reason + to use this with any modern Windows client. The <em class="parameter"><code>strict sync</code></em> is often + used with the <em class="parameter"><code>sync always</code></em> parameter. This, too, can severely + degrade network performance, so do not set it; if you must, do so with caution. + </p><p> + <a class="indexterm" name="id389064"></a> + <a class="indexterm" name="id389071"></a> + <a class="indexterm" name="id389077"></a> + <a class="indexterm" name="id389084"></a> + Finally, many network administrators deliberately disable opportunistic locking support. While this + does not degrade Samba performance, it significantly degrades Windows client performance because + this disables local file caching on Windows clients and forces every file read and written to + invoke a network read or write call. If for any reason you must disable oplocks (opportunistic locking) + support, do so only on the share on which it is required. That way, all other shares can provide + oplock support for operations that are tolerant of it. See <a href="appendix.html#ch12dblck" title="Shared Data Integrity">???</a> for more + information. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389105"></a>Use and Location of BDCs</h3></div></div></div><p> + <a class="indexterm" name="id389113"></a> + <a class="indexterm" name="id389119"></a> + <a class="indexterm" name="id389126"></a> + <a class="indexterm" name="id389132"></a> + <a class="indexterm" name="id389139"></a> + On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon + processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of + authentication and logon processing. When a sole BDC on a routed network segment gets heavily + loaded, it is possible that network logon requests and authentication requests may be directed + to a BDC on a distant network segment. This significantly hinders WAN operations + and is undesirable. + </p><p> + <a class="indexterm" name="id389154"></a> + <a class="indexterm" name="id389160"></a> + As a general guide, instead of adding domain member servers to a network, you would be better advised + to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add + domain member servers. This practice ensures that there are always sufficient domain controllers + to handle logon requests and authentication traffic. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389172"></a>Use One Consistent Version of MS Windows Client</h3></div></div></div><p> + Every network client has its own peculiarities. From a management perspective, it is easier to deal + with one version of MS Windows that is maintained to a consistent update level than it is to deal + with a mixture of clients. + </p><p> + On a number of occasions, particular Microsoft service pack updates of a Windows server or client + have necessitated special handling from the Samba server end. If you want to remain sane, keep you + client workstation configurations consistent. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389190"></a>For Scalability, Use SAN-Based Storage on Samba Servers</h3></div></div></div><p> + <a class="indexterm" name="id389198"></a> + <a class="indexterm" name="id389205"></a> + Many SAN-based storage systems permit more than one server to share a common data store. + Use of a shared SAN data store means that you do not need to use time- and resource-hungry data + synchronization techniques. + </p><p> + <a class="indexterm" name="id389217"></a> + <a class="indexterm" name="id389224"></a> + The use of a collection of relatively low-cost front-end Samba servers that are coupled to + a shared backend SAN data store permits load distribution while containing costs below that + of installing and managing a complex clustering facility. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389235"></a>Distribute Network Load with MSDFS</h3></div></div></div><p> + <a class="indexterm" name="id389242"></a> + <a class="indexterm" name="id389249"></a> + Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits + data to be accessed from a single share and yet to actually be distributed across multiple actual + servers. Refer to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 19, for information regarding + implementation of an MSDFS installation. + </p><p> + <a class="indexterm" name="id389266"></a> + <a class="indexterm" name="id389275"></a> + The combination of multiple backend servers together with a front-end server and use of MSDFS + can achieve almost the same as you would obtain with a clustered Samba server. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389285"></a>Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</h3></div></div></div><p> + <a class="indexterm" name="id389293"></a> + <a class="indexterm" name="id389300"></a> + <a class="indexterm" name="id389307"></a> + Consider using <code class="literal">rsync</code> to replicate data across the WAN during times + of low utilization. Users can then access the replicated data store rather than needing to do so + across the WAN. This works best for read-only data, but with careful planning can be + implemented so that modified files get replicated back to the point of origin. Be careful with your + implementation if you choose to permit modification and return replication of the modified file; + otherwise, you may inadvertently overwrite important data. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389326"></a>Hardware Problems</h3></div></div></div><p> + <a class="indexterm" name="id389334"></a> + <a class="indexterm" name="id389341"></a> + <a class="indexterm" name="id389348"></a> + <a class="indexterm" name="id389354"></a> + <a class="indexterm" name="id389364"></a> + <a class="indexterm" name="id389373"></a> + Networking hardware prices have fallen sharply over the past 5 years. A surprising number + of Samba networking problems over this time have been traced to defective network interface + cards (NICs) or defective HUBs, switches, and cables. + </p><p> + <a class="indexterm" name="id389387"></a> + Not surprising is the fact that network administrators do not like to be shown to have made + a bad decision. Money saved in buying low-cost hardware may result in high costs incurred + in corrective action. + </p><p> + <a class="indexterm" name="id389399"></a> + <a class="indexterm" name="id389406"></a> + <a class="indexterm" name="id389413"></a> + <a class="indexterm" name="id389420"></a> + <a class="indexterm" name="id389426"></a> + Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent + or persistent data corruption, slow network throughput, low performance, or even as BSOD + problems with MS Windows clients. In one case, a company updated several workstations with newer, faster + Windows client machines that triggered problems during logon as well as data integrity problems on + an older PC that was unaffected so long as the new machines were kept shut down. + </p><p> + Defective hardware problems may take patience and persistence before the real cause can be discovered. + </p><p> + <a class="indexterm" name="id389445"></a> + Networking hardware defects can significantly impact perceived Samba performance, but defective + RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server + operations. One business came to this realization only after replacing a Samba installation with MS + Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network + administrator until the entire server was replaced. While you may well think that this would never + happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389459"></a>Large Directories</h3></div></div></div><p> + There exist applications that create or manage directories containing many thousands of files. Such + applications typically generate many small files (less than 100 KB). At the best of times, under UNIX, + listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, + and XP Pro cause network file system directory lookups on a Samba server to be performed for both + the case preserving file name as well as for the mangled (8.3) file name. This incurs a huge overhead + on the Samba server that may slow down the system dramatically. + </p><p> + In an extreme case, the performance impact was dramatic. File transfer from the Samba server to a Windows + XP Professional workstation over 1 Gigabit Ethernet for 250-500 KB files was measured at approximately + 30 MB/sec. But when tranferring a directory containing 120,000 files, all from 50KB to 60KB in size, the + transfer rate to the same workstation was measured at approximately 1.5 KB/sec. The net transfer was + on the order of a factor of 20-fold slower. + </p><p> + The symptoms that will be observed on the Samba server when a large directory is accessed will be that + aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredibly + long while at the same time the read queue is large. Close observation will show that the hard drive + that the file system is on will be thrashing wildly. + </p><p> + Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is + really in the <a class="indexterm" name="id389490"></a>case sensitive = True line. This tells smbd never to scan + for case-insensitive versions of names. So if an application asks for a file called <code class="filename">FOO</code>, + and it can not be found by a simple stat call, then smbd will return "file not found" immediately without + scanning the containing directory for a version of a different case. + </p><p> + Canonicalize all the files in the directory to have one case, upper or lower - either will do. Then set up + a new custom share for the application as follows: + </p><pre class="screen"> + [bigshare] + path = /data/xrayfiles/neurosurgeons/ + read only = no + case sensitive = True + default case = upper + preserve case = no + short preserve case = no + </pre><p> + </p><p> + All files and directories under the <em class="parameter"><code>path</code></em> directory must be in the same case + as specified in the <code class="filename">smb.conf</code> stanza. This means that smbd will not be able to find lower case + filenames with these settings. Note, this is done on a per-share basis. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389537"></a>Key Points Learned</h2></div></div></div><p> + This chapter has touched in broad sweeps on a number of simple steps that can be taken + to ensure that your Samba network is resilient, scalable, and reliable, and that it + performs well. + </p><p> + Always keep in mind that someone is responsible to maintain and manage your design. + In the long term, that may not be you. Spare a thought for your successor and give him or + her an even break. + </p><p> + <a class="indexterm" name="id389554"></a> + Last, but not least, you should not only keep the network design simple, but also be sure it is + well documented. This book may serve as your pattern for documenting every + aspect of your design, its implementation, and particularly the objects and assumptions + that underlie it. + </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DomApps.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch14.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Integrating Additional Services </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. Samba Support</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/RefSection.html b/docs/htmldocs/Samba3-ByExample/RefSection.html new file mode 100644 index 0000000000..bf26841535 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/RefSection.html @@ -0,0 +1,52 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part III. Reference Section</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="nw4migration.html" title="Chapter 10. Migrating NetWare Server to Samba-3"><link rel="next" href="kerberos.html" title="Chapter 11. Active Directory, Kerberos, and Security"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part III. Reference Section</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="nw4migration.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="kerberos.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="RefSection"></a>Part III. Reference Section</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id380028"></a>Reference Section</h1></div></div></div><p> +This section <span class="emphasis"><em>Samba-3 by Example</em></span> provides important reference material +that may help you to solve network performance issues, to answer some of the critiques +published regarding Samba, or just to gain a more broad understanding of how Samba can +play in a Windows networking world. +</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="kerberos.html">11. Active Directory, Kerberos, and Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="kerberos.html#id380108">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id380691">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id380704">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id381076">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id382562">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id382896">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id383822">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id384506">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id384628">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="DomApps.html">12. Integrating Additional Services</a></span></dt><dd><dl><dt><span class="sect1"><a href="DomApps.html#id385213">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id385236">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id385322">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id385351">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id385497">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id385511">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id387274">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id387329">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="HA.html">13. Performance, Reliability, and Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="HA.html#id387816">Introduction</a></span></dt><dt><span class="sect1"><a href="HA.html#id387893">Dissection and Discussion</a></span></dt><dt><span class="sect1"><a href="HA.html#id388343">Guidelines for Reliable Samba Operation</a></span></dt><dd><dl><dt><span class="sect2"><a href="HA.html#id388368">Name Resolution</a></span></dt><dt><span class="sect2"><a href="HA.html#id388810">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="HA.html#id389105">Use and Location of BDCs</a></span></dt><dt><span class="sect2"><a href="HA.html#id389172">Use One Consistent Version of MS Windows Client</a></span></dt><dt><span class="sect2"><a href="HA.html#id389190">For Scalability, Use SAN-Based Storage on Samba Servers</a></span></dt><dt><span class="sect2"><a href="HA.html#id389235">Distribute Network Load with MSDFS</a></span></dt><dt><span class="sect2"><a href="HA.html#id389285">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></span></dt><dt><span class="sect2"><a href="HA.html#id389326">Hardware Problems</a></span></dt><dt><span class="sect2"><a href="HA.html#id389459">Large Directories</a></span></dt></dl></dd><dt><span class="sect1"><a href="HA.html#id389537">Key Points Learned</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch14.html">14. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch14.html#id389686">Free Support</a></span></dt><dt><span class="sect1"><a href="ch14.html#id389884">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="appendix.html">15. A Collection of Useful Tidbits</a></span></dt><dd><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id390543">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id390934">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id391231">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id391242">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id391285">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id391367">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id391422">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id391880">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id392795">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id393226">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id393365">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id393440">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="primer.html">16. Networking Primer</a></span></dt><dd><dl><dt><span class="sect1"><a href="primer.html#id393582">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id393718">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id393768">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id393876">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id393989">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id396068">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id396170">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></dd><dt><span class="appendix"><a href="apa.html">A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </a></span></dt><dd><dl><dt><span class="bridgehead"><a href="apa.html#id396759">A. + Preamble + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396868">A. + TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396872">A. + 0. Definitions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396936">A. + 1. Source Code. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396998">A. + 2. Basic Permissions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397032">A. + 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397056">A. + 4. Conveying Verbatim Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397075">A. + 5. Conveying Modified Source Versions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397152">A. + 6. Conveying Non-Source Forms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397284">A. + 7. Additional Terms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397389">A. + 8. Termination. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397424">A. + 9. Acceptance Not Required for Having Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397438">A. + 10. Automatic Licensing of Downstream Recipients. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397472">A. + 11. Patents. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397561">A. + 12. No Surrender of Others’ Freedom. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397577">A. + 13. Use with the ???TITLE??? Affero General Public License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397600">A. + 14. Revised Versions of this License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397648">A. + 15. Disclaimer of Warranty. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397665">A. + 16. Limitation of Liability. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397680">A. + 17. Interpretation of Sections 15 and 16. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397692">A. + END OF TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397696">A. + How to Apply These Terms to Your New Programs + </a></span></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="nw4migration.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="kerberos.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. Migrating NetWare Server to Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Active Directory, Kerberos, and Security</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/apa.html b/docs/htmldocs/Samba3-ByExample/apa.html new file mode 100644 index 0000000000..13ddab27e8 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/apa.html @@ -0,0 +1,719 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Appendix A. GNU General Public License version 3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="primer.html" title="Chapter 16. Networking Primer"><link rel="next" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </th></tr><tr><td width="20%" align="left"><a accesskey="p" href="primer.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr></table><hr></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id396733"></a>Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="bridgehead"><a href="apa.html#id396759">A. + Preamble + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396868">A. + TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396872">A. + 0. Definitions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396936">A. + 1. Source Code. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396998">A. + 2. Basic Permissions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397032">A. + 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397056">A. + 4. Conveying Verbatim Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397075">A. + 5. Conveying Modified Source Versions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397152">A. + 6. Conveying Non-Source Forms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397284">A. + 7. Additional Terms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397389">A. + 8. Termination. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397424">A. + 9. Acceptance Not Required for Having Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397438">A. + 10. Automatic Licensing of Downstream Recipients. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397472">A. + 11. Patents. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397561">A. + 12. No Surrender of Others’ Freedom. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397577">A. + 13. Use with the ???TITLE??? Affero General Public License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397600">A. + 14. Revised Versions of this License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397648">A. + 15. Disclaimer of Warranty. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397665">A. + 16. Limitation of Liability. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397680">A. + 17. Interpretation of Sections 15 and 16. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397692">A. + END OF TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397696">A. + How to Apply These Terms to Your New Programs + </a></span></dt></dl></div><p> + Version 3, 29 June 2007 + </p><p> + Copyright © 2007 Free Software Foundation, Inc. + <a href="http://fsf.org/" target="_top">http://fsf.org/</a> + </p><p> + Everyone is permitted to copy and distribute verbatim copies of this license + document, but changing it is not allowed. + </p><h2><a name="id396759"></a> + Preamble + </h2><p> + The <acronym class="acronym">GNU</acronym> General Public License is a free, copyleft + license for software and other kinds of works. + </p><p> + The licenses for most software and other practical works are designed to + take away your freedom to share and change the works. By contrast, the + <acronym class="acronym">GNU</acronym> General Public License is intended to guarantee your + freedom to share and change all versions of a program—to make sure it + remains free software for all its users. We, the Free Software Foundation, + use the <acronym class="acronym">GNU</acronym> General Public License for most of our + software; it applies also to any other work released this way by its + authors. You can apply it to your programs, too. + </p><p> + When we speak of free software, we are referring to freedom, not price. Our + General Public Licenses are designed to make sure that you have the freedom + to distribute copies of free software (and charge for them if you wish), + that you receive source code or can get it if you want it, that you can + change the software or use pieces of it in new free programs, and that you + know you can do these things. + </p><p> + To protect your rights, we need to prevent others from denying you these + rights or asking you to surrender the rights. Therefore, you have certain + responsibilities if you distribute copies of the software, or if you modify + it: responsibilities to respect the freedom of others. + </p><p> + For example, if you distribute copies of such a program, whether gratis or + for a fee, you must pass on to the recipients the same freedoms that you + received. You must make sure that they, too, receive or can get the source + code. And you must show them these terms so they know their rights. + </p><p> + Developers that use the <acronym class="acronym">GNU</acronym> <acronym class="acronym">GPL</acronym> + protect your rights with two steps: (1) assert copyright on the software, + and (2) offer you this License giving you legal permission to copy, + distribute and/or modify it. + </p><p> + For the developers’ and authors’ protection, the + <acronym class="acronym">GPL</acronym> clearly explains that there is no warranty for this + free software. For both users’ and authors’ sake, the + <acronym class="acronym">GPL</acronym> requires that modified versions be marked as changed, + so that their problems will not be attributed erroneously to authors of + previous versions. + </p><p> + Some devices are designed to deny users access to install or run modified + versions of the software inside them, although the manufacturer can do so. + This is fundamentally incompatible with the aim of protecting users’ + freedom to change the software. The systematic pattern of such abuse occurs + in the area of products for individuals to use, which is precisely where it + is most unacceptable. Therefore, we have designed this version of the + <acronym class="acronym">GPL</acronym> to prohibit the practice for those products. If such + problems arise substantially in other domains, we stand ready to extend this + provision to those domains in future versions of the <acronym class="acronym">GPL</acronym>, + as needed to protect the freedom of users. + </p><p> + Finally, every program is threatened constantly by software patents. States + should not allow patents to restrict development and use of software on + general-purpose computers, but in those that do, we wish to avoid the + special danger that patents applied to a free program could make it + effectively proprietary. To prevent this, the <acronym class="acronym">GPL</acronym> + assures that patents cannot be used to render the program non-free. + </p><p> + The precise terms and conditions for copying, distribution and modification + follow. + </p><h2><a name="id396868"></a> + TERMS AND CONDITIONS + </h2><h2><a name="id396872"></a> + 0. Definitions. + </h2><p> + “This License” refers to version 3 of the <acronym class="acronym">GNU</acronym> + General Public License. + </p><p> + “Copyright” also means copyright-like laws that apply to other + kinds of works, such as semiconductor masks. + </p><p> + “The Program” refers to any copyrightable work licensed under + this License. Each licensee is addressed as “you”. + “Licensees” and “recipients” may be individuals or + organizations. + </p><p> + To “modify” a work means to copy from or adapt all or part of + the work in a fashion requiring copyright permission, other than the making + of an exact copy. The resulting work is called a “modified + version” of the earlier work or a work “based on” the + earlier work. + </p><p> + A “covered work” means either the unmodified Program or a work + based on the Program. + </p><p> + To “propagate” a work means to do anything with it that, without + permission, would make you directly or secondarily liable for infringement + under applicable copyright law, except executing it on a computer or + modifying a private copy. Propagation includes copying, distribution (with + or without modification), making available to the public, and in some + countries other activities as well. + </p><p> + To “convey” a work means any kind of propagation that enables + other parties to make or receive copies. Mere interaction with a user + through a computer network, with no transfer of a copy, is not conveying. + </p><p> + An interactive user interface displays “Appropriate Legal + Notices” to the extent that it includes a convenient and prominently + visible feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to the extent + that warranties are provided), that licensees may convey the work under this + License, and how to view a copy of this License. If the interface presents + a list of user commands or options, such as a menu, a prominent item in the + list meets this criterion. + </p><h2><a name="id396936"></a> + 1. Source Code. + </h2><p> + The “source code” for a work means the preferred form of the + work for making modifications to it. “Object code” means any + non-source form of a work. + </p><p> + A “Standard Interface” means an interface that either is an + official standard defined by a recognized standards body, or, in the case of + interfaces specified for a particular programming language, one that is + widely used among developers working in that language. + </p><p> + The “System Libraries” of an executable work include anything, + other than the work as a whole, that (a) is included in the normal form of + packaging a Major Component, but which is not part of that Major Component, + and (b) serves only to enable use of the work with that Major Component, or + to implement a Standard Interface for which an implementation is available + to the public in source code form. A “Major Component”, in this + context, means a major essential component (kernel, window system, and so + on) of the specific operating system (if any) on which the executable work + runs, or a compiler used to produce the work, or an object code interpreter + used to run it. + </p><p> + The “Corresponding Source” for a work in object code form means + all the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts to + control those activities. However, it does not include the work’s + System Libraries, or general-purpose tools or generally available free + programs which are used unmodified in performing those activities but which + are not part of the work. For example, Corresponding Source includes + interface definition files associated with source files for the work, and + the source code for shared libraries and dynamically linked subprograms that + the work is specifically designed to require, such as by intimate data + communication or control flow between those subprograms and other parts of + the work. + </p><p> + The Corresponding Source need not include anything that users can regenerate + automatically from other parts of the Corresponding Source. + </p><p> + The Corresponding Source for a work in source code form is that same work. + </p><h2><a name="id396998"></a> + 2. Basic Permissions. + </h2><p> + All rights granted under this License are granted for the term of copyright + on the Program, and are irrevocable provided the stated conditions are met. + This License explicitly affirms your unlimited permission to run the + unmodified Program. The output from running a covered work is covered by + this License only if the output, given its content, constitutes a covered + work. This License acknowledges your rights of fair use or other + equivalent, as provided by copyright law. + </p><p> + You may make, run and propagate covered works that you do not convey, + without conditions so long as your license otherwise remains in force. You + may convey covered works to others for the sole purpose of having them make + modifications exclusively for you, or provide you with facilities for + running those works, provided that you comply with the terms of this License + in conveying all material for which you do not control copyright. Those + thus making or running the covered works for you must do so exclusively on + your behalf, under your direction and control, on terms that prohibit them + from making any copies of your copyrighted material outside their + relationship with you. + </p><p> + Conveying under any other circumstances is permitted solely under the + conditions stated below. Sublicensing is not allowed; section 10 makes it + unnecessary. + </p><h2><a name="id397032"></a> + 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. + </h2><p> + No covered work shall be deemed part of an effective technological measure + under any applicable law fulfilling obligations under article 11 of the WIPO + copyright treaty adopted on 20 December 1996, or similar laws prohibiting or + restricting circumvention of such measures. + </p><p> + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such circumvention is + effected by exercising rights under this License with respect to the covered + work, and you disclaim any intention to limit operation or modification of + the work as a means of enforcing, against the work’s users, your or + third parties’ legal rights to forbid circumvention of technological + measures. + </p><h2><a name="id397056"></a> + 4. Conveying Verbatim Copies. + </h2><p> + You may convey verbatim copies of the Program’s source code as you + receive it, in any medium, provided that you conspicuously and appropriately + publish on each copy an appropriate copyright notice; keep intact all + notices stating that this License and any non-permissive terms added in + accord with section 7 apply to the code; keep intact all notices of the + absence of any warranty; and give all recipients a copy of this License + along with the Program. + </p><p> + You may charge any price or no price for each copy that you convey, and you + may offer support or warranty protection for a fee. + </p><h2><a name="id397075"></a> + 5. Conveying Modified Source Versions. + </h2><p> + You may convey a work based on the Program, or the modifications to produce + it from the Program, in the form of source code under the terms of section + 4, provided that you also meet all of these conditions: + </p><div class="orderedlist"><ol type="a"><li><p> + The work must carry prominent notices stating that you modified it, and + giving a relevant date. + </p></li><li><p> + The work must carry prominent notices stating that it is released under + this License and any conditions added under section 7. This requirement + modifies the requirement in section 4 to “keep intact all + notices”. + </p></li><li><p> + You must license the entire work, as a whole, under this License to + anyone who comes into possession of a copy. This License will therefore + apply, along with any applicable section 7 additional terms, to the + whole of the work, and all its parts, regardless of how they are + packaged. This License gives no permission to license the work in any + other way, but it does not invalidate such permission if you have + separately received it. + </p></li><li><p> + If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your work need + not make them do so. + </p></li></ol></div><p> + A compilation of a covered work with other separate and independent works, + which are not by their nature extensions of the covered work, and which are + not combined with it such as to form a larger program, in or on a volume of + a storage or distribution medium, is called an “aggregate” if + the compilation and its resulting copyright are not used to limit the access + or legal rights of the compilation’s users beyond what the individual works + permit. Inclusion of a covered work in an aggregate does not cause + this License to apply to the other parts of the aggregate. + </p><h2><a name="id397152"></a> + 6. Conveying Non-Source Forms. + </h2><p> + You may convey a covered work in object code form under the terms of + sections 4 and 5, provided that you also convey the machine-readable + Corresponding Source under the terms of this License, in one of these ways: + </p><div class="orderedlist"><ol type="a"><li><p> + Convey the object code in, or embodied in, a physical product (including + a physical distribution medium), accompanied by the Corresponding Source + fixed on a durable physical medium customarily used for software + interchange. + </p></li><li><p> + Convey the object code in, or embodied in, a physical product (including + a physical distribution medium), accompanied by a written offer, valid + for at least three years and valid for as long as you offer spare parts + or customer support for that product model, to give anyone who possesses + the object code either (1) a copy of the Corresponding Source for all + the software in the product that is covered by this License, on a + durable physical medium customarily used for software interchange, for a + price no more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the Corresponding Source from + a network server at no charge. + </p></li><li><p> + Convey individual copies of the object code with a copy of the written + offer to provide the Corresponding Source. This alternative is allowed + only occasionally and noncommercially, and only if you received the + object code with such an offer, in accord with subsection 6b. + </p></li><li><p> + Convey the object code by offering access from a designated place + (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to copy + the object code is a network server, the Corresponding Source may be on + a different server (operated by you or a third party) that supports + equivalent copying facilities, provided you maintain clear directions + next to the object code saying where to find the Corresponding Source. + Regardless of what server hosts the Corresponding Source, you remain + obligated to ensure that it is available for as long as needed to + satisfy these requirements. + </p></li><li><p> + Convey the object code using peer-to-peer transmission, provided you + inform other peers where the object code and Corresponding Source of the + work are being offered to the general public at no charge under + subsection 6d. + </p></li></ol></div><p> + A separable portion of the object code, whose source code is excluded from + the Corresponding Source as a System Library, need not be included in + conveying the object code work. + </p><p> + A “User Product” is either (1) a “consumer product”, + which means any tangible personal property which is normally used for + personal, family, or household purposes, or (2) anything designed or sold + for incorporation into a dwelling. In determining whether a product is a + consumer product, doubtful cases shall be resolved in favor of coverage. + For a particular product received by a particular user, “normally + used” refers to a typical or common use of that class of product, + regardless of the status of the particular user or of the way in which the + particular user actually uses, or expects or is expected to use, the + product. A product is a consumer product regardless of whether the product + has substantial commercial, industrial or non-consumer uses, unless such + uses represent the only significant mode of use of the product. + </p><p> + “Installation Information” for a User Product means any methods, + procedures, authorization keys, or other information required to install and + execute modified versions of a covered work in that User Product from a + modified version of its Corresponding Source. The information must suffice + to ensure that the continued functioning of the modified object code is in + no case prevented or interfered with solely because modification has been + made. + </p><p> + If you convey an object code work under this section in, or with, or + specifically for use in, a User Product, and the conveying occurs as part of + a transaction in which the right of possession and use of the User Product + is transferred to the recipient in perpetuity or for a fixed term + (regardless of how the transaction is characterized), the Corresponding + Source conveyed under this section must be accompanied by the Installation + Information. But this requirement does not apply if neither you nor any + third party retains the ability to install modified object code on the User + Product (for example, the work has been installed in + <acronym class="acronym">ROM</acronym>). + </p><p> + The requirement to provide Installation Information does not include a + requirement to continue to provide support service, warranty, or updates for + a work that has been modified or installed by the recipient, or for the User + Product in which it has been modified or installed. Access to a network may + be denied when the modification itself materially and adversely affects the + operation of the network or violates the rules and protocols for + communication across the network. + </p><p> + Corresponding Source conveyed, and Installation Information provided, in + accord with this section must be in a format that is publicly documented + (and with an implementation available to the public in source code form), + and must require no special password or key for unpacking, reading or + copying. + </p><h2><a name="id397284"></a> + 7. Additional Terms. + </h2><p> + “Additional permissions” are terms that supplement the terms of + this License by making exceptions from one or more of its conditions. + Additional permissions that are applicable to the entire Program shall be + treated as though they were included in this License, to the extent that + they are valid under applicable law. If additional permissions apply only + to part of the Program, that part may be used separately under those + permissions, but the entire Program remains governed by this License + without regard to the additional permissions. + </p><p> + When you convey a copy of a covered work, you may at your option remove any + additional permissions from that copy, or from any part of it. (Additional + permissions may be written to require their own removal in certain cases + when you modify the work.) You may place additional permissions on + material, added by you to a covered work, for which you have or can give + appropriate copyright permission. + </p><p> + Notwithstanding any other provision of this License, for material you add + to a covered work, you may (if authorized by the copyright holders of that + material) supplement the terms of this License with terms: + </p><div class="orderedlist"><ol type="a"><li><p> + Disclaiming warranty or limiting liability differently from the terms + of sections 15 and 16 of this License; or + </p></li><li><p> + Requiring preservation of specified reasonable legal notices or author + attributions in that material or in the Appropriate Legal Notices + displayed by works containing it; or + </p></li><li><p> + Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + </p></li><li><p> + Limiting the use for publicity purposes of names of licensors or + authors of the material; or + </p></li><li><p> + Declining to grant rights under trademark law for use of some trade + names, trademarks, or service marks; or + </p></li><li><p> + Requiring indemnification of licensors and authors of that material by + anyone who conveys the material (or modified versions of it) with + contractual assumptions of liability to the recipient, for any + liability that these contractual assumptions directly impose on those + licensors and authors. + </p></li></ol></div><p> + All other non-permissive additional terms are considered “further + restrictions” within the meaning of section 10. If the Program as + you received it, or any part of it, contains a notice stating that it is + governed by this License along with a term that is a further restriction, + you may remove that term. If a license document contains a further + restriction but permits relicensing or conveying under this License, you + may add to a covered work material governed by the terms of that license + document, provided that the further restriction does not survive such + relicensing or conveying. + </p><p> + If you add terms to a covered work in accord with this section, you must + place, in the relevant source files, a statement of the additional terms + that apply to those files, or a notice indicating where to find the + applicable terms. + </p><p> + Additional terms, permissive or non-permissive, may be stated in the form + of a separately written license, or stated as exceptions; the above + requirements apply either way. + </p><h2><a name="id397389"></a> + 8. Termination. + </h2><p> + You may not propagate or modify a covered work except as expressly provided + under this License. Any attempt otherwise to propagate or modify it is + void, and will automatically terminate your rights under this License + (including any patent licenses granted under the third paragraph of section + 11). + </p><p> + However, if you cease all violation of this License, then your license from + a particular copyright holder is reinstated (a) provisionally, unless and + until the copyright holder explicitly and finally terminates your license, + and (b) permanently, if the copyright holder fails to notify you of the + violation by some reasonable means prior to 60 days after the cessation. + </p><p> + Moreover, your license from a particular copyright holder is reinstated + permanently if the copyright holder notifies you of the violation by some + reasonable means, this is the first time you have received notice of + violation of this License (for any work) from that copyright holder, and + you cure the violation prior to 30 days after your receipt of the notice. + </p><p> + Termination of your rights under this section does not terminate the + licenses of parties who have received copies or rights from you under this + License. If your rights have been terminated and not permanently + reinstated, you do not qualify to receive new licenses for the same + material under section 10. + </p><h2><a name="id397424"></a> + 9. Acceptance Not Required for Having Copies. + </h2><p> + You are not required to accept this License in order to receive or run a + copy of the Program. Ancillary propagation of a covered work occurring + solely as a consequence of using peer-to-peer transmission to receive a + copy likewise does not require acceptance. However, nothing other than + this License grants you permission to propagate or modify any covered work. + These actions infringe copyright if you do not accept this License. + Therefore, by modifying or propagating a covered work, you indicate your + acceptance of this License to do so. + </p><h2><a name="id397438"></a> + 10. Automatic Licensing of Downstream Recipients. + </h2><p> + Each time you convey a covered work, the recipient automatically receives a + license from the original licensors, to run, modify and propagate that + work, subject to this License. You are not responsible for enforcing + compliance by third parties with this License. + </p><p> + An “entity transaction” is a transaction transferring control + of an organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a covered work + results from an entity transaction, each party to that transaction who + receives a copy of the work also receives whatever licenses to the work the + party’s predecessor in interest had or could give under the previous + paragraph, plus a right to possession of the Corresponding Source of the + work from the predecessor in interest, if the predecessor has it or can get + it with reasonable efforts. + </p><p> + You may not impose any further restrictions on the exercise of the rights + granted or affirmed under this License. For example, you may not impose a + license fee, royalty, or other charge for exercise of rights granted under + this License, and you may not initiate litigation (including a cross-claim + or counterclaim in a lawsuit) alleging that any patent claim is infringed + by making, using, selling, offering for sale, or importing the Program or + any portion of it. + </p><h2><a name="id397472"></a> + 11. Patents. + </h2><p> + A “contributor” is a copyright holder who authorizes use under + this License of the Program or a work on which the Program is based. The + work thus licensed is called the contributor’s “contributor + version”. + </p><p> + A contributor’s “essential patent claims” are all patent + claims owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, permitted by + this License, of making, using, or selling its contributor version, but do + not include claims that would be infringed only as a consequence of further + modification of the contributor version. For purposes of this definition, + “control” includes the right to grant patent sublicenses in a + manner consistent with the requirements of this License. + </p><p> + Each contributor grants you a non-exclusive, worldwide, royalty-free patent + license under the contributor’s essential patent claims, to make, use, + sell, offer for sale, import and otherwise run, modify and propagate the + contents of its contributor version. + </p><p> + In the following three paragraphs, a “patent license” is any + express agreement or commitment, however denominated, not to enforce a + patent (such as an express permission to practice a patent or covenant not + to sue for patent infringement). To “grant” such a patent + license to a party means to make such an agreement or commitment not to + enforce a patent against the party. + </p><p> + If you convey a covered work, knowingly relying on a patent license, and the + Corresponding Source of the work is not available for anyone to copy, free + of charge and under the terms of this License, through a publicly available + network server or other readily accessible means, then you must either (1) + cause the Corresponding Source to be so available, or (2) arrange to deprive + yourself of the benefit of the patent license for this particular work, or + (3) arrange, in a manner consistent with the requirements of this License, + to extend the patent license to downstream recipients. “Knowingly + relying” means you have actual knowledge that, but for the patent + license, your conveying the covered work in a country, or your + recipient’s use of the covered work in a country, would infringe one + or more identifiable patents in that country that you have reason to believe + are valid. + </p><p> + If, pursuant to or in connection with a single transaction or arrangement, + you convey, or propagate by procuring conveyance of, a covered work, and + grant a patent license to some of the parties receiving the covered work + authorizing them to use, propagate, modify or convey a specific copy of the + covered work, then the patent license you grant is automatically extended to + all recipients of the covered work and works based on it. + </p><p> + A patent license is “discriminatory” if it does not include + within the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that are + specifically granted under this License. You may not convey a covered work + if you are a party to an arrangement with a third party that is in the + business of distributing software, under which you make payment to the third + party based on the extent of your activity of conveying the work, and under + which the third party grants, to any of the parties who would receive the + covered work from you, a discriminatory patent license (a) in connection + with copies of the covered work conveyed by you (or copies made from those + copies), or (b) primarily for and in connection with specific products or + compilations that contain the covered work, unless you entered into that + arrangement, or that patent license was granted, prior to 28 March 2007. + </p><p> + Nothing in this License shall be construed as excluding or limiting any + implied license or other defenses to infringement that may otherwise be + available to you under applicable patent law. + </p><h2><a name="id397561"></a> + 12. No Surrender of Others’ Freedom. + </h2><p> + If conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot convey a + covered work so as to satisfy simultaneously your obligations under this + License and any other pertinent obligations, then as a consequence you may + not convey it at all. For example, if you agree to terms that obligate you + to collect a royalty for further conveying from those to whom you convey the + Program, the only way you could satisfy both those terms and this License + would be to refrain entirely from conveying the Program. + </p><h2><a name="id397577"></a> + 13. Use with the <acronym class="acronym">GNU</acronym> Affero General Public License. + </h2><p> + Notwithstanding any other provision of this License, you have permission to + link or combine any covered work with a work licensed under version 3 of the + <acronym class="acronym">GNU</acronym> Affero General Public License into a single combined + work, and to convey the resulting work. The terms of this License will + continue to apply to the part which is the covered work, but the special + requirements of the <acronym class="acronym">GNU</acronym> Affero General Public License, + section 13, concerning interaction through a network will apply to the + combination as such. + </p><h2><a name="id397600"></a> + 14. Revised Versions of this License. + </h2><p> + The Free Software Foundation may publish revised and/or new versions of the + <acronym class="acronym">GNU</acronym> General Public License from time to time. Such new + versions will be similar in spirit to the present version, but may differ in + detail to address new problems or concerns. + </p><p> + Each version is given a distinguishing version number. If the Program + specifies that a certain numbered version of the <acronym class="acronym">GNU</acronym> + General Public License “or any later version” applies to it, you + have the option of following the terms and conditions either of that + numbered version or of any later version published by the Free Software + Foundation. If the Program does not specify a version number of the + <acronym class="acronym">GNU</acronym> General Public License, you may choose any version + ever published by the Free Software Foundation. + </p><p> + If the Program specifies that a proxy can decide which future versions of + the <acronym class="acronym">GNU</acronym> General Public License can be used, that + proxy’s public statement of acceptance of a version permanently + authorizes you to choose that version for the Program. + </p><p> + Later license versions may give you additional or different permissions. + However, no additional obligations are imposed on any author or copyright + holder as a result of your choosing to follow a later version. + </p><h2><a name="id397648"></a> + 15. Disclaimer of Warranty. + </h2><p> + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE + LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR + OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF + ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH + YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL + NECESSARY SERVICING, REPAIR OR CORRECTION. + </p><h2><a name="id397665"></a> + 16. Limitation of Liability. + </h2><p> + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL + ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE + PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY + GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE + OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA + OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), + EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGES. + </p><h2><a name="id397680"></a> + 17. Interpretation of Sections 15 and 16. + </h2><p> + If the disclaimer of warranty and limitation of liability provided above + cannot be given local legal effect according to their terms, reviewing + courts shall apply local law that most closely approximates an absolute + waiver of all civil liability in connection with the Program, unless a + warranty or assumption of liability accompanies a copy of the Program in + return for a fee. + </p><h2><a name="id397692"></a> + END OF TERMS AND CONDITIONS + </h2><h2><a name="id397696"></a> + How to Apply These Terms to Your New Programs + </h2><p> + If you develop a new program, and you want it to be of the greatest possible + use to the public, the best way to achieve this is to make it free software + which everyone can redistribute and change under these terms. + </p><p> + To do so, attach the following notices to the program. It is safest to + attach them to the start of each source file to most effectively state the + exclusion of warranty; and each file should have at least the + “copyright” line and a pointer to where the full notice is + found. + </p><pre class="screen"> +<em class="replaceable"><code>one line to give the program’s name and a brief idea of what it does.</code></em> +Copyright (C) <em class="replaceable"><code>year</code></em> <em class="replaceable"><code>name of author</code></em> + +This program is free software: you can redistribute it and/or modify +it under the terms of the <acronym class="acronym">GNU</acronym> General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +<acronym class="acronym">GNU</acronym> General Public License for more details. + +You should have received a copy of the <acronym class="acronym">GNU</acronym> General Public License +along with this program. If not, see <a href="http://www.gnu.org/licenses/" target="_top">http://www.gnu.org/licenses/</a>. + </pre><p> + Also add information on how to contact you by electronic and paper mail. + </p><p> + If the program does terminal interaction, make it output a short notice like + this when it starts in an interactive mode: + </p><pre class="screen"> +<em class="replaceable"><code>program</code></em> Copyright (C) <em class="replaceable"><code>year</code></em> <em class="replaceable"><code>name of author</code></em> +This program comes with ABSOLUTELY NO WARRANTY; for details type ‘<code class="literal">show w</code>’. +This is free software, and you are welcome to redistribute it +under certain conditions; type ‘<code class="literal">show c</code>’ for details. + </pre><p> + The hypothetical commands ‘<code class="literal">show w</code>’ and + ‘<code class="literal">show c</code>’ should show the appropriate parts of + the General Public License. Of course, your program’s commands might be + different; for a GUI interface, you would use an “about box”. + </p><p> + You should also get your employer (if you work as a programmer) or school, + if any, to sign a “copyright disclaimer” for the program, if + necessary. For more information on this, and how to apply and follow the + <acronym class="acronym">GNU</acronym> <acronym class="acronym">GPL</acronym>, see <a href="http://www.gnu.org/licenses/" target="_top">http://www.gnu.org/licenses/</a>. + </p><p> + The <acronym class="acronym">GNU</acronym> General Public License does not permit + incorporating your program into proprietary programs. If your program is a + subroutine library, you may consider it more useful to permit linking + proprietary applications with the library. If this is what you want to do, + use the <acronym class="acronym">GNU</acronym> Lesser General Public License instead of this + License. But first, please read <a href="http://www.gnu.org/philosophy/why-not-lgpl.html" target="_top">http://www.gnu.org/philosophy/why-not-lgpl.html</a>. + </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="primer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 16. Networking Primer </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Glossary</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/appendix.html b/docs/htmldocs/Samba3-ByExample/appendix.html new file mode 100644 index 0000000000..5758a48e91 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/appendix.html @@ -0,0 +1,1060 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. A Collection of Useful Tidbits</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="ch14.html" title="Chapter 14. Samba Support"><link rel="next" href="primer.html" title="Chapter 16. Networking Primer"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. A Collection of Useful Tidbits</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Chapter 15. A Collection of Useful Tidbits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id390543">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id390934">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id391231">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id391242">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id391285">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id391367">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id391422">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id391880">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id392795">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id393226">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id393365">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id393440">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p> + <a class="indexterm" name="id389998"></a> + <a class="indexterm" name="id390004"></a> + Information presented here is considered to be either basic or well-known material that is informative + yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that + the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps + different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, + as shown in the example given below. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div></div><p> + <a class="indexterm" name="id390030"></a> + Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. + This section steps through the process for making a Windows 200x/XP Professional machine a + member of a Domain Security environment. It should be noted that this process is identical + when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. + </p><div class="procedure"><a name="id390041"></a><p class="title"><b>Procedure 15.1. Steps to Join a Domain</b></p><ol type="1"><li><p> + Click <span class="guimenu">Start</span>. + </p></li><li><p> + Right-click <span class="guimenu">My Computer</span>, and then select <span class="guimenuitem">Properties</span>. + </p></li><li><p> + The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel. + See <a href="appendix.html#swxpp001" title="Figure 15.1. The General Panel.">???</a>. + </p><div class="figure"><a name="swxpp001"></a><p class="title"><b>Figure 15.1. The General Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click the <span class="guimenu">Computer Name</span> tab. + This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>, + and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>. + </p><p> + Clicking the <span class="guimenu">Network ID</span> button launches the configuration wizard. Do not use this with + Samba-3. If you wish to change the computer name, or join or leave the domain, click the <span class="guimenu">Change</span> button. + See <a href="appendix.html#swxpp004" title="Figure 15.2. The Computer Name Panel.">???</a>. + </p><div class="figure"><a name="swxpp004"></a><p class="title"><b>Figure 15.2. The Computer Name Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP. + We join the domain called MIDEARTH. See <a href="appendix.html#swxpp006" title="Figure 15.3. The Computer Name Changes Panel">???</a>. + </p><div class="figure"><a name="swxpp006"></a><p class="title"><b>Figure 15.3. The Computer Name Changes Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel"></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Enter the name <span class="guimenu">MIDEARTH</span> in the field below the Domain radio button. + </p><p> + This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a>. + </p><div class="figure"><a name="swxpp007"></a><p class="title"><b>Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH"></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the credentials (username and password) + of a domain administrative account that has the rights to add machines to the domain. + </p><p> + Enter the name “<span class="quote">root</span>” and the root password from your Samba-3 server. See <a href="appendix.html#swxpp008" title="Figure 15.5. Computer Name Changes User name and Password Panel">???</a>. + </p><div class="figure"><a name="swxpp008"></a><p class="title"><b>Figure 15.5. Computer Name Changes User name and Password Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes User name and Password Panel"></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click <span class="guimenu">OK</span>. + </p><p> + The “<span class="quote">Welcome to the MIDEARTH domain</span>” dialog box should appear. At this point, the machine must be rebooted. + Joining the domain is now complete. + </p></li></ol></div><p> + <a class="indexterm" name="id390446"></a> + <a class="indexterm" name="id390452"></a> + The screen capture shown in <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a> has a button labeled <span class="guimenu">More...</span>. This button opens a + panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members + of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace. + </p><p> + <a class="indexterm" name="id390476"></a> + <a class="indexterm" name="id390483"></a> + Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers + register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server + to find the services (like which machines are domain controllers or which machines have the Netlogon service running). + </p><p> + <a class="indexterm" name="id390498"></a> + The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, + this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to + a valid IP address. + </p><p> + The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. + Where the client is a member of a Samba domain, it is preferable to leave this field blank. + </p><p> + <a class="indexterm" name="id390518"></a> + According to Microsoft documentation, “<span class="quote">If this computer belongs to a group with <code class="constant">Group Policy</code> + enabled on <code class="literal">Primary DNS suffice of this computer</code>, the string specified in the Group Policy is used + as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is + used only if Group Policy is disabled or unspecified.</span>” + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id390543"></a>Samba System File Location</h2></div></div></div><p><a class="indexterm" name="id390549"></a><a class="indexterm" name="id390557"></a><a class="indexterm" name="id390565"></a> + One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team + build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is + in the <code class="filename">/usr/local/samba</code> directory. This is a perfectly reasonable location, particularly given all the other + Open Source software that installs into the <code class="filename">/usr/local</code> subdirectories. + </p><p> + Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team + default. + </p><p><a class="indexterm" name="id390596"></a><a class="indexterm" name="id390607"></a><a class="indexterm" name="id390615"></a><a class="indexterm" name="id390626"></a><a class="indexterm" name="id390633"></a><a class="indexterm" name="id390644"></a><a class="indexterm" name="id390652"></a><a class="indexterm" name="id390660"></a><a class="indexterm" name="id390668"></a><a class="indexterm" name="id390676"></a><a class="indexterm" name="id390684"></a><a class="indexterm" name="id390691"></a><a class="indexterm" name="id390699"></a><a class="indexterm" name="id390707"></a><a class="indexterm" name="id390715"></a><a class="indexterm" name="id390723"></a> + Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy + System (FHS), have elected to locate the configuration files under the <code class="filename">/etc/samba</code> directory, common binary + files (those used by users) in the <code class="filename">/usr/bin</code> directory, and the administrative files (daemons) in the + <code class="filename">/usr/sbin</code> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the + <code class="filename">/usr/share</code> directory, either in <code class="filename">/usr/share/samba/swat</code> or in + <code class="filename">/usr/share/swat</code>. There are additional support files for <code class="literal">smbd</code> in the + <code class="filename">/usr/lib/samba</code> directory tree. The files located there include the dynamically loadable modules for the + passdb backend as well as for the VFS modules. + </p><p><a class="indexterm" name="id390786"></a><a class="indexterm" name="id390794"></a><a class="indexterm" name="id390802"></a> + Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in + the <code class="filename">/var/lib/samba</code> directory. Log files are created in <code class="filename">/var/log/samba.</code> + </p><p> + When Samba is built and installed using the default Samba Team process, all files are located under the + <code class="filename">/usr/local/samba</code> directory tree. This makes it simple to find the files that Samba owns. + </p><p><a class="indexterm" name="id390837"></a> + One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location + of all files called <code class="literal">smbd</code>. Here is an example: +</p><pre class="screen"> +<code class="prompt">root# </code> find / -name smbd -print +</pre><p> + You can find the location of the configuration files by running: +</p><pre class="screen"> +<code class="prompt">root# </code> /path-to-binary-file/smbd -b | more +... +Paths: + SBINDIR: /usr/sbin + BINDIR: /usr/bin + SWATDIR: /usr/share/samba/swat + CONFIGFILE: /etc/samba/smb.conf + LOGFILEBASE: /var/log/samba + LMHOSTSFILE: /etc/samba/lmhosts + LIBDIR: /usr/lib/samba + SHLIBEXT: so + LOCKDIR: /var/lib/samba + PIDDIR: /var/run/samba + SMB_PASSWD_FILE: /etc/samba/smbpasswd + PRIVATE_DIR: /etc/samba +... +</pre><p> + If you wish to locate the Samba version, just run: +</p><pre class="screen"> +<code class="prompt">root# </code> /path-to-binary-file/smbd -V +Version 3.0.20-SUSE +</pre><p> + </p><p> + Many people have been caught by installation of Samba using the default Samba Team process when it was already installed + by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by + executing:<a class="indexterm" name="id390901"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -qa | grep samba +samba3-pdb-3.0.20-1 +samba3-vscan-0.3.6-0 +samba3-winbind-3.0.20-1 +samba3-3.0.20-1 +samba3-python-3.0.20-1 +samba3-utils-3.0.20-1 +samba3-doc-3.0.20-1 +samba3-client-3.0.20-1 +samba3-cifsmount-3.0.20-1 + </pre><p><a class="indexterm" name="id390922"></a> + The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id390934"></a>Starting Samba</h2></div></div></div><p><a class="indexterm" name="id390941"></a> + Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. + An example of a service is the Apache Web server for which the daemon is called <code class="literal">httpd</code>. In the case of Samba, there + are three daemons, two of which are needed as a minimum. + </p><p> + The Samba server is made up of the following daemons: + </p><div class="example"><a name="ch12SL"></a><p class="title"><b>Example 15.1. A Useful Samba Control Script for SUSE Linux</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash +# +# Script to start/stop samba +# Locate this in /sbin as a file called 'samba' + +RCD=/etc/rc.d + +if [ z$1 == 'z' ]; then + echo $0 - No arguments given; must be start or stop. + exit +fi + +if [ $1 == 'start' ]; then + ${RCD}/nmb start + ${RCD}/smb start + ${RCD}/winbind start + +fi +if [ $1 == 'stop' ]; then + ${RCD}/smb stop + ${RCD}/winbind stop + ${RCD}/nmb stop +fi +if [ $1 == 'restart' ]; then + ${RCD}/smb stop + ${RCD}/winbind stop + ${RCD}/nmb stop + sleep 5 + ${RCD}/nmb start + ${RCD}/smb start + ${RCD}/winbind start +fi +exit 0 +</pre></div></div><br class="example-break"><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p> + <a class="indexterm" name="id390994"></a> + <a class="indexterm" name="id391001"></a> + This daemon handles all name registration and resolution requests. It is the primary vehicle involved + in network browsing. It handles all UDP-based protocols. The <code class="literal">nmbd</code> daemon should + be the first command started as part of the Samba startup process. + </p></dd><dt><span class="term">smbd</span></dt><dd><p> + <a class="indexterm" name="id391029"></a> + <a class="indexterm" name="id391035"></a> + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also + manages local authentication. It should be started immediately following the startup of <code class="literal">nmbd</code>. + </p></dd><dt><span class="term">winbindd</span></dt><dd><p> + <a class="indexterm" name="id391062"></a> + <a class="indexterm" name="id391069"></a> + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when + Samba has trust relationships with another domain. The <code class="literal">winbindd</code> daemon will check the + <code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> + parameters. If they are not found, <code class="literal">winbindd</code> bails out and refuses to start. + </p></dd></dl></div><p> + When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its + integration into the platform as a whole. Please refer to your operating system platform administration manuals for + specific information pertaining to correct management of Samba startup. + </p><div class="example"><a name="ch12RHscript"></a><p class="title"><b>Example 15.2. A Sample Samba Control Script for Red Hat Linux</b></p><div class="example-contents"><pre class="screen"> +#!/bin/sh +# +# chkconfig: 345 81 35 +# description: Starts and stops the Samba smbd and nmbd daemons \ +# used to provide SMB network services. + +# Source function library. +. /etc/rc.d/init.d/functions +# Source networking configuration. +. /etc/sysconfig/network +# Check that networking is up. +[ ${NETWORKING} = "no" ] && exit 0 +CONFIG=/etc/samba/smb.conf +# Check that smb.conf exists. +[ -f $CONFIG ] || exit 0 + +# See how we were called. +case "$1" in + start) + echo -n "Starting SMB services: " + daemon smbd -D; daemon nmbd -D; echo; + touch /var/lock/subsys/smb + ;; + stop) + echo -n "Shutting down SMB services: " + smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'` + for pid in $smbdpids; do + kill -TERM $pid + done + killproc nmbd -TERM; rm -f /var/lock/subsys/smb + echo "" + ;; + status) + status smbd; status nmbd; + ;; + restart) + echo -n "Restarting SMB services: " + $0 stop; $0 start; + echo "done." + ;; + *) + echo "Usage: smb {start|stop|restart|status}" + exit 1 +esac +</pre></div></div><br class="example-break"><p><a class="indexterm" name="id391161"></a> + SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently + executed from the command line is shown in <a href="appendix.html#ch12SL" title="Example 15.1. A Useful Samba Control Script for SUSE Linux">???</a>. This can be located in the directory + <code class="filename">/sbin</code> in a file called <code class="filename">samba</code>. This type of control script should be + owned by user root and group root, and set so that only root can execute it. + </p><p><a class="indexterm" name="id391193"></a> + A sample startup script for a Red Hat Linux system is shown in <a href="appendix.html#ch12RHscript" title="Example 15.2. A Sample Samba Control Script for Red Hat Linux">???</a>. + This file could be located in the directory <code class="filename">/etc/rc.d</code> and can be called + <code class="filename">samba</code>. A similar startup script is required to control <code class="literal">winbind</code>. + If you want to find more information regarding startup scripts please refer to the packaging section of + the Samba source code distribution tarball. The packaging files for each platform include a + startup control file. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id391231"></a>DNS Configuration Files</h2></div></div></div><p> + The following files are common to all DNS server configurations. Rather than repeat them multiple times, they + are presented here for general reference. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391242"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div></div><p> + The forward zone file for the loopback address never changes. An example file is shown + in <a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a>. All traffic destined for an IP address that is hosted on a + physical interface on the machine itself is routed to the loopback adaptor. This is + a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor + is called <code class="constant">localhost</code>. + </p><div class="example"><a name="loopback"></a><p class="title"><b>Example 15.3. DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></b></p><div class="example-contents"><pre class="screen"> +$TTL 1W +@ IN SOA @ root ( + 42 ; serial + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + + IN NS @ + IN A 127.0.0.1 +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391285"></a>The Reverse Zone File for the Loopback Adaptor</h3></div></div></div><p> + The reverse zone file for the loopback address as shown in <a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a> + is necessary so that references to the address <code class="constant">127.0.0.1</code> can be + resolved to the correct name of the interface. + </p><div class="example"><a name="dnsloopy"></a><p class="title"><b>Example 15.4. DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></b></p><div class="example-contents"><pre class="screen"> +$TTL 1W +@ IN SOA localhost. root.localhost. ( + 42 ; serial + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + + IN NS localhost. +1 IN PTR localhost. +</pre></div></div><br class="example-break"><div class="example"><a name="roothint"></a><p class="title"><b>Example 15.5. DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></b></p><div class="example-contents"><pre class="screen"> +; This file is made available by InterNIC under anonymous FTP as +; file /domain/named.root +; on server FTP.INTERNIC.NET +; last update: Nov 5, 2002. Related version of root zone: 2002110501 +; formerly NS.INTERNIC.NET +. 3600000 IN NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +; formerly NS1.ISI.EDU +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107 +; formerly C.PSI.NET +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +; formerly TERP.UMD.EDU +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 +; formerly NS.NASA.GOV +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; formerly NS.ISC.ORG +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +; formerly NS.NIC.DDN.MIL +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; formerly AOS.ARL.ARMY.MIL +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 +; formerly NIC.NORDU.NET +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +; operated by VeriSign, Inc. +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +; housed in LINX, operated by RIPE NCC +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +; operated by IANA +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12 +; housed in Japan, operated by WIDE +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +; End of File +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391367"></a>DNS Root Server Hint File</h3></div></div></div><p> + The content of the root hints file as shown in <a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a> changes slowly over time. + Periodically this file should be updated from the source shown. Because + of its size, this file is located at the end of this chapter. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div></div><p><a class="indexterm" name="id391396"></a><a class="indexterm" name="id391407"></a> + The following procedure may be used as an alternative means of configuring + the initial LDAP database. Many administrators prefer to have greater control + over how system files get configured. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391422"></a>Initialization of the LDAP Database</h3></div></div></div><p><a class="indexterm" name="id391429"></a><a class="indexterm" name="id391437"></a><a class="indexterm" name="id391448"></a> + The first step to get the LDAP server ready for action is to create the LDIF file from + which the LDAP database will be preloaded. This is necessary to create the containers + into which the user, group, and other accounts are written. It is also necessary to + preload the well-known Windows NT Domain Groups, as they must have the correct SID so + that they can be recognized as special NT Groups by the MS Windows clients. + </p><div class="procedure"><a name="ldapinit"></a><p class="title"><b>Procedure 15.2. LDAP Directory Pre-Load Steps</b></p><ol type="1"><li><p> + Create a directory in which to store the files you use to generate + the LDAP LDIF file for your system. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /etc/openldap/SambaInit +<code class="prompt">root# </code> chown root:root /etc/openldap/SambaInit +<code class="prompt">root# </code> chmod 700 /etc/openldap/SambaInit +</pre><p> + </p></li><li><p> + Install the files shown in <a href="appendix.html#sbehap-ldapreconfa" title="Example 15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A">???</a>, <a href="appendix.html#sbehap-ldapreconfb" title="Example 15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B">???</a>, + and <a href="appendix.html#sbehap-ldapreconfc" title="Example 15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C">???</a> into the directory + <code class="filename">/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</code> These three files are, + respectively, parts A, B, and C of the <code class="filename">SMBLDAP-ldif-preconfig.sh</code> file. + </p></li><li><p> + Install the files shown in <a href="appendix.html#sbehap-ldifpata" title="Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A">???</a> and <a href="appendix.html#sbehap-ldifpatb" title="Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B">???</a> into the directory + <code class="filename">/etc/openldap/SambaInit/.</code> These two files are + parts A and B, respectively, of the <code class="filename">init-ldif.pat</code> file. + </p></li><li><p> + Change to the <code class="filename">/etc/openldap/SambaInit</code> directory. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> sh SMBLDAP-ldif-preconfig.sh + +How do you wish to refer to your organization? +Suggestions: + Black Tire Company, Inc. + Cat With Hat Ltd. +How would you like your organization name to appear? +Your organization name is: My Organization +Enter a new name is this is not what you want, press Enter to Continue. +Name [My Organization]: Abmas Inc. + +Samba Config File Location [/etc/samba/smb.conf]: +Enter a new full path or press Enter to continue. +Samba Config File Location [/etc/samba/smb.conf]: +Domain Name: MEGANET2 +Domain SID: S-1-5-21-3504140859-1010554828-2431957765 + +The name of your Internet domain is now needed in a special format +as follows, if your domain name is mydomain.org, what we need is +the information in the form of: + Domain ID: mydomain + Top level: org +If your fully qualified hostname is: snoopy.bazaar.garagesale.net +where "snoopy" is the name of the machine, +Then the information needed is: + Domain ID: garagesale + Top Level: net + +Found the following domain name: abmas.biz +I think the bit we are looking for might be: abmas +Enter the domain name or press Enter to continue: + +The top level organization name I will use is: biz +Enter the top level org name or press Enter to continue: +<code class="prompt">root# </code> +</pre><p> + This creates a file called <code class="filename">MEGANET2.ldif</code>. + </p></li><li><p> + It is now time to preload the LDAP database with the following + command: +</p><pre class="screen"> +<code class="prompt">root# </code> slapadd -v -l MEGANET2.ldif +added: "dc=abmas,dc=biz" (00000001) +added: "cn=Manager,dc=abmas,dc=biz" (00000002) +added: "ou=People,dc=abmas,dc=biz" (00000003) +added: "ou=Computers,dc=abmas,dc=biz" (00000004) +added: "ou=Groups,dc=abmas,dc=biz" (00000005) +added: "ou=Domains,dc=abmas,dc=biz" (00000006) +added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007) +added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008) +added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009) +added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a) +</pre><p> + You should verify that the account information was correctly loaded by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: Abmas Inc. +description: Posix and Samba LDAP Identity Database +structuralObjectClass: organization +entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474 +creatorsName: cn=manager,dc=abmas,dc=biz +modifiersName: cn=manager,dc=abmas,dc=biz +createTimestamp: 20031217055747Z +modifyTimestamp: 20031217055747Z +entryCSN: 2003121705:57:47Z#0x0001#0#0000 +... + +dn: cn=domusers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 513 +cn: domusers +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 +sambaGroupType: 2 +displayName: Domain Users +description: Domain Users +structuralObjectClass: posixGroup +entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474 +creatorsName: cn=manager,dc=abmas,dc=biz +modifiersName: cn=manager,dc=abmas,dc=biz +createTimestamp: 20031217055747Z +modifyTimestamp: 20031217055747Z +entryCSN: 2003121705:57:47Z#0x000a#0#0000 +</pre><p> + </p></li><li><p> + Your LDAP database is ready for testing. You can now start the LDAP server + using the system tool for your Linux operating system. For SUSE Linux, you can + do this as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +</pre><p> + </p></li><li><p> + It is now a good idea to validate that the LDAP server is running correctly. + Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" +# extended LDIF +# +# LDAPv3 +# base <dc=abmas,dc=biz> with scope sub +# filter: (ObjectClass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: Abmas Inc. +description: Posix and Samba LDAP Identity Database +... +# domusers, Groups, abmas.biz +dn: cn=domusers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 513 +cn: domusers +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 +sambaGroupType: 2 +displayName: Domain Users +description: Domain Users + +# search result +search: 2 +result: 0 Success + +# numResponses: 11 +# numEntries: 10 +</pre><p> + Your LDAP server is ready for creation of additional accounts. + </p></li></ol></div></div><div class="example"><a name="sbehap-ldapreconfa"></a><p class="title"><b>Example 15.6. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part A</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash +# +# This script prepares the ldif LDAP load file only +# + +# Pattern File Name +file=init-ldif.pat + +# The name of my organization +ORGNAME="My Organization" + +# My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets" +INETDOMAIN="my-domain" + +# In the above case, md domain is: buckets.org, TLDORG="org" +TLDORG="org" + +# This is the Samba Domain/Workgroup Name +DOMNAME="MYWORKGROUP" + +# +# Here We Go ... +# + +cat <<EOF + +How do you wish to refer to your organization? + +Suggestions: + Black Tire Company, Inc. + Cat With Hat Ltd. + +How would you like your organization name to appear? + +EOF + +echo "Your organization name is: $ORGNAME" +echo +echo "Enter a new name or, press Enter to Continue." +echo +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfb"></a><p class="title"><b>Example 15.7. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part B</b></p><div class="example-contents"><pre class="screen"> +echo -e -n "Name [$ORGNAME]: " + read name + +if [ ! -z "$name" ]; then + ORGNAME=${name} +fi +echo +sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1 + +# Try to find smb.conf + +if [ -e /usr/local/samba/lib/smb.conf ]; then + CONF=/usr/local/samba/lib/smb.conf +elif [ -e /etc/samba/smb.conf ]; then + CONF=/etc/samba/smb.conf +fi + +echo "Samba Config File Location [$CONF]: " +echo +echo "Enter a new full path or press Enter to continue." +echo +echo -n "Samba Config File Location [$CONF]: " + read name +if [ ! -z "$name" ]; then + CONF=$name +fi +echo + +# Find the name of our Domain/Workgroup +DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=` +echo Domain Name: $DOMNAME +echo + +sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2 + +DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"` +echo Domain SID: $DOMSID + +sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1 +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfc"></a><p class="title"><b>Example 15.8. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part C</b></p><div class="example-contents"><pre class="screen"> +cat <<EOL +The name of your Internet domain is now needed in a special format +as follows, if your domain name is mydomain.org, what we need is +the information in the form of: + Domain ID: mydomain + Top level: org + +If your fully qualified hostname is: snoopy.bazaar.garagesale.net +where "snoopy" is the name of the machine, +Then the information needed is: + Domain ID: garagesale + Top Level: net + +EOL +INETDOMAIN=`hostname -d | cut -f1 -d.` +echo Found the following domain name: `hostname -d` +echo "I think the bit we are looking for might be: $INETDOMAIN" +echo +echo -n "Enter the domain name or press Enter to continue: " + read domnam +if [ ! -z $domnam ]; then + INETDOMAIN=$domnam +fi +echo +sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2 +TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"` +echo "The top level organization name I will use is: ${TLDORG}" +echo +echo -n "Enter the top level org name or press Enter to continue: " + read domnam +if [ ! -z $domnam ]; then + TLDORG=$domnam +fi +sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif +rm $file.tmp* +exit 0 +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpata"></a><p class="title"><b>Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A</b></p><div class="example-contents"><pre class="screen"> +dn: dc=INETDOMAIN,dc=TLDORG +objectClass: dcObject +objectClass: organization +dc: INETDOMAIN +o: ORGNAME +description: Posix and Samba LDAP Identity Database + +dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +dn: ou=People,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: People + +dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Computers + +dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Groups + +dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Idmap + +dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Domains + +dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG +objectClass: sambaDomain +sambaDomainName: DOMNAME +sambaSID: DOMSID +sambaAlgorithmicRidBase: 1000 +structuralObjectClass: sambaDomain +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpatb"></a><p class="title"><b>Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B</b></p><div class="example-contents"><pre class="screen"> +dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 512 +cn: domadmins +sambaSID: DOMSID-512 +sambaGroupType: 2 +displayName: Domain Admins +description: Domain Administrators + +dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 514 +cn: domguests +sambaSID: DOMSID-514 +sambaGroupType: 2 +displayName: Domain Guests +description: Domain Guests Users + +dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 513 +cn: domusers +sambaSID: DOMSID-513 +sambaGroupType: 2 +displayName: Domain Users +description: Domain Users +</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id391880"></a>The LDAP Account Manager</h2></div></div></div><p> +<a class="indexterm" name="id391888"></a> +<a class="indexterm" name="id391894"></a> +<a class="indexterm" name="id391903"></a> +<a class="indexterm" name="id391910"></a> +<a class="indexterm" name="id391916"></a> +<a class="indexterm" name="id391923"></a> +<a class="indexterm" name="id391930"></a> +The LDAP Account Manager (LAM) is an application suite that has been written in PHP. +LAM can be used with any Web server that has PHP4 support. It connects to the LDAP +server either using unencrypted connections or via SSL/TLS. LAM can be used to manage +Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines +(hosts). +</p><p> +LAM is available from the <a href="http://sourceforge.net/projects/lam/" target="_top">LAM</a> +home page and from its mirror sites. LAM has been released under the GNU GPL version 2. +The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter +of 2005. +</p><p> +<a class="indexterm" name="id391956"></a> +<a class="indexterm" name="id391963"></a> +<a class="indexterm" name="id391970"></a> +Requirements: +</p><div class="itemizedlist"><ul type="disc"><li><p>A web server that will work with PHP4.</p></li><li><p>PHP4 (available from the <a href="http://www.php.net/" target="_top">PHP</a> home page.)</p></li><li><p>OpenLDAP 2.0 or later.</p></li><li><p>A Web browser that supports CSS.</p></li><li><p>Perl.</p></li><li><p>The gettext package.</p></li><li><p>mcrypt + mhash (optional).</p></li><li><p>It is also a good idea to install SSL support.</p></li></ul></div><p> +LAM is a useful tool that provides a simple Web-based device that can be used to +manage the contents of the LDAP directory to: +<a class="indexterm" name="id392027"></a> +<a class="indexterm" name="id392034"></a> +<a class="indexterm" name="id392041"></a> +</p><div class="itemizedlist"><ul type="disc"><li><p>Display user/group/host and Domain entries.</p></li><li><p>Manage entries (Add/Delete/Edit).</p></li><li><p>Filter and sort entries.</p></li><li><p>Store and use multiple operating profiles.</p></li><li><p>Edit organizational units (OUs).</p></li><li><p>Upload accounts from a file.</p></li><li><p>Is compatible with Samba-2.2.x and Samba-3.</p></li></ul></div><p> +When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba +user, group, and windows domain member machine accounts. +</p><p> +<a class="indexterm" name="id392092"></a> +<a class="indexterm" name="id392098"></a> +<a class="indexterm" name="id392105"></a> +<a class="indexterm" name="id392112"></a> +The default password is “<span class="quote">lam.</span>” It is highly recommended that you use only +an SSL connection to your Web server for all remote operations involving LAM. If you +want secure connections, you must configure your Apache Web server to permit connections +to LAM using only SSL. +</p><div class="procedure"><a name="sbehap-laminst"></a><p class="title"><b>Procedure 15.3. Apache Configuration Steps for LAM</b></p><ol type="1"><li><p> + Extract the LAM package by untarring it as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> tar xzf ldap-account-manager_0.4.9.tar.gz +</pre><p> + Alternatively, install the LAM DEB for your system using the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> dpkg -i ldap-account-manager_0.4.9.all.deb +</pre><p> + </p></li><li><p> + Copy the extracted files to the document root directory of your Web server. + For example, on SUSE Linux Enterprise Server 9, copy to the + <code class="filename">/srv/www/htdocs</code> directory. + </p></li><li><p> + <a class="indexterm" name="id392185"></a> + Set file permissions using the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> chown -R wwwrun:www /srv/www/htdocs/lam +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/sess +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/tmp +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/config +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/lib/*pl +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id392235"></a> + Using your favorite editor create the following <code class="filename">config.cfg</code> + LAM configuration file: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /srv/www/htdocs/lam/config +<code class="prompt">root# </code> cp config.cfg_sample config.cfg +<code class="prompt">root# </code> vi config.cfg +</pre><p> + <a class="indexterm" name="id392275"></a> + <a class="indexterm" name="id392284"></a> + An example file is shown in <a href="appendix.html#lamcfg" title="Example 15.11. Example LAM Configuration File config.cfg">???</a>. + This is the minimum configuration that must be completed. The LAM profile + file can be created using a convenient wizard that is part of the LAM + configuration suite. + </p></li><li><p> + Start your Web server then, using your Web browser, connect to + <a href="http://localhost/lam" target="_top">LAM</a> URL. Click on the + the <em class="parameter"><code>Configuration Login</code></em> link then click on the + Configuration Wizard link to begin creation of the default profile so that + LAM can connect to your LDAP server. Alternately, copy the + <code class="filename">lam.conf_sample</code> file to a file called + <code class="filename">lam.conf</code> then, using your favorite editor, + change the settings to match local site needs. + </p></li></ol></div><p> + <a class="indexterm" name="id392339"></a> + An example of a working file is shown here in <a href="appendix.html#lamconf" title="Example 15.12. LAM Profile Control File lam.conf">???</a>. + This file has been stripped of comments to keep the size small. The comments + and help information provided in the profile file that the wizard creates + is very useful and will help many administrators to avoid pitfalls. + Your configuration file obviously reflects the configuration options that + are preferred at your site. + </p><p> + <a class="indexterm" name="id392359"></a> + It is important that your LDAP server is running at the time that LAM is + being configured. This permits you to validate correct operation. + An example of the LAM login screen is provided in <a href="appendix.html#lam-login" title="Figure 15.6. The LDAP Account Manager Login Screen">???</a>. + </p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure 15.6. The LDAP Account Manager Login Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id392419"></a> + The LAM configuration editor has a number of options that must be managed correctly. + An example of use of the LAM configuration editor is shown in <a href="appendix.html#lam-config" title="Figure 15.7. The LDAP Account Manager Configuration Screen">???</a>. + It is important that you correctly set the minimum and maximum UID/GID values that are + permitted for use at your site. The default values may not be compatible with a need to + modify initial default account values for well-known Windows network users and groups. + The best work-around is to temporarily set the minimum values to zero (0) to permit + the initial settings to be made. Do not forget to reset these to sensible values before + using LAM to add additional users and groups. + </p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure 15.7. The LDAP Account Manager Configuration Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id392484"></a> + LAM has some nice, but unusual features. For example, one unexpected feature in most application + screens permits the generation of a PDF file that lists configuration information. This is a well + thought out facility. This option has been edited out of the following screen shots to conserve + space. + </p><p> + <a class="indexterm" name="id392496"></a> + When you log onto LAM the opening screen drops you right into the user manager as shown in + <a href="appendix.html#lam-user" title="Figure 15.8. The LDAP Account Manager User Edit Screen">???</a>. This is a logical action as it permits the most-needed facility + to be used immediately. The editing of an existing user, as with the addition of a new user, + is easy to follow and very clear in both layout and intent. It is a simple matter to edit + generic settings, UNIX specific parameters, and then Samba account requirements. Each step + involves clicking a button that intuitively drives you through the process. When you have + finished editing simply press the <span class="guimenu">Final</span> button. + </p><div class="figure"><a name="lam-user"></a><p class="title"><b>Figure 15.8. The LDAP Account Manager User Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-users.png" width="270" alt="The LDAP Account Manager User Edit Screen"></div></div></div><br class="figure-break"><p> + The edit screen for groups is shown in <a href="appendix.html#lam-group" title="Figure 15.9. The LDAP Account Manager Group Edit Screen">???</a>. As with the edit screen + for user accounts, group accounts may be rapidly dealt with. <a href="appendix.html#lam-group-mem" title="Figure 15.10. The LDAP Account Manager Group Membership Edit Screen">???</a> + shows a sub-screen from the group editor that permits users to be assigned secondary group + memberships. + </p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure 15.9. The LDAP Account Manager Group Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div></div><br class="figure-break"><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure 15.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id392664"></a><a class="indexterm" name="id392670"></a> + The final screen presented here is one that you should not normally need to use. Host accounts will + be automatically managed using the smbldap-tools scripts. This means that the screen <a href="appendix.html#lam-host" title="Figure 15.11. The LDAP Account Manager Host Edit Screen">???</a> + will, in most cases, not be used. + </p><div class="figure"><a name="lam-host"></a><p class="title"><b>Figure 15.11. The LDAP Account Manager Host Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-hosts.png" width="270" alt="The LDAP Account Manager Host Edit Screen"></div></div></div><br class="figure-break"><p> + One aspect of LAM that may annoy some users is the way it forces certain conventions on + the administrator. For example, LAM does not permit the creation of Windows user and group + accounts that contain spaces even though the underlying UNIX/Linux + operating system may exhibit no problems with them. Given the propensity for using upper-case + characters and spaces (particularly in the default Windows account names) this may cause + some annoyance. For the rest, LAM is a very useful administrative tool. + </p><p> + The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features + (e.g., logon hours). The new plugin-based architecture also allows management of much more different + account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another + important point is the tree view which allows browsing and editing LDAP objects directly. + </p><div class="example"><a name="lamcfg"></a><p class="title"><b>Example 15.11. Example LAM Configuration File <code class="filename">config.cfg</code></b></p><div class="example-contents"><pre class="screen"> +# password to add/delete/rename configuration profiles +password: not24get + +# default profile, without ".conf" +default: lam +</pre></div></div><br class="example-break"><div class="example"><a name="lamconf"></a><p class="title"><b>Example 15.12. LAM Profile Control File <code class="filename">lam.conf</code></b></p><div class="example-contents"><pre class="screen"> +ServerURL: ldap://massive.abmas.org:389 +Admins: cn=Manager,dc=abmas,dc=biz +Passwd: not24get +usersuffix: ou=People,dc=abmas,dc=biz +groupsuffix: ou=Groups,dc=abmas,dc=biz +hostsuffix: ou=Computers,dc=abmas,dc=biz +domainsuffix: ou=Domains,dc=abmas,dc=biz +MinUID: 0 +MaxUID: 65535 +MinGID: 0 +MaxGID: 65535 +MinMachine: 20000 +MaxMachine: 25000 +userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber +grouplistAttributes: #cn;#gidNumber;#memberUID;#description +hostlistAttributes: #cn;#description;#uidNumber;#gidNumber +maxlistentries: 30 +defaultLanguage: en_GB:ISO-8859-1:English (Great Britain) +scriptPath: +scriptServer: +samba3: yes +cachetimeout: 5 +pwdhash: SSHA +</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id392795"></a>IDEALX Management Console</h2></div></div></div><p> + IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive + web-based management interface for UNIX and Linux systems. + </p><p> + The Samba toolset is the first console developped for IMC. It offers a simple and ergonomic + interface for managing a Samba domain controler. The goal is to give Linux administrators who + need to manage production Samba servers an effective, intuitive and consistent management + experience. An IMC screenshot of the user management tool is shown in <a href="appendix.html#imcidealx" title="Figure 15.12. The IMC Samba User Account Screen">???</a>. + </p><div class="figure"><a name="imcidealx"></a><p class="title"><b>Figure 15.12. The IMC Samba User Account Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/imc-usermanager2.png" width="216" alt="The IMC Samba User Account Screen"></div></div></div><br class="figure-break"><p> + IMC is built on a set of Perl modules. Most modules are standard CPAN modules. Some are bundled with IMC, + but will soon to be hosted on the CPAN independently, like Struts4P, a port of Struts to the Perl language. + </p><p> + For further information regarding IMC refer to the web <a href="http://imc.sourceforge.net/" target="_top">site.</a> + Prebuilt RPM packages are also <a href="http://imc.sourceforge.net/download.html" target="_top">available.</a> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div></div><a class="indexterm" name="id392892"></a><a class="indexterm" name="id392898"></a><p> + The setting of the SUID/SGID bits on the file or directory permissions flag has particular + consequences. If the file is executable and the SUID bit is set, it executes with the privilege + of (with the UID of) the owner of the file. For example, if you are logged onto a system as + a normal user (let's say as the user <code class="constant">bobj</code>), and you execute a file that is owned + by the user <code class="constant">root</code> (uid = 0), and the file has the SUID bit set, then the file is + executed as if you had logged in as the user <code class="constant">root</code> and then executed the file. + The SUID bit effectively gives you (as <code class="constant">bobj</code>) administrative privilege for the + use of that executable file. + </p><p> + The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it + applies the privilege to the UNIX group setting. In other words, the file executes with the force + of capability of the group. + </p><p> + When the SUID/SGID permissions are set on a directory, all files that are created within that directory + are automatically given the ownership of the SUID user and the SGID group, as per the ownership + of the directory in which the file is created. This means that the system level <code class="literal">create()</code> + function executes with the SUID user and/or SGID group of the directory in which the file is + created. + </p><p> + If you want to obtain the SUID behavior, simply execute the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod u+s file-or-directory +</pre><p> + To set the SGID properties on a file or a directory, execute this command: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod g+s file-or-directory +</pre><p> + And to set both SUID and SGID properties, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod ug+s file-or-directory +</pre><p> + </p><p> + Let's consider the example of a directory <code class="filename">/data/accounts</code>. The permissions on this + directory before setting both SUID and SGID on this directory are: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /data/accounts +total 1 +drwxr-xr-x 10 root root 232 Dec 18 17:08 . +drwxr-xr-x 21 root root 600 Dec 17 23:15 .. +drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/ +drwx------ 2 root root 48 Jan 26 2002 lost+found +</pre><p> + In this example, if the user <code class="constant">maryv</code> creates a file, it is owned by her. + If <code class="constant">maryv</code> has the primary group of <code class="constant">Accounts</code>, the file is + owned by the group <code class="constant">Accounts</code>, as shown in this listing: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt +drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53 +</pre><p> + </p><p> + Now you set the SUID and SGID and check the result as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod ug+s /data/accounts +<code class="prompt">root# </code> ls -al /data/accounts +total 1 +drwxr-xr-x 10 root root 232 Dec 18 17:08 . +drwxr-xr-x 21 root root 600 Dec 17 23:15 .. +drwsrwsr-x 2 bobj Domain Users 48 Dec 18 17:08 accounts +drwx------ 2 root root 48 Jan 26 2002 lost+found +</pre><p> + If <code class="constant">maryv</code> creates a file in this directory after this change has been made, the + file is owned by the user <code class="constant">bobj</code>, and the group is set to the group + <code class="constant">Domain Users</code>, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod ug+s /data/accounts +<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt +total 1 +drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt +</pre><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div></div><p><a class="indexterm" name="id393104"></a><a class="indexterm" name="id393112"></a> + The integrity of shared data is often viewed as a particularly emotional issue, especially where + there are concurrent problems with multiuser data access. Contrary to the assertions of some who have + experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter. + </p><p> + The solution to concurrent multiuser data access problems must consider three separate areas + from which the problem may stem:<a class="indexterm" name="id393131"></a><a class="indexterm" name="id393142"></a><a class="indexterm" name="id393154"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>application-level locking controls</p></li><li><p>client-side locking controls</p></li><li><p>server-side locking controls</p></li></ul></div><p><a class="indexterm" name="id393186"></a><a class="indexterm" name="id393193"></a> + Many database applications use some form of application-level access control. An example of one + well-known application that uses application-level locking is Microsoft Access. Detailed guidance + is provided here because this is the most common application for which problems have been reported. + </p><p><a class="indexterm" name="id393207"></a><a class="indexterm" name="id393215"></a> + Common applications that are affected by client- and server-side locking controls include MS + Excel and Act!. Important locking guidance is provided here. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id393226"></a>Microsoft Access</h3></div></div></div><p> + The best advice that can be given is to carefully read the Microsoft knowledgebase articles that + cover this area. Examples of relevant documents include: + </p><div class="itemizedlist"><ul type="disc"><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id393251"></a><a class="indexterm" name="id393262"></a> + Make sure that your MS Access database file is configured for multiuser access (not set for + exclusive open). Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>. Set network path to Default database folder: <code class="filename">\\server\share\folder</code>. + </p><p> + You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>. + Set:<a class="indexterm" name="id393310"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Default open mode: Shared</p></li><li><p>Default Record Locking: Edited Record</p></li><li><p>Open databases using record_level locking</p></li></ul></div><p><a class="indexterm" name="id393338"></a> + You must now commit the changes so that they will take effect. To do so, click + <span class="guimenu">Apply</span><span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart + it, and then validate that these settings have not changed. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id393365"></a>Act! Database Sharing</h3></div></div></div><p><a class="indexterm" name="id393372"></a><a class="indexterm" name="id393379"></a> + Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you + must disable opportunistic locking on the server and all workstations. Failure to do so + results in data corruption. This information is available from the Act! Web site + knowledgebase articles + <a href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a> + as well as from article + <a href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>. + </p><p><a class="indexterm" name="id393406"></a><a class="indexterm" name="id393414"></a> + These documents clearly state that opportunistic locking must be disabled on both + the server (Samba in the case we are interested in here), as well as on every workstation + from which the centrally shared Act! database will be accessed. Act! provides + a tool called <code class="literal">Act!Diag</code> that may be used to disable all workstation + registry settings that may otherwise interfere with the operation of Act! + Registered Act! users may download this utility from the Act! Web + <a href="http://www.act.com/support/updates/index.cfm" target="_top">site.</a> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id393440"></a>Opportunistic Locking Controls</h3></div></div></div><p><a class="indexterm" name="id393447"></a> + Third-party Windows applications may not be compatible with the use of opportunistic file + and record locking. For applications that are known not to be compatible,<sup>[<a name="id393458" href="#ftn.id393458">14</a>]</sup> oplock + support may need to be disabled both on the Samba server and on the Windows workstations. + </p><p><a class="indexterm" name="id393468"></a><a class="indexterm" name="id393475"></a><a class="indexterm" name="id393483"></a> + Oplocks enable a Windows client to cache parts of a file that are being + edited. Another windows client may then request to open the file with the + ability to write to it. The server will then ask the original workstation + that had the file open with a write lock to release its lock. Before + doing so, that workstation must flush the file from cache memory to the + disk or network drive. + </p><p><a class="indexterm" name="id393501"></a> + Disabling of Oplocks usage may require server and client changes. + Oplocks may be disabled by file, by file pattern, on the share, or on the + Samba server. + </p><p> + The following are examples showing how Oplock support may be managed using + Samba <code class="filename">smb.conf</code> file settings: +</p><pre class="screen"> +By file: veto oplock files = myfile.mdb + +By Pattern: veto oplock files = /*.mdb/ + +On the Share: oplocks = No + level2 oplocks = No + +On the server: +(in [global]) oplocks = No + level2 oplocks = No +</pre><p> + </p><p> + The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4 + workstation clients must be configured as shown here: +</p><pre class="screen"> +REGEDIT4 + +[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ + Services\LanmanServer\Parameters] + "EnableOplocks"=dword:00000000 + +[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ + Services\LanmanWorkstation\Parameters] + "UseOpportunisticLocking"=dword:00000000 +</pre><p> + </p><p> + Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13. + The information in that chapter was obtained from a wide variety of sources. + </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Samba Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Networking Primer</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/ch14.html b/docs/htmldocs/Samba3-ByExample/ch14.html new file mode 100644 index 0000000000..1787f6e87d --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/ch14.html @@ -0,0 +1,106 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Samba Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="HA.html" title="Chapter 13. Performance, Reliability, and Availability"><link rel="next" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Samba Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="HA.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="appendix.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id389570"></a>Chapter 14. Samba Support</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch14.html#id389686">Free Support</a></span></dt><dt><span class="sect1"><a href="ch14.html#id389884">Commercial Support</a></span></dt></dl></div><p> +<a class="indexterm" name="id389579"></a> +One of the most difficult to answer questions in the information technology industry is, “<span class="quote">What is +support?</span>”. That question irritates some folks, as much as common answers may annoy others. +</p><p> +<a class="indexterm" name="id389595"></a> +The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to +an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: +“<span class="quote">Oh, Linux? We do not support Linux!</span>”. It has happened to me, and similar situations happen +through-out the IT industry. Answers like that are designed to inform us that there are some customers +that a business just does not want to deal with, and well may we feel the anguish of the rejection that +is dished out. +</p><p> +One way to consider support is to view it as consisting of the right answer, in the right place, +at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, +inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk. +</p><p> +<a class="indexterm" name="id389618"></a> +<a class="indexterm" name="id389625"></a> +<a class="indexterm" name="id389632"></a> +One of the forces that has become a driving force for the adoption of open source software is the fact that +many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or +that have been found wanting for other reasons. +</p><p> +<a class="indexterm" name="id389644"></a> +<a class="indexterm" name="id389651"></a> +In recognition of the need for needs satisfaction as the primary experience an information technology user or +consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience +in respect of problem resolution. +</p><p> +<a class="indexterm" name="id389663"></a> +<a class="indexterm" name="id389670"></a> +<a class="indexterm" name="id389677"></a> +In the open source software arena there are two support options: free support and paid-for (commercial) +support. +</p><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389686"></a>Free Support</h2></div></div></div><p> +<a class="indexterm" name="id389694"></a> +<a class="indexterm" name="id389700"></a> +<a class="indexterm" name="id389707"></a> +<a class="indexterm" name="id389714"></a> +<a class="indexterm" name="id389721"></a> +<a class="indexterm" name="id389728"></a> + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help + facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user + supported mutual assistance. + </p><p> +<a class="indexterm" name="id389740"></a> +<a class="indexterm" name="id389747"></a> +<a class="indexterm" name="id389753"></a> +<a class="indexterm" name="id389760"></a> +<a class="indexterm" name="id389767"></a> + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. + Information regarding subscription to the Samba mailing list can be found on the Samba <a href="https://lists.samba.org/mailman/" target="_top">web</a> site. The public mailing list that can be used to obtain + free, user contributed, support is called the <code class="literal">samba</code> list. The email address for this list + is at <code class="literal">mail:samba@samba.org</code>. Information regarding the Samba IRC channels may be found on + the Samba <a href="http://www.samba.org/samba.irc.html" target="_top">IRC</a> web page. + </p><p> +<a class="indexterm" name="id389804"></a> +<a class="indexterm" name="id389811"></a> +<a class="indexterm" name="id389817"></a> +<a class="indexterm" name="id389824"></a> + As a general rule, it is considered poor net behavior to contact a Samba Team member directly + for free support. Most active members of the Samba Team work exceptionally long hours to assist + users who have demonstrated a qualified problem. Some team members may respond to direct email + or telephone contact, with requests for assistance, by requesting payment. A few of the Samba + Team members actually provide professional paid-for Samba support and it is therefore wise + to show appropriate discretion and reservation in all direct contact. + </p><p> +<a class="indexterm" name="id389839"></a> +<a class="indexterm" name="id389846"></a> +<a class="indexterm" name="id389852"></a> + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting + a bug <a href="https://bugzilla.samba.org/" target="_top">report</a>. All such reports are mailed to + the responsible code maintainer for action. The better the report, and the more serious it is, + the sooner it will be dealt with. On the other hand, if the responsible person can not duplicate + the reported bug it is likely to be rejected. It is up to you to provide sufficient information + that will permit the problem to be reproduced. + </p><p> +<a class="indexterm" name="id389872"></a> + We all recognize that sometimes free support does not provide the answer that is sought within + the time-frame required. At other times the problem is elusive and you may lack the experience + necessary to isolate the problem and thus to resolve it. This is a situation where is may be + prudent to purchase paid-for support. + </p></div><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389884"></a>Commercial Support</h2></div></div></div><p> + There are six basic support oriented services that are most commonly sought by Samba sites: + </p><div class="itemizedlist"><ul type="disc"><li><p>Assistance with network design</p></li><li><p>Staff Training</p></li><li><p>Assistance with Samba network deployment and installation</p></li><li><p>Priority telephone or email Samba configuration assistance</p></li><li><p>Trouble-shooting and diagnostic assistance</p></li><li><p>Provision of quality assured ready-to-install Samba binary packages</p></li></ul></div><p> +<a class="indexterm" name="id389928"></a> +<a class="indexterm" name="id389935"></a> + Information regarding companies that provide professional Samba support can be obtained by performing a Google + search, as well as by reference to the Samba <a href="http://www.samba.org/samba/support.html" target="_top">Support</a> web page. Companies who notify the Samba Team + that they provide commercial support are given a free listing that is sorted by the country of origin. + Multiple listings are permitted, however no guarantee is offered. It is left to you to qualify a support + provider and to satisfy yourself that both the company and its staff are able to deliver what is required of + them. + </p><p> +<a class="indexterm" name="id389955"></a> + The policy within the Samba Team is to treat all commercial support providers equally and to show no + preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. + You are encouraged to obtain the services needed from a company in your local area. The open source movement + is pro-community; so do what you can to help a local business to prosper. + </p><p> +<a class="indexterm" name="id389969"></a> + Open source software support can be found in any quality, at any price and in any place you can + to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for + suffering in the mistaken belief that Samba is unsupported software it is supported. + </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="HA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="appendix.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. Performance, Reliability, and Availability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. A Collection of Useful Tidbits</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/go01.html b/docs/htmldocs/Samba3-ByExample/go01.html new file mode 100644 index 0000000000..601f63e965 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/go01.html @@ -0,0 +1,115 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Glossary</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="apa.html" title="Appendix A. GNU General Public License version 3"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Glossary</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="apa.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="glossary"><div class="titlepage"><div><div><h2 class="title"><a name="id397855"></a>Glossary</h2></div></div></div><dl><dt>Access Control List</dt><dd><p> + A detailed list of permissions granted to users or groups with respect to file and network + resource access. + </p></dd><dt>Active Directory Service</dt><dd><p> + A service unique to Microsoft Windows 200x servers that provides a centrally managed + directory for management of user identities and computer objects, as well as the + permissions each user or computer may be granted to access distributed network resources. + ADS uses Kerberos-based authentication and LDAP over Kerberos for directory access. + </p></dd><dt>Common Internet File System</dt><dd><p> + The new name for SMB. Microsoft renamed the SMB protocol to CIFS during + the Internet hype in the 1990s. At about the time that the SMB protocol was renamed + to CIFS, an additional dialect of the SMB protocol was in development. The need for the + deployment of the NetBIOS layer was also removed, thus paving the way for use of the SMB + protocol natively over TCP/IP (known as NetBIOS-less SMB or “<span class="quote">naked</span>” TCP + transport). + </p></dd><dt>Common UNIX Printing System</dt><dd><p> + A recent implementation of a high-capability printing system for UNIX developed by + <a href="http://www.easysw.com/" target="_top">Easy Software Inc.</a>. The design objective + of CUPS was to provide a rich print processing system that has built-in intelligence + that is capable of correctly rendering (processing) a file that is submitted for + printing even if it was formatted for an entirely different printer. + </p></dd><dt>Domain Master Browser</dt><dd><p> + The Domain Master Browser maintains a list of all the servers that + have announced their services within a given workgroup or NT domain. + </p></dd><dt>Domain Name Service</dt><dd><p> + A protocol by which computer hostnames may be resolved to the matching IP address/es. + DNS is implemented by the Berkeley Internet Name Daemon. There exists a recent version + of DNS that allows dynamic name registration by network clients or by a DHCP server. + This recent protocol is known as dynamic DNS (DDNS). + </p></dd><dt>Dynamic Host Configuration Protocol</dt><dd><p> + A protocol that was based on the BOOTP protocol that may be used to dynamically assign + an IP address, from a reserved pool of addresses, to a network client or device. + Additionally, DHCP may assign all network configuration settings and may be used to + register a computer name and its address with a dynamic DNS server. + </p></dd><dt>Group IDentifier</dt><dd><p> + The UNIX system group identifier; on older systems, a 32-bit unsigned integer, and on + newer systems, an unsigned 64-bit integer. The GID is used in UNIX-like operating systems + for all group-level access control. + </p></dd><dt>Key Distribution Center</dt><dd><p> + The Kerberos authentication protocol makes use of security keys (also called a ticket) + by which access to network resources is controlled. The issuing of Kerberos tickets + is effected by a KDC. + </p></dd><dt>Lightweight Directory Access Protocol</dt><dd><p> + The Lightweight Directory Access Protocol is a technology that + originated from the development of X.500 protocol specifications and + implementations. LDAP was designed as a means of rapidly searching + through X.500 information. Later LDAP was adapted as an engine that + could drive its own directory database. LDAP is not a database per + se; rather it is a technology that enables high-volume search and + locate activity from clients that wish to obtain simply defined + information about a subset of records that are stored in a + database. LDAP does not have a particularly efficient mechanism for + storing records in the database, and it has no concept of transaction + processing nor of mechanisms for preserving data consistency. LDAP is + premised around the notion that the search and read activity far + outweigh any need to add, delete, or modify records. LDAP does + provide a means for replication of the database to keep slave + servers up to date with a master. It also has built-in capability to + handle external references and deferral. + </p></dd><dt>Local Master Browser</dt><dd><p> + The Local Master Browser maintains a list of all servers that have announced themselves + within a given workgroup or NT domain on a particular broadcast isolated subnet. + </p></dd><dt>Media Access Control</dt><dd><p> + The hard-coded address of the physical-layer device that is attached to the network. + All network interface controllers must have a hard-coded and unique MAC address. The + MAC address is 48 bits long. + </p></dd><dt>NetBIOS Extended User Interface</dt><dd><p> + Very simple network protocol invented by IBM and Microsoft. It is used to do NetBIOS + over Ethernet with low overhead. NetBEUI is a non-routable protocol. + </p></dd><dt>Network Address Translation</dt><dd><p> + Network address translation is a form of IP address masquerading. It ensures that internal + private (RFC1918) network addresses from packets inside the network are rewritten so + that TCP/IP packets that leave the server over a public connection are seen to come only + from the external network address. + </p></dd><dt>Network Basic Input/Output System</dt><dd><p> + NetBIOS is a simple application programming interface (API) invented in the 1980s + that allows programs to send data to certain network names. NetBIOS is always run over + another network protocol such as IPX/SPX, TCP/IP, or Logical Link Control (LLC). + NetBIOS run over LLC is best known as NetBEUI (the NetBIOS Extended User Interface + a complete misnomer!). + </p></dd><dt>NetBT</dt><dd><p> + Protocol for transporting NetBIOS frames over TCP/IP. Uses ports 137, 138, and 139. + NetBT is a fully routable protocol. + </p></dd><dt>NT/LanManager Security Support Provider</dt><dd><p> + The NTLM Security Support Provider (NTLMSSP) service in Windows NT4/200x/XP is responsible for + handling all NTLM authentication requests. It is the front end for protocols such as SPNEGO, + Schannel, and other technologies. The generic protocol family supported by NTLMSSP is known as + GSSAPI, the Generic Security Service Application Program Interface specified in RFC2078. + </p></dd><dt>Server Message Block</dt><dd><p> + SMB was the original name of the protocol spoken by Samba. It was invented in the 1980s + by IBM and adopted and extended further by Microsoft. Microsoft renamed the protocol to + CIFS during the Internet hype in the 1990s. + </p></dd><dt>The Simple and Protected GSS-API Negotiation</dt><dd><p> + The purpose of SPNEGO is to allow a client and server to negotiate a security mechanism for + authentication. The protocol is specified in RFC2478 and uses tokens as built via ASN.1 DER. + DER refers to Distinguished Encoding Rules. These are a set of common rules for creating + binary encodings in a platform-independent manner. Samba has support for SPNEGO. + </p></dd><dt>The Official Samba-3 HOWTO and Reference Guide, Second Edition</dt><dd><p> + This book makes repeated reference to “<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second + Edition</span>” by John H. Terpstra and Jelmer R. Vernooij. This publication is available from + Amazon.com. Publisher: Prentice Hall PTR (August 2005), + ISBN: 013122282. + </p></dd><dt>User IDentifier</dt><dd><p> + The UNIX system user identifier; on older systems, a 32-bit unsigned integer, and on newer systems, + an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user-level access + control. + </p></dd><dt>Universal Naming Convention</dt><dd><p>A syntax for specifying the location of network resources (such as file shares). + The UNC syntax was developed in the early days of MS DOS 3.x and is used internally by the SMB protocol. + </p></dd><dt>Wireshark</dt><dd><p> + A network analyzer, also known as a network sniffer or a protocol analyzer. Formerly known as Ethereal, Wireshark is + freely available for UNIX/Linux and Microsoft Windows systems from + <a href="http://www.wireshark.org" target="_top">the Wireshark Web site</a>. + </p></dd></dl></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="apa.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/happy.html b/docs/htmldocs/Samba3-ByExample/happy.html new file mode 100644 index 0000000000..ba341e1a34 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/happy.html @@ -0,0 +1,2878 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Making Happy Users</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter 4. The 500-User Office"><link rel="next" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter 5. Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id343715">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id343791">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id343919">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id344321">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id345972">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id345985">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id346155">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id352602">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id352618">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id352707">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id352935">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id353033">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id353147">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id354146">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id354787">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id354813">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id354843">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id354931">Questions and Answers</a></span></dt></dl></div><p> + It is said that “<span class="quote">a day that is without troubles is not fulfilling. Rather, give + me a day of troubles well handled so that I can be content with my achievements.</span>” + </p><p> + In the world of computer networks, problems are as varied as the people who create them + or experience them. The design of the network implemented in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a> + may create problems for some network users. The following lists some of the problems that + may occur: + </p><a class="indexterm" name="id343219"></a><a class="indexterm" name="id343225"></a><a class="indexterm" name="id343234"></a><a class="indexterm" name="id343241"></a><a class="indexterm" name="id343248"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p> +A significant number of network administrators have responded to the guidance given +here. It should be noted that there are sites that have a single PDC for many hundreds of +concurrent network clients. Network bandwidth, network bandwidth utilization, and server load +are among the factors that determine the maximum number of Windows clients that +can be served by a single domain controller (PDC or BDC) on a network segment. It is possible +to operate with only a single PDC over a routed network. What is possible is not necessarily +<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with +the message that the domain controller cannot be found or that the user account cannot +be found (when you know it exists), that may be an indication that the domain controller is +overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows +clients is conservative and if followed will minimize problems but it is not absolute. +</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p> + <a class="indexterm" name="id343284"></a> + <a class="indexterm" name="id343294"></a> + When a Windows client logs onto the network, many data packets are exchanged + between the client and the server that is providing the network logon services. + Each request between the client and the server must complete within a specific + time limit. This is one of the primary factors that govern the installation of + multiple domain controllers (usually called secondary or backup controllers). + As a rough rule, there should be one such backup controller for every + 30 to 150 clients. The actual limits are determined by network operational + characteristics. + </p><p> + <a class="indexterm" name="id343309"></a> + <a class="indexterm" name="id343315"></a> + <a class="indexterm" name="id343322"></a> + If the domain controller provides only network logon services + and all file and print activity is handled by domain member servers, one domain + controller per 150 clients on a single network segment may suffice. In any + case, it is highly recommended to have a minimum of one domain controller (PDC or BDC) + per network segment. It is better to have at least one BDC on the network + segment that has a PDC. If the domain controller is also used as a file and + print server, the number of clients it can service reliably is reduced, + and generally for low powered hardware should not exceed 30 machines (Windows + workstations plus domain member servers) per domain controller. Many sites are + able to operate with more clients per domain controller, the number of clients + that can be supported is limited by the CPU speed, memory and the workload on + the Samba server as well as network bandwidth utilization. + </p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p> + <a class="indexterm" name="id343355"></a> + Slow logons and log-offs may be caused by many factors that include: + + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id343368"></a> + <a class="indexterm" name="id343380"></a> + Excessive delays in the resolution of a NetBIOS name to its IP + address. This may be observed when an overloaded domain controller + is also the WINS server. Another cause may be the failure to use + a WINS server (this assumes that there is a single network segment). + </p></li><li><p> + <a class="indexterm" name="id343396"></a> + <a class="indexterm" name="id343403"></a> + <a class="indexterm" name="id343409"></a> + Network traffic collisions due to overloading of the network + segment. One short-term workaround to this may be to replace + network HUBs with Ethernet switches. + </p></li><li><p> + <a class="indexterm" name="id343422"></a> + Defective networking hardware. Over the past few years, we have seen + on the Samba mailing list a significant increase in the number of + problems that were traced to a defective network interface controller, + a defective HUB or Ethernet switch, or defective cabling. In most cases, + it was the erratic nature of the problem that ultimately pointed to + the cause of the problem. + </p></li><li><p> + <a class="indexterm" name="id343439"></a> + <a class="indexterm" name="id343448"></a> + Excessively large roaming profiles. This type of problem is typically + the result of poor user education as well as poor network management. + It can be avoided by users not storing huge quantities of email in + MS Outlook PST files as well as by not storing files on the desktop. + These are old bad habits that require much discipline and vigilance + on the part of network management. + </p></li><li><p> + <a class="indexterm" name="id343465"></a> + You should verify that the Windows XP WebClient service is not running. + The use of the WebClient service has been implicated in many Windows + networking-related problems. + </p></li></ul></div><p> + </p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p> + Loss of access to network resources during client operation may be caused by a number + of factors, including: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id343494"></a> + Network overload (typically indicated by a high network collision rate) + </p></li><li><p> + Server overload + </p></li><li><p> + <a class="indexterm" name="id343513"></a> + Timeout causing the client to close a connection that is in use but has + been latent (no traffic) for some time (5 minutes or more) + </p></li><li><p> + <a class="indexterm" name="id343528"></a> + Defective networking hardware + </p></li></ul></div><p> + <a class="indexterm" name="id343542"></a> + No matter what the cause, a sudden loss of access to network resources can + result in BSOD (blue screen of death) situations that necessitate rebooting of the client + workstation. In the case of a mild problem, retrying to access the network drive of the printer + may restore operations, but in any case this is a serious problem that may lead to the next + problem, data corruption. + </p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p> + <a class="indexterm" name="id343566"></a> + Data corruption is one of the most serious problems. It leads to uncertainty, anger, and + frustration, and generally precipitates immediate corrective demands. Management response + to this type of problem may be rational, as well as highly irrational. There have been + cases where management has fired network staff for permitting this situation to occur without + immediate correction. There have been situations where perfectly functional hardware was thrown + out and replaced, only to find the problem caused by a low-cost network hardware item. There + have been cases where server operating systems were replaced, or where Samba was updated, + only to later isolate the problem due to defective client software. + </p></dd></dl></div><p> + In this chapter, you can work through a number of measures that significantly arm you to + anticipate and combat network performance issues. You can work through complex and thorny + methods to improve the reliability of your network environment, but be warned that all such steps + demand the price of complexity. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id343590"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p> + <a class="indexterm" name="id343598"></a> + Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some + constraints that are described in this section. + </p><p> + <a class="indexterm" name="id343612"></a> + <a class="indexterm" name="id343619"></a> + <a class="indexterm" name="id343626"></a> + <a class="indexterm" name="id343633"></a> + The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. + That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats + them. A user account and a machine account are indistinguishable from each other, except that + the machine account ends in a $ character, as do trust accounts. + </p><p> + <a class="indexterm" name="id343646"></a> + <a class="indexterm" name="id343653"></a> + The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID + is a design decision that was made a long way back in the history of Samba development. It is + unlikely that this decision will be reversed or changed during the remaining life of the + Samba-3.x series. + </p><p> + <a class="indexterm" name="id343665"></a> + <a class="indexterm" name="id343672"></a> + The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that + must refer back to the host operating system on which Samba is running. The name service + switch (NSS) is the preferred mechanism that shields applications (like Samba) from the + need to know everything about every host OS it runs on. + </p><p> + Samba asks the host OS to provide a UID via the “<span class="quote">passwd</span>”, “<span class="quote">shadow</span>” + and “<span class="quote">group</span>” facilities in the NSS control (configuration) file. The best tool + for achieving this is left up to the UNIX administrator to determine. It is not imposed by + Samba. Samba provides winbindd together with its support libraries as one method. It is + possible to do this via LDAP, and for that Samba provides the appropriate hooks so that + all account entities can be located in an LDAP directory. + </p><p> + <a class="indexterm" name="id343702"></a> + For many the weapon of choice is to use the PADL nss_ldap utility. This utility must + be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That + is fundamentally an LDAP design question. The information provided on the Samba list and + in the documentation is directed at providing working examples only. The design + of an LDAP directory is a complex subject that is beyond the scope of this documentation. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id343715"></a>Introduction</h2></div></div></div><p> + You just opened an email from Christine that reads: + </p><p> + Good morning, + </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> + A few months ago we sat down to design the network. We discussed the challenges ahead and we all + agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated + that we would have some time to resolve any issues that might be encountered. + </p><p> + As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them + resigned yesterday afternoon because she was under duress to complete some critical projects. She + suffered a blue screen of death situation just as she was finishing four hours of intensive work, all + of which was lost. She has a unique requirement that involves storing large files on her desktop. + Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it + takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all + network logon traffic passes over the network links between our buildings, logging on may take + three or four attempts due to blue screen problems associated with network timeouts. + </p><p> + A few of us worked to help her out of trouble. We convinced her to stay and promised to fully + resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard + limits on what our users can do with their desktops. Otherwise, we face staff losses + that can surely do harm to our growth as well as to staff morale. I am sure we can better deal + with the consequences of what we know we must do than we can with the unrest we have now. + </p><p> + Stan and I have discussed the current situation. We are resolved to help our users and protect + the well being of Abmas. Please acknowledge this advice with consent to proceed as required to + regain control of our vital IT operations. + </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p> + </p><p> + <a class="indexterm" name="id343761"></a> + <a class="indexterm" name="id343768"></a> + Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a + single domain controller is a poor design that has obvious operational effects that may + frustrate users. Here is your reply: + </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> + Christine, Your diligence and attention to detail are much valued. Stan and I fully support your + proposals to resolve the issues. I am confident that your plans fully realized will significantly + boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. + Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait + for approval; I appreciate the urgency. + </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id343791"></a>Assignment Tasks</h3></div></div></div><p> + The priority of assigned tasks in this chapter is: + </p><div class="orderedlist"><ol type="1"><li><p> + <a class="indexterm" name="id343810"></a> + <a class="indexterm" name="id343819"></a> + <a class="indexterm" name="id343826"></a> + <a class="indexterm" name="id343832"></a><a class="indexterm" name="id343838"></a> + Implement Backup Domain Controllers (BDCs) in each building. This involves + a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous + chapter to an LDAP-based backend. + </p><p> + You can implement a single central LDAP server for this purpose. + </p></li><li><p> + <a class="indexterm" name="id343858"></a> + <a class="indexterm" name="id343865"></a> + <a class="indexterm" name="id343872"></a> + <a class="indexterm" name="id343879"></a> + Rectify the problem of excessive logon times. This involves redirection of + folders to network shares as well as modification of all user desktops to + exclude the redirected folders from being loaded at login time. You can also + create a new default profile that can be used for all new users. + </p></li></ol></div><p> + <a class="indexterm" name="id343895"></a> + You configure a new MS Windows XP Professional workstation disk image that you roll out + to all desktop users. The instructions you have created are followed on a staging machine + from which all changes can be carefully tested before inflicting them on your network users. + </p><p> + <a class="indexterm" name="id343907"></a> + This is the last network example in which specific mention of printing is made. The example + again makes use of the CUPS printing system. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id343919"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id343927"></a> + <a class="indexterm" name="id343933"></a> + <a class="indexterm" name="id343940"></a> + The implementation of Samba BDCs necessitates the installation and configuration of LDAP. + For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial + LDAP servers in current use with Samba-3 include: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id343955"></a> + Novell <a href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a> + is being successfully used by some sites. Information on how to use eDirectory can be + obtained from the Samba mailing lists or from Novell. + </p></li><li><p> + <a class="indexterm" name="id343974"></a> + IBM <a href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli + Directory Server</a> can be used to provide the Samba LDAP backend. Example schema + files are provided in the Samba source code tarball under the directory + <code class="filename">~samba/example/LDAP.</code> + </p></li><li><p> + <a class="indexterm" name="id343999"></a> + Sun <a href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity + Server product suite</a> provides an LDAP server that can be used for Samba. + Example schema files are provided in the Samba source code tarball under the directory + <code class="filename">~samba/example/LDAP.</code> + </p></li></ul></div><p> + A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial + offerings, it requires that you manually edit the server configuration files and manually + initialize the LDAP directory database. OpenLDAP itself has only command-line tools to + help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. + </p><p> + <a class="indexterm" name="id344030"></a> + For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite + adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include + GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database + requires an understanding of what you are doing, why you are doing it, and the tools that you must use. + </p><p> + <a class="indexterm" name="id344044"></a> + <a class="indexterm" name="id344050"></a> + <a class="indexterm" name="id344057"></a> + <a class="indexterm" name="id344066"></a> + <a class="indexterm" name="id344076"></a> + <a class="indexterm" name="id344082"></a> + <a class="indexterm" name="id344092"></a> + When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. + High availability operation may be obtained through directory replication/synchronization and + master/slave server configurations. OpenLDAP is a mature platform to host the organizational + directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. + The price paid through learning how to design an LDAP directory schema in implementation and configuration + of management tools is well rewarded by performance and flexibility and the freedom to manage directory + contents with greater ability to back up, restore, and modify the directory than is generally possible + with Microsoft Active Directory. + </p><p> + <a class="indexterm" name="id344110"></a> + <a class="indexterm" name="id344120"></a> + <a class="indexterm" name="id344127"></a> + <a class="indexterm" name="id344133"></a> + A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory + tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured + for a specific task orientation. It comes with a set of administrative tools that is entirely customized + for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange + server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator + who wants to build a custom directory solution. Microsoft provides an application called + <a href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top"> + MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services + of OpenLDAP. + </p><p> + <a class="indexterm" name="id344156"></a> + <a class="indexterm" name="id344165"></a> + You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly + if you find the challenge of learning about LDAP directories, schemas, configuration, and management + tools and the creation of shell and Perl scripts a bit + challenging. OpenLDAP can be easily customized, though it includes + many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file + that is required for use as a passdb backend. + </p><p> + <a class="indexterm" name="id344179"></a> + For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, + there are a few nice Web-based tools that may help you to manage your users and groups more effectively. + The Web-based tools you might like to consider include the + <a href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM) and the Webmin-based + <a href="http://www.webmin.com" target="_top">Webmin</a> Idealx + <a href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools</a>. + </p><p> + Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of + these, so it may be useful to them: + <a href="http://biot.com/gq" target="_top">GQ</a>, a GTK-based LDAP browser; + LDAP <a href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a> + <a href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates); + and <a href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal + security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided + is considered to consist of the barest essentials only. You are strongly encouraged to learn more about + LDAP before attempting to deploy it in a business-critical environment. + </p></div><p> + Information to help you get started with OpenLDAP is available from the + <a href="http://www.openldap.org/pub/" target="_top">OpenLDAP web site</a>. Many people have found the book + <a href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a> + by Jerry Carter quite useful. + </p><p> + <a class="indexterm" name="id344265"></a> + <a class="indexterm" name="id344272"></a> + <a class="indexterm" name="id344281"></a> + <a class="indexterm" name="id344288"></a> + Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the + main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must + be loaded over the WAN connection. The addition of BDCs on each network segment significantly + improves overall network performance for most users, but it is not enough. You must gain control over + user desktops, and this must be done in a way that wins their support and does not cause further loss of + staff morale. The following procedures solve this problem. + </p><p> + <a class="indexterm" name="id344305"></a> + There is also an opportunity to implement smart printing features. You add this to the Samba configuration + so that future printer changes can be managed without need to change desktop configurations. + </p><p> + You add the ability to automatically download new printer drivers, even if they are not installed + in the default desktop profile. Only one example of printing configuration is given. It is assumed that + you can extrapolate the principles and use them to install all printers that may be needed. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id344321"></a>Technical Issues</h3></div></div></div><p> + <a class="indexterm" name="id344328"></a> + <a class="indexterm" name="id344338"></a> + <a class="indexterm" name="id344347"></a> + The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory + server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system + accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account + attributes Samba needs. Samba-3 can use the LDAP backend to store: + </p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p> + <a class="indexterm" name="id344383"></a> + <a class="indexterm" name="id344390"></a> + <a class="indexterm" name="id344396"></a> + <a class="indexterm" name="id344403"></a> + <a class="indexterm" name="id344410"></a> + <a class="indexterm" name="id344417"></a> + <a class="indexterm" name="id344426"></a> + <a class="indexterm" name="id344432"></a> + <a class="indexterm" name="id344439"></a> + The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking + accounts in the LDAP backend. This implies the need to use the + <a href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution + of the UNIX group name to its GID must be enabled from either the <code class="filename">/etc/group</code> + or from the LDAP backend. This requires the use of the PADL <code class="filename">nss_ldap</code> tool-set + that integrates with the NSS. The same requirements exist for resolution + of the UNIX username to the UID. The relationships are demonstrated in <a href="happy.html#sbehap-LDAPdiag" title="Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">???</a>. + </p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id344519"></a> + <a class="indexterm" name="id344525"></a> + You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really + ought to learn how to configure secure communications over LDAP so that site security is not + at risk. This is not covered in the following guidance. + </p><p> + <a class="indexterm" name="id344540"></a> + <a class="indexterm" name="id344546"></a> + <a class="indexterm" name="id344556"></a> + <a class="indexterm" name="id344562"></a> + When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>. + You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you + create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. + You need to decide how best to create user and group accounts. A few hints are, of course, provided. + You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools + that help to manage user and group configuration. + </p><p> + <a class="indexterm" name="id344593"></a> + <a class="indexterm" name="id344600"></a> + <a class="indexterm" name="id344606"></a> + In order to effect folder redirection and to add robustness to the implementation, + create a network default profile. All network users workstations are configured to use + the new profile. Roaming profiles will automatically be deleted from the workstation + when the user logs off. + </p><p> + <a class="indexterm" name="id344619"></a> + The profile is configured so that users cannot change the appearance + of their desktop. This is known as a mandatory profile. You make certain that users + are able to use their computers efficiently. + </p><p> + <a class="indexterm" name="id344631"></a> + A network logon script is used to deliver flexible but consistent network drive + connections. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p> + <a class="indexterm" name="id344651"></a> + <a class="indexterm" name="id344656"></a> + <a class="indexterm" name="id344662"></a> + <a class="indexterm" name="id344667"></a> + Samba versions prior to 3.0.11 necessitated the use of a domain administrator account + that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code> + user to add user and group accounts. Samba 3.0.11 introduced a new facility known as + <code class="constant">Privileges</code>, which provides five new privileges that + can be assigned to users and/or groups; see Table 5.1. + </p><div class="table"><a name="sbehap-privs"></a><p class="title"><b>Table 5.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div></div><br class="table-break"><p> + In this network example use is made of one of the supported privileges purely to demonstrate + how any user can now be given the ability to add machines to the domain using a normal user account + that has been given the appropriate privileges. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id344798"></a>Roaming Profile Background</h4></div></div></div><p> + As XP roaming profiles grow, so does the amount of time it takes to log in and out. + </p><p> + <a class="indexterm" name="id344810"></a> + <a class="indexterm" name="id344816"></a> + <a class="indexterm" name="id344823"></a> + <a class="indexterm" name="id344830"></a> + An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file + <code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data, + Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the + network with the default configuration of MS Windows NT/200x/XPP, all this data is + copied to the local machine under the <code class="filename">C:\Documents and Settings\%USERNAME%</code> + directory. While the user is logged in, any changes made to any of these folders or to the + <code class="constant">HKEY_CURRENT_USER</code> branch of the registry are made to the local copy + of the profile. At logout the profile data is copied back to the server. This behavior + can be changed through appropriate registry changes and/or through changes to the default + user profile. In the latter case, it updates the registry with the values that are set in the + profile <code class="filename">NTUSER.DAT</code> + file. + </p><p> + The first challenge is to reduce the amount of data that must be transferred to and + from the profile server as roaming profiles are processed. This includes removing + all the shortcuts in the Recent directory, making sure the cache used by the Web browser + is not being dumped into the <code class="filename">Application Data</code> folder, removing the + Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the + user to not place large files on the desktop and to use his or her mapped home directory + instead of the <code class="filename">My Documents</code> folder for saving documents. + </p><p> + <a class="indexterm" name="id344891"></a> + Using a folder other than <code class="filename">My Documents</code> is a nuisance for + some users, since many applications use it by default. + </p><p> + <a class="indexterm" name="id344908"></a> + <a class="indexterm" name="id344915"></a> + <a class="indexterm" name="id344922"></a> + The secret to rapid loading of roaming profiles is to prevent unnecessary data from + being copied back and forth, without losing any functionality. This is not difficult; + it can be done by making changes to the Local Group Policy on each client as well + as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive. + </p><p> + <a class="indexterm" name="id344941"></a> + <a class="indexterm" name="id344947"></a> + Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means + you need to edit every user's profile, unless a better method can be + followed. Fortunately, with the right preparations, this is not difficult. + It is possible to remove the <code class="filename">NTUSER.DAT</code> file from each + user's profile. Then just create a Network Default Profile. Of course, it is + necessary to copy all files from redirected folders to the network share to which + they are redirected. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p> + <a class="indexterm" name="id344983"></a> + <a class="indexterm" name="id344990"></a> + <a class="indexterm" name="id344996"></a> + <a class="indexterm" name="id345003"></a> + Without an Active Directory PDC, you cannot take full advantage of Group Policy + Objects. However, you can still make changes to the Local Group Policy by using + the Group Policy editor (<code class="literal">gpedit.msc</code>). + </p><p> + The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can + be found under + <span class="guimenu">User Configuration</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. + By default this setting contains + “<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”. + </p><p> + Simply add the folders you do not wish to be copied back and forth to this + semicolon-separated list. Note that this change must be made on all clients + that are using roaming profiles. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id345065"></a>Profile Changes</h4></div></div></div><p> + <a class="indexterm" name="id345073"></a> + <a class="indexterm" name="id345080"></a> + There are two changes that should be done to each user's profile. Move each of + the directories that you have excluded from being copied back and forth out of + the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file + to point to the new paths that are shared over the network instead of to the default + path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>). + </p><p> + <a class="indexterm" name="id345104"></a> + <a class="indexterm" name="id345111"></a> + The above modifies existing user profiles. So that newly created profiles have + these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in + the <code class="filename">C:\Documents and Settings\Default User</code> folder on each + client machine, changing the same registry keys. You could do this by copying + <code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>. + The basic method is described under <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id345153"></a>Using a Network Default User Profile</h4></div></div></div><p> + <a class="indexterm" name="id345161"></a> + <a class="indexterm" name="id345168"></a> + If you are using Samba as your PDC, you should create a file share called + <code class="constant">NETLOGON</code> and within that create a directory called + <code class="filename">Default User</code>, which is a copy of the desired default user + configuration (including a copy of <code class="filename">NTUSER.DAT</code>). + If this share exists and the <code class="filename">Default User</code> folder exists, + the first login from a new account pulls its configuration from it. + See also <a href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top"> + the Real Men Don't Click</a> Web site. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id345208"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p> + <a class="indexterm" name="id345216"></a> + <a class="indexterm" name="id345225"></a> + <a class="indexterm" name="id345232"></a> + The subject of printing is quite topical. Printing problems run second place to name + resolution issues today. So far in this book, you have experienced only what is generally + known as “<span class="quote">dumb</span>” printing. Dumb printing is the arrangement by which all drivers + are manually installed on each client and the printing subsystems perform no filtering + or intelligent processing. Dumb printing is easily understood. It usually works without + many problems, but it has its limitations also. Dumb printing is better known as + <code class="literal">Raw-Print-Through</code> printing. + </p><p> + <a class="indexterm" name="id345256"></a> + <a class="indexterm" name="id345265"></a> + Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft + Windows point-and-click (also called drag-and-drop) printing. What this provides is + essentially the ability to print to any printer. If the local client does not yet have a + driver installed, the driver is automatically downloaded from the Samba server and + installed on the client. Drag-and-drop printing is neat; it means the user never needs + to fuss with driver installation, and that is a <span class="trademark">Good Thing,</span>™ + isn't it? + </p><p> + There is a further layer of print job processing that is known as <code class="literal">intelligent</code> + printing that automatically senses the file format of data submitted for printing and + then invokes a suitable print filter to convert the incoming data stream into a format + suited to the printer to which the job is dispatched. + </p><p> + <a class="indexterm" name="id345305"></a> + <a class="indexterm" name="id345312"></a> + <a class="indexterm" name="id345318"></a> + The CUPS printing subsystem is capable of intelligent printing. It has the capacity to + detect the data format and apply a print filter. This means that it is feasible to install + on all Windows clients a single printer driver for use with all printers that are routed + through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately, + <a href="http://www.easysw.com" target="_top">Easy Software Products</a>, the authors of CUPS, have + released a PostScript printing driver for Windows. It can be installed into the Samba + printing backend so that it automatically downloads to the client when needed. + </p><p> + This means that so long as there is a CUPS driver for the printer, all printing from Windows + software can use PostScript, no matter what the actual printer language for the physical + device is. It also means that the administrator can swap out a printer with a totally + different type of device without ever needing to change a client workstation driver. + </p><p> + This book is about Samba-3, so you can confine the printing style to just the smart + style of installation. Those interested in further information regarding intelligent + printing should review documentation on the Easy Software Products Web site. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p> + It has often been said that there are three types of people in the world: those who + have sharp minds and those who forget things. Please do not ask what the third group + is like! Well, it seems that many of us have company in the second group. There must + be a good explanation why so many network administrators fail to solve apparently + simple problems efficiently and effectively. + </p><p> + Here are some diagnostic guidelines that can be referred to when things go wrong: + </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id345370"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p> + The best advice regarding how to mend a broken leg is “<span class="quote">Never break a leg!</span>” + </p><p> + <a class="indexterm" name="id345385"></a> + Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice + regarding the best way to remedy LDAP and Samba problems: “<span class="quote">Avoid them like the plague!</span>” + </p><p> + If you are now asking yourself how problems can be avoided, the best advice is to start + out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After + you have seen a fully working solution, a good way to learn is to make slow and progressive + changes that cause things to break, then observe carefully how and why things ceased to work. + </p><p> + The examples in this chapter (also in the book as a whole) are known to work. That means + that they could serve as the kick-off point for your journey through fields of knowledge. + Use this resource carefully; we hope it serves you well. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Do not be lulled into thinking that you can easily adopt the examples in this + book and adapt them without first working through the examples provided. A little + thing overlooked can cause untold pain and may permanently tarnish your experience. + </p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id345421"></a>The Name Service Caching Daemon</h5></div></div></div><p> + The name service caching daemon (nscd) is a primary cause of difficulties with name + resolution, particularly where <code class="literal">winbind</code> is used. Winbind does its + own caching, thus nscd causes double caching which can lead to peculiar problems during + debugging. As a rule, it is a good idea to turn off the name service caching daemon. + </p><p> + Operation of the name service caching daemon is controlled by the + <code class="filename">/etc/nscd.conf</code> file. Typical contents of this file are as follows: +</p><pre class="screen"> +# /etc/nscd.conf +# An example Name Service Cache config file. This file is needed by nscd. +# Legal entries are: +# logfile <file> +# debug-level <level> +# threads <threads to use> +# server-user <user to run server as instead of root> +# server-user is ignored if nscd is started with -S parameters +# stat-user <user who is allowed to request statistics> +# reload-count unlimited|<number> +# +# enable-cache <service> <yes|no> +# positive-time-to-live <service> <time in seconds> +# negative-time-to-live <service> <time in seconds> +# suggested-size <service> <prime number> +# check-files <service> <yes|no> +# persistent <service> <yes|no> +# shared <service> <yes|no> +# Currently supported cache names (services): passwd, group, hosts +# logfile /var/log/nscd.log +# threads 6 +# server-user nobody +# stat-user somebody + debug-level 0 +# reload-count 5 + enable-cache passwd yes + positive-time-to-live passwd 600 + negative-time-to-live passwd 20 + suggested-size passwd 211 + check-files passwd yes + persistent passwd yes + shared passwd yes + enable-cache group yes + positive-time-to-live group 3600 + negative-time-to-live group 60 + suggested-size group 211 + check-files group yes + persistent group yes + shared group yes +# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to +# cache hosts will cause your local system to not be able to trust +# forward/reverse lookup checks. DO NOT USE THIS if your system relies on +# this sort of security mechanism. Use a caching DNS server instead. + enable-cache hosts no + positive-time-to-live hosts 3600 + negative-time-to-live hosts 20 + suggested-size hosts 211 + check-files hosts yes + persistent hosts yes + shared hosts yes +</pre><p> + It is feasible to comment out the <code class="constant">passwd</code> and <code class="constant">group</code> + entries so they will not be cached. Alternatively, it is often simpler to just disable the + <code class="literal">nscd</code> service by executing (on Novell SUSE Linux): +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig nscd off +<code class="prompt">root# </code> rcnscd off +</pre><p> + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id345538"></a>Debugging LDAP</h5></div></div></div><p> + <a class="indexterm" name="id345546"></a> + <a class="indexterm" name="id345553"></a> + <a class="indexterm" name="id345559"></a> + In the example <code class="filename">/etc/openldap/slapd.conf</code> control file + (see <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a>) there is an entry for <code class="constant">loglevel 256</code>. + To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter + and restart <code class="literal">slapd</code>. + </p><p> + <a class="indexterm" name="id345593"></a> + <a class="indexterm" name="id345600"></a> + LDAP log information can be directed into a file that is separate from the normal system + log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following + contents: +</p><pre class="screen"> +# Some foreign boot scripts require local7 +# +local0,local1.* -/var/log/localmessages +local2,local3.* -/var/log/localmessages +local5.* -/var/log/localmessages +local6,local7.* -/var/log/localmessages +local4.* -/var/log/ldaplogs +</pre><p> + In this case, all LDAP-related logs will be directed to the file + <code class="filename">/var/log/ldaplogs</code>. This makes it easy to track LDAP errors. + The snippet provides a simple example of usage that can be modified to suit + local site needs. The configuration used later in this chapter reflects such + customization with the intent that LDAP log files will be stored at a location + that meets local site needs and wishes more fully. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id345634"></a>Debugging NSS_LDAP</h5></div></div></div><p> + The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the + <code class="filename">/etc/ldap.conf</code> file the following parameters: +</p><pre class="screen"> +debug 256 +logdir /data/logs +</pre><p> + Create the log directory as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /data/logs +</pre><p> + </p><p> + The diagnostic process should follow these steps: + </p><div class="procedure"><a name="id345674"></a><p class="title"><b>Procedure 5.1. NSS_LDAP Diagnostic Steps</b></p><ol type="1"><li><p> + Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries + in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory + tree location that was chosen when the directory was first created. + </p><p> + One way this can be done is by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat | grep Group | grep dn +dn: ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz +dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz +dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz +dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz +</pre><p> + The first line is the DIT entry point for the container for POSIX groups. The correct entry + for the <code class="filename">/etc/ldap.conf</code> for the <code class="constant">nss_base_group</code> + parameter therefore is the distinguished name (dn) as applied here: +</p><pre class="screen"> +nss_base_group ou=Groups,dc=abmas,dc=biz?one +</pre><p> + The same process may be followed to determine the appropriate dn for user accounts. + If the container for computer accounts is not the same as that for users (see the <code class="filename">smb.conf</code> + file entry for <code class="constant">ldap machine suffix</code>), it may be necessary to set the + following DIT dn in the <code class="filename">/etc/ldap.conf</code> file: +</p><pre class="screen"> +nss_base_passwd dc=abmas,dc=biz?sub +</pre><p> + This instructs LDAP to search for machine as well as user entries from the top of the DIT + down. This is inefficient, but at least should work. Note: It is possible to specify multiple + <code class="constant">nss_base_passwd</code> entries in the <code class="filename">/etc/ldap.conf</code> file; they + will be evaluated sequentially. Let us consider an example of use where the following DIT + has been implemented: + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p> + </p><p> + The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive + in the <code class="filename">/etc/ldap.conf</code> file may be: +</p><pre class="screen"> +nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one +nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one +</pre><p> + </p></li><li><p> + Perform lookups such as: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +</pre><p> + Each such lookup will create an entry in the <code class="filename">/data/log</code> directory + for each such process executed. The contents of each file created in this directory + may provide a hint as to the cause of the a problem that is under investigation. + </p></li><li><p> + For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code> + to see what error messages are being generated as a result of the LDAP lookups. Here is an example of + a successful lookup: +</p><pre class="screen"> +slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539 +(IP=0.0.0.0:389) +slapd[12164]: conn=0 op=0 BIND dn="" method=128 +slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text= +slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0 +filter="(objectClass=*)" +slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0 +nentries=1 text= +slapd[12164]: conn=0 op=2 UNBIND +slapd[12164]: conn=0 fd=10 closed +slapd[12164]: conn=1 fd=10 ACCEPT from +IP=127.0.0.1:33540 (IP=0.0.0.0:389) +slapd[12164]: conn=1 op=0 BIND +dn="cn=Manager,dc=abmas,dc=biz" method=128 +slapd[12164]: conn=1 op=0 BIND +dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0 +slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text= +slapd[12164]: conn=1 op=1 SRCH +base="ou=People,dc=abmas,dc=biz" scope=1 deref=0 +filter="(objectClass=posixAccount)" +slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword +uidNumber gidNumber cn +homeDirectory loginShell gecos description objectClass +slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0 +nentries=2 text= +slapd[12164]: conn=1 fd=10 closed + +</pre><p> + </p></li><li><p> + Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the + <code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the + <code class="filename">/etc/openldap/slapd.conf</code> file. + </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id345893"></a>Debugging Samba</h5></div></div></div><p> + The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems: +</p><pre class="screen"> +[global] + ... + log level = 5 + log file = /var/log/samba/%m.log + max log size = 0 + ... +</pre><p> + This will result in the creation of a separate log file for every client from which connections + are made. The log file will be quite verbose and will grow continually. Do not forget to + change these lines to the following when debugging has been completed: +</p><pre class="screen"> +[global] + ... + log level = 1 + log file = /var/log/samba/%m.log + max log size = 50 + ... +</pre><p> + </p><p> + The log file can be analyzed by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /var/log/samba +<code class="prompt">root# </code> grep -v "^\[200" machine_name.log +</pre><p> + </p><p> + Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span> + and <span class="emphasis"><em>error</em></span>. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id345957"></a>Debugging on the Windows Client</h5></div></div></div><p> + MS Windows 2000 Professional and Windows XP Professional clients can be configured + to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search + the Microsoft knowledge base for detailed instructions. The techniques vary a little with each + version of MS Windows. + </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345972"></a>Political Issues</h3></div></div></div><p> + MS Windows network users are generally very sensitive to limits that may be imposed when + confronted with locked-down workstation configurations. The challenge you face must + be promoted as a choice between reliable, fast network operation and a constant flux + of problems that result in user irritation. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345985"></a>Installation Checklist</h3></div></div></div><p> + You are starting a complex project. Even though you went through the installation of a complex + network in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>, this network is a bigger challenge because of the + large number of complex applications that must be configured before the first few steps + can be validated. Take stock of what you are about to undertake, prepare yourself, and + frequently review the steps ahead while making at least a mental note of what has already + been completed. The following task list may help you to keep track of the task items + that are covered: + </p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>OpenLDAP server</p></li><li><p>PAM and NSS client tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx smbldap scripts</p></li><li><p>LDAP initialization</p></li><li><p>Create user and group accounts</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profile directories</p></li><li><p>Logon scripts</p></li><li><p>Configuration of user rights and privileges</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>PAM and NSS client tools</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profiles directories</p></li></ol></div></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default profile folder redirection</p></li><li><p>MS Outlook PST file relocation</p></li><li><p>Delete roaming profile on logout</p></li><li><p>Upload printer drivers to Samba servers</p></li><li><p>Install software</p></li><li><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id346155"></a>Samba Server Implementation</h2></div></div></div><p> + <a class="indexterm" name="id346163"></a> + <a class="indexterm" name="id346170"></a> + The network design shown in <a href="happy.html#chap6net" title="Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend">???</a> is not comprehensive. It is assumed + that you will install additional file servers and possibly additional BDCs. + </p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id346230"></a> + <a class="indexterm" name="id346237"></a> + All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE + Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to + adjust the locations for your particular Linux system distribution/implementation. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools +scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball, +please verify that the versions you are about to use are matching. The smbldap-tools package +uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are +issued for POSIX accounts. The LDAP rdn under which this information is stored are called +<code class="constant">uidNumber</code> and <code class="constant">gidNumber</code> respectively. These may be +located in any convenient part of the directory information tree (DIT). In the examples that +follow they have been located under <code class="constant">dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</code>. +They could just as well be located under the rdn <code class="constant">cn=NextFreeUnixId</code>. +</p></div><p> + The steps in the process involve changes from the network configuration shown in + <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>. Before implementing the following steps, you must + have completed the network implementation shown in that chapter. If you are starting + with newly installed Linux servers, you must complete the steps shown in + <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> before commencing at <a href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">???</a>. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p> + <a class="indexterm" name="id346306"></a> + <a class="indexterm" name="id346313"></a> + <a class="indexterm" name="id346320"></a> + Confirm that the packages shown in <a href="happy.html#oldapreq" title="Table 5.2. Required OpenLDAP Linux Packages">???</a> are installed on your system. + </p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table 5.2. Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><p> + Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method + for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you + follow these guidelines, the resulting system should work fine. + </p><div class="procedure"><a name="id346449"></a><p class="title"><b>Procedure 5.2. OpenLDAP Server Configuration Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id346460"></a> + Install the file shown in <a href="happy.html#sbehap-slapdconf" title="Example 5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A">???</a> in the directory + <code class="filename">/etc/openldap</code>. + </p></li><li><p> + <a class="indexterm" name="id346487"></a> + <a class="indexterm" name="id346493"></a> + <a class="indexterm" name="id346500"></a> + Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that + the directory exists with permissions: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /data | grep ldap +drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap +</pre><p> + This may require you to add a user and a group account for LDAP if they do not exist. + </p></li><li><p> + <a class="indexterm" name="id346533"></a> + Install the file shown in <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a> in the directory + <code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code> + has been started, it is possible to cause the new settings to take effect by shutting down + the <code class="constant">LDAP</code> server, executing the <code class="literal">db_recover</code> command inside the + <code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server. + </p></li><li><p> + <a class="indexterm" name="id346583"></a> + Performance logging can be enabled and should preferably be sent to a file on + a file system that is large enough to handle significantly sized logs. To enable + the logging at a verbose level to permit detailed analysis, uncomment the entry in + the <code class="filename">/etc/openldap/slapd.conf</code> shown as “<span class="quote">loglevel 256</span>”. + </p><p> + Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end + of the file: +</p><pre class="screen"> +local4.* -/data/ldap/log/openldap.log +</pre><p> + Note: The path <code class="filename">/data/ldap/log</code> should be set at a location + that is convenient and that can store a large volume of data. + </p></li></ol></div><div class="example"><a name="sbehap-dbconf"></a><p class="title"><b>Example 5.1. LDAP DB_CONFIG File</b></p><div class="example-contents"><pre class="screen"> +set_cachesize 0 150000000 1 +set_lg_regionmax 262144 +set_lg_bsize 2097152 +#set_lg_dir /var/log/bdb +set_flags DB_LOG_AUTOREMOVE +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf"></a><p class="title"><b>Example 5.2. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen"> +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba3.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +access to dn.base="" + by self write + by * auth + +access to attr=userPassword + by self write + by * auth + +access to attr=shadowLastChange + by self write + by * read + +access to * + by * read + by anonymous auth + +#loglevel 256 + +schemacheck on +idletimeout 30 +backend bdb +database bdb +checkpoint 1024 5 +cachesize 10000 + +suffix "dc=abmas,dc=biz" +rootdn "cn=Manager,dc=abmas,dc=biz" + +# rootpw = not24get +rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV + +directory /data/ldap +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf2"></a><p class="title"><b>Example 5.3. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen"> +# Indices to maintain +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUID eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p> + <a class="indexterm" name="id346721"></a> + <a class="indexterm" name="id346728"></a> + <a class="indexterm" name="id346734"></a> + The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and + groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure + the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. + </p><p> + <a class="indexterm" name="id346747"></a> + <a class="indexterm" name="id346756"></a> + Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely + that you may want to use them for UNIX system (Linux) local machine logons. This necessitates + correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the + PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code> + module also has the ability to redirect authentication requests through LDAP. + </p><p> + <a class="indexterm" name="id346781"></a> + <a class="indexterm" name="id346788"></a> + <a class="indexterm" name="id346794"></a> + <a class="indexterm" name="id346801"></a> + You have chosen to configure these services by directly editing the system files, but of course, you + know that this configuration can be done using system tools provided by the Linux system vendor. + SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> → <span class="guimenuitem">system</span> → <span class="guimenuitem">ldap-client</span> that permits + configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code> + tool for this. + </p><div class="procedure"><a name="id346838"></a><p class="title"><b>Procedure 5.3. PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example 5.4. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> +host 127.0.0.1 + +base dc=abmas,dc=biz + +binddn cn=Manager,dc=abmas,dc=biz +bindpw not24get + +timelimit 50 +bind_timelimit 50 +bind_policy hard + +idle_timelimit 3600 + +pam_password exop + +nss_base_passwd ou=People,dc=abmas,dc=biz?one +nss_base_shadow ou=People,dc=abmas,dc=biz?one +nss_base_group ou=Groups,dc=abmas,dc=biz?one + +ssl off +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-nss02"></a><p class="title"><b>Example 5.5. Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> +host 172.16.0.1 + +base dc=abmas,dc=biz + +binddn cn=Manager,dc=abmas,dc=biz +bindpw not24get + +timelimit 50 +bind_timelimit 50 +bind_policy hard + +idle_timelimit 3600 + +pam_password exop + +nss_base_passwd ou=People,dc=abmas,dc=biz?one +nss_base_shadow ou=People,dc=abmas,dc=biz?one +nss_base_group ou=Groups,dc=abmas,dc=biz?one + +ssl off +</pre></div></div><br class="example-break"><ol type="1"><li><p> + <a class="indexterm" name="id346849"></a> + <a class="indexterm" name="id346856"></a> + <a class="indexterm" name="id346863"></a> + Execute the following command to find where the <code class="filename">nss_ldap</code> module + expects to find its control file: +</p><pre class="screen"> +<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf +</pre><p> + The preferred and usual location is <code class="filename">/etc/ldap.conf</code>. + </p></li><li><p> + On the server <code class="constant">MASSIVE</code>, install the file shown in + <a href="happy.html#sbehap-nss01" title="Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf">???</a> into the path that was obtained from the step above. + On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in + <a href="happy.html#sbehap-nss02" title="Example 5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf">???</a> into the path that was obtained from the step above. + </p></li><li><p> + <a class="indexterm" name="id346985"></a> + Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that + control user and group resolution will obtain information from the normal system files as + well as from <code class="literal">ldap</code>: +</p><pre class="screen"> +passwd: files ldap +shadow: files ldap +group: files ldap +hosts: files dns wins +</pre><p> + Later, when the LDAP database has been initialized and user and group accounts have been + added, you can validate resolution of the LDAP resolver process. The inclusion of + WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be + resolved to their IP addresses, whether or not they are DHCP clients. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code> + file that may cause operational problems with the configuration methods adopted in this book. It is + advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code> + where they are found in this file. + </p></div><p> + Even at the risk of overstating the issue, incorrect and inappropriate configuration of the + <code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP. + </p></li><li><p> + <a class="indexterm" name="id347051"></a> + For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following + files in the <code class="filename">/etc/pam.d</code> directory: <code class="literal">login</code>, <code class="literal">password</code>, + <code class="literal">samba</code>, <code class="literal">sshd</code>. In each file, locate every entry that has the + <code class="literal">pam_unix2.so</code> entry and add to the line the entry <code class="literal">use_ldap</code> as shown + for the <code class="literal">login</code> module in this example: +</p><pre class="screen"> +#%PAM-1.0 +auth requisite pam_unix2.so nullok use_ldap #set_secrpc +auth required pam_securetty.so +auth required pam_nologin.so +#auth required pam_homecheck.so +auth required pam_env.so +auth required pam_mail.so +account required pam_unix2.so use_ldap +password required pam_pwcheck.s nullok +password required pam_unix2.so nullok use_first_pass \ + use_authtok use_ldap +session required pam_unix2.so none use_ldap # debug or trace +session required pam_limits.so +</pre><p> + </p><p> + <a class="indexterm" name="id347127"></a> + On other Linux systems that do not have an LDAP-enabled <code class="literal">pam_unix2.so</code> module, + you must edit these files by adding the <code class="literal">pam_ldap.so</code> modules as shown here: +</p><pre class="screen"> +#%PAM-1.0 +auth required pam_securetty.so +auth required pam_nologin.so +auth sufficient pam_ldap.so +auth required pam_unix2.so nullok try_first_pass #set_secrpc +account sufficient pam_ldap.so +account required pam_unix2.so +password required pam_pwcheck.so nullok +password required pam_ldap.so use_first_pass use_authtok +password required pam_unix2.so nullok use_first_pass use_authtok +session required pam_unix2.so none # debug or trace +session required pam_limits.so +session required pam_env.so +session optional pam_mail.so +</pre><p> + This example does have the LDAP-enabled <code class="literal">pam_unix2.so</code>, but simply + demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either + implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports + LDAP, you probably want to use it rather than add an additional module. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p> + <a class="indexterm" name="id347192"></a> + Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server + before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the + choice to either build your own or obtain the packages from a dependable source. + Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for + Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that + is included with this book. + </p><div class="procedure"><a name="id347204"></a><p class="title"><b>Procedure 5.4. Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol type="1"><li><p> + Install the files in <a href="happy.html#sbehap-massive-smbconfa" title="Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">???</a>, + <a href="happy.html#sbehap-massive-smbconfb" title="Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">???</a>, <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, + and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> into the <code class="filename">/etc/samba/</code> + directory. The three files should be added together to form the <code class="filename">smb.conf</code> + master file. It is a good practice to call this file something like + <code class="filename">smb.conf.master</code> and then to perform all file edits + on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in + the next step. + </p></li><li><p> + <a class="indexterm" name="id347276"></a> + Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf +</pre><p> + Immediately follow this with the following: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm +</pre><p> + The output that is created should be free from errors, as shown here: + +</p><pre class="screen"> +Load smb config files from /etc/samba/smb.conf +Processing section "[accounts]" +Processing section "[service]" +Processing section "[pidata]" +Processing section "[homes]" +Processing section "[printers]" +Processing section "[apps]" +Processing section "[netlogon]" +Processing section "[profiles]" +Processing section "[profdata]" +Processing section "[print$]" +Loaded services file OK. +Server role: ROLE_DOMAIN_PDC +Press enter to see a dump of your service definitions +</pre><p> + </p></li><li><p> + Delete all runtime files from prior Samba operation by executing (for SUSE + Linux): +</p><pre class="screen"> +<code class="prompt">root# </code> rm /etc/samba/*tdb +<code class="prompt">root# </code> rm /var/lib/samba/*tdb +<code class="prompt">root# </code> rm /var/lib/samba/*dat +<code class="prompt">root# </code> rm /var/log/samba/* +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id347368"></a> + <a class="indexterm" name="id347374"></a> + Samba-3 communicates with the LDAP server. The password that it uses to + authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code> + file. Execute the following to create the new <code class="filename">secrets.tdb</code> files + and store the password for the LDAP Manager: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +</pre><p> + The expected output from this command is: +</p><pre class="screen"> +Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id347420"></a> + <a class="indexterm" name="id347426"></a> + Samba-3 generates a Windows Security Identifier (SID) only when <code class="literal">smbd</code> + has been started. For this reason, you start Samba. After a few seconds delay, + execute: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L localhost -U% +<code class="prompt">root# </code> net getlocalsid +</pre><p> + A report such as the following means that the domain SID has not yet + been written to the <code class="filename">secrets.tdb</code> or to the LDAP backend: +</p><pre class="screen"> +[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852) + failed to bind to server ldap://massive.abmas.biz +with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server + (unknown) +[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169) + smbldap_search_suffix: Problem during the LDAP search: + (unknown) (Timed out) +</pre><p> + The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server + is not running, this operation will fail by way of a timeout, as shown previously. This is + normal output; do not worry about this error message. When the domain has been created and + written to the <code class="filename">secrets.tdb</code> file, the output should look like this: +</p><pre class="screen"> +SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 +</pre><p> + If, after a short delay (a few seconds), the domain SID has still not been written to + the <code class="filename">secrets.tdb</code> file, it is necessary to investigate what + may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical + errors (the most common problem). The use of the <code class="literal">testparm</code> is highly + recommended to validate the contents of this file. + </p></li><li><p> + When a positive domain SID has been reported, stop Samba. + </p></li><li><p> + <a class="indexterm" name="id347525"></a> + <a class="indexterm" name="id347532"></a> + <a class="indexterm" name="id347539"></a> + <a class="indexterm" name="id347546"></a> + Configure the NFS server for your Linux system. So you can complete the steps that + follow, enter into the <code class="filename">/etc/exports</code> the following entry: +</p><pre class="screen"> +/home *(rw,root_squash,sync) +</pre><p> + This permits the user home directories to be used on the BDC servers for testing + purposes. You, of course, decide what is the best way for your site to distribute + data drives, and you create suitable backup and restore procedures for Abmas + I'd strongly recommend that for normal operation the BDC is completely independent + of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite + closely. If you do use NFS, do not forget to start the NFS server as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rcnfsserver start +</pre><p> + </p></li></ol></div><p> + Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with + configuration of the LDAP server. + </p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example 5.6. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id347624"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id347636"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id347649"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id347661"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id347674"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id347686"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id347699"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id347712"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id347724"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id347737"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id347749"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id347762"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id347775"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id347787"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id347800"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id347812"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id347825"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id347838"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id347850"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id347863"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id347876"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id347889"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id347902"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id347916"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id347929"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example 5.7. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id347966"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id347978"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id347991"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id348004"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348016"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348029"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348041"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id348054"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id348067"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id348079"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id348092"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id348105"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id348117"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id348130"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id348143"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id348155"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348168"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id348180"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p> + <a class="indexterm" name="id348207"></a> + The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts + on the LDAP server. You have chosen the Idealx scripts because they are the best-known + LDAP configuration scripts. The use of these scripts will help avoid the necessity + to create custom scripts. It is easy to download them from the Idealx + <a href="http://samba.idealx.org/index.en.html" target="_top">Web site</a>. The tarball may + be directly <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz" target="_top">downloaded</a> + from this site also. Alternatively, you may obtain the + <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a> + file that may be used to build an installable RPM package for your Linux system. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must +change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>). +</p></div><p> + The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>. + The scripts are not needed on BDC machines because all LDAP updates are handled by + the PDC alone. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id348265"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p> + To perform a manual installation of the smbldap-tools scripts, the following procedure may be used: + </p><div class="procedure"><a name="idealxscript"></a><p class="title"><b>Procedure 5.5. Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol type="1"><li><p> + Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions + and ownership as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /opt/IDEALX/sbin +<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin +<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin +<code class="prompt">root# </code> mkdir -p /etc/smbldap-tools +<code class="prompt">root# </code> chown root:root /etc/smbldap-tools +<code class="prompt">root# </code> chmod 755 /etc/smbldap-tools +</pre><p> + </p></li><li><p> + If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location. + Change into either the directory extracted from the tarball or the smbldap-tools + directory in your <code class="filename">/usr/share/doc/packages</code> directory tree. + </p></li><li><p> + Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the + <code class="filename">/opt/IDEALX/sbin</code> directory, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> cd smbldap-tools-0.9.1/ +<code class="prompt">root# </code> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/ +<code class="prompt">root# </code> cp smbldap*conf /etc/smbldap-tools/ +<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/smbldap-* +<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/configure.pl +<code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf +<code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf +</pre><p> + </p></li><li><p> + The smbldap-tools scripts master control file must now be configured. + Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the + <code class="filename">smbldap_tools.pm</code> to affect the changes + shown here: +</p><pre class="screen"> +... +# ugly funcs using global variables and spawning openldap clients + +my $smbldap_conf="/etc/smbldap-tools/smbldap.conf"; +my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; +... +</pre><p> + </p></li><li><p> + To complete the configuration of the smbldap-tools, set the permissions and ownership + by executing the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin/* +<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin/smbldap-* +<code class="prompt">root# </code> chmod 640 /opt/IDEALX/sbin/smb*pm +</pre><p> + The smbldap-tools scripts are now ready for the configuration step outlined in + <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">???</a>. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id348500"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p> + In the event that you have elected to use the RPM package provided by Idealx, download the + source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure: + </p><div class="procedure"><a name="id348516"></a><p class="title"><b>Procedure 5.6. Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol type="1"><li><p> + Install the source RPM that has been downloaded as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm +</pre><p> + </p></li><li><p> + Change into the directory in which the SPEC files are located. On SUSE Linux: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /usr/src/packages/SPECS +</pre><p> + On Red Hat Linux systems: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /usr/src/redhat/SPECS +</pre><p> + </p></li><li><p> + Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the + <code class="constant">_sysconfig</code> macro as shown here: +</p><pre class="screen"> +%define _prefix /opt/IDEALX +%define _sysconfdir /etc +</pre><p> + Note: Any suitable directory can be specified. + </p></li><li><p> + Build the package by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec +</pre><p> + A build process that has completed without error will place the installable binary + files in the directory <code class="filename">../RPMS/noarch</code>. + </p></li><li><p> + Install the binary package by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm +</pre><p> + </p></li></ol></div><p> + The Idealx scripts should now be ready for configuration using the steps outlined in + <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p> + Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file + and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption + is made that the <code class="filename">smb.conf</code> file has correct contents. The following procedure ensures that + this is completed correctly: + </p><p> + The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included + in the <code class="filename">smb.conf</code> file. + </p><div class="procedure"><a name="id348699"></a><p class="title"><b>Procedure 5.7. Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol type="1"><li><p> + Change into the directory that contains the <code class="filename">configure.pl</code> script. +</p><pre class="screen"> +<code class="prompt">root# </code> cd /opt/IDEALX/sbin +</pre><p> + </p></li><li><p> + Execute the <code class="filename">configure.pl</code> script as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> ./configure.pl +</pre><p> + The interactive use of this script for the PDC is demonstrated here: +</p><pre class="screen"> +<code class="prompt">root# </code> /opt/IDEALX/sbin/configure.pl +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + smbldap-tools script configuration + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Before starting, check + . if your samba controller is up and running. + . if the domain SID is defined (you can get it with the + 'net getlocalsid') + + . you can leave the configuration using the Crtl-c key combination + . empty value can be set with the "." character +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Looking for configuration files... + +Samba Config File Location [/etc/samba/smb.conf] > +smbldap-tools configuration file Location (global parameters) + [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] > +smbldap Config file Location (bind parameters) + [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] > +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Let's start configuring the smbldap-tools scripts ... + +. workgroup name: name of the domain Samba act as a PDC + workgroup name [MEGANET2] > +. netbios name: netbios name of the samba controler + netbios name [MASSIVE] > +. logon drive: local path to which the home directory + will be connected (for NT Workstations). Ex: 'H:' + logon drive [H:] > +. logon home: home directory location (for Win95/98 or NT Workstation) + (use %U as username) Ex:'\\MASSIVE\%U' + logon home (press the "." character if you don't want homeDirectory) + [\\MASSIVE\%U] > +. logon path: directory where roaming profiles are stored. + Ex:'\\MASSIVE\profiles\%U' + logon path (press the "." character + if you don't want roaming profile) [\\%L\profiles\%U] > +. home directory prefix (use %U as username) + [/home/%U] > /data/users/%U +. default users' homeDirectory mode [700] > +. default user netlogon script (use %U as username) + [scripts\logon.bat] > + default password validation time (time in days) [45] > 900 +. ldap suffix [dc=abmas,dc=biz] > +. ldap group suffix [ou=Groups] > +. ldap user suffix [ou=People,ou=Users] > +. ldap machine suffix [ou=Computers,ou=Users] > +. Idmap suffix [ou=Idmap] > +. sambaUnixIdPooldn: object where you want to store the next uidNumber + and gidNumber available for new users and groups + sambaUnixIdPooldn object (relative to ${suffix}) + [sambaDomainName=MEGANET2] > +. ldap master server: IP adress or DNS name of the master + (writable) ldap server + ldap master server [massive.abmas.biz] > +. ldap master port [389] > +. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] > +. ldap master bind password [] > +. ldap slave server: IP adress or DNS name of the slave ldap server: + can also be the master one + ldap slave server [massive.abmas.biz] > +. ldap slave port [389] > +. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] > +. ldap slave bind password [] > +. ldap tls support (1/0) [0] > +. SID for domain MEGANET2: SID of the domain + (can be obtained with 'net getlocalsid MASSIVE') + SID for domain MEGANET2 + [S-1-5-21-3504140859-1010554828-2431957765]] > +. unix password encryption: encryption used for unix passwords + unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 +. default user gidNumber [513] > +. default computer gidNumber [515] > +. default login shell [/bin/bash] > +. default skeleton directory [/etc/skel] > +. default domain name to append to mail adress [] > abmas.biz +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +backup old configuration files: + /etc/opt/IDEALX/smbldap-tools/smbldap.conf-> + /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old + /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf-> + /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old +writing new configuration file: + /etc/opt/IDEALX/smbldap-tools/smbldap.conf done. + /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done. +</pre><p> + Since a slave LDAP server has not been configured, it is necessary to specify the IP + address of the master LDAP server for both the master and the slave configuration + prompts. + </p></li><li><p> + Change to the directory that contains the <code class="filename">smbldap.conf</code> file, + then verify its contents. + </p></li></ol></div><p> + The smbldap-tools are now ready for use. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id348843"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p> + The LDAP database must be populated with well-known Windows domain user accounts and domain group + accounts before Samba can be used. The following procedures step you through the process. + </p><p> + At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are + mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not + hurt to have UNIX user and group accounts in both the system files as well as in the LDAP + database. From a UNIX system perspective, the NSS resolver checks system files before + referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it + does not need to ask LDAP. + </p><p> + Addition of an account to the LDAP backend can be done in two ways: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id348870"></a> + <a class="indexterm" name="id348877"></a> + <a class="indexterm" name="id348884"></a> + <a class="indexterm" name="id348891"></a> + <a class="indexterm" name="id348898"></a> + <a class="indexterm" name="id348904"></a> + If you always have a user account in the <code class="filename">/etc/passwd</code> on every + server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in + LDAP. In this case, you can add Windows domain user accounts using the + <code class="literal">pdbedit</code> utility. Use of this tool from the command line adds the + SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user. + </p><p> + This is the least desirable method because when LDAP is used as the passwd backend Samba + expects the POSIX account to be in LDAP also. It is possible to use the PADL account + migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code> + files, or from NIS, to LDAP. + </p></li><li><p> + If you decide that it is probably a good idea to add both the PosixAccount attributes + as well as the SambaSamAccount attributes for each user, then a suitable script is needed. + In the example system you are installing in this exercise, you are making use of the + Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system, + is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code> + </p></li></ul></div><p> + <a class="indexterm" name="id348956"></a> + If you wish to have more control over how the LDAP database is initialized or + if you don't want to use the Idealx smbldap-tools, you should refer to + <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">???</a>. + </p><p> + <a class="indexterm" name="id348982"></a> + The following steps initialize the LDAP database, and then you can add user and group + accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> to + seed the LDAP database. You then manually add the accounts shown in <a href="happy.html#sbehap-bigacct" title="Table 5.3. Abmas Network Users and Groups">???</a>. + The list of users does not cover all 500 network users; it provides examples only. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id349008"></a> + <a class="indexterm" name="id349017"></a> + <a class="indexterm" name="id349026"></a> + In the following examples, as the LDAP database is initialized, we do create a container + for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made + of the People container, not the Computers container, for domain member accounts. This is not a + mistake; it is a deliberate action that is necessitated by the fact that the resolution of + a machine (computer) account to a UID is done via NSS. The only way this can be handled is + using the NSS (<code class="filename">/etc/nsswitch.conf</code>) entry for <code class="constant">passwd</code>, + which is resolved using the <code class="filename">nss_ldap</code> library. The configuration file for + the <code class="filename">nss_ldap</code> library is the file <code class="filename">/etc/ldap.conf</code> that + provides only one possible LDAP search command that is specified by the entry called + <code class="constant">nss_base_passwd</code>. This means that the search path must take into account + the directory structure so that the LDAP search will commence at a level that is above + both the Computers container and the Users (or People) container. If this is done, it is + necessary to use a search that will descend the directory tree so that the machine account + can be found. Alternatively, by placing all machine accounts in the People container, we + are able to sidestep this limitation. This is the simpler solution that has been adopted + in this chapter. + </p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table 5.3. Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left"> </td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left"> </td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="creatacc"></a><p class="title"><b>Procedure 5.8. LDAP Directory Initialization Steps</b></p><ol type="1"><li><p> + Start the LDAP server by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +Starting ldap-server done +</pre><p> + </p></li><li><p> + Change to the <code class="filename">/opt/IDEALX/sbin</code> directory. + </p></li><li><p> + Execute the script that will populate the LDAP database as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0 +</pre><p> + The expected output from this is: +</p><pre class="screen"> +Using workgroup name from smb.conf: sambaDomainName=MEGANET2 +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +=> Warning: you must update smbldap.conf configuration file to : +=> sambaUnixIdPooldn parameter must be set + to "sambaDomainName=MEGANET2,dc=abmas,dc=biz" +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Using builtin directory structure +adding new entry: dc=abmas,dc=biz +adding new entry: ou=People,dc=abmas,dc=biz +adding new entry: ou=Groups,dc=abmas,dc=biz +entry ou=People,dc=abmas,dc=biz already exist. +adding new entry: ou=Idmap,dc=abmas,dc=biz +adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz +adding new entry: uid=root,ou=People,dc=abmas,dc=biz +adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz +adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz +</pre><p> + </p></li><li><p> + Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following + information is changed from: +</p><pre class="screen"> +# Where to store next uidNumber and gidNumber available +sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" +</pre><p> + to read, after modification: +</p><pre class="screen"> +# Where to store next uidNumber and gidNumber available +#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" +sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" +</pre><p> + </p></li><li><p> + It is necessary to restart the LDAP server as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap restart +Shutting down ldap-server done +Starting ldap-server done +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id349412"></a> + So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. + There are several ways you can check that your LDAP database is able to receive IDMAP information. One of + the simplest is to execute: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat | grep -i idmap +dn: ou=Idmap,dc=abmas,dc=biz +ou: idmap +</pre><p> + <a class="indexterm" name="id349433"></a> + If the execution of this command does not return IDMAP entries, you need to create an LDIF + template file (see <a href="happy.html#sbehap-ldifadd" title="Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using + the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ + -w not24get < /etc/openldap/idmap.LDIF +</pre><p> + Samba automatically populates this LDAP directory container when it needs to. + </p></li><li><p> + <a class="indexterm" name="id349469"></a> + It looks like all has gone well, as expected. Let's confirm that this is the case + by running a few tests. First we check the contents of the database directly + by running <code class="literal">slapcat</code> as follows (the output has been cut down): +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: abmas +structuralObjectClass: organization +entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43 +creatorsName: cn=Manager,dc=abmas,dc=biz +createTimestamp: 20031217234200Z +entryCSN: 2003121723:42:00Z#0x0001#0#0000 +modifiersName: cn=Manager,dc=abmas,dc=biz +modifyTimestamp: 20031217234200Z +... +dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 553 +cn: Domain Computers +description: Netbios Domain Computers accounts +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 +sambaGroupType: 2 +displayName: Domain Computers +structuralObjectClass: posixGroup +entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43 +creatorsName: cn=Manager,dc=abmas,dc=biz +createTimestamp: 20031217234206Z +entryCSN: 2003121723:42:06Z#0x0002#0#0000 +modifiersName: cn=Manager,dc=abmas,dc=biz +modifyTimestamp: 20031217234206Z +</pre><p> + This looks good so far. + </p></li><li><p> + <a class="indexterm" name="id349517"></a> + The next step is to prove that the LDAP server is running and responds to a + search request. Execute the following as shown (output has been cut to save space): +</p><pre class="screen"> +<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" +# extended LDIF +# +# LDAPv3 +# base <dc=abmas,dc=biz> with scope sub +# filter: (ObjectClass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: abmas + +# People, abmas.biz +dn: ou=People,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: People +... +# Domain Computers, Groups, abmas.biz +dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 553 +cn: Domain Computers +description: Netbios Domain Computers accounts +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 +sambaGroupType: 2 +displayName: Domain Computers + +# search result +search: 2 +result: 0 Success + +# numResponses: 20 +# numEntries: 19 +</pre><p> + Good. It is all working just fine. + </p></li><li><p> + <a class="indexterm" name="id349558"></a> + You must now make certain that the NSS resolver can interrogate LDAP also. + Execute the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd | grep root +root:x:998:512:Netbios Domain Administrator:/home:/bin/false + +<code class="prompt">root# </code> getent group | grep Domain +Domain Admins:x:512:root +Domain Users:x:513: +Domain Guests:x:514: +Domain Computers:x:553: +</pre><p> + <a class="indexterm" name="id349585"></a> + This demonstrates that the <code class="literal">nss_ldap</code> library is functioning + as it should. If these two steps fail to produce this information, refer to + <a href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">???</a> for diagnostic procedures that can be followed to + isolate the cause of the problem. Proceed to the next step only when the previous steps + have been successfully completed. + </p></li><li><p> + <a class="indexterm" name="id349613"></a> + <a class="indexterm" name="id349620"></a> + <a class="indexterm" name="id349627"></a> + Our database is now ready for the addition of network users. For each user for + whom an account must be created, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> ./smbldap-useradd -m -a <code class="constant">username</code> +<code class="prompt">root# </code> ./smbldap-passwd <code class="constant">username</code> +Changing password for <code class="constant">username</code> +New password : XXXXXXXX +Retype new password : XXXXXXXX + +<code class="prompt">root# </code> smbpasswd <code class="constant">username</code> +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +</pre><p> + where <code class="constant">username</code> is the login ID for each user. + </p></li><li><p> + <a class="indexterm" name="id349684"></a> + Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the + following: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +... +root:x:0:512:Netbios Domain Administrator:/home:/bin/false +nobody:x:999:514:nobody:/dev/null:/bin/false +bobj:x:1000:513:System User:/home/bobj:/bin/bash +stans:x:1001:513:System User:/home/stans:/bin/bash +chrisr:x:1002:513:System User:/home/chrisr:/bin/bash +maryv:x:1003:513:System User:/home/maryv:/bin/bash +</pre><p> + This demonstrates that user account resolution via LDAP is working. + </p></li><li><p> + This step will determine whether or not identity resolution is working correctly. + Do not procede is this step fails, rather find the cause of the failure. The + <code class="literal">id</code> command may be used to validate your configuration so far, + as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> id chrisr +uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) +</pre><p> + This confirms that the UNIX (POSIX) user account information can be resolved from LDAP + by system tools that make a getentpw() system call. + </p></li><li><p> + <a class="indexterm" name="id349745"></a> + The root account must have UID=0; if not, this means that operations conducted from + a Windows client using tools such as the Domain User Manager fails under UNIX because + the management of user and group accounts requires that the UID=0. Additionally, it is + a good idea to make certain that no matter how root account credentials are resolved, + the home directory and shell are valid. You decide to effect this immediately + as demonstrated here: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /opt/IDEALX/sbin +<code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root +</pre><p> + </p></li><li><p> + Verify that the changes just made to the <code class="constant">root</code> account were + accepted by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd | grep root +root:x:0:0:root:/root:/bin/bash +root:x:0:512:Netbios Domain Administrator:/root:/bin/bash +</pre><p> + This demonstrates that the changes were accepted. + </p></li><li><p> + Make certain that a home directory has been created for every user by listing the + directories in <code class="filename">/home</code> as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /home +drwxr-xr-x 8 root root 176 Dec 17 18:50 ./ +drwxr-xr-x 21 root root 560 Dec 15 22:19 ../ +drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/ +drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/ +drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/ +drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/ +</pre><p> + This is precisely what we want to see. + </p></li><li><p> + <a class="indexterm" name="id349832"></a> + <a class="indexterm" name="id349839"></a> + The final validation step involves making certain that Samba-3 can obtain the user + accounts from the LDAP ldapsam passwd backend. Execute the following command as shown: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lv chrisr +Unix username: chrisr +NT username: chrisr +Account Flags: [U ] +User SID: S-1-5-21-3504140859-1010554828-2431957765-3004 +Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513 +Full Name: System User +Home Directory: \\MASSIVE\homes +HomeDir Drive: H: +Logon Script: scripts\login.cmd +Profile Path: \\MASSIVE\profiles\chrisr +Domain: MEGANET2 +Account desc: System User +Workstations: +Munged dial: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT +Password last set: Wed, 17 Dec 2003 17:17:40 GMT +Password can change: Wed, 17 Dec 2003 17:17:40 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +</pre><p> + This looks good. Of course, you fully expected that it would all work, didn't you? + </p></li><li><p> + <a class="indexterm" name="id349882"></a> + Now you add the group accounts that are used on the Abmas network. Execute + the following exactly as shown: +</p><pre class="screen"> +<code class="prompt">root# </code> ./smbldap-groupadd -a Accounts +<code class="prompt">root# </code> ./smbldap-groupadd -a Finances +<code class="prompt">root# </code> ./smbldap-groupadd -a PIOps +</pre><p> + The addition of groups does not involve keyboard interaction, so the lack of console + output is of no concern. + </p></li><li><p> + <a class="indexterm" name="id349921"></a> + You really do want to confirm that UNIX group resolution from LDAP is functioning + as it should. Let's do this as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +... +Domain Admins:x:512:root +Domain Users:x:513:bobj,stans,chrisr,maryv +Domain Guests:x:514: +... +Accounts:x:1000: +Finances:x:1001: +PIOps:x:1002: +</pre><p> + The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well + as our own site-specific group accounts, are correctly listed. This is looking good. + </p></li><li><p> + <a class="indexterm" name="id349950"></a> + The final step we need to validate is that Samba can see all the Windows domain groups + and that they are correctly mapped to the respective UNIX group account. To do this, + just execute the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins +Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users +Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests +... +Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts +Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances +PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps +</pre><p> + This is looking good. Congratulations it works! Note that in the above output + the lines were shortened by replacing the middle value (1010554828) of the SID with the + ellipsis (...). + </p></li><li><p> + The server you have so carefully built is now ready for another important step. You + start the Samba-3 server and validate its operation. Execute the following to render all + the processes needed fully operative so that, on system reboot, they are automatically + started: +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig named on +<code class="prompt">root# </code> chkconfig dhcpd on +<code class="prompt">root# </code> chkconfig ldap on +<code class="prompt">root# </code> chkconfig nmb on +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig winbind on +<code class="prompt">root# </code> rcnmb start +<code class="prompt">root# </code> rcsmb start +<code class="prompt">root# </code> rcwinbind start +</pre><p> + </p></li><li><p> + The next step might seem a little odd at this point, but take note that you are about to + start <code class="literal">winbindd</code>, which must be able to authenticate to the PDC via the + localhost interface with the <code class="literal">smbd</code> process. This account can be + easily created by joining the PDC to the domain by executing the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -S MASSIVE -U root%not24get +</pre><p> + Note: Before executing this command on the PDC, both <code class="literal">nmbd</code> and + <code class="literal">smbd</code> must be started so that the <code class="literal">net</code> command + can communicate with <code class="literal">smbd</code>. The expected output is as follows: +</p><pre class="screen"> +Joined domain MEGANET2. +</pre><p> + This indicates that the domain security account for the PDC has been correctly created. + </p></li><li><p> + At this time it is necessary to restart <code class="literal">winbindd</code> so that it can + correctly authenticate to the PDC. The following command achieves that: +</p><pre class="screen"> +<code class="prompt">root# </code> rcwinbind restart +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id350147"></a> + You may now check Samba-3 operation as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L massive -U% + + Sharename Type Comment + --------- ---- ------- + IPC$ IPC IPC Service (Samba 3.0.20) + accounts Disk Accounting Files + service Disk Financial Services Files + pidata Disk Property Insurance Files + apps Disk Application Files + netlogon Disk Network Logon Service + profiles Disk Profile Share + profdata Disk Profile Data Share + ADMIN$ IPC IPC Service (Samba 3.0.20) + + Server Comment + --------- ------- + MASSIVE Samba 3.0.20 + + Workgroup Master + --------- ------- + MEGANET2 MASSIVE +</pre><p> + This shows that an anonymous connection is working. + </p></li><li><p> + For your finale, let's try an authenticated connection: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8 +smb: \> dir + . D 0 Wed Dec 17 01:16:19 2003 + .. D 0 Wed Dec 17 19:04:42 2003 + bin D 0 Tue Sep 2 04:00:57 2003 + Documents D 0 Sun Nov 30 07:28:20 2003 + public_html D 0 Sun Nov 30 07:28:20 2003 + .urlview H 311 Fri Jul 7 06:55:35 2000 + .dvipsrc H 208 Fri Nov 17 11:22:02 1995 + + 57681 blocks of size 524288. 57128 blocks available +smb: \> q +</pre><p> + Well done. All is working fine. + </p></li></ol></div><p> + The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p> + <a class="indexterm" name="id350224"></a> + The configuration for Samba-3 to enable CUPS raw-print-through printing has already been + taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code> + printing to be possible involves creation of the directories in which Samba-3 stores + Windows printing driver files. + </p><div class="procedure"><a name="id350244"></a><p class="title"><b>Procedure 5.9. Printer Configuration Steps</b></p><ol type="1"><li><p> + Configure all network-attached printers to have a fixed IP address. + </p></li><li><p> + Create an entry in the DNS database on the server <code class="constant">MASSIVE</code> + in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code> + and in the reverse lookup database for the network segment that the printer is to + be located in. Example configuration files for similar zones were presented in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>, + <a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a> and in <a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a>. + </p></li><li><p> + Follow the instructions in the printer manufacturers' manuals to permit printing + to port 9100. Use any other port the manufacturer specifies for direct mode, + raw printing. This allows the CUPS spooler to print using raw mode protocols. + <a class="indexterm" name="id350298"></a> + <a class="indexterm" name="id350305"></a> + </p></li><li><p> + <a class="indexterm" name="id350318"></a> + <a class="indexterm" name="id350325"></a> + Only on the server to which the printer is attached, configure the CUPS Print + Queues as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em> + -v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E +</pre><p> + <a class="indexterm" name="id350359"></a> + This step creates the necessary print queue to use no assigned print filter. This + is ideal for raw printing, that is, printing without use of filters. + The name <em class="parameter"><code>printque</code></em> is the name you have assigned for + the particular printer. + </p></li><li><p> + Print queues may not be enabled at creation. Make certain that the queues + you have just created are enabled by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em> +</pre><p> + </p></li><li><p> + Even though your print queue may be enabled, it is still possible that it + may not accept print jobs. A print queue will service incoming printing + requests only when configured to do so. Ensure that your print queue is + set to accept incoming jobs by executing the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em> +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id350433"></a> + <a class="indexterm" name="id350440"></a> + <a class="indexterm" name="id350447"></a> + Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id350473"></a> + Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream +</pre><p> + </p></li><li><p> + Refer to the CUPS printing manual for instructions regarding how to configure + CUPS so that print queues that reside on CUPS servers on remote networks + route print jobs to the print server that owns that queue. The default setting + on your CUPS server may automatically discover remotely installed printers and + may permit this functionality without requiring specific configuration. + </p></li><li><p> + The following action creates the necessary directory subsystem. Follow these + steps to printing heaven: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40} +<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers +<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers +</pre><p> + </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id350549"></a><p class="title"><b>Procedure 5.10. Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol type="1"><li><p> + Install the files in <a href="happy.html#sbehap-bldg1-smbconf" title="Example 5.8. LDAP Based smb.conf File, Server: BLDG1">???</a>, + <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> + into the <code class="filename">/etc/samba/</code> directory. The three files + should be added together to form the <code class="filename">smb.conf</code> file. + </p></li><li><p> + Verify the <code class="filename">smb.conf</code> file as in step 2 of <a href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">???</a>. + </p></li><li><p> + Carefully follow the steps outlined in <a href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">???</a>, taking + particular note to install the correct <code class="filename">ldap.conf</code>. + </p></li><li><p> + Verify that the NSS resolver is working. You may need to cycle the run level + to 1 and back to 5 before the NSS LDAP resolver functions. Follow these + commands: +</p><pre class="screen"> +<code class="prompt">root# </code> init 1 +</pre><p> + After the run level has been achieved, you are prompted to provide the + <code class="constant">root</code> password. Log on, and then execute: +</p><pre class="screen"> +<code class="prompt">root# </code> init 5 +</pre><p> + When the normal logon prompt appears, log into the system as <code class="constant">root</code> + and then execute these commands: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +daemon:x:2:2:Daemon:/sbin:/bin/bash +lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash +mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false +... +root:x:0:512:Netbios Domain Administrator:/root:/bin/bash +nobody:x:999:514:nobody:/dev/null:/bin/false +bobj:x:1000:513:System User:/home/bobj:/bin/bash +stans:x:1001:513:System User:/home/stans:/bin/bash +chrisr:x:1002:513:System User:/home/chrisr:/bin/bash +maryv:x:1003:513:System User:/home/maryv:/bin/bash +vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false +bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false +</pre><p> + This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem. + </p></li><li><p> + <a class="indexterm" name="id350695"></a> + The next step in the verification process involves testing the operation of UNIX group + resolution via the NSS LDAP resolver. Execute these commands: +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +root:x:0: +bin:x:1:daemon +daemon:x:2: +sys:x:3: +... +Domain Admins:x:512:root +Domain Users:x:513:bobj,stans,chrisr,maryv,jht +Domain Guests:x:514: +Administrators:x:544: +Users:x:545: +Guests:x:546:nobody +Power Users:x:547: +Account Operators:x:548: +Server Operators:x:549: +Print Operators:x:550: +Backup Operators:x:551: +Replicator:x:552: +Domain Computers:x:553: +Accounts:x:1000: +Finances:x:1001: +PIOps:x:1002: +</pre><p> + This is also the correct and desired output, because it demonstrates that the LDAP client + is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>). + </p></li><li><p> + <a class="indexterm" name="id350730"></a> + You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code> + file by executing this command: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb +</pre><p> + </p></li><li><p> + Now you must obtain the domain SID from the PDC and store it into the + <code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP + passdb backend because Samba-3 obtains the domain SID from the + sambaDomain object it automatically stores in the LDAP backend. It does not hurt to + add the SID to the <code class="filename">secrets.tdb</code>, and if you wish to do so, this + command can achieve that: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc getsid MEGANET2 +Storing SID S-1-5-21-3504140859-1010554828-2431957765 \ + for Domain MEGANET2 in secrets.tdb +</pre><p> + When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take + any special action to join it to the domain. However, winbind communicates with the + domain controller that is running on the localhost and must be able to authenticate, + thus requiring that the BDC should be joined to the domain. The process of joining + the domain creates the necessary authentication accounts. + </p></li><li><p> + To join the Samba BDC to the domain, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -U root%not24get +Joined domain MEGANET2. +</pre><p> + This indicates that the domain security account for the BDC has been correctly created. + </p></li><li><p> + <a class="indexterm" name="id350819"></a> + Verify that user and group account resolution works via Samba-3 tools as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -L +root:0:root +nobody:65534:nobody +bobj:1000:System User +stans:1001:System User +chrisr:1002:System User +maryv:1003:System User +bldg1$:1006:bldg1$ + +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> + Domain Admins +Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users +Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> + Domain Guests +Administrators (S-1-5-21-3504140859-...-2431957765-544) -> + Administrators +... +Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts +Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances +PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps +</pre><p> + These results show that all things are in order. + </p></li><li><p> + The server you have so carefully built is now ready for another important step. Now + start the Samba-3 server and validate its operation. Execute the following to render all + the processes needed fully operative so that, upon system reboot, they are automatically + started: +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig named on +<code class="prompt">root# </code> chkconfig dhcpd on +<code class="prompt">root# </code> chkconfig nmb on +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig winbind on +<code class="prompt">root# </code> rcnmb start +<code class="prompt">root# </code> rcsmb start +<code class="prompt">root# </code> rcwinbind start +</pre><p> + Samba-3 should now be running and is ready for a quick test. But not quite yet! + </p></li><li><p> + Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users. + To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code> + file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported + from the <code class="constant">MASSIVE</code> server. Mount this resource before proceeding. An alternate + approach could be to create local home directories for users who are to use these machines. + This is a choice that you, as system administrator, must make. The following entry in the + <code class="filename">/etc/fstab</code> file suffices for now: +</p><pre class="screen"> +massive.abmas.biz:/home /home nfs rw 0 0 +</pre><p> + To mount this resource, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> mount -a +</pre><p> + Verify that the home directory has been mounted as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> df | grep home +massive:/home 29532988 283388 29249600 1% /home +</pre><p> + </p></li><li><p> + Implement a quick check using one of the users that is in the LDAP database. Here you go: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8 +smb: \> dir + . D 0 Wed Dec 17 01:16:19 2003 + .. D 0 Wed Dec 17 19:04:42 2003 + bin D 0 Tue Sep 2 04:00:57 2003 + Documents D 0 Sun Nov 30 07:28:20 2003 + public_html D 0 Sun Nov 30 07:28:20 2003 + .urlview H 311 Fri Jul 7 06:55:35 2000 + .dvipsrc H 208 Fri Nov 17 11:22:02 1995 + + 57681 blocks of size 524288. 57128 blocks available +smb: \> q +</pre><p> + </p></li></ol></div><p> + Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build + and configure the second BDC server (<code class="constant">BLDG2</code>) as follows: + </p><div class="procedure"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure 5.11. Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol type="1"><li><p> + Install the files in <a href="happy.html#sbehap-bldg2-smbconf" title="Example 5.9. LDAP Based smb.conf File, Server: BLDG2">???</a>, + <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> + into the <code class="filename">/etc/samba/</code> directory. The three files + should be added together to form the <code class="filename">smb.conf</code> file. + </p></li><li><p> + Follow carefully the steps shown in <a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>, starting at step 2. + </p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example 5.8. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id351124"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id351137"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id351149"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id351162"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id351175"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351187"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id351200"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id351212"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id351225"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id351238"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id351250"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id351263"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id351275"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id351288"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id351301"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id351313"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id351326"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id351338"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351351"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id351364"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id351376"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id351389"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id351402"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id351414"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id351427"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id351440"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id351452"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id351465"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id351478"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id351490"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id351503"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example 5.9. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id351549"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id351562"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id351574"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id351587"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id351599"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351612"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id351625"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id351637"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id351650"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id351662"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id351675"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id351687"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id351700"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id351713"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id351725"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id351738"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id351751"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id351763"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351776"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id351788"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id351801"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id351814"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id351826"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id351839"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id351852"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id351864"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id351877"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id351890"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id351902"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id351915"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id351927"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example 5.10. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id351973"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id351986"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id351998"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id352020"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id352032"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id352045"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id352066"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id352079"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id352092"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id352113"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id352126"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id352138"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id352151"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id352172"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id352185"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id352197"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id352210"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id352222"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example 5.11. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id352268"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id352281"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id352293"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id352306"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id352327"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id352340"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id352352"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id352365"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id352386"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id352399"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id352412"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id352424"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id352446"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id352458"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id352471"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id352484"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id352505"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id352518"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id352530"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352543"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id352555"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352568"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen"> +dn: ou=Idmap,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: idmap +structuralObjectClass: organizationalUnit +</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352602"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p> + My father would say, “<span class="quote">Dinner is not over until the dishes have been done.</span>” + The makings of a great network environment take a lot of effort and attention to detail. + So far, you have completed most of the complex (and to many administrators, the interesting + part of server configuration) steps, but remember to tie it all together. Here are + a few more steps that must be completed so that your network runs like a well-rehearsed + orchestra. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id352618"></a>Configuring Directory Share Point Roots</h3></div></div></div><p> + In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em> + parameter. Even though it is obvious to all, one of the common Samba networking problems is + caused by forgetting to verify that every such share root directory actually exists and that it + has the necessary permissions and ownership. + </p><p> + Here is an example, but remember to create the directory needed for every share: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,piops} +<code class="prompt">root# </code> mkdir -p /apps +<code class="prompt">root# </code> chown -R root:root /data +<code class="prompt">root# </code> chown -R root:root /apps +<code class="prompt">root# </code> chown -R bobj:Accounts /data/accounts +<code class="prompt">root# </code> chown -R bobj:Finances /data/finsvcs +<code class="prompt">root# </code> chown -R bobj:PIOps /data/piops +<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data +<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id352707"></a>Configuring Profile Directories</h3></div></div></div><p> + You made a conscious decision to do everything it would take to improve network client + performance. One of your decisions was to implement folder redirection. This means that Windows + user desktop profiles are now made up of two components: a dynamically loaded part and a set of file + network folders. + </p><p> + For this arrangement to work, every user needs a directory structure for the network folder + portion of his or her profile as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/profdata +<code class="prompt">root# </code> chown root:root /var/lib/samba/profdata +<code class="prompt">root# </code> chmod 755 /var/lib/samba/profdata + +# Per user structure +<code class="prompt">root# </code> cd /var/lib/samba/profdata +<code class="prompt">root# </code> mkdir -p <span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> for i in InternetFiles Cookies History AppData \ + LocalSettings MyPictures MyDocuments Recent +<code class="prompt">root# </code> do +<code class="prompt">root# </code> mkdir <span class="emphasis"><em>username</em></span>/$i +<code class="prompt">root# </code> done +<code class="prompt">root# </code> chown -R <span class="emphasis"><em>username</em></span>:Domain\ Users <span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span> +</pre><p> + </p><p> + <a class="indexterm" name="id352816"></a> + <a class="indexterm" name="id352823"></a> + You have three options insofar as the dynamically loaded portion of the roaming profile + is concerned: + </p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p> + Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory + profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>, + that is, just by changing the filename extension. + </p><p> + <a class="indexterm" name="id352869"></a> + <a class="indexterm" name="id352876"></a> + The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend. + You can manage this using the Idealx smbldap-tools or using the + <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>. + </p><p> + It may not be obvious that you must ensure that the root directory for the user's profile exists + and has the needed permissions. Use the following commands to create this directory: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> chown <span class="emphasis"><em>username</em></span>:Domain\ Users + /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id352935"></a>Preparation of Logon Scripts</h3></div></div></div><p> + <a class="indexterm" name="id352943"></a> + The use of a logon script with Windows XP Professional is an option that every site should consider. + Unless you have locked down the desktop so the user cannot change anything, there is risk that + a vital network drive setting may be broken or that printer connections may be lost. Logon scripts + can help to restore persistent network folder (drive) and printer connections in a predictable + manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook) + user attaches to another company's network that forces environment changes that are alien to your + network. + </p><p> + If you decide to use network logon scripts, by reference to the <code class="filename">smb.conf</code> files for the domain + controllers, you see that the path to the share point for the <code class="constant">NETLOGON</code> + share defined is <code class="filename">/var/lib/samba/netlogon</code>. The path defined for the logon + script inside that share is <code class="filename">scripts\logon.bat</code>. This means that as a Windows + NT/200x/XP client logs onto the network, it tries to obtain the file <code class="filename">logon.bat</code> + from the fully qualified path <code class="filename">/var/lib/samba/netlogon/scripts</code>. This fully + qualified path should therefore exist whether you install the <code class="filename">logon.bat</code>. + </p><p> + You can, of course, create the fully qualified path by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/netlogon/scripts +</pre><p> + </p><p> + You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24, + Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon + facilities in use today is called <a href="http://www.kixtart.org" target="_top">KiXtart</a>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id353033"></a>Assigning User Rights and Privileges</h3></div></div></div><p> + The ability to perform tasks such as joining Windows clients to the domain can be assigned to + normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX + systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant + this privilege in a very limited fashion to particular accounts. + </p><p> + By default, even Samba-3.0.11 does not grant any rights even to the <code class="constant">Domain Admins</code> + group. Here we grant this group all privileges. + </p><p> + Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who + are granted rights can be restricted to particular machines. It is left to the network administrator + to determine which rights should be provided and to whom. + </p><div class="procedure"><a name="id353062"></a><p class="title"><b>Procedure 5.12. Steps for Assignment of User Rights and Privileges</b></p><ol type="1"><li><p> + Log onto the PDC as the <code class="constant">root</code> account. + </p></li><li><p> + Execute the following command to grant the <code class="constant">Domain Admins</code> group all + rights and privileges: +</p><pre class="screen"> +<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \ + "MEGANET2\Domain Admins" SeMachineAccountPrivilege \ + SePrintOperatorPrivilege SeAddUsersPrivilege \ + SeDiskOperatorPrivilege SeRemoteShutdownPrivilege +Successfully granted rights. +</pre><p> + Repeat this step on each domain controller, in each case substituting the name of the server + (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE. + </p></li><li><p> + In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations + to the domain. Execute the following only on the PDC. It is not necessary to do this on + BDCs or on DMS machines because machine accounts are only ever added by the PDC: +</p><pre class="screen"> +<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \ + "MEGANET2\bobj" SeMachineAccountPrivilege +Successfully granted rights. +</pre><p> + </p></li><li><p> + Verify that privilege assignments have been correctly applied by executing: +</p><pre class="screen"> +net rpc rights list accounts -Uroot%not24get +MEGANET2\bobj +SeMachineAccountPrivilege + +S-0-0 +No privileges assigned + +BUILTIN\Print Operators +No privileges assigned + +BUILTIN\Account Operators +No privileges assigned + +BUILTIN\Backup Operators +No privileges assigned + +BUILTIN\Server Operators +No privileges assigned + +BUILTIN\Administrators +No privileges assigned + +Everyone +No privileges assigned + +MEGANET2\Domain Admins +SeMachineAccountPrivilege +SePrintOperatorPrivilege +SeAddUsersPrivilege +SeRemoteShutdownPrivilege +SeDiskOperatorPrivilege +</pre><p> + </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id353147"></a>Windows Client Configuration</h2></div></div></div><p> + <a class="indexterm" name="id353154"></a> + In the next few sections, you can configure a new Windows XP Professional disk image on a staging + machine. You will configure all software, printer settings, profile and policy handling, and desktop + default profile settings on this system. When it is complete, you copy the contents of the + <code class="filename">C:\Documents and Settings\Default User</code> directory to a directory with the same + name in the <code class="constant">NETLOGON</code> share on the domain controllers. + </p><p> + Much can be learned from the Microsoft Support site regarding how best to set up shared profiles. + One knowledge-base article in particular stands out: + "<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a + Base Profile for All Users."</a> + + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p> + <a class="indexterm" name="id353198"></a> + Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>. + It is necessary to expose folders that are generally hidden to provide access to the + <code class="constant">Default User</code> folder. + </p><div class="procedure"><a name="id353215"></a><p class="title"><b>Procedure 5.13. Expose Hidden Folders</b></p><ol type="1"><li><p> + Launch the Windows Explorer by clicking + <span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>. + Select <span class="guilabel">Show hidden files and folders</span>, + and click <span class="guibutton">OK</span>. Exit Windows Explorer. + </p></li><li><p> + <a class="indexterm" name="id353279"></a> + Launch the Registry Editor. Click + <span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click + <span class="guibutton">OK</span>. + </p></li></ol></div><p> + </p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure 5.14. Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p> + <a class="indexterm" name="id353336"></a> + <a class="indexterm" name="id353342"></a> + Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel. + Click <span class="guimenu">File</span> → <span class="guimenuitem">Load Hive...</span> → <span class="guimenuitem">Documents and Settings</span> → <span class="guimenuitem">Default User</span> → <span class="guimenuitem">NTUSER</span> → <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name + <code class="constant">Default</code> and click <span class="guibutton">OK</span>. + </p></li><li><p> + Browse inside the newly loaded Default folder to: +</p><pre class="screen"> +HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ + CurrentVersion\Explorer\User Shell Folders\ +</pre><p> + The right panel reveals the contents as shown in <a href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">???</a>. + </p></li><li><p> + <a class="indexterm" name="id353431"></a> + <a class="indexterm" name="id353438"></a> + You edit hive keys. Acceptable values to replace the + <code class="constant">%USERPROFILE%</code> variable includes: + + </p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as + <code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p> + </p></li><li><p> + <a class="indexterm" name="id353482"></a> + Set the registry keys as shown in <a href="happy.html#proffold" title="Table 5.4. Default Profile Redirections">???</a>. Your implementation makes the assumption + that users have statically located machines. Notebook computers (mobile users) need to be + accommodated using local profiles. This is not an uncommon assumption. + </p></li><li><p> + Click back to the root of the loaded hive <code class="constant">Default</code>. + Click <span class="guimenu">File</span> → <span class="guimenuitem">Unload Hive...</span> → <span class="guimenuitem">Yes</span>. + </p></li><li><p> + <a class="indexterm" name="id353534"></a> + Click <span class="guimenu">File</span> → <span class="guimenuitem">Exit</span>. This exits the + Registry Editor. + </p></li><li><p> + Now follow the procedure given in <a href="happy.html#sbehap-locgrppol" title="The Local Group Policy">???</a>. Make sure that each folder you + have redirected is in the exclusion list. + </p></li><li><p> + You are now ready to copy<sup>[<a name="id353576" href="#ftn.id353576">11</a>]</sup> + the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer, + and use it to copy the full contents of the directory <code class="filename">Default User</code> that + is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the + <code class="constant">NETLOGON</code> share. If the <code class="constant">NETLOGON</code> share has the defined + UNIX path of <code class="filename">/var/lib/samba/netlogon</code>, when the copy is complete there must + be a directory in there called <code class="filename">Default User</code>. + </p></li></ol></div><p> + Before punching out new desktop images for the client workstations, it is perhaps a good idea that + desktop behavior should be returned to the original Microsoft settings. The following steps achieve + that ojective: + </p><div class="procedure"><a name="id353635"></a><p class="title"><b>Procedure 5.15. Reset Folder Display to Original Behavior</b></p><ul><li><p> + To launch the Windows Explorer, click + <span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>. + Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>. + Exit Windows Explorer. + </p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure 5.3. Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table 5.4. Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id353863"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p> + <a class="indexterm" name="id353871"></a> + <a class="indexterm" name="id353880"></a> + Microsoft Outlook can store a Personal Storage file, generally known as a PST file. + It is the nature of email storage that this file grows, at times quite rapidly. + So that users' email is available to them at every workstation they may log onto, + it is common practice in well-controlled sites to redirect the PST folder to the + users' home directory. Follow these steps for each user who wishes to do this. + </p><p> + To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave + slightly differently), follow these steps: + </p><div class="procedure"><a name="id353898"></a><p class="title"><b>Procedure 5.16. Outlook PST File Relocation</b></p><ol type="1"><li><p> + Close Outlook if it is open. + </p></li><li><p> + From the <span class="guimenu">Control Panel</span>, launch the Mail icon. + </p></li><li><p> + Click <span class="guimenu">Email Accounts.</span> + </p></li><li><p> + Make a note of the location of the PST file(s). From this location, move + the files to the desired new target location. The most desired new target location + may well be the users' home directory. + </p></li><li><p> + Add a new data file, selecting the PST file in the new desired target location. + Give this entry (not the filename) a new name such as “<span class="quote">Personal Mail Folders.</span>” + </p><p> + Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems + following these instructions. Feedback from users suggests that where IMAP is used the PST + file is used to store rules and filters. When the PST store is relocated it appears to break + MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is + used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that + this warning can be removed or modified. + </p></li><li><p> + Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>. + </p></li><li><p> + Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span> + </p></li><li><p> + Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new + target location. + </p></li><li><p> + Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry. + </p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id354037"></a> + You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise + the user may be not be able to retrieve contacts when addressing a new email message. + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id354050"></a> + Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook + Express storage files can not be redirected to network shares. The options panel will not permit + this, but they can be moved to folders outside of the user's profile. They can also be excluded + from folder synchronization as part of the roaming profile. + </p><p> + While it is possible to redirect the data stores for Outlook Express data stores by editing the + registry, experience has shown that data corruption and loss of email messages will result. + </p><p> + <a class="indexterm" name="id354068"></a> + <a class="indexterm" name="id354075"></a> + In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with + roaming profiles this can result in excruciatingly long login and logout behavior will files are + synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming + profiles are used. + </p></div><p> + <a class="indexterm" name="id354088"></a> + Microsoft does not support storing PST files on network shares, although the practice does appear + to be rather popular. Anyone who does relocation the PST file to a network resource should refer + the Microsoft <a href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better + understand the issues. + </p><p> + <a class="indexterm" name="id354106"></a> + Apart from manually moving PST files to a network share, it is possible to set the default PST + location for new accounts by following the instructions at the WindowsITPro <a href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site. + </p><p> + <a class="indexterm" name="id354124"></a> + User feedback suggests that disabling of oplocks on PST files will significantly improve + network performance by reducing locking overheads. One way this can be done is to add to the + <code class="filename">smb.conf</code> file stanza for the share the PST file the following: +</p><pre class="screen"> +veto oplock files = /*.pdf/*.PST/ +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id354146"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p> + Configure the Windows XP Professional client to auto-delete roaming profiles on logout: + </p><p> + <a class="indexterm" name="id354159"></a> + Click + <span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>. + </p><p> + Follow these steps to set the default behavior of the staging machine so that all roaming + profiles are deleted as network users log out of the system. Click + <span class="guimenu">File</span> → <span class="guimenuitem">Add/Remove Snap-in</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Group Policy</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Finish</span> → <span class="guimenuitem">Close</span> → <span class="guimenuitem">OK</span>. + </p><p> + <a class="indexterm" name="id354252"></a> + The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span> + utility that enables you to set the policies needed. In the left panel, click + <span class="guimenuitem">Local Computer Policy</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each + item as shown: + </p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p> + Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies + made of this system to deploy the new standard desktop system. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id354318"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p> + <a class="indexterm" name="id354326"></a> + Users want to be able to use network printers. You have a vested interest in making + it easy for them to print. You have chosen to install the printer drivers onto the Samba + servers and to enable point-and-click (drag-and-drop) printing. This process results in + Samba being able to automatically provide the Windows client with the driver necessary to + print to the printer chosen. The following procedure must be followed for every network + printer: + </p><div class="procedure"><a name="id354340"></a><p class="title"><b>Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers</b></p><ol type="1"><li><p> + Join your Windows XP Professional workstation (the staging machine) to the + <code class="constant">MEGANET2</code> domain. If you are not sure of the procedure, + follow the guidance given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. + </p></li><li><p> + After the machine has rebooted, log onto the workstation as the domain + <code class="constant">root</code> (this is the Administrator account for the + operating system that is the host platform for this implementation of Samba. + </p></li><li><p> + Launch MS Windows Explorer. Navigate in the left panel. Click + <span class="guimenu">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">Microsoft Windows Network</span> → <span class="guimenuitem">Meganet2</span> → <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span> + <span class="guimenu">Printers and Faxes</span>. + </p></li><li><p> + Identify a printer that is shown in the right panel. Let us assume the printer is called + <code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon + and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates + that “<span class="quote">The printer driver is not installed on this computer. Some printer properties + will not be accessible unless you install the printer driver. Do you want to install the + driver now?</span>” It is important at this point you answer <span class="guimenu">No</span>. + </p></li><li><p> + The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server + <code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab. + Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span> + button that is next to the <span class="guimenu">Driver</span> box. This launches the “<span class="quote">Add Printer Wizard</span>”. + </p></li><li><p> + <a class="indexterm" name="id354519"></a> + <a class="indexterm" name="id354528"></a> + The “<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>” panel + is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the + printer manufacturer. In your case, you are adding a driver for a printer manufactured by + Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click + <span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A + progress bar appears and instructs you as each file is being uploaded and that it is being + directed at the network server <code class="constant">\\massive\ps01-color</code>. + </p></li><li><p> + <a class="indexterm" name="id354573"></a> + <a class="indexterm" name="id354582"></a> + <a class="indexterm" name="id354591"></a> + <a class="indexterm" name="id354600"></a> + <a class="indexterm" name="id354610"></a> + <a class="indexterm" name="id354619"></a> + The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, + you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel. + You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under + the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to + load additional printer drivers; there is also a check-box in this tab called “<span class="quote">List in the + directory</span>”. When this box is checked, the printer will be published in Active Directory + (Applicable to Active Directory use only.) + </p></li><li><p> + <a class="indexterm" name="id354669"></a> + Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server. + You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor. + Right-click on the printer, click <span class="guimenu">Properties</span> → <span class="guimenuitem">Device Settings</span>. Now change the settings to suit + your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if + you need to reverse the changes back to their original settings. + </p></li><li><p> + This is necessary so that the printer settings are initialized in the Samba printers + database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed + just to initialize the Samba printers database entry for this printer. If you need to revert a setting, + click <span class="guimenu">Apply</span> again. + </p></li><li><p> + <a class="indexterm" name="id354737"></a> + Verify that all printer settings are at the desired configuration. When you are satisfied that they are, + click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button. + A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span> + in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on + massive Properties</span> panel. + </p></li><li><p> + You must repeat this process for all network printers (i.e., for every printer on each server). + When you have finished uploading drivers to all printers, close all applications. The next task + is to install software your users require to do their work. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id354787"></a>Software Installation</h3></div></div></div><p> + Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is + a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. + Notebooks require special handling that is beyond the scope of this chapter. + </p><p> + For desktop systems, the installation of software onto administratively centralized application servers + make a lot of sense. This means that you can manage software maintenance from a central + perspective and that only minimal application stubware needs to be installed onto the desktop + systems. You should proceed with software installation and default configuration as far as is humanly + possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect + of software operations and configuration. + </p><p> + When you believe that the overall configuration is complete, be sure to create a shared group profile + and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in + case a user may have specific needs you had not anticipated. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id354813"></a>Roll-out Image Creation</h3></div></div></div><p> + The final steps before preparing the distribution Norton Ghost image file you might follow are: + </p><div class="blockquote"><blockquote class="blockquote"><p> + Unjoin the domain Each workstation requires a unique name and must be independently + joined into domain membership. + </p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p> + Defragment the hard disk While not obvious to the uninitiated, defragmentation results + in better performance and often significantly reduces the size of the compressed disk image. That + also means it will take less time to deploy the image onto 500 workstations. + </p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id354843"></a>Key Points Learned</h2></div></div></div><p> + This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately + avoided any consideration of security. Security does not just happen; you must design it into your total + network. Security begins with a systems design and implementation that anticipates hostile behavior from + users both inside and outside the organization. Hostile and malicious intruders do not respect barriers; + they accept them as challenges. For that reason, if not simply from a desire to establish safe networking + practices, you must not deploy the design presented in this book in an environment where there is risk + of compromise. + </p><p> + <a class="indexterm" name="id354859"></a> + <a class="indexterm" name="id354868"></a> + As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be + configured to use secure protocols for all communications over the network. Of course, secure networking + does not result just from systems design and implementation but involves constant user education + training and, above all, disciplined attention to detail and constant searching for signs of unfriendly + or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources. + Jerry Carter's book <a href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top"> + <span class="emphasis"><em>LDAP System Administration</em></span></a> is a good place to start reading about OpenLDAP + as well as security considerations. + </p><p> + The substance of this chapter that has been deserving of particular attention includes: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Implementation of an OpenLDAP-based passwd backend, necessary to support distributed + domain control. + </p></li><li><p> + Implementation of Samba primary and secondary domain controllers with a common LDAP backend + for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and + pam_ldap tool-sets. + </p></li><li><p> + Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as + to manage Samba Windows user and group accounts. + </p></li><li><p> + The basics of implementation of Group Policy controls for Windows network clients. + </p></li><li><p> + Control over roaming profiles, with particular focus on folder redirection to network drives. + </p></li><li><p> + Use of the CUPS printing system together with Samba-based printer driver auto-download. + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id354931"></a>Questions and Answers</h2></div></div></div><p> + Well, here we are at the end of this chapter and we have only ten questions to help you to + remember so much. There are bound to be some sticky issues here. + </p><div class="qandaset"><dl><dt> <a href="happy.html#id354947"> + Why did you not cover secure practices? Isn't it rather irresponsible to instruct + network administrators to implement insecure solutions? + </a></dt><dt> <a href="happy.html#id354981"> + You have focused much on SUSE Linux and little on the market leader, Red Hat. Do + you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant + to the Linux I might be using? + </a></dt><dt> <a href="happy.html#id355025"> + You did not use SWAT to configure Samba. Is there something wrong with it? + </a></dt><dt> <a href="happy.html#id355060"> + You have exposed a well-used password not24get. Is that + not irresponsible? + </a></dt><dt> <a href="happy.html#id355082"> + The Idealx smbldap-tools create many domain group accounts that are not used. Is that + a good thing? + </a></dt><dt> <a href="happy.html#id355105"> + Can I use LDAP just for Samba accounts and not for UNIX system accounts? + </a></dt><dt> <a href="happy.html#id355125"> + Why are the Windows domain RID portions not the same as the UNIX UID? + </a></dt><dt> <a href="happy.html#id355157"> + Printer configuration examples all show printing to the HP port 9100. Does this + mean that I must have HP printers for these solutions to work? + </a></dt><dt> <a href="happy.html#id355182"> + Is folder redirection dangerous? I've heard that you can lose your data that way. + </a></dt><dt> <a href="happy.html#id355204"> + Is it really necessary to set a local Group Policy to exclude the redirected + folders from the roaming profile? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id354947"></a><a name="id354950"></a></td><td align="left" valign="top"><p> + Why did you not cover secure practices? Isn't it rather irresponsible to instruct + network administrators to implement insecure solutions? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Let's get this right. This is a book about Samba, not about OpenLDAP and secure + communication protocols for subjects other than Samba. Earlier on, you note, + that the dynamic DNS and DHCP solutions also used no protective secure communications + protocols. The reason for this is simple: There are so many ways of implementing + secure protocols that this book would have been even larger and more complex. + </p><p> + The solutions presented here all work (at least they did for me). Network administrators + have the interest and the need to be better trained and instructed in secure networking + practices and ought to implement safe systems. I made the decision, right or wrong, + to keep this material as simple as possible. The intent of this book is to demonstrate + a working solution and not to discuss too many peripheral issues. + </p><p> + This book makes little mention of backup techniques. Does that mean that I am recommending + that you should implement a network without provision for data recovery and for disaster + management? Back to our focus: The deployment of Samba has been clearly demonstrated. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id354981"></a><a name="id354983"></a></td><td align="left" valign="top"><p> + You have focused much on SUSE Linux and little on the market leader, Red Hat. Do + you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant + to the Linux I might be using? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications + for a standard Linux distribution. The differences are marginal. Surely you know + your Linux platform, and you do have access to administration manuals for it. This + book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on + the Samba part of the book; all the other bits are peripheral (but important) to + creation of a total network solution. + </p><p> + What I find interesting is the attention reviewers give to Linux installation and to + the look and feel of the desktop, but does that make for a great server? In this book, + I have paid particular attention to the details of creating a whole solution framework. + I have not tightened every nut and bolt, but I have touched on all the issues you + need to be familiar with. Over the years many people have approached me wanting to + know the details of exactly how to implement a DHCP and dynamic DNS server with Samba + and WINS. In this chapter, it is plain to see what needs to be configured to provide + transparent interoperability. Likewise for CUPS and Samba interoperation. These are + key stumbling areas for many people. + </p><p> + At every critical junction, I have provided comparative guidance for both SUSE and + Red Hat Linux. Both manufacturers have done a great job in furthering the cause + of open source software. I favor neither and respect both. I like particular + features of both products (companies also). No bias in presentation is intended. + Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355025"></a><a name="id355027"></a></td><td align="left" valign="top"><p> + You did not use SWAT to configure Samba. Is there something wrong with it? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented + in as direct a format as possible. Adding SWAT into the equation would have complicated + matters. I sought simplicity of implementation. The fact is that I did use SWAT to + create the files in the first place. + </p><p> + There are people in the Linux and open source community who feel that SWAT is dangerous + and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I + hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355060"></a><a name="id355062"></a></td><td align="left" valign="top"><p> + You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that + not irresponsible? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Well, I had to use a password of some sort. At least this one has been consistently + used throughout. I guess you can figure out that in a real deployment it would make + sense to use a more secure and original password. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355082"></a><a name="id355084"></a></td><td align="left" valign="top"><p> + The Idealx smbldap-tools create many domain group accounts that are not used. Is that + a good thing? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + I took this up with Idealx and found them most willing to change that in the next version. + Let's give Idealx some credit for the contribution they have made. I appreciate their work + and, besides, it does no harm to create accounts that are not now used at some time + Samba may well use them. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355105"></a><a name="id355107"></a></td><td align="left" valign="top"><p> + Can I use LDAP just for Samba accounts and not for UNIX system accounts? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) + group account for every Windows domain group account. But if you put your users into + the system password account, how do you plan to keep all domain controller system + password files in sync? I think that having everything in LDAP makes a lot of sense + for the UNIX administrator who is still learning the craft and is migrating from MS Windows. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355125"></a><a name="id355128"></a></td><td align="left" valign="top"><p> + Why are the Windows domain RID portions not the same as the UNIX UID? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. + This algorithm ought to ensure that there will be no clashes with well-known RIDs. + Well-known RIDs have special significance to MS Windows clients. The automatic + assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does + permit you to override that to some extent. See the <code class="filename">smb.conf</code> man page entry + for <em class="parameter"><code>algorithmic rid base</code></em>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355157"></a><a name="id355159"></a></td><td align="left" valign="top"><p> + Printer configuration examples all show printing to the HP port 9100. Does this + mean that I must have HP printers for these solutions to work? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + No. You can use any type of printer and must use the interfacing protocol supported + by the printer. Many networks use LPR/LPD print servers to which are attached + PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached + inkjet printer. Use the appropriate device URI (Universal Resource Interface) + argument to the <code class="constant">lpadmin -v</code> option that is right for your + printer. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355182"></a><a name="id355184"></a></td><td align="left" valign="top"><p> + Is folder redirection dangerous? I've heard that you can lose your data that way. + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The only loss of data I know of that involved folder redirection was caused by + manual misuse of the redirection tool. The administrator redirected a folder to + a network drive and said he wanted to migrate (move) the data over. Then he + changed his mind, so he moved the folder back to the roaming profile. This time, + he declined to move the data because he thought it was still in the local profile + folder. That was not the case, so by declining to move the data back, he wiped out + the data. You cannot hold the tool responsible for that. Caveat emptor still applies. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id355204"></a><a name="id355206"></a></td><td align="left" valign="top"><p> + Is it really necessary to set a local Group Policy to exclude the redirected + folders from the roaming profile? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes. If you do not do this, the data will still be copied from the network folder + (share) to the local cached copy of the profile. + </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id353576" href="#id353576">11</a>] </sup> + There is an alternate method by which a default user profile can be added to the + <code class="constant">NETLOGON</code> share. This facility in the Windows System tool + permits profiles to be exported. The export target may be a particular user or + group profile share point or else the <code class="constant">NETLOGON</code> share. + In this case, the profile directory must be named <code class="constant">Default User</code>. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The 500-User Office </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. A Distributed 2000-User Network</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png b/docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png Binary files differnew file mode 100644 index 0000000000..0471322d36 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png diff --git a/docs/htmldocs/Samba3-ByExample/images/Charity-Network.png b/docs/htmldocs/Samba3-ByExample/images/Charity-Network.png Binary files differnew file mode 100644 index 0000000000..52ccbef7c4 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/Charity-Network.png diff --git a/docs/htmldocs/Samba3-ByExample/images/HostAnnouncment.png b/docs/htmldocs/Samba3-ByExample/images/HostAnnouncment.png Binary files differnew file mode 100644 index 0000000000..56f9fb8576 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/HostAnnouncment.png diff --git a/docs/htmldocs/Samba3-ByExample/images/NullConnect.png b/docs/htmldocs/Samba3-ByExample/images/NullConnect.png Binary files differnew file mode 100644 index 0000000000..5320fc6db1 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/NullConnect.png diff --git a/docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png b/docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png Binary files differnew file mode 100644 index 0000000000..c29574b5a4 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png diff --git a/docs/htmldocs/Samba3-ByExample/images/UserConnect.png b/docs/htmldocs/Samba3-ByExample/images/UserConnect.png Binary files differnew file mode 100644 index 0000000000..0b9acce15e --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/UserConnect.png diff --git a/docs/htmldocs/Samba3-ByExample/images/UserMgrNT4.png b/docs/htmldocs/Samba3-ByExample/images/UserMgrNT4.png Binary files differnew file mode 100644 index 0000000000..516c75b4b1 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/UserMgrNT4.png diff --git a/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture.png b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture.png Binary files differnew file mode 100644 index 0000000000..3b6dc3ae56 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture.png diff --git a/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture2.png b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture2.png Binary files differnew file mode 100644 index 0000000000..b9b82c2287 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture2.png diff --git a/docs/htmldocs/Samba3-ByExample/images/WindowsXP-NullConnection.png b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-NullConnection.png Binary files differnew file mode 100644 index 0000000000..76d1ac2c9a --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-NullConnection.png diff --git a/docs/htmldocs/Samba3-ByExample/images/WindowsXP-UserConnection.png b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-UserConnection.png Binary files differnew file mode 100644 index 0000000000..d60fefc659 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-UserConnection.png diff --git a/docs/htmldocs/Samba3-ByExample/images/XP-screen001.png b/docs/htmldocs/Samba3-ByExample/images/XP-screen001.png Binary files differnew file mode 100644 index 0000000000..6f0fe58e78 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/XP-screen001.png diff --git a/docs/htmldocs/Samba3-ByExample/images/acct2net.png b/docs/htmldocs/Samba3-ByExample/images/acct2net.png Binary files differnew file mode 100644 index 0000000000..4a95e3ce97 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/acct2net.png diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png Binary files differnew file mode 100644 index 0000000000..5928cdfbbc --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png Binary files differnew file mode 100644 index 0000000000..d5f9d6d737 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png b/docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png Binary files differnew file mode 100644 index 0000000000..5cfb4f76d1 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png b/docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png Binary files differnew file mode 100644 index 0000000000..d0e6e272d9 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png diff --git a/docs/htmldocs/Samba3-ByExample/images/ch8-migration.png b/docs/htmldocs/Samba3-ByExample/images/ch8-migration.png Binary files differnew file mode 100644 index 0000000000..6893840b0b --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/ch8-migration.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap4-net.png b/docs/htmldocs/Samba3-ByExample/images/chap4-net.png Binary files differnew file mode 100644 index 0000000000..7183527c89 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap4-net.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap5-net.png b/docs/htmldocs/Samba3-ByExample/images/chap5-net.png Binary files differnew file mode 100644 index 0000000000..604192e22d --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap5-net.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap6-net.png b/docs/htmldocs/Samba3-ByExample/images/chap6-net.png Binary files differnew file mode 100644 index 0000000000..a3b18d6574 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap6-net.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png b/docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png Binary files differnew file mode 100644 index 0000000000..89ecbc224d --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap7-net-Ar.png b/docs/htmldocs/Samba3-ByExample/images/chap7-net-Ar.png Binary files differnew file mode 100644 index 0000000000..2f4d80f47b --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap7-net-Ar.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap7-net2-Br.png b/docs/htmldocs/Samba3-ByExample/images/chap7-net2-Br.png Binary files differnew file mode 100644 index 0000000000..a75a47dc5d --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap7-net2-Br.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png b/docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png Binary files differnew file mode 100644 index 0000000000..ec52aabc01 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png diff --git a/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png b/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png Binary files differnew file mode 100644 index 0000000000..b0103e4378 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png diff --git a/docs/htmldocs/Samba3-ByExample/images/imc-usermanager2.png b/docs/htmldocs/Samba3-ByExample/images/imc-usermanager2.png Binary files differnew file mode 100644 index 0000000000..3cfcc6a6ec --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/imc-usermanager2.png diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-config.png b/docs/htmldocs/Samba3-ByExample/images/lam-config.png Binary files differnew file mode 100644 index 0000000000..15f989bf37 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/lam-config.png diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-group-members.png b/docs/htmldocs/Samba3-ByExample/images/lam-group-members.png Binary files differnew file mode 100644 index 0000000000..cab8e42fc7 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/lam-group-members.png diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-groups.png b/docs/htmldocs/Samba3-ByExample/images/lam-groups.png Binary files differnew file mode 100644 index 0000000000..da17b19a77 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/lam-groups.png diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-hosts.png b/docs/htmldocs/Samba3-ByExample/images/lam-hosts.png Binary files differnew file mode 100644 index 0000000000..27806eb9ab --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/lam-hosts.png diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-login.png b/docs/htmldocs/Samba3-ByExample/images/lam-login.png Binary files differnew file mode 100644 index 0000000000..cce500fc43 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/lam-login.png diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-users.png b/docs/htmldocs/Samba3-ByExample/images/lam-users.png Binary files differnew file mode 100644 index 0000000000..0ca4b437ec --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/lam-users.png diff --git a/docs/htmldocs/Samba3-ByExample/images/openmag.png b/docs/htmldocs/Samba3-ByExample/images/openmag.png Binary files differnew file mode 100644 index 0000000000..52eca30c35 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/openmag.png diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp001.png b/docs/htmldocs/Samba3-ByExample/images/wxpp001.png Binary files differnew file mode 100644 index 0000000000..2e689a17e2 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/wxpp001.png diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp004.png b/docs/htmldocs/Samba3-ByExample/images/wxpp004.png Binary files differnew file mode 100644 index 0000000000..656f67942e --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/wxpp004.png diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp006.png b/docs/htmldocs/Samba3-ByExample/images/wxpp006.png Binary files differnew file mode 100644 index 0000000000..a20b3ed583 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/wxpp006.png diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp007.png b/docs/htmldocs/Samba3-ByExample/images/wxpp007.png Binary files differnew file mode 100644 index 0000000000..cf41352220 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/wxpp007.png diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp008.png b/docs/htmldocs/Samba3-ByExample/images/wxpp008.png Binary files differnew file mode 100644 index 0000000000..9958c7c873 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/images/wxpp008.png diff --git a/docs/htmldocs/Samba3-ByExample/index.html b/docs/htmldocs/Samba3-ByExample/index.html new file mode 100644 index 0000000000..50e1ffc3b4 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/index.html @@ -0,0 +1,47 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Samba-3 by Example</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="next" href="pr01.html" title="About the Cover Artwork"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Samba-3 by Example</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="S3bE"></a>Samba-3 by Example</h1></div><div><h2 class="subtitle">Practical Exercises in Successful Samba Deployment</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div><div><p class="pubdate">July, 2006</p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="preface"><a href="pr01.html">About the Cover Artwork</a></span></dt><dt><span class="preface"><a href="pr02.html">Acknowledgments</a></span></dt><dt><span class="preface"><a href="pr03.html">Foreword</a></span></dt><dd><dl><dt><span class="sect1"><a href="pr03.html#id314237">By John M. Weathersby, Executive Director, OSSI</a></span></dt></dl></dd><dt><span class="preface"><a href="preface.html">Preface</a></span></dt><dd><dl><dt><span class="sect1"><a href="preface.html#id281893">Why Is This Book Necessary?</a></span></dt><dd><dl><dt><span class="sect2"><a href="preface.html#id281931">Samba 3.0.20 Update Edition</a></span></dt></dl></dd><dt><span class="sect1"><a href="preface.html#id281662">Prerequisites</a></span></dt><dt><span class="sect1"><a href="preface.html#id323198">Approach</a></span></dt><dt><span class="sect1"><a href="preface.html#id323250">Summary of Topics</a></span></dt><dt><span class="sect1"><a href="preface.html#id323874">Conventions Used</a></span></dt></dl></dd><dt><span class="part"><a href="ExNetworks.html">I. Example Network Configurations</a></span></dt><dd><dl><dt><span class="chapter"><a href="simple.html">1. No-Frills Samba Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="simple.html#id324059">Introduction</a></span></dt><dt><span class="sect1"><a href="simple.html#id324090">Assignment Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="simple.html#id324129">Drafting Office</a></span></dt><dt><span class="sect2"><a href="simple.html#id324836">Charity Administration Office</a></span></dt><dt><span class="sect2"><a href="simple.html#AccountingOffice">Accounting Office</a></span></dt></dl></dd><dt><span class="sect1"><a href="simple.html#id328349">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="small.html">2. Small Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="small.html#id328760">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id328778">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id328824">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id328873">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id329059">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id329077">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id330725">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id331347">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id331367">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id331433">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="secure.html">3. Secure Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="secure.html#id331890">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id331930">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id332152">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id332164">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id332528">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id332562">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id333388">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id337670">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id337723">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="Big500users.html">4. The 500-User Office</a></span></dt><dd><dl><dt><span class="sect1"><a href="Big500users.html#id338164">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id338194">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id338275">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id338303">Technical Issues</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id338479">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id338499">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#ch5-dnshcp-setup">Installation of DHCP, DNS, and Samba Control Files</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id339213">Server Preparation: All Servers</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id339728">Server-Specific Preparation</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id342792">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id342844">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="happy.html">5. Making Happy Users</a></span></dt><dd><dl><dt><span class="sect1"><a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id343715">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id343791">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id343919">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id344321">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id345972">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id345985">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id346155">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id352602">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id352618">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id352707">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id352935">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id353033">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id353147">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id354146">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id354787">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id354813">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id354843">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id354931">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="2000users.html">6. A Distributed 2000-User Network</a></span></dt><dd><dl><dt><span class="sect1"><a href="2000users.html#id355265">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id355290">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id355347">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id355593">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id356417">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id356432">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id359591">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id359730">Questions and Answers</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="DMSMig.html">II. Domain Members, Updating Samba and Migration</a></span></dt><dd><dl><dt><span class="chapter"><a href="unixclients.html">7. Adding Domain Member Servers and Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="unixclients.html#id360510">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360558">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id360587">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360610">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id361198">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id361279">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367699">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id367744">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="upgrades.html">8. Updating Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrades.html#id368817">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id368901">Cautions and Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id370109">Upgrading from Samba 1.x and 2.x to Samba-3</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id370773">Samba-2.x with LDAP Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id370982">Samba-3 to Samba-3 Updates on the Same Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id371166">Migrating Samba-3 to a New Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id371543">Migration of Samba Accounts to Active Directory</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ntmigration.html">9. Migrating NT4 Domain to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="ntmigration.html#id371689">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id371765">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id371815">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id371970">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id372273">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id372293">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id375038">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id375074">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="nw4migration.html">10. Migrating NetWare Server to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="nw4migration.html#id375956">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376063">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id376162">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376233">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id376404">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376413">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="RefSection.html">III. Reference Section</a></span></dt><dd><dl><dt><span class="chapter"><a href="kerberos.html">11. Active Directory, Kerberos, and Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="kerberos.html#id380108">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id380691">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id380704">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id381076">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id382562">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id382896">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id383822">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id384506">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id384628">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="DomApps.html">12. Integrating Additional Services</a></span></dt><dd><dl><dt><span class="sect1"><a href="DomApps.html#id385213">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id385236">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id385322">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id385351">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id385497">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id385511">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id387274">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id387329">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="HA.html">13. Performance, Reliability, and Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="HA.html#id387816">Introduction</a></span></dt><dt><span class="sect1"><a href="HA.html#id387893">Dissection and Discussion</a></span></dt><dt><span class="sect1"><a href="HA.html#id388343">Guidelines for Reliable Samba Operation</a></span></dt><dd><dl><dt><span class="sect2"><a href="HA.html#id388368">Name Resolution</a></span></dt><dt><span class="sect2"><a href="HA.html#id388810">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="HA.html#id389105">Use and Location of BDCs</a></span></dt><dt><span class="sect2"><a href="HA.html#id389172">Use One Consistent Version of MS Windows Client</a></span></dt><dt><span class="sect2"><a href="HA.html#id389190">For Scalability, Use SAN-Based Storage on Samba Servers</a></span></dt><dt><span class="sect2"><a href="HA.html#id389235">Distribute Network Load with MSDFS</a></span></dt><dt><span class="sect2"><a href="HA.html#id389285">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></span></dt><dt><span class="sect2"><a href="HA.html#id389326">Hardware Problems</a></span></dt><dt><span class="sect2"><a href="HA.html#id389459">Large Directories</a></span></dt></dl></dd><dt><span class="sect1"><a href="HA.html#id389537">Key Points Learned</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch14.html">14. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch14.html#id389686">Free Support</a></span></dt><dt><span class="sect1"><a href="ch14.html#id389884">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="appendix.html">15. A Collection of Useful Tidbits</a></span></dt><dd><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id390543">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id390934">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id391231">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id391242">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id391285">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id391367">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id391422">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id391880">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id392795">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id393226">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id393365">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id393440">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="primer.html">16. Networking Primer</a></span></dt><dd><dl><dt><span class="sect1"><a href="primer.html#id393582">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id393718">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id393768">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id393876">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id393989">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id396068">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id396170">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></dd><dt><span class="appendix"><a href="apa.html">A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </a></span></dt><dd><dl><dt><span class="bridgehead"><a href="apa.html#id396759">A. + Preamble + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396868">A. + TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396872">A. + 0. Definitions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396936">A. + 1. Source Code. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id396998">A. + 2. Basic Permissions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397032">A. + 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397056">A. + 4. Conveying Verbatim Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397075">A. + 5. Conveying Modified Source Versions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397152">A. + 6. Conveying Non-Source Forms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397284">A. + 7. Additional Terms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397389">A. + 8. Termination. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397424">A. + 9. Acceptance Not Required for Having Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397438">A. + 10. Automatic Licensing of Downstream Recipients. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397472">A. + 11. Patents. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397561">A. + 12. No Surrender of Others’ Freedom. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397577">A. + 13. Use with the ???TITLE??? Affero General Public License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397600">A. + 14. Revised Versions of this License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397648">A. + 15. Disclaimer of Warranty. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397665">A. + 16. Limitation of Liability. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397680">A. + 17. Interpretation of Sections 15 and 16. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397692">A. + END OF TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id397696">A. + How to Apply These Terms to Your New Programs + </a></span></dt></dl></dd></dl></dd><dt><span class="glossary"><a href="go01.html">Glossary</a></span></dt><dt><span class="index"><a href="ix01.html">Index</a></span></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>1.1. <a href="simple.html#charitynet">Charity Administration Office Network</a></dt><dt>1.2. <a href="simple.html#acctingnet2">Accounting Office Network Topology</a></dt><dt>2.1. <a href="small.html#acct2net">Abmas Accounting 52-User Network Topology</a></dt><dt>3.1. <a href="secure.html#ch04net">Abmas Network Topology 130 Users</a></dt><dt>4.1. <a href="Big500users.html#chap05net">Network Topology 500 User Network Using tdbsam passdb backend.</a></dt><dt>5.1. <a href="happy.html#sbehap-LDAPdiag">The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</a></dt><dt>5.2. <a href="happy.html#chap6net">Network Topology 500 User Network Using ldapsam passdb backend</a></dt><dt>5.3. <a href="happy.html#XP-screen001">Windows XP Professional User Shared Folders</a></dt><dt>6.1. <a href="2000users.html#chap7idres">Samba and Authentication Backend Search Pathways</a></dt><dt>6.2. <a href="2000users.html#ch7singleLDAP">Samba Configuration to Use a Single LDAP Server</a></dt><dt>6.3. <a href="2000users.html#ch7dualLDAP">Samba Configuration to Use a Dual (Fail-over) LDAP Server</a></dt><dt>6.4. <a href="2000users.html#ch7dualadd">Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</a></dt><dt>6.5. <a href="2000users.html#ch7dualok">Samba Configuration to Use Two LDAP Databases - The result is additive.</a></dt><dt>6.6. <a href="2000users.html#chap7net">Network Topology 2000 User Complex Design A</a></dt><dt>6.7. <a href="2000users.html#chap7net2">Network Topology 2000 User Complex Design B</a></dt><dt>7.1. <a href="unixclients.html#ch09openmag">Open Magazine Samba Survey</a></dt><dt>7.2. <a href="unixclients.html#ch9-sambadc">Samba Domain: Samba Member Server</a></dt><dt>7.3. <a href="unixclients.html#ch9-adsdc">Active Directory Domain: Samba Member Server</a></dt><dt>9.1. <a href="ntmigration.html#ch8-migration">Schematic Explaining the <code class="literal">net rpc vampire</code> Process</a></dt><dt>9.2. <a href="ntmigration.html#NT4DUM">View of Accounts in NT4 Domain User Manager</a></dt><dt>15.1. <a href="appendix.html#swxpp001">The General Panel.</a></dt><dt>15.2. <a href="appendix.html#swxpp004">The Computer Name Panel.</a></dt><dt>15.3. <a href="appendix.html#swxpp006">The Computer Name Changes Panel</a></dt><dt>15.4. <a href="appendix.html#swxpp007">The Computer Name Changes Panel Domain MIDEARTH</a></dt><dt>15.5. <a href="appendix.html#swxpp008">Computer Name Changes User name and Password Panel</a></dt><dt>15.6. <a href="appendix.html#lam-login">The LDAP Account Manager Login Screen</a></dt><dt>15.7. <a href="appendix.html#lam-config">The LDAP Account Manager Configuration Screen</a></dt><dt>15.8. <a href="appendix.html#lam-user">The LDAP Account Manager User Edit Screen</a></dt><dt>15.9. <a href="appendix.html#lam-group">The LDAP Account Manager Group Edit Screen</a></dt><dt>15.10. <a href="appendix.html#lam-group-mem">The LDAP Account Manager Group Membership Edit Screen</a></dt><dt>15.11. <a href="appendix.html#lam-host">The LDAP Account Manager Host Edit Screen</a></dt><dt>15.12. <a href="appendix.html#imcidealx">The IMC Samba User Account Screen</a></dt><dt>16.1. <a href="primer.html#pktcap01">Windows Me Broadcasts The First 10 Minutes</a></dt><dt>16.2. <a href="primer.html#pktcap02">Windows Me Later Broadcast Sample</a></dt><dt>16.3. <a href="primer.html#hostannounce">Typical Windows 9x/Me Host Announcement</a></dt><dt>16.4. <a href="primer.html#nullconnect">Typical Windows 9x/Me NULL SessionSetUp AndX Request</a></dt><dt>16.5. <a href="primer.html#userconnect">Typical Windows 9x/Me User SessionSetUp AndX Request</a></dt><dt>16.6. <a href="primer.html#XPCap01">Typical Windows XP NULL Session Setup AndX Request</a></dt><dt>16.7. <a href="primer.html#XPCap02">Typical Windows XP User Session Setup AndX Request</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>1. <a href="preface.html#pref-new">Samba Changes 3.0.2 to 3.0.20</a></dt><dt>1.1. <a href="simple.html#acctingnet">Accounting Office Network Information</a></dt><dt>3.1. <a href="secure.html#chap4netid">Abmas.US ISP Information</a></dt><dt>3.2. <a href="secure.html#namedrscfiles">DNS (named) Resource Files</a></dt><dt>4.1. <a href="Big500users.html#ch5-filelocations">Domain: <code class="constant">MEGANET</code>, File Locations for Servers</a></dt><dt>5.1. <a href="happy.html#sbehap-privs">Current Privilege Capabilities</a></dt><dt>5.2. <a href="happy.html#oldapreq">Required OpenLDAP Linux Packages</a></dt><dt>5.3. <a href="happy.html#sbehap-bigacct">Abmas Network Users and Groups</a></dt><dt>5.4. <a href="happy.html#proffold">Default Profile Redirections</a></dt><dt>9.1. <a href="ntmigration.html#ch8-vampire">Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</a></dt><dt>13.1. <a href="HA.html#ProbList">Effect of Common Problems</a></dt><dt>16.1. <a href="primer.html#capsstats01">Windows Me Startup Broadcast Capture Statistics</a></dt><dt>16.2. <a href="primer.html#capsstats02">Second Machine (Windows 98) Capture Statistics</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>1.1. <a href="simple.html#draft-smbconf">Drafting Office <code class="filename">smb.conf</code> File</a></dt><dt>1.2. <a href="simple.html#charity-smbconfnew">Charity Administration Office <code class="filename">smb.conf</code> New-style File</a></dt><dt>1.3. <a href="simple.html#charity-smbconf">Charity Administration Office <code class="filename">smb.conf</code> Old-style File</a></dt><dt>1.4. <a href="simple.html#MEreg">Windows Me Registry Edit File: Disable Password Caching</a></dt><dt>1.5. <a href="simple.html#acctconf">Accounting Office Network <code class="filename">smb.conf</code> Old Style Configuration File</a></dt><dt>2.1. <a href="small.html#initGrps">Script to Map Windows NT Groups to UNIX Groups</a></dt><dt>2.2. <a href="small.html#dhcp01">Abmas Accounting DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></a></dt><dt>2.3. <a href="small.html#acct2conf">Accounting Office Network <code class="filename">smb.conf</code> File [globals] Section</a></dt><dt>2.4. <a href="small.html#acct3conf">Accounting Office Network <code class="filename">smb.conf</code> File Services and Shares Section</a></dt><dt>3.1. <a href="secure.html#ch4memoryest">Estimation of Memory Requirements</a></dt><dt>3.2. <a href="secure.html#ch4diskest">Estimation of Disk Storage Requirements</a></dt><dt>3.3. <a href="secure.html#ch4natfw">NAT Firewall Configuration Script</a></dt><dt>3.4. <a href="secure.html#promisnet">130 User Network with <span class="emphasis"><em>tdbsam</em></span> [globals] Section</a></dt><dt>3.5. <a href="secure.html#promisnetsvca">130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part A</a></dt><dt>3.6. <a href="secure.html#promisnetsvcb">130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part B</a></dt><dt>3.7. <a href="secure.html#ch4initGrps">Script to Map Windows NT Groups to UNIX Groups</a></dt><dt>3.8. <a href="secure.html#prom-dhcp">DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></a></dt><dt>3.9. <a href="secure.html#ch4namedcfg">DNS Master Configuration File <code class="filename">/etc/named.conf</code> Master Section</a></dt><dt>3.10. <a href="secure.html#ch4namedvarfwd">DNS Master Configuration File <code class="filename">/etc/named.conf</code> Forward Lookup Definition Section</a></dt><dt>3.11. <a href="secure.html#ch4namedvarrev">DNS Master Configuration File <code class="filename">/etc/named.conf</code> Reverse Lookup Definition Section</a></dt><dt>3.12. <a href="secure.html#eth1zone">DNS 192.168.1 Reverse Zone File</a></dt><dt>3.13. <a href="secure.html#eth2zone">DNS 192.168.2 Reverse Zone File</a></dt><dt>3.14. <a href="secure.html#abmasbiz">DNS Abmas.biz Forward Zone File</a></dt><dt>3.15. <a href="secure.html#abmasus">DNS Abmas.us Forward Zone File</a></dt><dt>4.1. <a href="Big500users.html#ch5-massivesmb">Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/smb.conf</code></a></dt><dt>4.2. <a href="Big500users.html#ch5-dc-common">Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/dc-common.conf</code></a></dt><dt>4.3. <a href="Big500users.html#ch5-commonsmb">Common Samba Configuration File: <code class="filename">/etc/samba/common.conf</code></a></dt><dt>4.4. <a href="Big500users.html#ch5-bldg1-smb">Server: BLDG1 (Member), File: smb.conf</a></dt><dt>4.5. <a href="Big500users.html#ch5-bldg2-smb">Server: BLDG2 (Member), File: smb.conf</a></dt><dt>4.6. <a href="Big500users.html#ch5-dommem-smb">Common Domain Member Include File: dom-mem.conf</a></dt><dt>4.7. <a href="Big500users.html#massive-dhcp">Server: MASSIVE, File: dhcpd.conf</a></dt><dt>4.8. <a href="Big500users.html#bldg1dhcp">Server: BLDG1, File: dhcpd.conf</a></dt><dt>4.9. <a href="Big500users.html#bldg2dhcp">Server: BLDG2, File: dhcpd.conf</a></dt><dt>4.10. <a href="Big500users.html#massive-nameda">Server: MASSIVE, File: named.conf, Part: A</a></dt><dt>4.11. <a href="Big500users.html#massive-namedb">Server: MASSIVE, File: named.conf, Part: B</a></dt><dt>4.12. <a href="Big500users.html#massive-namedc">Server: MASSIVE, File: named.conf, Part: C</a></dt><dt>4.13. <a href="Big500users.html#abmasbizdns">Forward Zone File: abmas.biz.hosts</a></dt><dt>4.14. <a href="Big500users.html#abmasusdns">Forward Zone File: abmas.biz.hosts</a></dt><dt>4.15. <a href="Big500users.html#bldg12nameda">Servers: BLDG1/BLDG2, File: named.conf, Part: A</a></dt><dt>4.16. <a href="Big500users.html#bldg12namedb">Servers: BLDG1/BLDG2, File: named.conf, Part: B</a></dt><dt>4.17. <a href="Big500users.html#ch5-initgrps">Initialize Groups Script, File: /etc/samba/initGrps.sh</a></dt><dt>5.1. <a href="happy.html#sbehap-dbconf">LDAP DB_CONFIG File</a></dt><dt>5.2. <a href="happy.html#sbehap-slapdconf">LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</a></dt><dt>5.3. <a href="happy.html#sbehap-slapdconf2">LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</a></dt><dt>5.4. <a href="happy.html#sbehap-nss01">Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></a></dt><dt>5.5. <a href="happy.html#sbehap-nss02">Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></a></dt><dt>5.6. <a href="happy.html#sbehap-massive-smbconfa">LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</a></dt><dt>5.7. <a href="happy.html#sbehap-massive-smbconfb">LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</a></dt><dt>5.8. <a href="happy.html#sbehap-bldg1-smbconf">LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</a></dt><dt>5.9. <a href="happy.html#sbehap-bldg2-smbconf">LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</a></dt><dt>5.10. <a href="happy.html#sbehap-shareconfa">LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</a></dt><dt>5.11. <a href="happy.html#sbehap-shareconfb">LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</a></dt><dt>5.12. <a href="happy.html#sbehap-ldifadd">LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</a></dt><dt>6.1. <a href="2000users.html#ch7-LDAP-master">LDAP Master Server Configuration File <code class="filename">/etc/openldap/slapd.conf</code></a></dt><dt>6.2. <a href="2000users.html#ch7-LDAP-slave">LDAP Slave Configuration File <code class="filename">/etc/openldap/slapd.conf</code></a></dt><dt>6.3. <a href="2000users.html#ch7-massmbconfA">Primary Domain Controller <code class="filename">smb.conf</code> File Part A</a></dt><dt>6.4. <a href="2000users.html#ch7-massmbconfB">Primary Domain Controller <code class="filename">smb.conf</code> File Part B</a></dt><dt>6.5. <a href="2000users.html#ch7-massmbconfC">Primary Domain Controller <code class="filename">smb.conf</code> File Part C</a></dt><dt>6.6. <a href="2000users.html#ch7-slvsmbocnfA">Backup Domain Controller <code class="filename">smb.conf</code> File Part A</a></dt><dt>6.7. <a href="2000users.html#ch7-slvsmbocnfB">Backup Domain Controller <code class="filename">smb.conf</code> File Part B</a></dt><dt>7.1. <a href="unixclients.html#ch9-sdmsdc">Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</a></dt><dt>7.2. <a href="unixclients.html#ch9-ldifadd">LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</a></dt><dt>7.3. <a href="unixclients.html#ch9-sdmlcnf">Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></a></dt><dt>7.4. <a href="unixclients.html#ch9-sdmnss">NSS using LDAP for Identity Resolution File: <code class="filename">/etc/nsswitch.conf</code></a></dt><dt>7.5. <a href="unixclients.html#ch0-NT4DSDM">Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</a></dt><dt>7.6. <a href="unixclients.html#ch0-NT4DSCM">Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</a></dt><dt>7.7. <a href="unixclients.html#ch9-adssdm">Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</a></dt><dt>7.8. <a href="unixclients.html#sbe-idmapridex">Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></a></dt><dt>7.9. <a href="unixclients.html#sbeunxa">Typical ADS Style Domain <code class="filename">smb.conf</code> File</a></dt><dt>7.10. <a href="unixclients.html#sbewinbindex">ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</a></dt><dt>7.11. <a href="unixclients.html#ch9-pamwnbdlogin">SUSE: PAM <code class="filename">login</code> Module Using Winbind</a></dt><dt>7.12. <a href="unixclients.html#ch9-pamwbndxdm">SUSE: PAM <code class="filename">xdm</code> Module Using Winbind</a></dt><dt>7.13. <a href="unixclients.html#ch9-rhsysauth">Red Hat 9: PAM System Authentication File: <code class="filename">/etc/pam.d/system-auth</code> Module Using Winbind</a></dt><dt>9.1. <a href="ntmigration.html#sbent4smb">NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</a></dt><dt>9.2. <a href="ntmigration.html#sbent4smb2">NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</a></dt><dt>9.3. <a href="ntmigration.html#sbentslapd">NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</a></dt><dt>9.4. <a href="ntmigration.html#sbentslapd2">NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part B</a></dt><dt>9.5. <a href="ntmigration.html#sbrntldapconf">NT4 Migration NSS LDAP File: <code class="filename">/etc/ldap.conf</code></a></dt><dt>9.6. <a href="ntmigration.html#sbentnss">NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:1)</a></dt><dt>9.7. <a href="ntmigration.html#sbentnss2">NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:2)</a></dt><dt>10.1. <a href="nw4migration.html#sbeamg">A Rough Tool to Create an LDIF File from the System Account Files</a></dt><dt>10.2. <a href="nw4migration.html#ch8ldap">NSS LDAP Control File /etc/ldap.conf</a></dt><dt>10.3. <a href="nw4migration.html#sbepu2">The PAM Control File <code class="filename">/etc/security/pam_unix2.conf</code></a></dt><dt>10.4. <a href="nw4migration.html#ch8smbconf">Samba Configuration File smb.conf Part A</a></dt><dt>10.5. <a href="nw4migration.html#ch8smbconf2">Samba Configuration File smb.conf Part B</a></dt><dt>10.6. <a href="nw4migration.html#ch8smbconf3">Samba Configuration File smb.conf Part C</a></dt><dt>10.7. <a href="nw4migration.html#ch8smbconf4">Samba Configuration File smb.conf Part D</a></dt><dt>10.8. <a href="nw4migration.html#ch8smbconf5">Samba Configuration File smb.conf Part E</a></dt><dt>10.9. <a href="nw4migration.html#sbersync">Rsync Script</a></dt><dt>10.10. <a href="nw4migration.html#sbexcld">Rsync Files Exclusion List <code class="filename">/root/excludes.txt</code></a></dt><dt>10.11. <a href="nw4migration.html#ch8ideal">Idealx smbldap-tools Control File Part A</a></dt><dt>10.12. <a href="nw4migration.html#ch8ideal2">Idealx smbldap-tools Control File Part B</a></dt><dt>10.13. <a href="nw4migration.html#ch8ideal3">Idealx smbldap-tools Control File Part C</a></dt><dt>10.14. <a href="nw4migration.html#ch8ideal4">Idealx smbldap-tools Control File Part D</a></dt><dt>10.15. <a href="nw4migration.html#ch8kix">Kixtart Control File File: logon.kix</a></dt><dt>10.16. <a href="nw4migration.html#ch8kix2">Kixtart Control File File: main.kix</a></dt><dt>10.17. <a href="nw4migration.html#ch8kix3">Kixtart Control File File: setup.kix, Part A</a></dt><dt>10.18. <a href="nw4migration.html#ch8kix3b">Kixtart Control File File: setup.kix, Part B</a></dt><dt>10.19. <a href="nw4migration.html#ch8kix4">Kixtart Control File File: acct.kix</a></dt><dt>12.1. <a href="DomApps.html#ch10-krb5conf">Kerberos Configuration File: <code class="filename">/etc/krb5.conf</code></a></dt><dt>12.2. <a href="DomApps.html#ch10-smbconf">Samba Configuration File: <code class="filename">/etc/samba/smb.conf</code></a></dt><dt>12.3. <a href="DomApps.html#ch10-etcnsscfg">NSS Configuration File Extract File: <code class="filename">/etc/nsswitch.conf</code></a></dt><dt>12.4. <a href="DomApps.html#etcsquidcfg">Squid Configuration File Extract <code class="filename">/etc/squid.conf</code> [ADMINISTRATIVE PARAMETERS Section]</a></dt><dt>12.5. <a href="DomApps.html#etcsquid2">Squid Configuration File extract File: <code class="filename">/etc/squid.conf</code> [AUTHENTICATION PARAMETERS Section]</a></dt><dt>15.1. <a href="appendix.html#ch12SL">A Useful Samba Control Script for SUSE Linux</a></dt><dt>15.2. <a href="appendix.html#ch12RHscript">A Sample Samba Control Script for Red Hat Linux</a></dt><dt>15.3. <a href="appendix.html#loopback">DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></a></dt><dt>15.4. <a href="appendix.html#dnsloopy">DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></a></dt><dt>15.5. <a href="appendix.html#roothint">DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></a></dt><dt>15.6. <a href="appendix.html#sbehap-ldapreconfa">LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part A</a></dt><dt>15.7. <a href="appendix.html#sbehap-ldapreconfb">LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part B</a></dt><dt>15.8. <a href="appendix.html#sbehap-ldapreconfc">LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part C</a></dt><dt>15.9. <a href="appendix.html#sbehap-ldifpata">LDIF Pattern File Used to Pre-configure LDAP Part A</a></dt><dt>15.10. <a href="appendix.html#sbehap-ldifpatb">LDIF Pattern File Used to Pre-configure LDAP Part B</a></dt><dt>15.11. <a href="appendix.html#lamcfg">Example LAM Configuration File <code class="filename">config.cfg</code></a></dt><dt>15.12. <a href="appendix.html#lamconf">LAM Profile Control File <code class="filename">lam.conf</code></a></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> About the Cover Artwork</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/ix01.html b/docs/htmldocs/Samba3-ByExample/ix01.html new file mode 100644 index 0000000000..d454f63af3 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/ix01.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id398277"></a>Index</h2></div></div></div><div class="index"><div class="indexdiv"><h3>Symbols</h3><dl><dt>#delete group script, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>#delete user from group script, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>#delete user script, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>#wins support, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>%LOGONSERVER%, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>%USERNAME%, <a href="happy.html#id344798">Roaming Profile Background</a>, <a href="happy.html#id345065">Profile Changes</a></dt><dt>%USERPROFILE%, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>/data/ldap, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>/etc/cups/mime.convs, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>/etc/cups/mime.types, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>/etc/dhcpd.conf, <a href="small.html#id329077">Implementation</a>, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>/etc/exports, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>/etc/group, <a href="happy.html#id344321">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>/etc/hosts, <a href="simple.html#id324238">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a>, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>/etc/krb5.conf, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>/etc/ldap.conf, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>/etc/mime.convs, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>/etc/mime.types, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>/etc/named.conf, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></dt><dt>/etc/nsswitch.conf, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a>, <a href="Big500users.html#ch5-domsvrspec">Configuration Specific to Domain Member Servers: BLDG1, BLDG2</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>/etc/openldap/slapd.conf, <a href="happy.html#id345538">Debugging LDAP</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a>, <a href="2000users.html#id356432">Implementation</a></dt><dt>/etc/passwd, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a>, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a>, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="nw4migration.html#id376233">Technical Issues</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="primer.html#id395302">Findings and Comments</a></dt><dt>/etc/rc.d/boot.local, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt><dt>/etc/rc.d/rc.local, <a href="small.html#id329077">Implementation</a></dt><dt>/etc/resolv.conf, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a></dt><dt>/etc/samba, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/etc/samba/secrets.tdb, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>/etc/samba/smbusers, <a href="Big500users.html#id339213">Server Preparation: All Servers</a></dt><dt>/etc/shadow, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a>, <a href="nw4migration.html#id376233">Technical Issues</a></dt><dt>/etc/squid/squid.conf, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>/etc/syslog.conf, <a href="happy.html#id345538">Debugging LDAP</a></dt><dt>/etc/xinetd.d, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>/lib/libnss_ldap.so.2, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dt>/opt/IDEALX/sbin, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>/proc/sys/net/ipv4/ip_forward, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a></dt><dt>/usr/bin, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/usr/lib/samba, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/usr/local, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/usr/local/samba, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/usr/local/samba/var/locks, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>/usr/sbin, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/usr/share, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/usr/share/samba/swat, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/usr/share/swat, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/var/cache/samba, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>/var/lib/samba, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>/var/log/ldaplogs, <a href="happy.html#id345538">Debugging LDAP</a></dt><dt>/var/log/samba, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>8-bit, <a href="upgrades.html#id369962">International Language Support</a></dt></dl></div><div class="indexdiv"><h3></h3><dl><dt>, <a href="secure.html#ch4appscfg">Application Share Configuration</a>, <a href="happy.html#sbehap-ppc">Addition of Machines to the Domain</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dd><dl><dt>Domain account, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>liability, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>logon, <a href="simple.html#id325119">Implementation</a></dt><dt>problem, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>transparent inter-operability, <a href="DomApps.html#id387329">Questions and Answers</a></dt></dl></dd></dl></div><div class="indexdiv"><h3>A</h3><dl><dt>abmas-netfw.sh, <a href="secure.html#ch4bsc">Basic System Configuration</a></dt><dt>abort shutdown script, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="2000users.html#id356432">Implementation</a></dt><dt>accept, <a href="secure.html#ch4ptrcfg">Printer Configuration</a></dt><dt>accepts liability, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>access, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>access control, <a href="kerberos.html#id382267">Kerberos Exposed</a>, <a href="kerberos.html#id383872">Using the MMC Computer Management Interface</a></dt><dt>Access Control Lists (see ACLs)</dt><dt>access control settings, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>access controls, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>accessible, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>account, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dd><dl><dt>ADS Domain, <a href="kerberos.html#id381076">Technical Issues</a></dt></dl></dd><dt>account credentials, <a href="primer.html#id395302">Findings and Comments</a></dt><dt>account information, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>account names, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>account policies, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>accountable, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>accounts</dt><dd><dl><dt>authoritative, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>Domain, <a href="ntmigration.html#id371689">Introduction</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>group, <a href="ntmigration.html#id371689">Introduction</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="kerberos.html#id380108">Introduction</a></dt><dt>machine, <a href="ntmigration.html#id371689">Introduction</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>manage, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>user, <a href="ntmigration.html#id371689">Introduction</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="kerberos.html#id380108">Introduction</a></dt></dl></dd><dt>ACL, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>ACLs, <a href="happy.html#id354843">Key Points Learned</a>, <a href="kerberos.html#id382562">Share Access Controls</a>, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>acquisitions, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Act!, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>ACT! database, <a href="appendix.html#id393365">Act! Database Sharing</a></dt><dt>Act!Diag, <a href="appendix.html#id393365">Act! Database Sharing</a></dt><dt>Active Directory, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="unixclients.html#id360558">Assignment Tasks</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id384506">Key Points Learned</a>, <a href="kerberos.html#id384628">Questions and Answers</a>, <a href="DomApps.html">Integrating Additional Services</a>, <a href="DomApps.html#id385236">Assignment Tasks</a>, <a href="DomApps.html#id385351">Technical Issues</a>, <a href="DomApps.html#id386107">Samba Configuration</a>, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dd><dl><dt>authentication, <a href="DomApps.html#id386899">Squid Configuration</a></dt><dt>domain, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>join, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>management tools, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>realm, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>Replacement, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>server, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>Server, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>tree, <a href="DomApps.html#id386107">Samba Configuration</a></dt></dl></dd><dt>active directory, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>AD printer publishing, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>ADAM, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a></dt><dt>add group script, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>add machine script, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Add Printer Wizard</dt><dd><dl><dt>APW, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt></dl></dd><dt>add user script, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>add user to group script, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>adduser, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt><dt>adequate precautions, <a href="upgrades.html#id368817">Introduction</a></dt><dt>admin users, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>administrative installation, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>administrative rights, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>administrator, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a></dt><dt>ADMT, <a href="upgrades.html#id371543">Migration of Samba Accounts to Active Directory</a></dt><dt>ADS, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a>, <a href="HA.html#id388378">Bad Hostnames</a></dt><dd><dl><dt>server, <a href="kerberos.html#id381076">Technical Issues</a></dt></dl></dd><dt>ADS Domain, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>affordability, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>alarm, <a href="kerberos.html#id380108">Introduction</a></dt><dt>algorithm, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>allow trusted domains, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a></dt><dt>alternative, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>analysis, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>anonymous connection, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>Apache Web server, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>appliance mode, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>application server, <a href="secure.html#id332164">Technical Issues</a>, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>application servers, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>application/octet-stream, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>APW, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>arp, <a href="secure.html#ch4valid">Validation</a></dt><dt>assessment, <a href="kerberos.html#id380108">Introduction</a></dt><dt>assistance, <a href="ch14.html#id389686">Free Support</a></dt><dt>assumptions, <a href="HA.html#id389537">Key Points Learned</a></dt><dt>authconfig, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dt>authenticate, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>authenticated, <a href="DomApps.html#id385236">Assignment Tasks</a></dt><dt>authenticated connection, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>authentication, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="nw4migration.html#id376162">Dissection and Discussion</a>, <a href="DomApps.html">Integrating Additional Services</a>, <a href="DomApps.html#id385351">Technical Issues</a>, <a href="DomApps.html#id386629">NSS Configuration</a>, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dd><dl><dt>plain-text, <a href="DomApps.html#id387329">Questions and Answers</a></dt></dl></dd><dt>authentication process, <a href="unixclients.html#id361279">Implementation</a></dt><dt>authentication protocols, <a href="DomApps.html#id387274">Key Points Learned</a></dt><dt>authoritative, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>authorized location, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>auto-generated SID, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>automatically allocate, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>availability, <a href="HA.html">Performance, Reliability, and Availability</a></dt></dl></div><div class="indexdiv"><h3>B</h3><dl><dt>backends, <a href="DomApps.html">Integrating Additional Services</a></dt><dt>background communication, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>Backup, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Backup Domain Controller (see BDC)</dt><dt>bandwidth, <a href="DomApps.html#id385236">Assignment Tasks</a></dt><dd><dl><dt>requirements, <a href="2000users.html#id355630">User Needs</a></dt></dl></dd><dt>bandwidth calculations, <a href="secure.html#id332397">Hardware Requirements</a></dt><dt>BDC, <a href="Big500users.html#id338303">Technical Issues</a>, <a href="happy.html">Making Happy Users</a>, <a href="happy.html#id343791">Assignment Tasks</a>, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="happy.html#id346155">Samba Server Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id359591">Key Points Learned</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a>, <a href="HA.html#id389105">Use and Location of BDCs</a></dt><dt>benefit, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>best practices, <a href="kerberos.html#id380108">Introduction</a></dt><dt>bias, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>binary database, <a href="secure.html#id332562">Implementation</a></dt><dt>binary files, <a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></dt><dt>binary package, <a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></dt><dt>bind interfaces only, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>broadcast, <a href="HA.html#id388556">Routed Networks</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dd><dl><dt>directed, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>mailslot, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt></dl></dd><dt>broadcast messages, <a href="secure.html#id332562">Implementation</a></dt><dt>broadcast storms, <a href="HA.html#id388719">Network Collisions</a></dt><dt>broken, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>broken behavior, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>browse, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>browse master, <a href="primer.html#id394114">Findings</a></dt><dt>Browse Master, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>browse.dat, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a></dt><dt>browseable, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Browser Election Service, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>browsing, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="DomApps.html#id385351">Technical Issues</a>, <a href="primer.html#id393768">Assignment Tasks</a></dt><dt>budgetted, <a href="kerberos.html#id380108">Introduction</a></dt><dt>bug fixes, <a href="kerberos.html#id380108">Introduction</a></dt><dt>bug report, <a href="ch14.html#id389686">Free Support</a></dt></dl></div><div class="indexdiv"><h3>C</h3><dl><dt>cache, <a href="appendix.html#id393440">Opportunistic Locking Controls</a></dt><dt>cache directories, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>caching, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>case sensitive, <a href="HA.html#id389459">Large Directories</a></dt><dt>case-sensitive, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>centralized storage, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>character set, <a href="upgrades.html#id369962">International Language Support</a></dt><dt>check samba daemons, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>check-point, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>check-point controls, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>Checkpoint Controls, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>chgrp, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>chkconfig, <a href="simple.html#id324238">Implementation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a>, <a href="2000users.html#id356432">Implementation</a></dt><dt>chmod, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>choice, <a href="kerberos.html#id380704">Dissection and Discussion</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>chown, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>CIFS, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="primer.html#id394114">Findings</a></dt><dt>cifsfs, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>clean database, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>clients per DC, <a href="happy.html">Making Happy Users</a></dt><dt>Clock skew, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>cluster, <a href="HA.html#id387816">Introduction</a></dt><dt>clustering, <a href="HA.html#id387816">Introduction</a>, <a href="HA.html#id389190">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>code maintainer, <a href="ch14.html#id389686">Free Support</a></dt><dt>codepage, <a href="upgrades.html#id369962">International Language Support</a></dt><dt>collision rates, <a href="HA.html#id388719">Network Collisions</a></dt><dt>comment, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>commercial, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>commercial software, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>commercial support, <a href="ch14.html">Samba Support</a>, <a href="ch14.html#id389884">Commercial Support</a></dt><dt>Common Internet File System (see CIFS)</dt><dt>comparison</dt><dd><dl><dt>Active Directory & OpenLDAP, <a href="happy.html#id343919">Dissection and Discussion</a></dt></dl></dd><dt>compat, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>compatible, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>compile-time, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dt>complexities, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>compromise, <a href="happy.html#id343715">Introduction</a>, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>computer account, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>Computer Management, <a href="kerberos.html#id382562">Share Access Controls</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>computer name, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>condemns, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>conferences, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>configuration files, <a href="upgrades.html#id368817">Introduction</a></dt><dt>configure.pl, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>connection, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>connectivity, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>consequential risk, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>consultant, <a href="simple.html#id324129">Drafting Office</a>, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>consumer, <a href="kerberos.html#id380704">Dissection and Discussion</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>consumer expects, <a href="ch14.html">Samba Support</a></dt><dt>contiguous directory, <a href="2000users.html#id356432">Implementation</a></dt><dt>contributions, <a href="upgrades.html">Updating Samba-3</a></dt><dt>control files, <a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></dt><dt>convmv, <a href="upgrades.html#id369962">International Language Support</a></dt><dt>copy, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>corrective action, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>cost, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>cost-benefit, <a href="nw4migration.html#id376063">Assignment Tasks</a></dt><dt>country of origin, <a href="ch14.html#id389884">Commercial Support</a></dt><dt>Courier-IMAP, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>create mask, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>credential, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>credentials, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>crippled, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>criticism, <a href="kerberos.html">Active Directory, Kerberos, and Security</a>, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Critics, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>Cryptographic, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>CUPS, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="small.html#id328873">Technical Issues</a>, <a href="small.html#id329077">Implementation</a>, <a href="small.html#id331367">Key Points Learned</a>, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#id343791">Assignment Tasks</a>, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dd><dl><dt>queue, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt></dl></dd><dt>cups options, <a href="secure.html#id333388">Samba Configuration</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>cupsd, <a href="secure.html#ch4bsc">Basic System Configuration</a></dt><dt>customer expected, <a href="ch14.html">Samba Support</a></dt><dt>customers, <a href="ch14.html">Samba Support</a></dt></dl></div><div class="indexdiv"><h3>D</h3><dl><dt>daemon, <a href="simple.html#validate1">Validation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="DomApps.html#id385351">Technical Issues</a>, <a href="DomApps.html#id387329">Questions and Answers</a>, <a href="appendix.html#id390934">Starting Samba</a></dt><dt>daemon control, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>data</dt><dd><dl><dt>corruption, <a href="happy.html">Making Happy Users</a></dt><dt>integrity, <a href="unixclients.html#id367744">Questions and Answers</a></dt></dl></dd><dt>data corruption, <a href="HA.html#id389326">Hardware Problems</a>, <a href="appendix.html#id393365">Act! Database Sharing</a></dt><dt>data integrity, <a href="HA.html#id389326">Hardware Problems</a>, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>data storage, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>database, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="nw4migration.html#id376162">Dissection and Discussion</a></dt><dt>database applications, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>DB_CONFIG, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>DCE, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>DDNS (see dynamic DNS)</dt><dt>Debian, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>default devmode, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a></dt><dt>default installation, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>default password, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>default profile, <a href="happy.html#id343791">Assignment Tasks</a>, <a href="happy.html#id344321">Technical Issues</a></dt><dt>Default User, <a href="happy.html#id345065">Profile Changes</a>, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>defective</dt><dd><dl><dt>cables, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>HUBs, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>switches, <a href="HA.html#id389326">Hardware Problems</a></dt></dl></dd><dt>defects, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>defensible standards, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>defragmentation, <a href="secure.html#ch4wincfg">Windows Client Configuration</a></dt><dt>delete group script, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>delete user from group script, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>delete user script, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a></dt><dt>delimiter, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>dependability, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>deployment, <a href="ch14.html#id389686">Free Support</a></dt><dt>desired security setting, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>development, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>DHCP, <a href="small.html#id328873">Technical Issues</a>, <a href="small.html#id329077">Implementation</a>, <a href="small.html#id331367">Key Points Learned</a>, <a href="secure.html#ch4wincfg">Windows Client Configuration</a>, <a href="Big500users.html#ch5wincfg">Windows Client Configuration</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dd><dl><dt>client, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>relay, <a href="Big500users.html#id338303">Technical Issues</a></dt><dt>Relay Agent, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>request, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>requests, <a href="Big500users.html#id338303">Technical Issues</a></dt><dt>servers, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>traffic, <a href="2000users.html#id359730">Questions and Answers</a></dt></dl></dd><dt>dhcp client validation, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>DHCP Server, <a href="small.html#id329077">Implementation</a></dt><dt>DHCP server, <a href="secure.html#id332164">Technical Issues</a></dt><dt>diagnostic, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a></dt><dt>diffusion, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>digital rights, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>digital sign'n'seal, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>digits, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>diligence, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>directory, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="unixclients.html#id361198">Political Issues</a>, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dd><dl><dt>Computers container, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>management, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>People container, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>replication, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>schema, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>server, <a href="happy.html#id344321">Technical Issues</a></dt><dt>synchronization, <a href="happy.html#id343919">Dissection and Discussion</a></dt></dl></dd><dt>directory mask, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>directory tree, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>disable, <a href="kerberos.html#id380108">Introduction</a></dt><dt>disable spoolss, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>disaster recovery, <a href="kerberos.html#id380108">Introduction</a></dt><dt>disk image, <a href="happy.html#id343791">Assignment Tasks</a></dt><dt>disruptive, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>distributed, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="HA.html#id389235">Distribute Network Load with MSDFS</a></dt><dt>distributed domain, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>DMB, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>DMS, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a></dt><dt>DNS, <a href="small.html#id328873">Technical Issues</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332164">Technical Issues</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="HA.html#id388378">Bad Hostnames</a>, <a href="HA.html#id388556">Routed Networks</a>, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dd><dl><dt>configuration, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>Dynamic, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>dynamic, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dt>lookup, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>name lookup, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>SRV records, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>suffix, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt></dl></dd><dt>DNS server, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></dt><dt>document the settings, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>documentation, <a href="kerberos.html#id380704">Dissection and Discussion</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>documented, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>Domain, <a href="small.html#id328873">Technical Issues</a></dt><dd><dl><dt>groups, <a href="small.html#id328873">Technical Issues</a></dt></dl></dd><dt>domain</dt><dd><dl><dt>Active Directory, <a href="DomApps.html#id385351">Technical Issues</a></dt><dt>controller, <a href="upgrades.html#id371366">Replacing a Domain Controller</a></dt><dt>joining, <a href="appendix.html">A Collection of Useful Tidbits</a></dt><dt>trusted, <a href="unixclients.html#id367744">Questions and Answers</a></dt></dl></dd><dt>Domain accounts, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>Domain Administrator, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>Domain Controller, <a href="small.html#id331367">Key Points Learned</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id361279">Implementation</a>, <a href="HA.html#id389105">Use and Location of BDCs</a></dt><dd><dl><dt>closest, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt></dl></dd><dt>domain controller, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>domain controllers, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>Domain Controllers, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>Domain Groups</dt><dd><dl><dt>well-known, <a href="appendix.html#id391422">Initialization of the LDAP Database</a></dt></dl></dd><dt>Domain join, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>domain logons, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>domain master, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a></dt><dt>Domain Master Browser (see DMB)</dt><dt>Domain Member, <a href="HA.html#id389105">Use and Location of BDCs</a></dt><dd><dl><dt>authoritative</dt><dd><dl><dt>local accounts, <a href="unixclients.html#id360610">Technical Issues</a></dt></dl></dd><dt>client, <a href="unixclients.html#id361279">Implementation</a></dt><dt>desktop, <a href="unixclients.html#id360510">Introduction</a></dt><dt>server, <a href="unixclients.html#id360510">Introduction</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id361279">Implementation</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>servers, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>workstations, <a href="unixclients.html#id361279">Implementation</a></dt></dl></dd><dt>domain member</dt><dd><dl><dt>servers, <a href="unixclients.html#id360610">Technical Issues</a></dt></dl></dd><dt>Domain Member server, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>Domain Member servers, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>domain members, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>domain name space, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>domain replication, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>domain SID, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>Domain SID, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>domain tree, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>Domain User Manager, <a href="happy.html#id352707">Configuring Profile Directories</a></dt><dt>Domain users, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>DOS, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>dos2unix, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt><dt>down-grade, <a href="upgrades.html#id368817">Introduction</a></dt><dt>drive letters, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>drive mapping, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>dumb printing, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a></dt><dt>dump, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>duplicate accounts, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>dynamic DNS, <a href="secure.html#id332164">Technical Issues</a></dt></dl></div><div class="indexdiv"><h3>E</h3><dl><dt>e-Directory, <a href="nw4migration.html#id376162">Dissection and Discussion</a></dt><dt>ea support, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>Easy Software Products, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a></dt><dt>economically sustainable, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>eDirectory, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>education, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>election, <a href="primer.html#id394114">Findings</a></dt><dt>employment, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>enable, <a href="secure.html#ch4ptrcfg">Printer Configuration</a></dt><dt>enable privileges, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></dt><dt>encrypt passwords, <a href="DomApps.html#id386629">NSS Configuration</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>encrypted, <a href="primer.html#id395302">Findings and Comments</a></dt><dt>encrypted password, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>encrypted passwords, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>End User License Agreement (see EULA)</dt><dt>enumerating, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>essential, <a href="kerberos.html#id380108">Introduction</a></dt><dt>ethereal, <a href="primer.html#id393876">Exercises</a></dt><dt>Ethernet switch, <a href="small.html#id328873">Technical Issues</a></dt><dt>ethernet switch, <a href="happy.html">Making Happy Users</a></dt><dt>EULA, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>Everyone, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>Excel, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>exclusive open, <a href="appendix.html#id393226">Microsoft Access</a></dt><dt>experiment, <a href="kerberos.html">Active Directory, Kerberos, and Security</a></dt><dt>export, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>extent, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>External Domains, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>extreme demand, <a href="HA.html#id388343">Guidelines for Reliable Samba Operation</a></dt></dl></div><div class="indexdiv"><h3>F</h3><dl><dt>fail, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>fail-over, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id356432">Implementation</a></dt><dt>failed, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>failed join, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a></dt><dt>failure, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>familiar, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>fatal problem, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>fear, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>fears, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>Fedora, <a href="simple.html#id324129">Drafting Office</a></dt><dt>FHS, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>file and print server, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>file and print service, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>file caching, <a href="HA.html#id388810">Samba Configuration</a>, <a href="appendix.html#id393440">Opportunistic Locking Controls</a></dt><dt>File Hierarchy System (see FHS)</dt><dt>file locations, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>file permissions, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>file server</dt><dd><dl><dt>read-only, <a href="simple.html#id324194">Dissection and Discussion</a></dt></dl></dd><dt>file servers, <a href="happy.html#id346155">Samba Server Implementation</a></dt><dt>file system, <a href="kerberos.html#id381076">Technical Issues</a></dt><dd><dl><dt>access control, <a href="secure.html#id333388">Samba Configuration</a></dt><dt>Ext3, <a href="simple.html#id324238">Implementation</a></dt><dt>permissions, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt></dl></dd><dt>file system security, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>filter, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>financial responsibility, <a href="kerberos.html#id380108">Introduction</a></dt><dt>firewall, <a href="secure.html#id332164">Technical Issues</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="kerberos.html#id380108">Introduction</a></dt><dt>fix, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>flaws, <a href="kerberos.html#id380108">Introduction</a></dt><dt>flexibility, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>flush</dt><dd><dl><dt>cache memory, <a href="appendix.html#id393440">Opportunistic Locking Controls</a></dt></dl></dd><dt>folder redirection, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>force group, <a href="simple.html#id325119">Implementation</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="kerberos.html#id383310">Override Controls</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>force printername, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>force user, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="simple.html#id325119">Implementation</a>, <a href="kerberos.html#id383310">Override Controls</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>forced settings, <a href="kerberos.html#id383310">Override Controls</a></dt><dt>foreign, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>foreign SID, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>forwarded, <a href="HA.html#id388556">Routed Networks</a></dt><dt>foundation members, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>Free Standards Group (see FSG)</dt><dt>free support, <a href="ch14.html">Samba Support</a>, <a href="ch14.html#id389686">Free Support</a></dt><dt>front-end, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dd><dl><dt>server, <a href="HA.html#id389235">Distribute Network Load with MSDFS</a></dt></dl></dd><dt>frustration, <a href="upgrades.html#id368817">Introduction</a></dt><dt>FSG, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>FTP</dt><dd><dl><dt>proxy, <a href="DomApps.html#id387329">Questions and Answers</a></dt></dl></dd><dt>full control, <a href="kerberos.html#id382562">Share Access Controls</a>, <a href="kerberos.html#id384149">Using MS Windows Explorer (File Manager)</a></dt><dt>fully qualified, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>functional differences, <a href="upgrades.html#id368901">Cautions and Notes</a></dt></dl></div><div class="indexdiv"><h3>G</h3><dl><dt>generation, <a href="upgrades.html#id368901">Cautions and Notes</a></dt><dt>Gentoo, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>getent, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a></dt><dt>getfacl, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>getgrnam, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>getpwnam, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>getpwnam(), <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>GID, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>Goettingen, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>government, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>GPL, <a href="secure.html#id337170">Comments Regarding Software Terms of Use</a></dt><dt>group account, <a href="simple.html#AcctgNet">Implementation</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>group management, <a href="secure.html#id332562">Implementation</a></dt><dt>group mapping, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>group membership, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>group names, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>group policies, <a href="ntmigration.html#id371689">Introduction</a></dt><dt>Group Policy, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dt>Group Policy editor, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a></dt><dt>Group Policy Objects, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a></dt><dt>groupadd, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>groupdel, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>groupmem, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>groupmod, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>GSS-API, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>guest account, <a href="primer.html#id395302">Findings and Comments</a>, <a href="primer.html#chap01conc">Dissection and Discussion</a>, <a href="primer.html#id396170">Technical Issues</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>guest ok, <a href="simple.html#id324238">Implementation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt></dl></div><div class="indexdiv"><h3>H</h3><dl><dt>hackers, <a href="kerberos.html#id380108">Introduction</a></dt><dt>hardware prices, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>hardware problems, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>Heimdal, <a href="DomApps.html#id385511">Implementation</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>Heimdal Kerberos, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>Heimdal kerberos, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a></dt><dt>help, <a href="ch14.html#id389686">Free Support</a></dt><dt>helper agent, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>hesiod, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>hide files, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>hierarchy of control, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>high availability, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>hire, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>HKEY_CURRENT_USER, <a href="happy.html#id344798">Roaming Profile Background</a></dt><dt>HKEY_LOCAL_MACHINE, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>HKEY_LOCAL_USER, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>host announcement, <a href="primer.html#id393768">Assignment Tasks</a>, <a href="primer.html#id394736">Findings</a></dt><dt>hostname, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>hosts, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>hosts allow, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></dt><dt>HUB, <a href="happy.html">Making Happy Users</a></dt><dt>Hybrid, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>hypothetical, <a href="kerberos.html#id380108">Introduction</a></dt></dl></div><div class="indexdiv"><h3>I</h3><dl><dt>Idealx, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dd><dl><dt>smbldap-tools, <a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a>, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt></dl></dd><dt>identifiers, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>identity, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dd><dl><dt>management, <a href="happy.html#id344321">Technical Issues</a></dt></dl></dd><dt>identity management, <a href="Big500users.html#id338303">Technical Issues</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="unixclients.html#id361198">Political Issues</a>, <a href="nw4migration.html#id376162">Dissection and Discussion</a></dt><dt>Identity Management, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>Identity management, <a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a></dt><dt>Identity resolution, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a>, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>Identity resolver, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>IDMAP, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a></dt><dt>idmap backend, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>IDMAP backend, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>idmap gid, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>idmap uid, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>idmap_rid, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a></dt><dt>IMAP, <a href="nw4migration.html#id376233">Technical Issues</a></dt><dt>import, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>include, <a href="Big500users.html#id338499">Implementation</a></dt><dt>income, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>independent expert, <a href="kerberos.html#id380108">Introduction</a></dt><dt>inetd, <a href="secure.html#procstart">Process Startup Configuration</a></dt><dt>inetOrgPerson, <a href="nw4migration.html#id376233">Technical Issues</a></dt><dt>inheritance, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>initGrps.sh, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt><dt>initial credentials, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>inoperative, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>install, <a href="upgrades.html">Updating Samba-3</a></dt><dt>installation, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>integrate, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>integrity, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>inter-domain, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>inter-operability, <a href="kerberos.html#id380704">Dissection and Discussion</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384506">Key Points Learned</a>, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>interactive help, <a href="ch14.html#id389686">Free Support</a></dt><dt>interdomain trusts, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>interfaces, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>intermittent, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>internationalization, <a href="upgrades.html#id369962">International Language Support</a></dt><dt>Internet Explorer, <a href="DomApps.html#id385351">Technical Issues</a></dt><dt>Internet Information Server, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>interoperability, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>IP forwarding, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt><dt>IPC$, <a href="primer.html#id395302">Findings and Comments</a></dt><dt>iptables, <a href="secure.html#id332164">Technical Issues</a></dt><dt>IRC, <a href="ch14.html#id389686">Free Support</a></dt><dt>isolated, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Italian, <a href="DomApps.html#id387329">Questions and Answers</a></dt></dl></div><div class="indexdiv"><h3>J</h3><dl><dt>jobs, <a href="kerberos.html#id380108">Introduction</a></dt><dt>joining a domain, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt></dl></div><div class="indexdiv"><h3>K</h3><dl><dt>KDC, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>Kerberos, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384506">Key Points Learned</a>, <a href="DomApps.html#id385351">Technical Issues</a>, <a href="DomApps.html#id385511">Implementation</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dd><dl><dt>Heimdal, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>interoperability, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>libraries, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>MIT, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>unspecified fields, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt></dl></dd><dt>kerberos, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dd><dl><dt>server, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt></dl></dd><dt>Kerberos ticket, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>kinit, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>Kixtart, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>klist, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>krb5, <a href="DomApps.html#id385511">Implementation</a></dt><dt>krb5.conf, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt></dl></div><div class="indexdiv"><h3>L</h3><dl><dt>LAM, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dd><dl><dt>configuration editor, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>configuration file, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>login screen, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>opening screen, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>profile, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>wizard, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt></dl></dd><dt>large domain, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a></dt><dt>LDAP, <a href="Big500users.html#id338303">Technical Issues</a>, <a href="happy.html#id343791">Assignment Tasks</a>, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#id345370">Preliminary Advice: Dangers Can Be Avoided</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="2000users.html#id355265">Introduction</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="2000users.html#id359591">Key Points Learned</a>, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id371765">Assignment Tasks</a>, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="nw4migration.html#id376162">Dissection and Discussion</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dd><dl><dt>backend, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>database, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></dt><dt>directory, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>fail-over, <a href="2000users.html#id356432">Implementation</a></dt><dt>initial configuration, <a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></dt><dt>master, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>master/slave</dt><dd><dl><dt>background communication, <a href="2000users.html#id359730">Questions and Answers</a></dt></dl></dd><dt>preload, <a href="2000users.html#id356432">Implementation</a></dt><dt>schema, <a href="upgrades.html#id371011">Updating from Samba Versions between 3.0.6 and 3.0.10</a></dt><dt>secure, <a href="happy.html#id344321">Technical Issues</a></dt><dt>server, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>slave, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>updates, <a href="2000users.html#id356003">Identity Management Needs</a></dt></dl></dd><dt>ldap, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>LDAP Account Manager (see LAM)</dt><dt>ldap admin dn, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>LDAP backend, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>LDAP database, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>ldap group suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>ldap idmap suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>LDAP Interchange Format (see LDIF)</dt><dt>ldap machine suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>ldap passwd sync, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>LDAP server, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>ldap ssl, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>ldap suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>ldap timeout, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>ldap user suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>LDAP-transfer-LDIF.txt, <a href="2000users.html#id356432">Implementation</a></dt><dt>ldap.conf, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>ldapadd, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>ldapsam, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="upgrades.html#id371011">Updating from Samba Versions between 3.0.6 and 3.0.10</a>, <a href="ntmigration.html#id371765">Assignment Tasks</a>, <a href="DomApps.html">Integrating Additional Services</a></dt><dt>ldapsam backend, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>ldapsearch, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>LDIF, <a href="happy.html#id344321">Technical Issues</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="nw4migration.html#id376233">Technical Issues</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="appendix.html#id391422">Initialization of the LDAP Database</a></dt><dt>leadership, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>Lightweight Directory Access Protocol (see LDAP)</dt><dt>limit, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>Linux desktop, <a href="unixclients.html#id360510">Introduction</a></dt><dt>Linux Standards Base (see LSB)</dt><dt>LMB, <a href="primer.html#id394114">Findings</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>LMHOSTS, <a href="HA.html#id388556">Routed Networks</a></dt><dt>load distribution, <a href="HA.html#id389190">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>local accounts, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>Local Group Policy, <a href="happy.html#id344798">Roaming Profile Background</a></dt><dt>Local Master Announcement, <a href="primer.html#id394736">Findings</a></dt><dt>Local Master Browser (see LMB)</dt><dt>localhost, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>lock directory, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>locking, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dd><dl><dt>Application level, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>Client side, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>Server side, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt></dl></dd><dt>log file, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>log level, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>logging, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>login, <a href="secure.html#id332164">Technical Issues</a></dt><dt>loglevel, <a href="happy.html#id345538">Debugging LDAP</a></dt><dt>logon credentials, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>logon drive, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>logon home, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>logon hours, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="kerberos.html#id384506">Key Points Learned</a></dt><dt>logon machines, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>logon path, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>logon process, <a href="unixclients.html#id361279">Implementation</a></dt><dt>logon scrip, <a href="secure.html#id333388">Samba Configuration</a></dt><dt>logon script, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="happy.html#id352935">Preparation of Logon Scripts</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>logon server, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>logon services, <a href="secure.html#id332562">Implementation</a></dt><dt>logon time, <a href="happy.html#id343791">Assignment Tasks</a></dt><dt>logon traffic, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>logon.kix, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>loopback, <a href="simple.html#validate1">Validation</a></dt><dt>low performance, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>lower-case, <a href="ntmigration.html#id372293">Implementation</a></dt><dt>lpadmin, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>LSB, <a href="appendix.html#id390543">Samba System File Location</a></dt></dl></div><div class="indexdiv"><h3>M</h3><dl><dt>machine, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>machine account, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a></dt><dt>machine accounts, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>machine secret password, <a href="Big500users.html#id338303">Technical Issues</a></dt><dt>MACHINE.SID, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>mailing list, <a href="ch14.html#id389686">Free Support</a></dt><dt>mailing lists, <a href="ch14.html#id389686">Free Support</a></dt><dt>managed, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>management, <a href="unixclients.html#id361198">Political Issues</a>, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dd><dl><dt>group, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>User, <a href="kerberos.html#id381076">Technical Issues</a></dt></dl></dd><dt>mandatory profile, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#id352707">Configuring Profile Directories</a></dt><dt>Mandrake, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>map acl inherit, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>map to guest, <a href="simple.html#id325119">Implementation</a></dt><dt>mapped drives, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>mapping, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dd><dl><dt>consistent, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt></dl></dd><dt>Mars_NWE, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>master, <a href="2000users.html#id355347">Dissection and Discussion</a></dt><dt>material, <a href="appendix.html">A Collection of Useful Tidbits</a></dt><dt>max log size, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>memberUID, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>memory requirements, <a href="secure.html#id332397">Hardware Requirements</a></dt><dt>merge, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>merged, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>meta-directory, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>meta-service, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>Microsoft Access, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>Microsoft Excel, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>Microsoft ISA, <a href="DomApps.html#id385236">Assignment Tasks</a></dt><dt>Microsoft Management Console (see MMC)</dt><dt>Microsoft Office, <a href="secure.html#ch4appscfg">Application Share Configuration</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>Microsoft Outlook</dt><dd><dl><dt>PST files, <a href="2000users.html#id359730">Questions and Answers</a></dt></dl></dd><dt>migrate, <a href="upgrades.html">Updating Samba-3</a>, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>migration, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="happy.html#id343791">Assignment Tasks</a>, <a href="ntmigration.html#id371689">Introduction</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dd><dl><dt>objectives, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt></dl></dd><dt>Migration speed, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>mime type, <a href="simple.html#id325119">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>mime types, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>missing RPC's, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>MIT, <a href="DomApps.html#id385511">Implementation</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>MIT Kerberos, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>MIT kerberos, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a></dt><dt>MIT KRB5, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>mixed mode, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>mixed-mode, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>MMC, <a href="happy.html#id354146">Configure Delete Cached Profiles on Logout</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>mobile computing, <a href="small.html#id328824">Dissection and Discussion</a></dt><dt>mobility, <a href="2000users.html#id355593">Technical Issues</a></dt><dt>modularization, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>modules, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>MS Access</dt><dd><dl><dt>validate, <a href="appendix.html#id393226">Microsoft Access</a></dt></dl></dd><dt>MS Outlook, <a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></dt><dd><dl><dt>PST, <a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></dt><dt>PST file, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>MS Windows Server 2003, <a href="DomApps.html#id385511">Implementation</a></dt><dt>MS Word, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>MSDFS, <a href="HA.html#id389235">Distribute Network Load with MSDFS</a></dt><dt>multi-subnet, <a href="HA.html#id388556">Routed Networks</a></dt><dt>multi-user</dt><dd><dl><dt>access, <a href="appendix.html#id393226">Microsoft Access</a></dt><dt>data access, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt></dl></dd><dt>multiple directories, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>multiple domain controllers, <a href="happy.html">Making Happy Users</a></dt><dt>multiple group mappings, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>mutual assistance, <a href="ch14.html#id389686">Free Support</a></dt><dt>My Documents, <a href="happy.html#id344798">Roaming Profile Background</a></dt><dt>My Network Places, <a href="simple.html#id325119">Implementation</a></dt><dt>mysqlsam, <a href="2000users.html#id356432">Implementation</a></dt></dl></div><div class="indexdiv"><h3>N</h3><dl><dt>name resolution, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="primer.html#id393768">Assignment Tasks</a></dt><dd><dl><dt>Defective, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt></dl></dd><dt>name resolve order, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>name service switch, <a href="small.html#id329077">Implementation</a> (see NSS)</dt><dt>named, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a></dt><dt>NAT, <a href="secure.html#id332164">Technical Issues</a></dt><dt>native, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>net</dt><dd><dl><dt>ads</dt><dd><dl><dt>info, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>join, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>status, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt></dl></dd><dt>getlocalsid, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>group, <a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a></dt><dt>groupmap</dt><dd><dl><dt>add, <a href="secure.html#id333388">Samba Configuration</a></dt><dt>list, <a href="secure.html#id333388">Samba Configuration</a>, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>modify, <a href="secure.html#id333388">Samba Configuration</a></dt></dl></dd><dt>rpc</dt><dd><dl><dt>info, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>join, <a href="Big500users.html#ch5-domsvrspec">Configuration Specific to Domain Member Servers: BLDG1, BLDG2</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a></dt><dt>vampire, <a href="upgrades.html">Updating Samba-3</a>, <a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a></dt></dl></dd><dt>setlocalsid, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt></dl></dd><dt>NetBIOS, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="HA.html#id388378">Bad Hostnames</a>, <a href="HA.html#id388556">Routed Networks</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dd><dl><dt>name cache, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>name resolution</dt><dd><dl><dt>delays, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>Node Type, <a href="primer.html#chap01qa">Questions and Answers</a></dt></dl></dd><dt>netbios</dt><dd><dl><dt>machine name, <a href="upgrades.html#id369661">Change of hostname</a></dt></dl></dd><dt>netbios forwarding, <a href="HA.html#id388719">Network Collisions</a></dt><dt>netbios name, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id369661">Change of hostname</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="DomApps.html#id386629">NSS Configuration</a>, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>NetBIOS name, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dd><dl><dt>aliases, <a href="2000users.html#id356003">Identity Management Needs</a></dt></dl></dd><dt>NETLOGON, <a href="happy.html#id345153">Using a Network Default User Profile</a>, <a href="happy.html#id353147">Windows Client Configuration</a></dt><dt>netlogon, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Netlogon, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dt>netmask, <a href="simple.html#id324238">Implementation</a></dt><dt>Netware, <a href="small.html">Small Office Networking</a></dt><dt>NetWare, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>network</dt><dd><dl><dt>administrators, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>analyzer, <a href="primer.html#id393768">Assignment Tasks</a></dt><dt>bandwidth, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>broadcast, <a href="primer.html#id393718">Introduction</a></dt><dt>captures, <a href="primer.html#id393582">Requirements and Notes</a></dt><dt>collisions, <a href="HA.html#id388719">Network Collisions</a></dt><dt>load, <a href="HA.html#id388719">Network Collisions</a></dt><dt>logon, <a href="happy.html">Making Happy Users</a></dt><dt>logon scripts, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>management, <a href="kerberos.html#id380108">Introduction</a></dt><dt>multi-segment, <a href="happy.html#id343715">Introduction</a></dt><dt>overload, <a href="happy.html">Making Happy Users</a></dt><dt>performance, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>routed, <a href="2000users.html#id355347">Dissection and Discussion</a></dt><dt>secure, <a href="kerberos.html#id380108">Introduction</a></dt><dt>segment, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>services, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>sniffer, <a href="primer.html#id393582">Requirements and Notes</a></dt><dt>timeout, <a href="happy.html">Making Happy Users</a></dt><dt>timeouts, <a href="HA.html#id388719">Network Collisions</a></dt><dt>trace, <a href="primer.html#id393768">Assignment Tasks</a></dt><dt>traffic</dt><dd><dl><dt>observation, <a href="kerberos.html#id381076">Technical Issues</a></dt></dl></dd><dt>wide-area, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt></dl></dd><dt>Network Address Translation (see NAT)</dt><dt>network administrators, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>network attached storage (see NAS)</dt><dt>network bandwidth</dt><dd><dl><dt>utilization, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>Network Default Profile, <a href="happy.html#id344798">Roaming Profile Background</a></dt><dt>network hardware</dt><dd><dl><dt>defective, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>network hygiene, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>network Identities, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>network load factors, <a href="Big500users.html#id338275">Dissection and Discussion</a></dt><dt>Network Neighborhood, <a href="simple.html#validate1">Validation</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>network segment, <a href="HA.html#id389105">Use and Location of BDCs</a></dt><dt>network segments, <a href="secure.html#id332397">Hardware Requirements</a></dt><dt>network share, <a href="happy.html#id343791">Assignment Tasks</a></dt><dt>networking</dt><dd><dl><dt>client, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt></dl></dd><dt>networking hardware</dt><dd><dl><dt>defective, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>networking protocols, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>next generation, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>NextFreeUnixId, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>NFS server, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>NICs, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>NIS, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id361198">Political Issues</a>, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>nis, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>NIS schema, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>NIS server, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>NIS+, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>nisplus, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>NLM, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>nmap, <a href="secure.html#ch4valid">Validation</a></dt><dt>nmbd, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a>, <a href="DomApps.html#id386107">Samba Configuration</a>, <a href="appendix.html#id390934">Starting Samba</a></dt><dt>nobody, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="primer.html#id395302">Findings and Comments</a></dt><dt>Novell, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a>, <a href="nw4migration.html#id375956">Introduction</a></dt><dt>Novell SUSE SLES 9, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>NSS, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="DomApps.html#id386629">NSS Configuration</a> (see same service switch)</dt><dt>nss_ldap, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>nt acl support, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="simple.html#id325119">Implementation</a></dt><dt>NT4 registry, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>NTLM, <a href="DomApps.html#id385351">Technical Issues</a></dt><dt>NTLM authentication daemon, <a href="DomApps.html#id385351">Technical Issues</a></dt><dt>NTLMSSP, <a href="DomApps.html#id387274">Key Points Learned</a>, <a href="DomApps.html#id387329">Questions and Answers</a>, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>NTLMSSP_AUTH, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>ntlm_auth, <a href="DomApps.html#id386107">Samba Configuration</a>, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>NTP, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>NTUSER.DAT, <a href="happy.html#id344798">Roaming Profile Background</a>, <a href="happy.html#id345065">Profile Changes</a>, <a href="happy.html#id345153">Using a Network Default User Profile</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>NULL connection, <a href="simple.html#validate1">Validation</a></dt><dt>NULL session, <a href="primer.html#id395302">Findings and Comments</a></dt><dt>NULL-Session, <a href="primer.html#id396042">Discussion</a></dt></dl></div><div class="indexdiv"><h3>O</h3><dl><dt>objectClass, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>off-site storage, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Open Magazine, <a href="unixclients.html">Adding Domain Member Servers and Clients</a></dt><dt>Open Source, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>OpenLDAP, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="unixclients.html#id361198">Political Issues</a>, <a href="nw4migration.html#id376233">Technical Issues</a>, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384506">Key Points Learned</a>, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>openldap, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>OpenOffice, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>operating profiles, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>oplock break, <a href="kerberos.html#id383310">Override Controls</a></dt><dt>oplocks, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>Oplocks</dt><dd><dl><dt>disabled, <a href="appendix.html#id393440">Opportunistic Locking Controls</a></dt></dl></dd><dt>opportunistic</dt><dd><dl><dt>locking, <a href="kerberos.html#id383310">Override Controls</a></dt></dl></dd><dt>opportunistic locking, <a href="secure.html#id332562">Implementation</a>, <a href="HA.html#id388810">Samba Configuration</a>, <a href="appendix.html#id393365">Act! Database Sharing</a></dt><dt>optimized, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>organizational units, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>os level, <a href="2000users.html#id356432">Implementation</a></dt><dt>OS/2, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>Outlook</dt><dd><dl><dt>PST, <a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></dt></dl></dd><dt>Outlook Address Book, <a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></dt><dt>Outlook Express, <a href="secure.html#id332528">Political Issues</a>, <a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></dt><dt>over-ride, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>over-ride controls, <a href="kerberos.html#id383310">Override Controls</a></dt><dt>over-rule, <a href="kerberos.html#id382562">Share Access Controls</a>, <a href="kerberos.html#id384149">Using MS Windows Explorer (File Manager)</a></dt><dt>overheads, <a href="kerberos.html#id383310">Override Controls</a></dt><dt>ownership, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt></dl></div><div class="indexdiv"><h3>P</h3><dl><dt>package, <a href="simple.html#id324238">Implementation</a></dt><dt>package names, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>packages, <a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></dt><dt>PADL, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a></dt><dt>PADL LDAP tools, <a href="happy.html#id344321">Technical Issues</a></dt><dt>PADL Software, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>paid-for support, <a href="ch14.html">Samba Support</a></dt><dt>PAM, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>pam password change, <a href="secure.html#id333388">Samba Configuration</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>pam_ldap, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>pam_ldap.so, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dt>pam_unix2.so, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dd><dl><dt>use_ldap, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt></dl></dd><dt>parameters, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>passdb backend, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html">The 500-User Office</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html">Updating Samba-3</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="upgrades.html#id371011">Updating from Samba Versions between 3.0.6 and 3.0.10</a>, <a href="ntmigration.html#id371765">Assignment Tasks</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>passdb.tdb, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>passwd, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a></dt><dt>passwd chat, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a></dt><dt>passwd program, <a href="secure.html#id333388">Samba Configuration</a></dt><dt>password</dt><dd><dl><dt>backend, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt></dl></dd><dt>password caching, <a href="simple.html#id325119">Implementation</a></dt><dt>password change, <a href="kerberos.html#id384506">Key Points Learned</a></dt><dt>password length, <a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a>, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>password server, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>path, <a href="simple.html#id324238">Implementation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>payroll, <a href="nw4migration.html#id375956">Introduction</a></dt><dt>pdbedit, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>PDC, <a href="Big500users.html#id338194">Assignment Tasks</a>, <a href="Big500users.html#id338303">Technical Issues</a>, <a href="happy.html">Making Happy Users</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372293">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a>, <a href="HA.html#id389105">Use and Location of BDCs</a></dt><dt>PDC/BDC ratio, <a href="happy.html">Making Happy Users</a></dt><dt>PDF, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>performance, <a href="happy.html#id343919">Dissection and Discussion</a>, <a href="kerberos.html#id384628">Questions and Answers</a>, <a href="HA.html">Performance, Reliability, and Availability</a>, <a href="HA.html#id387816">Introduction</a>, <a href="HA.html#id388719">Network Collisions</a></dt><dt>performance degradation, <a href="kerberos.html#id383310">Override Controls</a>, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>Perl, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>permission, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>permissions, <a href="simple.html#id325119">Implementation</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id382562">Share Access Controls</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dd><dl><dt>excessive, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>group, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>user, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt></dl></dd><dt>Permissions, <a href="kerberos.html#id383872">Using the MMC Computer Management Interface</a></dt><dt>permits, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>permitted group, <a href="kerberos.html#id383872">Using the MMC Computer Management Interface</a></dt><dt>PHP, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>PHP4, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>pile-driver, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>ping, <a href="secure.html#ch4valid">Validation</a></dt><dt>pitfalls, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>plain-text, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>Pluggable Authentication Modules (see PAM)</dt><dt>policy, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id380108">Introduction</a></dt><dt>poor performance, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>POP3, <a href="nw4migration.html#id376233">Technical Issues</a></dt><dt>Posix, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="ntmigration.html#id372293">Implementation</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>POSIX, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Posix accounts, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>Posix ACLs, <a href="kerberos.html#id383822">Managing Windows 200x ACLs</a></dt><dt>PosixAccount, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>posixAccount, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Postfix, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Postscript, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a></dt><dt>powers, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>practices, <a href="kerberos.html#id380108">Introduction</a></dt><dt>precaution, <a href="upgrades.html#id368817">Introduction</a></dt><dt>preferred master, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>presence and leadership, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>price paid, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>primary group, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>principals, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>print filter, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>print queue, <a href="simple.html#id324836">Charity Administration Office</a>, <a href="simple.html#id324932">Dissection and Discussion</a></dt><dt>print spooler, <a href="simple.html#id324836">Charity Administration Office</a></dt><dt>Print Test Page, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>printable, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>printcap name, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>printer admin, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>printer validation, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>printers</dt><dd><dl><dt>Advanced, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>Default Settings, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>General, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>Properties, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>Security, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>Sharing, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt></dl></dd><dt>printing, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dd><dl><dt>drag-and-drop, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a>, <a href="happy.html#id354318">Uploading Printer Drivers to Samba Servers</a></dt><dt>dumb, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a></dt><dt>point-n-click, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a></dt><dt>raw, <a href="simple.html#id324932">Dissection and Discussion</a></dt></dl></dd><dt>privacy, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>Privilege Attribute Certificates (see PAC)</dt><dt>privilege controls, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>privileged pipe, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>privileges, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="upgrades.html#id371085">Updating from Samba Versions after 3.0.6 to a Current Release</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id382896">Share Definition Controls</a></dt><dt>problem report, <a href="ch14.html#id389686">Free Support</a></dt><dt>problem resolution, <a href="ch14.html">Samba Support</a></dt><dt>product defects, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>professional support, <a href="ch14.html#id389686">Free Support</a></dt><dt>profile</dt><dd><dl><dt>default, <a href="happy.html#id343791">Assignment Tasks</a></dt><dt>mandatory, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>roaming, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>profile acls, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>profile path, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>profile share, <a href="secure.html#id332562">Implementation</a></dt><dt>profiles, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>profiles share, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>programmer, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>project, <a href="ch14.html#id389686">Free Support</a></dt><dt>project maintainers, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>Properties, <a href="kerberos.html#id383872">Using the MMC Computer Management Interface</a></dt><dt>proprietary, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>protected, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>protection, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>protocol</dt><dd><dl><dt>negotiation, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt></dl></dd><dt>protocol analysis, <a href="primer.html#id393582">Requirements and Notes</a></dt><dt>protocols, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>provided services, <a href="ch14.html">Samba Support</a></dt><dt>proxy, <a href="DomApps.html#id385236">Assignment Tasks</a>, <a href="DomApps.html#id385351">Technical Issues</a></dt><dt>PST file, <a href="happy.html#id353863">Configuration of MS Outlook to Relocate PST File</a></dt><dt>public specifications, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>purchase support, <a href="ch14.html#id389686">Free Support</a></dt></dl></div><div class="indexdiv"><h3>Q</h3><dl><dt>Qbasic, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>qualified problem, <a href="ch14.html#id389686">Free Support</a></dt></dl></div><div class="indexdiv"><h3>R</h3><dl><dt>RAID, <a href="secure.html#id332397">Hardware Requirements</a></dt><dt>RAID controllers, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>Raw Print Through, <a href="happy.html#id345208">Installation of Printer Driver Auto-Download</a></dt><dt>raw printing, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>Rbase, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>rcldap, <a href="2000users.html#id356432">Implementation</a></dt><dt>read only, <a href="simple.html#id324238">Implementation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>realm, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="DomApps.html#id385744">Kerberos Configuration</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>recognize, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>record locking, <a href="appendix.html#id393226">Microsoft Access</a></dt><dt>recursively, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>Red Hat, <a href="simple.html#id324129">Drafting Office</a>, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>Red Hat Fedora Linux, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>Red Hat Linux, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="simple.html#AccountingOffice">Accounting Office</a>, <a href="happy.html#id346155">Samba Server Implementation</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id385511">Implementation</a>, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>redirected folders, <a href="happy.html#id344798">Roaming Profile Background</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>refereed standards, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>regedit, <a href="simple.html#id325119">Implementation</a></dt><dt>regedt32, <a href="happy.html#id345065">Profile Changes</a>, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>registry, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dd><dl><dt>keys</dt><dd><dl><dt>SAM, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>SECURITY, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt></dl></dd></dl></dd><dt>registry change, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>Registry Editor, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>registry hacks, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>registry keys, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>reimburse, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>rejected, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>rejoin, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>reliability, <a href="HA.html">Performance, Reliability, and Availability</a></dt><dt>remote announce, <a href="HA.html#id388556">Routed Networks</a></dt><dt>remote browse sync, <a href="HA.html#id388556">Routed Networks</a></dt><dt>remote procedure call (see RPC)</dt><dt>replicate, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="HA.html#id389285">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></dt><dt>replicated, <a href="2000users.html#id355347">Dissection and Discussion</a></dt><dt>requesting payment, <a href="ch14.html#id389686">Free Support</a></dt><dt>resilient, <a href="HA.html#id388343">Guidelines for Reliable Samba Operation</a></dt><dt>resolution, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a></dt><dt>resolve, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="HA.html#id388378">Bad Hostnames</a></dt><dt>response, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a></dt><dt>responsibility, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>responsible, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>restrict anonymous, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>restricted export, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>Restrictive security, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>reverse DNS, <a href="DomApps.html#id385744">Kerberos Configuration</a></dt><dt>rfc2307bis, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>RID, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>risk, <a href="secure.html#id332164">Technical Issues</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="kerberos.html#id380108">Introduction</a></dt><dt>road-map, <a href="kerberos.html#id381076">Technical Issues</a></dt><dd><dl><dt>published, <a href="kerberos.html#id381076">Technical Issues</a></dt></dl></dd><dt>roaming profile, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#id344798">Roaming Profile Background</a>, <a href="happy.html#id352707">Configuring Profile Directories</a>, <a href="2000users.html#id355630">User Needs</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>roaming profiles, <a href="secure.html#id332164">Technical Issues</a>, <a href="secure.html#id332562">Implementation</a>, <a href="happy.html#id344798">Roaming Profile Background</a></dt><dt>routed network, <a href="HA.html#id389105">Use and Location of BDCs</a></dt><dt>router, <a href="small.html#id329077">Implementation</a></dt><dt>routers, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="HA.html#id388556">Routed Networks</a></dt><dt>RPC, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>rpc, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>rpcclient, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>RPM, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="nw4migration.html#id376162">Dissection and Discussion</a></dt><dd><dl><dt>install, <a href="simple.html#id324238">Implementation</a></dt></dl></dd><dt>rpm, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>RPMs, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>rpms, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>rsync, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="HA.html#id389285">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></dt><dt>rsyncd.conf, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>run-time control files, <a href="appendix.html#id390543">Samba System File Location</a></dt></dl></div><div class="indexdiv"><h3>S</h3><dl><dt>safe-guards, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>SAM, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>samba, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dd><dl><dt>starting samba, <a href="simple.html#id324238">Implementation</a></dt></dl></dd><dt>Samba, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>Samba accounts, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>samba cluster, <a href="HA.html#id387816">Introduction</a></dt><dt>samba control script, <a href="appendix.html#id390934">Starting Samba</a></dt><dt>Samba Domain, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>Samba Domain server, <a href="kerberos.html#id383872">Using the MMC Computer Management Interface</a></dt><dt>Samba RPM Packages, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>Samba Tea, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>sambaDomainName, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>sambaGroupMapping, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>SambaSAMAccount, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a></dt><dt>SambaSamAccount, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>sambaSamAccount, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>SambaXP conference, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>SAN, <a href="HA.html#id389190">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>SAS, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>scalability, <a href="HA.html#id387816">Introduction</a></dt><dt>scalable, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>schannel, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384506">Key Points Learned</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>schema, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#id370773">Samba-2.x with LDAP Support</a>, <a href="upgrades.html#id371011">Updating from Samba Versions between 3.0.6 and 3.0.10</a></dt><dt>scripts, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>secondary group, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>secret, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>secrets.tdb, <a href="happy.html#id344321">Technical Issues</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dt>secure, <a href="kerberos.html#id380108">Introduction</a></dt><dt>secure account password, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>secure connections, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>secure networking, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>secure networking protocols, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>security, <a href="simple.html#id324238">Implementation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a>, <a href="kerberos.html#id384628">Questions and Answers</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dd><dl><dt>identifier, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>share mode, <a href="simple.html#id324932">Dissection and Discussion</a></dt><dt>user mode, <a href="simple.html#id327103">Dissection and Discussion</a></dt></dl></dd><dt>Security, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id383872">Using the MMC Computer Management Interface</a></dt><dt>Security Account Manager (see SAM)</dt><dt>security controls, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>security descriptors, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>security fixes, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>security updates, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>SerNet, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>server</dt><dd><dl><dt>domain member, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>stand-alone, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt></dl></dd><dt>server string, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>service, <a href="2000users.html#id356432">Implementation</a></dt><dd><dl><dt>smb</dt><dd><dl><dt>start, <a href="Big500users.html#ch5-domsvrspec">Configuration Specific to Domain Member Servers: BLDG1, BLDG2</a></dt></dl></dd></dl></dd><dt>Service Packs, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>services, <a href="DomApps.html#id387274">Key Points Learned</a></dt><dt>services provided, <a href="ch14.html">Samba Support</a></dt><dt>session setup, <a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a>, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>Session Setup, <a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a></dt><dt>SessionSetUpAndX, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>set primary group script, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>setfacl, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>severely degrade, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>SFU, <a href="unixclients.html#id367167">IDMAP, Active Directory, and MS Services for UNIX 3.5</a></dt><dt>SGID, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a>, <a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></dt><dt>shadow-utils, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>Share Access Controls, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>share ACLs, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>share definition, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>Share Definition</dt><dd><dl><dt>Controls, <a href="kerberos.html#id382896">Share Definition Controls</a></dt></dl></dd><dt>share definition controls, <a href="kerberos.html#id382896">Share Definition Controls</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a>, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>share level access controls, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>share level ACL, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>Share Permissions, <a href="kerberos.html#id382562">Share Access Controls</a></dt><dt>shared resource, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>shares, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>show add printer wizard, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>shutdown script, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="2000users.html#id356432">Implementation</a></dt><dt>SID, <a href="secure.html#ch4wincfg">Windows Client Configuration</a>, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id369719">Change of Workgroup (Domain) Name</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="appendix.html#id391422">Initialization of the LDAP Database</a></dt><dt>side effects, <a href="kerberos.html#id383822">Managing Windows 200x ACLs</a></dt><dt>Sign'n'seal, <a href="kerberos.html#id384506">Key Points Learned</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>silent return, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>simple, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>Single Sign-On (see SSO)</dt><dt>slapcat, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>slapd, <a href="happy.html#id345538">Debugging LDAP</a></dt><dt>slapd.conf, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>slave, <a href="2000users.html#id355347">Dissection and Discussion</a></dt><dt>slow logon, <a href="happy.html">Making Happy Users</a></dt><dt>slow network, <a href="HA.html#id389326">Hardware Problems</a></dt><dt>slurpd, <a href="2000users.html#id356432">Implementation</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>smart printing, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>SMB, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>SMB passwords, <a href="2000users.html#id356432">Implementation</a></dt><dt>smb ports, <a href="secure.html#id333388">Samba Configuration</a>, <a href="secure.html#id337723">Questions and Answers</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>SMB/CIFS, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>smbclient, <a href="simple.html#validate1">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>smbd, <a href="simple.html#validate1">Validation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#sbeug1">Location of config files</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a>, <a href="DomApps.html#id386107">Samba Configuration</a>, <a href="DomApps.html#id387329">Questions and Answers</a>, <a href="appendix.html#id390934">Starting Samba</a></dt><dd><dl><dt>location of files, <a href="appendix.html#id390543">Samba System File Location</a></dt></dl></dd><dt>smbfs, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>smbldap-groupadd, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>smbldap-groupmod, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>smbldap-passwd, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>smbldap-populate, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>smbldap-tools, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>smbldap-tools updating, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>smbldap-useradd, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id356432">Implementation</a></dt><dt>smbldap-usermod, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>smbmnt, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>smbmount, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>smbpasswd, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id328873">Technical Issues</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332164">Technical Issues</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#id348843">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html">Updating Samba-3</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="DomApps.html">Integrating Additional Services</a></dt><dt>smbumnt, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>smbumount, <a href="HA.html#id387893">Dissection and Discussion</a></dt><dt>SMTP, <a href="nw4migration.html#id376233">Technical Issues</a></dt><dt>snap-shot, <a href="ntmigration.html#id371815">Dissection and Discussion</a></dt><dt>socket address, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>socket options, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>software, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>solve, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>source code, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>SPNEGO, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>SQL, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>Squid, <a href="DomApps.html#id385511">Implementation</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="DomApps.html#id386107">Samba Configuration</a>, <a href="DomApps.html#id386899">Squid Configuration</a></dt><dt>squid, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>Squid proxy, <a href="DomApps.html#id385351">Technical Issues</a></dt><dt>SRVTOOLS.EXE, <a href="secure.html#id332562">Implementation</a>, <a href="happy.html#id352707">Configuring Profile Directories</a>, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>SSL, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>stand-alone server, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>starting CUPS, <a href="simple.html#id325119">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>starting dhcpd, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>starting samba, <a href="simple.html#id324238">Implementation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dd><dl><dt>nmbd, <a href="appendix.html#id390934">Starting Samba</a></dt><dt>smbd, <a href="appendix.html#id390934">Starting Samba</a></dt><dt>winbindd, <a href="appendix.html#id390934">Starting Samba</a></dt></dl></dd><dt>startingCUPS, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>startup script, <a href="appendix.html#id390934">Starting Samba</a></dt><dt>sticky bit, <a href="small.html#id329077">Implementation</a></dt><dt>storage capacity, <a href="secure.html#id332397">Hardware Requirements</a></dt><dt>strategic, <a href="ntmigration.html#id371970">Technical Issues</a></dt><dt>strategy, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>straw-man, <a href="kerberos.html">Active Directory, Kerberos, and Security</a></dt><dt>strict sync, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>stripped, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>strong cryptography, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>subscription, <a href="ch14.html#id389686">Free Support</a></dt><dt>SUID, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="kerberos.html#id384628">Questions and Answers</a>, <a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></dt><dt>Sun ONE Identity Server, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>super daemon, <a href="secure.html#procstart">Process Startup Configuration</a></dt><dt>support, <a href="kerberos.html#id380704">Dissection and Discussion</a>, <a href="ch14.html">Samba Support</a></dt><dt>survey, <a href="unixclients.html">Adding Domain Member Servers and Clients</a></dt><dt>SUSE, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>SUSE Enterprise Linux Server, <a href="simple.html#id324836">Charity Administration Office</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="DomApps.html#id385511">Implementation</a></dt><dt>SUSE Linux, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="happy.html#id346155">Samba Server Implementation</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id385511">Implementation</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>SWAT, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>sync always, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>synchronization, <a href="DomApps.html#id385744">Kerberos Configuration</a>, <a href="HA.html#id389190">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>synchronize, <a href="2000users.html#id355630">User Needs</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>synchronized, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>syslog, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>system level logins, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>system security, <a href="kerberos.html#id381076">Technical Issues</a></dt></dl></div><div class="indexdiv"><h3>T</h3><dl><dt>tattooing, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>TCP/IP, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>tdbdump, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>tdbsam, <a href="secure.html#id332164">Technical Issues</a>, <a href="secure.html#id332562">Implementation</a>, <a href="Big500users.html">The 500-User Office</a>, <a href="happy.html#id343791">Assignment Tasks</a>, <a href="2000users.html#id355347">Dissection and Discussion</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="upgrades.html#id371011">Updating from Samba Versions between 3.0.6 and 3.0.10</a>, <a href="ntmigration.html#id371970">Technical Issues</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>template primary group, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>template shell, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>testparm, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="HA.html#id388810">Samba Configuration</a></dt><dt>ticket, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>time server, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Tivoli Directory Server, <a href="happy.html#id343919">Dissection and Discussion</a></dt><dt>TLS, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>token, <a href="DomApps.html#id385351">Technical Issues</a></dt><dt>tool, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>TOSHARG2, <a href="simple.html#id325119">Implementation</a></dt><dt>track record, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>traffic collisions, <a href="happy.html">Making Happy Users</a></dt><dt>transaction processing, <a href="2000users.html#id355347">Dissection and Discussion</a></dt><dt>transactional, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>transfer, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>translate, <a href="kerberos.html#id383822">Managing Windows 200x ACLs</a></dt><dt>traverse, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>tree, <a href="nw4migration.html#id376162">Dissection and Discussion</a></dt><dt>Tree Connect, <a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a></dt><dt>trust account, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a></dt><dt>trusted computing, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Trusted Domains, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>trusted domains, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>trusted third-party, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>trusting, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>turn-around time, <a href="kerberos.html#id381076">Technical Issues</a></dt></dl></div><div class="indexdiv"><h3>U</h3><dl><dt>UDP</dt><dd><dl><dt>broadcast, <a href="HA.html#id388556">Routed Networks</a></dt></dl></dd><dt>UID, <a href="simple.html#id324932">Dissection and Discussion</a>, <a href="happy.html#id343590">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="happy.html#id344321">Technical Issues</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>un-join, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>unauthorized activities, <a href="kerberos.html#id382267">Kerberos Exposed</a></dt><dt>UNC name, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>unencrypted, <a href="appendix.html#id391880">The LDAP Account Manager</a></dt><dt>Unicast, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a></dt><dt>unicode, <a href="upgrades.html#id369962">International Language Support</a></dt><dt>Universal Naming Convention (see UNC name)</dt><dt>UNIX, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dd><dl><dt>groups, <a href="small.html#id328873">Technical Issues</a>, <a href="small.html#id329077">Implementation</a></dt></dl></dd><dt>UNIX accounts, <a href="happy.html#id344321">Technical Issues</a></dt><dt>unix charset, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>unix password sync, <a href="secure.html#id333388">Samba Configuration</a></dt><dt>UNIX/Linux server, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>unix2dos, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt><dt>unknown, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>unsupported software, <a href="ch14.html#id389884">Commercial Support</a></dt><dt>update, <a href="upgrades.html#id368817">Introduction</a>, <a href="upgrades.html#id368901">Cautions and Notes</a></dt><dt>updates, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>updating smbldap-tools, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>upgrade, <a href="upgrades.html#id368817">Introduction</a>, <a href="upgrades.html#id368901">Cautions and Notes</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>uppercase, <a href="ntmigration.html#id372293">Implementation</a></dt><dt>use client driver, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>user</dt><dd><dl><dt>management, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a></dt></dl></dd><dt>user account, <a href="happy.html">Making Happy Users</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>User and Group Controls, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>user credentials, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a></dt><dt>user errors, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>user groups, <a href="ch14.html#id389686">Free Support</a></dt><dt>user identities, <a href="unixclients.html#id361279">Implementation</a></dt><dt>user logins, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>user management, <a href="secure.html#id332562">Implementation</a></dt><dt>User Manager, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>User Mode, <a href="secure.html#id332562">Implementation</a>, <a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a>, <a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>useradd, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339740">Configuration for Server: MASSIVE</a>, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>userdel, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>usermod, <a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>username, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>username map, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id339213">Server Preparation: All Servers</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>UTF-8, <a href="upgrades.html#id369962">International Language Support</a></dt><dt>utilities, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>utmp, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="2000users.html#id356432">Implementation</a></dt></dl></div><div class="indexdiv"><h3>V</h3><dl><dt>valid users, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a>, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>validate, <a href="ntmigration.html#id375074">Questions and Answers</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>validated, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id380108">Introduction</a></dt><dt>validation, <a href="simple.html#validate1">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>vampire, <a href="ntmigration.html#id375074">Questions and Answers</a></dt><dt>vendor, <a href="kerberos.html#id380704">Dissection and Discussion</a></dt><dt>vendors, <a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></dt><dt>veto files, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>veto oplock files, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a></dt><dt>VFS modules, <a href="appendix.html#id390543">Samba System File Location</a></dt><dt>virus, <a href="secure.html#id332562">Implementation</a></dt><dt>VPN, <a href="2000users.html#id355290">Assignment Tasks</a></dt><dt>vulnerabilities, <a href="kerberos.html#id380108">Introduction</a></dt></dl></div><div class="indexdiv"><h3>W</h3><dl><dt>wbinfo, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id386107">Samba Configuration</a></dt><dt>weakness, <a href="kerberos.html#id381076">Technical Issues</a></dt><dt>web</dt><dd><dl><dt>caching, <a href="DomApps.html#id385236">Assignment Tasks</a></dt><dt>proxying, <a href="DomApps.html#id385236">Assignment Tasks</a></dt></dl></dd><dt>Web</dt><dd><dl><dt>proxy, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dd><dl><dt>access, <a href="DomApps.html#id387274">Key Points Learned</a></dt></dl></dd></dl></dd><dt>Web browsers, <a href="DomApps.html#id387274">Key Points Learned</a></dt><dt>WebClient, <a href="happy.html">Making Happy Users</a></dt><dt>WHATSNEW.txt, <a href="upgrades.html#id370773">Samba-2.x with LDAP Support</a></dt><dt>white-pages, <a href="nw4migration.html#id376233">Technical Issues</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>wide-area, <a href="2000users.html#id355630">User Needs</a>, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id359591">Key Points Learned</a>, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>wide-area network, <a href="HA.html#id389105">Use and Location of BDCs</a>, <a href="HA.html#id389285">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></dt><dt>winbind, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#id360587">Dissection and Discussion</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id380108">Introduction</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="DomApps.html#id385351">Technical Issues</a>, <a href="DomApps.html#id386107">Samba Configuration</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>Winbind, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="kerberos.html#id381076">Technical Issues</a>, <a href="kerberos.html#id384506">Key Points Learned</a></dt><dt>winbind enum groups, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>winbind enum users, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>winbind nested groups, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>winbind separator, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>winbind trusted domains only, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>winbind use default domain, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="kerberos.html#id383030">Checkpoint Controls</a></dt><dt>winbind user default domain, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>winbindd, <a href="small.html#id330725">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id338303">Technical Issues</a>, <a href="unixclients.html#id360610">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id367744">Questions and Answers</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="upgrades.html#id371085">Updating from Samba Versions after 3.0.6 to a Current Release</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a>, <a href="DomApps.html#id386107">Samba Configuration</a>, <a href="DomApps.html#id387329">Questions and Answers</a>, <a href="appendix.html#id390934">Starting Samba</a></dt><dt>winbindd_cache.tdb, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>winbindd_idmap.tdb, <a href="unixclients.html#id360610">Technical Issues</a></dt><dt>Windows, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dd><dl><dt>client, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt><dt>NT, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a></dt></dl></dd><dt>Windows 2000 ACLs, <a href="kerberos.html#id383822">Managing Windows 200x ACLs</a></dt><dt>Windows 2003 Serve, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Windows 200x ACLs, <a href="kerberos.html#id384628">Questions and Answers</a></dt><dt>Windows accounts, <a href="happy.html#id344321">Technical Issues</a></dt><dt>Windows ACLs, <a href="kerberos.html#id384311">Setting Posix ACLs in UNIX/Linux</a></dt><dt>Windows Address Book, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>Windows ADS Domain, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>Windows clients, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>Windows Explorer, <a href="simple.html#validate1">Validation</a></dt><dt>Windows explorer, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>Windows security identifier (see SID)</dt><dt>Windows Servers, <a href="kerberos.html#id380108">Introduction</a></dt><dt>Windows Services for UNIX (see SUS)</dt><dt>Windows XP, <a href="small.html#id328778">Assignment Tasks</a></dt><dt>WINS, <a href="simple.html#id325119">Implementation</a>, <a href="small.html#id328873">Technical Issues</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#ch4wincfg">Windows Client Configuration</a>, <a href="Big500users.html#id338303">Technical Issues</a>, <a href="Big500users.html#ch5wincfg">Windows Client Configuration</a>, <a href="2000users.html#id355706">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="2000users.html#id359730">Questions and Answers</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dd><dl><dt>lookup, <a href="unixclients.html#id367744">Questions and Answers</a></dt><dt>name resolution, <a href="HA.html#id388556">Routed Networks</a></dt><dt>server, <a href="happy.html">Making Happy Users</a>, <a href="HA.html#id388556">Routed Networks</a></dt></dl></dd><dt>WINS server, <a href="Big500users.html">The 500-User Office</a>, <a href="2000users.html#id359730">Questions and Answers</a></dt><dt>wins server, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></dt><dt>WINS serving, <a href="secure.html#id332562">Implementation</a></dt><dt>wins support, <a href="simple.html#id325119">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id332562">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>wins.dat, <a href="2000users.html#id356003">Identity Management Needs</a>, <a href="upgrades.html#id371176">Replacing a Domain Member Server</a></dt><dt>Wireshark, <a href="primer.html#id393582">Requirements and Notes</a></dt><dt>wireshark, <a href="primer.html#id393876">Exercises</a></dt><dt>Word, <a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></dt><dt>workgroup, <a href="simple.html#id324238">Implementation</a>, <a href="simple.html#id325119">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id329077">Implementation</a>, <a href="secure.html#id333388">Samba Configuration</a>, <a href="Big500users.html#id338499">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id365733">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id366318">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id366884">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="upgrades.html#id368991">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id369719">Change of Workgroup (Domain) Name</a>, <a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a>, <a href="DomApps.html#id386629">NSS Configuration</a></dt><dt>Workgroup Announcement, <a href="primer.html#id394736">Findings</a></dt><dt>workstation, <a href="unixclients.html#id361279">Implementation</a></dt><dt>wrapper, <a href="DomApps.html#id387329">Questions and Answers</a></dt><dt>write list, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id356432">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="nw4migration.html#id376484">LDAP Server Configuration</a></dt><dt>write lock, <a href="appendix.html#id393440">Opportunistic Locking Controls</a></dt></dl></div><div class="indexdiv"><h3>X</h3><dl><dt>xinetd, <a href="secure.html#procstart">Process Startup Configuration</a></dt><dt>XML, <a href="2000users.html#id355347">Dissection and Discussion</a></dt><dt>xmlsam, <a href="2000users.html#id356432">Implementation</a></dt></dl></div><div class="indexdiv"><h3>Y</h3><dl><dt>YaST, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dt>Yellow Pages, <a href="2000users.html#id356003">Identity Management Needs</a></dt><dt>yellow pages (see NIS)</dt></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Glossary </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/kerberos.html b/docs/htmldocs/Samba3-ByExample/kerberos.html new file mode 100644 index 0000000000..1115974407 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/kerberos.html @@ -0,0 +1,826 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id380108">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id380691">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id380704">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id381076">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id382562">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id382896">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id383453">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id383822">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id384506">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id384628">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id380057"></a> + By this point in the book, you have been exposed to many Samba-3 features and capabilities. + More importantly, if you have implemented the examples given, you are well on your way to becoming + a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to + practice, you likely have thought of improvements and scenarios with which you can experiment. You + are rather well plugged in to the many flexible ways Samba can be used. + </p><p><a class="indexterm" name="id380072"></a> + This is a book about Samba-3. Understandably, its intent is to present it in a positive light. + The casual observer might conclude that this book is one-eyed about Samba. It is what + would you expect? This chapter exposes some criticisms that have been raised concerning + the use of Samba. For each criticism, there are good answers and appropriate solutions. + </p><p> + Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular + decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of + criticism develops with respect to Abmas. + </p><p><a class="indexterm" name="id380095"></a> + This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled + out of thin air. They were drawn from comments made by Samba users and from criticism during + discussions with Windows network administrators. The tone of the objections reflects as closely + as possible that of the original. The case presented is a straw-man example that is designed to + permit each objection to be answered as it might occur in real life. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380108"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id380115"></a><a class="indexterm" name="id380123"></a><a class="indexterm" name="id380131"></a><a class="indexterm" name="id380139"></a><a class="indexterm" name="id380146"></a> + Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took + note of the spectacular projection of Abmas onto the global business stage. Abmas is building an + interesting portfolio of companies that includes accounting services, financial advice, investment + portfolio management, property insurance, risk assessment, and the recent addition of a a video rental + business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an + interesting business growth and development plan. Abmas Video Rentals was recently acquired. + During the time that the acquisition was closing, the Video Rentals business upgraded its Windows + NT4-based network to Windows 2003 Server and Active Directory. + </p><p><a class="indexterm" name="id380164"></a> + You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory. + The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform. + Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to + operate with a solution that is viewed by Christine and her group as “<span class="quote">an island of broken + technologies.</span>” This comment was made by one of Christine's staff as they were installing a new + Samba-3 server at the new business. + </p><p><a class="indexterm" name="id380183"></a><a class="indexterm" name="id380191"></a> + Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer + should make such a comment. He felt that he had to prepare in case he might be criticized for his + decision to use Active Directory. He decided he would defend his decision by hiring the services + of an outside security systems consultant to report<sup>[<a name="id380203" href="#ftn.id380203">12</a>]</sup> on his unit's operations + and to investigate the role of Samba at his site. Here are key extracts from this hypothetical + report: + </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id380212"></a><a class="indexterm" name="id380219"></a><a class="indexterm" name="id380227"></a><a class="indexterm" name="id380235"></a> + ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site, + has been examined. We find no evidence to support a notion that vulnerabilities exist at your site. + ... we took additional steps to validate the integrity of the installation and operation of Active + Directory and are pleased that your staff are following sound practices. + </p><p> + ... + </p><p><a class="indexterm" name="id380253"></a><a class="indexterm" name="id380264"></a><a class="indexterm" name="id380276"></a><a class="indexterm" name="id380284"></a><a class="indexterm" name="id380291"></a><a class="indexterm" name="id380299"></a> + User and group accounts, and respective privileges, have been well thought out. File system shares are + appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and + effective off-site storage practices are considered to exceed industry norms. + </p><p><a class="indexterm" name="id380313"></a><a class="indexterm" name="id380321"></a><a class="indexterm" name="id380329"></a> + Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain + a secure network. + </p><p><a class="indexterm" name="id380344"></a><a class="indexterm" name="id380352"></a><a class="indexterm" name="id380360"></a><a class="indexterm" name="id380368"></a> + The recently installed Linux file and application server uses a tool called <code class="literal">winbind</code> + that is indiscriminate about security. All user accounts in Active Directory can be used to access data + stored on the Linux system. We are alarmed that secure information is accessible to staff who should + not even be aware that it exists. We share the concerns of your network management staff who have gone + to great lengths to set fine-grained controls that limit information access to those who need access. + It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work. + </p><p><a class="indexterm" name="id380394"></a><a class="indexterm" name="id380402"></a><a class="indexterm" name="id380409"></a> + Graham Judd [head of network administration] has locked down the security of all systems and is following + the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network + is isolated from the outside world, the [product name removed] firewall is under current contract + maintenance support from [the manufacturer]. ... our attempts to penetrate security of your systems + failed to find problems common to Windows networking sites. We commend your staff on their attention to + detail and for following Microsoft recommended best practices. + </p><p> + ... + </p><p><a class="indexterm" name="id380429"></a><a class="indexterm" name="id380437"></a><a class="indexterm" name="id380445"></a><a class="indexterm" name="id380453"></a> + Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of + all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft + ... what worries us regarding Samba is the need to disable essential Windows security features such as + secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in + mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that + Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that + with trusted computing initiatives that the Samba developers do not participate in. + </p><p><a class="indexterm" name="id380470"></a><a class="indexterm" name="id380478"></a><a class="indexterm" name="id380486"></a><a class="indexterm" name="id380493"></a><a class="indexterm" name="id380501"></a><a class="indexterm" name="id380509"></a><a class="indexterm" name="id380517"></a> + One wonders about the integrity of an open source program that is developed by a team of hackers + who cannot be held accountable for the flaws in their code. The sheer number of updates and bug + fixes they have released should ring alarm bells in any business. + </p><p><a class="indexterm" name="id380530"></a><a class="indexterm" name="id380538"></a><a class="indexterm" name="id380546"></a> + Another factor that should be considered is that buying Microsoft products and services helps to + provide employment in the IT industry. Samba and Open Source software place those jobs at risk. + </p></blockquote></div><p><a class="indexterm" name="id380559"></a><a class="indexterm" name="id380567"></a> + This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple + discussion, but it gets further out of hand. When you return to your office, you find the following + email in your in-box: + </p><p> + Good afternoon, + </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> + I apologize for the leak of internal discussions to the new business. It reflects poorly on our + professionalism and has put you in an unpleasant position. I regret the incident. + </p><p> + I also wish to advise that two of the recent recruits want to implement Kerberos authentication + across all systems. I concur with the desire to improve security. One of the new guys who is championing + the move to Kerberos was responsible for the comment that caused the embarrassment. + </p><p><a class="indexterm" name="id380597"></a><a class="indexterm" name="id380605"></a><a class="indexterm" name="id380613"></a><a class="indexterm" name="id380621"></a> + I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, + plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect + to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, + I would like to hire the services of a well-known Samba consultant to set the record straight. + </p><p><a class="indexterm" name="id380636"></a><a class="indexterm" name="id380644"></a><a class="indexterm" name="id380652"></a><a class="indexterm" name="id380659"></a><a class="indexterm" name="id380667"></a><a class="indexterm" name="id380675"></a> + I intend to use this report to answer the criticism raised and would like to establish a policy that we + will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered + out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain + responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce + use of any centrally proposed standards, but make all noncompliance the financial responsibility of the + out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone. + </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id380691"></a>Assignment Tasks</h3></div></div></div><p> + You agreed with Stan's recommendations and hired a consultant to help defuse the powder + keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able + to support his or her claims, keep emotions to the side, and answer technically. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380704"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id380711"></a><a class="indexterm" name="id380719"></a><a class="indexterm" name="id380727"></a><a class="indexterm" name="id380735"></a><a class="indexterm" name="id380743"></a><a class="indexterm" name="id380750"></a><a class="indexterm" name="id380758"></a> + Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to + make or reject. It is likely that your decision to use Samba can greatly benefit your company. + The Samba Team obviously believes that the Samba software is a worthy choice. + If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire + someone to help manage your Samba installation, you can create income and employment. Alternately, + money saved by not spending in the IT area can be spent elsewhere in the business. All money saved + or spent creates employment. + </p><p><a class="indexterm" name="id380775"></a><a class="indexterm" name="id380783"></a><a class="indexterm" name="id380791"></a><a class="indexterm" name="id380798"></a><a class="indexterm" name="id380806"></a> + In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted + purely to provide file and print service interoperability on platforms that otherwise cannot provide + access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to + effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an + alternative to the use of a Microsoft file and print serving platforms with no consideration of costs. + </p><p><a class="indexterm" name="id380822"></a><a class="indexterm" name="id380830"></a><a class="indexterm" name="id380838"></a><a class="indexterm" name="id380845"></a> + It would be foolish to adopt a technology that might put any data or users at risk. Security affects + everyone. The Samba-Team is fully cognizant of the responsibility they have to their users. + The Samba documentation clearly reveals that full responsibility is accepted to fix anything + that is broken. + </p><p><a class="indexterm" name="id380859"></a><a class="indexterm" name="id380867"></a><a class="indexterm" name="id380875"></a><a class="indexterm" name="id380882"></a><a class="indexterm" name="id380894"></a><a class="indexterm" name="id380902"></a><a class="indexterm" name="id380910"></a><a class="indexterm" name="id380918"></a><a class="indexterm" name="id380925"></a><a class="indexterm" name="id380933"></a><a class="indexterm" name="id380941"></a> + There is a mistaken perception in the IT industry that commercial software providers are fully + accountable for the defects in products. Open Source software comes with no warranty, so it is + often assumed that its use confers a higher degree of risk. Everyone should read commercial software + End User License Agreements (EULAs). You should determine what real warranty is offered and the + extent of liability that is accepted. Doing so soon dispels the popular notion that + commercial software vendors are willingly accountable for product defects. In many cases, the + commercial vendor accepts liability only to reimburse the price paid for the software. + </p><p><a class="indexterm" name="id380963"></a><a class="indexterm" name="id380971"></a><a class="indexterm" name="id380979"></a><a class="indexterm" name="id380987"></a><a class="indexterm" name="id380995"></a><a class="indexterm" name="id381003"></a> + The real issues that a consumer (like you) needs answered are What is the way of escape from technical + problems, and how long will it take? The average problem turnaround time in the Open Source community is + approximately 48 hours. What does the EULA offer? What is the track record in the commercial software + industry? What happens when your commercial vendor decides to cease providing support? + </p><p><a class="indexterm" name="id381017"></a><a class="indexterm" name="id381025"></a><a class="indexterm" name="id381033"></a><a class="indexterm" name="id381041"></a><a class="indexterm" name="id381049"></a><a class="indexterm" name="id381057"></a><a class="indexterm" name="id381064"></a> + Open Source software at least puts you in possession of the source code. This means that when + all else fails, you can hire a programmer to solve the problem. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381076"></a>Technical Issues</h3></div></div></div><p> + Each issue is now discussed and, where appropriate, example implementation steps are + provided. + </p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id381095"></a><a class="indexterm" name="id381103"></a><a class="indexterm" name="id381111"></a><a class="indexterm" name="id381122"></a><a class="indexterm" name="id381130"></a><a class="indexterm" name="id381138"></a><a class="indexterm" name="id381146"></a><a class="indexterm" name="id381154"></a><a class="indexterm" name="id381162"></a><a class="indexterm" name="id381170"></a> + Windows network administrators may be dismayed to find that <code class="literal">winbind</code> + exposes all domain users so that they may use their domain account credentials to + log on to a UNIX/Linux system. The fact that all users in the domain can see the + UNIX/Linux server in their Network Neighborhood and can browse the shares on the + server seems to excite them further. + </p><p><a class="indexterm" name="id381190"></a><a class="indexterm" name="id381198"></a><a class="indexterm" name="id381205"></a><a class="indexterm" name="id381213"></a> + <code class="literal">winbind</code> provides for the UNIX/Linux domain member server or + client, the same as one would obtain by adding a Microsoft Windows server or + client to the domain. The real objection is the fact that Samba is not MS Windows + and therefore requires handling a little differently from the familiar Windows systems. + One must recognize fear of the unknown. + </p><p><a class="indexterm" name="id381236"></a><a class="indexterm" name="id381244"></a><a class="indexterm" name="id381252"></a><a class="indexterm" name="id381260"></a><a class="indexterm" name="id381268"></a><a class="indexterm" name="id381279"></a> + Windows network administrators need to recognize that <code class="literal">winbind</code> does + not, and cannot, override account controls set using the Active Directory management + tools. The control is the same. Have no fear. + </p><p><a class="indexterm" name="id381298"></a><a class="indexterm" name="id381306"></a><a class="indexterm" name="id381317"></a><a class="indexterm" name="id381325"></a><a class="indexterm" name="id381333"></a><a class="indexterm" name="id381341"></a><a class="indexterm" name="id381348"></a><a class="indexterm" name="id381356"></a><a class="indexterm" name="id381364"></a><a class="indexterm" name="id381372"></a> + Where Samba and the ADS domain account information obtained through the use of + <code class="literal">winbind</code> permits access, by browsing or by the drive mapping to + a share, to data that should be better protected. This can only happen when security + controls have not been properly implemented. Samba permits access controls to be set + on: + </p><div class="itemizedlist"><ul type="disc"><li><p>Shares themselves (i.e., the logical share itself)</p></li><li><p>The share definition in <code class="filename">smb.conf</code></p></li><li><p>The shared directories and files using UNIX permissions</p></li><li><p>Using Windows 2000 ACLs if the file system is POSIX enabled</p></li></ul></div><p> + Examples of each are given in <a href="kerberos.html#ch10expl" title="Implementation">???</a>. + </p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id381441"></a><a class="indexterm" name="id381449"></a><a class="indexterm" name="id381460"></a><a class="indexterm" name="id381472"></a><a class="indexterm" name="id381479"></a><a class="indexterm" name="id381487"></a><a class="indexterm" name="id381495"></a><a class="indexterm" name="id381503"></a><a class="indexterm" name="id381511"></a> + User and group management facilities as known in the Windows ADS environment may be + used to provide equivalent access control constraints or to provide equivalent + permissions and privileges on Samba servers. Samba offers greater flexibility in the + use of user and group controls because it has additional layers of control compared to + Windows 200x/XP. For example, access controls on a Samba server may be set within + the share definition in a manner for which Windows has no equivalent. + </p><p><a class="indexterm" name="id381531"></a><a class="indexterm" name="id381539"></a><a class="indexterm" name="id381546"></a><a class="indexterm" name="id381554"></a><a class="indexterm" name="id381566"></a><a class="indexterm" name="id381574"></a><a class="indexterm" name="id381581"></a> + In any serious analysis of system security, it is important to examine the safeguards + that remain when all other protective measures fail. An administrator may inadvertently + set excessive permissions on the file system of a shared resource, or he may set excessive + privileges on the share itself. If that were to happen in a Windows 2003 Server environment, + the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is + possible to guard against that by enforcing controls on the share definition itself. You + see a practical example of this a little later in this chapter. + </p><p><a class="indexterm" name="id381598"></a><a class="indexterm" name="id381606"></a> + The report that is critical of Samba really ought to have exercised greater due + diligence: the real weakness is on the side of a Microsoft Windows environment. + </p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id381626"></a> + Samba is designed in such a manner that weaknesses inherent in the design of + Microsoft Windows networking ought not to expose the underlying UNIX/Linux file + system in any way. All software has potential defects, and Samba is no exception. + What matters more is how defects that are discovered get dealt with. + </p><p><a class="indexterm" name="id381640"></a><a class="indexterm" name="id381648"></a><a class="indexterm" name="id381656"></a><a class="indexterm" name="id381664"></a> + The Samba Team totally agrees with the necessity to observe and fully implement + every security facility to provide a level of protection and security that is necessary + and that the end user (or network administrator) needs. Never would the Samba Team + recommend a compromise to system security, nor would deliberate defoliation of + security be publicly condoned; yet this is the practice by many Windows network + administrators just to make happy users who have no notion of consequential risk. + </p><p><a class="indexterm" name="id381679"></a><a class="indexterm" name="id381687"></a><a class="indexterm" name="id381695"></a><a class="indexterm" name="id381703"></a><a class="indexterm" name="id381711"></a><a class="indexterm" name="id381719"></a><a class="indexterm" name="id381727"></a> + The report condemns Samba for releasing updates and security fixes, yet Microsoft + online updates need to be applied almost weekly. The answer to the criticism + lies in the fact that Samba development is continuing, documentation is improving, + user needs are being increasingly met or exceeded, and security updates are issued + with a short turnaround time. + </p><p><a class="indexterm" name="id381741"></a><a class="indexterm" name="id381749"></a><a class="indexterm" name="id381757"></a><a class="indexterm" name="id381765"></a><a class="indexterm" name="id381772"></a> + The release of Samba-4 is expected around late 2004 to early 2005 and involves a near + complete rewrite to permit extensive modularization and to prepare Samba for new + functionality planned for addition during the next-generation series. The Samba Team + is responsible and can be depended upon; the history to date suggests a high + degree of dependability and on charter development consistent with published + roadmap projections. + </p><p><a class="indexterm" name="id381791"></a><a class="indexterm" name="id381799"></a><a class="indexterm" name="id381810"></a><a class="indexterm" name="id381822"></a><a class="indexterm" name="id381829"></a><a class="indexterm" name="id381837"></a><a class="indexterm" name="id381845"></a> + Not well published is the fact that Microsoft was a foundation member of + the Common Internet File System (CIFS) initiative, together with the participation + of the network attached storage (NAS) industry. Unfortunately, for the past few years, + Microsoft has been absent from active involvement at CIFS conferences and has + not exercised the leadership expected of a major force in the networking technology + space. The Samba Team has maintained consistent presence and leadership at all + CIFS conferences and at the interoperability laboratories run concurrently with + them. + </p></dd><dt><span class="term">Cryptographic Controls (schannel, sign'n'seal)</span></dt><dd><p><a class="indexterm" name="id381869"></a><a class="indexterm" name="id381877"></a><a class="indexterm" name="id381885"></a> + The report correctly mentions that Samba did not support the most recent + <code class="constant">schannel</code> and <code class="constant">digital sign'n'seal</code> features + of Microsoft Windows NT/200x/XPPro products. This is one of the key features + of the Samba-3 release. Market research reports take so long to generate that they are + seldom a reflection of current practice, and in many respects reports are like a + pathology report they reflect accurately (at best) status at a snapshot in time. + Meanwhile, the world moves on. + </p><p><a class="indexterm" name="id381911"></a><a class="indexterm" name="id381918"></a><a class="indexterm" name="id381926"></a><a class="indexterm" name="id381934"></a><a class="indexterm" name="id381942"></a><a class="indexterm" name="id381956"></a><a class="indexterm" name="id381964"></a> + It should be pointed out that had clear public specifications for the protocols + been published, it would have been much easier to implement these features and would have + taken less time to do. The sole mechanism used to find an algorithm that is compatible + with the methods used by Microsoft has been based on observation of network traffic + and trial-and-error implementation of potential techniques. The real value of public + and defensible standards is obvious to all and would have enabled more secure networking + for everyone. + </p><p><a class="indexterm" name="id381980"></a><a class="indexterm" name="id381988"></a> + Critics of Samba often ignore fundamental problems that may plague (or may have plagued) + the users of Microsoft's products also. Those who are first to criticize Samba + for not rushing into release of <code class="constant">digital sign'n'seal</code> support + often dismiss the problems that Microsoft has + <a href="http://support.microsoft.com/default.aspx?kbid=321733" target="_top">acknowledged</a> + and for which a fix was provided. In fact, + <a href="http://www.tangent-systems.com/support/delayedwrite.html" target="_top">Tangent Systems</a> + have documented a significant problem with delays writes that can be connected with the + implementation of sign'n'seal. They provide a work-around that is not trivial for many + Windows networking sites. From notes such as this it is clear that there are benefits + from not rushing new technology out of the door too soon. + </p><p><a class="indexterm" name="id382021"></a><a class="indexterm" name="id382029"></a><a class="indexterm" name="id382037"></a><a class="indexterm" name="id382044"></a><a class="indexterm" name="id382052"></a><a class="indexterm" name="id382060"></a><a class="indexterm" name="id382068"></a><a class="indexterm" name="id382076"></a><a class="indexterm" name="id382084"></a> + One final comment is warranted. If companies want more secure networking protocols, + the most effective method by which this can be achieved is by users seeking + and working together to help define open and publicly refereed standards. The + development of closed source, proprietary methods that are developed in a + clandestine framework of secrecy, under claims of digital rights protection, does + not favor the diffusion of safe networking protocols and certainly does not + help the consumer to make a better choice. + </p></dd><dt><span class="term">Active Directory Replacement with Kerberos, LDAP, and Samba</span></dt><dd><p> + </p><div class="literallayout"><p> </p></div><p> + The Microsoft networking protocols extensively make use of remote procedure call (RPC) + technology. Active Directory is not a simple mixture of LDAP and Kerberos together + with file and print services, but rather is a complex, intertwined implementation + of them that uses RPCs that are not supported by any of these component technologies + and yet by which they are made to interoperate in ways that the components do not + support. + </p><p><a class="indexterm" name="id382166"></a><a class="indexterm" name="id382177"></a><a class="indexterm" name="id382185"></a><a class="indexterm" name="id382193"></a><a class="indexterm" name="id382201"></a> + In order to make the popular request for Samba to be an Active Directory Server a + reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls + that are not presently supported. The Samba Team has not been able to gain critical + overall support for all project maintainers to work together on the complex + challenge of developing and integrating the necessary technologies. Therefore, if + the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality + into the Samba project, this dream request cannot become a reality. + </p><p><a class="indexterm" name="id382217"></a><a class="indexterm" name="id382225"></a><a class="indexterm" name="id382233"></a><a class="indexterm" name="id382244"></a><a class="indexterm" name="id382251"></a> + At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the + Samba development roadmap. If it is not on the published roadmap, it cannot be delivered + anytime soon. Ergo, ADS server support is not a current goal for Samba development. + The Samba Team is most committed to permitting Samba to be a full ADS domain member + that is increasingly capable of being managed using Microsoft Windows MMC tools. + </p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id382267"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id382274"></a><a class="indexterm" name="id382282"></a><a class="indexterm" name="id382290"></a> + Kerberos is a network authentication protocol that provides secure authentication for + client-server applications by using secret-key cryptography. Firewalls are an insufficient + barrier mechanism in today's networking world; at best they only restrict incoming network + traffic but cannot prevent network traffic that comes from authorized locations from + performing unauthorized activities. + </p><p><a class="indexterm" name="id382304"></a><a class="indexterm" name="id382312"></a><a class="indexterm" name="id382320"></a> + Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses + strong cryptography so that a client can prove its identity to a server (and vice versa) across an + insecure network connection. After a client and server has used Kerberos to prove their identity, + they can also encrypt all of their communications to assure privacy and data integrity as they go + about their business. + </p><p><a class="indexterm" name="id382335"></a><a class="indexterm" name="id382343"></a><a class="indexterm" name="id382350"></a><a class="indexterm" name="id382358"></a><a class="indexterm" name="id382370"></a> + Kerberos is a trusted third-party service. That means that there is a third party (the kerberos + server) that is trusted by all the entities on the network (users and services, usually called + principals). All principals share a secret password (or key) with the kerberos server and this + enables principals to verify that the messages from the kerberos server are authentic. Therefore, + trusting the kerberos server, users and services can authenticate each other. + </p><p> + <a class="indexterm" name="id382386"></a> + <a class="indexterm" name="id382393"></a> + <a class="indexterm" name="id382400"></a> + Kerberos was, until recently, a technology that was restricted from being exported from the United States. + For many years that hindered global adoption of more secure networking technologies both within the United States + and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe + and is available from the <a href="http://www.pdc.kth.se/heimdal/" target="_top">Royal Institute</a> of + Technology (KTH), Sweden. It is known as the Heimdal Kerberos project. In recent times the U.S. government + has removed sanctions affecting the global distribution of MIT Kerberos. It is likely that there will be a + significant surge forward in the development of Kerberos-enabled applications and in the general deployment + and use of Kerberos across the spectrum of the information technology industry. + </p><p> + <a class="indexterm" name="id382422"></a> + A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation + of it. For example, a 2002 + <a href="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument" target="_top">IDG</a> + report<sup>[<a name="id382439" href="#ftn.id382439">13</a>]</sup> by + states: + </p><div class="blockquote"><blockquote class="blockquote"><p> + A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to + great lengths to disclose interfaces and protocols that allow third-party software products to interact + with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's + use of the Kerberos authentication specification, not everyone agrees. + </p><p> + <a class="indexterm" name="id382460"></a> + Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared + before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version + 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with + the Microsoft OS. Microsoft takes advantage of unspecified fields in the Kerberos specification for storing + Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so + that software developers could add their own authorization information, he said. + </p></blockquote></div><p> + <a class="indexterm" name="id382478"></a> + <a class="indexterm" name="id382485"></a> + It so happens that Microsoft Windows clients depend on and expect the contents of the <span class="emphasis"><em>unspecified + fields</em></span> in the Kerberos 5 communications data stream for their Windows interoperability, + particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability + issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional, + there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment + (DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by + Microsoft. + </p><p> + Microsoft makes the following comment in a reference in a + <a href="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp" target="_top"> + technet</a> article: + </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id382518"></a><a class="indexterm" name="id382529"></a> + The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC + representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos + tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership. + The DCE PAC is used in a similar manner as Windows NT Security IDs for user authorization and access control. + Windows NT services will not be able to translate DCE PACs into Windows NT user and group identifiers. This + is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and + Windows NT access control information. + </p></blockquote></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch10expl"></a>Implementation</h2></div></div></div><p> + The following procedures outline the implementation of the security measures discussed so far. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id382562"></a>Share Access Controls</h3></div></div></div><p><a class="indexterm" name="id382568"></a><a class="indexterm" name="id382576"></a><a class="indexterm" name="id382584"></a> + Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as + Windows XP Pro) attempts to make a connection to the Samba server. + </p><div class="procedure"><a name="id382596"></a><p class="title"><b>Procedure 11.1. Create/Edit/Delete Share ACLs</b></p><ol type="1"><li><p><a class="indexterm" name="id382606"></a><a class="indexterm" name="id382614"></a> + From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator + account (on Samba domains, this is usually the account called <code class="constant">root</code>). + </p></li><li><p> + Click + <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Control Panel</span> → <span class="guimenuitem">Administrative Tools</span> → <span class="guimenuitem">Computer Management</span>. + </p></li><li><p> + In the left panel, + <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> → <span class="guimenuitem">Connect to another computer ...</span> → <span class="guimenuitem">Browse...</span> → <span class="guimenuitem">Advanced</span> → <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to + administer. Click <span class="guimenu">OK</span> → <span class="guimenuitem">OK</span> → <span class="guimenuitem">OK</span>.<a class="indexterm" name="id382733"></a> + In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect + the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>, + the Computer Management entry should now say <span class="guimenu">Computer Management (FRODO)</span>. + </p></li><li><p> + In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> → <span class="guimenuitem">[+] Shared Folders</span> → <span class="guimenuitem">Shares</span>. + </p></li><li><p><a class="indexterm" name="id382795"></a><a class="indexterm" name="id382803"></a> + In the right panel, double-click on the share on which you wish to set/edit ACLs. This + will bring up the Properties panel. Click the <span class="guimenu">Share Permissions</span> tab. + </p></li><li><p><a class="indexterm" name="id382825"></a><a class="indexterm" name="id382833"></a><a class="indexterm" name="id382840"></a><a class="indexterm" name="id382848"></a><a class="indexterm" name="id382856"></a><a class="indexterm" name="id382864"></a> + You may now edit/add/remove access control settings. Be very careful. Many problems have been + created by people who decided that everyone should be rejected but one particular group should + have full control. This is a catch-22 situation because members of that particular group also + belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions + set for the permitted group. + </p></li><li><p> + When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> + buttons. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id382896"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id382903"></a><a class="indexterm" name="id382914"></a><a class="indexterm" name="id382922"></a><a class="indexterm" name="id382930"></a><a class="indexterm" name="id382938"></a><a class="indexterm" name="id382946"></a> + Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a + checkpoint can be used to require someone who wants to get through to meet certain requirements, so + it is possible to require the user (or group the user belongs to) to meet specified credential-related + objectives. It can be likened to a pile-driver by overriding default controls in that having met the + credential-related objectives, the user can be granted powers and privileges that would not normally be + available under default settings. + </p><p><a class="indexterm" name="id382962"></a><a class="indexterm" name="id382970"></a><a class="indexterm" name="id382978"></a><a class="indexterm" name="id382986"></a> + It must be emphasized that the controls discussed here can act as a filter or give rights of passage + that act as a superstructure over normal directory and file access controls. However, share-level + ACLs act at a higher level than do share definition controls because the user must filter through the + share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented + by Samba and Windows networking consists of: + </p><div class="orderedlist"><ol type="1"><li><p>Share-level ACLs</p></li><li><p>Share-definition controls</p></li><li><p>Directory and file permissions</p></li><li><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id383030"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id383036"></a> + Consider the following extract from a <code class="filename">smb.conf</code> file defining the share called <code class="constant">Apps</code>: +</p><pre class="screen"> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + valid users = @Employees +</pre><p> + This definition permits only those who are members of the group called <code class="constant">Employees</code> to + access the share. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id383070"></a><a class="indexterm" name="id383081"></a><a class="indexterm" name="id383089"></a><a class="indexterm" name="id383097"></a><a class="indexterm" name="id383105"></a> + On domain member servers and clients, even when the <em class="parameter"><code>winbind use default domain</code></em> has + been specified, the use of domain accounts in security controls requires fully qualified domain specification, + for example, <a class="indexterm" name="id383121"></a>valid users = @"MEGANET\Northern Engineers". + Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a + delimiter. + </p></div><p><a class="indexterm" name="id383132"></a><a class="indexterm" name="id383139"></a><a class="indexterm" name="id383147"></a> + If there is an ACL on the share itself to permit read/write access for all <code class="constant">Employees</code> + as well as read/write for the group <code class="constant">Doctors</code>, both groups are permitted through + to the share. However, at the moment an attempt is made to set up a connection to the share, a member of + the group <code class="constant">Doctors</code>, who is not also a member of the group <code class="constant">Employees</code>, + would immediately fail to validate. + </p><p><a class="indexterm" name="id383176"></a> + Consider another example. In this case, you want to permit all members of the group <code class="constant">Employees</code> + except the user <code class="constant">patrickj</code> to access the <code class="constant">Apps</code> share. This can be + easily achieved by setting a share-level ACL permitting only <code class="constant">Employees</code> to access the share, + and then in the share definition controls excluding just <code class="constant">patrickj</code>. Here is how that might + be done: +</p><pre class="screen"> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + invalid users = patrickj +</pre><p> + <a class="indexterm" name="id383212"></a> + Let us assume that you want to permit the user <code class="constant">gbshaw</code> to manage any file in the + UNIX/Linux file system directory <code class="filename">/data/apps</code>, but you do not want to grant any write + permissions beyond that directory tree. Here is one way this can be done: +</p><pre class="screen"> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + invalid users = patrickj + admin users = gbshaw +</pre><p> + <a class="indexterm" name="id383240"></a> + Now we have a set of controls that permits only <code class="constant">Employees</code> who are also members of + the group <code class="constant">Doctors</code>, excluding the user <code class="constant">patrickj</code>, to have + read-only privilege, but the user <code class="constant">gbshaw</code> is granted administrative rights. + The administrative rights conferred upon the user <code class="constant">gbshaw</code> permit operation as + if that user has logged in as the user <code class="constant">root</code> on the UNIX/Linux system and thus, + for access to the directory tree that has been shared (exported), permit the user to override controls + that apply to all other users on that resource. + </p><p> + There are additional checkpoint controls that may be used. For example, if for the same share we now + want to provide the user <code class="constant">peters</code> with the ability to write to one directory to + which he has write privilege in the UNIX file system, you can specifically permit that with the + following settings: +</p><pre class="screen"> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + invalid users = patrickj + admin users = gbshaw + write list = peters +</pre><p> + <a class="indexterm" name="id383291"></a> + This is a particularly complex example at this point, but it begins to demonstrate the possibilities. + You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding + the checkpoint controls that Samba implements. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id383310"></a>Override Controls</h4></div></div></div><p><a class="indexterm" name="id383317"></a> + Override controls implemented by Samba permit actions like the adoption of a different identity + during file system operations, the forced overwriting of normal file and directory permissions, + and so on. You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding + the override controls that Samba implements. + </p><p> + In the following example, you want to create a Windows networking share that any user can access. + However, you want all read and write operations to be performed as if the user <code class="constant">billc</code> + and member of the group <code class="constant">Mentors</code> read/write the files. Here is one way this + can be done: +</p><pre class="screen"> +[someshare] + comment = Some Files Everyone May Overwrite + path = /data/somestuff + read only = No + force user = billc + force group = Mentors +</pre><p> + <a class="indexterm" name="id383354"></a><a class="indexterm" name="id383362"></a> + That is all there is to it. Well, it is almost that simple. The downside of this method is that + users are logged onto the Windows client as themselves, and then immediately before accessing the + file, Samba makes system calls to change the effective user and group to the forced settings + specified, completes the file transaction, and then reverts to the actually logged-on identity. + This imposes significant overhead on Samba. The alternative way to effectively achieve the same result + (but with lower system CPU overheads) is described next. + </p><p><a class="indexterm" name="id383378"></a><a class="indexterm" name="id383386"></a><a class="indexterm" name="id383393"></a><a class="indexterm" name="id383405"></a><a class="indexterm" name="id383413"></a> + The use of the <em class="parameter"><code>force user</code></em> or the <em class="parameter"><code>force group</code></em> may + also have a severe impact on system (particularly on Windows client) performance. If opportunistic + locking is enabled on the share (the default), it causes an <code class="constant">oplock break</code> to be + sent to the client even if the client has not opened the file. On networks that have high traffic + density, or on links that are routed to a remote network segment, <code class="constant">oplock breaks</code> + can be lost. This results in possible retransmission of the request, or the client may time-out while + waiting for the file system transaction (read or write) to complete. The result can be a profound + apparent performance degradation as the client continually attempts to reconnect to overcome the + effect of the lost <code class="constant">oplock break</code>, or time-out. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383453"></a>Share Point Directory and File Permissions</h3></div></div></div><p><a class="indexterm" name="id383460"></a><a class="indexterm" name="id383468"></a><a class="indexterm" name="id383476"></a><a class="indexterm" name="id383484"></a> + Samba has been designed and implemented so that it respects as far as is feasible the security and + user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing + with respect to file system access that violates file system permission settings, unless it is + explicitly instructed to do otherwise through share definition controls. Given that Samba obeys + UNIX file system controls, this chapter does not document simple information that can be obtained + from a basic UNIX training guide. Instead, one common example of a typical problem is used + to demonstrate the most effective solution referred to in the immediately preceding paragraph. + </p><p><a class="indexterm" name="id383501"></a><a class="indexterm" name="id383509"></a><a class="indexterm" name="id383516"></a> + One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of + Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence: + </p><div class="orderedlist"><ol type="1"><li><p> + A user opens a Work document from a network drive. The file was owned by user <code class="constant">janetp</code> + and [users], and was set read/write-enabled for everyone. + </p></li><li><p> + File changes and edits are made. + </p></li><li><p> + The file is saved, and MS Word is closed. + </p></li><li><p> + The file is now owned by the user <code class="constant">billc</code> and group <code class="constant">doctors</code>, + and is set read/write by <code class="constant">billc</code>, read-only by <code class="constant">doctors</code>, and + no access by everyone. + </p></li><li><p> + The original owner cannot now access her own file and is “<span class="quote">justifiably</span>” upset. + </p></li></ol></div><p> + There have been many postings over the years that report the same basic problem. Frequently Samba users + want to know when this “<span class="quote">bug</span>” will be fixed. The fact is, this is not a bug in Samba at all. + Here is the real sequence of what happens in this case. + </p><p><a class="indexterm" name="id383601"></a><a class="indexterm" name="id383609"></a><a class="indexterm" name="id383617"></a> + When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned + by the user who creates the file (<code class="constant">billc</code>) and has the permissions that follow + that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing + the file to disk, it then renames the new (temporary) file to the name of the old one. MS Word does not + change the ownership or permissions to what they were on the original file. The file is thus a totally + new file, and the old one has been deleted in the process. + </p><p> + Samba received a request to create a new file, and then to rename the file to a new name. The old file that + has the same name is now automatically deleted. Samba has no way of knowing that the new file should + perhaps have the same ownership and permissions as the old file. To Samba, these are entirely independent + operations. + </p><p> + The question is, “<span class="quote">How can we solve the problem?</span>” + </p><p> + The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these + simple steps to create a share in which all files will consistently be owned by the same user and the + same group: + </p><div class="procedure"><a name="id383654"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p> + Change your share definition so that it matches this pattern: +</p><pre class="screen"> +[finance] + path = /usr/data/finance + browseable = Yes + read only = No +</pre><p> + </p></li><li><p><a class="indexterm" name="id383678"></a><a class="indexterm" name="id383689"></a> + Set consistent user and group permissions recursively down the directory tree as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> chown -R janetp.users /usr/data/finance +</pre><p> + </p></li><li><p><a class="indexterm" name="id383719"></a> + Set the files and directory permissions to be read/write for owner and group, and not accessible + to others (everyone), using the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod ug+rwx,o-rwx /usr/data/finance +</pre><p> + </p></li><li><p><a class="indexterm" name="id383747"></a> + Set the SGID (supergroup) bit on all directories from the top down. This means all files + can be created with the permissions of the group set on the directory. It means all users + who are members of the group <code class="constant">finance</code> can read and write all files in + the directory. The directory is not readable or writable by anyone who is not in the + <code class="constant">finance</code> group. Simply follow this example: +</p><pre class="screen"> +<code class="prompt">root# </code> find /usr/data/finance -type d -exec chmod ug+s {}\; +</pre><p> + + </p></li><li><p><a class="indexterm" name="id383784"></a><a class="indexterm" name="id383791"></a><a class="indexterm" name="id383799"></a> + Make sure all users that must have read/write access to the directory have + <code class="constant">finance</code> group membership as their primary group, + for example, the group they belong to in <code class="filename">/etc/passwd</code>. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383822"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id383829"></a><a class="indexterm" name="id383837"></a><a class="indexterm" name="id383845"></a><a class="indexterm" name="id383853"></a> + Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because + there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means + that some transactions are not possible from MS Windows clients. One of these is to reset the ownership + of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login. + </p><p> + There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation, + either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id383872"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p> + From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator + account (on Samba domains, this is usually the account called <code class="constant">root</code>). + </p></li><li><p> + Click + <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Control Panel</span> → <span class="guimenuitem">Administrative Tools</span> → <span class="guimenuitem">Computer Management</span>. + </p></li><li><p> + In the left panel, + <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> → <span class="guimenuitem">Connect to another computer ...</span> → <span class="guimenuitem">Browse...</span> → <span class="guimenuitem">Advanced</span> → <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to + administer. Click <span class="guimenu">OK</span> → <span class="guimenuitem">OK</span> → <span class="guimenuitem">OK</span>. + In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect + the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>, + the Computer Management entry should now say: <span class="guimenu">Computer Management (FRODO)</span>. + </p></li><li><p> + In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> → <span class="guimenuitem">[+] Shared Folders</span> → <span class="guimenuitem">Shares</span>. + </p></li><li><p><a class="indexterm" name="id384048"></a><a class="indexterm" name="id384056"></a><a class="indexterm" name="id384064"></a><a class="indexterm" name="id384072"></a> + In the right panel, double-click on the share on which you wish to set/edit ACLs. This + brings up the Properties panel. Click the <span class="guimenu">Security</span> tab. It is best + to edit ACLs using the <code class="constant">Advanced</code> editing features. Click the + <span class="guimenu">Advanced</span> button. This opens a panel that has four tabs. Only the + functionality under the <code class="constant">Permissions</code> tab can be utilized with respect + to a Samba domain server. + </p></li><li><p><a class="indexterm" name="id384108"></a><a class="indexterm" name="id384116"></a> + You may now edit/add/remove access control settings. Be very careful. Many problems have been + created by people who decided that everyone should be rejected but one particular group should + have full control. This is a catch-22 situation because members of that particular group also + belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions + set for the permitted group. + </p></li><li><p> + When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> + buttons until the last panel closes. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id384149"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p> + The following alternative method may be used from a Windows workstation. In this example we work + with a domain called <code class="constant">MEGANET</code>, a server called <code class="constant">MASSIVE</code>, and a + share called <code class="constant">Apps</code>. The underlying UNIX/Linux share point for this share is + <code class="filename">/data/apps</code>. + </p><div class="procedure"><ol type="1"><li><p> + Click <span class="guimenu">Start</span> → <span class="guimenuitem">[right-click] My Computer</span> → <span class="guimenuitem">Explore</span> → <span class="guimenuitem">[left panel] [+] My Network Places</span> → <span class="guimenuitem">[+] Entire Network</span> → <span class="guimenuitem">[+] Microsoft Windows Network</span> → <span class="guimenuitem">[+] Meganet</span> → <span class="guimenuitem">[+] Massive</span> → <span class="guimenuitem">[right-click] Apps</span> → <span class="guimenuitem">Properties</span> → <span class="guimenuitem">Security</span> → <span class="guimenuitem">Advanced</span>. This opens a panel that has four tabs. Only the functionality under the + <code class="constant">Permissions</code> tab can be utilized for a Samba domain server. + </p></li><li><p><a class="indexterm" name="id384269"></a><a class="indexterm" name="id384277"></a> + You may now edit/add/remove access control settings. Be very careful. Many problems have been + created by people who decided that everyone should be rejected but one particular group should + have full control. This is a catch-22 situation because members of that particular group also + belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions + set for the permitted group. + </p></li><li><p> + When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> + buttons until the last panel closes. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id384311"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id384317"></a><a class="indexterm" name="id384325"></a> + Yet another alternative method for setting desired security settings on the shared resource files and + directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line + tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9 + Linux system: + </p><div class="procedure"><ol type="1"><li><p> + Log into the Linux system as the user <code class="constant">root</code>. + </p></li><li><p> + Change directory to the location of the exported (shared) Windows file share (Apps), which is in + the directory <code class="filename">/data</code>. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /data +</pre><p> + Retrieve the existing POSIX ACLs entry by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> getfacl apps +# file: apps +# owner: root +# group: root +user::rwx +group::rwx +other::r-x +</pre><p> + </p></li><li><p><a class="indexterm" name="id384394"></a> + You want to add permission for <code class="constant">AppsMgrs</code> to enable them to + manage the applications (apps) share. It is important to set the ACL recursively + so that the AppsMgrs have this capability throughout the directory tree that is + being shared. This is done using the <code class="constant">-R</code> option as shown. + Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> setfacl -m -R group:AppsMgrs:rwx /data/apps +</pre><p> + Because setting an ACL does not provide a response, you immediately validate the command executed + as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> getfacl /data/apps +# file: apps +# owner: root +# group: root +user::rwx +group::rwx +group:AppsMgrs:rwx +mask::rwx +other::r-x +</pre><p> + This confirms that the change of POSIX ACL permissions has been effective. + </p></li><li><p><a class="indexterm" name="id384444"></a><a class="indexterm" name="id384451"></a><a class="indexterm" name="id384459"></a><a class="indexterm" name="id384467"></a><a class="indexterm" name="id384475"></a> + It is highly recommended that you read the online manual page for the <code class="literal">setfacl</code> + and <code class="literal">getfacl</code> commands. This provides information regarding how to set/read the default + ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent + of setting <code class="constant">inheritance</code> properties. + </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id384506"></a>Key Points Learned</h3></div></div></div><p> + The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. + Looking back, this chapter could be broken into two, but it's too late now. It has been done. + The highlights covered are as follows: + </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id384522"></a><a class="indexterm" name="id384529"></a><a class="indexterm" name="id384537"></a><a class="indexterm" name="id384545"></a> + Winbind honors and does not override account controls set in Active Directory. + This means that password change, logon hours, and so on, are (or soon will be) enforced + by Samba winbind. At this time, an out-of-hours login is denied and password + change is enforced. At this time, if logon hours expire, the user is not forcibly + logged off. That may be implemented at some later date. + </p></li><li><p><a class="indexterm" name="id384561"></a><a class="indexterm" name="id384569"></a> + Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential + problems acknowledged by Microsoft as having been fixed but reported by some as still + possibly an open issue. + </p></li><li><p><a class="indexterm" name="id384583"></a><a class="indexterm" name="id384590"></a><a class="indexterm" name="id384598"></a><a class="indexterm" name="id384606"></a> + The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft + Active Directory. The possibility to do this is not planned in the current Samba-3 + roadmap. Samba-3 does aim to provide further improvements in interoperability so that + UNIX/Linux systems may be fully integrated into Active Directory domains. + </p></li><li><p> + This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of + the four key methodologies was reviewed with specific reference to example deployment + techniques. + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384628"></a>Questions and Answers</h2></div></div></div><p> + </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id384644"> + Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? + </a></dt><dt> <a href="kerberos.html#id384712"> + Does Samba-3 support Active Directory? + </a></dt><dt> <a href="kerberos.html#id384740"> + When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was + necessary with Samba-2? + </a></dt><dt> <a href="kerberos.html#id384775"> + Is it safe to set share-level access controls in Samba? + </a></dt><dt> <a href="kerberos.html#id384802"> + Is it mandatory to set share ACLs to get a secure Samba-3 server? + </a></dt><dt> <a href="kerberos.html#id384874"> + The valid users did not work on the [homes]. + Has this functionality been restored yet? + </a></dt><dt> <a href="kerberos.html#id384933"> + Is the bias against use of the force user and force group + really warranted? + </a></dt><dt> <a href="kerberos.html#id384994"> + The example given for file and directory access control forces all files to be owned by one + particular user. I do not like that. Is there any way I can see who created the file? + </a></dt><dt> <a href="kerberos.html#id385038"> + In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use + of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why + have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? + </a></dt><dt> <a href="kerberos.html#id385098"> + I tried to set valid users = @Engineers, but it does not work. My Samba + server is an Active Directory domain member server. Has this been fixed now? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id384644"></a><a name="id384646"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id384649"></a><a class="indexterm" name="id384657"></a> + Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id384676"></a><a class="indexterm" name="id384683"></a><a class="indexterm" name="id384691"></a> + No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code> + operation. The registry change should not be applied when Samba-3 is used as a domain controller. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id384712"></a><a name="id384714"></a></td><td align="left" valign="top"><p> + Does Samba-3 support Active Directory? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id384724"></a> + Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not + provide Active Directory services. It cannot be used to replace a Microsoft Active Directory + server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, + and it can function as an Active Directory domain member server. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id384740"></a><a name="id384742"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id384745"></a> + When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was + necessary with Samba-2? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id384760"></a> + No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x + Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, + because Samba-3 can join a native Windows 2003 Server ADS domain. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id384775"></a><a name="id384777"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id384780"></a> + Is it safe to set share-level access controls in Samba? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes. Share-level access controls have been supported since early versions of Samba-2. This is + very mature technology. Not enough sites make use of this powerful capability, neither on + Windows server or with Samba servers. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id384802"></a><a name="id384804"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id384807"></a> + Is it mandatory to set share ACLs to get a secure Samba-3 server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id384822"></a><a class="indexterm" name="id384830"></a><a class="indexterm" name="id384838"></a><a class="indexterm" name="id384846"></a><a class="indexterm" name="id384853"></a> + No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides + means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional + support for share-level ACLs is like frosting on the cake. It adds to security but is not essential + to it. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id384874"></a><a name="id384876"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id384879"></a> + The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>. + Has this functionality been restored yet? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id384906"></a> + Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard + on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is: + <a class="indexterm" name="id384922"></a>valid users = %S. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id384933"></a><a name="id384935"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id384938"></a><a class="indexterm" name="id384946"></a><a class="indexterm" name="id384954"></a> + Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em> + really warranted? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id384980"></a> + There is no bias. There is a determination to recommend the right tool for the task at hand. + After all, it is better than putting users through performance problems, isn't it? + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id384994"></a><a name="id384996"></a></td><td align="left" valign="top"><p> + The example given for file and directory access control forces all files to be owned by one + particular user. I do not like that. Is there any way I can see who created the file? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id385008"></a> + Sure. You do not have to set the SUID bit on the directory. Simply execute the following command + to permit file ownership to be retained by the user who created it: +</p><pre class="screen"> +<code class="prompt">root# </code> find /usr/data/finance -type d -exec chmod g+s {}\; +</pre><p> + Note that this required no more than removing the <code class="constant">u</code> argument so that the + SUID bit is not set for the owner. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id385038"></a><a name="id385040"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id385043"></a> + In the book, “<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>”, you recommended use + of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why + have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id385069"></a><a class="indexterm" name="id385076"></a> + Either tool can be used with equal effect. There is no benefit of one over the other, except that + the MMC utility is present on all Windows 200x/XP systems and does not require additional software + to be downloaded and installed. Note that if you want to manage user and group accounts in your + Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which + is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id385098"></a><a name="id385100"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id385104"></a><a class="indexterm" name="id385111"></a><a class="indexterm" name="id385119"></a> + I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba + server is an Active Directory domain member server. Has this been fixed now? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The use of this parameter has always required the full specification of the domain account, for + example, <em class="parameter"><code>valid users = @"MEGANET2\Domain Admins"</code></em>. + </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id382439" href="#id382439">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Integrating Additional Services</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/ntmigration.html b/docs/htmldocs/Samba3-ByExample/ntmigration.html new file mode 100644 index 0000000000..f43933d7e2 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/ntmigration.html @@ -0,0 +1,1128 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Migrating NT4 Domain to Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="upgrades.html" title="Chapter 8. Updating Samba-3"><link rel="next" href="nw4migration.html" title="Chapter 10. Migrating NetWare Server to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Migrating NT4 Domain to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrades.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="nw4migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ntmigration"></a>Chapter 9. Migrating NT4 Domain to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ntmigration.html#id371689">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id371765">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id371815">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id371970">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id372273">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id372293">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id372418">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id374706">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id375038">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id375074">Questions and Answers</a></span></dt></dl></div><p> + Ever since Microsoft announced that it was discontinuing support for Windows + NT4, Samba users started to ask for detailed instructions on how to migrate + from NT4 to Samba-3. This chapter provides background information that should + meet these needs. + </p><p> + One wonders how many NT4 systems will be left in service by the time you read this + book though. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id371689"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id371695"></a> + Network administrators who want to migrate off a Windows NT4 environment know + one thing with certainty. They feel that NT4 has been abandoned, and they want + to update. The desire to get off NT4 and to not adopt Windows 200x and Active + Directory is driven by a mixture of concerns over complexity, cost, fear of + failure, and much more. + </p><p> + <a class="indexterm" name="id371710"></a> + <a class="indexterm" name="id371717"></a> + <a class="indexterm" name="id371726"></a> + <a class="indexterm" name="id371736"></a> + The migration from NT4 to Samba-3 can involve a number of factors, including + migration of data to another server, migration of network environment controls + such as group policies, and migration of the users, groups, and machine + accounts. + </p><p> + <a class="indexterm" name="id371750"></a> + It should be pointed out now that it is possible to migrate some systems from + a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly + not possible in every case. It is possible to just migrate the domain accounts + to Samba-3 and then to switch machines, but as a hands-off transition, this is more + the exception than the rule. Most systems require some tweaking after + migration before an environment that is acceptable for immediate use + is obtained. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id371765"></a>Assignment Tasks</h3></div></div></div><p> + <a class="indexterm" name="id371772"></a> + <a class="indexterm" name="id371779"></a> + <a class="indexterm" name="id371786"></a> + You are about to migrate an MS Windows NT4 domain accounts database to + a Samba-3 server. The Samba-3 server is using a + <em class="parameter"><code>passdb backend</code></em> based on LDAP. The + <code class="constant">ldapsam</code> is ideal because an LDAP backend can be distributed + for use with BDCs generally essential for larger networks. + </p><p> + Your objective is to document the process of migrating user and group accounts + from several NT4 domains into a single Samba-3 LDAP backend database. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id371815"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id371823"></a> + <a class="indexterm" name="id371830"></a> + <a class="indexterm" name="id371836"></a> + <a class="indexterm" name="id371848"></a> + <a class="indexterm" name="id371859"></a> + <a class="indexterm" name="id371866"></a> + The migration process takes a snapshot of information that is stored in the + Windows NT4 registry-based accounts database. That information resides in + the Security Account Manager (SAM) portion of the NT4 registry under keys called + <code class="constant">SAM</code> and <code class="constant">SECURITY</code>. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + <a class="indexterm" name="id371888"></a> + <a class="indexterm" name="id371895"></a> + The Windows NT4 registry keys called <code class="constant">SAM</code> and <code class="constant">SECURITY</code> + are protected so that you cannot view the contents. If you change the security setting + to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not + do this unless you are willing to render your domain controller inoperative. + </p></div><p> + <a class="indexterm" name="id371915"></a> + <a class="indexterm" name="id371924"></a> + Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are. + While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server, + that may not be a good idea from an administration perspective. Since the process involves going + through a certain amount of disruptive activity anyhow, why not take this opportunity to + review the structure of the network, how Windows clients are controlled and how they + interact with the network environment. + </p><p> + <a class="indexterm" name="id371938"></a> + <a class="indexterm" name="id371948"></a> + <a class="indexterm" name="id371954"></a> + MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed + have done little to keep the NT4 server environment up to date with more recent Windows releases, + particularly Windows XP Professional. The migration provides opportunity to revise and update + roaming profile deployment as well as folder redirection. Given that you must port the + greater network configuration of this from the old NT4 server to the new Samba-3 server. + Do not forget to validate the security descriptors in the profiles share as well as network logon + scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this + as a good time to update desktop systems also. In all, the extra effort should constitute no + real disruption to users, but rather, with due diligence and care, should make their network experience + a much happier one. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id371970"></a>Technical Issues</h3></div></div></div><p> + <a class="indexterm" name="id371978"></a> + <a class="indexterm" name="id371984"></a> + Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic + element. Many sites have asked for instructions regarding merging of multiple NT4 + domains into one Samba-3 LDAP database. It seems that this is viewed as a significant + added value compared with the alternative of migration to Windows Server 200x and Active + Directory. The diagram in <a href="ntmigration.html#ch8-migration" title="Figure 9.1. Schematic Explaining the net rpc vampire Process">???</a> illustrates the effect of migration + from a Windows NT4 domain to a Samba domain. + </p><div class="figure"><a name="ch8-migration"></a><p class="title"><b>Figure 9.1. Schematic Explaining the <code class="literal">net rpc vampire</code> Process</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch8-migration.png" width="297" alt="Schematic Explaining the net rpc vampire Process"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id372052"></a> + <a class="indexterm" name="id372059"></a> + If you want to merge multiple NT4 domain account databases into one Samba domain, + you must now dump the contents of the first migration and edit it as appropriate. Now clean + out (remove) the tdbsam backend file (<code class="filename">passdb.tdb</code>) or the LDAP database + files. You must start each migration with a new database into which you merge your NT4 + domains. + </p><p><a class="indexterm" name="id372076"></a> + At this point, you are ready to perform the second migration, following the same steps as + for the first. In other words, dump the database, edit it, and then you may merge the + dump for the first and second migrations. + </p><p><a class="indexterm" name="id372090"></a><a class="indexterm" name="id372097"></a><a class="indexterm" name="id372105"></a> + You must be careful. If you choose to migrate to an LDAP backend, your dump file + now contains the full account information, including the domain SID. The domain SID for each + of the two NT4 domains will be different. You must choose one and change the domain + portion of the account SIDs so that all are the same. + </p><p> + <a class="indexterm" name="id372120"></a> + <a class="indexterm" name="id372127"></a> + <a class="indexterm" name="id372134"></a> + <a class="indexterm" name="id372141"></a> + <a class="indexterm" name="id372147"></a> + <a class="indexterm" name="id372154"></a> + <a class="indexterm" name="id372161"></a> + <a class="indexterm" name="id372168"></a> + <a class="indexterm" name="id372175"></a> + <a class="indexterm" name="id372181"></a> + <a class="indexterm" name="id372188"></a> + <a class="indexterm" name="id372195"></a> + If you choose to use a tdbsam (<code class="filename">passdb.tdb</code>) backend file, your best choice + is to use <code class="literal">pdbedit</code> to export the contents of the tdbsam file into an + smbpasswd data file. This automatically strips out all domain-specific information, + such as logon hours, logon machines, logon script, profile path, as well as the domain SID. + The resulting file can be easily merged with other migration attempts (each of which must start + with a clean file). It should also be noted that all users who end up in the merged smbpasswd + file must have an account in <code class="filename">/etc/passwd</code>. The resulting smbpasswd file + may be exported or imported into either a tdbsam (<code class="filename">passdb.tdb</code>) or + an LDAP backend. + </p><div class="figure"><a name="NT4DUM"></a><p class="title"><b>Figure 9.2. View of Accounts in NT4 Domain User Manager</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UserMgrNT4.png" width="270" alt="View of Accounts in NT4 Domain User Manager"></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id372273"></a>Political Issues</h3></div></div></div><p> + The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3 + domain may be seen by those who had power over them as a loss of prestige or a loss of + power. The imposition of a single domain may even be seen as a threat. So in migrating and + merging account databases, be consciously aware of the political fall-out in which you + may find yourself entangled when key staff feel a loss of prestige. + </p><p> + The best advice that can be given to those who set out to merge NT4 domains into a single + Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers + greater network interoperability and manageability. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372293"></a>Implementation</h2></div></div></div><p> + From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations + to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX + server. If you contemplate doing this, please note that the steps that follow in this + chapter assume familiarity with the information that has been previously covered in this + book. You are particularly encouraged to be familiar with <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>, + <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a> and <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>. + </p><p> + We present here the steps and example output for two NT4 to Samba-3 domain migrations. The + first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the + scripts you specify in the <code class="filename">smb.conf</code> file for the <em class="parameter"><code>add user script</code></em> + collection of parameters are used to effect the addition of accounts into the passdb backend. + </p><p> + Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to + review <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> for DNS and DHCP configuration. The importance of correctly + functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names + (machine names, computer names, domain names, workgroup names ALL names!). + </p><p> + The migration process involves the following steps: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Prepare the target Samba-3 server. This involves configuring Samba-3 for + migration to either a tdbsam or an ldapsam backend. + </p></li><li><p> + <a class="indexterm" name="id372368"></a> + <a class="indexterm" name="id372375"></a> + <a class="indexterm" name="id372382"></a> + Clean up the source NT4 PDC. Delete all accounts that need not be migrated. + Delete all files that should not be migrated. Where possible, change NT group + names so there are no spaces or uppercase characters. This is important if + the target UNIX host insists on POSIX-compliant all lowercase user and group + names. + </p></li><li><p> + Step through the migration process. + </p></li><li><p><a class="indexterm" name="id372400"></a> + Remove the NT4 PDC from the network. + </p></li><li><p> + Upgrade the Samba-3 server from a BDC to a PDC, and validate all account + information. + </p></li></ul></div><p> + It may help to use the above outline as a pre-migration checklist. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id372418"></a>NT4 Migration Using LDAP Backend</h3></div></div></div><p> + In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about + to be migrated are shown in <a href="ntmigration.html#NT4DUM" title="Figure 9.2. View of Accounts in NT4 Domain User Manager">???</a>. In this example use is made of the + smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend. + Four scripts are essential to the migration process. Other scripts will be required + for daily management, but these are not critical to migration. The critical scripts are dependant + on which passdb backend is being used. Refer to <a href="ntmigration.html#ch8-vampire" title="Table 9.1. Samba smb.conf Scripts Essential to Samba Operation">???</a> to see which scripts + must be provided so that the migration process can complete. + </p><p> + Verify that you have correctly specified in the <code class="filename">smb.conf</code> file the scripts and arguments + that should be passed to them before attempting to perform the account migration. Note also + that the deletion scripts must be commented out during migration. These should be uncommented + following successful migration of the NT4 Domain accounts. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Under absolutely no circumstances should the Samba daemons be started until instructed to do so. + Delete the <code class="filename">/etc/samba/secrets.tdb</code> file and all Samba control tdb files + before commencing the following configuration steps. + </p></div><div class="table"><a name="ch8-vampire"></a><p class="title"><b>Table 9.1. Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</b></p><div class="table-contents"><table summary="Samba smb.conf Scripts Essential to Samba Operation" border="1"><colgroup><col align="left"><col align="center"><col align="center"></colgroup><thead><tr><th align="left">Entity</th><th align="center">ldapsam Script</th><th align="center">tdbsam Script</th></tr></thead><tbody><tr><td align="left">Add User Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr><tr><td align="left">Delete User Accounts</td><td align="center">smbldap-userdel</td><td align="center">userdel</td></tr><tr><td align="left">Add Group Accounts</td><td align="center">smbldap-groupadd</td><td align="center">groupadd</td></tr><tr><td align="left">Delete Group Accounts</td><td align="center">smbldap-groupdel</td><td align="center">groupdel</td></tr><tr><td align="left">Add User to Group</td><td align="center">smbldap-groupmod</td><td align="center">usermod (See Note)</td></tr><tr><td align="left">Add Machine Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr></tbody></table></div></div><br class="table-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id372608"></a> + <a class="indexterm" name="id372615"></a> + <a class="indexterm" name="id372621"></a> + The UNIX/Linux <code class="literal">usermod</code> utility does not permit simple user addition to (or deletion + of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this + capability, you must create your own tool to do this. Alternately, you can search the Web + to locate a utility called <code class="literal">groupmem</code> (by George Kraft) that provides this functionality. + The <code class="literal">groupmem</code> utility was contributed to the shadow package but has not surfaced + in the formal commands provided by Linux distributions (March 2004). + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id372654"></a> + The <code class="literal">tdbdump</code> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your + Linux distribution, you will need to build this yourself or else forgo its use. + </p></div><p> + <a class="indexterm" name="id372672"></a> + Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains. + </p><div class="procedure"><a name="id372682"></a><p class="title"><b>Procedure 9.1. User Migration Steps</b></p><div class="example"><a name="sbent4smb"></a><p class="title"><b>Example 9.1. NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id372739"></a><em class="parameter"><code>workgroup = DAMNATION</code></em></td></tr><tr><td><a class="indexterm" name="id372752"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id372764"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id372777"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id372790"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id372802"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id372815"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id372828"></a><em class="parameter"><code>smb ports = 139 445</code></em></td></tr><tr><td><a class="indexterm" name="id372840"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id372853"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id372866"></a><em class="parameter"><code>#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id372879"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id372892"></a><em class="parameter"><code>#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id372904"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id372918"></a><em class="parameter"><code>#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id372931"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id372944"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id372957"></a><em class="parameter"><code>logon script = scripts\logon.cmd</code></em></td></tr><tr><td><a class="indexterm" name="id372970"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id372982"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id372995"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id373007"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373020"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id373032"></a><em class="parameter"><code>#wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373045"></a><em class="parameter"><code>wins server = 192.168.123.124</code></em></td></tr><tr><td><a class="indexterm" name="id373058"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id373070"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id373083"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id373096"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id373108"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373121"></a><em class="parameter"><code>ldap suffix = dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id373134"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id373146"></a><em class="parameter"><code>ldap timeout = 20</code></em></td></tr><tr><td><a class="indexterm" name="id373159"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id373171"></a><em class="parameter"><code>idmap backend = ldap:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id373184"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id373197"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id373209"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373222"></a><em class="parameter"><code>ea support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373234"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbent4smb2"></a><p class="title"><b>Example 9.2. NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id373280"></a><em class="parameter"><code>comment = Application Data</code></em></td></tr><tr><td><a class="indexterm" name="id373293"></a><em class="parameter"><code>path = /data/home/apps</code></em></td></tr><tr><td><a class="indexterm" name="id373305"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id373327"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id373339"></a><em class="parameter"><code>path = /home/users/%U/Documents</code></em></td></tr><tr><td><a class="indexterm" name="id373352"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id373364"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id373377"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id373398"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id373411"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id373424"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373436"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373449"></a><em class="parameter"><code>use client driver = No</code></em></td></tr><tr><td><a class="indexterm" name="id373461"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id373483"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id373495"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id373508"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id373521"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id373542"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id373555"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id373567"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id373580"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id373601"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id373614"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id373627"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id373639"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id373661"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id373673"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbentslapd"></a><p class="title"><b>Example 9.3. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen"> +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba3.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +access to dn.base="" + by self write + by * auth + +access to attr=userPassword + by self write + by * auth + +access to attr=shadowLastChange + by self write + by * read + +access to * + by * read + by anonymous auth +</pre></div></div><br class="example-break"><div class="example"><a name="sbentslapd2"></a><p class="title"><b>Example 9.4. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen"> +#loglevel 256 + +#schemacheck on +idletimeout 30 +#backend bdb +database bdb +checkpoint 1024 5 +cachesize 10000 + +suffix "dc=terpstra-world,dc=org" +rootdn "cn=Manager,dc=terpstra-world,dc=org" + +# rootpw = not24get +rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV + +directory /var/lib/ldap + +# Indices to maintain +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUID eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre></div></div><br class="example-break"><div class="example"><a name="sbrntldapconf"></a><p class="title"><b>Example 9.5. NT4 Migration NSS LDAP File: <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> +host 127.0.0.1 + +base dc=terpstra-world,dc=org + +ldap_version 3 + +binddn cn=Manager,dc=terpstra-world,dc=org +bindpw not24get + +pam_password exop + +nss_base_passwd ou=People,dc=terpstra-world,dc=org?one +nss_base_shadow ou=People,dc=terpstra-world,dc=org?one +nss_base_group ou=Groups,dc=terpstra-world,dc=org?one + +ssl off +</pre></div></div><br class="example-break"><div class="example"><a name="sbentnss"></a><p class="title"><b>Example 9.6. NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:1)</b></p><div class="example-contents"><pre class="screen"> +passwd: files #ldap +shadow: files #ldap +group: files #ldap + +hosts: files dns wins +networks: files dns + +services: files +protocols: files +rpc: files +ethers: files +netmasks: files +netgroup: files +publickey: files + +bootparams: files +automount: files nis +aliases: files +#passwd_compat: ldap #Not needed. +#group_compat: ldap #Not needed. +</pre></div></div><br class="example-break"><div class="example"><a name="sbentnss2"></a><p class="title"><b>Example 9.7. NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:2)</b></p><div class="example-contents"><pre class="screen"> +passwd: files ldap +shadow: files ldap +group: files ldap + +hosts: files dns wins +networks: files dns + +services: files +protocols: files +rpc: files +ethers: files +netmasks: files +netgroup: files +publickey: files + +bootparams: files +automount: files nis +aliases: files +#passwd_compat: ldap #Not needed. +#group_compat: ldap #Not needed. +</pre></div></div><br class="example-break"><ol type="1"><li><p> + Configure the Samba <code class="filename">smb.conf</code> file to create a BDC. An example configuration is + given in <a href="ntmigration.html#sbent4smb" title="Example 9.1. NT4 Migration Samba-3 Server smb.conf Part: A">???</a>. + The delete scripts are commented out so that during the process of migration + no account information can be deleted. + </p></li><li><p> + <a class="indexterm" name="id373692"></a> + Configure OpenLDAP in preparation for the migration. An example + <code class="filename">sladp.conf</code> file is shown in <a href="ntmigration.html#sbentslapd" title="Example 9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A">???</a>. + The <code class="constant">rootpw</code> value is an encrypted password string that can + be obtained by executing the <code class="literal">slappasswd</code> command. + </p></li><li><p> + <a class="indexterm" name="id373791"></a> + <a class="indexterm" name="id373798"></a> + Install the PADL <code class="literal">nss_ldap</code> tool set, then configure the <code class="filename">/etc/ldap.conf</code> + as shown in <a href="ntmigration.html#sbrntldapconf" title="Example 9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf">???</a>. + </p></li><li><p> + <a class="indexterm" name="id373854"></a> + Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown + in <a href="ntmigration.html#sbentnss" title="Example 9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)">???</a>. Note that the LDAP entries have been commented out. + This is deliberate. If these entries are active (not commented out), and the + <code class="filename">/etc/ldap.conf</code> file has been configured, when the LDAP server + is started, the process of starting the LDAP server will cause LDAP lookups. This + causes the LDAP server <code class="literal">slapd</code> to hang because it finds port 389 + open and therefore cannot gain exclusive control of it. By commenting these entries + out, it is possible to avoid this gridlock situation and thus the overall + installation and configuration will progress more smoothly. + </p></li><li><p> + Validate the the target NT4 PDC name is being correctly resolved to its IP address by + executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> ping transgression +PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data. +64 bytes from (192.168.1.5): icmp_seq=1 ttl=128 time=0.159 ms +64 bytes from (192.168.1.5): icmp_seq=2 ttl=128 time=0.192 ms +64 bytes from (192.168.1.5): icmp_seq=3 ttl=128 time=0.141 ms + +--- transgression.terpstra-world.org ping statistics --- +3 packets transmitted, 3 received, 0% packet loss, time 2000ms +rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms +</pre><p> + Do not proceed to the next step if this step fails. It is imperative that the name of the PDC + can be resolved to its IP address. If this is broken, fix it. + </p></li><li><p> + Pull the domain SID from the NT4 domain that is being migrated as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc getsid -S TRANGRESSION -U Administrator%not24get +Storing SID S-1-5-21-1385457007-882775198-1210191635 \ + for Domain DAMNATION in secrets.tdb +</pre><p> + </p><p> + Another way to obtain the domain SID from the target NT4 domain that is being + migrated to Samba-3 is by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc info -S TRANSGRESSION +</pre><p> + If this method is used, do not forget to store the SID obtained into the + <code class="filename">secrets.tdb</code> file. This can be done by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635 +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id374001"></a> + <a class="indexterm" name="id374008"></a> + <a class="indexterm" name="id374015"></a> + <a class="indexterm" name="id374022"></a> + Install the Idealx <code class="literal">smbldap-tools</code> software package, following + the instructions given in <a href="happy.html#sbeidealx" title="Install and Configure Idealx smbldap-tools Scripts">???</a>. The resulting perl scripts + should be located in the <code class="filename">/opt/IDEALX/sbin</code> directory. + Change into that location, or wherever the scripts have been installed. Execute the + <code class="filename">configure.pl</code> script to configure the Idealx package for use. + Note: Use the domain SID obtained from the step above. The following is + an example configuration session: +</p><pre class="screen"> +<code class="prompt">root# </code> ./configure.pl +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + smbldap-tools script configuration + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Before starting, check + . if your samba controller is up and running. + . if the domain SID is defined + (you can get it with the 'net getlocalsid') + + . you can leave the configuration using the Crtl-c key combination + . empty value can be set with the "." character +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Looking for configuration files... + +Samba Config File Location [/etc/samba/smb.conf] > +smbldap Config file Location (global parameters) + [/etc/smbldap-tools/smbldap.conf] > +smbldap Config file Location (bind parameters) + [/etc/smbldap-tools/smbldap_bind.conf] > +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Let's start configuring the smbldap-tools scripts ... + +. workgroup name: name of the domain Samba act as a PDC + workgroup name [DAMNATION] > +. netbios name: netbios name of the samba controller + netbios name [MERLIN] > +. logon drive: local path to which the home directory + will be connected (for NT Workstations). Ex: 'H:' + logon drive [X:] > H: +. logon home: home directory location (for Win95/98 or NT Workstation) + (use %U as username) Ex:'\\MERLIN\home\%U' + logon home (leave blank if you don't want homeDirectory) + [\\MERLIN\home\%U] > \\%L\%U +. logon path: directory where roaming profiles are stored. + Ex:'\\MERLIN\profiles\%U' + logon path (leave blank if you don't want roaming profile) + [\\MERLIN\profiles\%U] > \\%L\profiles\%U +. home directory prefix (use %U as username) [/home/%U] > + /home/users/%U +. default user netlogon script (use %U as username) + [%U.cmd] > scripts\logon.cmd + default password validation time (time in days) [45] > 180 +. ldap suffix [dc=terpstra-world,dc=org] > +. ldap group suffix [ou=Groups] > +. ldap user suffix [ou=People] > +. ldap machine suffix [ou=People] > +. Idmap suffix [ou=Idmap] > +. sambaUnixIdPooldn: object where you want to store the next uidNumber + and gidNumber available for new users and groups + sambaUnixIdPooldn object (relative to ${suffix}) + [sambaDomainName=DAMNATION] > +. ldap master server: + IP address or DNS name of the master (writable) ldap server + ldap master server [] > 127.0.0.1 +. ldap master port [389] > +. ldap master bind dn [cn=Manager,dc=terpstra-world,dc=org] > +. ldap master bind password [] > +. ldap slave server: IP address or DNS name of the slave ldap server: + can also be the master one + ldap slave server [] > 127.0.0.1 +. ldap slave port [389] > +. ldap slave bind dn [cn=Manager,dc=terpstra-world,dc=org] > +. ldap slave bind password [] > +. ldap tls support (1/0) [0] > +. SID for domain DAMNATION: SID of the domain + (can be obtained with 'net getlocalsid MERLIN') + SID for domain DAMNATION [] + > S-1-5-21-1385457007-882775198-1210191635 +. unix password encryption: encryption used for unix passwords +unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 +. default user gidNumber [513] > +. default computer gidNumber [515] > +. default login shell [/bin/bash] > +. default domain name to append to mail address [] > + terpstra-world.org +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +backup old configuration files: + /etc/smbldap-tools/smbldap.conf-> + /etc/smbldap-tools/smbldap.conf.old + /etc/smbldap-tools/smbldap_bind.conf-> + /etc/smbldap-tools/smbldap_bind.conf.old +writing new configuration file: + /etc/smbldap-tools/smbldap.conf done. + /etc/smbldap-tools/smbldap_bind.conf done. +</pre><p> + <a class="indexterm" name="id374117"></a> + <a class="indexterm" name="id374124"></a> + <a class="indexterm" name="id374131"></a> + <a class="indexterm" name="id374138"></a> + Note that the NT4 domain SID that was previously obtained was entered above. Also, + the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is + the location into which the Idealx smbldap-tools store the next available UID/GID + information. It is also where Samba stores domain specific information such as the + next RID, the SID, and so on. In older version of the smbldap-tools this information + was stored in the sambaUnixIdPooldn DIT location cn=NextFreeUnixId. Where smbldap-tools + are being upgraded to version 0.9.1 it is appropriate to update this to the new location + only if the directory information is also relocated. + </p></li><li><p> + Start the LDAP server using the system interface script. On Novell SLES9 + this is done as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +</pre><p> + </p></li><li><p> + Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown in + <a href="ntmigration.html#sbentnss2" title="Example 9.7. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)">???</a>. Note that the LDAP entries have now been uncommented. + </p></li><li><p> + The LDAP management password must be installed into the <code class="filename">secrets.tdb</code> + file as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +Setting stored password for + "cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb +</pre><p> + </p></li><li><p> + Populate the LDAP directory as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-populate -a root -k 0 -m 0 +Using workgroup name from sambaUnixIdPooldn (smbldap.conf): + sambaDomainName=DAMNATION +Using builtin directory structure +adding new entry: dc=terpstra-world,dc=org +adding new entry: ou=People,dc=terpstra-world,dc=org +adding new entry: ou=Groups,dc=terpstra-world,dc=org +entry ou=People,dc=terpstra-world,dc=org already exist. +adding new entry: ou=Idmap,dc=terpstra-world,dc=org +adding new entry: sambaDomainName=DAMNATION,dc=terpstra-world,dc=org +adding new entry: uid=root,ou=People,dc=terpstra-world,dc=org +adding new entry: uid=nobody,ou=People,dc=terpstra-world,dc=org +adding new entry: cn=Domain Admins,ou=Groups,dc=terpstra-world,dc=org +adding new entry: cn=Domain Users,ou=Groups,dc=terpstra-world,dc=org +adding new entry: cn=Domain Guests,ou=Groups,dc=terpstra-world,dc=org +adding new entry: cn=Domain Computers,ou=Groups,dc=terpstra-world,dc=org +adding new entry: cn=Administrators,ou=Groups,dc=terpstra-world,dc=org +adding new entry: cn=Print Operators,ou=Groups,dc=terpstra-world,dc=org +adding new entry: cn=Backup Operators,ou=Groups,dc=terpstra-world,dc=org +adding new entry: cn=Replicators,ou=Groups,dc=terpstra-world,dc=org +</pre><p> + The script tries to add the ou=People container twice, hence the error message. + This is expected behavior. + </p></li><li><p> + <a class="indexterm" name="id374276"></a> + Restart the LDAP server following initialization of the LDAP directory. Execute the + system control script provided on your system. The following steps can be used on + Novell SUSE SLES 9: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap restart +<code class="prompt">root# </code> chkconfig ldap on +</pre><p> + </p></li><li><p> + Verify that the new user accounts that have been added to the LDAP directory can be + resolved as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +... +nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash +man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash +news:x:9:13:News system:/etc/news:/bin/bash +uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash ++::0:0::: +root:x:0:0:Netbios Domain Administrator:/home/users/root:/bin/false +nobody:x:999:514:nobody:/dev/null:/bin/false +</pre><p> + Now repeat this for the group accounts as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +... +nobody:x:65533: +nogroup:x:65534:nobody +users:x:100: ++::0: +Domain Admins:x:512:root +Domain Users:x:513: +Domain Guests:x:514: +Domain Computers:x:515: +Administrators:x:544: +Print Operators:x:550: +Backup Operators:x:551: +Replicators:x:552: +</pre><p> + In both cases the LDAP accounts follow the “<span class="quote">+::0:</span>” entry. + </p></li><li><p> + Now it is time to join the Samba BDC to the target NT4 domain that is being + migrated to Samba-3 by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -S TRANSGRESSION -U Administrator%not24get +merlin:/opt/IDEALX/sbin # net rpc join -S TRANSGRESSION \ + -U Administrator%not24get +Joined domain DAMNATION. +</pre><p> + </p></li><li><p> + Set the new domain administrator (root) password for both UNIX and Windows as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-passwd root +Changing password for root +New password : ******** +Retype new password : ******** +</pre><p> + Note: During account migration, the Windows Administrator account will not be migrated + to the Samba server. + </p></li><li><p> + Now validate that these accounts can be resolved using Samba's tools as + shown here for user accounts: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lw +root:0:84B0D8E14D158FF8417EAF50CFAC29C3: + AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-425F6467: +nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX: + NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000: +</pre><p> + Now complete the following step to validate that group account mappings have + been correctly set: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512) + -> Domain Admins +Domain Users (S-1-5-21-1385457007-882775198-1210191635-513) + -> Domain Users +Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514) + -> Domain Guests +Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515) + -> Domain Computers +Administrators (S-1-5-32-544) -> Administrators +Print Operators (S-1-5-32-550) -> Print Operators +Backup Operators (S-1-5-32-551) -> Backup Operators +Replicators (S-1-5-32-552) -> Replicators +</pre><p> + These are the expected results for a correctly configured system. + </p></li><li><p> + Commence migration as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc vampire -S TRANSGRESSION \ + -U Administrator%not24get > /tmp/vampire.log 2>1 +</pre><p> + Check the vampire log to confirm that only expected errors have been + reported. See <a href="ntmigration.html#sbevam1" title="Migration Log Validation">???</a>. + </p></li><li><p> + The migration of user accounts can be quickly validated as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lw +root:0:84B0D8E14D158FF8417EAF50CFAC29C3:... +nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:... +Administrator:0:84B0D8E14D158FF8417EAF50CFAC29C3:... +Guest:1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:... +TRANSGRESSION$:2:CC044B748CEE294CE76B6B0D1B86C1A8:... +IUSR_TRANSGRESSION:3:64046AC81B056C375F9537FC409085F8:... +MIDEARTH$:4:E93186E5819706D2AAD3B435B51404EE:... +atrickhoffer:5:DC08CFE0C12B2867352502E32A407F23:... +barryf:6:B829BCDE01FF24376E45D5F10408CFBD:... +fsellerby:7:6A97CBEBE8F9826B417EAF50CFAC29C3:... +gdaison:8:48F6A8C8A900024351DA8C2061C5F1D3:... +hrambotham:9:7330D9EA0964465EAAD3B435B51404EE:... +jrhapsody:10:ACBA7D207E2BA35D9BD41A26B01626BD:... +maryk:11:293B5A4CA41F6CA1A7D80430B8342B73:... +jacko:12:8E8982D86BD037C364BBD09A598E07AD:... +bridge:13:0D2CA7D2BE67FE2193BE3A377C968336:... +sharpec:14:8841A75CAC19D2855D8B73B1F4D430F8:... +jimbo:15:6E8BDC904FD9EC5C17306D272A9441BB:... +dhenwick:16:D1694A03C33584BDAAD3B435B51404EE:... +dork:17:69E2D19E69A593D5AAD3B435B51404EE:... +blue:18:E355EBF9559979FEAAD3B435B51404EE:... +billw:19:EE35C3481CF7F7DB484448BC86A641A5:... +rfreshmill:20:7EC033B58661B60CAAD3B435B51404EE:... +MAGGOT$:21:A3B9334765AD30F7AAD3B435B51404EE:... +TRENTWARE$:22:1D92C8DD5E7F0DDF93BE3A377C968336:... +MORTON$:23:89342E69DCA9D3F8AAD3B435B51404EE:... +NARM$:24:2B93E2D1D25448BDAAD3B435B51404EE:... +LAPDOG$:25:14AA535885120943AAD3B435B51404EE:... +SCAVENGER$:26:B6288EB6D147B56F8963805A19B0ED49:... +merlin$:27:820C50523F368C54AB9D85AE603AD09D:... +</pre><p> + </p></li><li><p> + The mapping of UNIX and Windows groups can be validated as show here: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512) + -> Domain Admins +Domain Users (S-1-5-21-1385457007-882775198-1210191635-513) + -> Domain Users +Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514) + -> Domain Guests +Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515) + -> Domain Computers +Administrators (S-1-5-32-544) -> Administrators +Print Operators (S-1-5-32-550) -> Print Operators +Backup Operators (S-1-5-32-551) -> Backup Operators +Replicator (S-1-5-32-552) -> Replicators +Engineers (S-1-5-21-1385457007-882775198-1210191635-1020) -> Engineers +Marketoids (S-1-5-21-1385457007-882775198-1210191635-1022) -> Marketoids +Gnomes (S-1-5-21-1385457007-882775198-1210191635-1023) -> Gnomes +Catalyst (S-1-5-21-1385457007-882775198-1210191635-1024) -> Catalyst +Recieving (S-1-5-21-1385457007-882775198-1210191635-1025) -> Recieving +Rubberboot (S-1-5-21-1385457007-882775198-1210191635-1026) -> Rubberboot +Sales (S-1-5-21-1385457007-882775198-1210191635-1027) -> Sales +Accounting (S-1-5-21-1385457007-882775198-1210191635-1028) -> Accounting +Shipping (S-1-5-21-1385457007-882775198-1210191635-1029) -> Shipping +Account Operators (S-1-5-32-548) -> Account Operators +Guests (S-1-5-32-546) -> Guests +Server Operators (S-1-5-32-549) -> Server Operators +Users (S-1-5-32-545) -> Users +</pre><p> + It is of vital importance that the domain SID portions of all group + accounts are identical. + </p></li><li><p> + The final responsibility in the migration process is to create identical + shares and printing resources on the new Samba-3 server, copy all data + across, set up privileges, and set share and file/directory access controls. + </p></li><li><p> + <a class="indexterm" name="id374531"></a> + <a class="indexterm" name="id374538"></a> + Edit the <code class="filename">smb.conf</code> file to reset the parameter + <a class="indexterm" name="id374551"></a>domain master = Yes so that + the Samba server functions as a PDC for the purpose of migration. + Also, uncomment the deletion scripts so they will now be fully functional, + enable the <em class="parameter"><code>wins support = yes</code></em> parameter and + comment out the <em class="parameter"><code>wins server</code></em>. Validate the configuration + with the <code class="literal">testparm</code> utility as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm +Load smb config files from /etc/samba/smb.conf +Processing section "[apps]" +Processing section "[media]" +Processing section "[homes]" +Processing section "[printers]" +Processing section "[netlogon]" +Processing section "[profiles]" +Processing section "[profdata]" +Processing section "[print$]" +Loaded services file OK. +Server role: ROLE_DOMAIN_PDC +Press enter to see a dump of your service definitions +</pre><p> + </p></li><li><p> + Now shut down the old NT4 PDC. Only when the old NT4 PDC and all + NT4 BDCs have been shut down can the Samba-3 PDC be started. + </p></li><li><p> + All workstations should function as they did with the old NT4 PDC. All + interdomain trust accounts should remain in place and fully functional. + All machine accounts and user logon accounts should also function correctly. + </p></li><li><p> + The configuration of Samba-3 BDC servers can be accomplished now or at any + convenient time in the future. Please refer to the carefully detailed process + for doing so is outlined in <a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>. + </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbevam1"></a>Migration Log Validation</h4></div></div></div><p> + The following <code class="filename">vampire.log</code> file is typical of a valid migration. +</p><pre class="screen"> +adding user Administrator to group Domain Admins +adding user atrickhoffer to group Engineers +adding user dhenwick to group Engineers +adding user dork to group Engineers +adding user rfreshmill to group Marketoids +adding user jacko to group Gnomes +adding user jimbo to group Gnomes +adding user maryk to group Gnomes +adding user gdaison to group Gnomes +adding user dhenwick to group Catalyst +adding user jacko to group Catalyst +adding user jacko to group Recieving +adding user blue to group Recieving +adding user hrambotham to group Rubberboot +adding user billw to group Sales +adding user bridge to group Sales +adding user jrhapsody to group Sales +adding user maryk to group Sales +adding user rfreshmill to group Sales +adding user fsellerby to group Sales +adding user sharpec to group Sales +adding user jimbo to group Accounting +adding user gdaison to group Accounting +adding user jacko to group Shipping +adding user blue to group Shipping +Fetching DOMAIN database +Creating unix group: 'Engineers' +Creating unix group: 'Marketoids' +Creating unix group: 'Gnomes' +Creating unix group: 'Catalyst' +Creating unix group: 'Recieving' +Creating unix group: 'Rubberboot' +Creating unix group: 'Sales' +Creating unix group: 'Accounting' +Creating unix group: 'Shipping' +Creating account: Administrator +Creating account: Guest +Creating account: TRANSGRESSION$ +Creating account: IUSR_TRANSGRESSION +Creating account: MIDEARTH$ +Creating account: atrickhoffer +Creating account: barryf +Creating account: fsellerby +Creating account: gdaison +Creating account: hrambotham +Creating account: jrhapsody +Creating account: maryk +Creating account: jacko +Creating account: bridge +Creating account: sharpec +Creating account: jimbo +Creating account: dhenwick +Creating account: dork +Creating account: blue +Creating account: billw +Creating account: rfreshmill +Creating account: MAGGOT$ +Creating account: TRENTWARE$ +Creating account: MORTON$ +Creating account: NARM$ +Creating account: LAPDOG$ +Creating account: SCAVENGER$ +Creating account: merlin$ +Group members of Domain Admins: Administrator, +Group members of Domain Users: Administrator(primary), +TRANSGRESSION$(primary),IUSR_TRANSGRESSION(primary), +MIDEARTH$(primary),atrickhoffer(primary),barryf(primary), +fsellerby(primary),gdaison(primary),hrambotham(primary), +jrhapsody(primary),maryk(primary),jacko(primary),bridge(primary), +sharpec(primary),jimbo(primary),dhenwick(primary),dork(primary), +blue(primary),billw(primary),rfreshmill(primary),MAGGOT$(primary), +TRENTWARE$(primary),MORTON$(primary),NARM$(primary), +LAPDOG$(primary),SCAVENGER$(primary),merlin$(primary), +Group members of Domain Guests: Guest(primary), +Group members of Engineers: atrickhoffer,dhenwick,dork, +Group members of Marketoids: rfreshmill, +Group members of Gnomes: jacko,jimbo,maryk,gdaison, +Group members of Catalyst: dhenwick,jacko, +Group members of Recieving: jacko,blue, +Group members of Rubberboot: hrambotham, +Group members of Sales: billw,bridge,jrhapsody,maryk, +rfreshmill,fsellerby,sharpec, +Group members of Accounting: jimbo,gdaison, +Group members of Shipping: jacko,blue, +Fetching BUILTIN database +skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain) +Creating unix group: 'Account Operators' +Creating unix group: 'Guests' +Creating unix group: 'Server Operators' +Creating unix group: 'Users' +</pre><p> + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id374706"></a>NT4 Migration Using tdbsam Backend</h3></div></div></div><p> + In this example, we change the domain name of the NT4 server from + <code class="constant">DRUGPREP</code> to <code class="constant">MEGANET</code> prior to the use + of the vampire (migration) tool. This migration process makes use of Linux system tools + (like <code class="literal">useradd</code>) to add the accounts that are migrated into the + UNIX/Linux <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> + databases. These entries must therefore be present, and correct options specified, + in your <code class="filename">smb.conf</code> file, or else the migration does not work as it should. + </p><div class="procedure"><a name="id374750"></a><p class="title"><b>Procedure 9.2. Migration Steps Using tdbsam</b></p><ol type="1"><li><p> + Prepare a Samba-3 server precisely per the instructions shown in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>. + Set the workgroup name to <code class="constant">MEGANET</code>. + </p></li><li><p><a class="indexterm" name="id374776"></a><a class="indexterm" name="id374784"></a> + Edit the <code class="filename">smb.conf</code> file to temporarily change the parameter + <a class="indexterm" name="id374799"></a>domain master = No so + the Samba server functions as a BDC for the purpose of migration. + </p></li><li><p> + Start Samba as you have done previously. + </p></li><li><p><a class="indexterm" name="id374820"></a> + Join the NT4 Domain as a BDC, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get +Joined domain MEGANET. +</pre><p> + </p></li><li><p><a class="indexterm" name="id374853"></a> + You may vampire the accounts from the NT4 PDC by executing the command, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc vampire -S oldnt4pdc -U Administrator%not24get +Fetching DOMAIN database +SAM_DELTA_DOMAIN_INFO not handled +Creating unix group: 'Domain Admins' +Creating unix group: 'Domain Users' +Creating unix group: 'Domain Guests' +Creating unix group: 'Engineers' +Creating unix group: 'Marketoids' +Creating unix group: 'Account Operators' +Creating unix group: 'Administrators' +Creating unix group: 'Backup Operators' +Creating unix group: 'Guests' +Creating unix group: 'Print Operators' +Creating unix group: 'Replicator' +Creating unix group: 'Server Operators' +Creating unix group: 'Users' +Creating account: Administrator +Creating account: Guest +Creating account: oldnt4pdc$ +Creating account: jacko +Creating account: maryk +Creating account: bridge +Creating account: sharpec +Creating account: jimbo +Creating account: dhenwick +Creating account: dork +Creating account: blue +Creating account: billw +Creating account: massive$ +Group members of Engineers: Administrator, + sharpec(primary),bridge,billw(primary),dhenwick +Group members of Marketoids: Administrator,jacko(primary), + maryk(primary),jimbo,blue(primary),dork(primary) +Creating unix group: 'Gnomes' +Fetching BUILTIN database +SAM_DELTA_DOMAIN_INFO not handled +</pre><p> + </p></li><li><p><a class="indexterm" name="id374896"></a> + At this point, we can validate our migration. Let's look at the accounts + in the form in which they are seen in a smbpasswd file. This achieves that: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lw +Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3: + AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX ]:LCT-3DF7AA9F: +jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF: + CDF7E305E639966E489A0CEFB95EE5E0:[UX ]:LCT-3E9362BC: +sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151: + 7000255938831D5B948C95C1931534C5:[UX ]:LCT-3E8B42C4: +dhenwick:513:DCD8886141E3F892AAD3B435B51404EE: + 2DB36465949CB938DD98C312EFDC2639:[UX ]:LCT-3E939F41: +bridge:510:3FE6873A43101B46417EAF50CFAC29C3: + 891741F481AF111B4CAA09A94016BD01:[UX ]:LCT-3E8B4291: +blue:515:256D41D2559BB3D2AAD3B435B51404EE: + 9CCADDA4F7D281DD0FAD321478C6F971:[UX ]:LCT-3E939FDC: +diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B: + 3323AC63C666CFAACB60C13F65D54E9A:[S ]:LCT-00000000: +oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568: + 95DBAF885854A919C7C7E671060478B9:[S ]:LCT-3DF7AA9F: +Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX ]:LCT-3E93A008: +billw:516:85380CA7C21B6EBE168C8150662AF11B: + 5D7478508293709937E55FB5FBA14C17:[UX ]:LCT-3FED7CA1: +dork:514:78C70DDEC35A35B5AAD3B435B51404EE: + 0AD886E015AC595EC0AF40E6C9689E1A:[UX ]:LCT-3E939F9A: +jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1: + 0C6822AAF85E86600A40DC73E40D06D5:[UX ]:LCT-3E8B4242: +maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C: + CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270: +</pre><p> + </p></li><li><p><a class="indexterm" name="id374936"></a> + An expanded view of a user account entry shows more of what was + obtained from the NT4 PDC: +</p><pre class="screen"> +sleeth:~ # pdbedit -Lv maryk +Unix username: maryk +NT username: maryk +Account Flags: [UX ] +User SID: S-1-5-21-1988699175-926296742-1295600288-1003 +Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007 +Full Name: Mary Kathleen +Home Directory: \\diamond\maryk +HomeDir Drive: X: +Logon Script: scripts\logon.bat +Profile Path: \\diamond\profiles\maryk +Domain: MEGANET +Account desc: Peace Maker +Workstations: +Munged dial: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT +Password last set: Wed, 02 Apr 2003 13:05:04 GMT +Password can change: 0 +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +</pre><p> + </p></li><li><p><a class="indexterm" name="id374970"></a> + The following command lists the long names of the groups that have been + imported (vampired) from the NT4 PDC: +</p><pre class="screen"> +<code class="prompt">root# </code> net group -l -Uroot%not24get -Smassive + +Group name Comment +----------------------------- +Engineers Snake Oil Engineers +Marketoids Untrustworthy Hype Vendors +Gnomes Plain Vanilla Garden Gnomes +Replicator Supports file replication in a domain +Guests Users granted guest access to the computer/domain +Administrators Members can fully administer the computer/domain +Users Ordinary users +</pre><p> + Everything looks well and in order. + </p></li><li><p><a class="indexterm" name="id375004"></a><a class="indexterm" name="id375012"></a> + Edit the <code class="filename">smb.conf</code> file to reset the parameter + <a class="indexterm" name="id375027"></a>domain master = Yes so + the Samba server functions as a PDC for the purpose of migration. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id375038"></a>Key Points Learned</h3></div></div></div><p> + Migration of an NT4 PDC database to a Samba-3 PDC is possible. + </p><div class="itemizedlist"><ul type="disc"><li><p> + An LDAP backend is a suitable vehicle for NT4 migrations. + </p></li><li><p> + A tdbsam backend can be used to perform a migration. + </p></li><li><p> + Multiple NT4 domains can be merged into a single Samba-3 + domain. + </p></li><li><p> + The net Samba-3 domain most likely requires some + administration and updating before going live. + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id375074"></a>Questions and Answers</h2></div></div></div><p> + </p><div class="qandaset"><dl><dt> <a href="ntmigration.html#id375089"> + Why must I start each migration with a clean database? + </a></dt><dt> <a href="ntmigration.html#id375125"> + Is it possible to set my domain SID to anything I like? + </a></dt><dt> <a href="ntmigration.html#id375182"> + When using a tdbsam passdb backend, why must I have all domain user and group accounts + in /etc/passwd and /etc/group? + </a></dt><dt> <a href="ntmigration.html#id375348"> + Why did you validate connectivity before attempting migration? + </a></dt><dt> <a href="ntmigration.html#id375390"> + How would you merge 10 tdbsam-based domains into an LDAP database? + </a></dt><dt> <a href="ntmigration.html#id375506"> + I want to change my domain name after I migrate all accounts from an NT4 domain to a + Samba-3 domain. Does it make any sense to migrate the machine accounts in that case? + </a></dt><dt> <a href="ntmigration.html#id375577"> + After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why? + </a></dt><dt> <a href="ntmigration.html#id375635"> + How can I reset group membership after loading the account information into the LDAP database? + </a></dt><dt> <a href="ntmigration.html#id375667"> + What are the limits or constraints that apply to group names? + </a></dt><dt> <a href="ntmigration.html#id375764"> + My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3 + LDAP backend system using the vampire process? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id375089"></a><a name="id375091"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375094"></a> + Why must I start each migration with a clean database? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375109"></a> + This is a recommendation that permits the data from each NT4 domain to + be kept separate until you are ready to merge them. Also, if you do not start with a clean database, + you may find errors due to users or groups from multiple domains having the + same name but different SIDs. It is better to permit each migration to complete + without undue errors and then to handle the merging of vampired data under + proper supervision. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375125"></a><a name="id375127"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375130"></a> + Is it possible to set my domain SID to anything I like? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375145"></a><a class="indexterm" name="id375153"></a><a class="indexterm" name="id375161"></a> + Yes, so long as the SID you create has the same structure as an autogenerated SID. + The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where + the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why + would you really want to create your own SID? I cannot think of a good reason. + You may want to set the SID to one that is already in use somewhere on your network, + but that is a little different from straight out creating your own domain SID. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375182"></a><a name="id375184"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375187"></a><a class="indexterm" name="id375195"></a><a class="indexterm" name="id375203"></a><a class="indexterm" name="id375210"></a><a class="indexterm" name="id375218"></a><a class="indexterm" name="id375230"></a><a class="indexterm" name="id375241"></a> + When using a tdbsam passdb backend, why must I have all domain user and group accounts + in <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375272"></a><a class="indexterm" name="id375279"></a><a class="indexterm" name="id375287"></a><a class="indexterm" name="id375295"></a><a class="indexterm" name="id375303"></a><a class="indexterm" name="id375310"></a> + Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba + does not fabricate the UNIX IDs from thin air, but rather requires them to be located + in a suitable place. + </p><p> + When migrating a <code class="filename">smbpasswd</code> file to an LDAP backend, the + UID of each account is taken together with the account information in the + <code class="filename">/etc/passwd</code>, and both sets of data are used to create the account + entry in the LDAP database. + </p><p> + If you elect to create the POSIX account also, the entire UNIX account is copied to the + LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of + migration to the LDAP database, the accounts may be removed from the UNIX database files. + In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in + LDAP, require UIDs/GIDs. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375348"></a><a name="id375350"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375353"></a><a class="indexterm" name="id375361"></a><a class="indexterm" name="id375369"></a> + Why did you validate connectivity before attempting migration? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Access validation before attempting to migrate NT4 domain accounts helps to pinpoint + potential problems that may otherwise affect or impede account migration. I am always + mindful of the 4 P's of migration: Planning Prevents Poor Performance. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375390"></a><a name="id375393"></a></td><td align="left" valign="top"><p> + How would you merge 10 tdbsam-based domains into an LDAP database? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375403"></a><a class="indexterm" name="id375411"></a><a class="indexterm" name="id375419"></a><a class="indexterm" name="id375427"></a><a class="indexterm" name="id375434"></a><a class="indexterm" name="id375442"></a><a class="indexterm" name="id375450"></a><a class="indexterm" name="id375458"></a><a class="indexterm" name="id375465"></a><a class="indexterm" name="id375473"></a><a class="indexterm" name="id375481"></a> + If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of + accounts that have the same UNIX identifier (UID/GID). This means that you almost + certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd + file format and then manually edit all records to ensure that each has a unique UID. Each + file can then be imported a number of ways. You can use the <code class="literal">pdbedit</code> tool + to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to + tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that + you have migrated before handing over access to a user. After all, too many users with a bad + migration experience may threaten your career. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375506"></a><a name="id375508"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375511"></a><a class="indexterm" name="id375519"></a> + I want to change my domain name after I migrate all accounts from an NT4 domain to a + Samba-3 domain. Does it make any sense to migrate the machine accounts in that case? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375538"></a><a class="indexterm" name="id375546"></a><a class="indexterm" name="id375554"></a><a class="indexterm" name="id375562"></a> + I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries + on each Windows NT4 and upward client that have a tattoo of the old domain name. If you + unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid + this tattooing effect. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375577"></a><a name="id375579"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375582"></a> + After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375598"></a><a class="indexterm" name="id375605"></a> + Samba-3 currently does not implement multiple group membership internally. If you use the Windows + NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group + membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend, + then multiple group membership is handled through the UNIX groups file. When you dump the user + accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each + file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <code class="filename">/etc/passwd</code> + and <code class="filename">/etc/group</code> information also. That is where the multiple group information + is most closely at your fingertips. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375635"></a><a name="id375637"></a></td><td align="left" valign="top"><p> + How can I reset group membership after loading the account information into the LDAP database? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375648"></a> + You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The + installation file is called <code class="filename">SRVTOOLS.EXE</code>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375667"></a><a name="id375669"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375673"></a> + What are the limits or constraints that apply to group names? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id375688"></a><a class="indexterm" name="id375695"></a><a class="indexterm" name="id375703"></a><a class="indexterm" name="id375711"></a><a class="indexterm" name="id375719"></a><a class="indexterm" name="id375727"></a> + A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group + name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows + groups can contain upper- and lowercase characters, as well as spaces. + Many UNIX system do not permit the use of uppercase characters, and some do not permit the + space character either. A number of systems (i.e., Linux) work fine with both uppercase + and space characters in group names, but the shadow-utils package that provides the group + control functions (<code class="literal">groupadd</code>, <code class="literal">groupmod</code>, <code class="literal">groupdel</code>, and so on) do not permit them. + Also, a number of UNIX systems management tools enforce their own particular interpretation + of the POSIX standards and likewise do not permit uppercase or space characters in group + or user account names. You have to experiment with your system to find what its + peculiarities are. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id375764"></a><a name="id375766"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id375769"></a> + My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3 + LDAP backend system using the vampire process? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux + kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs, + you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned + integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts. + Please check this carefully before you attempt to effect a migration using the vampire process. + </p><p><a class="indexterm" name="id375792"></a> + Migration speed depends much on the processor speed, the network speed, disk I/O capability, and + LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP + to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts + per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration. + </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrades.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="nw4migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Updating Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Migrating NetWare Server to Samba-3</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/nw4migration.html b/docs/htmldocs/Samba3-ByExample/nw4migration.html new file mode 100644 index 0000000000..195a12b128 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/nw4migration.html @@ -0,0 +1,1249 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Migrating NetWare Server to Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3"><link rel="next" href="RefSection.html" title="Part III. Reference Section"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Migrating NetWare Server to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ntmigration.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="RefSection.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="nw4migration"></a>Chapter 10. Migrating NetWare Server to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="nw4migration.html#id375956">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376063">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id376162">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376233">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id376404">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id376413">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></div><p> + <a class="indexterm" name="id375826"></a> + <a class="indexterm" name="id375832"></a> + Novell is a company any seasoned IT manager has to admire. It has become increasingly + Linux-friendly and is emerging out of a deep regression that almost saw the company + disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the + platform of choice to which many older NetWare servers are being migrated. + It will be interesting to see what becomes of NetWare over time. + Meanwhile, there can be no denying that Novell is a Linux company. + </p><p> + <a class="indexterm" name="id375850"></a> + <a class="indexterm" name="id375857"></a> + <a class="indexterm" name="id375864"></a> + <a class="indexterm" name="id375871"></a> + Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian, + Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with + the knowledge that file locations may vary a little; even so, the information + in this chapter should provide something of value. + </p><p> + <a class="indexterm" name="id375883"></a> + Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many + years who surfaced on the Samba mailing list with a barrage of questions and who + regularly helps other administrators to solve thorny Samba migration questions. + </p><p> + <a class="indexterm" name="id375896"></a> + <a class="indexterm" name="id375902"></a> + <a class="indexterm" name="id375909"></a> + <a class="indexterm" name="id375916"></a> + One wonders how many NetWare servers remain in active service. Many are being migrated + to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are + ideal target platforms to which a NetWare server may be migrated. The migration method + of choice is much dependent on the tools that the administrator finds most natural to use. + The old-hand NetWare guru will likely want to use tools like the NetWare NLM for + <code class="literal">rsync</code> to migrate files from the NetWare server to the Samba server. + The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare + Emulator) open source package. The MS Windows network administrator will likely make use of the + NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice, + migration will be filled with joyous and challenging moments though probably not + concurrently. + </p><p> + The priority that Misty faced was one of migration of the data files off the NetWare 4.11 + server and onto a Samba-based Windows file and print server. This chapter does not pretend + to document all the different methods that could be used to migrate user and group accounts + off a NetWare server. Its focus is on migration of data files. + </p><p> + This chapter tells its own story, so ride along. Maybe the information presented here + will help to smooth over a similar migration challenge in your favorite networking environment. + </p><p> + File paths have been modified to permit use of RPM packages provided by Novell. In the + original documentation contributed by Misty, the Courier-IMAP package had been built + directly from the original source tarball. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id375956"></a>Introduction</h2></div></div></div><p> + <a class="indexterm" name="id375964"></a> + Misty Stanley-Jones was recruited by Abmas to administer a network that had + not received much attention for some years and was much in need of a makeover. + As a brand-new sysadmin to this company, she inherited a very old Novell file server + and came with a determination to change things for the better. + </p><p> + A site survey turned up the following details for the old NetWare server: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>200 MHz MMX processor</p></td></tr><tr><td><p>512K RAM</p></td></tr><tr><td><p>24 GB disk space in RAID1</p></td></tr><tr><td><p>Novell 4.11 patched to service pack 7</p></td></tr><tr><td><p>60+ users</p></td></tr><tr><td><p>7 network-attached printers</p></td></tr></table><p> + The company had outgrown this server several years before and was dealing with + severe growing pains. Some of the problems experienced were: + </p><div class="itemizedlist"><ul type="disc"><li><p>Very slow performance</p></li><li><p>Available storage hovering around the 5% range</p><div class="itemizedlist"><ul type="circle"><li><p>Extremely slow print spooling.</p></li><li><p> + Users storing information on their local hard + drives, causing backup integrity problems + </p></li></ul></div></li></ul></div><p> + <a class="indexterm" name="id376052"></a> + At one point disk space had filled up to 100 percent, causing the payroll database + to become corrupt. This caused the accounting department to be down for over + a week and necessitated deployment of another file server. The replacement + server was created with very poor security and design considerations from + a discarded desktop PC. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id376063"></a>Assignment Tasks</h3></div></div></div><p> + Misty has provided this summary of her migration experience in the hope + that it will help someone to avoid the challenges she faced. Perhaps her + configuration files and background will accelerate your learning as you + grapple with a similar migration challenge. Let there be no confusion, + the information presented in this chapter is provided to demonstrate + how Misty dealt with a particular NetWare migration requirement, and + it provides an overall approach to the implementation of a Samba-3 + environment that is significantly divergent from that presented in + <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>. + </p><p> + The complete removal of all site-specific information in order to produce + a generic migration solution would rob this chapter of its character. + It should be recognized, therefore, that the examples given require + significant adaptation to suit local needs and thus + there are some gaps in the example files. That is not Misty's fault;it + is the result of treatment given to her files in an attempt to make + the overall information more useful to you. + </p><p> + <a class="indexterm" name="id376092"></a> + After management reviewed a cost-benefit report as well as an estimated + time-to-completion, approval was given proceed with the solution proposed. + The server was built from purchased components. The total project cost + was $3,000. A brief description of the configuration follows: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td> + <p>3.0 GHz P4 Processor</p> + </td></tr><tr><td> + <p>1 GB RAM</p> + </td></tr><tr><td> + <p>120 GB SATA operating system drive</p> + </td></tr><tr><td> + <p>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</p> + </td></tr><tr><td> + <p>2 x 80 GB SATA removable drives for online backup</p> + </td></tr><tr><td> + <p>A DLT drive for asynchronous offline backup</p> + </td></tr><tr><td> + <p>SUSE Linux Professional 9.1</p> + </td></tr></table><p> + The new system has operated for 6 months without problems. Over the past months + much attention has been focused on cleaning up desktops and user profiles. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id376162"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id376170"></a> + <a class="indexterm" name="id376176"></a> + <a class="indexterm" name="id376183"></a> + <a class="indexterm" name="id376190"></a> + A decision to use LDAP was made even though I knew nothing about LDAP except that + I had been reading the book “<span class="quote">LDAP System Administration,</span>” by Gerald Carter. + LDAP seemed to provide some of the functionality of Novell's e-Directory Services + and would provide centralized authentication and identity management. + </p><p> + <a class="indexterm" name="id376206"></a> + <a class="indexterm" name="id376213"></a> + <a class="indexterm" name="id376220"></a> + Building the LDAP database took a while and a lot of trial and error. Following + the guidance I obtained from “<span class="quote">LDAP System + Administration,</span>” I installed OpenLDAP (from RPM; later I compiled + a more current version from source) and built my initial LDAP tree. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id376233"></a>Technical Issues</h3></div></div></div><p> + <a class="indexterm" name="id376241"></a> + <a class="indexterm" name="id376248"></a> + <a class="indexterm" name="id376255"></a> + <a class="indexterm" name="id376262"></a> + <a class="indexterm" name="id376268"></a> + <a class="indexterm" name="id376275"></a> + <a class="indexterm" name="id376282"></a> + <a class="indexterm" name="id376289"></a> + <a class="indexterm" name="id376296"></a> + The first challenge was to create a company white pages, followed by manually + entering everything from the printed company directory. This used only the inetOrgPerson + object class from the OpenLDAP schemas. The next step was to write a shell script that + would look at the <code class="filename">/etc/passwd</code> and <code class="filename">/etc/shadow</code> + files on our mail server and create an LDIF file from which the information could be + imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, + and SMTP. + </p><p> + Because a decision was made to use Courier-IMAP the schema “<span class="quote">authldap.schema</span>” + from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory + needs. Where the Courier-IMAP file provided by SUSE is used, this file is named + <code class="filename">courier.schema</code>. + </p><p> + Looking back, it would have been much easier to populate the LDAP directory using a convenient + tool such as <code class="literal">phpLDAPAdmin</code> from the outset. An excessive amount of time was + spent trying to generate LDIF files that could be parsed using the <code class="literal">ldapmodify</code> + so that necessary changes could be written to the directory. This was a learning experience! + </p><p> + An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to + make them work. Instead, even though it is most inelegant, I wrote a simple script that did + what I needed. It is enclosed as a simple example to demonstrate that you do not need to be + a guru to make light of otherwise painful repetition. This file is listed in <a href="nw4migration.html#sbeamg" title="Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files">???</a>. + </p><div class="example"><a name="sbeamg"></a><p class="title"><b>Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash + +cat /etc/passwd | while read l; do + uid=`echo $l | cut -d : -f 1` + uidNumber=`echo $l | cut -d : -f 3` + gidNumber=`echo $1 | cut -d : -f 4` + gecos=`echo $l | cut -d : -f 5` + homeDirectory=`echo $l | cut -d : -f 6` + loginShell=`echo $l | cut -d : -f 6` + userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2` + + echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com" + echo "objectClass: account" + echo "objectClass: posixAccount" + echo "cn: $gecos" + echo "uid: $uid" + echo "uidNumber: $uidNumber" + echo "gidNumber: $gidNumber" + echo "homeDirectory: $homeDirectory" + echo "loginShell: $loginShell" + echo "userPassword: $userPassword" +done +</pre></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + + The PADL MigrationTools are recommended for migration of the UNIX account information into + the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups, + aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text + files (or from a name service such as NIS). This too set can be obtained from the <a href="http://www.padl.com" target="_top">PADL Web site</a>. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id376404"></a>Implementation</h2></div></div></div><p> + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id376413"></a>NetWare Migration Using LDAP Backend</h3></div></div></div><p> + The following software must be installed on the SUSE Linux Enterprise Server to perform + this migration: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>courier-imap</p></td></tr><tr><td><p>courier-imap-ldap</p></td></tr><tr><td><p>nss_ldap</p></td></tr><tr><td><p>openldap2-client</p></td></tr><tr><td><p>openldap2-devel (only for Samba compilation)</p></td></tr><tr><td><p>openldap2</p></td></tr><tr><td><p>pam_ldap</p></td></tr><tr><td><p>samba-3.0.20 or later</p></td></tr><tr><td><p>samba-client-3.0.20 or later</p></td></tr><tr><td><p>samba-winbind-3.0.20 or later</p></td></tr><tr><td><p>smbldap-tools Version 0.9.1</p></td></tr></table><p> + Each software application must be carefully configured in preparation for migration. + The configuration files used at Abmas are provided as a guide and should be modified + to meet needs at your site. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id376484"></a>LDAP Server Configuration</h4></div></div></div><p> + The <code class="filename">/etc/openldap/slapd.conf</code> file Misty used is shown here: +</p><pre class="programlisting"> +#/etc/openldap/slapd.conf +# +# See slapd.conf(5) for details on configuration options. +# This file should NOT be world readable. +# +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba3.schema +include /etc/openldap/schema/dhcp.schema +include /etc/openldap/schema/misc.schema +include /etc/openldap/schema/idpool.schema +include /etc/openldap/schema/eduperson.schema +include /etc/openldap/schema/commURI.schema +include /etc/openldap/schema/local.schema +include /etc/openldap/schema/courier.schema + +pidfile /var/run/slapd/run/slapd.pid +argsfile /var/run/slapd/run/slapd.args + +replogfile /data/ldap/log/slapd.replog + +# Load dynamic backend modules: +modulepath /usr/lib/openldap/modules + +####################################################################### +# Logging parameters +####################################################################### +loglevel 256 + +####################################################################### +# SASL and TLS options +####################################################################### +sasl-host ldap.corp.abmas.org +sasl-realm DIGEST-MD5 +sasl-secprops none +TLSCipherSuite HIGH:MEDIUM:+SSLV2 +TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem +TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem +password-hash {SSHA} +defaultsearchbase "dc=abmas,dc=biz" + +####################################################################### +# bdb database definitions +####################################################################### +database bdb +suffix "dc=abmas,dc=biz" +rootdn "cn=manager,dc=abmas,dc=biz" +rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5 +directory /data/ldap +mode 0600 +# The following is for BDB to make it flush its data to disk every +# 500 seconds or 5kb of data +checkpoint 500 5 + +## For running slapindex +#readonly on + +## Indexes for often-requested attributes +index objectClass eq +index cn eq,sub +index sn eq,sub +index uid eq,sub +index uidNumber eq +index gidNumber eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +cachesize 2000 + +replica host=baa.corp.abmas.org:389 + suffix="dc=abmas,dc=biz" + binddn="cn=replica,dc=abmas,dc=biz" + credentials=verysecret + bindmethod=simple + tls=yes +replica host=ns.abmas.org:389 + suffix="dc=abmas,dc=biz" + binddn="cn=replica,dc=abmas,dc=biz" + credentials=verysecret + bindmethod=simple + tls=yes + +####################################################################### +# ACL section +####################################################################### +## MOST RESTRICTIVE RULES MUST GO FIRST! +# Admins get access to everything. This way I do not have to rename. +access to * + by group/groupOfUniqueNames/uniqueMember="cn=LDAP +Administrators,ou=groups,dc=abmas,dc=biz" write + by * break + +## Users can change their own passwords. +access to +attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet, +sambaPwdMustChange,sambaPwdCanChange + by self write + by * auth + +## Home contact info restricted to the logged-in user and the HR dept +access to attrs=hometelephoneNumber,homePostalAddress, +mobileTelephoneNumber,pagerTelephoneNumber + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by self write + by * none + +## Everyone can read email aliases +access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz" + by * read + +## Only admins can manage email aliases +## If someone is the role occupant of an alias they can change it -- this +## is accomplished by the "organizationalRole" objectclass and is +## pretty cool -- like a groupOfUniqueNames but for individual +## users. +access to dn.children="ou=Email Aliases,dc=abmas,dc=biz" + by dnattr=roleOccupant write + by * read + +## Admins and HR can add and delete users +access to dn.sub="ou=people,dc=abmas,dc=biz" + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by * read + +## Admins and HR can add and delete bizputers +access to dn.sub="ou=bizputers,dc=abmas,dc=biz" + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by * read + +## Admins and HR can add and delete groups +access to dn.sub="ou=groups,dc=abmas,dc=biz" + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by * read + +## This is used to quickly deactivate any LDAP object only +## Admins have access. +access to dn.sub="ou=inactive,dc=abmas,dc=biz" + by * none + +## This is for programs like Windows Address Book that can +## detect the default search base. +access to attrs=namingcontexts,supportedControl + by anonymous =cs + by * read + +## Default to read-only access +access to * + by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write + by * read +</pre><p> +</p><p> + <a class="indexterm" name="id376595"></a> + The <code class="filename">/etc/ldap.conf</code> file used is listed in <a href="nw4migration.html#ch8ldap" title="Example 10.2. NSS LDAP Control File /etc/ldap.conf">???</a>. + </p><div class="example"><a name="ch8ldap"></a><p class="title"><b>Example 10.2. NSS LDAP Control File /etc/ldap.conf</b></p><div class="example-contents"><pre class="screen"> +# /etc/ldap.conf +# This file is present on every *NIX client that authenticates to LDAP. +# For me, most of the defaults are fine. There is an amazing amount of +# customization that can be done see the man page for info. + +# Your LDAP server. Must be resolvable without using LDAP. The following +# is for the LDAP server all others use the FQDN of the server +URI ldap://127.0.0.1 + +# The distinguished name of the search base. +base ou=corp,dc=abmas,dc=biz + +# The LDAP version to use (defaults to 3 if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with if the effective +# user ID is root. Password is stored in /etc/ldap.secret (mode 600) +rootbinddn cn=Manager,dc=abmas,dc=biz + +# Filter to AND with uid=%s +pam_filter objectclass=posixAccount + +# The user ID attribute (defaults to uid) +pam_login_attribute uid + +# Group member attribute +pam_member_attribute memberUID + +# Use the OpenLDAP password change +# extended operation to update the password. +pam_password exop + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +ssl start_tls + +tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem +... +</pre></div></div><br class="example-break"><p> + The NSS control file <code class="filename">/etc/nsswitch.conf</code> has the following contents: +</p><pre class="screen"> +# /etc/nsswitch.conf +# This file controls the resolve order for system databases. + +# the following two lines obviate the "+" entry in /etc/passwd and /etc/group. +passwd: compat ldap +group: compat ldap +# The above are all that I store in LDAP at this point. There are +# possibilities to store hosts, services, ethers, and lots of other things. +</pre><p> + </p><p> + <a class="indexterm" name="id376674"></a> + <a class="indexterm" name="id376681"></a> + In my setup, users authenticate via PAM and NSS using LDAP-based accounts. + The configuration file that controls the behavior of the PAM <code class="literal">pam_unix2</code> + module is shown in <a href="nw4migration.html#sbepu2" title="Example 10.3. The PAM Control File /etc/security/pam_unix2.conf">???</a> file. + This works out of the box with the configuration files in this chapter. It + enables you to have no local accounts for users (it is highly advisable + to have a local account for the root user). Traps for the unwary include the following: + </p><div class="example"><a name="sbepu2"></a><p class="title"><b>Example 10.3. The PAM Control File <code class="filename">/etc/security/pam_unix2.conf</code></b></p><div class="example-contents"><pre class="screen"> +# pam_unix2 config file +# +# This file contains options for the pam_unix2.so module. +# It contains a list of options for every type of management group, +# which will be used for authentication, account management and +# password management. Not all options will be used from all types of +# management groups. +# +# At first, pam_unix2 will read this file and then uses the local +# options. Not all options can be set her global. +# +# Allowed options are: +# +# debug (account, auth, password, session) +# nullok (auth) +# md5 (password / overwrites /etc/default/passwd) +# bigcrypt (password / overwrites /etc/default/passwd) +# blowfish (password / overwrites /etc/default/passwd) +# crypt_rounds=XX +# none (session) +# trace (session) +# call_modules=x,y,z (account, auth, password) +# +# Example: +# auth: nullok +# account: +# password: nullok blowfish crypt_rounds=8 +# session: none +# +auth: use_ldap +account: use_ldap +password: use_ldap +session: none +</pre></div></div><br class="example-break"><a class="indexterm" name="id376733"></a><a class="indexterm" name="id376740"></a><a class="indexterm" name="id376747"></a><div class="itemizedlist"><ul type="disc"><li><p> + If your LDAP database goes down, nobody can authenticate except for root. + </p></li><li><p> + If failover is configured incorrectly, weird behavior can occur. For example, + DNS can fail to resolve. + </p></li></ul></div><p> + I do have two LDAP slave servers configured. That subject is beyond the scope + of this document, and steps for implementing it are well documented. + </p><p> + The following services authenticate using LDAP: + </p><a class="indexterm" name="id376779"></a><a class="indexterm" name="id376786"></a><a class="indexterm" name="id376793"></a><table class="simplelist" border="0" summary="Simple list"><tr><td><p>UNIX login/ssh</p></td></tr><tr><td><p>Postfix (SMTP)</p></td></tr><tr><td><p>Courier-IMAP/IMAPS/POP3/POP3S</p></td></tr></table><p> + <a class="indexterm" name="id376821"></a> + <a class="indexterm" name="id376828"></a> + Companywide white pages can be searched using an LDAP client + such as the one in the Windows Address Book. + </p><p> + <a class="indexterm" name="id376839"></a> + <a class="indexterm" name="id376846"></a> + Having gained a solid understanding of LDAP and a relatively workable LDAP tree + thus far, it was time to configure Samba. I compiled the latest stable Samba and + also installed the latest <code class="literal">smbldap-tools</code> from + <a href="http://idealx.com" target="_top">Idealx</a>. + </p><p> + The Samba <code class="filename">smb.conf</code> file was configured as shown in <a href="nw4migration.html#ch8smbconf" title="Example 10.4. Samba Configuration File smb.conf Part A">???</a>. + </p><div class="example"><a name="ch8smbconf"></a><p class="title"><b>Example 10.4. Samba Configuration File smb.conf Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id376912"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id376925"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id376937"></a><em class="parameter"><code>server string = Corp File Server</code></em></td></tr><tr><td><a class="indexterm" name="id376950"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id376963"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id376976"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id376988"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id377001"></a><em class="parameter"><code>log file = /data/samba/log/%m.log</code></em></td></tr><tr><td><a class="indexterm" name="id377013"></a><em class="parameter"><code>name resolve order = wins host bcast</code></em></td></tr><tr><td><a class="indexterm" name="id377026"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id377039"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id377051"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id377064"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a class="indexterm" name="id377076"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id377089"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id377102"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id377115"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id377129"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id377142"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w "%m"</code></em></td></tr><tr><td><a class="indexterm" name="id377155"></a><em class="parameter"><code>logon script = logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id377167"></a><em class="parameter"><code>logon path = \\%L\profiles\%U\%a</code></em></td></tr><tr><td><a class="indexterm" name="id377180"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id377193"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id377205"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id377218"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id377230"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id377243"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id377256"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id377268"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id377281"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id377294"></a><em class="parameter"><code>ldap suffix = ou=MEGANET2,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id377306"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id377319"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id377332"></a><em class="parameter"><code>admin users = root, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id377344"></a><em class="parameter"><code>printer admin = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id377357"></a><em class="parameter"><code>force printername = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf2"></a><p class="title"><b>Example 10.5. Samba Configuration File smb.conf Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id377397"></a><em class="parameter"><code>comment = Network logon service</code></em></td></tr><tr><td><a class="indexterm" name="id377409"></a><em class="parameter"><code>path = /data/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id377422"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id377435"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id377456"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id377469"></a><em class="parameter"><code>path = /data/samba/profiles/</code></em></td></tr><tr><td><a class="indexterm" name="id377482"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id377494"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id377507"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id377519"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id377541"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id377553"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id377566"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id377578"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id377591"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id377604"></a><em class="parameter"><code>hide files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id377616"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[software]</code></em></td></tr><tr><td><a class="indexterm" name="id377638"></a><em class="parameter"><code>comment = Software for %a computers</code></em></td></tr><tr><td><a class="indexterm" name="id377650"></a><em class="parameter"><code>path = /data/samba/shares/software/%a</code></em></td></tr><tr><td><a class="indexterm" name="id377663"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id377685"></a><em class="parameter"><code>comment = Public Files</code></em></td></tr><tr><td><a class="indexterm" name="id377697"></a><em class="parameter"><code>path = /data/samba/shares/public</code></em></td></tr><tr><td><a class="indexterm" name="id377710"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id377722"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[PDF]</code></em></td></tr><tr><td><a class="indexterm" name="id377744"></a><em class="parameter"><code>comment = Location of documents printed to PDFCreator printer</code></em></td></tr><tr><td><a class="indexterm" name="id377757"></a><em class="parameter"><code>path = /data/samba/shares/pdf</code></em></td></tr><tr><td><a class="indexterm" name="id377769"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf3"></a><p class="title"><b>Example 10.6. Samba Configuration File smb.conf Part C</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[EVERYTHING]</code></em></td></tr><tr><td><a class="indexterm" name="id377809"></a><em class="parameter"><code>comment = All shares</code></em></td></tr><tr><td><a class="indexterm" name="id377822"></a><em class="parameter"><code>path = /data/samba</code></em></td></tr><tr><td><a class="indexterm" name="id377834"></a><em class="parameter"><code>valid users = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id377847"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[CDROM]</code></em></td></tr><tr><td><a class="indexterm" name="id377868"></a><em class="parameter"><code>comment = CD-ROM on MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id377881"></a><em class="parameter"><code>path = /mnt</code></em></td></tr><tr><td><a class="indexterm" name="id377894"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id377915"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id377928"></a><em class="parameter"><code>path = /data/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id377940"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id377953"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id377974"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id377987"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id378000"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id378012"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id378025"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[acct_hp8500]</code></em></td></tr><tr><td><a class="indexterm" name="id378046"></a><em class="parameter"><code>comment = "Accounting Color Laser Printer"</code></em></td></tr><tr><td><a class="indexterm" name="id378059"></a><em class="parameter"><code>path = /data/samba/spool/private</code></em></td></tr><tr><td><a class="indexterm" name="id378072"></a><em class="parameter"><code>valid users = @acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</code></em></td></tr><tr><td><a class="indexterm" name="id378085"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id378097"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id378110"></a><em class="parameter"><code>copy = printers</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[plotter]</code></em></td></tr><tr><td><a class="indexterm" name="id378131"></a><em class="parameter"><code>comment = Engineering Plotter</code></em></td></tr><tr><td><a class="indexterm" name="id378144"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id378157"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id378169"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id378182"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id378194"></a><em class="parameter"><code>copy = printers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf4"></a><p class="title"><b>Example 10.7. Samba Configuration File smb.conf Part D</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[APPS]</code></em></td></tr><tr><td><a class="indexterm" name="id378234"></a><em class="parameter"><code>path = /data/samba/shares/Apps</code></em></td></tr><tr><td><a class="indexterm" name="id378247"></a><em class="parameter"><code>force group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id378260"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT]</code></em></td></tr><tr><td><a class="indexterm" name="id378281"></a><em class="parameter"><code>path = /data/samba/shares/Accounting</code></em></td></tr><tr><td><a class="indexterm" name="id378294"></a><em class="parameter"><code>valid users = @acct, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id378306"></a><em class="parameter"><code>force group = acct</code></em></td></tr><tr><td><a class="indexterm" name="id378319"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id378331"></a><em class="parameter"><code>create mask = 0660</code></em></td></tr><tr><td><a class="indexterm" name="id378344"></a><em class="parameter"><code>directory mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT_ADMIN]</code></em></td></tr><tr><td><a class="indexterm" name="id378365"></a><em class="parameter"><code>path = /data/samba/shares/Acct_Admin</code></em></td></tr><tr><td><a class="indexterm" name="id378378"></a><em class="parameter"><code>valid users = @â€acct_adminâ€</code></em></td></tr><tr><td><a class="indexterm" name="id378391"></a><em class="parameter"><code>force group = acct_admin</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[HR_PR]</code></em></td></tr><tr><td><a class="indexterm" name="id378413"></a><em class="parameter"><code>path = /data/samba/shares/HR_PR</code></em></td></tr><tr><td><a class="indexterm" name="id378425"></a><em class="parameter"><code>valid users = @hr, @acct_admin</code></em></td></tr><tr><td><a class="indexterm" name="id378438"></a><em class="parameter"><code>force group = hr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ENGR]</code></em></td></tr><tr><td><a class="indexterm" name="id378460"></a><em class="parameter"><code>path = /data/samba/shares/Engr</code></em></td></tr><tr><td><a class="indexterm" name="id378472"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id378485"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id378498"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id378510"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[DATA]</code></em></td></tr><tr><td><a class="indexterm" name="id378532"></a><em class="parameter"><code>path = /data/samba/shares/DATA</code></em></td></tr><tr><td><a class="indexterm" name="id378544"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id378557"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id378570"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id378582"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id378595"></a><em class="parameter"><code>copy = engr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf5"></a><p class="title"><b>Example 10.8. Samba Configuration File smb.conf Part E</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[X]</code></em></td></tr><tr><td><a class="indexterm" name="id378634"></a><em class="parameter"><code>path = /data/samba/shares/X</code></em></td></tr><tr><td><a class="indexterm" name="id378647"></a><em class="parameter"><code>valid users = @engr, @acct</code></em></td></tr><tr><td><a class="indexterm" name="id378660"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id378672"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id378685"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id378697"></a><em class="parameter"><code>copy = engr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[NETWORK]</code></em></td></tr><tr><td><a class="indexterm" name="id378719"></a><em class="parameter"><code>path = /data/samba/shares/network</code></em></td></tr><tr><td><a class="indexterm" name="id378732"></a><em class="parameter"><code>valid users = "@Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id378744"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id378757"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id378769"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[UTILS]</code></em></td></tr><tr><td><a class="indexterm" name="id378791"></a><em class="parameter"><code>path = /data/samba/shares/Utils</code></em></td></tr><tr><td><a class="indexterm" name="id378803"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[SYS]</code></em></td></tr><tr><td><a class="indexterm" name="id378825"></a><em class="parameter"><code>path = /data/samba/shares/SYS</code></em></td></tr><tr><td><a class="indexterm" name="id378838"></a><em class="parameter"><code>valid users = chad</code></em></td></tr><tr><td><a class="indexterm" name="id378850"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id378863"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id378878"></a> + <a class="indexterm" name="id378885"></a> + <a class="indexterm" name="id378892"></a> + Most of these shares are only used by one company group, but they are required + because of some ancient Qbasic and Rbase applications were that written expecting + their own drive letters. + </p><p> + <a class="indexterm" name="id378904"></a> + <a class="indexterm" name="id378911"></a> + <a class="indexterm" name="id378917"></a> + Note: During the process of building the new server, I kept data files + up to date with the Novell server via use of <code class="literal">rsync</code>. + On a separate system (my workstation in fact), which could be rebooted + whenever necessary, I set up a mount point to the Novell server via + <code class="literal">ncpmount</code>. I then created a + <code class="filename">rsyncd.conf</code> to share that mount point out to my + new server, and synchronized once an hour. The script I used to synchronize + is shown in <a href="nw4migration.html#sbersync" title="Example 10.9. Rsync Script">???</a>. The files exclusion list I used + is shown in <a href="nw4migration.html#sbexcld" title="Example 10.10. Rsync Files Exclusion List /root/excludes.txt">???</a>. The reason I had to have the + <code class="literal">rsync</code> daemon running on a system that could be + rebooted frequently is because <code class="constant">ncpfs</code> + (part of the MARS NetWare Emulation package) has a nasty habit of creating stale + mount points that cannot be recovered without a reboot. The reason for hourly + synchronization is because some part of the chain was very slow and + performance-heavy (whether <code class="literal">rsync</code> itself, the network, + or the Novell server, I am not sure, but it was probably the Novell server). + </p><div class="example"><a name="sbersync"></a><p class="title"><b>Example 10.9. Rsync Script</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash +# Part 1 - rsync the Novell directories to the new server +echo "#############################################" +echo "New sync operation starting at `date`" +if ! pgrep -fl '^rsync\> ; then + echo "Good, no rsync is running!" + echo "Synchronizing oink to BHPRO" + rsync -av --exclude-from=/root/excludes.txt +baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1 + retval=$? + [ ${retval} = 0 ] && echo "Sync operation completed at `date`" + echo "Fixing permissions" + # I had a whole lot more permission-fixing stuff here. It got + # pared down as groups got moved over. The problem + # was that the way I was mounting the directory, everything + # was owned by the Novell administrator which translated to + # Root. This is also why I could only do one-way sync because + # I could not fix the ACLs on the Novell side. + find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \; + find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \; +else + # This rsync took ages and ages -- I had it set to run every hour but + # I needed a way to prevent it running into itself. + echo "Oh no, rsync is already running!" +echo "#############################################" +fi +</pre></div></div><br class="example-break"><div class="example"><a name="sbexcld"></a><p class="title"><b>Example 10.10. Rsync Files Exclusion List <code class="filename">/root/excludes.txt</code></b></p><div class="example-contents"><pre class="screen"> +/Acct/ +/Apps/ +/DATA/ +/Engr/*.pc3 +/Engr/plotter +/Engr/APPOLO/ +/Engr/LIBRARY/ +/Home/Accounting/ +/Home/Angie/ +/Home/AngieY/ +/Home/Brandon/ +/Home/Carl/ +</pre></div></div><br class="example-break"><p> + After Samba was configured, I initialized the LDAP database. The first + thing I had to do was store the LDAP password in the Samba configuration by + issuing the command (as root): +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w verysecret +</pre><p> + where “<span class="quote">verysecret</span>” is replaced by the LDAP bind password. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The Idealx smbldap-tools package can be configured using a script called +<code class="literal">configure.pl</code> that is provided as part of the tool. See <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> +for an example of its use. Many administrators, like Misty, choose to do this manually +so as to maintain greater awareness of how the tool-chain works and possibly to avoid +undesirable actions from occurring unnoticed. +</p></div><p> + Now Samba was ready for use and it was time to configure the smbldap-tools. There are two + relevant files, which are usually put into the directory + <code class="filename">/etc/smbldap-tools</code>. The main file, + <code class="filename">smbldap.conf</code> is shown in <a href="nw4migration.html#ch8ideal" title="Example 10.11. Idealx smbldap-tools Control File Part A">???</a>. + </p><div class="example"><a name="ch8ideal"></a><p class="title"><b>Example 10.11. Idealx smbldap-tools Control File Part A</b></p><div class="example-contents"><pre class="screen"> +######### +# +# located in /etc/smbldap-tools/smbldap.conf +# +###################################################################### +# +# General Configuration +# +###################################################################### + +# Put your own SID +# to obtain this number do: net getlocalsid +SID="S-1-5-21-725326080-1709766072-2910717368" + +###################################################################### +# +# LDAP Configuration +# +###################################################################### + +# Notes: to use to dual ldap servers backend for Samba, you must patch +# Samba with the dual-head patch from IDEALX. If not using this patch +# just use the same server for slaveLDAP and masterLDAP. +# Those two servers declarations can also be used when you have +# . one master LDAP server where all writing operations must be done +# . one slave LDAP server where all reading operations must be done +# (typically a replication directory) + +# Ex: slaveLDAP=127.0.0.1 +slaveLDAP="127.0.0.1" +slavePort="389" + +# Master LDAP : needed for write operations +# Ex: masterLDAP=127.0.0.1 +masterLDAP="127.0.0.1" +masterPort="389" + +# Use TLS for LDAP +# If set to 1, this option will use start_tls for connection +# (you should also used the port 389) +ldapTLS="0" + +# How to verify the server's certificate (none, optional or require) +# see "man Net::LDAP" in start_tls section for more details +verify="" +</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal2"></a><p class="title"><b>Example 10.12. Idealx smbldap-tools Control File Part B</b></p><div class="example-contents"><pre class="screen"> +# CA certificate +# see "man Net::LDAP" in start_tls section for more details +cafile="" + certificate to use to connect to the ldap server +# see "man Net::LDAP" in start_tls section for more details +clientcert="" + +# key certificate to use to connect to the ldap server +# see "man Net::LDAP" in start_tls section for more details +clientkey="" + +# LDAP Suffix +# Ex: suffix=dc=IDEALX,dc=ORG +suffix="ou=MEGANET2,dc=abmas,dc=biz" + +# Where are stored Users +# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" +usersdn="ou=People,${suffix}" + +# Where are stored Computers +# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" +computersdn="ou=People,${suffix}" + +# Where are stored Groups +# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG" +groupsdn="ou=Groups,${suffix}" + +# Where are stored Idmap entries +# (used if samba is a domain member server) +# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" +idmapdn="ou=Idmap,${suffix}" + +# Where to store next uidNumber and gidNumber available +sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}" + +# Default scope Used +scope="sub" +</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal3"></a><p class="title"><b>Example 10.13. Idealx smbldap-tools Control File Part C</b></p><div class="example-contents"><pre class="screen"> +# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) +hash_encrypt="MD5" + +# if hash_encrypt is set to CRYPT, you may set a salt format. +# default is "%s", but many systems will generate MD5 hashed +# passwords if you use "$1$%.8s". This parameter is optional! +crypt_salt_format="%s" + +###################################################################### +# +# Unix Accounts Configuration +# +###################################################################### + +# Login defs +# Default Login Shell +# Ex: userLoginShell="/bin/bash" +userLoginShell="/bin/false" + +# Home directory +# Ex: userHome="/home/%U" +userHome="/home/%U" + +# Gecos +userGecos="Samba User" + +# Default User (POSIX and Samba) GID +defaultUserGid="513" + +# Default Computer (Samba) GID +defaultComputerGid="515" + +# Skel dir +skeletonDir="/etc/skel" + +# Default password validation time (time in days) Comment the next +# line if you don't want password to be enable for +# defaultMaxPasswordAge days (be careful to the sambaPwdMustChange +# attribute's value) +defaultMaxPasswordAge="45" +</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal4"></a><p class="title"><b>Example 10.14. Idealx smbldap-tools Control File Part D</b></p><div class="example-contents"><pre class="screen"> +###################################################################### +# +# SAMBA Configuration +# +###################################################################### + +# The UNC path to home drives location (%U username substitution) +# Ex: \\My-PDC-netbios-name\homes\%U +# Just set it to a null string if you want to use the smb.conf +# 'logon home' directive and/or disable roaming profiles +userSmbHome="" + +# The UNC path to profiles locations (%U username substitution) +# Ex: \\My-PDC-netbios-name\profiles\%U +# Just set it to a null string if you want to use the smb.conf +# 'logon path' directive and/or disable roaming profiles +userProfile="" + +# The default Home Drive Letter mapping +# (will be automatically mapped at logon time if home directory exist) +# Ex: H: for H: +userHomeDrive="" + +# The default user netlogon script name (%U username substitution) +# if not used, will be automatically username.cmd +# make sure script file is edited under DOS +# Ex: %U.cmd +# userScript="startup.cmd" # make sure script file is edited under DOS +userScript="" + +# Domain appended to the users "mail"-attribute +# when smbldap-useradd -M is used +mailDomain="abmas.org" + +###################################################################### +# +# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) +# +###################################################################### +# Allows not to use smbpasswd +# (if with_smbpasswd == 0 in smbldap_conf.pm) but +# prefer Crypt::SmbHash library +with_smbpasswd="0" +smbpasswd="/usr/bin/smbpasswd" +</pre></div></div><br class="example-break"><p> + <a class="indexterm" name="id379248"></a> + Note: I chose not to take advantage of the TLS capability of this. + Eventually I may go back and tweak it. Also, I chose not to take advantage + of the master/slave configuration as I heard horror stories that it was + unstable. My slave servers are replicas only. + </p><p> + The <code class="filename">/etc/smbldap-tools/smbldap_bind.conf</code> file is shown here: +</p><pre class="screen"> +# smbldap_bind.conf +# +# This file simply tells smbldap-tools how to bind to your LDAP server. +# It has to be a DN with full write access to the Samba portion of +# the database. + +############################ +# Credential Configuration # +############################ +# Notes: you can specify two different configurations if you use a +# master ldap for writing access and a slave ldap server for reading access +# By default, we will use the same DN (so it will work for standard Samba +# release) +slaveDN="cn=Manager,dc=abmas,dc=biz" +slavePw="verysecret" +masterDN="cn=Manager,dc=abmas,dc=biz" +masterPw="verysecret" +</pre><p> + </p><p> + The next step was to run the <code class="literal">smbldap-populate</code> command, which populates + the LDAP tree with the appropriate default users, groups, and UID and GID pools. + It creates a user called Administrator with UID=0 and GID=0 matching the + Domain Admins group. This is fine because you can still log on as root to a Windows system, + but it will break cached credentials if you need to log on as the administrator + to a system that is not on the network. + </p><p> + After the LDAP database has been preloaded, it is prudent to validate that the + information needed is in the LDAP directory. This can be done done by restarting + the LDAP server, then performing an LDAP search by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> ldapsearch -W -x -b "dc=abmas,dc=biz"\ + -D "cn=Manager,dc=abmas,dc=biz" \ + "(Objectclass=*)" +Enter LDAP Password: +# extended LDIF +# +# LDAPv3 +# base <dc=abmas,dc=biz> with scope sub +# filter: (ObjectClass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +o: abmas +dc: abmas + +# People, abmas.biz +dn: ou=People,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: People + +# Groups, abmas.biz +dn: ou=Groups,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: Groups + +# Idmap, abmas.biz +dn: ou=Idmap,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: Idmap +... +</pre><p> + </p><p> + <a class="indexterm" name="id379322"></a> + <a class="indexterm" name="id379329"></a> + <a class="indexterm" name="id379336"></a> + <a class="indexterm" name="id379342"></a> + <a class="indexterm" name="id379349"></a> + With the LDAP directory now initialized, it was time to create the Windows and POSIX + (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. + The easiest way to do this was to use <code class="literal">smbldap-groupadd</code> command. + It creates the group with the posixGroup and sambaGroupMapping attributes, a + unique GID, and an automatically determined RID. I learned the hard way not to + try to do this by hand. + </p><p> + <a class="indexterm" name="id379368"></a> + <a class="indexterm" name="id379375"></a> + <a class="indexterm" name="id379382"></a> + After I had my group mappings in place, I added users to the groups (the users + don't really have to exist yet). I used the <code class="literal">smbldap-groupmod</code> + command to accomplish this. It can also be done manually by adding memberUID + attributes to the group entries in LDAP. + </p><p> + <a class="indexterm" name="id379400"></a> + <a class="indexterm" name="id379407"></a> + <a class="indexterm" name="id379414"></a> + The most monumental task of all was adding the sambaSamAccount information to each + already existent posixAccount entry. I did it one at a time as I moved people onto + the new server, by issuing the command: +</p><pre class="screen"> +<code class="prompt">root# </code> smbldap-usermod -a -P username +</pre><p> + <a class="indexterm" name="id379434"></a> + <a class="indexterm" name="id379441"></a> + <a class="indexterm" name="id379447"></a> + I completed that step for every user after asking the person what his or her current + NetWare password was. The wiser way to have done it would probably have been to dump the + entire database to an LDIF file. This can be done by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat > somefile.ldif +</pre><p> + <a class="indexterm" name="id379468"></a> + <a class="indexterm" name="id379475"></a> + Then update the LDIF file created by using a Perl script to parse and add the + appropriate attributes and objectClasses to each entry, followed by re-importing + the entire database into the LDAP directory. + </p><p> + Rebuilding of the LDAP directory can be done as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap stop +<code class="prompt">root# </code> cd /data/ldap +<code class="prompt">root# </code> rm *bdb _* log* +<code class="prompt">root# </code> su - ldap -c "slapadd -l somefile.ldif" +<code class="prompt">root# </code> rcldap start +</pre><p> + This can be done at any time and for any reason, with no harm to the database. + </p><p> + I first added a test user, of course. The LDIF for this test user looks like + this, to give you an idea: +</p><pre class="screen"> +# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz +dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz +cn: Test User +gecos: Test User +gidNumber: 513 +givenName: Test +homeDirectory: /home/test.user +homePhone: 555 +l: Somewhere +l: ST +mail: test.user +o: Corp +objectClass: top +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: sambaSamAccount +postalCode: 12345 +sn: User +street: 10 Some St. +uid: test.user +uidNumber: 1074 +sambaLogonTime: 0 +sambaLogoffTime: 2147483647 +sambaKickoffTime: 2147483647 +sambaPwdCanChange: 0 +displayName: Samba User +sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148 +sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE +sambaAcctFlags: [U] +sambaNTPassword: D062088E99C95E37D7702287BB35E770 +sambaPwdLastSet: 1102537694 +sambaPwdMustChange: 1106425694 +userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8 +loginShell: /bin/false +</pre><p> + </p><p> + Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain. + It worked, and the machine's account entry under ou=Computers looks like this: +</p><pre class="screen"> +dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz +objectClass: top +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: sambaSamAccount +cn: w2kengrspare$ +sn: w2kengrspare$ +uid: w2kengrspare$ +uidNumber: 1104 +gidNumber: 515 +homeDirectory: /dev/null +loginShell: /bin/false +description: Computer +gecos: Computer +sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208 +sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031 +displayName: W2KENGRSPARE$ +sambaPwdCanChange: 1103149236 +sambaPwdMustChange: 2147483647 +sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834 +sambaPwdLastSet: 1103149236 +sambaAcctFlags: [W ] +</pre><p> + </p><p> + <a class="indexterm" name="id379568"></a> + So now I could log on with a test user from the machine w2kengrspare. It was all well and + good, but that user was in no groups yet and so had pretty boring access. I fixed that + by writing the login script! To write the login script, I used + <a href="http://www.kixtart.org" target="_top">Kixtart</a> because it will work + with every architecture of Windows, has an active and helpful user base, and was both + easier to learn and more powerful than the standard netlogon scripts I have seen. + I also did not have to do a logon script per user or per group. + </p><p> + <a class="indexterm" name="id379588"></a> + I downloaded Kixtart and put the following files in my netlogon share: +</p><pre class="screen"> +KIX32.EXE +KX32.dll +KX95.dll <-- Not needed unless you are running Win9x clients. +kx16.dll <-- Probably not needed unless you are running DOS clients. +kxrpc.exe <-- Probably useless as it has to run on the server and can + only be run on NT. It's for Windows 95 to become group-aware. + We can get around the need. +</pre><p> + </p><p> + <a class="indexterm" name="id379611"></a> + I then wrote the <code class="filename">logon.kix</code> file that is shown in + <a href="nw4migration.html#ch8kix" title="Example 10.15. Kixtart Control File File: logon.kix">???</a>. I chose to keep it all in one file, but it + can be split up and linked via include directives. + </p><div class="example"><a name="ch8kix"></a><p class="title"><b>Example 10.15. Kixtart Control File File: logon.kix</b></p><div class="example-contents"><pre class="screen"> +; This script just calls the other scripts. + +; First we want to get things done for everyone. + +; Second, we do first-time login stuff. + +; Third, we go through the group-oriented scripts one at a time. + + +; We want to check for group membership here to avoid the overhead of running +; scripts which don't apply. +call "\\massive\netlogon\scripts\main.kix" +call "\\massive\netlogon\scripts\setup.kix" +IF INGROUP("MEGANET2\ACCT") + call "scripts\acct.kix" +ENDIF +IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST") +call "\\massive\netlogon\scripts\engr.kix" +ENDIF +IF INGROUP("MEGANET2\FURN") + call "\\massive\netlogon\scripts\furn.kix" +ENDIF +IF INGROUP("MEGANET2\TRUSS") + call "\\massive\netlogon\scripts\truss.kix" +ENDIF +</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix2"></a><p class="title"><b>Example 10.16. Kixtart Control File File: main.kix</b></p><div class="example-contents"><pre class="screen"> +break on + +; Choose whether to hide the login window or not +IF INGROUP("MEGANET2\Domain Admins") + USE Z: \\massive\everything + SETCONSOLE("show") +ELSE + ; Nobody cares about seeing the login script except admins + SETCONSOLE("hide") +ENDIF + +; Delete all previously connected shares +USE * /delete + +SETTITLE("Logging on @USERID to @LDOMAIN at @TIME") + +; Set the time on the workstation +$Timeserver = "\\massive" +Settime $TimeServer + +; Map the home directory +USE H: @HOMESHR ; connect to user's home share +IF @ERROR = 0 + + H: + CD @HOMEDIR ; change directory to user's home directory +ENDIF + +; Everyone gets the N drive +USE N: \\massive\network +</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3"></a><p class="title"><b>Example 10.17. Kixtart Control File File: setup.kix, Part A</b></p><div class="example-contents"><pre class="screen"> +; My setup.kix is where all of the redirection stuff happens. Note that with +; the use of registry keys, this only happens the first time they log in ,or if +; I delete the pertinent registry keys which triggers it to happen again: + +; Check to see if we have written the abmas sub-key before +$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas") +IF NOT $RETURNCODE = 0 +; Add key for abmas-specific things on the first login + ADDKEY("HKEY_CURRENT_USER\abmas") + ; The following key gets deleted at the end of the first login + ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +ENDIF + +; People with laptops need My Documents to be in their profile. People with +; desktops can have My Documents redirected to their home directory to avoid +; long delays with logging out and out-of-sync files. + +; Check to see if this is the first login -- doesn't make sense to do this +; at the very first login + +$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +IF NOT $RETURNCODE = 0 + +; We don't want to do this stuff for people with laptops or people in the FURN +; group. (They store their profiles in a different server) + + IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN") + $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied") + +; A crude way to tell what OS our profile is for and copy the "My Documents" +; to the redirected folder on the server. It works because the profiles +; are stored as \\server\profiles\user\architecture + IF NOT $RETURNCODE = 0 + IF EXIST("\\massive\profiles\@userID\WinXP") + copy "\\massive\profiles\@userID\WinXP\My Documents\*" +"\\massive\@userID\" + ENDIF + IF EXIST("\\massive\profiles\@userID\Win2K") + copy "\\massive\profiles\@userID\Win2K\My Documents\*" +"\\massive\@userID\" + ENDIF + IF EXIST("\\massive\profiles\@userID\WinNT") + copy "\\massive\profiles\@userID\WinNT\My Documents\*" +"\\massive\@userID\" + ENDIF +</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3b"></a><p class="title"><b>Example 10.18. Kixtart Control File File: setup.kix, Part B</b></p><div class="example-contents"><pre class="screen"> +; Now we will write the registry values to redirect the locations of "My +Documents" +; and other folders. + ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "Personal","\\massive\@userID","REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ") + IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP +Professional" + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ") + ENDIF + ENDIF + ENDIF + +; Now we will delete the FIRST_LOGIN sub-key that we made before. +; Note - to run this script again you will want to delete the HKCU\abmas +; sub-key, log out, and log back in. +$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +IF $RETURNVALUE = 0 + DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +ENDIF +</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix4"></a><p class="title"><b>Example 10.19. Kixtart Control File File: acct.kix</b></p><div class="example-contents"><pre class="screen"> +; And here is one group-oriented script to show what can be +; done that way: acct.kix: + +IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR") + USE I: \\MEGANET2\HR_PR +ENDIF + +; Set up printer +$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500") +IF NOT $RETURNVALUE = 0 + ADDPRINTERCONNECTION("\\massive\acct_hp8500") + SETDEFAULTPRINTER("\\massive\acct_hp8500") +ENDIF +; Set up drive mappings + USE M: \\massive\ACCT + IF INGROUP("MEGANET2\ABRA") + USE T: \\trussrv\abra + ENDIF +</pre></div></div><br class="example-break"><p> + As you can see in the script, I redirected the My Documents to the user's home + share if he or she were not in the Laptop group. I also added printers on a + group-by-group basis, and if applicable I set the group printer. For this to + be effective, the print drivers must be installed on the Samba server in the + <code class="filename">[print$]</code> share. Ample documentation exists about how to + do that, so it is not covered here. + </p><p> + I call this script via the logon.bat script in the [netlogon] directory: +</p><pre class="screen"> +\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f +</pre><p> + I only had to fully qualify the paths for Windows 9x, as Windows NT and + greater automatically add [NETLOGON] to the path. + </p><p> + Also of note for Win9x is that the drive mappings and printer setup will not + work because they rely on RPC. You merely have to put the appropriate settings + into the <code class="filename">c:\autoexec.bat</code> file or map the drives manually. + One option is to check the OS as part of the Kixtart script, and if it + is Win9x and is the first login, copy a premade + <code class="filename">autoexec.bat</code> to the <code class="filename">C:</code> drive. I + have only three such machines, and one is going away in the very near future, + so it was easier to do it by hand. + </p><p> + <a class="indexterm" name="id379824"></a> + At this point I was able to add the users. This is the part that really falls + into upgrade. I moved the users over one group at a time, starting with the + people who used the least amount of resources on the network. With each group + that I moved, I first logged on as a standard user in that group and took + careful note of the environment, mainly the printers he or she used, the PATH, + and what network resources he or she had access to (most importantly, which ones + the user actually needed access to). + </p><p> + I then added the user's SambaSamAccount information as mentioned earlier, + and join the computer to the domain. The very first thing I had to do was to + copy the user's profile to the new server. This was very important, and I really + struggled with the most effective way to do it. Here is the method that worked + for every one of my users on Windows NT, 2000, and XP: + </p><div class="procedure"><ol type="1"><li><p> + Log in as the user on the domain. This creates the local copy + of the user's profile and copies it to the server as he or she logs out. + </p></li><li><p> + Reboot the computer and log in as the local machine administrator. + </p></li><li><p> + Right-click My Computer, click Properties, and navigate to the + user profiles tab (varies per version of Windows). + </p></li><li><p> + Select the user's local profile <code class="constant">(COMPUTERNAME\username)</code>, + and click the <code class="literal">Copy To</code> button. + </p></li><li><p> + In the next dialog, copy it directly to the profiles share on the + Samba server (in my case \\PDCname\profiles\user\<architecture>. + You will have had to make a connection to the share as that + user (e.g., Windows Explorer type \\PDCname\profiles\username). + </p></li><li><p> + When the copy is complete (it can take a while) log out, and log back in + as the user. All of his or her settings and all contents of My Documents, + Favorites, and the registry should have been copied successfully. + </p></li><li><p> + If it doesn't look right (the dead giveaway is the desktop background), + shut down the computer without logging out (power cycle) and try logging + in as the user again. If it still doesn't work, repeat the steps above. + I only had to ever repeat it once. + </p></li></ol></div><p> + Words to the Wise: + </p><div class="itemizedlist"><ul type="disc"><li><p> + If the user was anything other than a standard user on his or her system + before, you will save yourself some headaches by giving him or her identical + permissions (on the local machine) as his or her domain account <span class="emphasis"><em>before</em></span> + copying the profile over. Do this through the User Administrator + in the Control Panel, after joining the computer to the domain and + before logging on as that user for the first time. Otherwise the user will + have trouble with permissions on his or her registry keys. + </p></li><li><p> + If any application was installed for the user only, rather than for + the entire system, it will probably not work without being reinstalled. + </p></li></ul></div><p> + After all these steps are accomplished, only cleanup details are left. Make sure user's + shortcuts and Network Places point to the appropriate place on the new server, check + the important applications to be sure they work as expected and troubleshoot any problems + that might arise, and check to be sure the user's printers are present and working. By the + way, if there are any network printers installed as system printers (the Novell way), + you will need to log in as a local administrator and delete them. + </p><p> + For my non-laptop systems, I would then log in and out a couple times as the user + to be sure that his or her registry settings were modified, and then I was finished. + </p><p> + Some compatibility issues that cropped up included the following: + </p><p> + Blackberry client: It did not like having its registry settings moved around + and so had to be reinstalled. Also, it needed write permissions to a portion of + the hard drive, and I had to give it those manually on the one system where + this was an issue. + </p><p> + CAMedia: Digital camera software for Canon cameras caused all kinds of trouble + with the registry. I had to use the Run as service to open the registry of + the local user while logged in as the domain user, and give the domain user + the appropriate permissions to some registry keys, then export that portion + of the registry to a file. Then, as the domain user, I had to import that file + into the registry. + </p><p> + Crystal Reports version 7: More registry problems that were solved by recopying + the user's profile. + </p><p> + Printing from legacy applications: I found out that Novell sends its jobs to + the printer in a raw format. CUPS sends them in PostScript by default. I had + to make a second printer definition for one printer and tell CUPS specifically + to send raw data to the printer, then assign this printer to the LPT port with + Kixtart's version of the net use command. + </p><p> + These were all eventually solved by elbow grease, queries to the Samba mailing + list and others, and diligence. The complete migration took about 5 weeks. + My userbase is relatively small but includes multiple versions of Windows, + multiple Linux member servers, a mechanized saw, a pen plotter, and legacy + applications written in Qbasic and R:Base, just to name a few. I actually + ended up making some of these applications work better (or work again, as + some of them had stopped functioning on the old server) because as part of + the process I had to find out how things were supposed to work. + </p><p> + The one thing I have not been able to get working is a very old database that + we had around for reference purposes; it uses Novell's Btrieve engine. + </p><p> + As the resources compare, I went from 95 percent disk usage to just around 10 percent. + I went from a very high load on the server to an average load of between one + and two runnable processes on the server. I have improved the security and + robustness of the system. I have also implemented + <a href="http://www.clamav.net" target="_top">ClamAV</a> antivirus software, + which scans the entire Samba server for viruses every 2 hours and + quarantines them. I have found it much less problematic than our ancient + version of Norton Antivirus Corporate Edition, and much more up-to-date. + </p><p> + In short, my users are much happier now that the new server is running, and that + is what is important to me. + </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ntmigration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="RefSection.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 9. Migrating NT4 Domain to Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Reference Section</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/pr01.html b/docs/htmldocs/Samba3-ByExample/pr01.html new file mode 100644 index 0000000000..39b7b7854b --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/pr01.html @@ -0,0 +1,31 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>About the Cover Artwork</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="index.html" title="Samba-3 by Example"><link rel="next" href="pr02.html" title="Acknowledgments"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">About the Cover Artwork</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id282784"></a>About the Cover Artwork</h2></div></div></div><p> + The cover artwork of this book continues the freedom theme of the first + edition of “<span class="quote">Samba-3 by Example</span>”. The history of civilization + demonstrates the fragile nature of freedom. It can be lost in a moment, + and once lost, the cost of recovering liberty can be incredible. The last + edition cover featured Alfred the Great who liberated England from the + constant assault of Vikings and Norsemen. Events in England that + finally liberated the common people came about in small steps, but + the result should not be under-estimated. Today, as always, freedom and + liberty are seldom appreciated until they are lost. If we can not quantify + what is the value of freedom, we shall be little motivated to protect it. + </p><p> + <span class="emphasis"><em>Samba-3 by Example Cover Artwork:</em></span> The British houses + of parliament are a symbol of the Westminster system of government. This form + of government permits the people to govern themselves at the lowest level, yet + it provides for courts of appeal that are designed to protect freedom and to + hold back all forces of tyranny. The clock is a pertinent symbol of the + importance of time and place. + </p><p> + The information technology industry is being challenged by the imposition of + new laws, hostile litigation, and the imposition of significant constraint + of practice that threatens to remove the freedom to develop and deploy open + source software solutions. Samba is a software solution that epitomizes freedom + of choice in network interoperability for Microsoft Windows clients. + </p><p> + I hope you will take the time needed to deploy it well, and that you may realize + the greatest benefits that may be obtained. You are free to use it in ways never + considered, but in doing so there may be some obstacles. Every obstacle that is + overcome adds to the freedom you can enjoy. Use Samba well, and it will serve + you well. + </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Samba-3 by Example </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Acknowledgments</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/pr02.html b/docs/htmldocs/Samba3-ByExample/pr02.html new file mode 100644 index 0000000000..f37be98092 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/pr02.html @@ -0,0 +1,35 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Acknowledgments</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="pr01.html" title="About the Cover Artwork"><link rel="next" href="pr03.html" title="Foreword"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Acknowledgments</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id282148"></a>Acknowledgments</h2></div></div></div><p> + <span class="emphasis"><em>Samba-3 by Example</em></span> would not have been written except + as a result of feedback provided by reviewers and readers of the book <span class="emphasis"><em>The + Official Samba-3 HOWTO and Reference Guide.</em></span> This second edition + was made possible by generous feedback from Samba users. I hope this book + more than answers the challenge and needs of many more networks that are + languishing for a better networking solution. + </p><p> + I am deeply indebted to a large group of diligent people. Space prevents + me from listing all of them, but a few stand out as worthy of mention. + Jelmer Vernooij made the notable contribution of building the XML production + environment and thereby made possible the typesetting of this book. + </p><p> + Samba would not have come into existence if Andrew Tridgell had not taken + the first steps. He continues to lead the project. Under the shadow of his + mantle are some great folks who never give up and are always ready to help. + Thank you to: Jeremy Allison, Jerry Carter, Andrew Bartlett, Jelmer Vernooij, + Alexander Bokovoy, Volker Lendecke, and other team members who answered my + continuous stream of questions all of which resulted in improved content + in this book. + </p><p> + My heartfelt thanks go out also to a small set of reviewers (alphabetically + listed) who gave substantial feedback and significant suggestions for improvement: + Tony Earnshaw, William Enestvedt, Eric Hines, Roland Gruber, Gavin Henry, + Steven Henry, Luke Howard, Tarjei Huse, Jon Johnston, Alan Munter, Mike MacIsaac, + Scott Mann, Ed Riddle, Geoff Scott, Santos Soler, Misty Stanley-Jones, Mark Taylor, + and Jérôme Tournier. + </p><p> + My appreciation is extended to a team of more than 30 additional reviewers who + helped me to find my way around dark corners. + </p><p> + Particular mention is due to Lyndell, Amos, and Melissa who gave me the + latitude necessary to spend nearly an entire year writing Samba documentation, + and then gave more so this second edition could be created. + </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">About the Cover Artwork </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Foreword</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/pr03.html b/docs/htmldocs/Samba3-ByExample/pr03.html new file mode 100644 index 0000000000..025dbab815 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/pr03.html @@ -0,0 +1,55 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Foreword</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="pr02.html" title="Acknowledgments"><link rel="next" href="preface.html" title="Preface"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Foreword</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="preface.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id314230"></a>Foreword</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pr03.html#id314237">By John M. Weathersby, Executive Director, OSSI</a></span></dt></dl></div><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id314237"></a>By John M. Weathersby, Executive Director, OSSI</h2></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> +The Open Source Software Institute (OSSI) is comprised of representatives from a broad spectrum of business and +non-business organizations that share a common interest in the promotion of development and implementation +of open source software solutions globally, and in particular within the United States of America. +</p><p> +The OSSI has global affiliations with like-minded organizations. Our affiliate in the United Kingdom is the +Open Source Consortium (OSC). Both the OSSI and the OSC share a common objective to expand the use of open source +software in federal, state, and municipal government agencies; and in academic institutions. We represent +businesses that provide professional support services that answer the needs of our target organizational +information technology consumers in an effective and cost-efficient manner. +</p><p> +Open source software has matured greatly over the past five years with the result that an increasing number of +people who hold key decisionmaking positions want to know how the business model works. They +want to understand how problems get resolved, how questions get answered, and how the development model +is sustained. Information and communications technology directors in defense organizations, and in other +government agencies that deal with sensitive information, want to become familiar with development road-maps +and, in particular, seek to evaluate the track record of the mainstream open source project teams. +</p><p> +Wherever the OSSI gains entrance to new opportunities we find that Microsoft Windows technologies are the +benchmark against which open source software solutions are measured. Two open source software projects +are key to our ability to present a structured and convincing proposition that there are alternatives +to the incumbent proprietary means of meeting information technology needs. They are the Apache Web Server +and Samba. +</p><p> +Just as the Apache Web Server is the standard in web serving technology, Samba is the definitive standard +for providing interoperability with UNIX systems and other non-Microsoft operating system platforms. Both +open source applications have a truly remarkable track record that extends for more than a decade. Both have +demonstrated the unique capacity to innovate and maintain a level of development that has not only kept +pace with demands, but, in many areas, each project has also proven to be an industry leader. +</p><p> +One of the areas in which the Samba project has demonstrated key leadership is in documentation. The OSSI +was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly +well-written books to help Samba software users deploy, maintain, and troubleshoot Windows networking +installations. We were concerned that, given the large volume of documentation, the challenge to maintain +it and keep it current might prove difficult. +</p><p> +This second edition of the book, <span class="emphasis"><em>Samba-3 by Example</em></span>, barely one year following the release +of the first edition, has removed all concerns and is proof that open source solutions are a compelling choice. +The first edition was released shortly following the release of Samba version 3.0 itself, and has become +the authoritative instrument for training and for guiding deployment. +</p><p> +I am personally aware of how much effort has gone into this second edition. John Terpstra has worked with +government bodies and with large organizations that have deployed Samba-3 since it was released. He also +worked to ensure that this book gained community following. He asked those who have worked at the coalface +of large and small organizations alike, to contribute their experiences. He has captured that in this book +and has succeeded yet again. His recipe is persistence, intuition, and a high level of respect for the people +who use Samba. +</p><p> +This book is the first source you should turn to before you deploy Samba and as you are mastering its +deployment. I am proud and excited to be associated in a small way with such a useful tool. This book has +reached maturity that is demonstrated by reiteration that every step in deployment must be validated. +This book makes it easy to succeed, and difficult to fail, to gain a stable network environment. +</p><p> +I recommend this book for use by all IT managers and network administrators. +</p></blockquote></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="preface.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Acknowledgments </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Preface</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/preface.html b/docs/htmldocs/Samba3-ByExample/preface.html new file mode 100644 index 0000000000..6968cddd85 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/preface.html @@ -0,0 +1,386 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Preface</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="pr03.html" title="Foreword"><link rel="next" href="ExNetworks.html" title="Part I. Example Network Configurations"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Preface</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ExNetworks.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="preface"></a>Preface</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="preface.html#id281893">Why Is This Book Necessary?</a></span></dt><dd><dl><dt><span class="sect2"><a href="preface.html#id281931">Samba 3.0.20 Update Edition</a></span></dt></dl></dd><dt><span class="sect1"><a href="preface.html#id281662">Prerequisites</a></span></dt><dt><span class="sect1"><a href="preface.html#id323198">Approach</a></span></dt><dt><span class="sect1"><a href="preface.html#id323250">Summary of Topics</a></span></dt><dt><span class="sect1"><a href="preface.html#id323874">Conventions Used</a></span></dt></dl></div><p> + Network administrators live busy lives. We face distractions and pressures + that drive us to seek proven, working case scenarios that can be easily + implemented. Often this approach lands us in trouble. There is a + saying that, geometrically speaking, the shortest distance between two + points is a straight line, but practically we find that the quickest + route to a stable network solution is the long way around. + </p><p> + This book is your means to the straight path. It provides step-by-step, + proven, working examples of Samba deployments. If you want to deploy + Samba-3 with the least effort, or if you want to become an expert at deploying + Samba-3 without having to search through lots of documentation, this + book is the ticket to your destination. + </p><p> + Samba is software that can be run on a platform other than Microsoft Windows, + for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. + Samba uses the TCP/IP protocol that is installed on the host server. When + correctly configured, it allows that host to interact with a Microsoft Windows + client or server as if it is a Windows file and print server. This book + will help you to implement Windows-compatible file and print services. + </p><p> + The examples presented in this book are typical of various businesses and + reflect the problems and challenges they face. Care has been taken to preserve + attitudes, perceptions, practices, and demands from real network case studies. + The maximum benefit may be obtained from this book by working carefully through + each exercise. You may be in a hurry to satisfy a specific need, so feel + free to locate the example that most closely matches your need, copy it, and + innovate as much as you like. Above all, enjoy the process of learning the + secrets of MS Windows networking that is truly liberated by Samba. + </p><p> + The focus of attention in this book is Samba-3. Specific notes are made in + respect of how Samba may be made secure. This book does not attempt to provide + detailed information regarding secure operation and configuration of peripheral + services and applications such as OpenLDAP, DNS and DHCP, the need for which + can be met from other resources that are dedicated to the subject. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id281893"></a>Why Is This Book Necessary?</h2></div></div></div><p> + This book is the result of observations and feedback. The feedback from + the Samba-HOWTO-Collection has been positive and complimentary. There + have been requests for far more worked examples, a + “<span class="quote">Samba Cookbook,</span>” and for training materials to + help kick-start the process of mastering Samba. + </p><p> + The Samba mailing lists users have asked for sample configuration files + that work. It is natural to question one's own ability to correctly + configure a complex tool such as Samba until a minimum necessary + knowledge level has been attained. + </p><p> + The Samba-HOWTO-Collection as does <span class="emphasis"><em>The Official Samba-3 HOWTO and + Reference Guide</em></span> documents Samba features and functionality in + a topical context. This book takes a completely different approach. It + walks through Samba network configurations that are working within particular + environmental contexts, providing documented step-by-step implementations. + All example case configuration files, scripts, and other tools are provided + on the CD-ROM. This book is descriptive, provides detailed diagrams, and + makes deployment of Samba-3 a breeze. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id281931"></a>Samba 3.0.20 Update Edition</h3></div></div></div><p> + The Samba 3.0.x series has been remarkably popular. At the time this book first + went to print samba-3.0.2 was being released. There have been significant modifications + and enhancements between samba-3.0.2 and samba-3.0.14 (the current release) that + necessitate this documentation update. This update has the specific intent to + refocus this book so that its guidance can be followed for samba-3.0.20 + and beyond. Further changes are expected as Samba-3 matures further and will + be reflected in future updates. + </p><p> + The changes shown in <a href="preface.html#pref-new" title="Table 1. Samba Changes 3.0.2 to 3.0.20">???</a> are incorporated in this update. + </p><div class="table"><a name="pref-new"></a><p class="title"><b>Table 1. Samba Changes 3.0.2 to 3.0.20</b></p><div class="table-contents"><table summary="Samba Changes 3.0.2 to 3.0.20" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left"> + <p> + New Feature + </p> + </th><th align="left"> + <p> + Description + </p> + </th></tr></thead><tbody><tr><td align="left"> + <p> + Winbind Case Handling + </p> + </td><td align="justify"> + <p> + User and group names returned by <code class="literal">winbindd</code> are now converted to lower case + for better consistency. Samba implementations that depend on the case of information returned + by winbind (such as %u and %U) must now convert the dependency to expecting lower case values. + This affects mail spool files, home directories, valid user lines in the <code class="filename">smb.conf</code> file, etc. + </p> + </td></tr><tr><td align="left"> + <p> + Schema Changes + </p> + </td><td align="justify"> + <p> + Addition of code to handle password aging, password uniqueness controls, bad + password instances at logon time, have made necessary extensions to the SambaSAM + schema. This change affects all sites that use LDAP and means that the directory + schema must be updated. + </p> + </td></tr><tr><td align="left"> + <p> + Username Map Handling + </p> + </td><td align="justify"> + <p> + Samba-3.0.8 redefined the behavior: Local authentication results in a username map file + lookup before authenticating the connection. All authentication via an external domain + controller will result in the use of the fully qualified name (i.e.: DOMAIN\username) + after the user has been successfully authenticated. + </p> + </td></tr><tr><td align="left"> + <p> + UNIX Extension Handling + </p> + </td><td align="justify"> + <p> + Symbolically linked files and directories on the UNIX host to absolute paths will + now be followed. This can be turned off using “<span class="quote">wide links = No</span>” in + the share stanza in the <code class="filename">smb.conf</code> file. Turning off “<span class="quote">wide links</span>” + support will degrade server performance because each path must be checked. + </p> + </td></tr><tr><td align="left"> + <p> + Privileges Support + </p> + </td><td align="justify"> + <p> + Versions of Samba prior to samba-3.0.11 required the use of the UNIX <code class="constant">root</code> + account from network Windows clients. The new “<span class="quote">enable privileges = Yes</span>” capability + means that functions such as adding machines to the domain, managing printers, etc. can now + be delegated to normal user accounts or to groups of users. + </p> + </td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id281662"></a>Prerequisites</h2></div></div></div><p> + This book is not a tutorial on UNIX or Linux administration. UNIX and Linux + training is best obtained from books dedicated to the subject. This book + assumes that you have at least the basic skill necessary to use these operating + systems, and that you can use a basic system editor to edit and configure files. + It has been written with the assumption that you have experience with Samba, + have read <span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide</em></span> and + the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows. + </p><p> + If you do not have this experience, you can follow the examples in this book but may + find yourself at times intimidated by assumptions made. In this situation, you + may need to refer to administrative guides or manuals for your operating system + platform to find what is the best method to achieve what the text of this book describes. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323198"></a>Approach</h2></div></div></div><p> + The first chapter deals with some rather thorny network analysis issues. Do not be + put off by this. The information you glean, even without a detailed understanding + of network protocol analysis, can help you understand how Windows networking functions. + </p><p> + Each following chapter of this book opens with the description of a networking solution + sought by a hypothetical site. Bob Jordan is a hypothetical decision maker + for an imaginary company, <code class="constant">Abmas Biz NL</code>. We will use the + non-existent domain name <code class="constant">abmas.biz</code>. All <span class="emphasis"><em>facts</em></span> + presented regarding this company are fictitious and have been drawn from a variety of real + business scenarios over many years. Not one of these reveal the identify of the + real-world company from which the scenario originated. + </p><p> + In any case, Mr. Jordan likes to give all his staff nasty little assignments. + Stanley Saroka is one of his proteges; Christine Roberson is the network administrator + Bob trusts. Jordan is inclined to treat other departments well because they finance + Abmas IT operations. + </p><p> + Each chapter presents a summary of the network solution we have chosen to + demonstrate together with a rationale to help you to understand the + thought process that drove that solution. The chapter then documents in precise + detail all configuration files and steps that must be taken to implement the + example solution. Anyone wishing to gain serious value from this book will + do well to take note of the implications of points made, so watch out for the + <span class="emphasis"><em>this means that</em></span> notations. + </p><p> + Each chapter has a set of questions and answers to help you to + to understand and digest key attributes of the solutions presented. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323250"></a>Summary of Topics</h2></div></div></div><p> + The contents of this second edition of <span class="emphasis"><em>Samba-3 by Example</em></span> + have been rearranged based on feedback from purchasers of the first edition. + </p><p> + Clearly the first edition contained most of what was needed and that was missing + from other books that cover this difficult subject. The new arrangement adds + additional material to meet consumer requests and includes changes that originated + as suggestions for improvement. + </p><p> + Chapter 1 now dives directly into the heart of the implementation of Windows + file and print server networks that use Samba at the heart. + </p><div class="variablelist"><dl><dt><span class="term">Chapter 1 No Frills Samba Servers.</span></dt><dd><p> + Here you design a solution for three different business scenarios, each for a + company called Abmas. There are two simple networking problems and one slightly + more complex networking challenge. In the first two cases, Abmas has a small + simple office, and they want to replace a Windows 9x peer-to-peer network. The + third example business uses Windows 2000 Professional. This must be simple, + so let's see how far we can get. If successful, Abmas grows quickly and + soon needs to replace all servers and workstations. + </p><p><span class="emphasis"><em>TechInfo</em></span> This chapter demands: + </p><div class="itemizedlist"><ul type="disc"><li><p>Case 1: The simplest <code class="filename">smb.conf</code> file that may + reasonably be used. Works with Samba-2.x also. This + configuration uses Share Mode security. Encrypted + passwords are not used, so there is no + <code class="filename">smbpasswd</code> file. + </p></li><li><p>Case 2: Another simple <code class="filename">smb.conf</code> file that adds + WINS support and printing support. This case deals with + a special requirement that demonstrates how to deal with + purpose-built software that has a particular requirement + for certain share names and printing demands. This + configuration uses Share Mode security and also works with + Samba-2.x. Encrypted passwords are not used, so there is no + <code class="filename">smbpasswd</code> file. + </p></li><li><p>Case 3: This <code class="filename">smb.conf</code> configuration uses User Mode + security. The file share configuration demonstrates + the ability to provide master access to an administrator + while restricting all staff to their own work areas. + Encrypted passwords are used, so there is an implicit + <code class="filename">smbpasswd</code> file. + </p></li></ul></div><p> + </p></dd><dt><span class="term">Chapter 2 Small Office Networking.</span></dt><dd><p> + Abmas is a successful company now. They have 50 network users + and want a little more varoom from the network. This is a typical + small office and they want better systems to help them to grow. This is + your chance to really give advanced users a bit more functionality and usefulness. + </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file + makes use of encrypted passwords, so there is an <code class="filename">smbpasswd</code> + file. It also demonstrates use of the <em class="parameter"><code>valid users</code></em> and + <em class="parameter"><code>valid groups</code></em> to restrict share access. The Windows + clients access the server as Domain members. Mobile users log onto + the Domain while in the office, but use a local machine account while on the + road. The result is an environment that answers mobile computing user needs. + </p></dd><dt><span class="term">Chapter 3 Secure Office Networking.</span></dt><dd><p> + Abmas is growing rapidly now. Money is a little tight, but with 130 + network users, security has become a concern. They have many new machines + to install and the old equipment will be retired. This time they want the + new network to scale and grow for at least two years. Start with a sufficient + system and allow room for growth. You are now implementing an Internet + connection and have a few reservations about user expectations. + </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file + makes use of encrypted passwords, and you can use a <code class="filename">tdbsam</code> + password backend. Domain logons are introduced. Applications are served from the central + server. Roaming profiles are mandated. Access to the server is tightened up + so that only domain members can access server resources. Mobile computing + needs still are catered to. + </p></dd><dt><span class="term">Chapter 4 The 500 User Office.</span></dt><dd><p> + The two-year projections were met. Congratulations, you are a star. + Now Abmas needs to replace the network. Into the existing user base, they + need to merge a 280-user company they just acquired. It is time to build a serious + network. There are now three buildings on one campus and your assignment is + to keep everyone working while a new network is rolled out. Oh, isn't it nice + to roll out brand new clients and servers! Money is no longer tight, you get + to buy and install what you ask for. You will install routers and a firewall. + This is exciting! + </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file + makes use of encrypted passwords, and a <code class="filename">tdbsam</code> + password backend is used. You are not ready to launch into LDAP yet, so you + accept the limitation of having one central Domain Controller with a Domain + Member server in two buildings on your campus. A number of clever techniques + are used to demonstrate some of the smart options built into Samba. + </p></dd><dt><span class="term">Chapter 5 Making Happy Users.</span></dt><dd><p> + Congratulations again. Abmas is happy with your services and you have been given another raise. + Your users are becoming much more capable and are complaining about little + things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes + to log onto the network and it is killing her productivity. Email is a bit <span class="emphasis"><em> + unreliable</em></span> have you been sleeping on the job? We do not discuss the + technology of email but when the use of mail clients breaks because of networking + problems, you had better get on top of it. It's time for a change. + </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file + makes use of encrypted passwords; a distributed <code class="filename">ldapsam</code> + password backend is used. Roaming profiles are enabled. Desktop profile controls + are introduced. Check out the techniques that can improve the user experience + of network performance. As a special bonus, this chapter documents how to configure + smart downloading of printer drivers for drag-and-drop printing support. And, yes, + the secret of configuring CUPS is clearly documented. Go for it; this one will + tease you, too. + </p></dd><dt><span class="term">Chapter 6 A Distributed 2000 User Network.</span></dt><dd><p> + Only eight months have passed, and Abmas has acquired another company. You now need to expand + the network further. You have to deal with a network that spans several countries. + There are three new networks in addition to the original three buildings at the head-office + campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and + London. Your desktop standard is Windows XP Professional. In many ways, everything has changed + and yet it must remain the same. Your team is primed for another roll-out. You know there are + further challenges ahead. + </p><p><span class="emphasis"><em>TechInfo</em></span> Slave LDAP servers are introduced. Samba is + configured to use multiple LDAP backends. This is a brief chapter; it assumes that the + technology has been mastered and gets right down to concepts and how to deploy them. + </p></dd><dt><span class="term">Chapter 7 Adding UNIX/Linux Servers and Clients.</span></dt><dd><p> + Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network. + You want central control and central support and you need to cut costs. How can you reduce administrative + overheads and yet get better control of the network? + </p><p> + This chapter has been contributed by Mark Taylor <code class="email"><<a href="mailto:mark.taylor@siriusit.co.uk">mark.taylor@siriusit.co.uk</a>></code> + and is based on a live site. For further information regarding this example case, + please contact Mark directly. + </p><p><span class="emphasis"><em>TechInfo</em></span> It is time to consider how to add Samba servers + and UNIX and Linux network clients. Users who convert to Linux want to be able to log on + using Windows network accounts. You explore nss_ldap, pam_ldap, winbind, and a few neat + techniques for taking control. Are you ready for this? + </p></dd><dt><span class="term">Chapter 8 Updating Samba-3.</span></dt><dd><p> + This chapter is the result of repeated requests for better documentation of the steps + that must be followed when updating or upgrading a Samba server. It attempts to cover + the entire subject in broad-brush but at the same time provides detailed background + information that is not covered elsewhere in the Samba documentation. + </p><p><span class="emphasis"><em>TechInfo</em></span> Samba stores a lot of essential network + information in a large and growing collection of files. This chapter documents the + essentials of where those files may be located and how to find them. It also provides + an insight into inter-related matters that affect a Samba installation. + </p></dd><dt><span class="term">Chapter 9 Migrating NT4 Domain to Samba-3.</span></dt><dd><p> + Another six months have passed. Abmas has acquired yet another company. You will find a + way to migrate all users off the old network onto the existing network without loss + of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with + you, may you keep your back to the wind and may the sun shine on your face. + </p><p><span class="emphasis"><em>TechInfo</em></span> This chapter demonstrates the use of + the <code class="literal">net rpc migrate</code> facility using an LDAP ldapsam backend, and also + using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration. + </p></dd><dt><span class="term">Chapter 10 Migrating NetWare 4.11 Server to Samba.</span></dt><dd><p> + Misty Stanley-Jones has contributed information that summarizes her experience at migration + from a NetWare server to Samba-3. + </p><p><span class="emphasis"><em>TechInfo</em></span> The documentation provided demonstrates + how one site migrated from NetWare to Samba. Some alternatives tools are mentioned. These + could be used to provide another pathway to a successful migration. + </p></dd><dt><span class="term">Chapter 11 Active Directory, Kerberos and Security.</span></dt><dd><p> + Abmas has acquired another company that has just migrated to running Windows Server 2003 and + Active Directory. One of your staff makes offhand comments that land you in hot water. + A network security auditor is hired by the head of the new business and files a damning + report, and you must address the <span class="emphasis"><em>defects</em></span> reported. You have hired new + network engineers who want to replace Microsoft Active Directory with a pure Kerberos + solution. How will you handle this? + </p><p><span class="emphasis"><em>TechInfo</em></span> This chapter is your answer. Learn about + share access controls, proper use of UNIX/Linux file system access controls, and Windows + 200x Access Control Lists. Follow these steps to beat the critics. + </p></dd><dt><span class="term">Chapter 12 Integrating Additional Services.</span></dt><dd><p> + The battle is almost over, Samba-3 has won the day. Your team are delighted and now you + find yourself at yet another cross-roads. Abmas have acquired a snack food business, you + made promises you must keep. IT costs must be reduced, you have new resistance, but you + will win again. This time you choose to install the Squid proxy server to validate the + fact that Samba is far more than just a file and print server. SPNEGO authentication + support means that your Microsoft Windows clients gain transparent proxy access. + </p><p><span class="emphasis"><em>TechInfo</em></span> Samba provides the <code class="literal">ntlm_auth</code> + module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web + and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated + access control using the Active Directory Domain user security credentials. + </p></dd><dt><span class="term">Chapter 13 Performance, Reliability and Availability.</span></dt><dd><p> + Bob, are you sure the new Samba server is up to the load? Your network is serving many + users who risk becoming unproductive. What can you do to keep ahead of demand? Can you + keep the cost under control also? What can go wrong? + </p><p><span class="emphasis"><em>TechInfo</em></span> Hot tips that put chili into your + network. Avoid name resolution problems, identify potential causes of network collisions, + avoid Samba configuration options that will weigh the server down. MS distributed file + services to make your network fly and much more. This chapter contains a good deal of + “<span class="quote">Did I tell you about this...?</span>” type of hints to help keep your name on the top + performers list. + </p></dd><dt><span class="term">Chapter 14 Samba Support.</span></dt><dd><p> + This chapter has been added specifically to help those who are seeking professional + paid support for Samba. The critics of Open Source Software often assert that + there is no support for free software. Some critics argue that free software + undermines the service that proprietary commercial software vendors depend on. + This chapter explains what are the support options for Samba and the fact that + a growing number of businesses make money by providing commercial paid-for + Samba support. + </p></dd><dt><span class="term">Chapter 15 A Collection of Useful Tid-bits.</span></dt><dd><p> + Sometimes it seems that there is not a good place for certain odds and ends that + impact Samba deployment. Some readers would argue that everyone can be expected + to know this information, or at least be able to find it easily. So to avoid + offending a reader's sensitivities, the tid-bits have been placed in this chapter. + Do check out the contents, you may find something of value among the loose ends. + </p></dd><dt><span class="term">Chapter 16 Windows Networking Primer.</span></dt><dd><p> + Here we cover practical exercises to help us to understand how MS Windows + network protocols function. A network protocol analyzer helps you to + appreciate the fact that Windows networking is highly dependent on broadcast + messaging. Additionally, you can look into network packets that a Windows + client sends to a network server to set up a network connection. On completion, + you should have a basic understanding of how network browsing functions and + have seen some of the information a Windows client sends to + a file and print server to create a connection over which file and print + operations may take place. + </p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323874"></a>Conventions Used</h2></div></div></div><p> + The following notation conventions are used throughout this book: + </p><div class="itemizedlist"><ul type="disc"><li><p> + TOSHARG2 is used as an abbreviation for the book, “<span class="quote">The Official Samba-3 + HOWTO and Reference Guide, Second Edition</span>” Editors: John H. Terpstra and Jelmer R. Vernooij, + Publisher: Prentice Hall, ISBN: 0131882228. + </p></li><li><p> + S3bE2 is used as an abbreviation for the book, “<span class="quote">Samba-3 by Example, Second Edition</span>” + Editors: John H. Terpstra, Publisher: Prentice Hall, ISBN: 013188221X. + </p></li><li><p> + Directories and filenames appear in mono-font. For example, + <code class="filename">/etc/pam.conf</code>. + </p></li><li><p> + Executable names are bolded. For example, <code class="literal">smbd</code>. + </p></li><li><p> + Menu items and buttons appear in bold. For example, click <span class="guibutton">Next</span>. + </p></li><li><p> + Selecting a menu item is indicated as: + <span class="guimenu">Start</span> → <span class="guimenuitem">Control Panel</span> → <span class="guimenuitem">Administrative Tools</span> → <span class="guimenuitem">Active Directory Users and Computers</span> + </p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ExNetworks.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Foreword </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part I. Example Network Configurations</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/primer.html b/docs/htmldocs/Samba3-ByExample/primer.html new file mode 100644 index 0000000000..ceee1bfd2a --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/primer.html @@ -0,0 +1,548 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Networking Primer</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits"><link rel="next" href="apa.html" title="Appendix A. GNU General Public License version 3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Networking Primer</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="primer"></a>Chapter 16. Networking Primer</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="primer.html#id393582">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id393718">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id393768">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id393876">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id393989">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id395083">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id395544">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id396068">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id396170">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></div><p> + You are about to use the equivalent of a microscope to look at the information + that runs through the veins of a Windows network. We do more to observe the information than + to interrogate it. When you are done with this primer, you should have a good understanding + of the types of information that flow over the network. Do not worry, this is not + a biology lesson. We won't lose you in unnecessary detail. Think to yourself, “<span class="quote">This + is easy,</span>” then tackle each exercise without fear. + </p><p> + Samba can be configured with a minimum of complexity. Simplicity should be mastered + before you get too deeply into complexities. Let's get moving: we have work to do. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id393582"></a>Requirements and Notes</h2></div></div></div><p> + Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations + as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet + card connected using a hub. Also required is one additional server (either Windows + NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network + sniffer and analysis application (Wireshark is a good choice). All work should be undertaken + on a quiet network where there is no other traffic. It is best to use a dedicated hub + with only the machines under test connected at the time of the exercises. + </p><p><a class="indexterm" name="id393597"></a> + Wireshark (formerly Ethereal) has become the network protocol analyzer of choice for many network administrators. + You may find more information regarding this tool from the + <a href="http://www.wireshark.org" target="_top">Wireshark</a> Web site. Wireshark installation + files for Windows may be obtained from the Wireshark Web site. Wireshark is provided with + SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may + not be installed on your system by default. If it is not installed, you may also need + to install the <code class="literal">libpcap</code> software before you can install or use Wireshark. + Please refer to the instructions for your operating system or to the Wireshark Web site + for information regarding the installation and operation of Wireshark. + </p><p> + To obtain <code class="literal">Wireshark</code> for your system, please visit the Wireshark + <a href="http://www.wireshark.org/download.html" target="_top">download site</a>. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The successful completion of this chapter requires that you capture network traffic + using <code class="literal">Wireshark</code>. It is recommended that you use a hub, not an + Ethernet switch. It is necessary for the device used to act as a repeater, not as a + filter. Ethernet switches may filter out traffic that is not directed at the machine + that is used to monitor traffic; this would not allow you to complete the projects. + </p></div><p> + <a class="indexterm" name="id393656"></a> + Do not worry too much if you do not have access to all this equipment; network captures + from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly + into the analytical part of the exercises if you so desire. + </p><p><a class="indexterm" name="id393670"></a><a class="indexterm" name="id393681"></a> + Please do not be alarmed at the use of a high-powered analysis tool (Wireshark) in this + primer. We expose you only to a minimum of detail necessary to complete + the exercises. If you choose to use any other network sniffer and protocol + analysis tool, be advised that it may not allow you to examine the contents of + recently added security protocols used by Windows 200x/XP. + </p><p> + You could just skim through the exercises and try to absorb the key points made. + The exercises provide all the information necessary to convince the die-hard network + engineer. You possibly do not require so much convincing and may just want to move on, + in which case you should at least read <a href="primer.html#chap01conc" title="Dissection and Discussion">???</a>. + </p><p> + <a href="primer.html#chap01qa" title="Questions and Answers">???</a> also provides useful information + that may help you to avoid significantly time-consuming networking problems. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id393718"></a>Introduction</h2></div></div></div><p> + The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows + network computing. If you want a solid technical grounding, do not gloss over these exercises. + The points covered are recurrent issues on the Samba mailing lists. + </p><p><a class="indexterm" name="id393730"></a> + You can see from these exercises that Windows networking involves quite a lot of network + broadcast traffic. You can look into the contents of some packets, but only to see + some particular information that the Windows client sends to a server in the course of + establishing a network connection. + </p><p> + To many people, browsing is everything that happens when one uses Microsoft Internet Explorer. + It is only when you start looking at network traffic and noting the protocols + and types of information that are used that you can begin to appreciate the complexities of + Windows networking and, more importantly, what needs to be configured so that it can work. + Detailed information regarding browsing is provided in the recommended + preparatory reading. + </p><p> + Recommended preparatory reading: <span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide, Second + Edition</em></span> (TOSHARG2) Chapter 9, “<span class="quote">Network Browsing,</span>” and Chapter 3, + “<span class="quote">Server Types and Security Modes.</span>” + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id393768"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id393775"></a> + You are about to witness how Microsoft Windows computer networking functions. The + exercises step through identification of how a client machine establishes a + connection to a remote Windows server. You observe how Windows machines find + each other (i.e., how browsing works) and how the two key types of user identification + (share mode security and user mode security) are affected. + </p><p><a class="indexterm" name="id393790"></a> + The networking protocols used by MS Windows networking when working with Samba + use TCP/IP as the transport protocol. The protocols that are specific to Windows + networking are encapsulated in TCP/IP. The network analyzer we use (Wireshark) + is able to show you the contents of the TCP/IP packets (or messages). + </p><div class="procedure"><a name="chap01tasks"></a><p class="title"><b>Procedure 16.1. Diagnostic Tasks</b></p><ol type="1"><li><p><a class="indexterm" name="id393820"></a><a class="indexterm" name="id393831"></a><a class="indexterm" name="id393839"></a> + Examine network traces to witness SMB broadcasts, host announcements, + and name resolution processes. + </p></li><li><p> + Examine network traces to witness how share mode security functions. + </p></li><li><p> + Examine network traces to witness the use of user mode security. + </p></li><li><p> + Review traces of network logons for a Windows 9x/Me client as well as + a domain logon for a Windows XP Professional client. + </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id393876"></a>Exercises</h2></div></div></div><p> + <a class="indexterm" name="id393883"></a> + You are embarking on a course of discovery. The first part of the exercise requires + two MS Windows 9x/Me systems. We called one machine <code class="constant">WINEPRESSME</code> and the + other <code class="constant">MILGATE98</code>. Each needs an IP address; we used <code class="literal">10.1.1.10</code> + and <code class="literal">10.1.1.11</code>. The test machines need to be networked via a <span class="emphasis"><em>hub</em></span>. A UNIX/Linux + machine is required to run <code class="literal">Wireshark</code> to enable the network activity to be captured. + It is important that the machine from which network activity is captured must not interfere with + the operation of the Windows workstations. It is helpful for this machine to be passive (does not + send broadcast information) to the network. + </p><p> + For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running + VMWare 4.5. The following VMWare images were prepared: + </p><div class="itemizedlist"><ul type="disc"><li><p>Windows 98 name: MILGATE98</p></li><li><p>Windows Me name: WINEPRESSME</p></li><li><p>Windows XP Professional name: LightrayXP</p></li><li><p>Samba-3.0.20 running on a SUSE Enterprise Linux 9</p></li></ul></div><p> + Choose a workgroup name (MIDEARTH) for each exercise. + </p><p> + <a class="indexterm" name="id393965"></a> + The network captures provided on the CD-ROM included with this book were captured using <code class="constant">Ethereal</code> + version <code class="literal">0.10.6</code>. A later version suffices without problems (i.e. you should be using Wireshark), but an earlier version may not + expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all + packets has also been included. This makes it possible for you to do all the studying you like without the need to + perform the time-consuming equipment configuration and test work. This is a good time to point out that the value + that can be derived from this book really does warrant your taking sufficient time to practice each exercise with + care and attention to detail. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id393989"></a>Single-Machine Broadcast Activity</h3></div></div></div><p> + In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes. + </p><div class="procedure"><a name="id393999"></a><p class="title"><b>Procedure 16.2. Monitoring Windows 9x Steps</b></p><ol type="1"><li><p> + Start the machine from which network activity will be monitored (using <code class="literal">Wireshark</code>). + Launch <code class="literal">Wireshark</code>, click + <span class="guimenu">Capture</span> → <span class="guimenuitem">Start</span>. + </p><p> + Click the following: + </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p> + Click <span class="guibutton">OK</span>. + </p></li><li><p> + Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring, + do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. + </p></li><li><p> + At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later. + Leave this machine running in preparation for the task in <a href="primer.html#secondmachine" title="Second Machine Startup Broadcast Interaction">???</a>. + </p></li><li><p> + Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol + was used. Identify the timing between messages of identical types. + </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id394114"></a>Findings</h4></div></div></div><p> + The summary of the first 10 minutes of the packet capture should look like <a href="primer.html#pktcap01" title="Figure 16.1. Windows Me Broadcasts The First 10 Minutes">???</a>. + A screenshot of a later stage of the same capture is shown in <a href="primer.html#pktcap02" title="Figure 16.2. Windows Me Later Broadcast Sample">???</a>. + </p><div class="figure"><a name="pktcap01"></a><p class="title"><b>Figure 16.1. Windows Me Broadcasts The First 10 Minutes</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WINREPRESSME-Capture.png" width="216" alt="Windows Me Broadcasts The First 10 Minutes"></div></div></div><br class="figure-break"><div class="figure"><a name="pktcap02"></a><p class="title"><b>Figure 16.2. Windows Me Later Broadcast Sample</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WINREPRESSME-Capture2.png" width="226.8" alt="Windows Me Later Broadcast Sample"></div></div></div><br class="figure-break"><p><a class="indexterm" name="id394227"></a><a class="indexterm" name="id394238"></a> + Broadcast messages observed are shown in <a href="primer.html#capsstats01" title="Table 16.1. Windows Me Startup Broadcast Capture Statistics">???</a>. + Actual observations vary a little, but not by much. + Early in the startup process, the Windows Me machine broadcasts its name for two reasons: + first to ensure that its name would not result in a name clash, and second to establish its + presence with the Local Master Browser (LMB). + </p><div class="table"><a name="capsstats01"></a><p class="title"><b>Table 16.1. Windows Me Startup Broadcast Capture Statistics</b></p><div class="table-contents"><table summary="Windows Me Startup Broadcast Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">WINEPRESSME<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME<20></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1d></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1e></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1b></td><td align="center">Qry</td><td align="center">84</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">__MSBROWSE__</td><td align="center">Reg</td><td align="center">8</td><td align="left">Registered after winning election to Browse Master</td></tr><tr><td align="left">JHT<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 x 2. This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">2</td><td align="left">Observed at 10 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Get Backup List Request</td><td align="center">Qry</td><td align="center">12</td><td align="left">6 x 2 early in startup, 0.5 sec apart</td></tr><tr><td align="left">Browser Election Request</td><td align="center">Ann</td><td align="center">10</td><td align="left">5 x 2 early in startup</td></tr><tr><td align="left">Request Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">4</td><td align="left">Early in startup</td></tr></tbody></table></div></div><br class="table-break"><p><a class="indexterm" name="id394574"></a><a class="indexterm" name="id394581"></a> + From the packet trace, it should be noted that no messages were propagated over TCP/IP; + all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle + of various announcements, re-election of a browse master, and name queries. These create + the symphony of announcements by which network browsing is made possible. + </p><p><a class="indexterm" name="id394596"></a> + For detailed information regarding the precise behavior of the CIFS/SMB protocols, + refer to the book “<span class="quote">Implementing CIFS: The Common Internet File System,</span>” + by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X). + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="secondmachine"></a>Second Machine Startup Broadcast Interaction</h3></div></div></div><p> + At this time, the machine you used to capture the single-system startup trace should still be running. + The objective of this task is to identify the interaction of two machines in respect to broadcast activity. + </p><div class="procedure"><a name="id394627"></a><p class="title"><b>Procedure 16.3. Monitoring of Second Machine Activity</b></p><ol type="1"><li><p> + On the machine from which network activity will be monitored (using <code class="literal">Wireshark</code>), + launch <code class="literal">Wireshark</code> and click + <span class="guimenu">Capture</span> → <span class="guimenuitem">Start</span>. + </p><p> + Click: + </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p> + Click <span class="guibutton">OK</span>. + </p></li><li><p> + Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press + any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. + </p></li><li><p> + At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you + can examine the network data capture again at a later date should that be necessary. + </p></li><li><p> + Analyze the capture trace, taking note of the transport protocols used, the types of messages observed, + and what interaction took place between the two machines. Leave both machines running for the next task. + </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id394736"></a>Findings</h4></div></div></div><p> + <a href="primer.html#capsstats02" title="Table 16.2. Second Machine (Windows 98) Capture Statistics">???</a> summarizes capture statistics observed. As in the previous case, + all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second + Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash + (i.e., the name is already registered by another machine) on the network segment. Those wishing + to explore the inner details of the precise mechanism of how this functions should refer to + “<span class="quote">Implementing CIFS: The Common Internet File System.</span>” + </p><div class="table"><a name="capsstats02"></a><p class="title"><b>Table 16.2. Second Machine (Windows 98) Capture Statistics</b></p><div class="table-contents"><table summary="Second Machine (Windows 98) Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">MILGATE98<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98<20></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1d></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1e></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1b></td><td align="center">Qry</td><td align="center">18</td><td align="left">900 sec apart at stable operation</td></tr><tr><td align="left">JHT<03></td><td align="center">Reg</td><td align="center">2</td><td align="left">This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement MILGATE98</td><td align="center">Ann</td><td align="center">14</td><td align="left">Every 120 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">6</td><td align="left">900 sec apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">6</td><td align="left">Insufficient detail to determine frequency</td></tr></tbody></table></div></div><br class="table-break"><p> + <a class="indexterm" name="id395009"></a> + <a class="indexterm" name="id395016"></a> + <a class="indexterm" name="id395022"></a> + Observation of the contents of Host Announcements, Domain/Workgroup Announcements, + and Local Master Announcements is instructive. These messages convey a significant + level of detail regarding the nature of each machine that is on the network. An example + dissection of a Host Announcement is given in <a href="primer.html#hostannounce" title="Figure 16.3. Typical Windows 9x/Me Host Announcement">???</a>. + </p><div class="figure"><a name="hostannounce"></a><p class="title"><b>Figure 16.3. Typical Windows 9x/Me Host Announcement</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/HostAnnouncment.png" width="221.4" alt="Typical Windows 9x/Me Host Announcement"></div></div></div><br class="figure-break"></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395083"></a>Simple Windows Client Connection Characteristics</h3></div></div></div><p> + The purpose of this exercise is to discover how Microsoft Windows clients create (establish) + connections with remote servers. The methodology involves analysis of a key aspect of how + Windows clients access remote servers: the session setup protocol. + </p><div class="procedure"><a name="id395094"></a><p class="title"><b>Procedure 16.4. Client Connection Exploration Steps</b></p><ol type="1"><li><p> + Configure a Windows 9x/Me machine (MILGATE98) with a share called <code class="constant">Stuff</code>. + Create a <em class="parameter"><code>Full Access</code></em> control password on this share. + </p></li><li><p> + Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports + no shared resources. + </p></li><li><p> + Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both + machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding. + </p></li><li><p> + Start Wireshark (or the network sniffer of your choice). + </p></li><li><p> + From the WINEPRESSME machine, right-click <span class="guimenu">Network Neighborhood</span>, select + <span class="guimenuitem">Explore</span>, select + <span class="guimenuitem">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">MIDEARTH</span> → <span class="guimenuitem">MILGATE98</span> → <span class="guimenuitem">Stuff</span>. + Enter the password you set for the <code class="constant">Full Control</code> mode for the + <code class="constant">Stuff</code> share. + </p></li><li><p> + When the share called <code class="constant">Stuff</code> is being displayed, stop the capture. + Save the captured data in case it is needed for later analysis. + </p></li><li><p> + <a class="indexterm" name="id395218"></a> + From the top of the packets captured, scan down to locate the first packet that has + interpreted as <code class="constant">Session Setup AndX, User: anonymous; Tree Connect AndX, + Path: \\MILGATE98\IPC$</code>. + </p></li><li><p><a class="indexterm" name="id395236"></a><a class="indexterm" name="id395244"></a> + In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request, + and Tree Connect AndX Request</code>. Examine both operations. Identify the name of + the user Account and what password was used. The Account name should be empty. + This is a <code class="constant">NULL</code> session setup packet. + </p></li><li><p> + Return to the packet capture sequence. There will be a number of packets that have been + decoded of the type <code class="constant">Session Setup AndX</code>. Locate the last such packet + that was targeted at the <code class="constant">\\MILGATE98\IPC$</code> service. + </p></li><li><p> + <a class="indexterm" name="id395284"></a> + <a class="indexterm" name="id395291"></a> + Dissect this packet as per the previous one. This packet should have a password length + of 24 (characters) and should have a password field, the contents of which is a + long hexadecimal number. Observe the name in the Account field. This is a User Mode + session setup packet. + </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id395302"></a>Findings and Comments</h4></div></div></div><p> + <a class="indexterm" name="id395310"></a> + The <code class="constant">IPC$</code> share serves a vital purpose<sup>[<a name="id395321" href="#ftn.id395321">15</a>]</sup> + in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of + resources that are available on the server. The server responds with the shares and print queues that + are available. In most but not all cases, the connection is made with a <code class="constant">NULL</code> + username and a <code class="constant">NULL</code> password. + </p><p> + <a class="indexterm" name="id395339"></a> + The two packets examined are material evidence of how Windows clients may + interoperate with Samba. Samba requires every connection setup to be authenticated using + valid UNIX account credentials (UID/GID). This means that even a <code class="constant">NULL</code> + session setup can be established only by automatically mapping it to a valid UNIX + account. + </p><p> + <a class="indexterm" name="id395355"></a><a class="indexterm" name="id395361"></a> + <a class="indexterm" name="id395370"></a> + Samba has a special name for the <code class="constant">NULL</code>, or empty, user account: + it calls it the <a class="indexterm" name="id395381"></a>guest account. The + default value of this parameter is <code class="constant">nobody</code>; however, this can be + changed to map the function of the guest account to any other UNIX identity. Some + UNIX administrators prefer to map this account to the system default anonymous + FTP account. A sample NULL Session Setup AndX packet dissection is shown in + <a href="primer.html#nullconnect" title="Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request">???</a>. + </p><div class="figure"><a name="nullconnect"></a><p class="title"><b>Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/NullConnect.png" width="221.4" alt="Typical Windows 9x/Me NULL SessionSetUp AndX Request"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id395445"></a> + <a class="indexterm" name="id395452"></a> + <a class="indexterm" name="id395459"></a> + When a UNIX/Linux system does not have a <code class="constant">nobody</code> user account + (<code class="filename">/etc/passwd</code>), the operation of the <code class="constant">NULL</code> + account cannot validate and thus connections that utilize the guest account + fail. This breaks all ability to browse the Samba server and is a common + problem reported on the Samba mailing list. A sample User Mode session setup AndX + is shown in <a href="primer.html#userconnect" title="Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request">???</a>. + </p><div class="figure"><a name="userconnect"></a><p class="title"><b>Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UserConnect.png" width="221.4" alt="Typical Windows 9x/Me User SessionSetUp AndX Request"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id395531"></a> + The User Mode connection packet contains the account name and the domain name. + The password is provided in Microsoft encrypted form, and its length is shown + as 24 characters. This is the length of Microsoft encrypted passwords. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395544"></a>Windows 200x/XP Client Interaction with Samba-3</h3></div></div></div><p> + By now you may be asking, “<span class="quote">Why did you choose to work with Windows 9x/Me?</span>” + </p><p> + First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise + on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba. + Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly + follows the same principles. + </p><p> + The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service + updates also uses the <code class="constant">NULL</code> account, as well as user accounts. Simply follow the procedure + to complete this exercise. + </p><p> + To complete this exercise, you need a Windows XP Professional client that has been configured as + a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain. + Here we do not provide details for how to configure this, as full coverage is provided earlier in this book. + </p><div class="procedure"><a name="id395578"></a><p class="title"><b>Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up</b></p><ol type="1"><li><p> + Start your domain controller. Also, start the Wireshark monitoring machine, launch Wireshark, + and then wait for the next step to complete. + </p></li><li><p> + Start the Windows XP Client and wait 5 minutes before proceeding. + </p></li><li><p> + On the machine from which network activity will be monitored (using <code class="literal">Wireshark</code>), + launch <code class="literal">Wireshark</code> and click + <span class="guimenu">Capture</span> → <span class="guimenuitem">Start</span>. + </p><p> + Click: + </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p> + Click <span class="guibutton">OK</span>. + </p></li><li><p> + On the Windows XP Professional client, press <span class="guimenu">Ctrl-Alt-Delete</span> to bring + up the domain logon screen. Log in using valid credentials for a domain user account. + </p></li><li><p> + Now proceed to connect to the domain controller as follows: + <span class="guimenu">Start</span> → <span class="guimenuitem">(right-click) My Network Places</span> → <span class="guimenuitem">Explore</span> → <span class="guimenuitem">{Left Panel} [+] Entire Network</span> → <span class="guimenuitem">{Left Panel} [+] Microsoft Windows Network</span> → <span class="guimenuitem">{Left Panel} [+] Midearth</span> → <span class="guimenuitem">{Left Panel} [+] Frodo</span> → <span class="guimenuitem">{Left Panel} [+] data</span>. Close the explorer window. + </p><p> + In this step, our domain name is <code class="constant">Midearth</code>, the domain controller is called + <code class="constant">Frodo</code>, and we have connected to a share called <code class="constant">data</code>. + </p></li><li><p> + Stop the capture on the <code class="literal">Wireshark</code> monitoring machine. Be sure to save the captured data + to a file so that you can refer to it again later. + </p></li><li><p> + If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises + in this chapter. + </p></li><li><p> + <a class="indexterm" name="id395792"></a> + <a class="indexterm" name="id395798"></a> + From the top of the packets captured, scan down to locate the first packet that has + interpreted as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>. + </p></li><li><p> + <a class="indexterm" name="id395817"></a> + <a class="indexterm" name="id395824"></a> + <a class="indexterm" name="id395831"></a> + In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>. + Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code> + entry. Expand the <code class="constant">GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</code> + keys. This should reveal that this is a <code class="constant">NULL</code> session setup packet. + The <code class="constant">User name: NULL</code> so indicates. An example decode is shown in + <a href="primer.html#XPCap01" title="Figure 16.6. Typical Windows XP NULL Session Setup AndX Request">???</a>. + </p></li><li><p> + Return to the packet capture sequence. There will be a number of packets that have been + decoded of the type <code class="constant">Session Setup AndX Request</code>. Click the last such packet that + has been decoded as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>. + </p></li><li><p> + <a class="indexterm" name="id395888"></a> + In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>. + Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code> + entry. Expand the <code class="constant">GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</code> + keys. This should reveal that this is a <code class="constant">User Mode</code> session setup packet. + The <code class="constant">User name: jht</code> so indicates. An example decode is shown in + <a href="primer.html#XPCap02" title="Figure 16.7. Typical Windows XP User Session Setup AndX Request">???</a>. In this case the user name was <code class="constant">jht</code>. This packet + decode includes the <code class="constant">Lan Manager Response:</code> and the <code class="constant">NTLM Response:</code>. + The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan + password and then the NT (case-preserving) password hash. + </p></li><li><p> + <a class="indexterm" name="id395942"></a> + <a class="indexterm" name="id395949"></a> + The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode + session setup packet. + </p></li></ol></div><div class="figure"><a name="XPCap01"></a><p class="title"><b>Figure 16.6. Typical Windows XP NULL Session Setup AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WindowsXP-NullConnection.png" width="270" alt="Typical Windows XP NULL Session Setup AndX Request"></div></div></div><br class="figure-break"><div class="figure"><a name="XPCap02"></a><p class="title"><b>Figure 16.7. Typical Windows XP User Session Setup AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WindowsXP-UserConnection.png" width="270" alt="Typical Windows XP User Session Setup AndX Request"></div></div></div><br class="figure-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id396042"></a>Discussion</h4></div></div></div><p><a class="indexterm" name="id396048"></a> + This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled + in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles + remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a + <code class="constant">NULL-Session</code> connection to query and locate resources on an advanced network + technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated + connection must be made before resources can be used. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id396068"></a>Conclusions to Exercises</h3></div></div></div><p> + In summary, the following points have been established in this chapter: + </p><div class="itemizedlist"><ul type="disc"><li><p> + When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services. + </p></li><li><p> + Network browsing protocols query information stored on browse masters that manage + information provided by NetBIOS Name Registrations and by way of ongoing host + announcements and workgroup announcements. + </p></li><li><p> + All Samba servers must be configured with a mechanism for mapping the <code class="constant">NULL-Session</code> + to a valid but nonprivileged UNIX system account. + </p></li><li><p> + The use of Microsoft encrypted passwords is built right into the fabric of Windows + networking operations. Such passwords cannot be provided from the UNIX <code class="filename">/etc/passwd</code> + database and thus must be stored elsewhere on the UNIX system in a manner that Samba can + use. Samba-2.x permitted such encrypted passwords to be stored in the <code class="constant">smbpasswd</code> + file or in an LDAP database. Samba-3 permits use of multiple <em class="parameter"><code>passdb backend</code></em> + databases in concurrent deployment. Refer to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, “<span class="quote">Account Information Databases.</span>” + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01conc"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id396146"></a> + The exercises demonstrate the use of the <code class="constant">guest</code> account, the way that + MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections + between a client and a server are established. + </p><p> + Those wishing background information regarding NetBIOS name types should refer to + the Microsoft knowledgebase article + <a href="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp" target="_top">Q102878.</a> + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id396170"></a>Technical Issues</h3></div></div></div><p> + <a class="indexterm" name="id396178"></a> + Network browsing involves SMB broadcast announcements, SMB enumeration requests, + connections to the <code class="constant">IPC$</code> share, share enumerations, and SMB connection + setup processes. The use of anonymous connections to a Samba server involve the use of + the <em class="parameter"><code>guest account</code></em> that must map to a valid UNIX UID. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01qa"></a>Questions and Answers</h2></div></div></div><p> + The questions and answers given in this section are designed to highlight important aspects of Microsoft + Windows networking. + </p><div class="qandaset"><dl><dt> <a href="primer.html#id396220"> + What is the significance of the MIDEARTH<1b> type query? + </a></dt><dt> <a href="primer.html#id396262"> + What is the significance of the MIDEARTH<1d> type name registration? + </a></dt><dt> <a href="primer.html#id396329"> + What is the role and significance of the <01><02>__MSBROWSE__<02><01> + name registration? + </a></dt><dt> <a href="primer.html#id396356"> + What is the significance of the MIDEARTH<1e> type name registration? + </a></dt><dt> <a href="primer.html#id396383"> + + What is the significance of the guest account in smb.conf? + </a></dt><dt> <a href="primer.html#id396450"> + Is it possible to reduce network broadcast activity with Samba-3? + </a></dt><dt> <a href="primer.html#id396548"> + Can I just use plain-text passwords with Samba? + </a></dt><dt> <a href="primer.html#id396624"> + What parameter in the smb.conf file is used to enable the use of encrypted passwords? + </a></dt><dt> <a href="primer.html#id396663"> + Is it necessary to specify encrypt passwords = Yes + when Samba-3 is configured as a domain member? + </a></dt><dt> <a href="primer.html#id396688"> + Is it necessary to specify a guest account when Samba-3 is configured + as a domain member server? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id396220"></a><a name="id396222"></a></td><td align="left" valign="top"><p> + What is the significance of the MIDEARTH<1b> type query? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id396233"></a> + <a class="indexterm" name="id396242"></a> + This is a broadcast announcement by which the Windows machine is attempting to + locate a Domain Master Browser (DMB) in the event that it might exist on the network. + Refer to <span class="emphasis"><em>TOSHARG2,</em></span> Chapter 9, Section 9.7, “<span class="quote">Technical Overview of Browsing,</span>” + for details regarding the function of the DMB and its role in network browsing. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id396262"></a><a name="id396264"></a></td><td align="left" valign="top"><p> + What is the significance of the MIDEARTH<1d> type name registration? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id396276"></a> + <a class="indexterm" name="id396284"></a> + This name registration records the machine IP addresses of the LMBs. + Network clients can query this name type to obtain a list of browser servers from the + master browser. + </p><p> + The LMB is responsible for monitoring all host announcements on the local network and for + collating the information contained within them. Using this information, it can provide answers to other Windows + network clients that request information such as: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The list of machines known to the LMB (i.e., the browse list) + </p></li><li><p> + The IP addresses of all domain controllers known for the domain + </p></li><li><p> + The IP addresses of LMBs + </p></li><li><p> + The IP address of the DMB (if one exists) + </p></li><li><p> + The IP address of the LMB on the local segment + </p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id396329"></a><a name="id396331"></a></td><td align="left" valign="top"><p> + What is the role and significance of the <01><02>__MSBROWSE__<02><01> + name registration? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id396344"></a> + This name is registered by the browse master to broadcast and receive domain announcements. + Its scope is limited to the local network segment, or subnet. By querying this name type, + master browsers on networks that have multiple domains can find the names of master browsers + for each domain. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id396356"></a><a name="id396358"></a></td><td align="left" valign="top"><p> + What is the significance of the MIDEARTH<1e> type name registration? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id396370"></a> + This name is registered by all browse masters in a domain or workgroup. The registration + name type is known as the Browser Election Service. Master browsers register themselves + with this name type so that DMBs can locate them to perform cross-subnet + browse list updates. This name type is also used to initiate elections for Master Browsers. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id396383"></a><a name="id396385"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id396390"></a> + What is the significance of the <em class="parameter"><code>guest account</code></em> in smb.conf? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + This parameter specifies the default UNIX account to which MS Windows networking + NULL session connections are mapped. The default name for the UNIX account used for + this mapping is called <code class="constant">nobody</code>. If the UNIX/Linux system that + is hosting Samba does not have a <code class="constant">nobody</code> account and an alternate + mapping has not been specified, network browsing will not work at all. + </p><p> + It should be noted that the <em class="parameter"><code>guest account</code></em> is essential to + Samba operation. Either the operating system must have an account called <code class="constant">nobody</code> + or there must be an entry in the <code class="filename">smb.conf</code> file with a valid UNIX account, such as + <a class="indexterm" name="id396440"></a>guest account = ftp. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id396450"></a><a name="id396452"></a></td><td align="left" valign="top"><p> + Is it possible to reduce network broadcast activity with Samba-3? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id396464"></a> + <a class="indexterm" name="id396470"></a> + Yes, there are two ways to do this. The first involves use of WINS (See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, + Section 9.5, “<span class="quote">WINS The Windows Inter-networking Name Server</span>”); the + alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires + a correctly configured DNS server (see <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, Section 9.3, “<span class="quote">Discussion</span>”). + </p><p> + <a class="indexterm" name="id396501"></a> + <a class="indexterm" name="id396507"></a> + <a class="indexterm" name="id396517"></a> + The use of WINS reduces network broadcast traffic. The reduction is greatest when all network + clients are configured to operate in <em class="parameter"><code>Hybrid Mode</code></em>. This can be effected through + use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is + beneficial to configure Samba to use <a class="indexterm" name="id396532"></a>name resolve order = wins host cast. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as + well as with Samba-3. + </p></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id396548"></a><a name="id396550"></a></td><td align="left" valign="top"><p> + Can I just use plain-text passwords with Samba? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes, you can configure Samba to use plain-text passwords, though this does create a few problems. + </p><p> + First, the use of <code class="filename">/etc/passwd</code>-based plain-text passwords requires that registry + modifications be made on all MS Windows client machines to enable plain-text passwords support. This + significantly diminishes the security of MS Windows client operation. Many network administrators + are bitterly opposed to doing this. + </p><p> + Second, Microsoft has not maintained plain-text password support since the default setting was made + disabling this. When network connections are dropped by the client, it is not possible to re-establish + the connection automatically. Users need to log off and then log on again. Plain-text password support + may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing + environment. + </p><p> + Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling. + Just create user accounts by running <code class="literal">smbpasswd -a 'username'</code> + </p><p> + It is not possible to add a user to the <em class="parameter"><code>passdb backend</code></em> database unless there is + a UNIX system account for that user. On systems that run <code class="literal">winbindd</code> to access the Samba + PDC/BDC to provide Windows user and group accounts, the <em class="parameter"><code>idmap uid, idmap gid</code></em> ranges + set in the <code class="filename">smb.conf</code> file provide the local UID/GIDs needed for local identity management purposes. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id396624"></a><a name="id396626"></a></td><td align="left" valign="top"><p> + What parameter in the <code class="filename">smb.conf</code> file is used to enable the use of encrypted passwords? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The parameter in the <code class="filename">smb.conf</code> file that controls this behavior is known as <em class="parameter"><code>encrypt + passwords</code></em>. The default setting for this in Samba-3 is <code class="constant">Yes (Enabled)</code>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id396663"></a><a name="id396665"></a></td><td align="left" valign="top"><p> + Is it necessary to specify <a class="indexterm" name="id396670"></a>encrypt passwords = Yes + when Samba-3 is configured as a domain member? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + No. This is the default behavior. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id396688"></a><a name="id396690"></a></td><td align="left" valign="top"><p> + Is it necessary to specify a <em class="parameter"><code>guest account</code></em> when Samba-3 is configured + as a domain member server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes. This is a local function on the server. The default setting is to use the UNIX account + <code class="constant">nobody</code>. If this account does not exist on the UNIX server, then it is + necessary to provide a <a class="indexterm" name="id396712"></a>guest account = an_account, + where <code class="constant">an_account</code> is a valid local UNIX user account. + </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id395321" href="#id395321">15</a>] </sup>TOSHARG2, Sect 4.5.1</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. A Collection of Useful Tidbits </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/samba.css b/docs/htmldocs/Samba3-ByExample/samba.css new file mode 100644 index 0000000000..3d926e8e74 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/samba.css @@ -0,0 +1,80 @@ +BODY { + font-family: helvetica, arial, lucida sans, sans-serif; + background-color: white; +} + +H1, H2, H3 { + color: blue; + font-size: 120%; + padding: 2px; + margin-top: 0px; +} + +H1 { + background-color: #EEEEFF; + color: blue; +} + +H2 { + background-color: #DDDDFF; + color: blue; +} + +H3 { + background-color: #CCCCFF; + color: blue; +} + +H4 { + color: blue; +} + +TR.qandadiv TD { + padding-top: 1em; +} + +DIV.navhead { + font-size: 80%; +} + +A:link { + color: #36F; +} + +A:visited { + color: #96C; +} + +A:active { + color: #F63; +} + +TR.question { + color: #33C; + font-weight: bold; +} + +TR.question TD { + padding-top: 1em; +} + +DIV.variablelist { + padding-left: 2em; + color: #33C; +} + +P { + color: black; +} + +DIV.note, DIV.warning, DIV.caution, DIV.tip, DIV.important { + border: dashed 1px; + background-color: #EEEEFF; + width: 40em; +} + +PRE.programlisting, PRE.screen { + border: #630 1px dashed; + color: #630; +} + diff --git a/docs/htmldocs/Samba3-ByExample/secure.html b/docs/htmldocs/Samba3-ByExample/secure.html new file mode 100644 index 0000000000..a7b48fefc2 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/secure.html @@ -0,0 +1,1859 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Secure Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="small.html" title="Chapter 2. Small Office Networking"><link rel="next" href="Big500users.html" title="Chapter 4. The 500-User Office"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Secure Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="secure"></a>Chapter 3. Secure Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="secure.html#id331890">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id331930">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id332152">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id332164">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id332528">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id332562">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id333388">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id337670">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id337723">Questions and Answers</a></span></dt></dl></div><p> + Congratulations, your Samba networking skills are developing nicely. You started out + with three simple networks in <a href="simple.html" title="Chapter 1. No-Frills Samba Servers">???</a>, and then in <a href="small.html" title="Chapter 2. Small Office Networking">???</a> + you designed and built a network that provides a high degree of flexibility, integrity, + and dependability. It was enough for the basic needs each was designed to fulfill. In + this chapter you address a more complex set of needs. The solution you explore + introduces you to basic features that are specific to Samba-3. + </p><p> + You should note that a working and secure solution could be implemented using Samba-2.2.x. + In the exercises presented here, you are gradually using more Samba-3-specific features, + so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. + To avoid confusion, this book is all about Samba-3. Let's get the exercises in this + chapter underway. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id331890"></a>Introduction</h2></div></div></div><p> + You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work + well done. It is one year since the last network upgrade. You have been quite busy. + Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over + general network management. Soon she will provide primary user support. You have + demonstrated that you can delegate responsibility and can plan and execute according + to that plan. Above all, you have shown Mr. Meany that you are a responsible person. + Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never + expected: You are going to take charge of business operations. Mr. Meany + is retiring and has entrusted the business to your capable hands. + </p><p> + Mr. Meany may be retiring from this company, but not from work. He is taking the + opportunity to develop Abmas Accounting into a larger and more substantial company. + He says that it took him many years to learn that there is no future in just running + a business. He now realizes there is great personal satisfaction in the creation of + career opportunities for people in the local community. He wants to do more for others, + as he is doing for you. Today he spent a lot of time talking about his grand plan + for growth, which you will deal with in the chapters ahead. + </p><p> + Over the past year, the growth projections were exceeded. The network has grown to + meet the needs of 130 users. Along with growth, the demand for improved services + and better functionality has also developed. You are about to make an interim + improvement and then hand over all Help desk and network maintenance to Christine. + Christine has professional certifications in Microsoft Windows as well as in Linux; + she is a hard worker and quite likable. Christine does not want to manage the department + (although she manages well). She gains job satisfaction when left to sort things out. + Occasionally she wants to work with you on a challenging problem. When you told her + about your move, she almost resigned, although she was reassured that a new manager would + be hired to run Information Technology, and she would be responsible only for operations. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331930"></a>Assignment Tasks</h3></div></div></div><p> + You promised the staff Internet services including Web browsing, electronic mail, virus + protection, and a company Web site. Christine is eager to help turn the vision into + reality. Let's see how close you can get to the promises made. + </p><p> + The network you are about to deliver will service 130 users today. Within a year, + Abmas will aquire another company. Mr. Meany claims that within 2 years there will be + well over 500 users on the network. You have bought into the big picture, so prepare + for growth. You have purchased a new server and will implement a new network infrastructure. + </p><p> + You have decided to not recycle old network components. The only items that will be + carried forward are notebook computers. You offered staff new notebooks, but not + one person wanted the disruption for what was perceived as a marginal update. + You decided to give everyone, even the notebook user, a new desktop computer. + </p><p> + You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional) + and a 10 Mb/sec ethernet port. You registered the domain + <code class="constant">abmas.us</code>, and the Internet Service Provider (ISP) is supplying + secondary DNS. Information furnished by your ISP is shown in <a href="secure.html#chap4netid" title="Table 3.1. Abmas.US ISP Information">???</a>. + </p><p> + It is of paramount priority that under no circumstances will Samba offer + service access from an Internet connection. You are paying an ISP to + give, as part of its value-added services, full firewall protection for your + connection to the outside world. The only services allowed in from + the Internet side are the following destination ports: <code class="constant">http/https (ports + 80 and 443), email (port 25), DNS (port 53)</code>. All Internet traffic + will be allowed out after network address translation (NAT). No internal IP addresses + are permitted through the NAT filter because complete privacy of internal network + operations must be assured. + </p><div class="table"><a name="chap4netid"></a><p class="title"><b>Table 3.1. Abmas.US ISP Information</b></p><div class="table-contents"><table summary="Abmas.US ISP Information" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Parameter</th><th align="center">Value</th></tr></thead><tbody><tr><td align="left">Server IP Address</td><td align="center">123.45.67.66</td></tr><tr><td align="left">DSL Device IP Address</td><td align="center">123.45.67.65</td></tr><tr><td align="left">Network Address</td><td align="center">123.45.67.64/30</td></tr><tr><td align="left">Gateway Address</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Primary DNS Server</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Secondary DNS Server</td><td align="center">123.45.54.32</td></tr><tr><td align="left">Forwarding DNS Server</td><td align="center">123.45.12.23</td></tr></tbody></table></div></div><br class="table-break"><div class="figure"><a name="ch04net"></a><p class="title"><b>Figure 3.1. Abmas Network Topology 130 Users</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap4-net.png" width="351" alt="Abmas Network Topology 130 Users"></div></div></div><br class="figure-break"><p> + Christine recommended that desktop systems should be installed from a single cloned + master system that has a minimum of locally installed software and loads all software + off a central application server. The benefit of having the central application server + is that it allows single-point maintenance of all business applications, a more + efficient way to manage software. She further recommended installation of antivirus + software on workstations as well as on the Samba server. Christine knows the dangers + of potential virus infection and insists on a comprehensive approach to detective + as well as corrective action to protect network operations. + </p><p> + A significant concern is the problem of managing company growth. Recently, a number + of users had to share a PC while waiting for new machines to arrive. This presented + some problems with desktop computers and software installation into the new users' + desktop profiles. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332152"></a>Dissection and Discussion</h2></div></div></div><p> + Many of the conclusions you draw here are obvious. Some requirements are not very clear + or may simply be your means of drawing the most out of Samba-3. Much can be done more simply + than you will demonstrate here, but keep in mind that the network must scale to at least 500 + users. This means that some functionality will be overdesigned for the current 130-user + environment. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332164"></a>Technical Issues</h3></div></div></div><p> + In this exercise we use a 24-bit subnet mask for the two local networks. This, + of course, limits our network to a maximum of 253 usable IP addresses. The network + address range chosen is one assigned by RFC1918 for private networks. + When the number of users on the network begins to approach the limit of usable + addresses, it is a good idea to switch to a network address specified in RFC1918 + in the 172.16.0.0/16 range. This is done in subsequent chapters. + </p><p> + <a class="indexterm" name="id332179"></a> + <a class="indexterm" name="id332186"></a> + The high growth rates projected are a good reason to use the <code class="constant">tdbsam</code> + passdb backend. The use of <code class="constant">smbpasswd</code> for the backend may result in + performance problems. The <code class="constant">tdbsam</code> passdb backend offers features that + are not available with the older, flat ASCII-based <code class="constant">smbpasswd</code> database. + </p><p> + <a class="indexterm" name="id332213"></a> + The proposed network design uses a single server to act as an Internet services host for + electronic mail, Web serving, remote administrative access via SSH, + Samba-based file and print services. This design is often chosen by sites that feel + they cannot afford or justify the cost or overhead of having separate servers. It must + be realized that if security of this type of server should ever be violated (compromised), + the whole network and all data is at risk. Many sites continue to choose this type + of solution; therefore, this chapter provides detailed coverage of key implementation + aspects. + </p><p> + Samba will be configured to specifically not operate on the Ethernet interface that is + directly connected to the Internet. + </p><p> + <a class="indexterm" name="id332232"></a> + <a class="indexterm" name="id332239"></a> + <a class="indexterm" name="id332246"></a> + <a class="indexterm" name="id332255"></a> + You know that your ISP is providing full firewall services, but you cannot rely on that. + Always assume that human error will occur, so be prepared by using Linux firewall facilities + based on <code class="literal">iptables</code> to effect NAT. Block all + incoming traffic except to permitted well-known ports. You must also allow incoming packets + to establish outgoing connections. You will permit all internal outgoing requests. + </p><p> + The configuration of Web serving, Web proxy services, electronic mail, and the details of + generic antivirus handling are beyond the scope of this book and therefore are not + covered except insofar as this affects Samba-3. + </p><p> + <a class="indexterm" name="id332279"></a> + Notebook computers are configured to use a network login when in the office and a + local account to log in while away from the office. Users store all work done in + transit (away from the office) by using a local share for work files. Standard procedures + dictate that on completion of the work that necessitates mobile file access, all + work files are moved back to secure storage on the office server. Staff is instructed + to not carry on any company notebook computer any files that are not absolutely required. + This is a preventative measure to protect client information as well as private business + records. + </p><p> + <a class="indexterm" name="id332295"></a> + All applications are served from the central server from a share called <code class="constant">apps</code>. + Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network + (or administrative) installation. Accounting and financial management software can also + be run only from the central application server. Notebook users are provided with + locally installed applications on a need-to-have basis only. + </p><p> + <a class="indexterm" name="id332312"></a> + The introduction of roaming profiles support means that users can move between + desktop computer systems without constraint while retaining full access to their data. + The desktop travels with them as they move. + </p><p> + <a class="indexterm" name="id332324"></a> + The DNS server implementation must now address both internal and external + needs. You forward DNS lookups to your ISP-provided server as well as the + <code class="constant">abmas.us</code> external secondary DNS server. + </p><p> + <a class="indexterm" name="id332339"></a> + <a class="indexterm" name="id332346"></a> + <a class="indexterm" name="id332355"></a> + Compared with the DHCP server configuration in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>, <a href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>, the + configuration used in this example has to deal with the presence of an Internet connection. + The scope set for it ensures that no DHCP services will be offered on the external + connection. All printers are configured as DHCP clients so that the DHCP server assigns + the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional + feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic + DNS (DDNS) operation. + </p><p> + This is the first implementation that depends on a correctly functioning DNS server. + Comprehensive steps are included to provide for a fully functioning DNS server that also + is enabled for DDNS operation. This means that DHCP clients can be autoregistered + with the DNS server. + </p><p> + You are taking the opportunity to manually set the netbios name of the Samba server to + a name other than what will be automatically resolved. You are doing this to ensure that + the machine has the same NetBIOS name on both network segments. + </p><p> + As in the previous network configuration, printing in this network configuration uses + direct raw printing (i.e., no smart printing and no print driver autodownload to Windows + clients). Printer drivers are installed on the Windows client manually. This is not + a problem because Christine is to install and configure one single workstation and + then clone that configuration, using Norton Ghost, to all workstations. Each machine is + identical, so this should pose no problem. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id332397"></a>Hardware Requirements</h4></div></div></div><p> + <a class="indexterm" name="id332405"></a> + This server runs a considerable number of services. From similarly configured Linux + installations, the approximate calculated memory requirements are as shown in + <a href="secure.html#ch4memoryest" title="Example 3.1. Estimation of Memory Requirements">???</a>. + +</p><div class="example"><a name="ch4memoryest"></a><p class="title"><b>Example 3.1. Estimation of Memory Requirements</b></p><div class="example-contents"><pre class="screen"> +Application Memory per User 130 Users 500 Users + Name (MBytes) Total MBytes Total MBytes +----------- --------------- ------------ ------------ +DHCP 2.5 3 3 +DNS 16.0 16 16 +Samba (nmbd) 16.0 16 16 +Samba (winbind) 16.0 16 16 +Samba (smbd) 4.0 520 2000 +Apache 10.0 (20 User) 200 200 +CUPS 3.5 16 32 +Basic OS 256.0 256 256 + -------------- -------------- + Total: 1043 MBytes 2539 MBytes + -------------- -------------- +</pre></div></div><p><br class="example-break"> + You should add a safety margin of at least 50% to these estimates. The minimum + system memory recommended for initial startup 1 GB, but to permit the system + to scale to 500 users, it makes sense to provision the machine with 4 GB memory. + An initial configuration with only 1 GB memory would lead to early performance complaints + as the system load builds up. Given the low cost of memory, it does not make sense to + compromise in this area. + </p><p> + <a class="indexterm" name="id332448"></a> + Aggregate input/output loads should be considered for sizing network configuration as + well as disk subsystems. For network bandwidth calculations, one would typically use an + estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec) + would deliver below acceptable capacity for the initial user load. It is therefore a good + idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached + to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T + switched ports. + </p><p> + <a class="indexterm" name="id332463"></a> + <a class="indexterm" name="id332470"></a> + Considering the choice of 1 Gb Ethernet interfaces for the two local network segments, + the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O + demand that would require a fast disk storage I/O capability. Peak disk throughput is + limited by the disk subsystem chosen. It is desirable to provide the maximum + I/O bandwidth affordable. If a low-cost solution must be chosen, + 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a + 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI + controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec). + Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, + it makes sense to purchase well-known, branded hardware that has appropriate performance + specifications. As a minimum, one should attempt to provide a disk subsystem that can + deliver I/O rates of at least 100 MB/sec. + </p><p> + Disk storage requirements may be calculated as shown in <a href="secure.html#ch4diskest" title="Example 3.2. Estimation of Disk Storage Requirements">???</a>. + +</p><div class="example"><a name="ch4diskest"></a><p class="title"><b>Example 3.2. Estimation of Disk Storage Requirements</b></p><div class="example-contents"><pre class="screen"> +Corporate Data: 100 MBytes/user per year +Email Storage: 500 MBytes/user per year +Applications: 5000 MBytes +Safety Buffer: At least 50% + +Given 500 Users and 2 years: +----------------------------- + Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes + Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes + Applications: 5000 MBytes = 5 GBytes + ---------------------------- + Total: 605 GBytes + Add 50% buffer 303 GBytes + Recommended Storage: 908 GBytes +</pre></div></div><p><br class="example-break"> + <a class="indexterm" name="id332516"></a> + The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5 + with two hot spare drives would require an 8-drive by 200 GB capacity per drive array. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332528"></a>Political Issues</h3></div></div></div><p> + Your industry is coming under increasing accountability pressures. Increased paranoia + is necessary so you can demonstrate that you have acted with due diligence. You must + not trust your Internet connection. + </p><p> + Apart from permitting more efficient management of business applications through use of + an application server, your primary reason for the decision to implement this is that it + gives you greater control over software licensing. + </p><p> + <a class="indexterm" name="id332546"></a> + You are well aware that the current configuration results in some performance issues + as the size of the desktop profile grows. Given that users use Microsoft Outlook + Express, you know that the storage implications of the <code class="constant">.PST</code> file + is something that needs to be addressed later. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332562"></a>Implementation</h2></div></div></div><p> + <a href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">???</a> demonstrates the overall design of the network that you will implement. + </p><p> + The information presented here assumes that you are already familiar with many basic steps. + As this stands, the details provided already extend well beyond just the necessities of + Samba configuration. This decision is deliberate to ensure that key determinants + of a successful installation are not overlooked. This is the last case that documents + the finite minutiae of DHCP and DNS server configuration. Beyond the information provided + here, there are many other good reference books on these subjects. + </p><p> + The <code class="filename">smb.conf</code> file has the following noteworthy features: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The NetBIOS name of the Samba server is set to <code class="constant">DIAMOND</code>. + </p></li><li><p> + The Domain name is set to <code class="constant">PROMISES</code>. + </p></li><li><p> + <a class="indexterm" name="id332622"></a> + <a class="indexterm" name="id332628"></a> + <a class="indexterm" name="id332635"></a> + Ethernet interface <code class="constant">eth0</code> is attached to the Internet connection + and is externally exposed. This interface is explicitly not available for Samba to use. + Samba listens on this interface for broadcast messages but does not broadcast any + information on <code class="constant">eth0</code>, nor does it accept any connections from it. + This is achieved by way of the <em class="parameter"><code>interfaces</code></em> parameter and the + <em class="parameter"><code>bind interfaces only</code></em> entry. + </p></li><li><p> + <a class="indexterm" name="id332668"></a> + <a class="indexterm" name="id332675"></a> + <a class="indexterm" name="id332682"></a> + The <em class="parameter"><code>passdb backend</code></em> parameter specifies the creation and use + of the <code class="constant">tdbsam</code> password backend. This is a binary database that + has excellent scalability for a large number of user account entries. + </p></li><li><p> + <a class="indexterm" name="id332704"></a> + <a class="indexterm" name="id332711"></a> + <a class="indexterm" name="id332718"></a> + WINS serving is enabled by the <a class="indexterm" name="id332725"></a>wins support = Yes, + and name resolution is set to use it by means of the + <a class="indexterm" name="id332732"></a>name resolve order = wins bcast hosts entry. + </p></li><li><p> + <a class="indexterm" name="id332744"></a> + The Samba server is configured for use by Windows clients as a time server. + </p></li><li><p> + <a class="indexterm" name="id332756"></a> + <a class="indexterm" name="id332763"></a> + <a class="indexterm" name="id332770"></a> + Samba is configured to directly interface with CUPS via the direct internal interface + that is provided by CUPS libraries. This is achieved with the + <a class="indexterm" name="id332778"></a>printing = CUPS as well as the + <a class="indexterm" name="id332785"></a>printcap name = CUPS entries. + </p></li><li><p> + <a class="indexterm" name="id332796"></a> + <a class="indexterm" name="id332803"></a> + <a class="indexterm" name="id332810"></a> + External interface scripts are provided to enable Samba to interface smoothly to + essential operating system functions for user and group management. This is important + to enable workstations to join the Domain and is also important so that you can use + the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools + are provided as part of the <code class="filename">SRVTOOLS.EXE</code> toolkit that can be + downloaded from the Microsoft FTP + <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">site</a>. + </p></li><li><p> + <a class="indexterm" name="id332837"></a> + The <code class="filename">smb.conf</code> file specifies that the Samba server will operate in (default) <em class="parameter"><code> + security = user</code></em> mode<sup>[<a name="id332857" href="#ftn.id332857">5</a>]</sup> + (User Mode). + </p></li><li><p> + <a class="indexterm" name="id332874"></a> + <a class="indexterm" name="id332881"></a> + Domain logon services as well as a Domain logon script are specified. The logon script + will be used to add robustness to the overall network configuration. + </p></li><li><p> + <a class="indexterm" name="id332893"></a> + <a class="indexterm" name="id332900"></a> + <a class="indexterm" name="id332907"></a> + Roaming profiles are enabled through the specification of the parameter, + <a class="indexterm" name="id332915"></a>logon path = \\%L\profiles\%U. The value of this parameter translates the + <code class="constant">%L</code> to the name by which the Samba server is called by the client (for this + configuration, it translates to the name <code class="constant">DIAMOND</code>), and the <code class="constant">%U</code> + will translate to the name of the user within the context of the connection made to the profile share. + It is the administrator's responsibility to ensure there is a directory in the root of the + profile share for each user. This directory must be owned by the user also. An exception to this + requirement is when a profile is created for group use. + </p></li><li><p> + <a class="indexterm" name="id332941"></a> + <a class="indexterm" name="id332948"></a> + Precautionary veto is effected for particular Windows file names that have been targeted by + virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking + controls. This should help to prevent lock contention-related file access problems. + </p></li><li><p> + Every user has a private home directory on the UNIX/Linux host. This is mapped to + a network drive that is the same for all users. + </p></li></ul></div><p> + The configuration of the server is the most complex so far. The following steps are used: + </p><div class="orderedlist"><ol type="1"><li><p> + Basic System Configuration + </p></li><li><p> + Samba Configuration + </p></li><li><p> + DHCP and DNS Server Configuration + </p></li><li><p> + Printer Configuration + </p></li><li><p> + Process Start-up Configuration + </p></li><li><p> + Validation + </p></li><li><p> + Application Share Configuration + </p></li><li><p> + Windows Client Configuration + </p></li></ol></div><p> + The following sections cover each step in logical and defined detail. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4bsc"></a>Basic System Configuration</h3></div></div></div><p> + <a class="indexterm" name="id333032"></a> + The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been + freshly installed. It prepares basic files so that the system is ready for comprehensive + operation in line with the network diagram shown in <a href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">???</a>. + </p><div class="procedure"><a name="id333047"></a><p class="title"><b>Procedure 3.1. Server Configuration Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id333058"></a> + Using the UNIX/Linux system tools, name the server <code class="constant">server.abmas.us</code>. + Verify that your hostname is correctly set by running: +</p><pre class="screen"> +<code class="prompt">root# </code> uname -n +server +</pre><p> + An alternate method to verify the hostname is: +</p><pre class="screen"> +<code class="prompt">root# </code> hostname -f +server.abmas.us +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id333100"></a> + <a class="indexterm" name="id333107"></a> + Edit your <code class="filename">/etc/hosts</code> file to include the primary names and addresses + of all network interfaces that are on the host server. This is necessary so that during + startup the system can resolve all its own names to the IP address prior to + startup of the DNS server. An example of entries that should be in the + <code class="filename">/etc/hosts</code> file is: +</p><pre class="screen"> +127.0.0.1 localhost +192.168.1.1 sleeth1.abmas.biz sleeth1 diamond +192.168.2.1 sleeth2.abmas.biz sleeth2 +123.45.67.66 server.abmas.us server +</pre><p> + You should check the startup order of your system. If the CUPS print server is started before + the DNS server (<code class="literal">named</code>), you should also include an entry for the printers + in the <code class="filename">/etc/hosts</code> file, as follows: +</p><pre class="screen"> +192.168.1.20 qmsa.abmas.biz qmsa +192.168.1.30 hplj6a.abmas.biz hplj6a +192.168.2.20 qmsf.abmas.biz qmsf +192.168.2.30 hplj6f.abmas.biz hplj6f +</pre><p> + <a class="indexterm" name="id333155"></a> + <a class="indexterm" name="id333162"></a> + <a class="indexterm" name="id333169"></a> + The printer entries are not necessary if <code class="literal">named</code> is started prior to + startup of <code class="literal">cupsd</code>, the CUPS daemon. + </p></li><li><p> + <a class="indexterm" name="id333195"></a> + <a class="indexterm" name="id333202"></a> + <a class="indexterm" name="id333209"></a> + The host server is acting as a router between the two internal network segments as well + as for all Internet access. This necessitates that IP forwarding be enabled. This can be + achieved by adding to the <code class="filename">/etc/rc.d/boot.local</code> an entry as follows: +</p><pre class="screen"> +echo 1 > /proc/sys/net/ipv4/ip_forward +</pre><p> + To ensure that your kernel is capable of IP forwarding during configuration, you may + wish to execute that command manually also. This setting permits the Linux system to + act as a router.<sup>[<a name="id333232" href="#ftn.id333232">6</a>]</sup> + </p></li><li><p> + <a class="indexterm" name="id333244"></a> + <a class="indexterm" name="id333250"></a> + Installation of a basic firewall and NAT facility is necessary. + The following script can be installed in the <code class="filename">/usr/local/sbin</code> + directory. It is executed from the <code class="filename">/etc/rc.d/boot.local</code> startup + script. In your case, this script is called <code class="filename">abmas-netfw.sh</code>. The + script contents are shown in <a href="secure.html#ch4natfw" title="Example 3.3. NAT Firewall Configuration Script">???</a>. + +</p><div class="example"><a name="ch4natfw"></a><p class="title"><b>Example 3.3. NAT Firewall Configuration Script</b></p><div class="example-contents"><pre class="screen"> +#!/bin/sh +echo -e "\n\nLoading NAT firewall.\n" +IPTABLES=/usr/sbin/iptables +EXTIF="eth0" +INTIFA="eth1" +INTIFB="eth2" + +/sbin/depmod -a +/sbin/modprobe ip_tables +/sbin/modprobe ip_conntrack +/sbin/modprobe ip_conntrack_ftp +/sbin/modprobe iptable_nat +/sbin/modprobe ip_nat_ftp +$IPTABLES -P INPUT DROP +$IPTABLES -F INPUT +$IPTABLES -P OUTPUT ACCEPT +$IPTABLES -F OUTPUT +$IPTABLES -P FORWARD DROP +$IPTABLES -F FORWARD + +$IPTABLES -A INPUT -i lo -j ACCEPT +$IPTABLES -A INPUT -i $INTIFA -j ACCEPT +$IPTABLES -A INPUT -i $INTIFB -j ACCEPT +$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT +# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS +for i in 22 25 53 80 443 +do + $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT +done +# Allow DNS(udp) +$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT +echo "Allow all connections OUT and only existing and specified ones IN" +$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \ + --state ESTABLISHED,RELATED -j ACCEPT +$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \ + --state ESTABLISHED,RELATED -j ACCEPT +$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT +$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT +$IPTABLES -A FORWARD -j LOG +echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" +$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE +echo "1" > /proc/sys/net/ipv4/ip_forward +echo -e "\nNAT firewall done.\n" +</pre></div></div><p><br class="example-break"> + </p></li><li><p> + Execute the following to make the script executable: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod 755 /usr/local/sbin/abmas-natfw.sh +</pre><p> + You must now edit <code class="filename">/etc/rc.d/boot.local</code> to add an entry + that runs your <code class="literal">abmas-natfw.sh</code> script. The following + entry works for you: +</p><pre class="screen"> +#! /bin/sh +# +# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany. +# All rights reserved. +# +# Author: Werner Fink, 1996 +# Burchard Steinbild, 1996 +# +# /etc/init.d/boot.local +# +# script with local commands to be executed from init on system startup +# +# Here you should add things that should happen directly after booting +# before we're going to the first run level. +# +/usr/local/sbin/abmas-natfw.sh +</pre><p> + </p></li></ol></div><p> + <a class="indexterm" name="id333367"></a> + The server is now ready for Samba configuration. During the validation step, you remove + the entry for the Samba server <code class="constant">diamond</code> from the <code class="filename">/etc/hosts</code> + file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333388"></a>Samba Configuration</h3></div></div></div><p> + When you have completed this section, the Samba server is ready for testing and validation; + however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have + been configured. + </p><div class="procedure"><a name="id333398"></a><p class="title"><b>Procedure 3.2. Samba Configuration Steps</b></p><ol type="1"><li><p> + Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary + RPM file is called <code class="filename">samba-3.0.20-1.i386.rpm</code>, one way to install this + file is as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm +</pre><p> + This operation must be performed while logged in as the <code class="literal">root</code> user. + Successful operation is clearly indicated. If this installation should fail for any reason, + refer to the operating system manufacturer's documentation for guidance. + </p></li><li><p> + Install the <code class="filename">smb.conf</code> file shown in <a href="secure.html#promisnet" title="Example 3.4. 130 User Network with tdbsam [globals] Section">???</a>, <a href="secure.html#promisnetsvca" title="Example 3.5. 130 User Network with tdbsam Services Section Part A">???</a>, + and <a href="secure.html#promisnetsvcb" title="Example 3.6. 130 User Network with tdbsam Services Section Part B">???</a>. Concatenate (join) all three files to make a single <code class="filename">smb.conf</code> + file. The final, fully qualified path for this file should be <code class="filename">/etc/samba/smb.conf</code>. + +</p><div class="example"><a name="promisnet"></a><p class="title"><b>Example 3.4. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> [globals] Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id333514"></a><em class="parameter"><code>workgroup = PROMISES</code></em></td></tr><tr><td><a class="indexterm" name="id333526"></a><em class="parameter"><code>netbios name = DIAMOND</code></em></td></tr><tr><td><a class="indexterm" name="id333539"></a><em class="parameter"><code>interfaces = eth1, eth2, lo</code></em></td></tr><tr><td><a class="indexterm" name="id333552"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333564"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id333577"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333589"></a><em class="parameter"><code>passwd program = /usr/bin/passwd %u</code></em></td></tr><tr><td><a class="indexterm" name="id333602"></a><em class="parameter"><code>passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*</code></em></td></tr><tr><td><a class="indexterm" name="id333615"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id333628"></a><em class="parameter"><code>unix password sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333640"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id333653"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id333666"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id333678"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id333691"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id333703"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id333716"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333728"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id333741"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id333754"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333766"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333779"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id333792"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id333805"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333818"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333831"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id333844"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id333856"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id333869"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id333882"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id333894"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id333907"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333919"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333932"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333944"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333957"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333970"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id333982"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a class="indexterm" name="id333995"></a><em class="parameter"><code>veto files = /*.eml/*.nws/*.{*}/</code></em></td></tr><tr><td><a class="indexterm" name="id334007"></a><em class="parameter"><code>veto oplock files = /*.doc/*.xls/*.mdb/</code></em></td></tr></table></div></div><p><br class="example-break"> + +</p><div class="example"><a name="promisnetsvca"></a><p class="title"><b>Example 3.5. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id334051"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id334064"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id334076"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id334089"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id334110"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id334123"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id334135"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334148"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334160"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334173"></a><em class="parameter"><code>default devmode = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334185"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id334207"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id334220"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id334232"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334245"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id334266"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id334279"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id334291"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id334304"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id334325"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id334338"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id334351"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><p><br class="example-break"> + +</p><div class="example"><a name="promisnetsvcb"></a><p class="title"><b>Example 3.6. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id334394"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id334406"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id334419"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id334440"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id334453"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id334465"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id334487"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id334500"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id334512"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334525"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr></table></div></div><p><br class="example-break"> + </p></li><li><p> + <a class="indexterm" name="id334545"></a><a class="indexterm" name="id334550"></a> + Add the <code class="constant">root</code> user to the password backend as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -a root +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +<code class="prompt">root# </code> +</pre><p> + The <code class="constant">root</code> account is the UNIX equivalent of the Windows Domain Administrator. + This account is essential in the regular maintenance of your Samba server. It must never be + deleted. If for any reason the account is deleted, you may not be able to recreate this account + without considerable trouble. + </p></li><li><p> + <a class="indexterm" name="id334594"></a> + Create the username map file to permit the <code class="constant">root</code> account to be called + <code class="constant">Administrator</code> from the Windows network environment. To do this, create + the file <code class="filename">/etc/samba/smbusers</code> with the following contents: +</p><pre class="screen"> +#### +# User mapping file +#### +# File Format +# ----------- +# Unix_ID = Windows_ID +# +# Examples: +# root = Administrator +# janes = "Jane Smith" +# jimbo = Jim Bones +# +# Note: If the name contains a space it must be double quoted. +# In the example above the name 'jimbo' will be mapped to Windows +# user names 'Jim' and 'Bones' because the space was not quoted. +####################################################################### +root = Administrator +#### +# End of File +#### +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id334632"></a> + <a class="indexterm" name="id334639"></a> + <a class="indexterm" name="id334650"></a> + <a class="indexterm" name="id334662"></a> + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>, + <a href="small.html#initGrps" title="Example 2.1. Script to Map Windows NT Groups to UNIX Groups">???</a>. Create a file containing this script. We called ours + <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed, + and then execute the script. Sample output should be as follows: + +</p><div class="example"><a name="ch4initGrps"></a><p class="title"><b>Example 3.7. Script to Map Windows NT Groups to UNIX Groups</b></p><div class="example-contents"><a class="indexterm" name="id334702"></a><pre class="screen"> +#!/bin/bash +# +# initGrps.sh +# + +# Create UNIX groups +groupadd acctsdep +groupadd finsrvcs + +# Map Windows Domain Groups to UNIX groups +net groupmap add ntgroup="Domain Admins" unixgroup=root type=d +net groupmap add ntgroup="Domain Users" unixgroup=users type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d + +# Add Functional Domain Groups +net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d +net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d +net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d + +# Map Windows NT machine local groups to local UNIX groups +# Mapping of local groups is not necessary and not functional +# for this installation. +</pre></div></div><p><br class="example-break"> + +</p><pre class="screen"> +<code class="prompt">root# </code> chmod 755 initGrps.sh +<code class="prompt">root# </code> /etc/samba # ./initGrps.sh +Updated mapping entry for Domain Admins +Updated mapping entry for Domain Users +Updated mapping entry for Domain Guests +No rid or sid specified, choosing algorithmic mapping +Successfully added group Accounts Dept to the mapping db +No rid or sid specified, choosing algorithmic mapping +Successfully added group Domain Guests to the mapping db + +<code class="prompt">root# </code> /etc/samba # net groupmap list | sort +Account Operators (S-1-5-32-548) -> -1 +Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep +Administrators (S-1-5-32-544) -> -1 +Backup Operators (S-1-5-32-551) -> -1 +Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root +Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody +Domain Users (S-1-5-21-179504-2437109-488451-513) -> users +Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs +Guests (S-1-5-32-546) -> -1 +Power Users (S-1-5-32-547) -> -1 +Print Operators (S-1-5-32-550) -> -1 +Replicators (S-1-5-32-552) -> -1 +System Operators (S-1-5-32-549) -> -1 +Users (S-1-5-32-545) -> -1 +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id334761"></a> + <a class="indexterm" name="id334768"></a> + <a class="indexterm" name="id334775"></a> + <a class="indexterm" name="id334782"></a> + <a class="indexterm" name="id334788"></a> + <a class="indexterm" name="id334795"></a> + <a class="indexterm" name="id334804"></a> + There is one preparatory step without which you will not have a working Samba + network environment. You must add an account for each network user. + For each user who needs to be given a Windows Domain account, make an entry in the + <code class="filename">/etc/passwd</code> file as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system account, and use the Samba + <code class="literal">smbpasswd</code> to create a Domain user account. + There are a number of tools for user management under UNIX, such as + <code class="literal">useradd</code>, and <code class="literal">adduser</code>, as well as a plethora of custom + tools. You also want to create a home directory for each user. + You can do this by executing the following steps for each user: +</p><pre class="screen"> +<code class="prompt">root# </code> useradd -m <em class="parameter"><code>username</code></em> +<code class="prompt">root# </code> passwd <em class="parameter"><code>username</code></em> +Changing password for <em class="parameter"><code>username</code></em>. +New password: XXXXXXXX +Re-enter new password: XXXXXXXX +Password changed +<code class="prompt">root# </code> smbpasswd -a <em class="parameter"><code>username</code></em> +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +Added user <em class="parameter"><code>username</code></em>. +</pre><p> + You do of course use a valid user login ID in place of <em class="parameter"><code>username</code></em>. + </p></li><li><p> + <a class="indexterm" name="id334911"></a> + <a class="indexterm" name="id334920"></a> + <a class="indexterm" name="id334929"></a> + Using the preferred tool for your UNIX system, add each user to the UNIX groups created + previously as necessary. File system access control will be based on UNIX group membership. + </p></li><li><p> + Create the directory mount point for the disk subsystem that can be mounted to provide + data storage for company files. In this case the mount point is indicated in the <code class="filename">smb.conf</code> + file is <code class="filename">/data</code>. Format the file system as required, and mount the formatted + file system partition using appropriate system tools. + </p></li><li><p> + <a class="indexterm" name="id334966"></a> + Create the top-level file storage directories for data and applications as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data/{accounts,finsrvcs} +<code class="prompt">root# </code> mkdir -p /apps +<code class="prompt">root# </code> chown -R root:root /data +<code class="prompt">root# </code> chown -R root:root /apps +<code class="prompt">root# </code> chown -R bjordan:acctsdep /data/accounts +<code class="prompt">root# </code> chown -R bjordan:finsrvcs /data/finsrvcs +<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data +<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps +</pre><p> + Each department is responsible for creating its own directory structure within the departmental + share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>. + The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>. + The <code class="filename">/apps</code> directory is the root of the <code class="constant">apps</code> share + that provides the application server infrastructure. + </p></li><li><p> + The <code class="filename">smb.conf</code> file specifies an infrastructure to support roaming profiles and network + logon services. You can now create the file system infrastructure to provide the + locations on disk that these services require. Adequate planning is essential, + since desktop profiles can grow to be quite large. For planning purposes, a minimum of + 200 MB of storage should be allowed per user for profile storage. The following + commands create the directory infrastructure needed: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/spool/samba +<code class="prompt">root# </code> mkdir -p /var/lib/samba/{netlogon/scripts,profiles} +<code class="prompt">root# </code> chown -R root:root /var/spool/samba +<code class="prompt">root# </code> chown -R root:root /var/lib/samba +<code class="prompt">root# </code> chmod a+rwxt /var/spool/samba +<code class="prompt">root# </code> chmod 2775 /var/lib/samba/profiles +<code class="prompt">root# </code> chgrp users /var/lib/samba/profiles +</pre><p> + For each user account that is created on the system, the following commands should be + executed: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /var/lib/samba/profiles/'username' +<code class="prompt">root# </code> chown 'username':users /var/lib/samba/profiles/'username' +<code class="prompt">root# </code> chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username' +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id335168"></a> + <a class="indexterm" name="id335175"></a> + <a class="indexterm" name="id335181"></a> + Create a logon script. It is important that each line is correctly terminated with + a carriage return and line-feed combination (i.e., DOS encoding). The following procedure + works if the right tools (<code class="constant">unix2dos</code> and <code class="constant">dos2unix</code>) are installed. + First, create a file called <code class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</code> + with the following contents: +</p><pre class="screen"> +net time \\diamond /set /yes +net use h: /home +net use p: \\diamond\apps +</pre><p> + Convert the UNIX file to a DOS file using the <code class="literal">unix2dos</code> as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \ + > /var/lib/samba/netlogon/scripts/logon.bat +</pre><p> + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4dhcpdns"></a>Configuration of DHCP and DNS Servers</h3></div></div></div><p> + DHCP services are a basic component of the entire network client installation. DNS operation is + foundational to Internet access as well as to trouble-free operation of local networking. When + you have completed this section, the server should be ready for solid duty operation. + </p><div class="procedure"><a name="id335248"></a><p class="title"><b>Procedure 3.3. DHCP and DNS Server Configuration Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id335259"></a> + Create a file called <code class="filename">/etc/dhcpd.conf</code> with the contents as + shown in <a href="secure.html#prom-dhcp" title="Example 3.8. DHCP Server Configuration File /etc/dhcpd.conf">???</a>. + +</p><div class="example"><a name="prom-dhcp"></a><p class="title"><b>Example 3.8. DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></b></p><div class="example-contents"><pre class="screen"> +# Abmas Accounting Inc. +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; +option ntp-servers 192.168.1.1; +option domain-name "abmas.biz"; +option domain-name-servers 192.168.1.1, 192.168.2.1; +option netbios-name-servers 192.168.1.1, 192.168.2.1; +option netbios-node-type 8; ### Node type = Hybrid ### +ddns-updates on; ### Dynamic DNS enabled ### +ddns-update-style interim; + +subnet 192.168.1.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.1.128 192.168.1.254; + option subnet-mask 255.255.255.0; + option routers 192.168.1.1; + allow unknown-clients; + host qmsa { + hardware ethernet 08:00:46:7a:35:e4; + fixed-address 192.168.1.20; + } + host hplj6a { + hardware ethernet 00:03:47:cb:81:e0; + fixed-address 192.168.1.30; + } + } +subnet 192.168.2.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.2.128 192.168.2.254; + option subnet-mask 255.255.255.0; + option routers 192.168.2.1; + allow unknown-clients; + host qmsf { + hardware ethernet 01:04:31:db:e1:c0; + fixed-address 192.168.1.20; + } + host hplj6f { + hardware ethernet 00:03:47:cf:83:e2; + fixed-address 192.168.2.30; + } + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +subnet 123.45.67.64 netmask 255.255.255.252 { + } +</pre></div></div><p><br class="example-break"> + </p></li><li><p> + <a class="indexterm" name="id335333"></a> + Create a file called <code class="filename">/etc/named.conf</code> that has the combined contents + of the <a href="secure.html#ch4namedcfg" title="Example 3.9. DNS Master Configuration File /etc/named.conf Master Section">???</a>, <a href="secure.html#ch4namedvarfwd" title="Example 3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section">???</a>, and + <a href="secure.html#ch4namedvarrev" title="Example 3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section">???</a> files that are concatenated (merged) in this + specific order. + </p></li><li><p> + Create the files shown in their respective directories as shown in <a href="secure.html#namedrscfiles" title="Table 3.2. DNS (named) Resource Files">DNS + (named) Resource Files</a>. + + </p><div class="table"><a name="namedrscfiles"></a><p class="title"><b>Table 3.2. DNS (named) Resource Files</b></p><div class="table-contents"><table summary="DNS (named) Resource Files" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Reference</th><th align="left">File Location</th></tr></thead><tbody><tr><td align="left"><a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a></td><td align="left">/var/lib/named/localhost.zone</td></tr><tr><td align="left"><a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a></td><td align="left">/var/lib/named/127.0.0.zone</td></tr><tr><td align="left"><a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a></td><td align="left">/var/lib/named/root.hint</td></tr><tr><td align="left"><a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a></td><td align="left">/var/lib/named/master/abmas.biz.hosts</td></tr><tr><td align="left"><a href="secure.html#abmasus" title="Example 3.15. DNS Abmas.us Forward Zone File">???</a></td><td align="left">/var/lib/named/abmas.us.hosts</td></tr><tr><td align="left"><a href="secure.html#eth1zone" title="Example 3.12. DNS 192.168.1 Reverse Zone File">???</a></td><td align="left">/var/lib/named/192.168.1.0.rev</td></tr><tr><td align="left"><a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a></td><td align="left">/var/lib/named/192.168.2.0.rev</td></tr></tbody></table></div></div><p><br class="table-break"> + +</p><div class="example"><a name="ch4namedcfg"></a><p class="title"><b>Example 3.9. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Master Section</b></p><div class="example-contents"><a class="indexterm" name="id335539"></a><pre class="screen"> +### +# Abmas Biz DNS Control File +### +# Date: November 15, 2003 +### +options { + directory "/var/lib/named"; + forwarders { + 123.45.12.23; + }; + forward first; + listen-on { + mynet; + }; + auth-nxdomain yes; + multiple-cnames yes; + notify no; +}; + +zone "." in { + type hint; + file "root.hint"; +}; + +zone "localhost" in { + type master; + file "localhost.zone"; +}; + +zone "0.0.127.in-addr.arpa" in { + type master; + file "127.0.0.zone"; +}; + +acl mynet { + 192.168.1.0/24; + 192.168.2.0/24; + 127.0.0.1; +}; + +acl seconddns { + 123.45.54.32; +}; + +</pre></div></div><p><br class="example-break"> + +</p><div class="example"><a name="ch4namedvarfwd"></a><p class="title"><b>Example 3.10. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Forward Lookup Definition Section</b></p><div class="example-contents"><pre class="screen"> +zone "abmas.biz" { + type master; + file "/var/lib/named/master/abmas.biz.hosts"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "abmas.us" { + type master; + file "/var/lib/named/master/abmas.us.hosts"; + allow-query { + any; + }; + allow-transfer { + seconddns; + }; +}; +</pre></div></div><p><br class="example-break"> + +</p><div class="example"><a name="ch4namedvarrev"></a><p class="title"><b>Example 3.11. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Reverse Lookup Definition Section</b></p><div class="example-contents"><pre class="screen"> +zone "1.168.192.in-addr.arpa" { + type master; + file "/var/lib/named/master/192.168.1.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "2.168.192.in-addr.arpa" { + type master; + file "/var/lib/named/master/192.168.2.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; +</pre></div></div><p><br class="example-break"> + +</p><div class="example"><a name="eth1zone"></a><p class="title"><b>Example 3.12. DNS 192.168.1 Reverse Zone File</b></p><div class="example-contents"><pre class="screen"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( + 2003021825 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS sleeth1.abmas.biz. +$ORIGIN 1.168.192.in-addr.arpa. +1 PTR sleeth1.abmas.biz. +20 PTR qmsa.abmas.biz. +30 PTR hplj6a.abmas.biz. +</pre></div></div><p><br class="example-break"> + +</p><div class="example"><a name="eth2zone"></a><p class="title"><b>Example 3.13. DNS 192.168.2 Reverse Zone File</b></p><div class="example-contents"><pre class="screen"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( + 2003021825 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS sleeth2.abmas.biz. +$ORIGIN 2.168.192.in-addr.arpa. +1 PTR sleeth2.abmas.biz. +20 PTR qmsf.abmas.biz. +30 PTR hplj6f.abmas.biz. +</pre></div></div><p><br class="example-break"> + +</p><div class="example"><a name="abmasbiz"></a><p class="title"><b>Example 3.14. DNS Abmas.biz Forward Zone File</b></p><div class="example-contents"><pre class="screen"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS dns.abmas.biz. + MX 10 mail.abmas.biz. +$ORIGIN abmas.biz. +sleeth1 A 192.168.1.1 +sleeth2 A 192.168.2.1 +qmsa A 192.168.1.20 +hplj6a A 192.168.1.30 +qmsf A 192.168.2.20 +hplj6f A 192.168.2.30 +dns CNAME sleeth1 +diamond CNAME sleeth1 +mail CNAME sleeth1 +</pre></div></div><p><br class="example-break"> + +</p><div class="example"><a name="abmasus"></a><p class="title"><b>Example 3.15. DNS Abmas.us Forward Zone File</b></p><div class="example-contents"><pre class="screen"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.us IN SOA server.abmas.us. root.abmas.us. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS dns.abmas.us. + NS dns2.abmas.us. + MX 10 mail.abmas.us. +$ORIGIN abmas.us. +server A 123.45.67.66 +dns2 A 123.45.54.32 +gw A 123.45.67.65 +www CNAME server +mail CNAME server +dns CNAME server +</pre></div></div><p><br class="example-break"> + + </p></li><li><p> + <a class="indexterm" name="id335702"></a><a class="indexterm" name="id335708"></a> + All DNS name resolution should be handled locally. To ensure that the server is configured + correctly to handle this, edit <code class="filename">/etc/resolv.conf</code> to have the following + content: +</p><pre class="screen"> +search abmas.us abmas.biz +nameserver 127.0.0.1 +nameserver 123.45.54.23 +</pre><p> + <a class="indexterm" name="id335731"></a> + This instructs the name resolver function (when configured correctly) to ask the DNS server + that is running locally to resolve names to addresses. In the event that the local name server + is not available, ask the name server provided by the ISP. The latter, of course, does not resolve + purely local names to IP addresses. + </p></li><li><p> + <a class="indexterm" name="id335749"></a> + The final step is to edit the <code class="filename">/etc/nsswitch.conf</code> file. + This file controls the operation of the various resolver libraries that are part of the Linux + Glibc libraries. Edit this file so that it contains the following entries: +</p><pre class="screen"> +hosts: files dns wins +</pre><p> + </p></li></ol></div><p> + The basic DHCP and DNS services are now ready for validation testing. Before you can proceed, + there are a few more steps along the road. First, configure the print spooling and print + processing system. Then you can configure the server so that all services + start automatically on reboot. You must also manually start all services prior to validation testing. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4ptrcfg"></a>Printer Configuration</h3></div></div></div><p> + Network administrators who are new to CUPS based-printing typically experience some difficulty mastering + its powerful features. The steps outlined in this section are designed to navigate around the distractions + of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a + transparent print queue that performs no filtering, and only minimal handling of each print job that is + submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that + the correct printer driver must be installed on all clients. + </p><div class="procedure"><a name="id335796"></a><p class="title"><b>Procedure 3.4. Printer Configuration Steps</b></p><ol type="1"><li><p> + Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines. + </p></li><li><p> + Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. + Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the + port as necessary in the following example commands. + This allows the CUPS spooler to print using raw mode protocols. + <a class="indexterm" name="id335818"></a> + <a class="indexterm" name="id335825"></a> + </p></li><li><p> + <a class="indexterm" name="id335838"></a><a class="indexterm" name="id335846"></a> + Configure the CUPS Print Queues as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E +<code class="prompt">root# </code> lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E +<code class="prompt">root# </code> lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E +<code class="prompt">root# </code> lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E +</pre><p> + <a class="indexterm" name="id335887"></a> + This creates the necessary print queues with no assigned print filter. + </p></li><li><p><a class="indexterm" name="id335900"></a> + Print queues may not be enabled at creation. Use <code class="literal">lpc stat</code> to check + the status of the print queues and, if necessary, make certain that the queues you have + just created are enabled by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/enable qmsa +<code class="prompt">root# </code> /usr/bin/enable hplj6a +<code class="prompt">root# </code> /usr/bin/enable qmsf +<code class="prompt">root# </code> /usr/bin/enable hplj6f +</pre><p> + </p></li><li><p><a class="indexterm" name="id335952"></a> + Even though your print queues may be enabled, it is still possible that they + are not accepting print jobs. A print queue services incoming printing + requests only when configured to do so. Ensure that your print queues are + set to accept incoming jobs by executing the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/sbin/accept qmsa +<code class="prompt">root# </code> /usr/sbin/accept hplj6a +<code class="prompt">root# </code> /usr/sbin/accept qmsf +<code class="prompt">root# </code> /usr/sbin/accept hplj6f +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id336000"></a> + <a class="indexterm" name="id336006"></a> + <a class="indexterm" name="id336013"></a> + Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id336039"></a> + Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream +</pre><p> + </p></li><li><p> + Printing drivers are installed on each network client workstation. + </p></li></ol></div><p> + Note: If the parameter <em class="parameter"><code>cups options = Raw</code></em> is specified in the <code class="filename">smb.conf</code> file, + the last two steps can be omitted with CUPS version 1.1.18, or later. + </p><p> + The UNIX system print queues have been configured and are ready for validation testing. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="procstart"></a>Process Startup Configuration</h3></div></div></div><p> + <a class="indexterm" name="id336101"></a> + There are two essential steps to process startup configuration. First, the process + must be configured so that it automatically restarts each time the server + is rebooted. This step involves use of the <code class="literal">chkconfig</code> tool that + creates the appropriate symbolic links from the master daemon control file that is + located in the <code class="filename">/etc/rc.d</code> directory, to the <code class="filename">/etc/rc'x'.d</code> + directories. Links are created so that when the system run level is changed, the + necessary start or kill script is run. + </p><p> + <a class="indexterm" name="id336132"></a> + <a class="indexterm" name="id336139"></a> + <a class="indexterm" name="id336146"></a> + <a class="indexterm" name="id336153"></a> + <a class="indexterm" name="id336159"></a> + In the event that a service is not run as a daemon, but via the internetworking + super daemon (<code class="literal">inetd</code> or <code class="literal">xinetd</code>), then the <code class="literal">chkconfig</code> + tool makes the necessary entries in the <code class="filename">/etc/xinetd.d</code> directory + and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to + re-read its control files. + </p><p> + Last, each service must be started to permit system validation to proceed. + </p><div class="procedure"><ol type="1"><li><p> + Use the standard system tool to configure each service to restart + automatically at every system reboot. For example, + <a class="indexterm" name="id336206"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig dhpcd on +<code class="prompt">root# </code> chkconfig named on +<code class="prompt">root# </code> chkconfig cups on +<code class="prompt">root# </code> chkconfig smb on +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id336249"></a> + <a class="indexterm" name="id336256"></a> + <a class="indexterm" name="id336263"></a> + Now start each service to permit the system to be validated. + Execute each of the following in the sequence shown: + +</p><pre class="screen"> +<code class="prompt">root# </code> /etc/rc.d/init.d/dhcpd restart +<code class="prompt">root# </code> /etc/rc.d/init.d/named restart +<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart +<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart +</pre><p> + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4valid"></a>Validation</h3></div></div></div><p> + <a class="indexterm" name="id336315"></a> + Complex networking problems are most often caused by simple things that are poorly or incorrectly + configured. The validation process adopted here should be followed carefully; it is the result of the + experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should + refrain from taking shortcuts, from making basic assumptions, and from not exercising due process + and diligence in network validation. By thoroughly testing and validating every step in the process + of network installation and configuration, you can save yourself from sleepless nights and restless + days. A well debugged network is a foundation for happy network users and network administrators. + Later in this book you learn how to make users happier. For now, it is enough to learn to + validate. Let's get on with it. + </p><div class="procedure"><a name="id336330"></a><p class="title"><b>Procedure 3.5. Server Validation Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id336341"></a> + One of the most important facets of Samba configuration is to ensure that + name resolution functions correctly. You can check name resolution + with a few simple tests. The most basic name resolution is provided from the + <code class="filename">/etc/hosts</code> file. To test its operation, make a + temporary edit to the <code class="filename">/etc/nsswitch.conf</code> file. Using + your favorite editor, change the entry for <code class="constant">hosts</code> to read: +</p><pre class="screen"> +hosts: files +</pre><p> + When you have saved this file, execute the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> ping diamond +PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. +64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms + +--- sleeth1.abmas.biz ping statistics --- +4 packets transmitted, 4 received, 0% packet loss, time 3016ms +rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms +</pre><p> + This proves that name resolution via the <code class="filename">/etc/hosts</code> file + is working. + </p></li><li><p> + <a class="indexterm" name="id336406"></a> + So far, your installation is going particularly well. In this step we validate + DNS server and name resolution operation. Using your favorite UNIX system editor, + change the <code class="filename">/etc/nsswitch.conf</code> file so that the + <code class="constant">hosts</code> entry reads: +</p><pre class="screen"> +hosts: dns +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id336436"></a> + Before you test DNS operation, it is a good idea to verify that the DNS server + is running by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> ps ax | grep named + 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log + 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 2552 pts/2 S 0:00 grep named +</pre><p> + This means that we are ready to check DNS operation. Do so by executing: + <a class="indexterm" name="id336460"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> ping diamond +PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. +64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms + +--- sleeth1.abmas.biz ping statistics --- +2 packets transmitted, 2 received, 0% packet loss, time 999ms +rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms +</pre><p> + You should take a few more steps to validate DNS server operation, as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> host -f diamond.abmas.biz +sleeth1.abmas.biz has address 192.168.1.1 +</pre><p> + <a class="indexterm" name="id336494"></a> + You may now remove the entry called <code class="constant">diamond</code> from the + <code class="filename">/etc/hosts</code> file. It does not hurt to leave it there, + but its removal reduces the number of administrative steps for this name. + </p></li><li><p> + <a class="indexterm" name="id336519"></a> + WINS is a great way to resolve NetBIOS names to their IP address. You can test + the operation of WINS by starting <code class="literal">nmbd</code> (manually or by way + of the Samba startup method shown in <a href="secure.html#procstart" title="Process Startup Configuration">???</a>). You must edit + the <code class="filename">/etc/nsswitch.conf</code> file so that the <code class="constant">hosts</code> + entry is as follows: +</p><pre class="screen"> +hosts: wins +</pre><p> + The next step is to make certain that Samba is running using <code class="literal">ps ax | grep mbd</code>. + The <code class="literal">nmbd</code> daemon will provide the WINS name resolution service when the + <code class="filename">smb.conf</code> file <em class="parameter"><code></code></em> parameter <a class="indexterm" name="id336579"></a>wins support = Yes has been specified. Having validated that Samba is operational, + excute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> ping diamond +PING diamond (192.168.1.1) 56(84) bytes of data. +64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms +64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms +</pre><p> + <a class="indexterm" name="id336600"></a> + Now that you can relax with the knowledge that all three major forms of name + resolution to IP address resolution are working, edit the <code class="filename">/etc/nsswitch.conf</code> + again. This time you add all three forms of name resolution to this file. + Your edited entry for <code class="constant">hosts</code> should now look like this: +</p><pre class="screen"> +hosts: files dns wins +</pre><p> + The system is looking good. Let's move on. + </p></li><li><p> + It would give you peace of mind to know that the DHCP server is running + and available for service. You can validate DHCP services by running: + +</p><pre class="screen"> +<code class="prompt">root# </code> ps ax | grep dhcp + 2618 ? S 0:00 /usr/sbin/dhcpd ... + 8180 pts/2 S 0:00 grep dhcp +</pre><p> + This shows that the server is running. The proof of whether or not it is working + comes when you try to add the first DHCP client to the network. + </p></li><li><p> + <a class="indexterm" name="id336653"></a> + This is a good point at which to start validating Samba operation. You are + content that name resolution is working for basic TCP/IP needs. Let's move on. + If your <code class="filename">smb.conf</code> file has bogus options or parameters, this may cause Samba + to refuse to start. The first step should always be to validate the contents + of this file by running: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s +Load smb config files from smb.conf +Processing section "[homes]" +Processing section "[printers]" +Processing section "[netlogon]" +Processing section "[profiles]" +Processing section "[accounts]" +Processing section "[service]" +Processing section "[apps]" +Loaded services file OK. +# Global parameters +[global] + workgroup = PROMISES + netbios name = DIAMOND + interfaces = eth1, eth2, lo + bind interfaces only = Yes + passdb backend = tdbsam + pam password change = Yes + passwd program = /usr/bin/passwd '%u' + passwd chat = *New*Password* %n\n \ + *Re-enter*new*password* %n\n *Password*changed* + username map = /etc/samba/smbusers + unix password sync = Yes + log level = 1 + syslog = 0 + log file = /var/log/samba/%m + max log size = 50 + smb ports = 139 + name resolve order = wins bcast hosts + time server = Yes + printcap name = CUPS + show add printer wizard = No + add user script = /usr/sbin/useradd -m '%u' + delete user script = /usr/sbin/userdel -r '%u' + add group script = /usr/sbin/groupadd '%g' + delete group script = /usr/sbin/groupdel '%g' + add user to group script = /usr/sbin/usermod -G '%g' '%u' + add machine script = /usr/sbin/useradd \ + -s /bin/false -d /dev/null '%u' + shutdown script = /var/lib/samba/scripts/shutdown.sh + abort shutdown script = /sbin/shutdown -c + logon script = scripts\logon.bat + logon path = \\%L\profiles\%U + logon drive = X: + logon home = \\%L\%U + domain logons = Yes + preferred master = Yes + wins support = Yes + utmp = Yes + winbind use default domain = Yes + map acl inherit = Yes + cups options = Raw + veto files = /*.eml/*.nws/*.{*}/ + veto oplock files = /*.doc/*.xls/*.mdb/ + +[homes] + comment = Home Directories + valid users = %S + read only = No + browseable = No +... +### Remainder cut to save space ### +</pre><p> + Clear away all errors before proceeding. + </p></li><li><p> + <a class="indexterm" name="id336703"></a> + <a class="indexterm" name="id336710"></a> + <a class="indexterm" name="id336716"></a> + <a class="indexterm" name="id336723"></a> + Check that the Samba server is running: +</p><pre class="screen"> +<code class="prompt">root# </code> ps ax | grep mbd +14244 ? S 0:00 /usr/sbin/nmbd -D +14245 ? S 0:00 /usr/sbin/nmbd -D +14290 ? S 0:00 /usr/sbin/smbd -D + +$rootprompt; ps ax | grep winbind +14293 ? S 0:00 /usr/sbin/winbindd -B +14295 ? S 0:00 /usr/sbin/winbindd -B +</pre><p> + The <code class="literal">winbindd</code> daemon is running in split mode (normal), so there are also + two instances<sup>[<a name="id336751" href="#ftn.id336751">7</a>]</sup> of it. + </p></li><li><p> + <a class="indexterm" name="id336779"></a> + <a class="indexterm" name="id336786"></a> + Check that an anonymous connection can be made to the Samba server: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L localhost -U% + + Sharename Type Comment + --------- ---- ------- + IPC$ IPC IPC Service (Samba 3.0.20) + netlogon Disk Network Logon Service + profiles Disk Profile Share + accounts Disk Accounting Files + service Disk Financial Services Files + apps Disk Application Files + ADMIN$ IPC IPC Service (Samba 3.0.20) + hplj6a Printer hplj6a + hplj6f Printer hplj6f + qmsa Printer qmsa + qmsf Printer qmsf + + Server Comment + --------- ------- + DIAMOND Samba 3.0.20 + + Workgroup Master + --------- ------- + PROMISES DIAMOND +</pre><p> + This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent + of browsing the server from a Windows client to obtain a list of shares on the server. + The <code class="constant">-U%</code> argument means to send a <code class="constant">NULL</code> username and + a <code class="constant">NULL</code> password. + </p></li><li><p> + <a class="indexterm" name="id336834"></a> + <a class="indexterm" name="id336841"></a> + <a class="indexterm" name="id336848"></a> + Verify that each printer has the IP address assigned in the DHCP server configuration file. + The easiest way to do this is to ping the printer name. Immediately after the ping response + has been received, execute <code class="literal">arp -a</code> to find the MAC address of the printer + that has responded. Now you can compare the IP address and the MAC address of the printer + with the configuration information in the <code class="filename">/etc/dhcpd.conf</code> file. They + should, of course, match. For example, +</p><pre class="screen"> +<code class="prompt">root# </code> ping hplj6 +PING hplj6a (192.168.1.30) 56(84) bytes of data. +64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms + +<code class="prompt">root# </code> arp -a +hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0 +</pre><p> + <a class="indexterm" name="id336889"></a> + The MAC address <code class="constant">00:03:47:CB:81:E0</code> matches that specified for the + IP address from which the printer has responded and with the entry for it in the + <code class="filename">/etc/dhcpd.conf</code> file. Repeat this for each printer configured. + </p></li><li><p> + <a class="indexterm" name="id336915"></a> + Make an authenticated connection to the server using the <code class="literal">smbclient</code> tool: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient //diamond/accounts -U gholmes +Password: XXXXXXX +smb: \> dir + . D 0 Thu Nov 27 15:07:09 2003 + .. D 0 Sat Nov 15 17:40:50 2003 + zakadmin.exe 161424 Thu Nov 27 15:06:52 2003 + zak.exe 6066384 Thu Nov 27 15:06:52 2003 + dhcpd.conf 1256 Thu Nov 27 15:06:52 2003 + smb.conf 2131 Thu Nov 27 15:06:52 2003 + initGrps.sh A 1089 Thu Nov 27 15:06:52 2003 + POLICY.EXE 86542 Thu Nov 27 15:06:52 2003 + + 55974 blocks of size 65536. 33968 blocks available +smb: \> q +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id336959"></a> + Your new server is connected to an Internet-accessible connection. Before you start + your firewall, you should run a port scanner against your system. You should repeat that + after the firewall has been started. This helps you understand to what extent the + server may be vulnerable to external attack. One way you can do this is by using an + external service, such as the <a href="http://www.dslreports.com/scan" target="_top">DSL Reports</a> + tools. Alternately, if you can gain root-level access to a remote + UNIX/Linux system that has the <code class="literal">nmap</code> tool, you can run the following: +</p><pre class="screen"> +<code class="prompt">root# </code> nmap -v -sT server.abmas.us + +Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) +Host server.abmas.us (123.45.67.66) appears to be up ... good. +Initiating Connect() Scan against server.abmas.us (123.45.67.66) +Adding open port 6000/tcp +Adding open port 873/tcp +Adding open port 445/tcp +Adding open port 10000/tcp +Adding open port 901/tcp +Adding open port 631/tcp +Adding open port 25/tcp +Adding open port 111/tcp +Adding open port 32770/tcp +Adding open port 3128/tcp +Adding open port 53/tcp +Adding open port 80/tcp +Adding open port 443/tcp +Adding open port 139/tcp +Adding open port 22/tcp +The Connect() Scan took 0 seconds to scan 1601 ports. +Interesting ports on server.abmas.us (123.45.67.66): +(The 1587 ports scanned but not shown below are in state: closed) +Port State Service +22/tcp open ssh +25/tcp open smtp +53/tcp open domain +80/tcp open http +111/tcp open sunrpc +139/tcp open netbios-ssn +443/tcp open https +445/tcp open microsoft-ds +631/tcp open ipp +873/tcp open rsync +901/tcp open samba-swat +3128/tcp open squid-http +6000/tcp open X11 +10000/tcp open snet-sensor-mgmt +32770/tcp open sometimes-rpc3 + +Nmap run completed -- 1 IP address (1 host up) scanned in 1 second +</pre><p> + The above scan was run before the external interface was locked down with the NAT-firewall + script you created above. The following results are obtained after the firewall rules + have been put into place: +</p><pre class="screen"> +<code class="prompt">root# </code> nmap -v -sT server.abmas.us + +Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) +Host server.abmas.us (123.45.67.66) appears to be up ... good. +Initiating Connect() Scan against server.abmas.us (123.45.67.66) +Adding open port 53/tcp +Adding open port 22/tcp +The Connect() Scan took 168 seconds to scan 1601 ports. +Interesting ports on server.abmas.us (123.45.67.66): +(The 1593 ports scanned but not shown below are in state: filtered) +Port State Service +22/tcp open ssh +25/tcp closed smtp +53/tcp open domain +80/tcp closed http +443/tcp closed https + +Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds +</pre><p> + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4appscfg"></a>Application Share Configuration</h3></div></div></div><p> + <a class="indexterm" name="id337044"></a> + <a class="indexterm" name="id337051"></a> + The use of an application server is a key mechanism by which desktop administration overheads + can be reduced. Check the application manual for your software to identify how best to + create an administrative installation. + </p><p> + Some Windows software will only run locally on the desktop computer. Such software + is typically not suited for administrative installation. Administratively installed software + permits one or more of the following installation choices: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Install software fully onto a workstation, storing data files on the same workstation. + </p></li><li><p> + Install software fully onto a workstation with central network data file storage. + </p></li><li><p> + Install software to run off a central application server with data files stored + on the local workstation. This is often called a minimum installation, or a + network client installation. + </p></li><li><p> + Install software to run off a central application server with data files stored + on a central network share. This type of installation often prevents storage + of work files on the local workstation. + </p></li></ul></div><p> + <a class="indexterm" name="id337094"></a> + A common application deployed in this environment is an office suite. + Enterprise editions of Microsoft Office XP Professional can be administratively installed + by launching the installation from a command shell. The command that achieves this is + <code class="literal">setup /a</code>. It results in a set of prompts through which various + installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource + Kit for more information regarding this mode of installation of MS Office XP Professional. + The full administrative installation of MS Office XP Professional requires approximately + 650 MB of disk space. + </p><p> + When the MS Office XP Professional product has been installed to the administrative network + share, the product can be installed onto a workstation by executing the normal setup program. + The installation process now provides a choice to either perform a minimum installation + or a full local installation. A full local installation takes over 100 MB of disk space. + A network workstation (minimum) installation requires typically 10 MB to 15 MB of + local disk space. In the latter case, when the applications are used, they load over the network. + </p><p> + <a class="indexterm" name="id337121"></a> + <a class="indexterm" name="id337128"></a> + Microsoft Office Service Packs can be unpacked to update an administrative share. This makes + it possible to update MS Office XP Professional for all users from a single installation + of the service pack and generally circumvents the need to run updates on each network + Windows client. + </p><p> + The default location for MS Office XP Professional data files can be set through registry + editing or by way of configuration options inside each Office XP Professional application. + </p><p> + <a class="indexterm" name="id337146"></a> + OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also + be installed to run off a network share. The latter is a most desirable solution for office-bound + network users and for administrative staff alike. It permits quick and easy updates + to be rolled out to all users with a minimum of disruption and with maximum flexibility. + </p><p> + The process for installation of administrative shared OpenOffice involves download of the + distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area. + When fully extracted using the unzipping tool of your choosing, change into the Windows + installation files directory then execute <code class="literal">setup -net</code>. You are + prompted on screen for the target installation location. This is the administrative + share point. The full administrative OpenOffice share takes approximately 150 MB of disk + space. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337170"></a>Comments Regarding Software Terms of Use</h4></div></div></div><p> + Many single-user products can be installed into an administrative share, but + personal versions of products such as Microsoft Office XP Professional do not permit this. + Many people do not like terms of use typical with commercial products, so a few comments + regarding software licensing seem important. + </p><p> + Please do not use an administrative installation of proprietary and commercially licensed + software products to violate the copyright holders' property. All software is licensed, + particularly software that is licensed for use free of charge. All software is the property + of the copyright holder unless the author and/or copyright holder has explicitly disavowed + ownership and has placed the software into the public domain. + </p><p> + Software that is under the GNU General Public License, like proprietary software, is + licensed in a way that restricts use. For example, if you modify GPL software and then + distribute the binary version of your modifications, you must offer to provide the source + code as well. This restriction is designed to maintain the momentum + of the diffusion of technology and to protect against the withholding of innovations. + </p><p> + Commercial and proprietary software generally restrict use to those who have paid the + license fees and who comply with the licensee's terms of use. Software that is released + under the GNU General Public License is restricted to particular terms and conditions + also. Whatever the licensing terms may be, if you do not approve of the terms of use, + please do not use the software. + </p><p> + <a class="indexterm" name="id337205"></a> + Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided + with the source code. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4wincfg"></a>Windows Client Configuration</h3></div></div></div><p> + Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs + to reinstall many of the notebook computers that will be recycled for use with the new network + configuration. The smartest way to handle the challenge of the roll-out program is to build + a staged system for each type of target machine, and then use an image replication tool such as Norton + Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can + be done with notebook computers as long as they are identical or sufficiently similar. + </p><div class="procedure"><a name="sbewinclntprep"></a><p class="title"><b>Procedure 3.6. Windows Client Configuration Procedure</b></p><ol type="1"><li><p> + <a class="indexterm" name="id337248"></a> + <a class="indexterm" name="id337255"></a> + Install MS Windows XP Professional. During installation, configure the client to use DHCP for + TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server + address that has been defined for the local subnet. + </p></li><li><p> + Join the Windows Domain <code class="constant">PROMISES</code>. Use the Domain Administrator + username <code class="constant">root</code> and the SMB password you assigned to this account. + A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to + a Windows Domain is given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. + Reboot the machine as prompted and then log on using the Domain Administrator account + (<code class="constant">root</code>). + </p></li><li><p> + Verify <code class="constant">DIAMOND</code> is visible in <span class="guimenu">My Network Places</span>, + that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>, + <span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>, and that it is + possible to open each share to reveal its contents. + </p></li><li><p> + Create a drive mapping to the <code class="constant">apps</code> share on the server <code class="constant">DIAMOND</code>. + </p></li><li><p> + Perform an administrative installation of each application to be used. Select the options + that you wish to use. Of course, you can choose to run applications over the network, correct? + </p></li><li><p> + Now install all applications to be installed locally. Typical tools include Adobe Acrobat, + NTP-based time synchronization software, drivers for specific local devices such as fingerprint + scanners, and the like. Probably the most significant application for local installation + is antivirus software. + </p></li><li><p> + Now install all four printers onto the staging system. The printers you install + include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will + also configure identical printers that are located in the financial services department. + Install printers on each machine following the steps shown in the Windows client printer + preparation procedure below. + </p></li><li><p> + <a class="indexterm" name="id337379"></a> + When you are satisfied that the staging systems are complete, use the appropriate procedure to + remove the client from the domain. Reboot the system and then log on as the local administrator + and clean out all temporary files stored on the system. Before shutting down, use the disk + defragmentation tool so that the file system is in optimal condition before replication. + </p></li><li><p> + Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the + machine to a network share on the server. + </p></li><li><p> + <a class="indexterm" name="id337404"></a> + <a class="indexterm" name="id337413"></a> + You may now replicate the image to the target machines using the appropriate Norton Ghost + procedure. Make sure to use the procedure that ensures each machine has a unique + Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. + </p></li><li><p> + Log on to the machine as the local Administrator (the only option), and join the machine to + the Domain, following the procedure set out in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. The system is now + ready for the user to log on, provided you have created a network logon account for that + user, of course. + </p></li><li><p> + Instruct all users to log on to the workstation using their assigned username and password. + </p></li></ol></div><div class="procedure"><a name="sbewinclntptrprep"></a><p class="title"><b>Procedure 3.7. Windows Client Printer Preparation Procedure</b></p><ol type="1"><li><p> + Click <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>. + Ensure that <span class="guimenuitem">Local printer</span> is selected. + </p></li><li><p> + Click <span class="guibutton">Next</span>. In the + <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>. + In the <span class="guimenuitem">Printers:</span> panel, select the printer called + <code class="constant">HP LaserJet 6</code>. Click <span class="guibutton">Next</span>. + </p></li><li><p> + In the <span class="guimenuitem">Available ports:</span> panel, select + <code class="constant">FILE:</code>. Accept the default printer name by clicking + <span class="guibutton">Next</span>. When asked, “<span class="quote">Would you like to print a + test page?,</span>” click <span class="guimenuitem">No</span>. Click + <span class="guibutton">Finish</span>. + </p></li><li><p> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span> → <span class="guimenuitem">Properties</span> → <span class="guisubmenu">Details (Tab)</span> → <span class="guimenuitem">Add Port</span>. + </p></li><li><p> + In the <span class="guimenuitem">Network</span> panel, enter the name of + the print queue on the Samba server as follows: <code class="constant">\\DIAMOND\hplj6a</code>. + Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation. + </p></li><li><p> + Repeat the printer installation steps above for both HP LaserJet 6 printers + as well as for both QMS Magicolor laser printers. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id337670"></a>Key Points Learned</h3></div></div></div><p> + How do you feel? You have built a capable network, a truly ambitious project. + Future network updates can be handled by + your staff. You must be a satisfied manager. Let's review the achievements. + </p><div class="itemizedlist"><ul type="disc"><li><p> + A simple firewall has been configured to protect the server in the event that + the ISP firewall service should fail. + </p></li><li><p> + The Samba configuration uses measures to ensure that only local network users + can connect to SMB/CIFS services. + </p></li><li><p> + Samba uses the new <code class="constant">tdbsam</code> passdb backend facility. + Considerable complexity was added to Samba functionality. + </p></li><li><p> + A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS + server. + </p></li><li><p> + The DNS server was configured to permit DDNS only for local network clients. This + server also provides primary DNS services for the company Internet presence. + </p></li><li><p> + You introduced an application server as well as the concept of cloning a Windows + client in order to effect improved standardization of desktops and to reduce + the costs of network management. + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id337723"></a>Questions and Answers</h2></div></div></div><p> + </p><div class="qandaset"><dl><dt>1. <a href="secure.html#id337739"> + What is the maximum number of account entries that the tdbsam + passdb backend can handle? + </a></dt><dt>2. <a href="secure.html#id337792"> + Would Samba operate any better if the OS level is set to a value higher than 35? + </a></dt><dt>3. <a href="secure.html#id337811"> + Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? + </a></dt><dt>4. <a href="secure.html#id337830"> + Why has a path been specified in the IPC$ share? + </a></dt><dt>5. <a href="secure.html#id337856"> + Why does the smb.conf file in this exercise include an entry for smb ports? + </a></dt><dt>6. <a href="secure.html#id337896"> + What is the difference between a print queue and a printer? + </a></dt><dt>7. <a href="secure.html#id337924"> + Can all MS Windows application software be installed onto an application server share? + </a></dt><dt>8. <a href="secure.html#id337945"> + Why use dynamic DNS (DDNS)? + </a></dt><dt>9. <a href="secure.html#id337963"> + Why would you use WINS as well as DNS-based name resolution? + </a></dt><dt>10. <a href="secure.html#id338033"> + What are the major benefits of using an application server? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id337739"></a><a name="id337741"></a><b>1.</b></td><td align="left" valign="top"><p> + What is the maximum number of account entries that the <em class="parameter"><code>tdbsam</code></em> + passdb backend can handle? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The tdb data structure and support system can handle more entries than the number of + accounts that are possible on most UNIX systems. A practical limit would come into + play long before a performance boundary would be anticipated. That practical limit + is controlled by the nature of Windows networking. There are few Windows file and + print servers that can handle more than a few hundred concurrent client connections. + The key limiting factors that predicate offloading of services to additional servers + are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations. + All of these are readily exhausted by just a few hundred concurrent active users. + Such bottlenecks can best be removed by segmentation of the network (distributing + network load across multiple networks). + </p><p> + As the network grows, it becomes necessary to provide additional authentication + servers (domain controllers). The tdbsam is limited to a single machine and cannot + be reliably replicated. This means that practical limits on network design dictate + the point at which a distributed passdb backend is required; at this time, there is + no real alternative other than ldapsam (LDAP). + </p><p> + The guideline provided in <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, Section 10.1.2, + is to limit the number of accounts in the tdbsam backend to 250. This is the point + at which most networks tend to want backup domain controllers (BDCs). Samba-3 does + not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The + limitation of 250 users per tdbsam is predicated only on the need for replication, + not on the limits<sup>[<a name="id337782" href="#ftn.id337782">8</a>]</sup> of the tdbsam backend itself. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337792"></a><a name="id337794"></a><b>2.</b></td><td align="left" valign="top"><p> + Would Samba operate any better if the OS level is set to a value higher than 35? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value + of 35 already assures Samba of precedence over MS Windows products in browser elections. There is + no gain to be had from setting this higher. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337811"></a><a name="id337813"></a><b>3.</b></td><td align="left" valign="top"><p> + Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at + a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special + Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337830"></a><a name="id337832"></a><b>4.</b></td><td align="left" valign="top"><p> + Why has a path been specified in the <em class="parameter"><code>IPC$</code></em> share? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + This is done so that in the event that a software bug may permit a client connection to the IPC$ share to + obtain access to the file system, it does so at a location that presents least risk. Under normal operation + this type of paranoid step should not be necessary. The use of this parameter should not be necessary. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337856"></a><a name="id337858"></a><b>5.</b></td><td align="left" valign="top"><p> + Why does the <code class="filename">smb.conf</code> file in this exercise include an entry for <a class="indexterm" name="id337869"></a>smb ports? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port + used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS + over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By + specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts. + The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain + member, the default behavior is highly beneficial and should not be changed. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337896"></a><a name="id337898"></a><b>6.</b></td><td align="left" valign="top"><p> + What is the difference between a print queue and a printer? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + A printer is a physical device that is connected either directly to the network or to a computer + via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a + hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a + single print data stream and block all secondary attempts to dispatch jobs concurrently to the + same device. If many clients were to concurrently print directly via TCP/IP to the same printer, + it would result in a huge amount of network traffic through continually failing connection attempts. + </p><p> + A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or + print requests. When the data stream has been fully received, the input stream is closed, + and the job is then submitted to a sequential print queue where the job is stored until + the printer is ready to receive the job. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337924"></a><a name="id337926"></a><b>7.</b></td><td align="left" valign="top"><p> + Can all MS Windows application software be installed onto an application server share? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Much older Windows software is not compatible with installation to and execution from + an application server. Enterprise versions of Microsoft Office XP Professional can + be installed to an application server. Retail consumer versions of Microsoft Office XP + Professional do not permit installation to an application server share and can be installed + and used only to/from a local workstation hard disk. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337945"></a><a name="id337947"></a><b>8.</b></td><td align="left" valign="top"><p> + Why use dynamic DNS (DDNS)? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + When DDNS records are updated directly from the DHCP server, it is possible for + network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate + Windows clients via DNS. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id337963"></a><a name="id337965"></a><b>9.</b></td><td align="left" valign="top"><p> + Why would you use WINS as well as DNS-based name resolution? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is + a name like “<span class="quote">myhost.mydomain.tld</span>” where <em class="parameter"><code>tld</code></em> + means <code class="constant">top-level domain</code>. A FQDN is a longhand but easy-to-remember + expression that may be up to 1024 characters in length and that represents an IP address. + A NetBIOS name is always 16 characters long. The 16<sup>th</sup> character + is a name type indicator. A specific name type is registered<sup>[<a name="id337996" href="#ftn.id337996">9</a>]</sup> for each + type of service that is provided by the Windows server or client and that may be registered + where a WINS server is in use. + </p><p> + WINS is a mechanism by which a client may locate the IP Address that corresponds to a + NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name + that includes a particular registered NetBIOS name type. DNS does not provide a mechanism + that permits handling of the NetBIOS name type information. + </p><p> + DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular + hostname or service name that has been registered in the DNS database for a particular domain. + A DNS server has limited scope of control and is said to be authoritative for the zone over + which it has control. + </p><p> + Windows 200x Active Directory requires the registration in the DNS zone for the domain it + controls of service locator<sup>[<a name="id338022" href="#ftn.id338022">10</a>]</sup> records + that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also + requires the registration of special records that are called global catalog (GC) entries + and site entries by which domain controllers and other essential ADS servers may be located. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id338033"></a><a name="id338035"></a><b>10.</b></td><td align="left" valign="top"><p> + What are the major benefits of using an application server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The use of an application server can significantly reduce application update maintenance. + By providing a centralized application share, software updates need be applied to only + one location for all major applications used. This results in faster update roll-outs and + significantly better application usage control. + </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id332857" href="#id332857">5</a>] </sup>See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 3. + This is necessary so that Samba can act as a Domain Controller (PDC); see + <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 4, for additional information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id333232" href="#id333232">6</a>] </sup>You may want to do the echo command last and include + "0" in the init scripts, since it opens up your network for a short time.</p></div><div class="footnote"><p><sup>[<a name="ftn.id336751" href="#id336751">7</a>] </sup>For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG2</em></span>, + Chapter 23, Section 23.3. The single instance of <code class="literal">smbd</code> is normal. One additional + <code class="literal">smbd</code> slave process is spawned for each SMB/CIFS client + connection.</p></div><div class="footnote"><p><sup>[<a name="ftn.id337782" href="#id337782">8</a>] </sup>Bench tests have shown that tdbsam is a very + effective database technology. There is surprisingly little performance loss even + with over 4000 users.</p></div><div class="footnote"><p><sup>[<a name="ftn.id337996" href="#id337996">9</a>] </sup> + See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, for more information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id338022" href="#id338022">10</a>] </sup>See TOSHARG2, Chapter 9, Section 9.3.3.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Small Office Networking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The 500-User Office</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/simple.html b/docs/htmldocs/Samba3-ByExample/simple.html new file mode 100644 index 0000000000..44446fb1b7 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/simple.html @@ -0,0 +1,861 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. No-Frills Samba Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="next" href="small.html" title="Chapter 2. Small Office Networking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. No-Frills Samba Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ExNetworks.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="small.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="simple"></a>Chapter 1. No-Frills Samba Servers</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="simple.html#id324059">Introduction</a></span></dt><dt><span class="sect1"><a href="simple.html#id324090">Assignment Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="simple.html#id324129">Drafting Office</a></span></dt><dt><span class="sect2"><a href="simple.html#id324836">Charity Administration Office</a></span></dt><dt><span class="sect2"><a href="simple.html#AccountingOffice">Accounting Office</a></span></dt></dl></dd><dt><span class="sect1"><a href="simple.html#id328349">Questions and Answers</a></span></dt></dl></div><p> + This is the start of the real journey toward the successful deployment of Samba. For some this chapter + is the end of the road because their needs will have been adequately met. For others, this chapter is + the beginning of a journey that will take them well past the contents of this book. This book provides + example configurations of, for the greater part, complete networking solutions. The intent of this book + is to help you to get your Samba installation working with the least amount of pain and aggravation. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id324059"></a>Introduction</h2></div></div></div><p> + This chapter lays the groundwork for understanding the basics of Samba operation. + Instead of a bland technical discussion, each principle is demonstrated by way of a + real-world scenario for which a working solution<sup>[<a name="id324068" href="#ftn.id324068">1</a>]</sup> is fully described. + </p><p> + The practical exercises take you on a journey through a drafting office, a charity administration + office, and an accounting office. You may choose to apply any or all of these exercises to your own environment. + </p><p> + Every assignment case can be implemented far more creatively, but remember that the solutions you + create are designed to demonstrate a particular solution possibility. With experience, you should + find much improved solutions compared with those presented here. By the time you complete this book, + you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your + way through the examples. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id324090"></a>Assignment Tasks</h2></div></div></div><p> + Each case presented highlights different aspects of Windows networking for which a simple + Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases. + The cases are briefly reviewed to cover important points. Instructions are based + on the assumption that the official Samba Team RPM package has been installed. + </p><p> + This chapter has three assignments built around fictitious companies: + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>A drafting office</p></li><li><p>A charity administration office</p></li><li><p>An accounting office</p></li></ul></div><p> + </p><p> + Let's get started. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id324129"></a>Drafting Office</h3></div></div></div><p> + Our fictitious company is called <span class="emphasis"><em>Abmas Design, Inc.</em></span> This is a three-person + computer-aided design (CAD) business that often has more work than can be handled. The + business owner hires contract draftspeople from wherever he can. They bring their own + notebook computers into the office. There are four permanent drafting machines. Abmas has a + collection of over 10 years of plans that must be available for all draftsmen to reference. + Abmas hires the services of an experienced network engineer to update the + plans that are stored on a central server one day per month. She knows how to upload + plans from each machine. The files available from the server must remain read-only. + Anyone should be able to access the plans at any time and without barriers or difficulty. + </p><p><a class="indexterm" name="id324149"></a> + <a class="indexterm" name="id324156"></a> + Mr. Bob Jordan has asked you to install the new server as economically as possible. The central + server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk + to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Fedora CoreX and + have upgraded Samba to version 3.0.20 using the RPM package that is provided from the Samba + <a href="http://www.samba.org" target="_top">FTP</a> sites. (Note: Fedora CoreX indicates your favorite + version.) + </p><p><a class="indexterm" name="id324178"></a> + The four permanent drafting machines (Microsoft Windows workstations) have attached printers + and plotters that are shared on a peer-to-peer basis by any and all network users. The intent + is to continue to share printers in this manner. The three permanent staff work together with + all contractors to store all new work on one PC. A daily copy is made of the work storage + area to another PC for safekeeping. When the network consultant arrives, the weekly work + area is copied to the central server and the files are removed from the main weekly storage + machine. The office works best with this arrangement and does not want to change anything. + Old habits are too ingrained. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324194"></a>Dissection and Discussion</h4></div></div></div><p> + <a class="indexterm" name="id324201"></a> + The requirements for this server installation demand simplicity. An anonymous read-only + file server adequately meets all needs. The network consultant determines how + to upload all files from the weekly storage area to the server. This installation should + focus only on critical aspects of the installation. + </p><p> + It is not necessary to have specific users on the server. The site has a method for storing + all design files (plans). Each plan is stored in a directory that is named YYYYWW,<sup>[<a name="id324218" href="#ftn.id324218">2</a>]</sup> where + YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored + by week of year to preserve the filing technique the site is familiar with. + There is also a customer directory that is alphabetically listed. At the top level are 26 + directories (A-Z), in each is a second-level of directory for the first plus second letters of the name + (A-Z); inside each is a directory by the customers' name. Inside each directory is a symbolic + link to each design drawing or plan. This way of storing customer data files permits all + plans to be located both by customer name and by the date the work was performed, without + demanding the disk space that would be needed if a duplicate file copy were to be stored. + The share containing the plans is called <span class="emphasis"><em>Plans</em></span>. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324238"></a>Implementation</h4></div></div></div><p> + It is assumed that the server is fully installed and ready for installation and + configuration of Samba 3.0.20 and any support files needed. All TCP/IP addresses + have been hard-coded. In our case the IP address of the Samba server is + <code class="constant">192.168.1.1</code> and the netmask is <code class="constant">255.255.255.0</code>. + The hostname of the server used is <code class="constant">server</code>. + </p><div class="procedure"><a name="id324261"></a><p class="title"><b>Procedure 1.1. Samba Server Configuration</b></p><ol type="1"><li><p> + Download the Samba-3 RPM packages for Red Hat Fedora Core2 from the Samba + <a href="http://www.samba.org" target="_top">FTP servers.</a> + </p></li><li><p> + <a class="indexterm" name="id324285"></a> + <a class="indexterm" name="id324294"></a> + Install the RPM package using either the Red Hat Linux preferred GUI + tool or the <code class="literal">rpm</code>: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm +</pre><p> + </p></li><li><p> + Create a mount point for the file system that will be used to store all data files. + You can create a directory called <code class="filename">/plans</code>: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /plans +<code class="prompt">root# </code> chmod 755 /plans +</pre><p> + The 755 permissions on this directory (mount point) permit the owner to read, write, + and execute, and the group and everyone else to read and execute only. + </p><p> + <a class="indexterm" name="id324354"></a> + Use Red Hat Linux system tools (refer to Red Hat instructions) + to format the 160GB hard drive with a suitable file system. An Ext3 file system + is suitable. Configure this drive to automatically mount using the <code class="filename">/plans</code> + directory as the mount point. + </p></li><li><p> + Install the <code class="filename">smb.conf</code> file shown in <a href="simple.html#draft-smbconf" title="Example 1.1. Drafting Office smb.conf File">???</a> in the + <code class="filename">/etc/samba</code> directory. + +</p><div class="example"><a name="draft-smbconf"></a><p class="title"><b>Example 1.1. Drafting Office <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global Parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id324430"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id324442"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[Plans]</code></em></td></tr><tr><td><a class="indexterm" name="id324464"></a><em class="parameter"><code>path = /plans</code></em></td></tr><tr><td><a class="indexterm" name="id324476"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324489"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><p><br class="example-break"> + </p></li><li><p> + <a class="indexterm" name="id324509"></a> + Verify that the <code class="filename">/etc/hosts</code> file contains the following entry: +</p><pre class="screen"> +192.168.1.1 server +</pre><p> + + </p></li><li><p> + <a class="indexterm" name="id324534"></a> + <a class="indexterm" name="id324543"></a> + <a class="indexterm" name="id324550"></a> + Use the standard system tool to start Samba and to configure it to restart + automatically at every system reboot. For example, +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart +</pre><p> + </p></li></ol></div><div class="procedure"><a name="id324578"></a><p class="title"><b>Procedure 1.2. Windows Client Configuration</b></p><ol type="1"><li><p> + Make certain that all clients are set to the same network address range as + used for the Samba server. For example, one client might have an IP + address 192.168.1.10. + </p></li><li><p> + <a class="indexterm" name="id324597"></a> + Ensure that the netmask used on the Windows clients matches that used + for the Samba server. All clients must have the same netmask, such as + 255.255.255.0. + </p></li><li><p> + <a class="indexterm" name="id324612"></a> + Set the workgroup name on all clients to <code class="constant">MIDEARTH</code>. + </p></li><li><p> + Verify on each client that the machine called <code class="constant">SERVER</code> + is visible in the <span class="guimenu">Network Neighborhood</span>, that it is + possible to connect to it and see the share <span class="guimenuitem">Plans</span>, + and that it is possible to open that share to reveal its contents. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="validate1"></a>Validation</h4></div></div></div><p> + <a class="indexterm" name="id324661"></a> + The first priority in validating the new Samba configuration should be to check + that Samba answers on the loop-back interface. Then it is time to check that Samba + answers its own name correctly. Last, check that a client can connect to the Samba + server. + </p><div class="procedure"><ol type="1"><li><p> + <a class="indexterm" name="id324679"></a> + <a class="indexterm" name="id324686"></a> + <a class="indexterm" name="id324693"></a> + To check the ability to access the <code class="literal">smbd</code> daemon + services, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L localhost -U% + Sharename Type Comment + --------- ---- ------- + Plans Disk + IPC$ IPC IPC Service (Samba 3.0.20) + ADMIN$ IPC IPC Service (Samba 3.0.20) + + Server Comment + --------- ------- + SERVER Samba 3.0.20 + + Workgroup Master + --------- -------- + MIDEARTH SERVER +</pre><p> + <a class="indexterm" name="id324721"></a> + <a class="indexterm" name="id324728"></a> + This indicates that Samba is able to respond on the loopback interface to + a NULL connection. The <em class="parameter"><code>-U%</code></em> means send an empty + username and an empty password. This command should be repeated after + Samba has been running for 15 minutes. + </p></li><li><p> + Now verify that Samba correctly handles being passed a username + and password, and that it answers its own name. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L server -Uroot%password +</pre><p> + The output should be identical to the previous response. Samba has been + configured to ignore all usernames given; instead it uses the + <em class="parameter"><code>guest account</code></em> for all connections. + </p></li><li><p> + <a class="indexterm" name="id324776"></a> + <a class="indexterm" name="id324783"></a> + From the Windows 9x/Me client, launch Windows Explorer: + <span class="guiicon">[Desktop: right-click] Network Neighborhood</span>+<span class="guimenu">Explore</span> → <span class="guimenuitem">[Left Panel] [+] Entire Network</span> → <span class="guimenuitem">[Left Panel] [+] Server</span> → <span class="guimenuitem">[Left Panel] [+] Plans</span>. In the right panel you should see the files and directories + (folders) that are in the <span class="guiicon">Plans</span> share. + </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id324836"></a>Charity Administration Office</h3></div></div></div><p> + The fictitious charity organization is called <span class="emphasis"><em>Abmas Vision NL</em></span>. This office + has five networked computers. Staff are all volunteers, staff changes are frequent. + Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to + use any PC. Only two Windows applications are used: a custom funds tracking and management package + that stores all files on the central server and Microsoft Word. The office prepares mail-out + letters, invitations, and thank-you notes. All files must be stored in perpetuity. + The custom funds tracking and management (FTM) software is configured to use a server named + <code class="constant">SERVER</code>, a share named <code class="constant">FTMFILES</code>, and a printer queue + named <code class="constant">PRINTQ</code> that uses preprinted stationery, thus demanding a + dedicated printer. This printer does not need to be mapped to a local printer on the workstations. + </p><p> + The FTM software has been in use since the days of Windows 3.11. The software was configured + by the vendor who has since gone out of business. The identities of the file + server and the printer are hard-coded in a configuration file that was created using a + setup tool that the vendor did not provide to Abmas Vision NL or to its predecessors. The + company that produced the software is no longer in business. In order to avoid risk of + any incompatibilities, the share name and the name of the target print queue must be set + precisely as the application expects. In fact, share names and print queue names + should be treated as case insensitive (i.e., case does not matter), but Abmas Vision advises + that if the share name is not in lowercase, the application claims it cannot find the + file share. + </p><p> + <a class="indexterm" name="id324884"></a> + <a class="indexterm" name="id324890"></a> + Printer handling in Samba results in a significant level of confusion. Samba presents to the + MS Windows client only a print queue. The Samba <code class="literal">smbd</code> process passes a + print job sent to it from the Windows client to the native UNIX printing system. The native + UNIX printing system (spooler) places the job in a print queue from which it is + delivered to the printer. In this book, network diagrams refer to a printer by the name + of the print queue that services that printer. It does not matter what the fully qualified + name (or the hostname) of a network-attached printer is. The UNIX print spooler is configured + to correctly deliver all jobs to the printer. + </p><p> + This organization has a policy forbidding use of privately owned computers on site as a measure + to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are + used on this network. + </p><p> + <a class="indexterm" name="id324917"></a> + The central server was donated by a local computer store. It is a dual processor Pentium-III + server, has 1GB RAM, a 3-Ware IDE RAID Controller that has four 200GB IDE hard drives, and a + 100-base-T network card. The office has 100-base-T permanent network connections that go to + a central hub, and all equipment is new. The five network computers all are equipped with Microsoft + Windows Me. Funding is limited, so the server has no operating system on it. You have approval + to install Samba on Linux, provided it works without problems. There are two HP LaserJet + 5 PS printers that are network connected. The second printer is to be used for general + office and letter printing. Your recommendation to allow only the Linux server to print directly + to the printers was accepted. You have supplied SUSE Enterprise Linux Server 9 and + have upgraded Samba to version 3.0.20. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324932"></a>Dissection and Discussion</h4></div></div></div><p> + <a class="indexterm" name="id324940"></a> + <a class="indexterm" name="id324947"></a> + <a class="indexterm" name="id324954"></a> + <a class="indexterm" name="id324960"></a> + This installation demands simplicity. Frequent turnover of volunteer staff indicates that + a network environment that requires users to logon might be problematic. It is suggested that the + best solution for this office would be one where the user can log onto any PC with any username + and password. Samba can accommodate an office like this by using the <em class="parameter"><code>force user</code></em> + parameter in share and printer definitions. Using the <em class="parameter"><code>force user</code></em> + parameter ensures that all files are owned by same user identifier (UID) and thus that there + will never be a problem with file access due to file access permissions. Additionally, you elect + to use the <em class="parameter"><code>nt acl support = No</code></em> option to ensure that + access control lists (Posix type) cannot be written to any file or directory. This prevents + an inadvertent ACL from overriding actual file permissions. + </p><p> + <a class="indexterm" name="id324998"></a> + <a class="indexterm" name="id325005"></a> + <a class="indexterm" name="id325012"></a> + This organization is a prime candidate for Share Mode security. The <em class="parameter"><code>force user</code></em> + allows all files to be owned by the same user and group. In addition, it would not hurt to + set SUID and set SGID shared directories. This means that all new files that are created, no matter + who creates it, are owned by the owner or group of the directory in which they are created. + For further information regarding the significance of the SUID/SGID settings, see <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#ch12-SUIDSGID" title="Effect of Setting File and Directory SUID/SGID Permissions Explained">???</a>. + </p><p> + <a class="indexterm" name="id325046"></a> + <a class="indexterm" name="id325053"></a> + <a class="indexterm" name="id325062"></a> + <a class="indexterm" name="id325069"></a> + All client workstations print to a print queue on the server. This ensures that print jobs + continue to print in the event that a user shuts down the workstation immediately after + sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing. + Older Linux systems offered a choice between the LPRng printing system or CUPS. It appears, however, + that CUPS has become the leading UNIX printing technology. + </p><p> + <a class="indexterm" name="id325083"></a> + The print queues are set up as <code class="constant">Raw</code> devices, which means that CUPS will + not do intelligent print processing, and vendor-supplied drivers must be installed locally on the + Windows clients. + </p><p> + The hypothetical software, FTM, is representative of + custom-built software that directly uses a NetBIOS interface. Most such software originated in + the days of MS/PC DOS. NetBIOS names are uppercase (and functionally are case insensitive), + so some old software applications would permit only uppercase names to be entered. + Some such applications were later ported to MS Windows but retain the uppercase network + resource naming conventions because customers are familiar with that. We made the decision + to name shares and print queues for this application in uppercase for the same reason. + Nothing would break if we were to use lowercase names, but that decision might create a need + to retrain staff something well avoided at this time. + </p><p> + NetBIOS networking does not print directly to a printer. Instead, all printing is done to a + print queue. The print spooling system is responsible for communicating with the physical + printer. In this example, therefore, the resource called <code class="constant">PRINTQ</code> + really is just a print queue. The name of the print queue is representative of + the device to which the print spooler delivers print jobs. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id325119"></a>Implementation</h4></div></div></div><p> + It is assumed that the server is fully installed and ready for configuration of + Samba 3.0.20 and for necessary support files. All TCP/IP addresses should be hard-coded. + In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is + 255.255.255.0. The hostname of the server used is <code class="constant">server</code>. + The office network is built as shown in <a href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">???</a>. + </p><div class="figure"><a name="charitynet"></a><p class="title"><b>Figure 1.1. Charity Administration Office Network</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/Charity-Network.png" width="432" alt="Charity Administration Office Network"></div></div></div><br class="figure-break"><div class="procedure"><a name="id325181"></a><p class="title"><b>Procedure 1.3. Samba Server Configuration</b></p><ol type="1"><li><p> + <a class="indexterm" name="id325192"></a> + Create a group account for office file storage: +</p><pre class="screen"> +<code class="prompt">root# </code> groupadd office +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id325218"></a> + <a class="indexterm" name="id325225"></a> + Create a user account for office file storage: +</p><pre class="screen"> +<code class="prompt">root# </code> useradd -m abmas +<code class="prompt">root# </code> passwd abmas +Changing password for abmas. +New password: XXXXXXXX +Re-enter new password: XXXXXXXX +Password changed +</pre><p> + where XXXXXXXX is a secret password. + </p></li><li><p> + Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB + drives as a single RAID level 5 drive, with one drive set aside as the hot spare. + (Refer to the 3-Ware RAID Controller Manual for the manufacturer's preferred procedure.) + The resulting drive has a capacity of approximately 500GB of usable space. + </p></li><li><p> + <a class="indexterm" name="id325267"></a> + Create a mount point for the file system that can be used to store all data files. + Create a directory called <code class="filename">/data</code>: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /data +<code class="prompt">root# </code> chmod 755 /data +</pre><p> + The 755 permissions on this directory (mount point) permit the owner to read, write, and execute, + and the group and everyone else to read and execute only. + </p></li><li><p> + Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct + procedures) to format the partition with a suitable file system. The reiserfs file system + is suitable. Configure this drive to automount using the <code class="filename">/data</code> + directory as the mount point. It must be mounted before proceeding. + </p></li><li><p> + Under the directory called <code class="filename">/data</code>, create two directories + named <code class="filename">ftmfiles</code> and <code class="filename">officefiles</code>, and set + ownership and permissions: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}} +<code class="prompt">root# </code> chown -R abmas:office /data +<code class="prompt">root# </code> chmod -R ug+rwxs,o-w,o+rx /data +</pre><p> + These demonstrate compound operations. The <code class="literal">mkdir</code> command + creates in one step these directories: +</p><pre class="programlisting"> +/data/fmtfiles +/data/officefiles +/data/officefiles/letters +/data/officefiles/invitations +/data/officefiles/misc +</pre><p> + <a class="indexterm" name="id325378"></a> + The <code class="literal">chown</code> operation sets the owner to the user <code class="constant">abmas</code> + and the group to <code class="constant">office</code> on all directories just created. It recursively + sets the permissions so that the owner and group have SUID/SGID with read, write, and execute + permission, and everyone else has read and execute permission. This means that all files and + directories are created with the same owner and group as the directory in which they are + created. Any new directories created still have the same owner, group, and permissions as the + directory they are in. This should eliminate all permissions-based file access problems. For + more information on this subject, refer to TOSHARG2<sup>[<a name="id325403" href="#ftn.id325403">3</a>]</sup> or refer + to the UNIX man page for the <code class="literal">chmod</code> and the <code class="literal">chown</code> commands. + </p></li><li><p> + Install the <code class="filename">smb.conf</code> file shown in <a href="simple.html#charity-smbconfnew" title="Example 1.2. Charity Administration Office smb.conf New-style File">???</a> in the + <code class="filename">/etc/samba</code> directory. This newer <code class="filename">smb.conf</code> file uses user-mode security + and is more suited to the mode of operation of Samba-3 than the older share-mode security + configuration that was shown in the first edition of this book. + </p><p> + Note: If you want to use the older-style configuration that uses share-mode security, you + can install the file shown in <a href="simple.html#charity-smbconf" title="Example 1.3. Charity Administration Office smb.conf Old-style File">???</a> in the + <code class="filename">/etc/samba</code> directory. + </p></li><li><p> + <a class="indexterm" name="id325476"></a> + We must ensure that the <code class="literal">smbd</code> can resolve the name of the Samba + server to its IP address. Verify that the <code class="filename">/etc/hosts</code> file + contains the following entry: +</p><pre class="screen"> +192.168.1.1 server +</pre><p> + </p></li><li><p> + Configure the printers with the IP address as shown in <a href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">???</a>. + Follow the instructions in the manufacturer's manual to permit printing to port 9100 + so that the CUPS spooler can print using raw mode protocols. + </p></li><li><p> + <a class="indexterm" name="id325522"></a> + Configure the CUPS Print Queues: +</p><pre class="screen"> +<code class="prompt">root# </code> lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E +<code class="prompt">root# </code> lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E +</pre><p> + This creates the necessary print queues with no assigned print filter. + </p></li><li><p> + <a class="indexterm" name="id325555"></a> + <a class="indexterm" name="id325561"></a> + <a class="indexterm" name="id325568"></a> + Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id325594"></a> + Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id325620"></a> + Use the standard system tool to start Samba and CUPS to configure them to restart + automatically at every system reboot. For example, + </p><p> + <a class="indexterm" name="id325631"></a> + <a class="indexterm" name="id325638"></a> + <a class="indexterm" name="id325645"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig cups on +<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart +<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart +</pre><p> + </p></li></ol></div><div class="example"><a name="charity-smbconfnew"></a><p class="title"><b>Example 1.2. Charity Administration Office <code class="filename">smb.conf</code> New-style File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global Parameters - Newer Configuration</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id325716"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id325729"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id325741"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id325754"></a><em class="parameter"><code>map to guest = Bad User</code></em></td></tr><tr><td><a class="indexterm" name="id325766"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id325779"></a><em class="parameter"><code>wins support = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[FTMFILES]</code></em></td></tr><tr><td><a class="indexterm" name="id325801"></a><em class="parameter"><code>comment = Funds Tracking & Management Files</code></em></td></tr><tr><td><a class="indexterm" name="id325813"></a><em class="parameter"><code>path = /data/ftmfiles</code></em></td></tr><tr><td><a class="indexterm" name="id325826"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id325838"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id325851"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id325864"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325876"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id325898"></a><em class="parameter"><code>comment = General Office Files</code></em></td></tr><tr><td><a class="indexterm" name="id325910"></a><em class="parameter"><code>path = /data/officefiles</code></em></td></tr><tr><td><a class="indexterm" name="id325923"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id325935"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id325948"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id325960"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325973"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id325994"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id326007"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id326020"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326032"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326045"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326057"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="charity-smbconf"></a><p class="title"><b>Example 1.3. Charity Administration Office <code class="filename">smb.conf</code> Old-style File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global Parameters - Older Style Configuration</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id326104"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id326116"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td><a class="indexterm" name="id326129"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id326142"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id326154"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326167"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id326179"></a><em class="parameter"><code>wins support = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[FTMFILES]</code></em></td></tr><tr><td><a class="indexterm" name="id326201"></a><em class="parameter"><code>comment = Funds Tracking & Management Files</code></em></td></tr><tr><td><a class="indexterm" name="id326214"></a><em class="parameter"><code>path = /data/ftmfiles</code></em></td></tr><tr><td><a class="indexterm" name="id326226"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id326239"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id326251"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id326264"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326276"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id326298"></a><em class="parameter"><code>comment = General Office Files</code></em></td></tr><tr><td><a class="indexterm" name="id326310"></a><em class="parameter"><code>path = /data/officefiles</code></em></td></tr><tr><td><a class="indexterm" name="id326323"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id326336"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id326348"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id326361"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326373"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id326395"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id326407"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id326420"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326432"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326445"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326458"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="procedure"><a name="id326471"></a><p class="title"><b>Procedure 1.4. Windows Client Configuration</b></p><ol type="1"><li><p> + Configure clients to the network settings shown in <a href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">???</a>. + </p></li><li><p> + Ensure that the netmask used on the Windows clients matches that used + for the Samba server. All clients must have the same netmask, such as + <code class="constant">255.255.255.0</code>. + </p></li><li><p> + <a class="indexterm" name="id326507"></a> + On all Windows clients, set the WINS Server address to <code class="constant">192.168.1.1</code>, + the IP address of the server. + </p></li><li><p> + Set the workgroup name on all clients to <code class="constant">MIDEARTH</code>. + </p></li><li><p> + <a class="indexterm" name="id326536"></a> + Install the “<span class="quote">Client for Microsoft Networks.</span>” Ensure that the only option + enabled in its properties is the option “<span class="quote">Logon and restore network connections.</span>” + </p></li><li><p> + Click <span class="guibutton">OK</span> when you are prompted to reboot the system. Reboot the + system, then log on using any username and password you choose. + </p></li><li><p> + <a class="indexterm" name="id326571"></a> + Verify on each client that the machine called <code class="constant">SERVER</code> + is visible in <span class="guimenu">My Network Places</span>, that it is + possible to connect to it and see the share <span class="guimenuitem">office</span>, + and that it is possible to open that share to reveal its contents. + </p></li><li><p> + <a class="indexterm" name="id326601"></a> + <a class="indexterm" name="id326608"></a> + Disable password caching on all Windows 9x/Me machines using the registry change file + shown in <a href="simple.html#MEreg" title="Example 1.4. Windows Me Registry Edit File: Disable Password Caching">???</a>. Be sure to remove all files that have the + <code class="filename">PWL</code> extension that are in the <code class="filename">C:\WINDOWS</code> + directory. +</p><div class="example"><a name="MEreg"></a><p class="title"><b>Example 1.4. Windows Me Registry Edit File: Disable Password Caching</b></p><div class="example-contents"><pre class="screen"> +REGEDIT4 + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ + Windows\CurrentVersion\Policies\Network] + "DisablePwdCaching"=dword:00000001 +</pre></div></div><p><br class="example-break"> + The best way to apply this change is to save the patch in a file called + <code class="filename">ME-dpwc.reg</code> and then execute: +</p><pre class="screen"> +C:\WINDOWS: regedit ME-dpwc.reg +</pre><p> + </p></li><li><p> + Instruct all users to log onto the workstation using a name and password of their own + choosing. The Samba server has been + configured to ignore the username and password given. + </p></li><li><p> + On each Windows Me workstation, configure a network drive mapping to drive <code class="filename">G:</code> + that redirects to the uniform naming convention (UNC) resource + <code class="filename">\\server\office</code>. Make this a permanent drive connection: + </p><div class="procedure"><ol type="1"><li><p> + <span class="guimenu">My Network</span> → <span class="guimenuitem">Map Network Drive...</span> + </p></li><li><p> + In the box labeled “<span class="quote">Drive:</span>”, type G. + </p></li><li><p> + In the box labeled “<span class="quote">Path:</span>”, enter + <code class="filename">\\server\officefiles</code>. + </p></li><li><p> + Click <span class="guimenuitem">Reconnect at logon</span>. + Click <span class="guibutton">OK</span>. + </p></li></ol></div></li><li><p> + On each workstation, install the FTM software following the + manufacturer's instructions. + </p><div class="procedure"><ol type="1"><li><p> + During installation, you are prompted for the name of the Windows 98 + server. Enter the name <code class="constant">SERVER</code>. + </p></li><li><p> + You are prompted for the name of the data share. + The prompt defaults to <code class="constant">FTMFILES</code>. Press enter to accept the default value. + </p></li><li><p> + You are now prompted for the print queue name. The default prompt is the name of + the server you entered (<code class="constant">SERVER</code> as follows: + <code class="constant">\\SERVER\PRINTQ</code>). Simply accept the default and press enter to + continue. The software now completes the installation. + </p></li></ol></div></li><li><p> + Install an office automation software package of the customer's choice. Either Microsoft + Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may + need to perform. Repeat this on each workstation. + </p></li><li><p> + Install a printer on each workstation using the following steps: + </p><div class="procedure"><ol type="1"><li><p> + Click <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>. + Ensure that <span class="guimenuitem">Local printer</span> is selected. + </p></li><li><p> + Click <span class="guibutton">Next</span>. In the Manufacturer: panel, select + <code class="constant">HP</code>. In the Printers: panel, select the printer called + <code class="constant">HP LaserJet 5/5M Postscript</code>. Click <span class="guibutton">Next</span>. + </p></li><li><p> + In the Available ports: panel, select <code class="constant">FILE:</code>. Accept the + default printer name by clicking <span class="guibutton">Next</span>. When asked, + “<span class="quote">Would you like to print a test page?</span>”, click + <span class="guimenuitem">No</span>. Click <span class="guibutton">Finish</span>. + </p></li><li><p> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. Right-click <span class="guiicon">HP LaserJet 5/5M Postscript</span> → <span class="guimenuitem">Properties</span> → <span class="guisubmenu">Details (Tab)</span> → <span class="guimenuitem">Add Port</span>. + </p></li><li><p> + In the Network panel, enter the name of + the print queue on the Samba server as follows: <code class="constant">\\SERVER\hplj5</code>. + Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation. + </p></li><li><p> + It is a good idea to test the functionality of the complete installation before + handing the newly configured network over to the Charity Administration Office + for production use. + </p></li></ol></div></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327028"></a>Validation</h4></div></div></div><p> + Use the same validation process as was followed in <a href="simple.html#validate1" title="Validation">???</a>. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="AccountingOffice"></a>Accounting Office</h3></div></div></div><p> + Abmas Accounting is a 40-year-old family-run business. There are nine permanent + computer users. The network clients were upgraded two years ago. All computers run Windows 2000 + Professional. This year the server will be upgraded from an old Windows NT4 server (actually + running Windows NT4 Workstation, which worked fine for fewer than 10 users) that has + run in workgroup (standalone) mode, to a new Linux server running Samba. + </p><p> + The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional + clients running as workgroup machines so that any staff member can take a machine home and keep + working. It has worked well so far, and your task is to replace the old server. All users have + their own workstation logon (you configured it that way when the machines were installed). + Mr. Meany wants the new system to operate the same way as the old Windows NT4 server users + cannot access each others' files, but he can access everyone's files. Each person's work files are + in a separate share on the server. Users log on to their Windows workstation with their username + and enter an assigned password; they do not need to enter a password when accessing their files + on the server. + </p><p> + <a class="indexterm" name="id327076"></a> + The new server will run Red Hat Fedora Core2. You should install Samba-3.0.20 and + copy all files from the old system to the new one. The existing Windows NT4 server has a parallel + port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each + workstation. You must not change anything on the workstations. Mr. Meany gave instructions to + replace the server, “<span class="quote">but leave everything else alone to avoid staff unrest.</span>” + </p><p> + You have tried to educate Mr. Meany and found that he has no desire to understand networking. + He believes that Windows for Workgroups 3.11 was “<span class="quote">the best server Microsoft ever sold + </span>” and that Windows NT and 2000 are “<span class="quote">too fang-dangled complex!</span>” + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327103"></a>Dissection and Discussion</h4></div></div></div><p> + <a class="indexterm" name="id327110"></a> + The requirements of this network installation are not unusual. The staff are not interested in the + details of networking. Passwords are never changed. In this example solution, we demonstrate the use + of User Mode security in a simple context. Directories should be set SGID to ensure that members + of a common group can access the contents. Each user has his or her own share to which only they + can connect. Mr. Meany's share will be a top-level directory above the share point for each employee. + Mr. Meany is a member of the same group as his staff and can access their work files. + The well-used HP LaserJet 4 is available as a service called <code class="constant">hplj</code>. + </p><p> + You have finished configuring the new hardware and have just completed installation of Red Hat + Fedora Core2. Roll up your sleeves and let's get to work. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="AcctgNet"></a>Implementation</h4></div></div></div><p> + The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it + cannot be running as a WINS server. It is best that the new configuration preserves the same + configuration. The office does not use Internet access, so security really is not an issue. + </p><p> + The core information regarding the users, their passwords, the directory share point, and the + share name is given in <a href="simple.html#acctingnet" title="Table 1.1. Accounting Office Network Information">???</a>. The overall network topology is shown in + <a href="simple.html#acctingnet2" title="Figure 1.2. Accounting Office Network Topology">???</a>. All machines have been configured as indicated prior to the + start of Samba configuration. The following prescriptive steps may now commence. + </p><div class="figure"><a name="acctingnet2"></a><p class="title"><b>Figure 1.2. Accounting Office Network Topology</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/AccountingNetwork.png" width="459" alt="Accounting Office Network Topology"></div></div></div><br class="figure-break"><div class="table"><a name="acctingnet"></a><p class="title"><b>Table 1.1. Accounting Office Network Information</b></p><div class="table-contents"><table summary="Accounting Office Network Information" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="left">User</th><th align="left">Login-ID</th><th align="left">Password</th><th align="left">Share Name</th><th align="left">Directory</th><th align="left">Wkst</th></tr></thead><tbody><tr><td align="left">Alan Meany</td><td align="left">alan</td><td align="left">alm1961</td><td align="left">alan</td><td align="left">/data</td><td align="left">PC1</td></tr><tr><td align="left">James Meany</td><td align="left">james</td><td align="left">jimm1962</td><td align="left">james</td><td align="left">/data/james</td><td align="left">PC2</td></tr><tr><td align="left">Jeannie Meany</td><td align="left">jeannie</td><td align="left">jema1965</td><td align="left">jeannie</td><td align="left">/data/jeannie</td><td align="left">PC3</td></tr><tr><td align="left">Suzy Millicent</td><td align="left">suzy</td><td align="left">suzy1967</td><td align="left">suzy</td><td align="left">/data/suzy</td><td align="left">PC4</td></tr><tr><td align="left">Ursula Jenning</td><td align="left">ujen</td><td align="left">ujen1974</td><td align="left">ursula</td><td align="left">/data/ursula</td><td align="left">PC5</td></tr><tr><td align="left">Peter Pan</td><td align="left">peter</td><td align="left">pete1984</td><td align="left">peter</td><td align="left">/data/peter</td><td align="left">PC6</td></tr><tr><td align="left">Dale Roland</td><td align="left">dale</td><td align="left">dale1986</td><td align="left">dale</td><td align="left">/data/dale</td><td align="left">PC7</td></tr><tr><td align="left">Bertrand E Paoletti</td><td align="left">eric</td><td align="left">eric1993</td><td align="left">eric</td><td align="left">/data/eric</td><td align="left">PC8</td></tr><tr><td align="left">Russell Lewis</td><td align="left">russ</td><td align="left">russ2001</td><td align="left">russell</td><td align="left">/data/russell</td><td align="left">PC9</td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="id327495"></a><p class="title"><b>Procedure 1.5. Migration from Windows NT4 Workstation System to Samba-3</b></p><ol type="1"><li><p><a class="indexterm" name="id327506"></a> + Rename the old server from <code class="constant">CASHPOOL</code> to <code class="constant">STABLE</code> + by logging onto the console as the <code class="constant">Administrator</code>. Restart the machine + following system prompts. + </p></li><li><p> + Name the new server <code class="constant">CASHPOOL</code> using the standard configuration method. + Restart the machine following system prompts. + </p></li><li><p> + Install the latest Samba-3 binary Red Hat Linux RPM that is available from the + Samba FTP site. + </p></li><li><p> + <a class="indexterm" name="id327552"></a> + <a class="indexterm" name="id327559"></a> + Add a group account for the office to use. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> groupadd accts +</pre><p> + </p></li><li><p> + Install the <code class="filename">smb.conf</code> file shown<sup>[<a name="id327590" href="#ftn.id327590">4</a>]</sup> + in <a href="simple.html#acctconf" title="Example 1.5. Accounting Office Network smb.conf Old Style Configuration File">???</a>. + </p></li><li><p> + <a class="indexterm" name="id327627"></a> + <a class="indexterm" name="id327634"></a> + <a class="indexterm" name="id327641"></a> + For each user who uses this system (see <a href="simple.html#acctingnet" title="Table 1.1. Accounting Office Network Information">???</a>), + execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> useradd -m -G accts -c "Name of User" "LoginID" +<code class="prompt">root# </code> passwd "LoginID" +Changing password for user "LoginID" +New Password: XXXXXXXXX <-- the password from the table +Retype new password: XXXXXXXXX +<code class="prompt">root# </code> smbpasswd -a "LoginID" +New SMB password: XXXXXXXXX <-- the password from the table +Retype new SMB password: XXXXXXXXX +Added user "LoginID" +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id327688"></a> + Create the directory structure for the file shares by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data +<code class="prompt">root# </code> chown alan /data +<code class="prompt">root# </code> for i in james suzy ujen peter dale eric jeannie russ +> do +> mkdir -p /data/$i +> chown $i /data/$i +> done +<code class="prompt">root# </code> chgrp -R accts /data +<code class="prompt">root# </code> chmod -R ug+rwxs,o-r+x /data +</pre><p> + The data storage structure is now prepared for use. + </p></li><li><p> + <a class="indexterm" name="id327739"></a> + Configure the CUPS Print Queues: +</p><pre class="screen"> +<code class="prompt">root# </code> lpadmin -p hplj -v parallel:/dev/lp0 -E +</pre><p> + This creates the necessary print queues with no assigned print filter. + </p></li><li><p> + <a class="indexterm" name="id327766"></a> + <a class="indexterm" name="id327772"></a> + Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id327798"></a> + <a class="indexterm" name="id327805"></a> + Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id327831"></a> + Use the standard system tool to start Samba and CUPS to configure them to restart + automatically at every system reboot. For example, + </p><p> + <a class="indexterm" name="id327842"></a> + <a class="indexterm" name="id327849"></a> + <a class="indexterm" name="id327856"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig cups on +<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart +<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart +</pre><p> + </p></li><li><p> + On Alan's workstation, use Windows Explorer to migrate the files from the old server + to the new server. The new server should appear in the <span class="guimenu">Network Neighborhood</span> + with the name of the old server (<code class="constant">CASHPOOL</code>). + </p><div class="procedure"><ol type="1"><li><p> + Log on to Alan's workstation as the user <code class="constant">alan</code>. + </p></li><li><p> + Launch a second instance of Windows Explorer and navigate to the share called + <span class="guiicon">files</span> on the server called <span class="guimenu">STABLE</span>. + </p></li><li><p> + Click in the right panel, and press <span class="guimenu">Ctrl-A</span> to select all files and + directories. Press <span class="guimenu">Ctrl-C</span> to instruct Windows that you wish to + copy all selected items. + </p></li><li><p> + Launch the Windows Explorer, and navigate to the share called <span class="guiicon">files</span> + on the server called <span class="guimenu">CASHPOOL</span>. Click in the right panel, and then press + <span class="guimenu">Ctrl-V</span> to commence the copying process. + </p></li></ol></div></li><li><p> + Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server. + This is best done on the Samba-3 server. Check the contents of the directory tree under + <code class="filename">/data</code> by executing the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -aR /data +</pre><p> + Make certain to check the ownership and permissions on all files. If in doubt, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> chown alan /data +<code class="prompt">root# </code> for i in james suzy ujen peter dale eric jeannie russ +> do +> chown $i /data/$i +> done +<code class="prompt">root# </code> chgrp -R accts /data +<code class="prompt">root# </code> chmod -R ug+rwxs,o-r+x /data +</pre><p> + </p></li><li><p> + The migration of all data should now be complete. It is time to validate the installation. + For this, you should make sure all applications, including printing, work before asking the + customer to test drive the new network. + </p></li></ol></div><div class="example"><a name="acctconf"></a><p class="title"><b>Example 1.5. Accounting Office Network <code class="filename">smb.conf</code> Old Style Configuration File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id328092"></a><em class="parameter"><code>workgroup = BILLMORE</code></em></td></tr><tr><td><a class="indexterm" name="id328104"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id328117"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328129"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id328142"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[files]</code></em></td></tr><tr><td><a class="indexterm" name="id328164"></a><em class="parameter"><code>comment = Work area files</code></em></td></tr><tr><td><a class="indexterm" name="id328176"></a><em class="parameter"><code>path = /data/%U</code></em></td></tr><tr><td><a class="indexterm" name="id328189"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[master]</code></em></td></tr><tr><td><a class="indexterm" name="id328210"></a><em class="parameter"><code>comment = Master work area files</code></em></td></tr><tr><td><a class="indexterm" name="id328223"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id328235"></a><em class="parameter"><code>valid users = alan</code></em></td></tr><tr><td><a class="indexterm" name="id328248"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id328269"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id328282"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id328295"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328307"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328320"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328332"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id328349"></a>Questions and Answers</h2></div></div></div><p> + The following questions and answers draw from the examples in this chapter. + Many design decisions are impacted by the configurations chosen. The intent + is to expose some of the hidden implications. + </p><div class="qandaset"><dl><dt> <a href="simple.html#id328366"> + What makes an anonymous Samba server more simple than a non-anonymous Samba server? + </a></dt><dt> <a href="simple.html#id328389"> + How is the operation of the parameter force user different from + setting the root directory of the share SUID? + </a></dt><dt> <a href="simple.html#id328436"> + When would you both use the per share parameter force user and set + the share root directory SUID? + </a></dt><dt> <a href="simple.html#id328461"> + What is better about CUPS printing than LPRng printing? + </a></dt><dt> <a href="simple.html#id328495"> + When should Windows client IP addresses be hard-coded? + </a></dt><dt> <a href="simple.html#id328516"> + Under what circumstances is it best to use a DHCP server? + </a></dt><dt> <a href="simple.html#id328547"> + What is the purpose of setting the parameter guest ok on a share? + </a></dt><dt> <a href="simple.html#id328571"> + When would you set the global parameter disable spoolss? + </a></dt><dt> <a href="simple.html#id328650"> + Why would you disable password caching on Windows 9x/Me clients? + </a></dt><dt> <a href="simple.html#id328671"> + The example of Abmas Accounting uses User Mode security. How does this provide anonymous access? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id328366"></a><a name="id328369"></a></td><td align="left" valign="top"><p> + What makes an anonymous Samba server more simple than a non-anonymous Samba server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + In the anonymous server, the only account used is the <code class="constant">guest</code> account. + In a non-anonymous configuration, it is necessary to add real user accounts to both the + UNIX system and to the Samba configuration. Non-anonymous servers require additional + administration. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328389"></a><a name="id328392"></a></td><td align="left" valign="top"><p> + How is the operation of the parameter <em class="parameter"><code>force user</code></em> different from + setting the root directory of the share SUID? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The parameter <em class="parameter"><code>force user</code></em> causes all operations on the share to assume the UID + of the forced user. The new default GID that applies is the primary GID of the forced user. + This gives all users of this resource the actual privilege of the forced user. + </p><p> + When a directory is set SUID, the operating system forces files that are written within it + to be owned by the owner of the directory. While this happens, the user who is using the share + has only the level of privilege he or she is assigned within the operating system context. + </p><p> + The parameter <em class="parameter"><code>force user</code></em> has potential security implications that go + beyond the actual share root directory. Be careful and wary of using this parameter. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328436"></a><a name="id328439"></a></td><td align="left" valign="top"><p> + When would you both use the per share parameter <em class="parameter"><code>force user</code></em> and set + the share root directory SUID? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + You would use both parameters when it is necessary to guarantee that all share handling operations + are conducted as the forced user, while all file and directory creation are done as the SUID + directory owner. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328461"></a><a name="id328463"></a></td><td align="left" valign="top"><p> + What is better about CUPS printing than LPRng printing? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + CUPS is a print spooling system that has integrated remote management facilities, provides completely + automated print processing/preprocessing, and can be configured to automatically + apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the + target printer. CUPS includes an image file RIP that supports printing of image files to + non-PostScript printers. CUPS has lots of bells and whistles and is more like a supercharged MS Windows + NT/200x print monitor and processor. Its complexity can be eliminated or turbocharged to suit + any fancy. + </p><p> + The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print + spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng can be + configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd + spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd. + </p><p> + Which spooling system is better is a matter of personal taste. It depends on what you want to do and how you want to + do it and manage it. Most modern Linux systems ship with CUPS as the default print management system. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328495"></a><a name="id328497"></a></td><td align="left" valign="top"><p> + When should Windows client IP addresses be hard-coded? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + When there are few MS Windows clients, little client change, no mobile users, and users are not + inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows + client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove + user ability to access network configuration controls, fixed configuration eliminates the need + for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network + failure. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328516"></a><a name="id328518"></a></td><td align="left" valign="top"><p> + Under what circumstances is it best to use a DHCP server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + In network configurations where there are mobile users, or where Windows client PCs move around + (particularly between offices or between subnets), it makes complete sense to control all Windows + client configurations using a DHCP server. Additionally, when users do tamper with the network + settings, DHCP can be used to normalize all client settings. + </p><p> + One underappreciated benefit of using a DHCP server to assign all network client + device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP + settings, change network addressing, or enhance the ability of client devices to + benefit from new network services. + </p><p> + Another benefit of modern DHCP servers is their ability to register dynamically + assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in + a large Windows network environment. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328547"></a><a name="id328549"></a></td><td align="left" valign="top"><p> + What is the purpose of setting the parameter <em class="parameter"><code>guest ok</code></em> on a share? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + If this parameter is set to yes for a service, then no password is required to connect to the service. + Privileges are those of the guest account. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328571"></a><a name="id328573"></a></td><td align="left" valign="top"><p> + When would you set the global parameter <em class="parameter"><code>disable spoolss</code></em>? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Setting this parameter to <code class="constant">Yes</code> disables Samba's support for the SPOOLSS set of + MS-RPCs and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to + using LanMan style printing commands. Windows 9x/Me are unaffected by the parameter. However, this + disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer + Wizard or by using the NT printer properties dialog window. It also disables the capability of + Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about + setting this parameter. + </p><p> + The alternate parameter <em class="parameter"><code>use client driver</code></em> applies only to Windows NT/200x clients. It has no + effect on Windows 95/98/Me clients. When serving a printer to Windows NT/200x clients without first installing a valid + printer driver on the Samba host, the client is required to install a local printer driver. From this point on, + the client treats the printer as a local printer and not a network printer connection. This is much the same behavior + that occurs when <em class="parameter"><code>disable spoolss = yes</code></em>. + </p><p> + Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client + considers the printer to be local, it attempts to issue the <em class="parameter"><code>OpenPrinterEx()</code></em> call requesting + access rights associated with the logged on user. If the user possesses local administrator rights but not root + privilege on the Samba host (often the case), the <em class="parameter"><code>OpenPrinterEx()</code></em> call fails. The result is + that the client now displays an “<span class="quote">Access Denied; Unable to connect</span>” message in the printer queue window + (even though jobs may be printed successfully). This parameter MUST not be enabled on a print share that has a valid + print driver installed on the Samba server. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328650"></a><a name="id328652"></a></td><td align="left" valign="top"><p> + Why would you disable password caching on Windows 9x/Me clients? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Windows 9x/Me workstations that are set at default (password caching enabled) store the username and + password in files located in the Windows master directory. Such files can be scavenged (read off a client + machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed. + It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id328671"></a><a name="id328673"></a></td><td align="left" valign="top"><p> + The example of Abmas Accounting uses User Mode security. How does this provide anonymous access? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional, + and given that users are logging onto their machines, by default the client attempts to connect to + a remote server using currently logged in user credentials. By ensuring that the user's login ID and + password are the same as those set on the Samba server, access is transparent and does not require + separate user authentication. + </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id324068" href="#id324068">1</a>] </sup>The examples given mirror those documented + in The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 2, Section 2.3.1. You may gain additional + insight from the standalone server configurations covered in TOSHARG2, sections 2.3.1.2 through 2.3.1.4. + </p></div><div class="footnote"><p><sup>[<a name="ftn.id324218" href="#id324218">2</a>] </sup> + This information is given purely as an example of how data may be stored in such a way that it + will be easy to locate records at a later date. The example is not meant to imply any instructions + that may be construed as essential to the design of the solution; this is something you will almost + certainly want to determine for yourself.</p></div><div class="footnote"></div><div class="footnote"><p><sup>[<a name="ftn.id327590" href="#id327590">4</a>] </sup>This example uses the + <em class="parameter"><code>smbpasswd</code></em> file in an obtuse way, since the use of + the <em class="parameter"><code>passdb backend</code></em> has not been specified in the <code class="filename">smb.conf</code> + file. This means that you are depending on correct default behavior.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ExNetworks.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="small.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. Example Network Configurations </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. Small Office Networking</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/small.html b/docs/htmldocs/Samba3-ByExample/small.html new file mode 100644 index 0000000000..61d1524147 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/small.html @@ -0,0 +1,805 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Small Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="simple.html" title="Chapter 1. No-Frills Samba Servers"><link rel="next" href="secure.html" title="Chapter 3. Secure Office Networking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Small Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="simple.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="secure.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="small"></a>Chapter 2. Small Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="small.html#id328760">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id328778">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id328824">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id328873">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id329059">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id329077">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id330725">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id331347">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id331367">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id331433">Questions and Answers</a></span></dt></dl></div><p> + <a href="simple.html" title="Chapter 1. No-Frills Samba Servers">???</a> focused on the basics of simple yet effective + network solutions. Network administrators who take pride in their work + (that's most of us, right?) take care to deliver what our users want, + but not too much more. If we make things too complex, we confound our users + and increase costs of network ownership. A professional network manager + avoids the temptation to put too much pizazz into the way that the network + operates. Some creativity is helpful, but keep it under control + good advice that the following two scenarios illustrate. + </p><p> + <a class="indexterm" name="id328725"></a> + In one case the network administrator of a mid-sized company spent three + months building a new network to replace an old Netware server. What he + delivered had all the bells and whistles he could muster. There were a + few teething problems during the changeover, nothing serious but a little + disruptive all the same. Users were exposed to many changes at once. The + network administrator was asked to resign two months after implementing + the new system because so many staff complained they had lost time and + were not happy with the new network. Everything was automated, and he + delivered more features than any advanced user could think of. He was + just too smart for his own good. + </p><p> + In the case of the other company, a new network manager was appointed + to oversee the replacement of a LanTastic network with an MS Windows + NT 4.0 network. He had the replacement installed and operational within + two weeks. Before installation and changeover, he called a meeting to + explain to all users what was going to happen, how it would affect them, + and that he would be available 24 hours a day to help them transition. + One week after conversion, he held another meeting asking for cooperation + in the introduction of a few new features that would help to make life + easier. Network users were thrilled with the help he provided. The network + he implemented was nowhere near as complex as in the first example, had fewer + features, and yet he had happy users. Months later he was still adding + new innovations. He always asked the users if a + particular feature was what they wanted. He asked his boss for a raise + and got it. He often told me, “<span class="quote">Always keep a few new tricks up your + sleeves for when you need them.</span>” Was he smart? You decide. Let's + get on with our next exercise. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id328760"></a>Introduction</h2></div></div></div><p> + Abmas Accounting has grown. Mr. Meany likes you and says he knew you + were the right person for the job. That's why he asked you to install the + new server. The past few months have been hard work. You advised Mr. Meany + that it is time for a change. Abmas now has 52 users, having acquired an + investment consulting business recently. The new users were added to the + network without any problems. + </p><p> + Some of the Windows clients are nearly past their use-by date. You found damaged and unusable software on + some of the workstations that came with the acquired business and found some machines in need of both + hardware and software maintenance. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328778"></a>Assignment Tasks</h3></div></div></div><p> + <a class="indexterm" name="id328785"></a> + Mr. Meany is retiring in 12 months. Before he goes, he wants you to help ensure + that the business is running efficiently. Many of the new staff want notebook + computers. They visit customer business premises and need to use local network + facilities; these users are technically competent. The company uses a + business application that requires Windows XP Professional. In short, a complete + client upgrade is about to happen. Mr. Meany told you that he is working + on another business acquisition and that by the time he retires there will be + 80 to 100 users. + </p><p> + Mr. Meany is not concerned about security. He wants to make it easier for + staff to do their work. He has hired you to help him appoint a full-time + network manager before he retires. Above all, he says he is investing in + the ability to grow. He is determined to live his lifelong dream and + hand the business over to a bright and capable executive who can make + things happen. This means your network design must cope well with + growth. + </p><p> + In a few months, Abmas will require an Internet connection for email and so + that staff can easily obtain software updates. Mr. Meany is warming up to + the installation of antivirus software but is not yet ready to approve + this expense. He told you to spend the money a virus scanner costs + on better quality notebook computers for mobile users. + </p><p> + One of Mr. Meany's golfing partners convinced him to buy new laser + printers, one black only, the other a color laser printer. Staff support + the need for a color printer so they can present more attractive proposals + and reports. + </p><p> + Mr. Meany also asked if it would be possible for one of the staff to manage + user accounts from the Windows desktop. That person will be responsible for + basic operations. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id328824"></a>Dissection and Discussion</h2></div></div></div><p> + What are the key requirements in this business example? A quick review indicates + a need for + </p><div class="itemizedlist"><ul type="disc"><li><p> + Scalability, from 52 to over 100 users in 12 months + </p></li><li><p> + Mobile computing capability + <a class="indexterm" name="id328844"></a> + </p></li><li><p> + Improved reliability and usability + </p></li><li><p> + Easier administration + </p></li></ul></div><p> + In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2 server + (as in <a href="simple.html#AccountingOffice" title="Accounting Office">???</a>). + + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328873"></a>Technical Issues</h3></div></div></div><p> + <a class="indexterm" name="id328881"></a> + <a class="indexterm" name="id328888"></a> + <a class="indexterm" name="id328894"></a> + <a class="indexterm" name="id328901"></a> + <a class="indexterm" name="id328908"></a> + It is time to implement a domain security environment. You will use the <code class="constant"> + smbpasswd</code> (default) backend. You should implement a DHCP server. There is no need to + run DNS at this time, but the system will use WINS. The domain name will be <code class="constant"> + BILLMORE</code>. This time, the name of the server will be <code class="constant">SLEETH</code>. + </p><p> + All printers will be configured as DHCP clients. The DHCP server will assign + the printer a fixed IP address by way of its Ethernet interface (MAC) address. + See <a href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The <code class="filename">smb.conf</code> file you are creating in this exercise can be used with equal effectiveness + with Samba-2.2.x series releases. This is deliberate so that in the next chapter it is + possible to start with the installation that you have created here, migrate it + to a Samba-3 configuration, and then secure the system further. Configurations following + this one utilize features that may not be supported in Samba-2.2.x releases. + However, you should note that the examples in each chapter start with the assumption + that a fresh new installation is being effected. + </p></div><p> + Later on, when the Internet connection is implemented, you will add DNS as well as + other enhancements. It is important that you plan accordingly. + </p><p> + <a class="indexterm" name="id328962"></a> + You have split the network into two separate areas. Each has its own Ethernet switch. + There are 20 users on the accounting network and 32 users on the financial services + network. The server has two network interfaces, one serving each network. The + network printers will be located in a central area. You plan to install the new + printers and keep the old printer in use also. + </p><p> + You will provide separate file storage areas for each business entity. The old system + will go away, accounting files will be handled under a single directory, and files will + be stored under customer name, not under a personal work area. Staff will be made + responsible for file location, so the old share point must be maintained. + </p><p> + Given that DNS will not be used, you will configure WINS name resolution for UNIX + hostname name resolution. + </p><p> + <a class="indexterm" name="id328986"></a> + <a class="indexterm" name="id328995"></a> + It is necessary to map Windows Domain Groups to UNIX groups. It is + advisable to also map Windows Local Groups to UNIX groups. Additionally, the two + key staff groups in the firm are accounting staff and financial services staff. + For these, it is necessary to create UNIX groups as well as Windows Domain Groups. + </p><p> + In the sample <code class="filename">smb.conf</code> file, you have configured Samba to call the UNIX + <code class="literal">groupadd</code> to add group entries. This utility does not permit + the addition of group names that contain uppercase characters or spaces. This + is considered a bug. The <code class="literal">groupadd</code> is part of the + <code class="literal">shadow-utils</code> open source software package. A later release + of this package may have been patched to resolve this bug. If your operating + platform has this bug, it means that attempts to add a Windows Domain Group that + has either a space or uppercase characters in it will fail. See + <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 11, Section 11.3.1, Example 11.1, for + more information. + </p><p> + <a class="indexterm" name="id329045"></a> + Vendor-supplied printer drivers will be installed on each client. The CUPS print + spooler on the UNIX host will be operated in <code class="constant">raw</code> mode. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329059"></a>Political Issues</h3></div></div></div><p> + Mr. Meany is an old-school manager. He sets the rules and wants to see compliance. + He is willing to spend money on things he believes are of value. You need more + time to convince him of real priorities. + </p><p> + Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be + supplied with antivirus software? Above all, demonstrate good purchase value and remember + to make your users happy. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id329077"></a>Implementation</h2></div></div></div><p> + <a class="indexterm" name="id329084"></a> + In this example, the assumption is made that this server is being configured from a clean start. + The alternate approach could be to demonstrate the migration of the system that is documented + in <a href="simple.html#AcctgNet" title="Implementation">???</a> to meet the new requirements. The decision to treat this case, as with + future examples, as a new installation is based on the premise that you can determine + the migration steps from the information provided in <a href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3">???</a>. + Additionally, a fresh installation makes the example easier to follow. + </p><p> + <a class="indexterm" name="id329111"></a> + Each user will be given a home directory on the UNIX system, which will be available as a private + share. Two additional shares will be created, one for the accounting department and the other for + the financial services department. Network users will be given access to these shares by way + of group membership. + </p><p> + <a class="indexterm" name="id329124"></a> + UNIX group membership is the primary mechanism by which Windows Domain users will be granted + rights and privileges within the Windows environment. + </p><p> + <a class="indexterm" name="id329137"></a> + The user <code class="literal">alanm</code> will be made the owner of all files. This will be preserved + by setting the sticky bit (set UID/GID) on the top-level directories. + </p><div class="figure"><a name="acct2net"></a><p class="title"><b>Figure 2.1. Abmas Accounting 52-User Network Topology</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/acct2net.png" alt="Abmas Accounting 52-User Network Topology"></div></div></div><br class="figure-break"><div class="procedure"><a name="id329195"></a><p class="title"><b>Procedure 2.1. Server Installation Steps</b></p><ol type="1"><li><p> + Using UNIX/Linux system tools, name the server <code class="constant">sleeth</code>. + </p></li><li><p> + <a class="indexterm" name="id329217"></a> + Place an entry for the machine <code class="constant">sleeth</code> in the <code class="filename">/etc/hosts</code>. + The printers are network attached, so there should be entries for the + network printers also. An example <code class="filename">/etc/hosts</code> file is shown here: +</p><pre class="screen"> +192.168.1.1 sleeth sleeth1 +192.168.2.1 sleeth2 +192.168.1.10 hplj6 +192.168.1.11 hplj4 +192.168.2.10 qms +</pre><p> + </p></li><li><p> + Install the Samba-3 binary RPM from the Samba-Team FTP site. + </p></li><li><p> + Install the ISC DHCP server using the UNIX/Linux system tools available to you. + </p></li><li><p> + <a class="indexterm" name="id329269"></a> + <a class="indexterm" name="id329276"></a> + <a class="indexterm" name="id329282"></a> + <a class="indexterm" name="id329289"></a> + Because Samba will be operating over two network interfaces and clients on each side + may want to be able to reach clients on the other side, it is imperative that IP forwarding + is enabled. Use the system tool of your choice to enable IP forwarding. In the + absence of such a tool on the Linux system, add to the <code class="filename">/etc/rc.d/rc.local</code> + file an entry as follows: +</p><pre class="screen"> +echo 1 > /proc/sys/net/ipv4/ip_forward +</pre><p> + This causes the Linux kernel to forward IP packets so that it acts as a router. + </p></li><li><p> + Install the <code class="filename">smb.conf</code> file as shown in <a href="small.html#acct2conf" title="Example 2.3. Accounting Office Network smb.conf File [globals] Section">???</a> and + <a href="small.html#acct3conf" title="Example 2.4. Accounting Office Network smb.conf File Services and Shares Section">???</a>. Combine these two examples to form a single + <code class="filename">/etc/samba/smb.conf</code> file. + </p></li><li><p> + <a class="indexterm" name="id329351"></a> + Add the user <code class="literal">root</code> to the Samba password backend: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -a root +New SMB password: XXXXXXX +Retype new SMB password: XXXXXXX +<code class="prompt">root# </code> +</pre><p> + <a class="indexterm" name="id329382"></a> + This is the Windows Domain Administrator password. Never delete this account from + the password backend after Windows Domain Groups have been initialized. If you delete + this account, your system is crippled. You cannot restore this account, + and your Samba server can no longer be administered. + </p></li><li><p> + <a class="indexterm" name="id329398"></a> + Create the username map file to permit the <code class="constant">root</code> account to be called + <code class="constant">Administrator</code> from the Windows network environment. To do this, create + the file <code class="filename">/etc/samba/smbusers</code> with the following contents: +</p><pre class="screen"> +#### +# User mapping file +#### +# File Format +# ----------- +# Unix_ID = Windows_ID +# +# Examples: +# root = Administrator +# janes = "Jane Smith" +# jimbo = Jim Bones +# +# Note: If the name contains a space it must be double quoted. +# In the example above the name 'jimbo' will be mapped to Windows +# user names 'Jim' and 'Bones' because the space was not quoted. +####################################################################### +root = Administrator +#### +# End of File +#### +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id329435"></a> + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in + <a href="small.html#initGrps" title="Example 2.1. Script to Map Windows NT Groups to UNIX Groups">???</a>. Create a file containing this script. We called ours + <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed, + and then execute the script. Sample output should be as follows: + +</p><div class="example"><a name="initGrps"></a><p class="title"><b>Example 2.1. Script to Map Windows NT Groups to UNIX Groups</b></p><div class="example-contents"><a class="indexterm" name="id329466"></a><pre class="screen"> +#!/bin/bash +# +# initGrps.sh +# + +# Create UNIX groups +groupadd acctsdep +groupadd finsrvcs + +# Map Windows Domain Groups to UNIX groups +net groupmap add ntgroup="Domain Admins" unixgroup=root type=d +net groupmap add ntgroup="Domain Users" unixgroup=users type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d + +# Add Functional Domain Groups +net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d +net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d +</pre></div></div><p><br class="example-break"> + +</p><pre class="screen"> +<code class="prompt">root# </code> chmod 755 initGrps.sh +<code class="prompt">root# </code> cd /etc/samba +<code class="prompt">root# </code> ./initGrps.sh +Updated mapping entry for Domain Admins +Updated mapping entry for Domain Users +Updated mapping entry for Domain Guests +No rid or sid specified, choosing algorithmic mapping +Successfully added group Accounts Dept to the mapping db +No rid or sid specified, choosing algorithmic mapping +Successfully added group Domain Guests to the mapping db + +<code class="prompt">root# </code> cd /etc/samba +<code class="prompt">root# </code> net groupmap list | sort +Account Operators (S-1-5-32-548) -> -1 +Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep +Administrators (S-1-5-32-544) -> -1 +Backup Operators (S-1-5-32-551) -> -1 +Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root +Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody +Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users +Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs +Guests (S-1-5-32-546) -> -1 +Power Users (S-1-5-32-547) -> -1 +Print Operators (S-1-5-32-550) -> -1 +Replicators (S-1-5-32-552) -> -1 +System Operators (S-1-5-32-549) -> -1 +Users (S-1-5-32-545) -> -1 +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id329534"></a> + <a class="indexterm" name="id329541"></a> + <a class="indexterm" name="id329550"></a> + For each user who needs to be given a Windows Domain account, make an entry in the + <code class="filename">/etc/passwd</code> file as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system accounts, and use the Samba + <code class="literal">smbpasswd</code> program to create the Domain user accounts. + </p><p> + <a class="indexterm" name="id329574"></a> + <a class="indexterm" name="id329581"></a> + <a class="indexterm" name="id329588"></a> + There are a number of tools for user management under UNIX, such as + <code class="literal">useradd</code> and <code class="literal">adduser</code>, as well as a plethora of custom + tools. With the tool of your choice, create a home directory for each user. + </p></li><li><p> + Using the preferred tool for your UNIX system, add each user to the UNIX groups created + previously, as necessary. File system access control will be based on UNIX group membership. + </p></li><li><p> + Create the directory mount point for the disk subsystem that is mounted to provide + data storage for company files. In this case the mount point is indicated in the <code class="filename">smb.conf</code> + file is <code class="filename">/data</code>. Format the file system as required, mount the formatted + file system partition using <code class="literal">mount</code>, + and make the appropriate changes in <code class="filename">/etc/fstab</code>. + </p></li><li><p> + Create the top-level file storage directories are follows: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs} +<code class="prompt">root# </code> chown -R root:root /data +<code class="prompt">root# </code> chown -R alanm:accounts /data/accounts +<code class="prompt">root# </code> chown -R alanm:finsvcs /data/finsvcs +<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /data +</pre><p> + Each department is responsible for creating its own directory structure within its + share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>. + The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>. + </p></li><li><p> + Configure the printers with the IP addresses as shown in <a href="small.html#acct2net" title="Figure 2.1. Abmas Accounting 52-User Network Topology">???</a>. + Follow the instructions in the manufacturers' manuals to permit printing to port 9100. + This allows the CUPS spooler to print using raw mode protocols. + <a class="indexterm" name="id329736"></a> + <a class="indexterm" name="id329742"></a> + </p></li><li><p> + <a class="indexterm" name="id329756"></a> + <a class="indexterm" name="id329765"></a> + Configure the CUPS Print Queues as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E +<code class="prompt">root# </code> lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E +<code class="prompt">root# </code> lpadmin -p qms -v socket://192.168.2.10:9100 -E +</pre><p> + <a class="indexterm" name="id329796"></a> + This creates the necessary print queues with no assigned print filter. + </p></li><li><p> + <a class="indexterm" name="id329811"></a> + <a class="indexterm" name="id329817"></a> + <a class="indexterm" name="id329824"></a> + Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id329850"></a> + Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id329876"></a> + Using your favorite system editor, create an <code class="filename">/etc/dhcpd.conf</code> with the + contents as shown in <a href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>. +</p><div class="example"><a name="dhcp01"></a><p class="title"><b>Example 2.2. Abmas Accounting DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></b></p><div class="example-contents"><a class="indexterm" name="id329911"></a><pre class="screen"> +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; + +option ntp-servers 192.168.1.1; +option domain-name "abmas.biz"; +option domain-name-servers 192.168.1.1, 192.168.2.1; +option netbios-name-servers 192.168.1.1, 192.168.2.1; +option netbios-node-type 8; +### NOTE ### +# netbios-node-type=8 means set clients to Hybrid Mode +# so they will use Unicast communication with the WINS +# server and thus reduce the level of UDP broadcast +# traffic by up to 90%. +############ + +subnet 192.168.1.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.1.128 192.168.1.254; + option subnet-mask 255.255.255.0; + option routers 192.168.1.1; + allow unknown-clients; + host hplj4 { + hardware ethernet 08:00:46:7a:35:e4; + fixed-address 192.168.1.10; + } + host hplj6 { + hardware ethernet 00:03:47:cb:81:e0; + fixed-address 192.168.1.11; + } + } +subnet 192.168.2.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.2.128 192.168.2.254; + option subnet-mask 255.255.255.0; + option routers 192.168.2.1; + allow unknown-clients; + host qms { + hardware ethernet 01:04:31:db:e1:c0; + fixed-address 192.168.1.10; + } + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +</pre></div></div><p><br class="example-break"> + </p></li><li><p> + Use the standard system tool to start Samba and CUPS and configure them to start + automatically at every system reboot. For example, + </p><p> + <a class="indexterm" name="id329945"></a> + <a class="indexterm" name="id329952"></a> + <a class="indexterm" name="id329958"></a> + <a class="indexterm" name="id329965"></a> + <a class="indexterm" name="id329972"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig dhcp on +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig cups on +<code class="prompt">root# </code> /etc/rc.d/init.d/dhcp restart +<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart +<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id330027"></a> + <a class="indexterm" name="id330034"></a> + <a class="indexterm" name="id330043"></a> + <a class="indexterm" name="id330050"></a> + <a class="indexterm" name="id330056"></a> + <a class="indexterm" name="id330063"></a> + Configure the name service switch (NSS) to handle WINS-based name resolution. + Since this system does not use a DNS server, it is safe to remove this option from + the NSS configuration. Edit the <code class="filename">/etc/nsswitch.conf</code> file so that + the <code class="constant">hosts:</code> entry looks like this: +</p><pre class="screen"> +hosts: files wins +</pre><p> + </p></li></ol></div><div class="example"><a name="acct2conf"></a><p class="title"><b>Example 2.3. Accounting Office Network <code class="filename">smb.conf</code> File [globals] Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id330125"></a><em class="parameter"><code>workgroup = BILLMORE</code></em></td></tr><tr><td><a class="indexterm" name="id330138"></a><em class="parameter"><code>passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*</code></em></td></tr><tr><td><a class="indexterm" name="id330151"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id330163"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id330176"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id330188"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id330201"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id330214"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m -G users '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id330226"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id330239"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id330252"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id330265"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -A '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id330278"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id330291"></a><em class="parameter"><code>logon script = scripts\login.bat</code></em></td></tr><tr><td><a class="indexterm" name="id330304"></a><em class="parameter"><code>logon path = </code></em></td></tr><tr><td><a class="indexterm" name="id330316"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id330329"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330341"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330354"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330366"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="acct3conf"></a><p class="title"><b>Example 2.4. Accounting Office Network <code class="filename">smb.conf</code> File Services and Shares Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id330412"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id330425"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id330437"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id330450"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id330471"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id330484"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id330496"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330509"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330521"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330534"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id330555"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id330568"></a><em class="parameter"><code>path = /data/%U</code></em></td></tr><tr><td><a class="indexterm" name="id330581"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id330593"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id330615"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id330627"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id330640"></a><em class="parameter"><code>valid users = %G</code></em></td></tr><tr><td><a class="indexterm" name="id330652"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[finsvcs]</code></em></td></tr><tr><td><a class="indexterm" name="id330674"></a><em class="parameter"><code>comment = Financial Service Files</code></em></td></tr><tr><td><a class="indexterm" name="id330686"></a><em class="parameter"><code>path = /data/finsvcs</code></em></td></tr><tr><td><a class="indexterm" name="id330699"></a><em class="parameter"><code>valid users = %G</code></em></td></tr><tr><td><a class="indexterm" name="id330712"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330725"></a>Validation</h3></div></div></div><p> + Does everything function as it ought? That is the key question at this point. + Here are some simple steps to validate your Samba server configuration. + </p><div class="procedure"><a name="id330735"></a><p class="title"><b>Procedure 2.2. Validation Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id330746"></a> + If your <code class="filename">smb.conf</code> file has bogus options or parameters, this may cause Samba + to refuse to start. The first step should always be to validate the contents + of this file by running: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s +Load smb config files from smb.conf +Processing section "[homes]" +Processing section "[printers]" +Processing section "[netlogon]" +Processing section "[accounts]" +Processing section "[service]" +Loaded services file OK. +# Global parameters +[global] + workgroup = BILLMORE + passwd chat = *New*Password* \ + %n\n *Re-enter*new*password* %n\n *Password*changed* + username map = /etc/samba/smbusers + syslog = 0 + name resolve order = wins bcast hosts + printcap name = CUPS + show add printer wizard = No + add user script = /usr/sbin/useradd -m -G users '%u' + delete user script = /usr/sbin/userdel -r '%u' + add group script = /usr/sbin/groupadd '%g' + delete group script = /usr/sbin/groupdel '%g' + add user to group script = /usr/sbin/usermod -A '%g' '%u' + add machine script = /usr/sbin/useradd + -s /bin/false -d /var/lib/nobody '%u' + logon script = scripts\logon.bat + logon path = + logon drive = X: + domain logons = Yes + preferred master = Yes + wins support = Yes +... +### Remainder cut to save space ### +</pre><p> + The inclusion of an invalid parameter (say one called dogbert) would generate an + error as follows: +</p><pre class="screen"> +Unknown parameter encountered: "dogbert" +Ignoring unknown parameter "dogbert" +</pre><p> + Clear away all errors before proceeding, and start or restart samba as necessary. + </p></li><li><p> + <a class="indexterm" name="id330797"></a> + <a class="indexterm" name="id330803"></a> + <a class="indexterm" name="id330810"></a> + <a class="indexterm" name="id330817"></a> + Check that the Samba server is running: +</p><pre class="screen"> +<code class="prompt">root# </code> ps ax | grep mbd +14244 ? S 0:00 /usr/sbin/nmbd -D +14245 ? S 0:00 /usr/sbin/nmbd -D +14290 ? S 0:00 /usr/sbin/smbd -D + +$rootprompt; ps ax | grep winbind +14293 ? S 0:00 /usr/sbin/winbindd -B +14295 ? S 0:00 /usr/sbin/winbindd -B +</pre><p> + The <code class="literal">winbindd</code> daemon is running in split mode (normal), so there are also + two instances of it. For more information regarding <code class="literal">winbindd</code>, see + <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 23, Section 23.3. The single instance of + <code class="literal">smbd</code> is normal. + </p></li><li><p> + <a class="indexterm" name="id330868"></a> + Check that an anonymous connection can be made to the Samba server: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L localhost -U% + + Sharename Type Comment + --------- ---- ------- + netlogon Disk Network Logon Service + accounts Disk Accounting Files + finsvcs Disk Financial Service Files + IPC$ IPC IPC Service (Samba3) + ADMIN$ IPC IPC Service (Samba3) + hplj4 Printer Hewlett-Packard LaserJet 4 + hplj6 Printer Hewlett-Packard LaserJet 6 + qms Printer QMS Magicolor Laser Printer XXXX + + Server Comment + --------- ------- + SLEETH Samba 3.0.20 + + Workgroup Master + --------- ------- + BILLMORE SLEETH +</pre><p> + This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent + of browsing the server from a Windows client to obtain a list of shares on the server. + The <code class="constant">-U%</code> argument means to send a <code class="constant">NULL</code> username and + a <code class="constant">NULL</code> password. + </p></li><li><p> + <a class="indexterm" name="id330913"></a> + <a class="indexterm" name="id330919"></a> + <a class="indexterm" name="id330926"></a> + Verify that the printers have the IP addresses assigned in the DHCP server configuration file. + The easiest way to do this is to ping the printer name. Immediately after the ping response + has been received, execute <code class="literal">arp -a</code> to find the MAC address of the printer + that has responded. Now you can compare the IP address and the MAC address of the printer + with the configuration information in the <code class="filename">/etc/dhcpd.conf</code> file. They + should, of course, match. For example, +</p><pre class="screen"> +<code class="prompt">root# </code> ping hplj4 +PING hplj4 (192.168.1.11) 56(84) bytes of data. +64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms + +<code class="prompt">root# </code> arp -a +hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0 +</pre><p> + The MAC address <code class="constant">08:00:46:7A:35:E4</code> matches that specified for the + IP address from which the printer has responded and the entry for it in the + <code class="filename">/etc/dhcpd.conf</code> file. + </p></li><li><p> + <a class="indexterm" name="id330985"></a> + Make an authenticated connection to the server using the <code class="literal">smbclient</code> tool: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient //sleeth/accounts -U alanm +Password: XXXXXXX +smb: \> dir + . D 0 Sun Nov 9 01:28:34 2003 + .. D 0 Sat Aug 16 17:24:26 2003 + .mc DH 0 Sat Nov 8 21:57:38 2003 + .qt DH 0 Fri Sep 5 00:48:25 2003 + SMB D 0 Sun Oct 19 23:04:30 2003 + Documents D 0 Sat Nov 1 00:31:51 2003 + xpsp1a_en_x86.exe 131170400 Sun Nov 2 01:25:44 2003 + + 65387 blocks of size 65536. 28590 blocks available +smb: \> q +</pre><p> + </p></li></ol></div></div><div class="procedure"><a name="id331024"></a><p class="title"><b>Procedure 2.3. Windows XP Professional Client Configuration</b></p><ol type="1"><li><p> + Configure clients to the network settings shown in <a href="small.html#acct2net" title="Figure 2.1. Abmas Accounting 52-User Network Topology">???</a>. + All clients use DHCP for TCP/IP protocol stack configuration. + <a class="indexterm" name="id331042"></a> + <a class="indexterm" name="id331049"></a> + DHCP configures all Windows clients to use the WINS Server address <code class="constant">192.168.1.1</code>. + </p></li><li><p> + Join the Windows Domain called <code class="constant">BILLMORE</code>. Use the Domain Administrator + username <code class="constant">root</code> and the SMB password you assigned to this account. + A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to + a Windows Domain is given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. + Reboot the machine as prompted and then log on using a Domain User account. + </p></li><li><p> + Verify on each client that the machine called <code class="constant">SLEETH</code> + is visible in <span class="guimenu">My Network Places</span>, that it is + possible to connect to it and see the shares <span class="guimenuitem">accounts</span> + and <span class="guimenuitem">finsvcs</span>, + and that it is possible to open that share to reveal its contents. + </p></li><li><p> + Instruct all users to log onto the workstation using their assigned username and password. + </p></li><li><p> + Install a printer on each using the following steps: + </p><div class="procedure"><ol type="1"><li><p> + Click <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>. + Ensure that <span class="guimenuitem">Local printer</span> is selected. + </p></li><li><p> + Click <span class="guibutton">Next</span>. In the + <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>. + In the <span class="guimenuitem">Printers:</span> panel, select the printer called + <code class="constant">HP LaserJet 4</code>. Click <span class="guibutton">Next</span>. + </p></li><li><p> + In the <span class="guimenuitem">Available ports:</span> panel, select + <code class="constant">FILE:</code>. Accept the default printer name by clicking + <span class="guibutton">Next</span>. When asked, “<span class="quote">Would you like to print a + test page?</span>”, click <span class="guimenuitem">No</span>. Click + <span class="guibutton">Finish</span>. + </p></li><li><p> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. Right-click <span class="guiicon">HP LaserJet 4</span> → <span class="guimenuitem">Properties</span> → <span class="guisubmenu">Details (Tab)</span> → <span class="guimenuitem">Add Port</span>. + </p></li><li><p> + In the <span class="guimenuitem">Network</span> panel, enter the name of + the print queue on the Samba server as follows: <code class="constant">\\SERVER\hplj4</code>. + Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation. + </p></li><li><p> + Repeat the printer installation steps above for the HP LaserJet 6 printer + as well as for the QMS Magicolor XXXX laser printer. + </p></li></ol></div></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331347"></a>Notebook Computers: A Special Case</h3></div></div></div><p> + As a network administrator, you already know how to create local machine accounts for Windows 200x/XP + Professional systems. This is the preferred solution to provide continuity of work for notebook users + so that absence from the office network environment does not become a barrier to productivity. + </p><p> + By creating a local machine account that has the same username and password as you create for that + user in the Windows Domain environment, the user can log onto the machine locally and still + transparently access network resources as if logged onto the domain itself. There are some trade-offs + that mean that as the network is more tightly secured, it becomes necessary to modify Windows client + configuration somewhat. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331367"></a>Key Points Learned</h3></div></div></div><p> + In this network design and implementation exercise, you created a Windows NT4-style Domain + Controller using Samba-3.0.20. Following these guidelines, you experienced + and implemented several important aspects of Windows networking. In the next chapter, + you build on the experience. These are the highlights from this chapter: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id331384"></a> + You implemented a DHCP server, and Microsoft Windows clients were able to obtain all necessary + network configuration settings from this server. + </p></li><li><p> + <a class="indexterm" name="id331396"></a> + You created a Windows Domain Controller. You were able to use the network logon service + and successfully joined Windows 200x/XP Professional clients to the Domain. + </p></li><li><p> + <a class="indexterm" name="id331409"></a> + You created raw print queues in the CUPS printing system. You maintained a simple + printing system so that all users can share centrally managed printers. You installed + native printer drivers on the Windows clients. + </p></li><li><p> + You experienced the benefits of centrally managed user accounts on the server. + </p></li><li><p> + You offered Mobile notebook users a solution that allows them to continue to work + while away from the office and not connected to the corporate network. + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id331433"></a>Questions and Answers</h2></div></div></div><p> + Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that + may help. + </p><div class="qandaset"><dl><dt>1. <a href="small.html#id331445"> + What is the key benefit of using DHCP to configure Windows client TCP/IP stacks? + </a></dt><dt>2. <a href="small.html#id331467"> + Are there any DHCP server configuration parameters in the /etc/dhcpd.conf + that should be noted in particular? + </a></dt><dt>3. <a href="small.html#id331493"> + Is it possible to create a Windows Domain account that is specifically called Administrator? + </a></dt><dt>4. <a href="small.html#id331529"> + Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0? + </a></dt><dt>5. <a href="small.html#id331565"> + One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him + root access. How can we do this? + </a></dt><dt>6. <a href="small.html#id331603"> + Why must I map Windows Domain Groups to UNIX groups? + </a></dt><dt>7. <a href="small.html#id331639"> + I deleted my root account and now I cannot add it back! What can I do? + </a></dt><dt>8. <a href="small.html#id331709"> + When I run net groupmap list, it reports a group called Administrators + as well as Domain Admins. What is the difference between them? + </a></dt><dt>9. <a href="small.html#id331753"> + What is the effect of changing the name of a Samba server or of changing the Domain name? + </a></dt><dt>10. <a href="small.html#id331797"> + How can I manage user accounts from my Windows XP Professional workstation? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id331445"></a><a name="id331447"></a><b>1.</b></td><td align="left" valign="top"><p> + What is the key benefit of using DHCP to configure Windows client TCP/IP stacks? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + First and foremost, portability. It means that notebook users can move between + the Abmas office and client offices (so long as they, too, use DHCP) without having to manually + reconfigure their machines. It also means that when they work from their home environments + either using DHCP assigned addressing or when using dial-up networking, settings such as + default routes and DNS server addresses that apply only to the Abmas office environment do + not interfere with remote operations. This is an extremely important feature of DHCP. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331467"></a><a name="id331469"></a><b>2.</b></td><td align="left" valign="top"><p> + Are there any DHCP server configuration parameters in the <code class="filename">/etc/dhcpd.conf</code> + that should be noted in particular? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes. The configuration you created automatically provides each client with the IP address + of your WINS server. It also configures the client to preferentially register NetBIOS names + with the WINS server, and then instructs the client to first query the WINS server when a + NetBIOS machine name needs to be resolved to an IP Address. This configuration + results in far lower UDP broadcast traffic than would be the case if WINS was not used. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331493"></a><a name="id331496"></a><b>3.</b></td><td align="left" valign="top"><p> + Is it possible to create a Windows Domain account that is specifically called <code class="constant">Administrator</code>? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + You can surely create a Windows Domain account called <code class="constant">Administrator</code>. It is also + possible to map that account so that it has the effective UNIX UID of 0. This way it isn't + necessary to use the <em class="parameter"><code>username map</code></em> facility to map this account to the UNIX + account called <code class="constant">root</code>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331529"></a><a name="id331532"></a><b>4.</b></td><td align="left" valign="top"><p> + Why is it necessary to give the Windows Domain <code class="constant">Administrator</code> a UNIX UID of 0? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The Windows Domain <code class="constant">Administrator</code> account is the most privileged account that + exists on the Windows platform. This user can change any setting, add, delete, or modify user + accounts, and completely reconfigure the system. The equivalent to this account in the UNIX + environment is the <code class="constant">root</code> account. If you want to permit the Windows Domain + Administrator to manage accounts as well as permissions, privileges, and security + settings within the Domain and on the Samba server, equivalent rights must be assigned. This is + achieved with the <code class="constant">root</code> UID equal to 0. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331565"></a><a name="id331567"></a><b>5.</b></td><td align="left" valign="top"><p> + One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him + <code class="constant">root</code> access. How can we do this? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Users who are members of the <code class="constant">Domain Admins</code> group can add machines to the + Domain. This group is mapped to the UNIX group account called <code class="constant">root</code> + (or the equivalent <code class="constant">wheel</code> on some UNIX systems) that has a GID of 0. + This must be the primary GID of the account of the user who is a member of the Windows <code class="constant"> + Domain Admins</code> account. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331603"></a><a name="id331605"></a><b>6.</b></td><td align="left" valign="top"><p> + Why must I map Windows Domain Groups to UNIX groups? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account + has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are + <span class="guimenu">Domain Guests</span>, <span class="guimenu">Domain Users</span>, and <span class="guimenu">Domain Admins</span>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331639"></a><a name="id331641"></a><b>7.</b></td><td align="left" valign="top"><p> + I deleted my <code class="constant">root</code> account and now I cannot add it back! What can I do? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + This is a nasty problem. Fortunately, there is a solution. + </p><div class="procedure"><ol type="1"><li><p> + Back up your existing configuration files in case you need to restore them. + </p></li><li><p> + Rename the <code class="filename">group_mapping.tdb</code> file. + </p></li><li><p> + Use the <code class="literal">smbpasswd</code> to add the root account. + </p></li><li><p> + Restore the <code class="filename">group_mapping.tdb</code> file. + </p></li></ol></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id331709"></a><a name="id331712"></a><b>8.</b></td><td align="left" valign="top"><p> + When I run <code class="literal">net groupmap list</code>, it reports a group called <span class="guimenu">Administrators</span> + as well as <span class="guimenu">Domain Admins</span>. What is the difference between them? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The group called <span class="guimenu">Administrators</span> is representative of the same account that would be + present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain + Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This + may change at some later date. These accounts are provided only so that security objects are correctly shown. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331753"></a><a name="id331755"></a><b>9.</b></td><td align="left" valign="top"><p> + What is the effect of changing the name of a Samba server or of changing the Domain name? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + If you elect to change the name of the Samba server, on restarting <code class="literal">smbd</code>, + Windows security identifiers are changed. In the case of a standalone server or a Domain Member server, + the machine SID is changed. This may break Domain membership. In the case of a change of the Domain name + (Workgroup name), the Domain SID is changed. This affects all Domain memberships. + </p><p> + If it becomes necessary to change either the server name or the Domain name, be sure to back up the respective + SID before the change is made. You can back up the SID using the <code class="literal">net getlocalsid</code> (Samba-3) + or the <code class="literal">smbpasswd</code> (Samba-2.2.x). To change the SID, you use the same tool. Be sure + to check the man page for this command for detailed instructions regarding the steps involved. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id331797"></a><a name="id331799"></a><b>10.</b></td><td align="left" valign="top"><p> + How can I manage user accounts from my Windows XP Professional workstation? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot + be managed using tools present on a Windows XP Professional installation. You may download from the + Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use + it. This package extracts the tools: <code class="literal">User Manager for Domains</code>, <code class="literal">Server Manager</code>, and <code class="literal">Event + Viewer</code>. You may use the <span class="guimenu">User Manager for Domains</span> to manage your Samba-3 + Domain user and group accounts. Of course, you do need to be logged on as the <code class="constant">Administrator</code> + for the Samba-3 Domain. It may help to log on as the <code class="constant">root</code> account. + </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="simple.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="secure.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. No-Frills Samba Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Secure Office Networking</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/unixclients.html b/docs/htmldocs/Samba3-ByExample/unixclients.html new file mode 100644 index 0000000000..2dd1a1b35e --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/unixclients.html @@ -0,0 +1,1790 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter 8. Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter 7. Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id360510">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360558">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id360587">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360610">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id361198">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id361279">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367699">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id367744">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id360421"></a><a class="indexterm" name="id360429"></a> + The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing. + It is well known that Samba is a file and print server. A recent survey conducted by <span class="emphasis"><em>Open Magazine</em></span> found + that of all respondents, 97 percent use Samba for file and print services, and 68 percent use Samba for Domain Control. See the + <a href="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba" target="_top">Open-Mag</a> + Web site for current information. The survey results as found on January 14, 2004, are shown in + <a href="unixclients.html#ch09openmag" title="Figure 7.1. Open Magazine Samba Survey">???</a>. + </p><div class="figure"><a name="ch09openmag"></a><p class="title"><b>Figure 7.1. Open Magazine Samba Survey</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/openmag.png" width="324" alt="Open Magazine Samba Survey"></div></div></div><br class="figure-break"><p> + While domain control is an exciting subject, basic file and print sharing remains the staple bread-and-butter + function that Samba provides. Yet this book may give the appearance of having focused too much on more + exciting aspects of Samba deployment. This chapter directs your attention to provide important information on + the addition of Samba servers into your present Windows network whatever the controlling technology + may be. So let's get back to our good friends at Abmas. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id360510"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id360516"></a><a class="indexterm" name="id360524"></a> + Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward + with not too many distractions or problems. Your team is doing well, but a number of employees + are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's + get on with this; Christine and Stan are ready to go. + </p><p><a class="indexterm" name="id360542"></a> + Stan is firmly in control of the department of the future, while Christine is enjoying a stable and + predictable network environment. It is time to add more servers and to add Linux desktops. It is + time to meet the demands of future growth and endure trial by fire. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id360558"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id360565"></a> + You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003 + Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him + out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use + her help to get validation that Samba really does live up to expectations. + </p><p> + Over the past 6 months, you have hired several new staff who want Linux on their desktops. You must integrate + these systems to make sure that Abmas is not building islands of technology. You ask Christine to + do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make + the right decision, don't you? + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id360587"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id360594"></a> + Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble + at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning + an inability to achieve identical user and group IDs between Windows and UNIX environments. + </p><p> + You provide step-by-step implementations of the various tools that can be used for identity + resolution. You also provide working examples of solutions for integrated authentication for + both UNIX/Linux and Windows environments. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id360610"></a>Technical Issues</h3></div></div></div><p> + One of the great challenges we face when people ask us, “<span class="quote">What is the best way to solve + this problem?</span>” is to get beyond the facts so we not only can clearly comprehend + the immediate technical problem, but also can understand how needs may change. + </p><p> + <a class="indexterm" name="id360627"></a> + There are a few facts we should note when dealing with the question of how best to + integrate UNIX/Linux clients and servers into a Windows networking environment: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id360642"></a> + <a class="indexterm" name="id360649"></a> + <a class="indexterm" name="id360655"></a> + <a class="indexterm" name="id360665"></a> + <a class="indexterm" name="id360671"></a> + A domain controller (PDC or BDC) is always authoritative for all accounts in its domain. + This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs + to the same values that the PDC resolved them to. + </p></li><li><p> + <a class="indexterm" name="id360684"></a> + <a class="indexterm" name="id360691"></a> + <a class="indexterm" name="id360702"></a> + <a class="indexterm" name="id360709"></a> + A domain member can be authoritative for local accounts, but is never authoritative for + domain accounts. If a user is accessing a domain member server and that user's account + is not known locally, the domain member server must resolve the identity of that user + from the domain in which that user's account resides. It must then map that ID to a + UID/GID pair that it can use locally. This is handled by <code class="literal">winbindd</code>. + </p></li><li><p> + Samba, when running on a domain member server, can resolve user identities from a + number of sources: + </p><div class="itemizedlist"><ul type="circle"><li><p> + <a class="indexterm" name="id360737"></a> + <a class="indexterm" name="id360744"></a> + <a class="indexterm" name="id360751"></a> + <a class="indexterm" name="id360758"></a> + <a class="indexterm" name="id360764"></a> + By executing a system <code class="literal">getpwnam()</code> or <code class="literal">getgrnam()</code> call. + On systems that support it, this utilizes the name service switch (NSS) facility to + resolve names according to the configuration of the <code class="filename">/etc/nsswitch.conf</code> + file. NSS can be configured to use LDAP, winbind, NIS, or local files. + </p></li><li><p> + <a class="indexterm" name="id360795"></a> + <a class="indexterm" name="id360802"></a> + <a class="indexterm" name="id360809"></a> + Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured). + This requires the use of the PADL nss_ldap tool (or equivalent). + </p></li><li><p> + <a class="indexterm" name="id360822"></a> + <a class="indexterm" name="id360828"></a> + <a class="indexterm" name="id360835"></a> + <a class="indexterm" name="id360842"></a> + Directly by querying <code class="literal">winbindd</code>. The <code class="literal">winbindd</code> + contacts a domain controller to attempt to resolve the identity of the user or group. It + receives the Windows networking security identifier (SID) for that appropriate + account and then allocates a local UID or GID from the range of available IDs and + creates an entry in its <code class="filename">winbindd_idmap.tdb</code> and + <code class="filename">winbindd_cache.tdb</code> files. + </p><p> + <a class="indexterm" name="id360878"></a> + <a class="indexterm" name="id360885"></a> + If the parameter <a class="indexterm" name="id360892"></a>idmap backend = ldap:ldap://myserver.domain + was specified and the LDAP server has been configured with a container in which it may + store the IDMAP entries, all domain members may share a common mapping. + </p></li></ul></div><p> + Irrespective of how <code class="filename">smb.conf</code> is configured, winbind creates and caches a local copy of + the ID mapping database. It uses the <code class="filename">winbindd_idmap.tdb</code> and + <code class="filename">winbindd_cache.tdb</code> files to do this. + </p><p> + Which of the resolver methods is chosen is determined by the way that Samba is configured + in the <code class="filename">smb.conf</code> file. Some of the configuration options are rather less than obvious to the + casual user. + </p></li><li><p> + <a class="indexterm" name="id360940"></a> + <a class="indexterm" name="id360946"></a> + <a class="indexterm" name="id360956"></a> + If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable + of being resolved using) the NSS facility, it is possible to use the + <a class="indexterm" name="id360964"></a>winbind trusted domains only = Yes + in the <code class="filename">smb.conf</code> file. This parameter specifically applies to domain controllers, + and to domain member servers. + </p></li></ul></div><p> + <a class="indexterm" name="id360982"></a> + <a class="indexterm" name="id360989"></a> + <a class="indexterm" name="id360996"></a> + For many administrators, it should be plain that the use of an LDAP-based repository for all network + accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and + controllable facility. You eventually appreciate the decision to use LDAP. + </p><p> + <a class="indexterm" name="id361008"></a> + <a class="indexterm" name="id361015"></a> + <a class="indexterm" name="id361022"></a> + If your network account information resides in an LDAP repository, you should use it ahead of any + alternative method. This means that if it is humanly possible to use the <code class="literal">nss_ldap</code> + tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides + a more readily controllable method for asserting the exact same user and group identifiers + throughout the network. + </p><p> + <a class="indexterm" name="id361041"></a> + <a class="indexterm" name="id361051"></a> + <a class="indexterm" name="id361058"></a> + <a class="indexterm" name="id361064"></a> + <a class="indexterm" name="id361071"></a> + <a class="indexterm" name="id361078"></a> + In the situation where UNIX accounts are held on the domain member server itself, the only effective + way to use them involves the <code class="filename">smb.conf</code> entry + <a class="indexterm" name="id361092"></a>winbind trusted domains only = Yes. This forces + Samba (<code class="literal">smbd</code>) to perform a <code class="literal">getpwnam()</code> system call that can + then be controlled via <code class="filename">/etc/nsswitch.conf</code> file settings. The use of this parameter + disables the use of Samba with trusted domains (i.e., external domains). + </p><p> + <a class="indexterm" name="id361122"></a> + <a class="indexterm" name="id361129"></a> + <a class="indexterm" name="id361138"></a> + <a class="indexterm" name="id361145"></a> + Winbind can be used to create an appliance mode domain member server. In this capacity, <code class="literal">winbindd</code> + is configured to automatically allocate UIDs/GIDs from numeric ranges set in the <code class="filename">smb.conf</code> file. The allocation + is made for all accounts that connect to that domain member server, whether within its own domain or from + trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database. + This means that it is almost certain that a given user who accesses two domain member servers does not have the + same UID/GID on both servers however, this is transparent to the Windows network user. This data + is stored in the <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files. + </p><p> + <a class="indexterm" name="id361186"></a> + The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs + mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member + servers so configured. This solves one of the major headaches for network administrators who need to copy + files between or across network file servers. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id361198"></a>Political Issues</h3></div></div></div><p> + <a class="indexterm" name="id361206"></a> + <a class="indexterm" name="id361213"></a> + <a class="indexterm" name="id361220"></a> + <a class="indexterm" name="id361228"></a> + One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in + particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP + is different and requires a new approach to the need for a better identity management solution. The more + you work with LDAP, the more its power and flexibility emerges from its dark, cavernous chasm. + </p><p> + LDAP is a most suitable solution for heterogenous environments. If you need crypto, add Kerberos. + The reason these are preferable is because they are heterogenous. Windows solutions of this sort are <span class="emphasis"><em>not</em></span> + heterogenous by design. This is fundamental it isn't religious or political. This also doesn't say that + you can't use Windows Active Directory in a heterogenous environment it can be done, it just requires + commercial integration products. But it's not what Active Directory was designed for. + </p><p> + <a class="indexterm" name="id361259"></a> + <a class="indexterm" name="id361265"></a> + A number of long-term UNIX devotees have recently commented in various communications that the Samba Team + is the first application group to almost force network administrators to use LDAP. It should be pointed + out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has + finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total + organizational directory needs. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id361279"></a>Implementation</h2></div></div></div><p> + <a class="indexterm" name="id361287"></a> + <a class="indexterm" name="id361296"></a> + <a class="indexterm" name="id361305"></a> + The domain member server and the domain member client are at the center of focus in this chapter. + Configuration of Samba-3 domain controller is covered in earlier chapters, so if your + interest is in domain controller configuration, you will not find that here. You will find good + oil that helps you to add domain member servers and clients. + </p><p> + <a class="indexterm" name="id361318"></a> + In practice, domain member servers and domain member workstations are very different entities, but in + terms of technology they share similar core infrastructure. A technologist would argue that servers + and workstations are identical. Many users would argue otherwise, given that in a well-disciplined + environment a workstation (client) is a device from which a user creates documents and files that + are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item, + but a server is viewed as a core component of the business. + </p><p> + <a class="indexterm" name="id361335"></a> + We can look at this another way. If a workstation breaks down, one user is affected, but if a + server breaks down, hundreds of users may not be able to work. The services that a workstation + must provide are document- and file-production oriented; a server provides information storage + and is distribution oriented. + </p><p> + <a class="indexterm" name="id361351"></a> + <a class="indexterm" name="id361358"></a> + <a class="indexterm" name="id361364"></a> + <span class="emphasis"><em>Why is this important?</em></span> For starters, we must identify what + components of the operating system and its environment must be configured. Also, it is necessary + to recognize where the interdependencies between the various services to be used are. + In particular, it is important to understand the operation of each critical part of the + authentication process, the logon process, and how user identities get resolved and applied + within the operating system and applications (like Samba) that depend on this and may + actually contribute to it. + </p><p> + So, in this chapter we demonstrate how to implement the technology. It is done within a context of + what type of service need must be fulfilled. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server Using NSS LDAP</h3></div></div></div><p> + <a class="indexterm" name="id361399"></a> + <a class="indexterm" name="id361406"></a> + <a class="indexterm" name="id361412"></a> + <a class="indexterm" name="id361419"></a> + <a class="indexterm" name="id361428"></a> + <a class="indexterm" name="id361435"></a> + In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using + an LDAP ldapsam backend. We are adding to the LDAP backend database (directory) + containers for use by the IDMAP facility. This makes it possible to have globally consistent + mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run + <code class="literal">winbindd</code> as part of your configuration. The primary purpose of running + <code class="literal">winbindd</code> (within this operational context) is to permit mapping of foreign + SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any + domain member client or server, or from Windows clients that do not belong to a domain. Another + way to explain the necessity to run <code class="literal">winbindd</code> is that Samba can locally + resolve only accounts that belong to the security context of its own machine SID. Winbind + handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated + from the parameter values set in the <code class="filename">smb.conf</code> file for the <em class="parameter"><code>idmap uid</code></em> and + <em class="parameter"><code>idmap gid</code></em> ranges. Where LDAP is used, the mappings can be stored in LDAP + so that all domain member servers can use a consistent mapping. + </p><p> + <a class="indexterm" name="id361490"></a> + <a class="indexterm" name="id361497"></a> + <a class="indexterm" name="id361504"></a> + If your installation is accessed only from clients that are members of your own domain, and all + user accounts are present in a local passdb backend then it is not necessary to run + <code class="literal">winbindd</code>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam. + </p><p> + It is possible to use a local passdb backend with any convenient means of resolving the POSIX + user and group account information. The POSIX information is usually obtained using the + <code class="literal">getpwnam()</code> system call. On NSS-enabled systems, the actual POSIX account + source can be provided from + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id361536"></a> + <a class="indexterm" name="id361543"></a> + Accounts in <code class="filename">/etc/passwd</code> or in <code class="filename">/etc/group</code>. + </p></li><li><p> + <a class="indexterm" name="id361566"></a> + <a class="indexterm" name="id361573"></a> + <a class="indexterm" name="id361580"></a> + <a class="indexterm" name="id361587"></a> + <a class="indexterm" name="id361593"></a> + <a class="indexterm" name="id361600"></a> + <a class="indexterm" name="id361607"></a> + <a class="indexterm" name="id361614"></a> + <a class="indexterm" name="id361621"></a> + Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs + via multiple methods. The methods typically include <code class="literal">files</code>, + <code class="literal">compat</code>, <code class="literal">db</code>, <code class="literal">ldap</code>, + <code class="literal">nis</code>, <code class="literal">nisplus</code>, <code class="literal">hesiod.</code> When + correctly installed, Samba adds to this list the <code class="literal">winbindd</code> facility. + The ldap facility is frequently the nss_ldap tool provided by PADL Software. + </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + To advoid confusion the use of the term <code class="literal">local passdb backend</code> means that + the user account backend is not shared by any other Samba server instead, it is + used only locally on the Samba domain member server under discussion. + </p></div><p> + <a class="indexterm" name="id361695"></a> + The diagram in <a href="unixclients.html#ch9-sambadc" title="Figure 7.2. Samba Domain: Samba Member Server">???</a> demonstrates the relationship of Samba and system + components that are involved in the identity resolution process where Samba is used as a domain + member server within a Samba domain control network. + </p><div class="figure"><a name="ch9-sambadc"></a><p class="title"><b>Figure 7.2. Samba Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-SambaDC.png" width="324" alt="Samba Domain: Samba Member Server"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id361755"></a> + <a class="indexterm" name="id361761"></a> + In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam + to obtain authentication and user identity information. The IDMAP information is stored in the LDAP + backend so that it can be shared by all domain member servers so that every user will have a + consistent UID and GID across all of them. The IDMAP facility will be used for all foreign + (i.e., not having the same SID as the domain it is a member of) domains. The configuration of + NSS will ensure that all UNIX processes will obtain a consistent UID/GID. + </p><p> + The instructions given here apply to the Samba environment shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> and <a href="2000users.html" title="Chapter 6. A Distributed 2000-User Network">???</a>. + If the network does not have an LDAP slave server (i.e., <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> configuration), + change the target LDAP server from <code class="constant">lapdc</code> to <code class="constant">massive.</code> + </p><div class="procedure"><a name="id361803"></a><p class="title"><b>Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol type="1"><li><p> + Create the <code class="filename">smb.conf</code> file as shown in <a href="unixclients.html#ch9-sdmsdc" title="Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File">???</a>. Locate + this file in the directory <code class="filename">/etc/samba</code>. + </p></li><li><p> + <a class="indexterm" name="id361840"></a> + Configure the file that will be used by <code class="constant">nss_ldap</code> to + locate and communicate with the LDAP server. This file is called <code class="filename">ldap.conf</code>. + If your implementation of <code class="constant">nss_ldap</code> is consistent with + the defaults suggested by PADL (the authors), it will be located in the + <code class="filename">/etc</code> directory. On some systems, the default location is + the <code class="filename">/etc/openldap</code> directory, however this file is intended + for use by the OpenLDAP utilities and should not really be used by the nss_ldap + utility since its content and structure serves the specific purpose of enabling + the resolution of user and group IDs via NSS. + </p><p> + Change the parameters inside the file that is located on your OS so it matches + <a href="unixclients.html#ch9-sdmlcnf" title="Example 7.3. Configuration File for NSS LDAP Support /etc/ldap.conf">???</a>. To find the correct location of this file, you + can obtain this from the library that will be used by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> strings /lib/libnss_ldap* | grep ldap.conf +/etc/ldap.conf +</pre><p> + </p></li><li><p> + Configure the NSS control file so it matches the one shown in + <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>. + </p></li><li><p> + <a class="indexterm" name="id361920"></a> + <a class="indexterm" name="id361927"></a> + Before proceeding to configure Samba, validate the operation of the NSS identity + resolution via LDAP by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +... +root:x:0:512:Netbios Domain Administrator:/root:/bin/false +nobody:x:999:514:nobody:/dev/null:/bin/false +bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash +stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash +chrisr:x:1002:513:Christine Roberson:/home/chrisr:/bin/bash +maryv:x:1003:513:Mary Vortexis:/home/maryv:/bin/bash +jht:x:1004:513:John H Terpstra:/home/jht:/bin/bash +bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false +temptation$:x:1009:553:temptation$:/dev/null:/bin/false +vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false +fran$:x:1008:553:fran$:/dev/null:/bin/false +josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash +</pre><p> + You should notice the location of the users' home directories. First, make certain that + the home directories exist on the domain member server; otherwise, the home directory + share is not available. The home directories could be mounted off a domain controller + using NFS or by any other suitable means. Second, the absence of the domain name in the + home directory path is indicative that identity resolution is not being done via winbind. +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +... +Domain Admins:x:512:root,jht +Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj +Domain Guests:x:514: +Accounts:x:1000: +Finances:x:1001: +PIOps:x:1002: +sammy:x:4321: +</pre><p> + <a class="indexterm" name="id361968"></a> + <a class="indexterm" name="id361975"></a> + <a class="indexterm" name="id361982"></a> + This shows that all is working as it should be. Notice that in the LDAP database + the users' primary and secondary group memberships are identical. It is not + necessary to add secondary group memberships (in the group database) if the + user is already a member via primary group membership in the password database. + When using winbind, it is in fact undesirable to do this because it results in + doubling up of group memberships and may cause problems with winbind under certain + conditions. It is intended that these limitations with winbind will be resolved soon + after Samba-3.0.20 has been released. + </p></li><li><p> + <a class="indexterm" name="id362001"></a> + The LDAP directory must have a container object for IDMAP data. There are several ways you can + check that your LDAP database is able to receive IDMAP information. One of the simplest is to + execute: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat | grep -i idmap +dn: ou=Idmap,dc=abmas,dc=biz +ou: idmap +</pre><p> + <a class="indexterm" name="id362021"></a> + If the execution of this command does not return IDMAP entries, you need to create an LDIF + template file (see <a href="unixclients.html#ch9-ldifadd" title="Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using + the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ + -w not24get < /etc/openldap/idmap.LDIF +</pre><p> + </p></li><li><p> + Samba automatically populates the LDAP directory container when it needs to. To permit Samba + write access to the LDAP directory it is necessary to set the LDAP administrative password + in the <code class="filename">secrets.tdb</code> file as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id362080"></a> + <a class="indexterm" name="id362092"></a> + The system is ready to join the domain. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -U root%not24get +Joined domain MEGANET2. +</pre><p> + This indicates that the domain join succeeded. + </p><p> + Failure to join the domain could be caused by any number of variables. The most common + causes of failure to join are: + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>Broken resolution of NetBIOS names to the respective IP address.</p></li><li><p>Incorrect username and password credentials.</p></li><li><p>The NT4 <em class="parameter"><code>restrict anonymous</code></em> is set to exclude anonymous + connections.</p></li></ul></div><p> + </p><p> + The connection setup can be diagnosed by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -S 'pdc-name' -U administrator%password -d 5 +</pre><p> + <a class="indexterm" name="id362158"></a> + <a class="indexterm" name="id362165"></a> + <a class="indexterm" name="id362172"></a> + <a class="indexterm" name="id362179"></a> + Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of + the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that + says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the + <code class="constant">restrict anonymous</code> setting. Set this to the value 0 so that an anonymous connection + can be sustained, then try again. + </p><p> + It is possible (perhaps even recommended) to use the following to validate the ability to connect + to an NT4 PDC/BDC: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc info -S 'pdc-name' -U Administrator%not24get +Domain Name: MEGANET2 +Domain SID: S-1-5-21-422319763-4138913805-7168186429 +Sequence number: 1519909596 +Num users: 7003 +Num domain groups: 821 +Num local groups: 8 + +<code class="prompt">root# </code> net rpc testjoin -S 'pdc-name' -U Administrator%not24get +Join to 'MEGANET2' is OK +</pre><p> + If for any reason the following response is obtained to the last command above,it is time to + call in the Networking Super-Snooper task force (i.e., start debugging): +</p><pre class="screen"> +NT_STATUS_ACCESS_DENIED +Join to 'MEGANET2' failed. +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id362231"></a> + Just joining the domain is not quite enough; you must now provide a privileged set + of credentials through which <code class="literal">winbindd</code> can interact with the + domain servers. Execute the following to implant the necessary credentials: +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo --set-auth-user=Administrator%not24get +</pre><p> + The configuration is now ready to obtain the Samba domain user and group information. + </p></li><li><p> + You may now start Samba in the usual manner, and your Samba domain member server + is ready for use. Just add shares as required. + </p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id362304"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id362316"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id362329"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id362341"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id362354"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id362366"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id362379"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id362392"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id362404"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id362417"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id362429"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id362442"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id362455"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id362467"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id362480"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id362493"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id362505"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id362518"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id362531"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id362544"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id362556"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id362569"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id362581"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id362594"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id362615"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id362628"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id362641"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id362653"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id362675"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id362687"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id362700"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id362712"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id362725"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id362746"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id362759"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id362772"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id362784"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen"> +dn: ou=Idmap,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: idmap +structuralObjectClass: organizationalUnit +</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmlcnf"></a><p class="title"><b>Example 7.3. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> +URI ldap://massive.abmas.biz ldap://massive.abmas.biz:636 +host 192.168.2.1 +base dc=abmas,dc=biz +binddn cn=Manager,dc=abmas,dc=biz +bindpw not24get + +pam_password exop + +nss_base_passwd ou=People,dc=abmas,dc=biz?one +nss_base_shadow ou=People,dc=abmas,dc=biz?one +nss_base_group ou=Groups,dc=abmas,dc=biz?one +ssl no +</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmnss"></a><p class="title"><b>Example 7.4. NSS using LDAP for Identity Resolution File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen"> +passwd: files ldap +shadow: files ldap +group: files ldap + +hosts: files dns wins +networks: files dns + +services: files +protocols: files +rpc: files +ethers: files +netmasks: files +netgroup: files +publickey: files + +bootparams: files +automount: files +aliases: files +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="wdcsdm"></a>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</h3></div></div></div><p> + You need to use this method for creating a Samba domain member server if any of the following conditions + prevail: + </p><div class="itemizedlist"><ul type="disc"><li><p> + LDAP support (client) is not installed on the system. + </p></li><li><p> + There are mitigating circumstances forcing a decision not to use LDAP. + </p></li><li><p> + The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain. + </p></li></ul></div><p> + <a class="indexterm" name="id362905"></a> + <a class="indexterm" name="id362912"></a> + <a class="indexterm" name="id362918"></a> + Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain. + Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style + domain and/or does not use LDAP. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id362932"></a> + If you use <code class="literal">winbind</code> for identity resolution, make sure that there are no + duplicate accounts. + </p><p> + <a class="indexterm" name="id362948"></a> + For example, do not have more than one account that has UID=0 in the password database. If there + is an account called <code class="constant">root</code> in the <code class="filename">/etc/passwd</code> database, + it is okay to have an account called <code class="constant">root</code> in the LDAP ldapsam or in the + tdbsam. But if there are two accounts in the passdb backend that have the same UID, winbind will + break. This means that the <code class="constant">Administrator</code> account must be called + <code class="constant">root</code>. + </p><p> + <a class="indexterm" name="id362982"></a> + <a class="indexterm" name="id362989"></a> + <a class="indexterm" name="id362996"></a> + Winbind will break if there is an account in <code class="filename">/etc/passwd</code> that has + the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only. + </p></div><p> + <a class="indexterm" name="id363013"></a> + <a class="indexterm" name="id363020"></a> + <a class="indexterm" name="id363026"></a> + <a class="indexterm" name="id363033"></a> + <a class="indexterm" name="id363042"></a> + The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials. + The winbind information is locally cached in the <code class="filename">winbindd_cache.tdb winbindd_idmap.tdb</code> + files. This provides considerable performance benefits compared with the LDAP solution, particularly + where the LDAP lookups must traverse WAN links. You may examine the contents of these + files using the tool <code class="literal">tdbdump</code>, though you may have to build this from the Samba + source code if it has not been supplied as part of a binary package distribution that you may be using. + </p><div class="procedure"><a name="id363067"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p> + Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents + shown in <a href="unixclients.html#ch0-NT4DSDM" title="Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain">???</a>. + </p></li><li><p> + <a class="indexterm" name="id363098"></a> + Edit the <code class="filename">/etc/nsswitch.conf</code> so it has the entries shown in + <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>. + </p></li><li><p> + <a class="indexterm" name="id363123"></a> + The system is ready to join the domain. Execute the following: +</p><pre class="screen"> +net rpc join -U root%not2g4et +Joined domain MEGANET2. +</pre><p> + This indicates that the domain join succeed. + + </p></li><li><p> + <a class="indexterm" name="id363148"></a> + <a class="indexterm" name="id363155"></a> + Validate operation of <code class="literal">winbind</code> using the <code class="literal">wbinfo</code> + tool as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo -u +MEGANET2+root +MEGANET2+nobody +MEGANET2+jht +MEGANET2+maryv +MEGANET2+billr +MEGANET2+jelliott +MEGANET2+dbrady +MEGANET2+joeg +MEGANET2+balap +</pre><p> + This shows that domain users have been listed correctly. +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo -g +MEGANET2+Domain Admins +MEGANET2+Domain Users +MEGANET2+Domain Guests +MEGANET2+Accounts +MEGANET2+Finances +MEGANET2+PIOps +</pre><p> + This shows that domain groups have been correctly obtained also. + </p></li><li><p> + <a class="indexterm" name="id363207"></a> + <a class="indexterm" name="id363213"></a> + <a class="indexterm" name="id363220"></a> + The next step verifies that NSS is able to obtain this information + correctly from <code class="literal">winbind</code> also. +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +... +MEGANET2+root:x:10000:10001:NetBIOS Domain Admin: + /home/MEGANET2/root:/bin/bash +MEGANET2+nobody:x:10001:10001:nobody: + /home/MEGANET2/nobody:/bin/bash +MEGANET2+jht:x:10002:10001:John H Terpstra: + /home/MEGANET2/jht:/bin/bash +MEGANET2+maryv:x:10003:10001:Mary Vortexis: + /home/MEGANET2/maryv:/bin/bash +MEGANET2+billr:x:10004:10001:William Randalph: + /home/MEGANET2/billr:/bin/bash +MEGANET2+jelliott:x:10005:10001:John G Elliott: + /home/MEGANET2/jelliott:/bin/bash +MEGANET2+dbrady:x:10006:10001:Darren Brady: + /home/MEGANET2/dbrady:/bin/bash +MEGANET2+joeg:x:10007:10001:Joe Green: + /home/MEGANET2/joeg:/bin/bash +MEGANET2+balap:x:10008:10001:Bala Pillay: + /home/MEGANET2/balap:/bin/bash +</pre><p> + The user account information has been correctly obtained. This information has + been merged with the winbind template information configured in the <code class="filename">smb.conf</code> file. +</p><pre class="screen"> +<code class="prompt">root# </code># getent group +... +MEGANET2+Domain Admins:x:10000:MEGANET2+root,MEGANET2+jht +MEGANET2+Domain Users:x:10001:MEGANET2+jht,MEGANET2+maryv,\ + MEGANET2+billr,MEGANET2+jelliott,MEGANET2+dbrady,\ + MEGANET2+joeg,MEGANET2+balap +MEGANET2+Domain Guests:x:10002:MEGANET2+nobody +MEGANET2+Accounts:x:10003: +MEGANET2+Finances:x:10004: +MEGANET2+PIOps:x:10005: +</pre><p> + </p></li><li><p> + The Samba member server of a Windows NT4 domain is ready for use. + </p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id363316"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id363329"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id363341"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id363354"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id363366"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id363379"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id363392"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id363404"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id363417"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id363429"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id363442"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id363454"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id363467"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id363480"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id363492"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id363505"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id363518"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id363530"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id363543"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id363555"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id363577"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id363590"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id363602"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id363615"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id363636"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id363649"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id363661"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id363674"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id363686"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id363708"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id363720"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id363733"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id363746"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p> + No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating + system that does not have NSS and PAM support to be outdated, the fact is there + are still many such systems in use today. Samba can be used without NSS support, but this + does limit it to the use of local user and group accounts only. + </p><p> + The following steps may be followed to implement Samba with support for local accounts. + In this configuration Samba is made a domain member server. All incoming connections + to the Samba server will cause the look-up of the incoming username. If the account + is found, it is used. If the account is not found, one will be automatically created + on the local machine so that it can then be used for all access controls. + </p><div class="procedure"><a name="id363783"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol type="1"><li><p> + Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents + shown in <a href="unixclients.html#ch0-NT4DSCM" title="Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain">???</a>. + </p></li><li><p><a class="indexterm" name="id363814"></a> + The system is ready to join the domain. Execute the following: +</p><pre class="screen"> +net rpc join -U root%not24get +Joined domain MEGANET2. +</pre><p> + This indicates that the domain join succeed. + </p></li><li><p> + Be sure to run all three Samba daemons: <code class="literal">smbd</code>, <code class="literal">nmbd</code>, <code class="literal">winbindd</code>. + </p></li><li><p> + The Samba member server of a Windows NT4 domain is ready for use. + </p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id363899"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id363912"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id363924"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id363937"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id363950"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id363962"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id363975"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id363987"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id364000"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id364013"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id364026"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id364038"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id364051"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id364063"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id364076"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id364089"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id364101"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id364114"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id364127"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id364148"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id364161"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id364173"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id364186"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id364207"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id364220"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id364232"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id364245"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id364258"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id364279"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id364292"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id364304"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id364317"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p> + <a class="indexterm" name="id364343"></a> + <a class="indexterm" name="id364352"></a> + <a class="indexterm" name="id364359"></a> + One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory + domain using Kerberos protocols. This makes it possible to operate an entire Windows network + without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An + exhaustively complete discussion of the protocols is not possible in this book; perhaps a + later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate + in. For now, we simply focus on how a Samba-3 server can be made a domain member server. + </p><p> + <a class="indexterm" name="id364376"></a> + <a class="indexterm" name="id364383"></a> + <a class="indexterm" name="id364390"></a> + <a class="indexterm" name="id364396"></a> + The diagram in <a href="unixclients.html#ch9-adsdc" title="Figure 7.3. Active Directory Domain: Samba Member Server">???</a> demonstrates how Samba-3 interfaces with + Microsoft Active Directory components. It should be noted that if Microsoft Windows Services + for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP + for identity resolution just as can be done with Samba-3 when using an LDAP passdb backend. + The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL + Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of + LDAP-based identity resolution is a little less secure. In view of the fact that this solution + requires additional software to be installed on the Windows 200x ADS domain controllers, + and that means more management overhead, it is likely that most Samba-3 ADS client sites + may elect to use winbind. + </p><p> + Do not attempt to use this procedure if you are not 100 percent certain that the build of Samba-3 + you are using has been compiled and linked with all the tools necessary for this to work. + Given the importance of this step, you must first validate that the Samba-3 message block + daemon (<code class="literal">smbd</code>) has the necessary features. + </p><p> + The hypothetical domain you are using in this example assumes that the Abmas London office + decided to take its own lead (some would say this is a typical behavior in a global + corporate world; besides, a little divergence and conflict makes for an interesting life). + The Windows Server 2003 ADS domain is called <code class="constant">london.abmas.biz</code> and the + name of the server is <code class="constant">W2K3S</code>. In ADS realm terms, the domain controller + is known as <code class="constant">w2k3s.london.abmas.biz</code>. In NetBIOS nomenclature, the + domain name is <code class="constant">LONDON</code> and the server name is <code class="constant">W2K3S</code>. + </p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure"><a name="id364496"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol type="1"><li><p> + <a class="indexterm" name="id364507"></a> + Before you try to use Samba-3, you want to know for certain that your executables have + support for Kerberos and for LDAP. Execute the following to identify whether or + not this build is perhaps suitable for use: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /usr/sbin +<code class="prompt">root# </code> smbd -b | grep KRB + HAVE_KRB5_H + HAVE_ADDR_TYPE_IN_KRB5_ADDRESS + HAVE_KRB5 + HAVE_KRB5_AUTH_CON_SETKEY + HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES + HAVE_KRB5_GET_PW_SALT + HAVE_KRB5_KEYBLOCK_KEYVALUE + HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK + HAVE_KRB5_MK_REQ_EXTENDED + HAVE_KRB5_PRINCIPAL_GET_COMP_STRING + HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES + HAVE_KRB5_STRING_TO_KEY + HAVE_KRB5_STRING_TO_KEY_SALT + HAVE_LIBKRB5 +</pre><p> + This output was obtained on a SUSE Linux system and shows the output for + Samba that has been compiled and linked with the Heimdal Kerberos libraries. + The following is a typical output that will be found on a Red Hat Linux system that + has been linked with the MIT Kerberos libraries: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /usr/sbin +<code class="prompt">root# </code> smbd -b | grep KRB + HAVE_KRB5_H + HAVE_ADDRTYPE_IN_KRB5_ADDRESS + HAVE_KRB5 + HAVE_KRB5_AUTH_CON_SETUSERUSERKEY + HAVE_KRB5_ENCRYPT_DATA + HAVE_KRB5_FREE_DATA_CONTENTS + HAVE_KRB5_FREE_KTYPES + HAVE_KRB5_GET_PERMITTED_ENCTYPES + HAVE_KRB5_KEYTAB_ENTRY_KEY + HAVE_KRB5_LOCATE_KDC + HAVE_KRB5_MK_REQ_EXTENDED + HAVE_KRB5_PRINCIPAL2SALT + HAVE_KRB5_PRINC_COMPONENT + HAVE_KRB5_SET_DEFAULT_TGS_KTYPES + HAVE_KRB5_SET_REAL_TIME + HAVE_KRB5_STRING_TO_KEY + HAVE_KRB5_TKT_ENC_PART2 + HAVE_KRB5_USE_ENCTYPE + HAVE_LIBGSSAPI_KRB5 + HAVE_LIBKRB5 +</pre><p> + You can validate that Samba has been compiled and linked with LDAP support + by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> smbd -b | grep LDAP +massive:/usr/sbin # smbd -b | grep LDAP + HAVE_LDAP_H + HAVE_LDAP + HAVE_LDAP_DOMAIN2HOSTLIST + HAVE_LDAP_INIT + HAVE_LDAP_INITIALIZE + HAVE_LDAP_SET_REBIND_PROC + HAVE_LIBLDAP + LDAP_SET_REBIND_PROC_ARGS +</pre><p> + This does look promising; <code class="literal">smbd</code> has been built with Kerberos and LDAP + support. You are relieved to know that it is safe to progress. + </p></li><li><p> + <a class="indexterm" name="id364589"></a> + <a class="indexterm" name="id364598"></a> + <a class="indexterm" name="id364605"></a> + <a class="indexterm" name="id364612"></a> + <a class="indexterm" name="id364621"></a> + <a class="indexterm" name="id364630"></a> + <a class="indexterm" name="id364637"></a> + <a class="indexterm" name="id364644"></a> + <a class="indexterm" name="id364651"></a> + The next step is to identify which version of the Kerberos libraries have been used. + In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is + essential that it has been linked with either MIT Kerberos version 1.3.1 or later, + or that it has been linked with Heimdal Kerberos 0.6 plus specific patches. You may + identify what version of the MIT Kerberos libraries are installed on your system by + executing (on Red Hat Linux): +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -q krb5 +</pre><p> + Or on SUSE Linux, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -q heimdal +</pre><p> + Please note that the RPMs provided by the Samba-Team are known to be working and have + been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE + Linux RPMs may be obtained from <a href="ftp://ftp.sernet.de" target="_top">Sernet</a> in + Germany. + </p><p> + From this point on, you are certain that the Samba-3 build you are using has the + necessary capabilities. You can now configure Samba-3 and the NSS. + </p></li><li><p> + Using you favorite editor, configure the <code class="filename">smb.conf</code> file that is located in the + <code class="filename">/etc/samba</code> directory so that it has the contents shown + in <a href="unixclients.html#ch9-adssdm" title="Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership">???</a>. + </p></li><li><p> + Edit or create the NSS control file so it has the contents shown in <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>. + </p></li><li><p> + <a class="indexterm" name="id364743"></a> + Delete the file <code class="filename">/etc/samba/secrets.tdb</code> if it exists. Of course, you + do keep a backup, don't you? + </p></li><li><p> + Delete the tdb files that cache Samba information. You keep a backup of the old + files, of course. You also remove all files to ensure that nothing can pollute your + nice, new configuration. Execute the following (example is for SUSE Linux): +</p><pre class="screen"> +<code class="prompt">root# </code> rm /var/lib/samba/*tdb +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id364783"></a> + Validate your <code class="filename">smb.conf</code> file using <code class="literal">testparm</code> (as you have + done previously). Correct all errors reported before proceeding. The command you + execute is: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s | less +</pre><p> + Now that you are satisfied that your Samba server is ready to join the Windows + ADS domain, let's move on. + </p></li><li><p> + <a class="indexterm" name="id364822"></a> + <a class="indexterm" name="id364833"></a> + This is a good time to double-check everything and then execute the following + command when everything you have done has checked out okay: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads join -UAdministrator%not24get +Using short domain name -- LONDON +Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' +</pre><p> + You have successfully made your Samba-3 server a member of the ADS domain + using Kerberos protocols. + </p><p> + <a class="indexterm" name="id364858"></a> + <a class="indexterm" name="id364864"></a> + In the event that you receive no output messages, a silent return means that the + domain join failed. You should use <code class="literal">ethereal</code> to identify what + may be failing. Common causes of a failed join include: + + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id364884"></a> + Defective or misconfigured DNS name resolution. + </p></li><li><p> + <a class="indexterm" name="id364898"></a> + Restrictive security settings on the Windows 200x ADS domain controller + preventing needed communications protocols. You can check this by searching + the Windows Server 200x Event Viewer. + </p></li><li><p> + Incorrectly configured <code class="filename">smb.conf</code> file settings. + </p></li><li><p> + Lack of support of necessary Kerberos protocols because the version of MIT + Kerberos (or Heimdal) in use is not up to date enough to support the necessary + functionality. + </p></li></ul></div><p> + + <a class="indexterm" name="id364926"></a> + <a class="indexterm" name="id364937"></a> + <a class="indexterm" name="id364943"></a> + In any case, never execute the <code class="literal">net rpc join</code> command in an attempt + to join the Samba server to the domain, unless you wish not to use the Kerberos + security protocols. Use of the older RPC-based domain join facility requires that + Windows Server 200x ADS has been configured appropriately for mixed mode operation. + </p></li><li><p> + <a class="indexterm" name="id364965"></a> + <a class="indexterm" name="id364972"></a> + If the <code class="literal">tdbdump</code> is installed on your system (not essential), + you can look inside the <code class="filename">/etc/samba/secrets.tdb</code> file. If + you wish to do this, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> tdbdump secrets.tdb +{ +key = "SECRETS/SID/LONDON" +data = "\01\04\00\00\00\00\00\05\15\00\00\00\EBw\86\F1\ED\BD\ + F6{\5C6\E5W\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ + 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ + 00\00\00\00\00\00\00\00" +} +{ +key = "SECRETS/MACHINE_PASSWORD/LONDON" +data = "le3Q5FPnN5.ueC\00" +} +{ +key = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/LONDON" +data = "\02\00\00\00" +} +{ +key = "SECRETS/MACHINE_LAST_CHANGE_TIME/LONDON" +data = "E\89\F6?" +} +</pre><p> + This is given to demonstrate to the skeptics that this process truly does work. + </p></li><li><p> + It is now time to start Samba in the usual way (as has been done many time before + in this book). + </p></li><li><p> + <a class="indexterm" name="id365022"></a> + This is a good time to verify that everything is working. First, check that + winbind is able to obtain the list of users and groups from the ADS domain controller. + Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo -u +LONDON+Administrator +LONDON+Guest +LONDON+SUPPORT_388945a0 +LONDON+krbtgt +LONDON+jht +</pre><p> + Good, the list of users was obtained. Now do likewise for group accounts: +</p><pre class="screen"> +<code class="prompt">root# </code> wbinfo -g +LONDON+Domain Computers +LONDON+Domain Controllers +LONDON+Schema Admins +LONDON+Enterprise Admins +LONDON+Domain Admins +LONDON+Domain Users +LONDON+Domain Guests +LONDON+Group Policy Creator Owners +LONDON+DnsUpdateProxy +</pre><p> + Excellent. That worked also, as expected. + </p></li><li><p><a class="indexterm" name="id365063"></a> + Now repeat this via NSS to validate that full identity resolution is + functional as required. Execute: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +... +LONDON+Administrator:x:10000:10000:Administrator: + /home/LONDON/administrator:/bin/bash +LONDON+Guest:x:10001:10001:Guest: + /home/LONDON/guest:/bin/bash +LONDON+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0: + /home/LONDON/support_388945a0:/bin/bash +LONDON+krbtgt:x:10003:10000:krbtgt: + /home/LONDON/krbtgt:/bin/bash +LONDON+jht:x:10004:10000:John H. Terpstra: + /home/LONDON/jht:/bin/bash +</pre><p> + Okay, ADS user accounts are being resolved. Now you try group resolution: +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +... +LONDON+Domain Computers:x:10002: +LONDON+Domain Controllers:x:10003: +LONDON+Schema Admins:x:10004:LONDON+Administrator +LONDON+Enterprise Admins:x:10005:LONDON+Administrator +LONDON+Domain Admins:x:10006:LONDON+jht,LONDON+Administrator +LONDON+Domain Users:x:10000: +LONDON+Domain Guests:x:10001: +LONDON+Group Policy Creator Owners:x:10007:LONDON+Administrator +LONDON+DnsUpdateProxy:x:10008: +</pre><p> + This is very pleasing. Everything works as expected. + </p></li><li><p> + <a class="indexterm" name="id365111"></a> + <a class="indexterm" name="id365122"></a> + <a class="indexterm" name="id365131"></a> + You may now perform final verification that communications between Samba-3 winbind and + the Active Directory server is using Kerberos protocols. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads info +LDAP server: 192.168.2.123 +LDAP server name: w2k3s +Realm: LONDON.ABMAS.BIZ +Bind Path: dc=LONDON,dc=ABMAS,dc=BIZ +LDAP port: 389 +Server time: Sat, 03 Jan 2004 02:44:44 GMT +KDC server: 192.168.2.123 +Server time offset: 2 +</pre><p> + It should be noted that Kerberos protocols are time-clock critical. You should + keep all server time clocks synchronized using the network time protocol (NTP). + In any case, the output we obtained confirms that all systems are operational. + </p></li><li><p> + <a class="indexterm" name="id365161"></a> + There is one more action you elect to take, just because you are paranoid and disbelieving, + so you execute the following command: +</p><pre class="programlisting"> +<code class="prompt">root# </code> net ads status -UAdministrator%not24get +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +objectClass: computer +cn: fran +distinguishedName: CN=fran,CN=Computers,DC=london,DC=abmas,DC=biz +instanceType: 4 +whenCreated: 20040103092006.0Z +whenChanged: 20040103092006.0Z +uSNCreated: 28713 +uSNChanged: 28717 +name: fran +objectGUID: 58f89519-c467-49b9-acb0-f099d73696e +userAccountControl: 69632 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 127175965783327936 +localPolicyFlags: 0 +pwdLastSet: 127175952062598496 +primaryGroupID: 515 +objectSid: S-1-5-21-4052121579-2079768045-1474639452-1109 +accountExpires: 9223372036854775807 +logonCount: 13 +sAMAccountName: fran$ +sAMAccountType: 805306369 +operatingSystem: Samba +operatingSystemVersion: 3.0.20-SUSE +dNSHostName: fran +userPrincipalName: HOST/fran@LONDON.ABMAS.BIZ +servicePrincipalName: CIFS/fran.london.abmas.biz +servicePrincipalName: CIFS/fran +servicePrincipalName: HOST/fran.london.abmas.biz +servicePrincipalName: HOST/fran +objectCategory: CN=Computer,CN=Schema,CN=Configuration, + DC=london,DC=abmas,DC=biz +isCriticalSystemObject: FALSE +-------------- Security Descriptor (revision: 1, type: 0x8c14) +owner SID: S-1-5-21-4052121579-2079768045-1474639452-512 +group SID: S-1-5-21-4052121579-2079768045-1474639452-513 +------- (system) ACL (revision: 4, size: 120, number of ACEs: 2) +------- ACE (type: 0x07, flags: 0x5a, size: 0x38, + mask: 0x20, object flags: 0x3) +access SID: S-1-1-0 +access type: AUDIT OBJECT +Permissions: + [Write All Properties] +------- ACE (type: 0x07, flags: 0x5a, size: 0x38, + mask: 0x20, object flags: 0x3) +access SID: S-1-1-0 +access type: AUDIT OBJECT +Permissions: + [Write All Properties] +------- (user) ACL (revision: 4, size: 1944, number of ACEs: 40) +------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff) +access SID: S-1-5-21-4052121579-2079768045-1474639452-512 +access type: ALLOWED +Permissions: [Full Control] +------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff) +access SID: S-1-5-32-548 +... +------- ACE (type: 0x05, flags: 0x12, size: 0x38, + mask: 0x10, object flags: 0x3) +access SID: S-1-5-9 +access type: ALLOWED OBJECT +Permissions: + [Read All Properties] +-------------- End Of Security Descriptor +</pre><p> + And now you have conclusive proof that your Samba-3 ADS domain member server + called <code class="constant">FRAN</code> is able to communicate fully with the ADS + domain controllers. + </p></li></ol></div><p> + Your Samba-3 ADS domain member server is ready for use. During training sessions, + you may be asked what is inside the <code class="filename">winbindd_cache.tdb and winbindd_idmap.tdb</code> + files. Since curiosity just took hold of you, execute the following: +</p><pre class="programlisting"> +<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_idmap.tdb +{ +key = "S-1-5-21-4052121579-2079768045-1474639452-501\00" +data = "UID 10001\00" +} +{ +key = "UID 10005\00" +data = "S-1-5-21-4052121579-2079768045-1474639452-1111\00" +} +{ +key = "GID 10004\00" +data = "S-1-5-21-4052121579-2079768045-1474639452-518\00" +} +{ +key = "S-1-5-21-4052121579-2079768045-1474639452-502\00" +data = "UID 10003\00" +} +... + +<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_cache.tdb +{ +key = "UL/LONDON" +data = "\00\00\00\00bp\00\00\06\00\00\00\0DAdministrator\0D + Administrator-S-1-5-21-4052121579-2079768045-1474639452-500- + S-1-5-21-4052121579-2079768045-1474639452-513\05Guest\05 + Guest-S-1-5-21-4052121579-2079768045-1474639452-501- + S-1-5-21-4052121579-2079768045-1474639452-514\10 + SUPPORT_388945a0\10SUPPORT_388945a0. + S-1-5-21-4052121579-2079768045-1474639452-1001- + S-1-5-21-4052121579-2079768045-1474639452-513\06krbtgt\06 + krbtgt-S-1-5-21-4052121579-2079768045-1474639452-502- + S-1-5-21-4052121579-2079768045-1474639452-513\03jht\10 + John H. Terpstra.S-1-5-21-4052121579-2079768045-1474639452-1110- + S-1-5-21-4052121579-2079768045-1474639452-513" +} +{ +key = "GM/S-1-5-21-4052121579-2079768045-1474639452-512" +data = "\00\00\00\00bp\00\00\02\00\00\00. + S-1-5-21-4052121579-2079768045-1474639452-1110\03 + jht\01\00\00\00-S-1-5-21-4052121579-2079768045-1474639452-500\0D + Administrator\01\00\00\00" +} +{ +key = "SN/S-1-5-21-4052121579-2079768045-1474639452-513" +data = "\00\00\00\00xp\00\00\02\00\00\00\0CDomain Users" +} +{ +key = "GM/S-1-5-21-4052121579-2079768045-1474639452-518" +data = "\00\00\00\00bp\00\00\01\00\00\00- + S-1-5-21-4052121579-2079768045-1474639452-500\0D + Administrator\01\00\00\00" +} +{ +key = "SEQNUM/LONDON\00" +data = "xp\00\00C\92\F6?" +} +{ +key = "U/S-1-5-21-4052121579-2079768045-1474639452-1110" +data = "\00\00\00\00xp\00\00\03jht\10John H. Terpstra. + S-1-5-21-4052121579-2079768045-1474639452-1110- + S-1-5-21-4052121579-2079768045-1474639452-513" +} +{ +key = "NS/S-1-5-21-4052121579-2079768045-1474639452-502" +data = "\00\00\00\00bp\00\00- + S-1-5-21-4052121579-2079768045-1474639452-502" +} +{ +key = "SN/S-1-5-21-4052121579-2079768045-1474639452-1001" +data = "\00\00\00\00bp\00\00\01\00\00\00\10SUPPORT_388945a0" +} +{ +key = "SN/S-1-5-21-4052121579-2079768045-1474639452-500" +data = "\00\00\00\00bp\00\00\01\00\00\00\0DAdministrator" +} +{ +key = "U/S-1-5-21-4052121579-2079768045-1474639452-502" +data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- + S-1-5-21-4052121579-2079768045-1474639452-502- + S-1-5-21-4052121579-2079768045-1474639452-513" +} +.... +</pre><p> + Now all is revealed. Your curiosity, as well as that of your team, has been put at ease. + May this server serve well all who happen upon it. + </p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id365315"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id365328"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id365340"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id365353"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr><tr><td><a class="indexterm" name="id365366"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id365378"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id365391"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id365403"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id365416"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id365428"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id365441"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id365454"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id365466"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id365479"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id365491"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id365504"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id365516"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id365529"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id365550"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id365563"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id365576"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id365588"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id365610"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id365622"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id365635"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365647"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365660"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id365681"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id365694"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id365707"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id365719"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id365733"></a>IDMAP_RID with Winbind</h4></div></div></div><p> + <a class="indexterm" name="id365741"></a> + <a class="indexterm" name="id365748"></a> + <a class="indexterm" name="id365754"></a> + <a class="indexterm" name="id365761"></a> + The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a + predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method + of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data + in a central place. The downside is that it can be used only within a single ADS domain and + is not compatible with trusted domain implementations. + </p><p> + <a class="indexterm" name="id365780"></a> + <a class="indexterm" name="id365787"></a> + <a class="indexterm" name="id365794"></a> + <a class="indexterm" name="id365800"></a> + This alternate method of SID to UID/GID mapping can be achieved with the idmap_rid + plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the + RID to a base value specified. This utility requires that the parameter + “<span class="quote">allow trusted domains = No</span>” must be specified, as it is not compatible + with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and + <em class="parameter"><code>idmap gid</code></em> ranges must be specified. + </p><p> + <a class="indexterm" name="id365830"></a> + <a class="indexterm" name="id365836"></a> + The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory. + To use this with an NT4 domain, the <em class="parameter"><code>realm</code></em> is not used. Additionally the + method used to join the domain uses the <code class="constant">net rpc join</code> process. + </p><p> + An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a href="unixclients.html#sbe-idmapridex" title="Example 7.8. Example smb.conf File Using idmap_rid">???</a>. + </p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id365908"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id365921"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id365933"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id365946"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id365958"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id365971"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id365984"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id365996"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id366009"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id366022"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id366034"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id366047"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id366060"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id366072"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id366085"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id366101"></a> + <a class="indexterm" name="id366108"></a> + <a class="indexterm" name="id366115"></a> + <a class="indexterm" name="id366121"></a> + In a large domain with many users, it is imperative to disable enumeration of users and groups. + For example, at a site that has 22,000 users in Active Directory the winbind-based user and + group resolution is unavailable for nearly 12 minutes following first start-up of + <code class="literal">winbind</code>. Disabling of such enumeration results in instantaneous response. + The disabling of user and group enumeration means that it will not be possible to list users + or groups using the <code class="literal">getent passwd</code> and <code class="literal">getent group</code> + commands. It will be possible to perform the lookup for individual users, as shown in the procedure + below. + </p><p> + <a class="indexterm" name="id366154"></a> + <a class="indexterm" name="id366161"></a> + The use of this tool requires configuration of NSS as per the native use of winbind. Edit the + <code class="filename">/etc/nsswitch.conf</code> so it has the following parameters: +</p><pre class="screen"> +... +passwd: files winbind +shadow: files winbind +group: files winbind +... +hosts: files wins +... +</pre><p> + </p><p> + The following procedure can be used to utilize the idmap_rid facility: + </p><div class="procedure"><ol type="1"><li><p> + Create or install and <code class="filename">smb.conf</code> file with the above configuration. + </p></li><li><p> + Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above. + </p></li><li><p> + Execute: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads join -UAdministrator%password +Using short domain name -- KPAK +Joined 'BIGJOE' to realm 'CORP.KPAK.COM' +</pre><p> + </p><p> + <a class="indexterm" name="id366236"></a> + An invalid or failed join can be detected by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin +BIGJOE$@'s password: +[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186) + ads_connect: No results returned +Join to domain is not valid +</pre><p> + The specific error message may differ from the above because it depends on the type of failure that + may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the above test, + and then examine the log files produced to identify the nature of the failure. + </p></li><li><p> + Start the <code class="literal">nmbd</code>, <code class="literal">winbind,</code> and <code class="literal">smbd</code> daemons in the order shown. + </p></li><li><p> + Validate the operation of this configuration by executing: + <a class="indexterm" name="id366298"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd administrator +administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash +</pre><p> + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366318"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p> + <a class="indexterm" name="id366326"></a> + <a class="indexterm" name="id366333"></a> + The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as + with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant + LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using + the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on. + </p><p> + The example in <a href="unixclients.html#sbeunxa" title="Example 7.9. Typical ADS Style Domain smb.conf File">???</a> is for an ADS-style domain. + </p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id366387"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id366400"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id366412"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id366425"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id366437"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id366450"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id366463"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id366476"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id366488"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id366501"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id366514"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id366526"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id366539"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id366552"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id366568"></a> + In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the + command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates + advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in + “<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second Edition</span>” (TOSHARG2). + </p><p> + <a class="indexterm" name="id366596"></a> + <a class="indexterm" name="id366603"></a> + <a class="indexterm" name="id366610"></a> + Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code> + file so it has the following contents: +</p><pre class="screen"> +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + default_realm = SNOWSHOW.COM + dns_lookup_realm = false + dns_lookup_kdc = true + +[appdefaults] + pam = { + debug = false + ticket_lifetime = 36000 + renew_lifetime = 36000 + forwardable = true + krb4_convert = false + } +</pre><p> + </p><p> + Where Heimdal kerberos is installed, edit the <code class="filename">/etc/krb5.conf</code> + file so it is either empty (i.e., no contents) or it has the following contents: +</p><pre class="screen"> +[libdefaults] + default_realm = SNOWSHOW.COM + clockskew = 300 + +[realms] + SNOWSHOW.COM = { + kdc = ADSDC.SHOWSHOW.COM + } + +[domain_realm] + .snowshow.com = SNOWSHOW.COM +</pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file. + So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no + need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically. + </p></div><p> + Edit the NSS control file <code class="filename">/etc/nsswitch.conf</code> so it has the following entries: +</p><pre class="screen"> +... +passwd: files ldap +shadow: files ldap +group: files ldap +... +hosts: files wins +... +</pre><p> + </p><p> + <a class="indexterm" name="id366682"></a> + <a class="indexterm" name="id366689"></a> + You will need the <a href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code> + tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has + the information needed. The following is an example of a working file: +</p><pre class="screen"> +host 192.168.2.1 +base dc=snowshow,dc=com +binddn cn=Manager,dc=snowshow,dc=com +bindpw not24get + +pam_password exop + +nss_base_passwd ou=People,dc=snowshow,dc=com?one +nss_base_shadow ou=People,dc=snowshow,dc=com?one +nss_base_group ou=Groups,dc=snowshow,dc=com?one +ssl no +</pre><p> + </p><p> + The following procedure may be followed to affect a working configuration: + </p><div class="procedure"><ol type="1"><li><p> + Configure the <code class="filename">smb.conf</code> file as shown above. + </p></li><li><p> + Create the <code class="filename">/etc/krb5.conf</code> file following the indications above. + </p></li><li><p> + Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above. + </p></li><li><p> + Download, build, and install the PADL nss_ldap tool set. Configure the + <code class="filename">/etc/ldap.conf</code> file as shown above. + </p></li><li><p> + Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP + as shown in the following LDIF file: +</p><pre class="screen"> +dn: dc=snowshow,dc=com +objectClass: dcObject +objectClass: organization +dc: snowshow +o: The Greatest Snow Show in Singapore. +description: Posix and Samba LDAP Identity Database + +dn: cn=Manager,dc=snowshow,dc=com +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +dn: ou=Idmap,dc=snowshow,dc=com +objectClass: organizationalUnit +ou: idmap +</pre><p> + </p></li><li><p> + Execute the command to join the Samba domain member server to the ADS domain as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin +Using short domain name -- SNOWSHOW +Joined 'GOODELF' to realm 'SNOWSHOW.COM' +</pre><p> + </p></li><li><p> + Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +</pre><p> + </p></li><li><p> + Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown. + </p></li></ol></div><p> + <a class="indexterm" name="id366872"></a> + Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join. + In many cases a failure is indicated by a silent return to the command prompt with no indication of the + reason for failure. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366884"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p> + <a class="indexterm" name="id366892"></a> + <a class="indexterm" name="id366898"></a> + The use of this method is messy. The information provided in this section is for guidance only + and is very definitely not complete. This method does work; it is used in a number of large sites + and has an acceptable level of performance. + </p><p> + An example <code class="filename">smb.conf</code> file is shown in <a href="unixclients.html#sbewinbindex" title="Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File">???</a>. + </p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id366957"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id366970"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id366982"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id366995"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id367008"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id367020"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id367033"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id367046"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id367058"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id367071"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id367084"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id367100"></a> + The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary + to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the + following: +</p><pre class="screen"> +./configure --enable-rfc2307bis --enable-schema-mapping +make install +</pre><p> + </p><p> + <a class="indexterm" name="id367118"></a> + The following <code class="filename">/etc/nsswitch.conf</code> file contents are required: +</p><pre class="screen"> +... +passwd: files ldap +shadow: files ldap +group: files ldap +... +hosts: files wins +... +</pre><p> + </p><p> + <a class="indexterm" name="id367141"></a> + <a class="indexterm" name="id367147"></a> + The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation + and source code for nss_ldap instructions. + </p><p> + The next step involves preparation on the ADS schema. This is briefly discussed in the remaining + part of this chapter. + </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id367167"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p> + <a class="indexterm" name="id367175"></a> + The Microsoft Windows Service for UNIX version 3.5 is available for free + <a href="http://www.microsoft.com/windows/sfu/" target="_top">download</a> + from the Microsoft Web site. You will need to download this tool and install it following + Microsoft instructions. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id367192"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p> + Instructions for obtaining and installing the AD4UNIX tool set can be found from the + <a href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top"> + Geekcomix</a> Web site. + </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367212"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id367219"></a> + So far this chapter has been mainly concerned with the provision of file and print + services for domain member servers. However, an increasing number of UNIX/Linux + workstations are being installed that do not act as file or print servers to anyone + other than a single desktop user. The key demand for desktop systems is to be able + to log onto any UNIX/Linux or Windows desktop using the same network user credentials. + </p><p><a class="indexterm" name="id367234"></a> + The ability to use a common set of user credential across a variety of network systems + is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a + large number of vendors and include a range of technologies such as: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Proxy sign-on + </p></li><li><p> + Federated directory provisioning + </p></li><li><p> + Metadirectory server solutions + </p></li><li><p> + Replacement authentication systems + </p></li></ul></div><p><a class="indexterm" name="id367272"></a> + There are really four solutions that provide integrated authentication and + user identity management facilities: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now + provides a greater level of scalability in large ADS environments. + </p></li><li><p> + <a href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP tools (free). + </p></li><li><p> + <a href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (commercial). + </p></li><li><p> + <a href="http://www.centrify.com" target="_top">Centrify</a> DirectControl (commercial). + Centrify's commercial product allows UNIX and Linux systems to use Active Directory + security, directory and policy services. Enhancements include a centralized ID mapping that + allows Samba, DirectControl and Active Directory to seamlessly work together. + </p></li></ul></div><p> + The following guidelines are pertinent to the deployment of winbind-based authentication + and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops + using Windows network domain user credentials (username and password). + </p><p> + You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed + systems logons (SSO), providing user and group accounts are stored in an LDAP directory. This + provides logon services for UNIX/Linux users, while Windows users obtain their sign-on + support via Samba-3. + </p><p> + <a class="indexterm" name="id367339"></a> + On the other hand, if the authentication and identity resolution backend must be provided by + a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft + Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these + situations now follows. + </p><p> + <a class="indexterm" name="id367354"></a> + <a class="indexterm" name="id367361"></a> + <a class="indexterm" name="id367368"></a> + To permit users to log on to a Linux system using Windows network credentials, you need to + configure identity resolution (NSS) and PAM. This means that the basic steps include those + outlined above with the addition of PAM configuration. Given that most workstations (desktop/client) + usually do not need to provide file and print services to a group of users, the configuration + of shares and printers is generally less important. Often this allows the share specifications + to be entirely removed from the <code class="filename">smb.conf</code> file. That is obviously an administrator decision. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id367386"></a>NT4 Domain Member</h4></div></div></div><p> + The following steps provide a Linux system that users can log onto using + Windows NT4 (or Samba-3) domain network credentials: + </p><div class="procedure"><ol type="1"><li><p> + Follow the steps outlined in <a href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind">???</a> and ensure that + all validation tests function as shown. + </p></li><li><p> + Identify what services users must log on to. On Red Hat Linux, if it is + intended that the user shall be given access to all services, it may be + most expeditious to simply configure the file + <code class="filename">/etc/pam.d/system-auth</code>. + </p></li><li><p> + Carefully make a backup copy of all PAM configuration files before you + begin making changes. If you break the PAM configuration, please note + that you may need to use an emergency boot process to recover your Linux + system. It is possible to break the ability to log into the system if + PAM files are incorrectly configured. The entire directory + <code class="filename">/etc/pam.d</code> should be backed up to a safe location. + </p></li><li><p> + If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code> + so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">???</a>. + </p></li><li><p> + To provide the ability to log onto the graphical desktop interface, you must edit + the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the + <code class="filename">/etc/pam.d</code> directory. + </p></li><li><p> + Edit only one file at a time. Carefully validate its operation before attempting + to reboot the machine. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id367498"></a>ADS Domain Member</h4></div></div></div><p> + This procedure should be followed to permit a Linux network client (workstation/desktop) + to permit users to log on using Microsoft Active Directory-based user credentials. + </p><div class="procedure"><ol type="1"><li><p> + Follow the steps outlined in <a href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">???</a> and ensure that + all validation tests function as shown. + </p></li><li><p> + Identify what services users must log on to. On Red Hat Linux, if it is + intended that the user shall be given access to all services, it may be + most expeditious to simply configure the file + <code class="filename">/etc/pam.d/system-auth</code> as shown in <a href="unixclients.html#ch9-rhsysauth" title="Example 7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">???</a>. + </p></li><li><p> + Carefully make a backup copy of all PAM configuration files before you + begin making changes. If you break the PAM configuration, please note + that you may need to use an emergency boot process to recover your Linux + system. It is possible to break the ability to log into the system if + PAM files are incorrectly configured. The entire directory + <code class="filename">/etc/pam.d</code> should be backed up to a safe location. + </p></li><li><p> + If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code> + so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">???</a>. + </p></li><li><p> + To provide the ability to log onto the graphical desktop interface, you must edit + the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the + <code class="filename">/etc/pam.d</code> directory. + </p></li><li><p> + Edit only one file at a time. Carefully validate its operation before attempting + to reboot the machine. + </p></li></ol></div></div><div class="example"><a name="ch9-pamwnbdlogin"></a><p class="title"><b>Example 7.11. SUSE: PAM <code class="filename">login</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen"> +# /etc/pam.d/login + +#%PAM-1.0 +auth sufficient pam_unix2.so nullok +auth sufficient pam_winbind.so use_first_pass use_authtok +auth required pam_securetty.so +auth required pam_nologin.so +auth required pam_env.so +auth required pam_mail.so +account sufficient pam_unix2.so +account sufficient pam_winbind.so user_first_pass use_authtok +password required pam_pwcheck.so nullok +password sufficient pam_unix2.so nullok use_first_pass use_authtok +password sufficient pam_winbind.so use_first_pass use_authtok +session sufficient pam_unix2.so none +session sufficient pam_winbind.so use_first_pass use_authtok +session required pam_limits.so +</pre></div></div><br class="example-break"><div class="example"><a name="ch9-pamwbndxdm"></a><p class="title"><b>Example 7.12. SUSE: PAM <code class="filename">xdm</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen"> +# /etc/pam.d/gdm (/etc/pam.d/xdm) + +#%PAM-1.0 +auth sufficient pam_unix2.so nullok +auth sufficient pam_winbind.so use_first_pass use_authtok +account sufficient pam_unix2.so +account sufficient pam_winbind.so use_first_pass use_authtok +password sufficient pam_unix2.so +password sufficient pam_winbind.so use_first_pass use_authtok +session sufficient pam_unix2.so +session sufficient pam_winbind.so use_first_pass use_authtok +session required pam_dev perm.so +session required pam_resmgr.so +</pre></div></div><br class="example-break"><div class="example"><a name="ch9-rhsysauth"></a><p class="title"><b>Example 7.13. Red Hat 9: PAM System Authentication File: <code class="filename">/etc/pam.d/system-auth</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen"> +#%PAM-1.0 +auth required /lib/security/$ISA/pam_env.so +auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok +auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass +auth required /lib/security/$ISA/pam_deny.so + +account required /lib/security/$ISA/pam_unix.so +account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass + +password required /lib/security/$ISA/pam_cracklib.so retry=3 type= +# Note: The above line is complete. There is nothing following the '=' +password sufficient /lib/security/$ISA/pam_unix.so \ + nullok use_authtok md5 shadow +password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass +password required /lib/security/$ISA/pam_deny.so + +session required /lib/security/$ISA/pam_limits.so +session sufficient /lib/security/$ISA/pam_unix.so +session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367699"></a>Key Points Learned</h3></div></div></div><p> + The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you + learned how to integrate such servers so that the UID/GID mappings they use can be consistent + across all domain member servers. You also discovered how to implement the ability to use Samba + or Windows domain account credentials to log on to a UNIX/Linux client. + </p><p> + The following are key points made in this chapter: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Domain controllers are always authoritative for the domain. + </p></li><li><p> + Domain members may have local accounts and must be able to resolve the identity of + domain user accounts. Domain user account identity must map to a local UID/GID. That + local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data + across all domain member machines. + </p></li><li><p> + Resolution of user and group identities on domain member machines may be implemented + using direct LDAP services or using winbind. + </p></li><li><p> + On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management + and PAM is responsible for authentication of logon credentials (username and password). + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367744"></a>Questions and Answers</h2></div></div></div><p> + The following questions were obtained from the mailing list and also from private discussions + with Windows network administrators. + </p><div class="qandaset"><dl><dt> <a href="unixclients.html#id367761"> + We use NIS for all UNIX accounts. Why do we need winbind? + </a></dt><dt> <a href="unixclients.html#id367868"> + Our IT management people do not like LDAP but are looking at Microsoft Active Directory. + Which is better? + </a></dt><dt> <a href="unixclients.html#id367942"> + We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible + to use NIS in place of LDAP? + </a></dt><dt> <a href="unixclients.html#id368049"> + Are you suggesting that users should not log on to a domain member server? If so, why? + </a></dt><dt> <a href="unixclients.html#id368158"> + We want to ensure that only users from our own domain plus from trusted domains can use our + Samba servers. In the smb.conf file on all servers, we have enabled the winbind + trusted domains only parameter. We now find that users from trusted domains + cannot access our servers, and users from Windows clients that are not domain members + can also access our servers. Is this a Samba bug? + </a></dt><dt> <a href="unixclients.html#id368322"> + What are the benefits of using LDAP for my domain member servers? + </a></dt><dt> <a href="unixclients.html#id368497"> + Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into + my DNS configuration? + </a></dt><dt> <a href="unixclients.html#id368645"> + Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we + use Samba-3 with that configuration? + </a></dt><dt> <a href="unixclients.html#id368662"> + When I tried to execute net ads join, I got no output. It did not work, so + I think that it failed. I then executed net rpc join and that worked fine. + That is okay, isn't it? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id367761"></a><a name="id367763"></a></td><td align="left" valign="top"><p> + We use NIS for all UNIX accounts. Why do we need winbind? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id367774"></a> + <a class="indexterm" name="id367781"></a> + <a class="indexterm" name="id367787"></a> + <a class="indexterm" name="id367794"></a> + <a class="indexterm" name="id367801"></a> + <a class="indexterm" name="id367808"></a> + You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted + passwords that need to be stored in one of the acceptable passdb backends. + Your choice of backend is limited to <em class="parameter"><code>smbpasswd</code></em> or + <em class="parameter"><code>tdbsam</code></em>. Winbind is needed to handle the resolution of + SIDs from trusted domains to local UID/GID values. + </p><p> + <a class="indexterm" name="id367832"></a> + <a class="indexterm" name="id367839"></a> + On a domain member server, you effectively map Windows domain users to local users + that are in your NIS database by specifying the <em class="parameter"><code>winbind trusted domains + only</code></em>. This causes user and group account lookups to be routed via + the <code class="literal">getpwnam()</code> family of systems calls. On an NIS-enabled client, + this pushes the resolution of users and groups out through NIS. + </p><p> + As a general rule, it is always a good idea to run winbind on all Samba servers. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367868"></a><a name="id367870"></a></td><td align="left" valign="top"><p> + Our IT management people do not like LDAP but are looking at Microsoft Active Directory. + Which is better?<a class="indexterm" name="id367876"></a> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367890"></a><a class="indexterm" name="id367901"></a><a class="indexterm" name="id367909"></a> + Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos + infrastructure. Most IT managers who object to LDAP do so because + an LDAP server is most often supplied as a raw tool that needs to be configured and + for which the administrator must create the schema, create the administration tools, and + devise the backup and recovery facilities in a site-dependent manner. LDAP servers + in general are seen as a high-energy, high-risk facility. + </p><p><a class="indexterm" name="id367924"></a> + Microsoft Active Directory by comparison is easy to install and configure and + is supplied with all tools necessary to implement and manage the directory. For sites + that lack a lot of technical competence, Active Directory is a good choice. For sites + that have the technical competence to handle Active Directory well, LDAP is a good + alternative. The real issue is, What type of solution does + the site want? If management wants a choice to use an alternative, they may want to + consider the options. On the other hand, if management just wants a solution that works, + Microsoft Active Directory is a good solution. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367942"></a><a name="id367944"></a></td><td align="left" valign="top"><p> + We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible + to use NIS in place of LDAP? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367955"></a><a class="indexterm" name="id367962"></a><a class="indexterm" name="id367970"></a><a class="indexterm" name="id367978"></a><a class="indexterm" name="id367986"></a><a class="indexterm" name="id367994"></a><a class="indexterm" name="id368001"></a> + Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping + the Windows (SMB) encrypted passwords database correctly synchronized across the entire + network. Workstations (Windows client machines) periodically change their domain + membership secure account password. How can you keep changes that are on remote BDCs + synchronized on the PDC? + </p><p><a class="indexterm" name="id368019"></a><a class="indexterm" name="id368026"></a><a class="indexterm" name="id368034"></a> + LDAP is a more elegant solution because it permits centralized storage and management + of all network identities (user, group, and machine accounts) together with all information + Samba needs to provide to network clients and their users. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368049"></a><a name="id368051"></a></td><td align="left" valign="top"><p> + Are you suggesting that users should not log on to a domain member server? If so, why? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368061"></a><a class="indexterm" name="id368069"></a><a class="indexterm" name="id368080"></a> + Many UNIX administrators mock the model that the personal computer industry has adopted + as normative since the early days of Novell NetWare. The old + perception of the necessity to keep users off file and print servers was a result of + fears concerning the security and integrity of data. It was a simple and generally + effective measure to keep users away from servers, except through mapped drives. + </p><p><a class="indexterm" name="id368095"></a><a class="indexterm" name="id368103"></a><a class="indexterm" name="id368111"></a><a class="indexterm" name="id368119"></a><a class="indexterm" name="id368127"></a> + UNIX administrators are fully correct in asserting that UNIX servers and workstations + are identical in terms of the software that is installed. They correctly assert that + in a well-secured environment it is safe to store files on a system that has hundreds + of users. But all network administrators must factor into the decision to allow or + reject general user logins to a UNIX system that is principally a file and print + server the risk to operations through simple user errors. + Only then can one begin to appraise the best strategy and adopt a site-specific + policy that best protects the needs of users and of the organization alike. + </p><p><a class="indexterm" name="id368143"></a> + From experience, it is my recommendation to keep general system-level logins to a + practical minimum and to eliminate them if possible. This should not be taken as a + hard rule, though. The better question is, what works best for the site? + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368158"></a><a name="id368160"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368163"></a><a class="indexterm" name="id368171"></a><a class="indexterm" name="id368182"></a><a class="indexterm" name="id368190"></a> + We want to ensure that only users from our own domain plus from trusted domains can use our + Samba servers. In the <code class="filename">smb.conf</code> file on all servers, we have enabled the <em class="parameter"><code>winbind + trusted domains only</code></em> parameter. We now find that users from trusted domains + cannot access our servers, and users from Windows clients that are not domain members + can also access our servers. Is this a Samba bug? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368219"></a><a class="indexterm" name="id368227"></a><a class="indexterm" name="id368235"></a><a class="indexterm" name="id368243"></a><a class="indexterm" name="id368250"></a><a class="indexterm" name="id368258"></a> + The manual page for this <em class="parameter"><code>winbind trusted domains only</code></em> parameter says, + “<span class="quote">This parameter is designed to allow Samba servers that are members of a Samba-controlled + domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users + in the hosts primary domain. Therefore, the user <code class="constant">SAMBA\user1</code> would be + mapped to the account <code class="constant">user1</code> in <code class="filename">/etc/passwd</code> instead + of allocating a new UID for him or her.</span>” This clearly suggests that you are trying + to use this parameter inappropriately. + </p><p><a class="indexterm" name="id368296"></a> + A far better solution is to use the <em class="parameter"><code>valid users</code></em> by specifying + precisely the domain users and groups that should be permitted access to the shares. You could, + for example, set the following parameters: +</p><pre class="screen"> +[demoshare] + path = /export/demodata + valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users" +</pre><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368322"></a><a name="id368324"></a></td><td align="left" valign="top"><p> + What are the benefits of using LDAP for my domain member servers? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368334"></a><a class="indexterm" name="id368342"></a><a class="indexterm" name="id368350"></a><a class="indexterm" name="id368358"></a><a class="indexterm" name="id368365"></a><a class="indexterm" name="id368373"></a><a class="indexterm" name="id368381"></a><a class="indexterm" name="id368389"></a><a class="indexterm" name="id368397"></a> + The key benefit of using LDAP is that the UID of all users and the GID of all groups + are globally consistent on domain controllers as well as on domain member servers. + This means that it is possible to copy/replicate files across servers without + loss of identity. + </p><p><a class="indexterm" name="id368410"></a><a class="indexterm" name="id368418"></a><a class="indexterm" name="id368426"></a><a class="indexterm" name="id368434"></a><a class="indexterm" name="id368442"></a><a class="indexterm" name="id368450"></a><a class="indexterm" name="id368461"></a><a class="indexterm" name="id368469"></a> + When use is made of account identity resolution via winbind, even when an IDMAP backend + is stored in LDAP, the UID/GID on domain member servers is consistent, but differs + from the ID that the user/group has on domain controllers. The winbind allocated UID/GID + that is stored in LDAP (or locally) will be in the numeric range specified in the <em class="parameter"><code> + idmap uid/gid</code></em> in the <code class="filename">smb.conf</code> file. On domain controllers, the UID/GID is + that of the POSIX value assigned in the LDAP directory as part of the POSIX account information. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368497"></a><a name="id368499"></a></td><td align="left" valign="top"><p> + Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into + my DNS configuration? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368510"></a><a class="indexterm" name="id368521"></a><a class="indexterm" name="id368532"></a><a class="indexterm" name="id368540"></a><a class="indexterm" name="id368548"></a><a class="indexterm" name="id368555"></a><a class="indexterm" name="id368563"></a> + Samba depends on correctly functioning resolution of hostnames to their IP address. Samba + makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the + <code class="literal">getXXXbyXXX()</code> function calls. The configuration of the <code class="constant">hosts</code> + entry in the NSS <code class="filename">/etc/nsswitch.conf</code> file determines how the underlying + resolution process is implemented. If the <code class="constant">hosts</code> entry in your NSS + control file says: +</p><pre class="screen"> +hosts: files dns wins +</pre><p> + this means that a hostname lookup first tries the <code class="filename">/etc/hosts</code>. + If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a + WINS lookup. + </p><p><a class="indexterm" name="id368613"></a><a class="indexterm" name="id368621"></a><a class="indexterm" name="id368629"></a> + The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has + been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS + is the preferred name resolution technology. This usually makes most sense when Samba + is a client of an Active Directory domain, where NetBIOS use has been disabled. In this + case, the Windows 200x autoregisters all locator records it needs with its own DNS + server or servers. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368645"></a><a name="id368647"></a></td><td align="left" valign="top"><p> + Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we + use Samba-3 with that configuration? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368662"></a><a name="id368664"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368668"></a><a class="indexterm" name="id368682"></a> + When I tried to execute net ads join, I got no output. It did not work, so + I think that it failed. I then executed net rpc join and that worked fine. + That is okay, isn't it? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368704"></a><a class="indexterm" name="id368712"></a> + No. This is not okay. It means that your Samba-3 client has joined the ADS domain as + a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication. + </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Domain Members, Updating Samba and Migration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Updating Samba-3</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-ByExample/upgrades.html b/docs/htmldocs/Samba3-ByExample/upgrades.html new file mode 100644 index 0000000000..4617fa771f --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/upgrades.html @@ -0,0 +1,947 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Updating Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="unixclients.html" title="Chapter 7. Adding Domain Member Servers and Clients"><link rel="next" href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Updating Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unixclients.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="ntmigration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrades"></a>Chapter 8. Updating Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="upgrades.html#id368817">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id368901">Cautions and Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id370109">Upgrading from Samba 1.x and 2.x to Samba-3</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id370451">Applicable to All Samba 2.x to Samba-3 Upgrades</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id370773">Samba-2.x with LDAP Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id370887">Updating a Samba-3 Installation</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id370982">Samba-3 to Samba-3 Updates on the Same Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id371166">Migrating Samba-3 to a New Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id371543">Migration of Samba Accounts to Active Directory</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id368743"></a> +<a class="indexterm" name="id368750"></a> +It was a little difficult to select an appropriate title for this chapter. +From email messages on the Samba mailing lists it is clear that many people +consider the updating and upgrading of Samba to be a migration matter. Others +talk about migrating Samba servers when in fact the issue at hand is one of +installing a new Samba server to replace an older existing Samba server. +</p><p> +<a class="indexterm" name="id368763"></a> +<a class="indexterm" name="id368770"></a> +There has also been much talk about migration of Samba-3 from an smbpasswd +passdb backend to the use of the tdbsam or ldapsam facilities that are new +to Samba-3. +</p><p> +Clearly, there is not a great deal of clarity in the terminology that various +people apply to these modes by which Samba servers are updated. This is further +highlighted by an email posting that included the following neat remark: +</p><div class="blockquote"><blockquote class="blockquote"><p> +<a class="indexterm" name="id368788"></a> +I like the “<span class="quote">net rpc vampire</span>” on NT4, but that to my surprise does +not seem to work against a Samba PDC and, if addressed in the Samba to Samba +context in either book, I could not find it. +</p></blockquote></div><p> +<a class="indexterm" name="id368807"></a> +So in response to the significant request for these situations to be better +documented, this chapter has now been added. User contributions and documentation +of real-world experiences are a most welcome addition to this chapter. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id368817"></a>Introduction</h2></div></div></div><p> +<a class="indexterm" name="id368825"></a> +<a class="indexterm" name="id368832"></a> +<a class="indexterm" name="id368838"></a> +A Windows network administrator explained in an email what changes he was +planning to make and followed with the question: “<span class="quote">Anyone done this +before?</span>” Many of us have upgraded and updated Samba without incident. +Others have experienced much pain and user frustration. So it is to be hoped +that the notes in this chapter will make a positive difference by assuring +that someone will be saved a lot of discomfort. +</p><p> +Before anyone commences an upgrade or an update of Samba, the one cardinal +rule that must be observed is: Backup all Samba configuration files in +case it is necessary to revert to the old version. Even if you do not like +this precautionary step, users will punish an administrator who +fails to take adequate steps to avoid situations that may inflict lost +productivity on them. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +<a class="indexterm" name="id368863"></a> +<a class="indexterm" name="id368870"></a> +Samba makes it possible to upgrade and update configuration files, but it +is not possible to downgrade the configuration files. Please ensure that +all configuration and control files are backed up to permit a down-grade +in the rare event that this may be necessary. +</p></div><p> +<a class="indexterm" name="id368882"></a> +<a class="indexterm" name="id368889"></a> +It is prudent also to backup all data files on the server before attempting +to perform a major upgrade. Many administrators have experienced the consequences +of failure to take adequate precautions. So what is adequate? That is simple! +If data is lost during an upgrade or update and it can not be restored, +the precautions taken were inadequate. If a backup was not needed, but was available, +caution was on the side of the victor. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id368901"></a>Cautions and Notes</h3></div></div></div><p> + Someone once said, “<span class="quote">It is good to be sorry, but better never to need to be!</span>” + These are wise words of advice to those contemplating a Samba upgrade or update. + </p><p> + <a class="indexterm" name="id368916"></a> + <a class="indexterm" name="id368923"></a> + <a class="indexterm" name="id368930"></a> + This is as good a time as any to define the terms <code class="constant">upgrade</code> and + <code class="constant">update</code>. The term <code class="constant">upgrade</code> refers to + the installation of a version of Samba that is a whole generation or more ahead of + that which is installed. Generations are indicated by the first digit of the version + number. So far Samba has been released in generations 1.x, 2.x, 3.x, and currently 4.0 + is in development. + </p><p> + <a class="indexterm" name="id368954"></a> + The term <code class="constant">update</code> refers to a minor version number installation + in place of one of the same generation. For example, updating from Samba 3.0.10 to 3.0.14 + is an update. The move from Samba 2.0.7 to 3.0.14 is an upgrade. + </p><p> + <a class="indexterm" name="id368970"></a> + While the use of these terms is an exercise in semantics, what needs to be realized + is that there are major functional differences between a Samba 2.x release and a Samba + 3.0.x release. Such differences may require a significantly different approach to + solving the same networking challenge and generally require careful review of the + latest documentation to identify precisely how the new installation may need to be + modified to preserve prior functionality. + </p><p> + There is an old axiom that says, “<span class="quote">The greater the volume of the documentation, + the greater the risk that noone will read it, but where there is no documentation, + noone can read it!</span>” While true, some documentation is an evil necessity. + It is hoped that this update to the documentation will avoid both extremes. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id368991"></a>Security Identifiers (SIDs)</h4></div></div></div><p> + <a class="indexterm" name="id368999"></a> + <a class="indexterm" name="id369008"></a> + <a class="indexterm" name="id369014"></a> + <a class="indexterm" name="id369021"></a> + <a class="indexterm" name="id369028"></a> + <a class="indexterm" name="id369037"></a> + Before the days of Windows NT and OS/2, every Windows and DOS networking client + that used the SMB protocols was an entirely autonomous entity. There was no concept + of a security identifier for a machine or a user outside of the username, the + machine name, and the workgroup name. In actual fact, these were not security identifiers + in the same context as the way that the SID is used since the development of + Windows NT 3.10. + </p><p> + <a class="indexterm" name="id369053"></a> + <a class="indexterm" name="id369060"></a> + <a class="indexterm" name="id369066"></a> + <a class="indexterm" name="id369073"></a> + <a class="indexterm" name="id369080"></a> + <a class="indexterm" name="id369086"></a> + Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use + of the username that is embedded in the SessionSetUpAndX component of the connection + setup process between a Windows client and an SMB/CIFS server. + </p><p> + <a class="indexterm" name="id369101"></a> + <a class="indexterm" name="id369108"></a> + <a class="indexterm" name="id369114"></a> + Around November 1997 support was added to Samba-1.9 to handle the Windows security + RPC-based protocols that implemented support for Samba to store a machine SID. This + information was stored in a file called <code class="filename">MACHINE.SID.</code> + </p><p> + <a class="indexterm" name="id369132"></a> + <a class="indexterm" name="id369139"></a> + <a class="indexterm" name="id369145"></a> + Within the lifetime of the early Samba 2.x series, the machine SID information was + relocated into a tdb file called <code class="filename">secrets.tdb</code>, which is where + it is still located in Samba 3.0.x along with other information that pertains to the + local machine and its role within a domain security context. + </p><p> + <a class="indexterm" name="id369163"></a> + <a class="indexterm" name="id369173"></a> + <a class="indexterm" name="id369182"></a> + <a class="indexterm" name="id369188"></a> + There are two types of SID, those pertaining to the machine itself and the domain to + which it may belong, and those pertaining to users and groups within the security + context of the local machine, in the case of standalone servers (SAS) and domain member + servers (DMS). + </p><p> + <a class="indexterm" name="id369201"></a> + <a class="indexterm" name="id369208"></a> + <a class="indexterm" name="id369214"></a> + <a class="indexterm" name="id369221"></a> + <a class="indexterm" name="id369228"></a> + <a class="indexterm" name="id369234"></a> + When the Samba <code class="literal">smbd</code> daemon is first started, if the <code class="filename">secrets.tdb</code> + file does not exist, it is created at the first client connection attempt. If this file does + exist, <code class="literal">smbd</code> checks that there is a machine SID (if it is a domain controller, + it searches for the domain SID). If <code class="literal">smbd</code> does not find one for the current + name of the machine or for the current name of the workgroup, a new SID will be generated and + then written to the <code class="filename">secrets.tdb</code> file. The SID is generated in a nondeterminative + manner. This means that each time it is generated for a particular combination of machine name + (hostname) and domain name (workgroup), it will be different. + </p><p> + <a class="indexterm" name="id369279"></a> + The SID is the key used by MS Windows networking for all networking operations. This means + that when the machine or domain SID changes, all security-encoded objects such as profiles + and ACLs may become unusable. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + It is of paramount importance that the machine and domain SID be backed up so that in + the event of a change of hostname (machine name) or domain name (workgroup) the SID can + be restored to its previous value. + </p></div><p> + <a class="indexterm" name="id369297"></a> + <a class="indexterm" name="id369304"></a> + <a class="indexterm" name="id369310"></a> + <a class="indexterm" name="id369317"></a> + <a class="indexterm" name="id369324"></a> + <a class="indexterm" name="id369330"></a> + <a class="indexterm" name="id369337"></a> + <a class="indexterm" name="id369344"></a> + <a class="indexterm" name="id369351"></a> + <a class="indexterm" name="id369357"></a> + In Samba-3 on a domain controller (PDC or BDC), the domain name controls the domain + SID. On all prior versions the hostname (computer name, or NetBIOS name) controlled + the SID. On a standalone server the hostname still controls the SID. + </p><p> + <a class="indexterm" name="id369369"></a> + <a class="indexterm" name="id369378"></a> + The local machine SID can be backed up using this procedure (Samba-3): +</p><pre class="screen"> +<code class="prompt">root# </code> net getlocalsid > /etc/samba/my-local-SID +</pre><p> + The contents of the file <code class="filename">/etc/samba/my-local-SID</code> will be: +</p><pre class="screen"> +SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429 +</pre><p> + This SID can be restored by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net setlocalsid S-1-5-21-726309263-4128913605-1168186429 +</pre><p> + </p><p> + Samba 1.9.x stored the machine SID in the the file <code class="filename">/etc/MACHINE.SID</code> + from which it could be recovered and stored into the <code class="filename">secrets.tdb</code> file + using the procedure shown above. + </p><p> + Where the <code class="filename">secrets.tdb</code> file exists and a version of Samba 2.x or later + has been used, there is no specific need to go through this update process. Samba-3 has the + ability to read the older tdb file and to perform an in-situ update to the latest tdb format. + This is not a reversible process it is a one-way upgrade. + </p><p> + <a class="indexterm" name="id369460"></a> + In the course of the Samba 2.0.x series the <code class="literal">smbpasswd</code> was modified to + permit the domain SID to be captured to the <code class="filename">secrets.tdb</code> file by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -S PDC -Uadministrator%password +</pre><p> + </p><p> + The release of the Samba 2.2.x series permitted the SID to be obtained by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -S PDC -Uadministrator%password +</pre><p> + from which the SID could be copied to a file and then written to the Samba-2.2.x + <code class="filename">secrets.tdb</code> file by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -W S-1-5-21-726309263-4128913605-1168186429 +</pre><p> + </p><p> + <a class="indexterm" name="id369528"></a> + <a class="indexterm" name="id369535"></a> + Domain security information, which includes the domain SID, can be obtained from Samba-2.2.x + systems by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rpcclient hostname lsaquery -Uroot%password +</pre><p> + This can also be done with Samba-3 by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc info -Uroot%password +Domain Name: MIDEARTH +Domain SID: S-1-5-21-726309263-4128913605-1168186429 +Sequence number: 1113415916 +Num users: 4237 +Num domain groups: 86 +Num local groups: 0 +</pre><p> + It is a very good practice to store this SID information in a safely kept file, just in + case it is ever needed at a later date. + </p><p> + <a class="indexterm" name="id369576"></a> + <a class="indexterm" name="id369583"></a> + <a class="indexterm" name="id369590"></a> + Take note that the domain SID is used extensively in Samba. Where LDAP is used for the + <em class="parameter"><code>passdb backend</code></em>, all user, group, and trust accounts are encoded + with the domain SID. This means that if the domain SID changes for any reason, the entire + Samba environment can become broken and require extensive corrective action if the + original SID cannot be restored. Fortunately, it can be recovered from a dump of the + LDAP database. A dump of the LDAP directory database can be obtained by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat -v -l filename.ldif +</pre><p> + </p><p> + <a class="indexterm" name="id369622"></a> + <a class="indexterm" name="id369628"></a> + <a class="indexterm" name="id369635"></a> + When the domain SID has changed, roaming profiles cease to be functional. The recovery + of roaming profiles necessitates resetting of the domain portion of the user SID + that owns the profile. This is encoded in the <code class="filename">NTUser.DAT</code> and can be + updated using the Samba <code class="literal">profiles</code> utility. Please be aware that not all + Linux distributions of the Samba RPMs include this essential utility. Please do not + complain to the Samba Team if this utility is missing; that issue that must be + addressed to the creator of the RPM package. The Samba Team do their best to make + available all the tools needed to manage a Samba-based Windows networking environment. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id369661"></a>Change of hostname</h4></div></div></div><p> + <a class="indexterm" name="id369668"></a> + <a class="indexterm" name="id369678"></a> + Samba uses two methods by which the primary NetBIOS machine name (also known as a computer + name or the hostname) may be determined: If the <code class="filename">smb.conf</code> file contains a + <em class="parameter"><code>netbios name</code></em> entry, its value will be used directly. In the absence + of such an entry, the UNIX system hostname will be used. + </p><p> + Many sites have become victims of lost Samba functionality because the UNIX system + hostname was changed for one reason or another. Such a change will cause a new machine + SID to be generated. If this happens on a domain controller, it will also change the + domain SID. These SIDs can be updated (restored) using the procedure outlined previously. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Do NOT change the hostname or the <em class="parameter"><code>netbios name</code></em>. If this + is changed, be sure to reset the machine SID to the original setting. Otherwise + there may be serious interoperability and/or operational problems. + </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id369719"></a>Change of Workgroup (Domain) Name</h4></div></div></div><p> + <a class="indexterm" name="id369727"></a> + The domain name of a Samba server is identical to the workgroup name and is + set in the <code class="filename">smb.conf</code> file using the <em class="parameter"><code>workgroup</code></em> parameter. + This has been consistent throughout the history of Samba and across all versions. + </p><p> + <a class="indexterm" name="id369750"></a> + Be aware that when the workgroup name is changed, a new SID will be generated. + The old domain SID can be reset using the procedure outlined earlier in this chapter. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeug1"></a>Location of config files</h4></div></div></div><p> + The Samba-Team has maintained a constant default location for all Samba control files + throughout the life of the project. People who have produced binary packages of Samba + have varied the location of the Samba control files. This has led to some confusion + for network administrators. + </p><p> + <a class="indexterm" name="id369778"></a> + The Samba 1.9.x <code class="filename">smb.conf</code> file may be found either in the <code class="filename">/etc</code> + directory or in <code class="filename">/usr/local/samba/lib</code>. + </p><p> + During the life of the Samba 2.x release, the <code class="filename">smb.conf</code> file was relocated + on Linux systems to the <code class="filename">/etc/samba</code> directory where it + remains located also for Samba 3.0.x installations. + </p><p> + <a class="indexterm" name="id369822"></a> + Samba 2.x introduced the <code class="filename">secrets.tdb</code> file that is also stored in the + <code class="filename">/etc/samba</code> directory, or in the <code class="filename">/usr/local/samba/lib</code> + directory subsystem. + </p><p> + <a class="indexterm" name="id369851"></a> + The location at which <code class="literal">smbd</code> expects to find all configuration and control + files is determined at the time of compilation of Samba. For versions of Samba prior to + 3.0, one way to find the expected location of these files is to execute: +</p><pre class="screen"> +<code class="prompt">root# </code> strings /usr/sbin/smbd | grep conf +<code class="prompt">root# </code> strings /usr/sbin/smbd | grep secret +<code class="prompt">root# </code> strings /usr/sbin/smbd | grep smbpasswd +</pre><p> + Note: The <code class="literal">smbd</code> executable may be located in the path + <code class="filename">/usr/local/samba/sbin</code>. + </p><p> + <a class="indexterm" name="id369905"></a> + Samba-3 provides a neat new way to track the location of all control files as well as to + find the compile-time options used as the Samba package was built. Here is how the dark + secrets of the internals of the location of control files within Samba executables can + be uncovered: +</p><pre class="screen"> +<code class="prompt">root# </code> smbd -b | less +Build environment: + Built by: root@frodo + Built on: Mon Apr 11 20:23:27 MDT 2005 + Built using: gcc + Build host: Linux frodo 2.6... + SRCDIR: /usr/src/packages/BUILD/samba-3.0.20/source + BUILDDIR: /usr/src/packages/BUILD/samba-3.0.20/source + +Paths: + SBINDIR: /usr/sbin + BINDIR: /usr/bin + SWATDIR: /usr/share/samba/swat + CONFIGFILE: /etc/samba/smb.conf + LOGFILEBASE: /var/log/samba + LMHOSTSFILE: /etc/samba/lmhosts + LIBDIR: /usr/lib/samba + SHLIBEXT: so + LOCKDIR: /var/lib/samba + PIDDIR: /var/run/samba + SMB_PASSWD_FILE: /etc/samba/smbpasswd + PRIVATE_DIR: /etc/samba + ... +</pre><p> + </p><p> + <a class="indexterm" name="id369934"></a> + It is important that both the <code class="filename">smb.conf</code> file and the <code class="filename">secrets.tdb</code> + be backed up before attempting any upgrade. The <code class="filename">secrets.tdb</code> file + is version-encoded, and therefore a newer version may not work with an older version + of Samba. A backup means that it is always possible to revert a failed or problematic + upgrade. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id369962"></a>International Language Support</h4></div></div></div><p> + <a class="indexterm" name="id369970"></a> + <a class="indexterm" name="id369977"></a> + <a class="indexterm" name="id369984"></a> + <a class="indexterm" name="id369990"></a> + Samba-2.x had no support for Unicode; instead, all national language character-set support in file names + was done using particular locale codepage mapping techniques. Samba-3 supports Unicode in file names, thus + providing true internationalization support. + </p><p> + <a class="indexterm" name="id370003"></a> + Non-English users whose national language character set has special characters and who upgrade naively will + find that many files that have the special characters in the file name will see them garbled and jumbled up. + This typically happens with umlauts and accents because these characters were particular to the codepage + that was in use with Samba-2.x using an 8-bit encoding scheme. + </p><p> + <a class="indexterm" name="id370016"></a> + Files that are created with Samba-3 will use UTF-8 encoding. Should the file system ever end up with a + mix of codepage (unix charset)-encoded file names and UTF-8-encoded file names, the mess will take some + effort to set straight. + </p><p> + <a class="indexterm" name="id370028"></a> + A very helpful tool is available from Bjorn Jacke's <a href="http://j3e.de/linux/convmv/" target="_top">convmv</a> + work. Convmv is a tool that can be used to convert file and directory names from one encoding method to + another. The most common use for this tool is to convert locale-encoded files to UTF-8 Unicode encoding. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id370045"></a>Updates and Changes in Idealx smbldap-tools</h4></div></div></div><p> + The smbldap-tools have been maturing rapidly over the past year. With maturation comes change. + The location of the <code class="filename">smbldap.conf</code> and the <code class="filename">smbldap_bind.conf</code> + configuration files have been moved from the directory <code class="filename">/etc/smbldap-tools</code> to + the new location of <code class="filename">/etc/opt/IDEALX/smblda-tools</code> directory. + </p><p> + The smbldap-tools maintains an entry in the LDAP directory in which it stores the next + values that should be used for UID and GID allocation for POSIX accounts that are created + using this tool. The DIT location of these values has changed recently. The original + <code class="constant">sambaUnixIdPooldn object</code> entity was stored in a directory entry (DIT object) + called <code class="constant">NextFreeUnixId</code>, this has been changed to the DIT object + <code class="constant">sambaDomainName</code>. Anyone who updates from an older version to the + current release should note that the information stored under <code class="constant">NextFreeUnixId</code> + must now be relocated to the DIT object <code class="constant">sambaDomainName</code>. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370109"></a>Upgrading from Samba 1.x and 2.x to Samba-3</h2></div></div></div><p> +Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3 +may experience little difficulty or may require a lot of effort, depending +on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will +generally be simple and straightforward, although no upgrade should be +attempted without proper planning and preparation. +</p><p> +There are two basic modes of use of Samba versions prior to Samba-3. The first +does not use LDAP, the other does. Samba-1.9.x did not provide LDAP support. +Samba-2.x could be compiled with LDAP support. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeug2"></a>Samba 1.9.x and 2.x Versions Without LDAP</h3></div></div></div><p> + Where it is necessary to upgrade an old Samba installation to Samba-3, + the following procedure can be followed: + </p><div class="procedure"><a name="id370140"></a><p class="title"><b>Procedure 8.1. Upgrading from a Pre-Samba-3 Version</b></p><ol type="1"><li><p> + <a class="indexterm" name="id370151"></a> + <a class="indexterm" name="id370158"></a> + <a class="indexterm" name="id370165"></a> + Stop Samba. This can be done using the appropriate system tool + that is particular for each operating system or by executing the + <code class="literal">kill</code> command on <code class="literal">smbd</code>, + <code class="literal">nmbd</code>, and <code class="literal">winbindd</code>. + </p></li><li><p> + Find the location of the Samba <code class="filename">smb.conf</code> file and back it up to a + safe location. + </p></li><li><p> + Find the location of the <code class="filename">smbpasswd</code> file and + back it up to a safe location. + </p></li><li><p> + Find the location of the <code class="filename">secrets.tdb</code> file and + back it up to a safe location. + </p></li><li><p> + <a class="indexterm" name="id370243"></a> + <a class="indexterm" name="id370250"></a> + <a class="indexterm" name="id370257"></a> + <a class="indexterm" name="id370263"></a> + Find the location of the lock directory. This is the directory + in which Samba stores all its tdb control files. The default + location used by the Samba Team is in + <code class="filename">/usr/local/samba/var/locks</code> directory, + but on Linux systems the old location was under the + <code class="filename">/var/cache/samba</code> directory. However, the + Linux Standards Base specified location is now under the + <code class="filename">/var/lib/samba</code> directory. Copy all the + tdb files to a safe location. + </p></li><li><p> + <a class="indexterm" name="id370298"></a> + It is now safe to upgrade the Samba installation. On Linux systems + it is not necessary to remove the Samba RPMs because a simple + upgrade installation will automatically remove the old files. + </p><p> + On systems that do not support a reliable package management system + it is advisable either to delete the Samba old installation or to + move it out of the way by renaming the directories that contain the + Samba binary files. + </p></li><li><p> + When the Samba upgrade has been installed, the first step that should + be completed is to identify the new target locations for the control + files. Follow the steps shown in <a href="upgrades.html#sbeug1" title="Location of config files">???</a> to locate + the correct directories to which each control file must be moved. + </p></li><li><p> + Do not change the hostname. + </p></li><li><p> + Do not change the workgroup name. + </p></li><li><p> + <a class="indexterm" name="id370347"></a> + Execute the <code class="literal">testparm</code> to validate the <code class="filename">smb.conf</code> file. + This process will flag any parameters that are no longer supported. + It will also flag configuration settings that may be in conflict. + </p><p> + One solution that may be used to clean up and to update the <code class="filename">smb.conf</code> + file involves renaming it to <code class="filename">smb.conf.master</code> and + then executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /etc/samba +<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf +</pre><p> + <a class="indexterm" name="id370401"></a> + The resulting <code class="filename">smb.conf</code> file will be stripped of all comments + and of all nonconforming configuration settings. + </p></li><li><p> + <a class="indexterm" name="id370421"></a> + It is now safe to start Samba using the appropriate system tool. + Alternately, it is possible to just execute <code class="literal">nmbd</code>, + <code class="literal">smbd</code>, and <code class="literal">winbindd</code> for the command + line while logged in as the root user. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id370451"></a>Applicable to All Samba 2.x to Samba-3 Upgrades</h3></div></div></div><p> + <a class="indexterm" name="id370459"></a> + <a class="indexterm" name="id370465"></a> + <a class="indexterm" name="id370472"></a> + Samba 2.x servers that were running as a domain controller (PDC) + require changes to the configuration of the scripting interface + tools that Samba uses to perform OS updates for + users, groups, and trust accounts (machines and interdomain). + </p><p> + <a class="indexterm" name="id370484"></a> + The following parameters are new to Samba-3 and should be correctly configured. + Please refer to <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a> through <a href="2000users.html" title="Chapter 6. A Distributed 2000-User Network">???</a> + in this book for examples of use of the new parameters shown here: + <a class="indexterm" name="id370504"></a> + <a class="indexterm" name="id370510"></a> + <a class="indexterm" name="id370517"></a> + <a class="indexterm" name="id370524"></a> + <a class="indexterm" name="id370531"></a> + <a class="indexterm" name="id370538"></a> + <a class="indexterm" name="id370545"></a> + </p><p> + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>add group script</p></td></tr><tr><td><p>add machine script</p></td></tr><tr><td><p>add user to group script</p></td></tr><tr><td><p>delete group script</p></td></tr><tr><td><p>delete user from group script</p></td></tr><tr><td><p>passdb backend</p></td></tr><tr><td><p>set primary group script</p></td></tr></table><p> + </p><p> + <a class="indexterm" name="id370595"></a> + <a class="indexterm" name="id370602"></a> + The <em class="parameter"><code>add machine script</code></em> functionality was previously + handled by the <em class="parameter"><code>add user script</code></em>, which in Samba-3 is + used exclusively to add user accounts. + </p><p> + <a class="indexterm" name="id370625"></a> + <a class="indexterm" name="id370632"></a> + <a class="indexterm" name="id370639"></a> + <a class="indexterm" name="id370646"></a> + <a class="indexterm" name="id370652"></a> + <a class="indexterm" name="id370659"></a> + <a class="indexterm" name="id370666"></a> + <a class="indexterm" name="id370673"></a> + <a class="indexterm" name="id370680"></a> + Where the <em class="parameter"><code>passdb backend</code></em> used is either <code class="constant">smbpasswd</code> + (the default) or the new <code class="constant">tdbsam</code>, the system interface scripts + are typically used. These involve use of OS tools such as <code class="literal">useradd</code>, + <code class="literal">usermod</code>, <code class="literal">userdel</code>, <code class="literal">groupadd</code>, + <code class="literal">groupmod</code>, <code class="literal">groupdel</code>, and so on. + </p><p> + <a class="indexterm" name="id370739"></a> + <a class="indexterm" name="id370746"></a> + <a class="indexterm" name="id370752"></a> + Where the <em class="parameter"><code>passdb backend</code></em> makes use of an LDAP directory, + it is necessary either to use the <code class="constant">smbldap-tools</code> provided + by Idealx or to use an alternate toolset provided by a third + party or else home-crafted to manage the LDAP directory accounts. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id370773"></a>Samba-2.x with LDAP Support</h3></div></div></div><p> + Samba version 2.x could be compiled for use either with or without LDAP. + The LDAP control settings in the <code class="filename">smb.conf</code> file in this old version are + completely different (and less complete) than they are with Samba-3. This + means that after migrating the control files, it is necessary to reconfigure + the LDAP settings entirely. + </p><p> + Follow the procedure outlined in <a href="upgrades.html#sbeug2" title="Samba 1.9.x and 2.x Versions Without LDAP">???</a> to affect a migration + of all files to the correct locations. + </p><p> + <a class="indexterm" name="id370803"></a> + <a class="indexterm" name="id370809"></a> + The Samba SAM schema required for Samba-3 is significantly different from that + used with Samba 2.x. This means that the LDAP directory must be updated + using the procedure outlined in the Samba WHATSNEW.txt file that accompanies + all releases of Samba-3. This information is repeated here directly from this + file: +</p><pre class="screen"> +This is an extract from the Samba-3.0.x WHATSNEW.txt file: +========================================================== +Changes in Behavior +------------------- + +The following issues are known changes in behavior between Samba 2.2 and +Samba 3.0 that may affect certain installations of Samba. + + 1) When operating as a member of a Windows domain, Samba 2.2 would + map any users authenticated by the remote DC to the 'guest account' + if a uid could not be obtained via the getpwnam() call. Samba 3.0 + rejects the connection as NT_STATUS_LOGON_FAILURE. There is no + current work around to re-establish the 2.2 behavior. + + 2) When adding machines to a Samba 2.2 controlled domain, the + 'add user script' was used to create the UNIX identity of the + machine trust account. Samba 3.0 introduces a new 'add machine + script' that must be specified for this purpose. Samba 3.0 will + not fall back to using the 'add user script' in the absence of + an 'add machine script' + +###################################################################### +Passdb Backends and Authentication +################################## + +There have been a few new changes that Samba administrators should be +aware of when moving to Samba 3.0. + + 1) encrypted passwords have been enabled by default in order to + inter-operate better with out-of-the-box Windows client + installations. This does mean that either (a) a samba account + must be created for each user, or (b) 'encrypt passwords = no' + must be explicitly defined in smb.conf. + + 2) Inclusion of new 'security = ads' option for integration + with an Active Directory domain using the native Windows + Kerberos 5 and LDAP protocols. + + MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption + type which is necessary for servers on which the + administrator password has not been changed, or kerberos-enabled + SMB connections to servers that require Kerberos SMB signing. + Besides this one difference, either MIT or Heimdal Kerberos + distributions are usable by Samba 3.0. + + +Samba 3.0 also includes the possibility of setting up chains +of authentication methods (auth methods) and account storage +backends (passdb backend). Please refer to the smb.conf(5) +man page for details. While both parameters assume sane default +values, it is likely that you will need to understand what the +values actually mean in order to ensure Samba operates correctly. + +The recommended passdb backends at this time are + + * smbpasswd - 2.2 compatible flat file format + * tdbsam - attribute rich database intended as an smbpasswd + replacement for stand alone servers + * ldapsam - attribute rich account storage and retrieval + backend utilizing an LDAP directory. + * ldapsam_compat - a 2.2 backward compatible LDAP account + backend + +Certain functions of the smbpasswd(8) tool have been split between the +new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) +utility. See the respective man pages for details. + +###################################################################### +LDAP +#### + +This section outlines the new features affecting Samba / LDAP +integration. + +New Schema +---------- + +A new object class (sambaSamAccount) has been introduced to replace +the old sambaAccount. This change aids us in the renaming of +attributes to prevent clashes with attributes from other vendors. +There is a conversion script (examples/LDAP/convertSambaAccount) to +modify and LDIF file to the new schema. + +Example: + + $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif + $ convertSambaAccount --sid=<Domain SID> \ + --input=sambaAcct.ldif --output=sambaSamAcct.ldif \ + --changetype=[modify|add] + +The <DOM SID> can be obtained by running 'net getlocalsid +<DOMAINNAME>' on the Samba PDC as root. The changetype determines +the format of the generated LDIF output--either create new entries +or modify existing entries. + +The old sambaAccount schema may still be used by specifying the +"ldapsam_compat" passdb backend. However, the sambaAccount and +associated attributes have been moved to the historical section of +the schema file and must be uncommented before use if needed. +The 2.2 object class declaration for a sambaAccount has not changed +in the 3.0 samba.schema file. + +Other new object classes and their uses include: + + * sambaDomain - domain information used to allocate rids + for users and groups as necessary. The attributes are added + in 'ldap suffix' directory entry automatically if + an idmap uid/gid range has been set and the 'ldapsam' + passdb backend has been selected. + + * sambaGroupMapping - an object representing the + relationship between a posixGroup and a Windows + group/SID. These entries are stored in the 'ldap + group suffix' and managed by the 'net groupmap' command. + + * sambaUnixIdPool - created in the 'ldap idmap suffix' entry + automatically and contains the next available 'idmap uid' and + 'idmap gid' + + * sambaIdmapEntry - object storing a mapping between a + SID and a UNIX uid/gid. These objects are created by the + idmap_ldap module as needed. + + * sambaSidEntry - object representing a SID alone, as a Structural + class on which to build the sambaIdmapEntry. + + +New Suffix for Searching +------------------------ + +The following new smb.conf parameters have been added to aid in directing +certain LDAP queries when 'passdb backend = ldapsam://...' has been +specified. + + * ldap suffix - used to search for user and computer accounts + * ldap user suffix - used to store user accounts + * ldap machine suffix - used to store machine trust accounts + * ldap group suffix - location of posixGroup/sambaGroupMapping entries + * ldap idmap suffix - location of sambaIdmapEntry objects + +If an 'ldap suffix' is defined, it will be appended to all of the +remaining sub-suffix parameters. In this case, the order of the suffix +listings in smb.conf is important. Always place the 'ldap suffix' first +in the list. + +Due to a limitation in Samba's smb.conf parsing, you should not surround +the DN's with quotation marks. +</pre><p> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370887"></a>Updating a Samba-3 Installation</h2></div></div></div><p> +The key concern in this section is to deal with the changes that have been +affected in Samba-3 between the Samba-3.0.0 release and the current update. +Network administrators have expressed concerns over the steps that should be +taken to update Samba-3 versions. +</p><p> +<a class="indexterm" name="id370901"></a> +The information in <a href="upgrades.html#sbeug1" title="Location of config files">???</a> would not be necessary if every +person who has ever produced Samba executable (binary) files could agree on +the preferred location of the <code class="filename">smb.conf</code> file and other Samba control files. +Clearly, such agreement is further away than a pipedream. +</p><p> +<a class="indexterm" name="id370924"></a> +Vendors and packagers who produce Samba binary installable packages do not, +as a rule, use the default paths used by the Samba-Team for the location of +the binary files, the <code class="filename">smb.conf</code> file, and the Samba control files (tdb's +as well as files such as <code class="filename">secrets.tdb</code>). This means that +the network or UNIX administrator who sets out to build the Samba executable +files from the Samba tarball must take particular care. Failure to take care +will result in both the original vendor's version of Samba remaining installed +and the new version being installed in the default location used +by the Samba-Team. This can lead to confusion and to much lost time as the +uninformed administrator deals with apparent failure of the update to take +effect. +</p><p> +<a class="indexterm" name="id370952"></a> +The best advice for those lacking in code compilation experience is to use +only vendor (or Samba-Team) provided binary packages. The Samba packages +that are provided by the Samba-Team are generally built to use file paths +that are compatible with the original OS vendor's practices. +</p><p> +<a class="indexterm" name="id370965"></a> +<a class="indexterm" name="id370972"></a> +If you are not sure whether a binary package complies with the OS +vendor's practices, it is better to ask the package maintainer via +email than to waste much time dealing with the nuances. +Alternately, just diagnose the paths specified by the binary files following +the procedure outlined above. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id370982"></a>Samba-3 to Samba-3 Updates on the Same Server</h3></div></div></div><p> + The guidance in this section deals with updates to an existing + Samba-3 server installation. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id370992"></a>Updating from Samba Versions Earlier than 3.0.5</h4></div></div></div><p> + With the provision that the binary Samba-3 package has been built + with the same path and feature settings as the existing Samba-3 + package that is being updated, an update of Samba-3 versions 3.0.0 + through 3.0.4 can be updated to 3.0.5 without loss of functionality + and without need to change either the <code class="filename">smb.conf</code> file or, where + used, the LDAP schema. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id371011"></a>Updating from Samba Versions between 3.0.6 and 3.0.10</h4></div></div></div><p> + <a class="indexterm" name="id371019"></a> + <a class="indexterm" name="id371026"></a> + When updating versions of Samba-3 prior to 3.0.6 to 3.0.6 through 3.0.10, + it is necessary only to update the LDAP schema (where LDAP is used). + Always use the LDAP schema file that is shipped with the latest Samba-3 + update. + </p><p> + <a class="indexterm" name="id371040"></a> + <a class="indexterm" name="id371047"></a> + <a class="indexterm" name="id371054"></a> + Samba-3.0.6 introduced the ability to remember the last <span class="emphasis"><em>n</em></span> number + of passwords a user has used. This information will work only with + the <code class="constant">tdbsam</code> and <code class="constant">ldapsam</code> + <em class="parameter"><code>passdb backend</code></em> facilities. + </p><p> + After updating the LDAP schema, do not forget to re-index the LDAP database. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id371085"></a>Updating from Samba Versions after 3.0.6 to a Current Release</h4></div></div></div><p> + <a class="indexterm" name="id371093"></a> + Samba-3.0.8 introduced changes in how the <em class="parameter"><code>username map</code></em> + behaves. It also included a change in behavior of <code class="literal">winbindd</code>. + Please refer to the man page for <code class="filename">smb.conf</code> before implementing any update + from versions prior to 3.0.8 to a current version. + </p><p> + <a class="indexterm" name="id371122"></a> + In Samba-3.0.11 a new privileges interface was implemented. Please + refer to <a href="happy.html#sbehap-ppc" title="Addition of Machines to the Domain">???</a> for information regarding this new + feature. It is not necessary to implement the privileges interface, but it + is one that has been requested for several years and thus may be of interest + at your site. + </p><p> + In Samba-3.0.11 there were some functional changes to the <em class="parameter"><code>ldap user + suffix</code></em> and to the <em class="parameter"><code>ldap machine suffix</code></em> behaviors. + The following information has been extracted from the WHATSNEW.txt file from this + release: +</p><pre class="screen"> +============ +LDAP Changes +============ + +If "ldap user suffix" or "ldap machine suffix" are defined in +smb.conf, all user-accounts must reside below the user suffix, +and all machine and inter-domain trust-accounts must be located +below the machine suffix. Previous Samba releases would fall +back to searching the 'ldap suffix' in some cases. +</pre><p> + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id371166"></a>Migrating Samba-3 to a New Server</h3></div></div></div><p> + The two most likely candidates for replacement of a server are + domain member servers and domain controllers. Each needs to be + handled slightly differently. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id371176"></a>Replacing a Domain Member Server</h4></div></div></div><p> + <a class="indexterm" name="id371184"></a> + Replacement of a domain member server should be done + using the same procedure as outlined in <a href="unixclients.html" title="Chapter 7. Adding Domain Member Servers and Clients">???</a>. + </p><p> + Usually the new server will be introduced with a temporary name. After + the old server data has been migrated to the new server, it is customary + that the new server be renamed to that of the old server. This will + change its SID and will necessitate rejoining to the domain. + </p><p> + <a class="indexterm" name="id371207"></a> + <a class="indexterm" name="id371213"></a> + <a class="indexterm" name="id371220"></a> + <a class="indexterm" name="id371227"></a> + <a class="indexterm" name="id371234"></a> + <a class="indexterm" name="id371240"></a> + Following a change of hostname (NetBIOS name) it is a good idea on all servers + to shut down the Samba <code class="literal">smbd</code>, <code class="literal">nmbd</code>, and + <code class="literal">winbindd</code> services, delete the <code class="filename">wins.dat</code> + and <code class="filename">browse.dat</code> files, then restart Samba. This will ensure + that the old name and IP address information is no longer able to interfere with + name to IP address resolution. If this is not done, there can be temporary name + resolution problems. These problems usually clear within 45 minutes of a name + change, but can persist for a longer period of time. + </p><p> + <a class="indexterm" name="id371284"></a> + <a class="indexterm" name="id371290"></a> + <a class="indexterm" name="id371297"></a> + <a class="indexterm" name="id371304"></a> + If the old domain member server had local accounts, it is necessary to create + on the new domain member server the same accounts with the same UID and GID + for each account. Where the <em class="parameter"><code>passdb backend</code></em> database + is stored in the <code class="constant">smbpasswd</code> or in the + <code class="constant">tdbsam</code> format, the user and group account information + for UNIX accounts that match the Samba accounts will reside in the system + <code class="filename">/etc/passwd</code>, <code class="filename">/etc/shadow</code>, and + <code class="filename">/etc/group</code> files. In this case, be sure to copy these + account entries to the new target server. + </p><p> + <a class="indexterm" name="id371349"></a> + Where the user accounts for both UNIX and Samba are stored in LDAP, the new + target server must be configured to use the <code class="literal">nss_ldap</code> tool set. + This will automatically ensure that the appropriate user entities are + available on the new server. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id371366"></a>Replacing a Domain Controller</h4></div></div></div><p> + <a class="indexterm" name="id371373"></a> + In the past, people who replaced a Windows NT4 domain controller typically + installed a new server, created printers and file shares on it, then migrate across + all data that was destined to reside on it. The same can of course be done with + Samba. + </p><p> + From recent mailing list postings it would seem that some administrators + have the intent to just replace the old Samba server with a new one with + the same name as the old one. In this case, simply follow the same process + as for upgrading a Samba 2.x system and do the following: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Where UNIX (POSIX) user and group accounts are stored in the system + <code class="filename">/etc/passwd</code>, <code class="filename">/etc/shadow</code>, and + <code class="filename">/etc/group</code> files, be sure to add the same accounts + with identical UID and GID values for each user. + </p><p> + Where LDAP is used, if the new system is intended to be the LDAP server, + migrate it across by configuring the LDAP server + (<code class="filename">/etc/openldap/slapd.conf</code>). The directory can + be populated either initially by setting this LDAP server up as a slave or + by dumping the data from the old LDAP server using the <code class="literal">slapcat</code> + command and then reloading the same data into the new LDAP server using the + <code class="literal">slapadd</code> command. Do not forget to install and configure + the <code class="literal">nss_ldap</code> tool and the <code class="filename">/etc/nsswitch.conf</code> + (as shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>). + </p></li><li><p> + Copy the <code class="filename">smb.conf</code> file from the old server to the new server into the correct + location as indicated previously in this chapter. + </p></li><li><p> + Copy the <code class="filename">secrets.tdb</code> file, the <code class="filename">smbpasswd</code> + file (if it is used), the <code class="filename">/etc/samba/passdb.tdb</code> file (only + used by the <code class="constant">tdbsam</code> backend), and all the tdb control files + from the old system to the correct location on the new system. + </p></li><li><p> + Before starting the Samba daemons, verify that the hostname of the new server + is identical to that of the old one. Note: The IP address can be different + from that of the old server. + </p></li><li><p> + Copy all files from the old server to the new server, taking precaution to + preserve all file ownership and permissions as well as any POSIX ACLs that + may have been created on the old server. + </p></li></ul></div><p> + When replacing a Samba domain controller (PDC or BDC) that uses LDAP, the new server + need simply be configured to use the LDAP directory, and for the rest it should just + work. The domain SID is obtained from the LDAP directory as part of the first connect + to the LDAP directory server. + </p><p> + All Samba servers, other than one that uses LDAP, depend on the tdb files, and + particularly on the <code class="filename">secrets.tdb</code> file. So long as the tdb files are + all in place, the <code class="filename">smb.conf</code> file is preserved, and either the hostname is identical + or the <em class="parameter"><code>netbios name</code></em> is set to the original server name, Samba + should correctly pick up the original SID and preserve all other settings. It is + sound advice to validate this before turning the system over to users. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id371543"></a>Migration of Samba Accounts to Active Directory</h3></div></div></div><p> + Yes, it works. The Windows ADMT tool can be used to migrate Samba accounts + to MS Active Directory. There are a few pitfalls to be aware of: + </p><div class="procedure"><a name="id371554"></a><p class="title"><b>Procedure 8.2. Migration to Active Directory</b></p><ol type="1"><li><p> + Administrator password must be THE SAME on the Samba server, + the 2003 ADS, and the local Administrator account on the workstations. + Perhaps this goes without saying, but there needs to be an account + called <code class="constant">Administrator</code> in your Samba domain, with + full administrative (root) rights to that domain. + </p></li><li><p> + In the Advanced/DNS section of the TCP/IP settings on your Windows + workstations, make sure the <em class="parameter"><code>DNS suffix for this + connection</code></em> field is blank. + </p></li><li><p> + Because you are migrating from Samba, user passwords cannot be + migrated. You'll have to reset everyone's passwords. (If you were + migrating from NT4 to ADS, you could migrate passwords as well.) + </p><p> + To date this has not been attempted with roaming profile support; + it has been documented as working with local profiles. + </p></li><li><p> + Disable the Windows Firewall on all workstations. Otherwise, + workstations won't be migrated to the new domain. + </p></li><li><p> + <a class="indexterm" name="id371612"></a> + When migrating machines, always test first (using ADMT's test mode) + and satisfy all errors before committing the migration. Note that the + test will always fail, because the machine will not have been actually + migrated. You'll need to interpret the errors to know whether the + failure was due to a problem or simply to the fact that it was just + a test. + </p></li></ol></div><p> + <a class="indexterm" name="id371626"></a> + There are some significant benefits of using the ADMT, besides just + migrating user accounts. ADMT can be found on the Windows 2003 CD. + </p><div class="itemizedlist"><ul type="disc"><li><p> + You can migrate workstations remotely. You can specify that SIDs + be simply added instead of replaced, giving you the option of joining a + workstation back to the old domain if something goes awry. The + workstations will be joined to the new domain. + </p></li><li><p> + Not only are user accounts migrated from the old domain to the new + domain, but ACLs on the workstations are migrated as well. Like SIDs, + ACLs can be added instead of replaced. + </p></li><li><p> + Locally stored user profiles on workstations are migrated as well, + presenting almost no disruption to the user. Saved passwords will be + lost, just as when you administratively reset the password in Windows ADS. + </p></li><li><p> + The ADMT lets you test all operations before actually performing the + migration. Accounts and workstations can be migrated individually or in + batches. User accounts can be safely migrated all at once (since no + changes are made on the original domain). It is recommended to migrate only one + or two workstations as a test before committing them all. + </p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unixclients.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ntmigration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Adding Domain Member Servers and Clients </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. Migrating NT4 Domain to Samba-3</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/CodingSuggestions.html b/docs/htmldocs/Samba3-Developers-Guide/CodingSuggestions.html new file mode 100644 index 0000000000..719c968738 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/CodingSuggestions.html @@ -0,0 +1,143 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Coding Suggestions</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt02.html" title="Part II. Samba Basics"><link rel="prev" href="internals.html" title="Chapter 5. Samba Internals"><link rel="next" href="contributing.html" title="Chapter 7. Contributing code"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Coding Suggestions</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="internals.html">Prev</a> </td><th width="60%" align="center">Part II. Samba Basics</th><td width="20%" align="right"> <a accesskey="n" href="contributing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="CodingSuggestions"></a>Chapter 6. Coding Suggestions</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Steve</span> <span class="surname">French</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Bartlett</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Martin</span> <span class="surname">Pool</span></h3></div></div></div></div><p> +So you want to add code to Samba ... +</p><p> +One of the daunting tasks facing a programmer attempting to write code for +Samba is understanding the various coding conventions used by those most +active in the project. These conventions were mostly unwritten and helped +improve either the portability, stability or consistency of the code. This +document will attempt to document a few of the more important coding +practices used at this time on the Samba project. The coding practices are +expected to change slightly over time, and even to grow as more is learned +about obscure portability considerations. Two existing documents +<code class="filename">samba/source/internals.doc</code> and +<code class="filename">samba/source/architecture.doc</code> provide +additional information. +</p><p> +The loosely related question of coding style is very personal and this +document does not attempt to address that subject, except to say that I +have observed that eight character tabs seem to be preferred in Samba +source. If you are interested in the topic of coding style, two oft-quoted +documents are: +</p><p> +<a href="http://lxr.linux.no/source/Documentation/CodingStyle" target="_top">http://lxr.linux.no/source/Documentation/CodingStyle</a> +</p><p> +<a href="http://www.fsf.org/prep/standards_toc.html" target="_top">http://www.fsf.org/prep/standards_toc.html</a> +</p><p> +But note that coding style in Samba varies due to the many different +programmers who have contributed. +</p><p> +Following are some considerations you should use when adding new code to +Samba. First and foremost remember that: +</p><p> +Portability is a primary consideration in adding function, as is network +compatability with de facto, existing, real world CIFS/SMB implementations. +There are lots of platforms that Samba builds on so use caution when adding +a call to a library function that is not invoked in existing Samba code. +Also note that there are many quite different SMB/CIFS clients that Samba +tries to support, not all of which follow the SNIA CIFS Technical Reference +(or the earlier Microsoft reference documents or the X/Open book on the SMB +Standard) perfectly. +</p><p> +Here are some other suggestions: +</p><div class="orderedlist"><ol type="1"><li><p> + use d_printf instead of printf for display text + reason: enable auto-substitution of translated language text +</p></li><li><p> + use SAFE_FREE instead of free + reason: reduce traps due to null pointers +</p></li><li><p> + don't use bzero use memset, or ZERO_STRUCT and ZERO_STRUCTP macros + reason: not POSIX +</p></li><li><p> + don't use strcpy and strlen (use safe_* equivalents) + reason: to avoid traps due to buffer overruns +</p></li><li><p> + don't use getopt_long, use popt functions instead + reason: portability +</p></li><li><p> + explicitly add const qualifiers on parm passing in functions where parm + is input only (somewhat controversial but const can be #defined away) +</p></li><li><p> + when passing a va_list as an arg, or assigning one to another + please use the VA_COPY() macro + reason: on some platforms, va_list is a struct that must be + initialized in each function...can SEGV if you don't. +</p></li><li><p> + discourage use of threads + reason: portability (also see architecture.doc) +</p></li><li><p> + don't explicitly include new header files in C files - new h files + should be included by adding them once to includes.h + reason: consistency +</p></li><li><p> + don't explicitly extern functions (they are autogenerated by + "make proto" into proto.h) + reason: consistency +</p></li><li><p> + use endian safe macros when unpacking SMBs (see byteorder.h and + internals.doc) + reason: not everyone uses Intel +</p></li><li><p> + Note Unicode implications of charset handling (see internals.doc). See + pull_* and push_* and convert_string functions. + reason: Internationalization +</p></li><li><p> + Don't assume English only + reason: See above +</p></li><li><p> + Try to avoid using in/out parameters (functions that return data which + overwrites input parameters) + reason: Can cause stability problems +</p></li><li><p> + Ensure copyright notices are correct, don't append Tridge's name to code + that he didn't write. If you did not write the code, make sure that it + can coexist with the rest of the Samba GPLed code. +</p></li><li><p> + Consider usage of DATA_BLOBs for length specified byte-data. + reason: stability +</p></li><li><p> + Take advantage of tdbs for database like function + reason: consistency +</p></li><li><p> + Don't access the SAM_ACCOUNT structure directly, they should be accessed + via pdb_get...() and pdb_set...() functions. + reason: stability, consistency +</p></li><li><p> + Don't check a password directly against the passdb, always use the + check_password() interface. + reason: long term pluggability +</p></li><li><p> + Try to use asprintf rather than pstrings and fstrings where possible +</p></li><li><p> + Use normal C comments / * instead of C++ comments // like + this. Although the C++ comment format is part of the C99 + standard, some older vendor C compilers do not accept it. +</p></li><li><p> + Try to write documentation for API functions and structures + explaining the point of the code, the way it should be used, and + any special conditions or results. Mark these with a double-star + comment start / ** so that they can be picked up by Doxygen, as in + this file. +</p></li><li><p> + Keep the scope narrow. This means making functions/variables + static whenever possible. We don't want our namespace + polluted. Each module should have a minimal number of externally + visible functions or variables. +</p></li><li><p> + Use function pointers to keep knowledge about particular pieces of + code isolated in one place. We don't want a particular piece of + functionality to be spread out across lots of places - that makes + for fragile, hand to maintain code. Instead, design an interface + and use tables containing function pointers to implement specific + functionality. This is particularly important for command + interpreters. +</p></li><li><p> + Think carefully about what it will be like for someone else to add + to and maintain your code. If it would be hard for someone else to + maintain then do it another way. +</p></li></ol></div><p> +The suggestions above are simply that, suggestions, but the information may +help in reducing the routine rework done on new code. The preceeding list +is expected to change routinely as new support routines and macros are +added. +</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="internals.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt02.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="contributing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Samba Internals </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Contributing code</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/Packaging.html b/docs/htmldocs/Samba3-Developers-Guide/Packaging.html new file mode 100644 index 0000000000..808cd246ae --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/Packaging.html @@ -0,0 +1,19 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Notes to packagers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt05.html" title="Part V. Appendices"><link rel="prev" href="pt05.html" title="Part V. Appendices"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Notes to packagers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pt05.html">Prev</a> </td><th width="60%" align="center">Part V. Appendices</th><td width="20%" align="right"> </td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Packaging"></a>Chapter 16. Notes to packagers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="surname">Vernooij</span></h3></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Packaging.html#id334515">Versioning</a></span></dt><dt><span class="sect1"><a href="Packaging.html#id334540">Modules</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334515"></a>Versioning</h2></div></div></div><p> +Please, please update the version number in <code class="filename">source/include/version.h</code> to include the +versioning of your package. This makes it easier to distinguish standard samba builds from custom-build samba +builds (distributions often patch packages). For example, a good version would be: +</p><pre class="programlisting"> +Version 2.999+3.0.alpha21-5 for Debian +</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334540"></a>Modules</h2></div></div></div><p> +Samba3 has support for building parts of samba as plugins. This makes it possible to, for example, +put ldap or mysql support in a separate package, thus making it possible to have a normal samba package not +depending on ldap or mysql. To build as much parts of samba as a plugin, run: +</p><p> +The option <code class="literal">--with-shared-modules</code> is maintained to support specific modules such as +idmap_XXX and vfs_XXX. For example, <code class="literal">--with-shared-modules=idmap_ad</code>. Use of this parameter +to the <code class="literal">configure</code> command as not been supported in official releases. +</p><p> +</p><pre class="programlisting"> +./configure --with-shared-modules=rpc,vfs,auth,pdb,charset +</pre><p> +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pt05.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt05.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Part V. Appendices </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/architecture.html b/docs/htmldocs/Samba3-Developers-Guide/architecture.html new file mode 100644 index 0000000000..4fe9dbcc7d --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/architecture.html @@ -0,0 +1,102 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Samba Architecture</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt02.html" title="Part II. Samba Basics"><link rel="prev" href="pt02.html" title="Part II. Samba Basics"><link rel="next" href="debug.html" title="Chapter 4. The samba DEBUG system"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Samba Architecture</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pt02.html">Prev</a> </td><th width="60%" align="center">Part II. Samba Basics</th><td width="20%" align="right"> <a accesskey="n" href="debug.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="architecture"></a>Chapter 3. Samba Architecture</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3></div></div><div><p class="pubdate"> November 1997</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="architecture.html#id330081">Introduction</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330120">Multithreading and Samba</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330145">Threading smbd</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330198">Threading nmbd</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330230">nbmd Design</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330081"></a>Introduction</h2></div></div></div><p> +This document gives a general overview of how Samba works +internally. The Samba Team has tried to come up with a model which is +the best possible compromise between elegance, portability, security +and the constraints imposed by the very messy SMB and CIFS +protocol. +</p><p> +It also tries to answer some of the frequently asked questions such as: +</p><div class="orderedlist"><ol type="1"><li><p> + Is Samba secure when running on Unix? The xyz platform? + What about the root priveliges issue? +</p></li><li><p>Pros and cons of multithreading in various parts of Samba</p></li><li><p>Why not have a separate process for name resolution, WINS, and browsing?</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330120"></a>Multithreading and Samba</h2></div></div></div><p> +People sometimes tout threads as a uniformly good thing. They are very +nice in their place but are quite inappropriate for smbd. nmbd is +another matter, and multi-threading it would be very nice. +</p><p> +The short version is that smbd is not multithreaded, and alternative +servers that take this approach under Unix (such as Syntax, at the +time of writing) suffer tremendous performance penalties and are less +robust. nmbd is not threaded either, but this is because it is not +possible to do it while keeping code consistent and portable across 35 +or more platforms. (This drawback also applies to threading smbd.) +</p><p> +The longer versions is that there are very good reasons for not making +smbd multi-threaded. Multi-threading would actually make Samba much +slower, less scalable, less portable and much less robust. The fact +that we use a separate process for each connection is one of Samba's +biggest advantages. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330145"></a>Threading smbd</h2></div></div></div><p> +A few problems that would arise from a threaded smbd are: +</p><div class="orderedlist"><ol type="1"><li><p> + It's not only to create threads instead of processes, but you + must care about all variables if they have to be thread specific + (currently they would be global). +</p></li><li><p> + if one thread dies (eg. a seg fault) then all threads die. We can + immediately throw robustness out the window. +</p></li><li><p> + many of the system calls we make are blocking. Non-blocking + equivalents of many calls are either not available or are awkward (and + slow) to use. So while we block in one thread all clients are + waiting. Imagine if one share is a slow NFS filesystem and the others + are fast, we will end up slowing all clients to the speed of NFS. +</p></li><li><p> + you can't run as a different uid in different threads. This means + we would have to switch uid/gid on _every_ SMB packet. It would be + horrendously slow. +</p></li><li><p> + the per process file descriptor limit would mean that we could only + support a limited number of clients. +</p></li><li><p> + we couldn't use the system locking calls as the locking context of + fcntl() is a process, not a thread. +</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330198"></a>Threading nmbd</h2></div></div></div><p> +This would be ideal, but gets sunk by portability requirements. +</p><p> +Andrew tried to write a test threads library for nmbd that used only +ansi-C constructs (using setjmp and longjmp). Unfortunately some OSes +defeat this by restricting longjmp to calling addresses that are +shallower than the current address on the stack (apparently AIX does +this). This makes a truly portable threads library impossible. So to +support all our current platforms we would have to code nmbd both with +and without threads, and as the real aim of threads is to make the +code clearer we would not have gained anything. (it is a myth that +threads make things faster. threading is like recursion, it can make +things clear but the same thing can always be done faster by some +other method) +</p><p> +Chris tried to spec out a general design that would abstract threading +vs separate processes (vs other methods?) and make them accessible +through some general API. This doesn't work because of the data +sharing requirements of the protocol (packets in the future depending +on packets now, etc.) At least, the code would work but would be very +clumsy, and besides the fork() type model would never work on Unix. (Is there an OS that it would work on, for nmbd?) +</p><p> +A fork() is cheap, but not nearly cheap enough to do on every UDP +packet that arrives. Having a pool of processes is possible but is +nasty to program cleanly due to the enormous amount of shared data (in +complex structures) between the processes. We can't rely on each +platform having a shared memory system. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330230"></a>nbmd Design</h2></div></div></div><p> +Originally Andrew used recursion to simulate a multi-threaded +environment, which use the stack enormously and made for really +confusing debugging sessions. Luke Leighton rewrote it to use a +queuing system that keeps state information on each packet. The +first version used a single structure which was used by all the +pending states. As the initialisation of this structure was +done by adding arguments, as the functionality developed, it got +pretty messy. So, it was replaced with a higher-order function +and a pointer to a user-defined memory block. This suddenly +made things much simpler: large numbers of functions could be +made static, and modularised. This is the same principle as used +in NT's kernel, and achieves the same effect as threads, but in +a single process. +</p><p> +Then Jeremy rewrote nmbd. The packet data in nmbd isn't what's on the +wire. It's a nice format that is very amenable to processing but still +keeps the idea of a distinct packet. See "struct packet_struct" in +nameserv.h. It has all the detail but none of the on-the-wire +mess. This makes it ideal for using in disk or memory-based databases +for browsing and WINS support. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pt02.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt02.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="debug.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Samba Basics </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The samba DEBUG system</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/contributing.html b/docs/htmldocs/Samba3-Developers-Guide/contributing.html new file mode 100644 index 0000000000..25353bef34 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/contributing.html @@ -0,0 +1,41 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Contributing code</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt02.html" title="Part II. Samba Basics"><link rel="prev" href="CodingSuggestions.html" title="Chapter 6. Coding Suggestions"><link rel="next" href="modules.html" title="Chapter 8. Modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Contributing code</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CodingSuggestions.html">Prev</a> </td><th width="60%" align="center">Part II. Samba Basics</th><td width="20%" align="right"> <a accesskey="n" href="modules.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="contributing"></a>Chapter 7. Contributing code</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div></div></div><p>Here are a few tips and notes that might be useful if you are + interested in modifying samba source code and getting it into + samba's main branch.</p><div class="variablelist"><dl><dt><span class="term">Retrieving the source</span></dt><dd><p>In order to contribute code to samba, make sure you have the + latest source. Retrieving the samba source code from CVS is + documented in the appendix of the Samba HOWTO Collection. + </p></dd><dt><span class="term">Discuss large modifications with team members</span></dt><dd><p>Please discuss large modifications you are going to make + with members of the samba team. Some parts of the samba code + have one or more 'owners' - samba developers who wrote most + of the code and maintain it. + </p><p>This way you can avoid spending your time and effort on + something that is not going to make it into the main samba branch + because someone else was working on the same thing or because your + implementation is not the correct one. + </p></dd><dt><span class="term">Patch format</span></dt><dd><p>Patches to the samba tree should be in unified diff format, + e.g. files generated by <strong class="userinput"><code>diff -u</code></strong>. + </p><p>If you are modifying a copy of samba you retrieved from CVS, + you can easily generate a diff file of these changes by running + <strong class="userinput"><code>cvs diff -u</code></strong>.</p></dd><dt><span class="term">Points of attention when modifying samba source code</span></dt><dd><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>Don't simply copy code from other places and modify it until it + works. Code needs to be clean and logical. Duplicate + code is to be avoided.</p></li><li><p>Test your patch. It might take a while before one of us looks + at your patch so it will take longer before your patch when your patch + needs to go thru the review cycle again.</p></li><li><p>Don't put separate patches in one large diff file. This makes + it harder to read, understand and test the patch. You might + also risk not getting a good patch committed because you mixed it + with one that had issues. </p></li><li><p>Make sure your patch complies to the samba coding style as + suggested in the coding-suggestions chapter. </p></li></ul></div><p> + </p></dd><dt><span class="term">Sending in bugfixes</span></dt><dd><p>Bugfixes to bugs in samba should be submitted to samba's + <a href="https://bugzilla.samba.org/" target="_top">bugzilla system</a>, + along with a description of the bug. + </p></dd><dt><span class="term">Sending in feature patches</span></dt><dd><p>Send feature patches along with a description of what the + patch is supposed to do to the + <a href="mailto:samba-technical@samba.org" target="_top">Samba-technical mailinglist</a> and possibly to a samba team member who is (one of the) 'owners' + of the code you made modifications to. We are all busy people + so everybody tends to 'let one of the others handle it'. If nobody + responded to your patch for a week, try to send it again until you + get a response from one of us. + </p></dd><dt><span class="term">Feedback on your patch</span></dt><dd><p>One of the team members will look at your patch and either + commit your patch or give comments why he won't apply it. In the + latter case you can fix your patch and re-send it until + your patch is approved.</p></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CodingSuggestions.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt02.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="modules.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 6. Coding Suggestions </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Modules</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/debug.html b/docs/htmldocs/Samba3-Developers-Guide/debug.html new file mode 100644 index 0000000000..f56fe13b6c --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/debug.html @@ -0,0 +1,180 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. The samba DEBUG system</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt02.html" title="Part II. Samba Basics"><link rel="prev" href="architecture.html" title="Chapter 3. Samba Architecture"><link rel="next" href="internals.html" title="Chapter 5. Samba Internals"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. The samba DEBUG system</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="architecture.html">Prev</a> </td><th width="60%" align="center">Part II. Samba Basics</th><td width="20%" align="right"> <a accesskey="n" href="internals.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="debug"></a>Chapter 4. The samba DEBUG system</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Chris</span> <span class="surname">Hertel</span></h3></div></div><div><p class="pubdate">July 1998</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="debug.html#id330279">New Output Syntax</a></span></dt><dt><span class="sect1"><a href="debug.html#id330374">The DEBUG() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330466">The DEBUGADD() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330498">The DEBUGLVL() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330576">New Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="debug.html#id330582">dbgtext()</a></span></dt><dt><span class="sect2"><a href="debug.html#id330595">dbghdr()</a></span></dt><dt><span class="sect2"><a href="debug.html#id330612">format_debug_text()</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330279"></a>New Output Syntax</h2></div></div></div><p> + The syntax of a debugging log file is represented as: +</p><pre class="programlisting"> + >debugfile< :== { >debugmsg< } + + >debugmsg< :== >debughdr< '\n' >debugtext< + + >debughdr< :== '[' TIME ',' LEVEL ']' FILE ':' [FUNCTION] '(' LINE ')' + + >debugtext< :== { >debugline< } + + >debugline< :== TEXT '\n' +</pre><p> +TEXT is a string of characters excluding the newline character. +</p><p> +LEVEL is the DEBUG level of the message (an integer in the range + 0..10). +</p><p> +TIME is a timestamp. +</p><p> +FILE is the name of the file from which the debug message was +generated. +</p><p> +FUNCTION is the function from which the debug message was generated. +</p><p> +LINE is the line number of the debug statement that generated the +message. +</p><p>Basically, what that all means is:</p><div class="orderedlist"><ol type="1"><li><p> +A debugging log file is made up of debug messages. +</p></li><li><p> +Each debug message is made up of a header and text. The header is +separated from the text by a newline. +</p></li><li><p> +The header begins with the timestamp and debug level of the +message enclosed in brackets. The filename, function, and line +number at which the message was generated follow. The filename is +terminated by a colon, and the function name is terminated by the +parenthesis which contain the line number. Depending upon the +compiler, the function name may be missing (it is generated by the +__FUNCTION__ macro, which is not universally implemented, dangit). +</p></li><li><p> +The message text is made up of zero or more lines, each terminated +by a newline. +</p></li></ol></div><p>Here's some example output:</p><pre class="programlisting"> + [1998/08/03 12:55:25, 1] nmbd.c:(659) + Netbios nameserver version 1.9.19-prealpha started. + Copyright Andrew Tridgell 1994-1997 + [1998/08/03 12:55:25, 3] loadparm.c:(763) + Initializing global parameters +</pre><p> +Note that in the above example the function names are not listed on +the header line. That's because the example above was generated on an +SGI Indy, and the SGI compiler doesn't support the __FUNCTION__ macro. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330374"></a>The DEBUG() Macro</h2></div></div></div><p> +Use of the DEBUG() macro is unchanged. DEBUG() takes two parameters. +The first is the message level, the second is the body of a function +call to the Debug1() function. +</p><p>That's confusing.</p><p>Here's an example which may help a bit. If you would write</p><pre class="programlisting"> +printf( "This is a %s message.\n", "debug" ); +</pre><p> +to send the output to stdout, then you would write +</p><pre class="programlisting"> +DEBUG( 0, ( "This is a %s message.\n", "debug" ) ); +</pre><p> +to send the output to the debug file. All of the normal printf() +formatting escapes work. +</p><p> +Note that in the above example the DEBUG message level is set to 0. +Messages at level 0 always print. Basically, if the message level is +less than or equal to the global value DEBUGLEVEL, then the DEBUG +statement is processed. +</p><p> +The output of the above example would be something like: +</p><pre class="programlisting"> + [1998/07/30 16:00:51, 0] file.c:function(128) + This is a debug message. +</pre><p> +Each call to DEBUG() creates a new header *unless* the output produced +by the previous call to DEBUG() did not end with a '\n'. Output to the +debug file is passed through a formatting buffer which is flushed +every time a newline is encountered. If the buffer is not empty when +DEBUG() is called, the new input is simply appended. +</p><p> +...but that's really just a Kludge. It was put in place because +DEBUG() has been used to write partial lines. Here's a simple (dumb) +example of the kind of thing I'm talking about: +</p><pre class="programlisting"> + DEBUG( 0, ("The test returned " ) ); + if( test() ) + DEBUG(0, ("True") ); + else + DEBUG(0, ("False") ); + DEBUG(0, (".\n") ); +</pre><p> +Without the format buffer, the output (assuming test() returned true) +would look like this: +</p><pre class="programlisting"> + [1998/07/30 16:00:51, 0] file.c:function(256) + The test returned + [1998/07/30 16:00:51, 0] file.c:function(258) + True + [1998/07/30 16:00:51, 0] file.c:function(261) + . +</pre><p>Which isn't much use. The format buffer kludge fixes this problem. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330466"></a>The DEBUGADD() Macro</h2></div></div></div><p> +In addition to the kludgey solution to the broken line problem +described above, there is a clean solution. The DEBUGADD() macro never +generates a header. It will append new text to the current debug +message even if the format buffer is empty. The syntax of the +DEBUGADD() macro is the same as that of the DEBUG() macro. +</p><pre class="programlisting"> + DEBUG( 0, ("This is the first line.\n" ) ); + DEBUGADD( 0, ("This is the second line.\nThis is the third line.\n" ) ); +</pre><p>Produces</p><pre class="programlisting"> + [1998/07/30 16:00:51, 0] file.c:function(512) + This is the first line. + This is the second line. + This is the third line. +</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330498"></a>The DEBUGLVL() Macro</h2></div></div></div><p> +One of the problems with the DEBUG() macro was that DEBUG() lines +tended to get a bit long. Consider this example from +nmbd_sendannounce.c: +</p><pre class="programlisting"> + DEBUG(3,("send_local_master_announcement: type %x for name %s on subnet %s for workgroup %s\n", + type, global_myname, subrec->subnet_name, work->work_group)); +</pre><p> +One solution to this is to break it down using DEBUG() and DEBUGADD(), +as follows: +</p><pre class="programlisting"> + DEBUG( 3, ( "send_local_master_announcement: " ) ); + DEBUGADD( 3, ( "type %x for name %s ", type, global_myname ) ); + DEBUGADD( 3, ( "on subnet %s ", subrec->subnet_name ) ); + DEBUGADD( 3, ( "for workgroup %s\n", work->work_group ) ); +</pre><p> +A similar, but arguably nicer approach is to use the DEBUGLVL() macro. +This macro returns True if the message level is less than or equal to +the global DEBUGLEVEL value, so: +</p><pre class="programlisting"> + if( DEBUGLVL( 3 ) ) + { + dbgtext( "send_local_master_announcement: " ); + dbgtext( "type %x for name %s ", type, global_myname ); + dbgtext( "on subnet %s ", subrec->subnet_name ); + dbgtext( "for workgroup %s\n", work->work_group ); + } +</pre><p>(The dbgtext() function is explained below.)</p><p>There are a few advantages to this scheme:</p><div class="orderedlist"><ol type="1"><li><p> +The test is performed only once. +</p></li><li><p> +You can allocate variables off of the stack that will only be used +within the DEBUGLVL() block. +</p></li><li><p> +Processing that is only relevant to debug output can be contained +within the DEBUGLVL() block. +</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330576"></a>New Functions</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330582"></a>dbgtext()</h3></div></div></div><p> +This function prints debug message text to the debug file (and +possibly to syslog) via the format buffer. The function uses a +variable argument list just like printf() or Debug1(). The +input is printed into a buffer using the vslprintf() function, +and then passed to format_debug_text(). + +If you use DEBUGLVL() you will probably print the body of the +message using dbgtext(). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330595"></a>dbghdr()</h3></div></div></div><p> +This is the function that writes a debug message header. +Headers are not processed via the format buffer. Also note that +if the format buffer is not empty, a call to dbghdr() will not +produce any output. See the comments in dbghdr() for more info. +</p><p> +It is not likely that this function will be called directly. It +is used by DEBUG() and DEBUGADD(). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330612"></a>format_debug_text()</h3></div></div></div><p> +This is a static function in debug.c. It stores the output text +for the body of the message in a buffer until it encounters a +newline. When the newline character is found, the buffer is +written to the debug file via the Debug1() function, and the +buffer is reset. This allows us to add the indentation at the +beginning of each line of the message body, and also ensures +that the output is written a line at a time (which cleans up +syslog output). +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="architecture.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt02.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="internals.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Samba Architecture </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Samba Internals</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/devprinting.html b/docs/htmldocs/Samba3-Developers-Guide/devprinting.html new file mode 100644 index 0000000000..a68cce597c --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/devprinting.html @@ -0,0 +1,215 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. Samba Printing Internals</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt04.html" title="Part IV. Debugging and tracing"><link rel="prev" href="tracing.html" title="Chapter 14. Tracing samba system calls"><link rel="next" href="pt05.html" title="Part V. Appendices"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. Samba Printing Internals</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="tracing.html">Prev</a> </td><th width="60%" align="center">Part IV. Debugging and tracing</th><td width="20%" align="right"> <a accesskey="n" href="pt05.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="devprinting"></a>Chapter 15. Samba Printing Internals</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="surname">Carter</span></h3></div></div><div><p class="pubdate">October 2002</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="devprinting.html#id334024">Abstract</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334035"> +Printing Interface to Various Back ends +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334109"> +Print Queue TDB's +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334247"> +ChangeID and Client Caching of Printer Information +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334258"> +Windows NT/2K Printer Change Notify +</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334024"></a>Abstract</h2></div></div></div><p> +The purpose of this document is to provide some insight into +Samba's printing functionality and also to describe the semantics +of certain features of Windows client printing. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334035"></a> +Printing Interface to Various Back ends +</h2></div></div></div><p> +Samba uses a table of function pointers to seven functions. The +function prototypes are defined in the <code class="varname">printif</code> structure declared +in <code class="filename">printing.h</code>. +</p><div class="itemizedlist"><ul type="disc"><li><p>retrieve the contents of a print queue</p></li><li><p>pause the print queue</p></li><li><p>resume a paused print queue</p></li><li><p>delete a job from the queue</p></li><li><p>pause a job in the print queue</p></li><li><p>result a paused print job in the queue</p></li><li><p>submit a job to the print queue</p></li></ul></div><p> +Currently there are only two printing back end implementations +defined. +</p><div class="itemizedlist"><ul type="disc"><li><p>a generic set of functions for working with standard UNIX + printing subsystems</p></li><li><p>a set of CUPS specific functions (this is only enabled if + the CUPS libraries were located at compile time).</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334109"></a> +Print Queue TDB's +</h2></div></div></div><p> +Samba provides periodic caching of the output from the "lpq command" +for performance reasons. This cache time is configurable in seconds. +Obviously the longer the cache time the less often smbd will be +required to exec a copy of lpq. However, the accuracy of the print +queue contents displayed to clients will be diminished as well. +</p><p> +The list of currently opened print queue TDB's can be found +be examining the list of tdb_print_db structures ( see print_db_head +in printing.c ). A queue TDB is opened using the wrapper function +printing.c:get_print_db_byname(). The function ensures that smbd +does not open more than MAX_PRINT_DBS_OPEN in an effort to prevent +a large print server from exhausting all available file descriptors. +If the number of open queue TDB's exceeds the MAX_PRINT_DBS_OPEN +limit, smbd falls back to a most recently used algorithm for maintaining +a list of open TDB's. +</p><p> +There are two ways in which a a print job can be entered into +a print queue's TDB. The first is to submit the job from a Windows +client which will insert the job information directly into the TDB. +The second method is to have the print job picked up by executing the +"lpq command". +</p><pre class="programlisting"> +/* included from printing.h */ +struct printjob { + pid_t pid; /* which process launched the job */ + int sysjob; /* the system (lp) job number */ + int fd; /* file descriptor of open file if open */ + time_t starttime; /* when the job started spooling */ + int status; /* the status of this job */ + size_t size; /* the size of the job so far */ + int page_count; /* then number of pages so far */ + BOOL spooled; /* has it been sent to the spooler yet? */ + BOOL smbjob; /* set if the job is a SMB job */ + fstring filename; /* the filename used to spool the file */ + fstring jobname; /* the job name given to us by the client */ + fstring user; /* the user who started the job */ + fstring queuename; /* service number of printer for this job */ + NT_DEVICEMODE *nt_devmode; +}; +</pre><p> +The current manifestation of the printjob structure contains a field +for the UNIX job id returned from the "lpq command" and a Windows job +ID (32-bit bounded by PRINT_MAX_JOBID). When a print job is returned +by the "lpq command" that does not match an existing job in the queue's +TDB, a 32-bit job ID above the <*vance doesn't know what word is missing here*> is generating by adding UNIX_JOB_START to +the id reported by lpq. +</p><p> +In order to match a 32-bit Windows jobid onto a 16-bit lanman print job +id, smbd uses an in memory TDB to match the former to a number appropriate +for old lanman clients. +</p><p> +When updating a print queue, smbd will perform the following +steps ( refer to <code class="filename">print.c:print_queue_update()</code> ): +</p><div class="orderedlist"><ol type="1"><li><p>Check to see if another smbd is currently in + the process of updating the queue contents by checking the pid + stored in <code class="constant">LOCK/<em class="replaceable"><code>printer_name</code></em></code>. + If so, then do not update the TDB.</p></li><li><p>Lock the mutex entry in the TDB and store our own pid. + Check that this succeeded, else fail.</p></li><li><p>Store the updated time stamp for the new cache + listing</p></li><li><p>Retrieve the queue listing via "lpq command"</p></li><li><pre class="programlisting"> + foreach job in the queue + { + if the job is a UNIX job, create a new entry; + if the job has a Windows based jobid, then + { + Lookup the record by the jobid; + if the lookup failed, then + treat it as a UNIX job; + else + update the job status only + } + }</pre></li><li><p>Delete any jobs in the TDB that are not + in the in the lpq listing</p></li><li><p>Store the print queue status in the TDB</p></li><li><p>update the cache time stamp again</p></li></ol></div><p> +Note that it is the contents of this TDB that is returned to Windows +clients and not the actual listing from the "lpq command". +</p><p> +The NT_DEVICEMODE stored as part of the printjob structure is used to +store a pointer to a non-default DeviceMode associated with the print +job. The pointer will be non-null when the client included a Device +Mode in the OpenPrinterEx() call and subsequently submitted a job for +printing on that same handle. If the client did not include a Device +Mode in the OpenPrinterEx() request, the nt_devmode field is NULL +and the job has the printer's device mode associated with it by default. +</p><p> +Only non-default Device Mode are stored with print jobs in the print +queue TDB. Otherwise, the Device Mode is obtained from the printer +object when the client issues a GetJob(level == 2) request. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334247"></a> +ChangeID and Client Caching of Printer Information +</h2></div></div></div><p> +[To be filled in later] +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334258"></a> +Windows NT/2K Printer Change Notify +</h2></div></div></div><p> +When working with Windows NT+ clients, it is possible for a +print server to use RPC to send asynchronous change notification +events to clients for certain printer and print job attributes. +This can be useful when the client needs to know that a new +job has been added to the queue for a given printer or that the +driver for a printer has been changed. Note that this is done +entirely orthogonal to cache updates based on a new ChangeID for +a printer object. +</p><p> +The basic set of RPC's used to implement change notification are +</p><div class="itemizedlist"><ul type="disc"><li><p>RemoteFindFirstPrinterChangeNotifyEx ( RFFPCN )</p></li><li><p>RemoteFindNextPrinterChangeNotifyEx ( RFNPCN )</p></li><li><p>FindClosePrinterChangeNotify( FCPCN )</p></li><li><p>ReplyOpenPrinter</p></li><li><p>ReplyClosePrinter</p></li><li><p>RouteRefreshPrinterChangeNotify ( RRPCN )</p></li></ul></div><p> +One additional RPC is available to a server, but is never used by the +Windows spooler service: +</p><div class="itemizedlist"><ul type="disc"><li><p>RouteReplyPrinter()</p></li></ul></div><p> +The opnum for all of these RPC's are defined in include/rpc_spoolss.h +</p><p> +Windows NT print servers use a bizarre method of sending print +notification event to clients. The process of registering a new change +notification handle is as follows. The 'C' is for client and the +'S' is for server. All error conditions have been eliminated. +</p><pre class="programlisting"> +C: Obtain handle to printer or to the printer + server via the standard OpenPrinterEx() call. +S: Respond with a valid handle to object + +C: Send a RFFPCN request with the previously obtained + handle with either (a) set of flags for change events + to monitor, or (b) a PRINTER_NOTIFY_OPTIONS structure + containing the event information to monitor. The windows + spooler has only been observed to use (b). +S: The <* another missing word*> opens a new TCP session to the client (thus requiring + all print clients to be CIFS servers as well) and sends + a ReplyOpenPrinter() request to the client. +C: The client responds with a printer handle that can be used to + send event notification messages. +S: The server replies success to the RFFPCN request. + +C: The windows spooler follows the RFFPCN with a RFNPCN + request to fetch the current values of all monitored + attributes. +S: The server replies with an array SPOOL_NOTIFY_INFO_DATA + structures (contained in a SPOOL_NOTIFY_INFO structure). + +C: If the change notification handle is ever released by the + client via a FCPCN request, the server sends a ReplyClosePrinter() + request back to the client first. However a request of this + nature from the client is often an indication that the previous + notification event was not marshalled correctly by the server + or a piece of data was wrong. +S: The server closes the internal change notification handle + (POLICY_HND) and does not send any further change notification + events to the client for that printer or job. +</pre><p> +The current list of notification events supported by Samba can be +found by examining the internal tables in srv_spoolss_nt.c +</p><div class="itemizedlist"><ul type="disc"><li><p>printer_notify_table[]</p></li><li><p>job_notify_table[]</p></li></ul></div><p> +When an event occurs that could be monitored, smbd sends a message +to itself about the change. The list of events to be transmitted +are queued by the smbd process sending the message to prevent an +overload of TDB usage and the internal message is sent during smbd's +idle loop (refer to printing/notify.c and the functions +send_spoolss_notify2_msg() and print_notify_send_messages() ). +</p><p> +The decision of whether or not the change is to be sent to connected +clients is made by the routine which actually sends the notification. +( refer to srv_spoolss_nt.c:recieve_notify2_message() ). +</p><p> +Because it possible to receive a listing of multiple changes for +multiple printers, the notification events must be split into +categories by the printer name. This makes it possible to group +multiple change events to be sent in a single RPC according to the +printer handle obtained via a ReplyOpenPrinter(). +</p><p> +The actual change notification is performed using the RRPCN request +RPC. This packet contains +</p><div class="itemizedlist"><ul type="disc"><li><p>the printer handle registered with the +client's spooler on which the change occurred</p></li><li><p>The change_low value which was sent as part +of the last RFNPCN request from the client</p></li><li><p>The SPOOL_NOTIFY_INFO container with the event +information</p></li></ul></div><p> +A <code class="varname">SPOOL_NOTIFY_INFO</code> contains: +</p><div class="itemizedlist"><ul type="disc"><li><p>the version and flags field are predefined +and should not be changed</p></li><li><p>The count field is the number of entries +in the SPOOL_NOTIFY_INFO_DATA array</p></li></ul></div><p> +The <code class="varname">SPOOL_NOTIFY_INFO_DATA</code> entries contain: +</p><div class="itemizedlist"><ul type="disc"><li><p>The type defines whether or not this event +is for a printer or a print job</p></li><li><p>The field is the flag identifying the event</p></li><li><p>the notify_data union contains the new valuie of the +attribute</p></li><li><p>The enc_type defines the size of the structure for marshalling +and unmarshalling</p></li><li><p>(a) the id must be 0 for a printer event on a printer handle. +(b) the id must be the job id for an event on a printer job +(c) the id must be the matching number of the printer index used +in the response packet to the RFNPCN when using a print server +handle for notification. Samba currently uses the snum of +the printer for this which can break if the list of services +has been modified since the notification handle was registered.</p></li><li><p>The size is either (a) the string length in UNICODE for strings, +(b) the size in bytes of the security descriptor, or (c) 0 for +data values.</p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="tracing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt04.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pt05.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Tracing samba system calls </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Appendices</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/index.html b/docs/htmldocs/Samba3-Developers-Guide/index.html new file mode 100644 index 0000000000..b42e0f6871 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/index.html @@ -0,0 +1,23 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>SAMBA Developers Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><meta name="description" content="Last Update : Fri Oct 10 00:59:58 CEST 2003 This book is a collection of documents that might be useful for people developing samba or those interested in doing so. It's nothing more than a collection of documents written by samba developers about the internals of various parts of samba and the SMB protocol. It's still (and will always be) incomplete. The most recent version of this document can be found at http://devel.samba.org/. This documentation is distributed under the GNU General Public License (GPL) version 2. A copy of the license is included with the Samba source distribution. A copy can be found on-line at http://www.fsf.org/licenses/gpl.txt This document is incomplete and unmaintained. It is merely a collection of development-related notes."><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="next" href="pr01.html" title="Attribution"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SAMBA Developers Guide</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-Developers-Guide"></a>SAMBA Developers Guide</h1></div><div><div class="authorgroup"><div class="editor"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p> +<span class="emphasis"><em>Last Update</em></span> : Fri Oct 10 00:59:58 CEST 2003 +</p><p> +This book is a collection of documents that might be useful for +people developing samba or those interested in doing so. +It's nothing more than a collection of documents written by samba developers about +the internals of various parts of samba and the SMB protocol. It's still (and will always be) incomplete. +The most recent version of this document +can be found at <a href="http://devel.samba.org/" target="_top">http://devel.samba.org/</a>. +</p><p> +This documentation is distributed under the GNU General Public License (GPL) +version 2. A copy of the license is included with the Samba source +distribution. A copy can be found on-line at <a href="http://www.fsf.org/licenses/gpl.txt" target="_top">http://www.fsf.org/licenses/gpl.txt</a> +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This document is incomplete and unmaintained. It is merely a + collection of development-related notes.</p></div></div></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="preface"><a href="pr01.html">Attribution</a></span></dt><dt><span class="part"><a href="pt01.html">I. The protocol</a></span></dt><dd><dl><dt><span class="chapter"><a href="unix-smb.html">1. NetBIOS in a Unix World</a></span></dt><dd><dl><dt><span class="sect1"><a href="unix-smb.html#id323085">Introduction</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323102">Usernames</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323144">File Ownership</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323168">Passwords</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323197">Locking</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323237">Deny Modes</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323256">Trapdoor UIDs</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323274">Port numbers</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323305">Protocol Complexity</a></span></dt></dl></dd><dt><span class="chapter"><a href="ntdomain.html">2. NT Domain RPC's</a></span></dt><dd><dl><dt><span class="sect1"><a href="ntdomain.html#id323417">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id323559">Sources</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id323586">Credits</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id323615">Notes and Structures</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id323620">Notes</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id281607">Enumerations</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id323908">Structures</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id326205">MSRPC over Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id326215">MSRPC Pipes</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326284">Header</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326958">Tail</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326994">RPC Bind / Bind Ack</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327132">NTLSA Transact Named Pipe</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327260">LSA Open Policy</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327358">LSA Query Info Policy</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327441">LSA Enumerate Trusted Domains</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327513">LSA Open Secret</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327599">LSA Close</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327651">LSA Lookup SIDS</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327815">LSA Lookup Names</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id327992">NETLOGON rpc Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id328116">LSA Request Challenge</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328219">LSA Authenticate 2</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328332">LSA Server Password Set</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328419">LSA SAM Logon</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328496">LSA SAM Logoff</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id328567">\\MAILSLOT\NET\NTLOGON</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id328579">Query for PDC</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328784">SAM Logon</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329040">SRVSVC Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329075">Net Share Enum</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329247">Net Server Get Info</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329338">Cryptographic side of NT Domain Authentication</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329344">Definitions</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329469">Protocol</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329533">Comments</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329566">SIDs and RIDs</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329596">Well-known SIDs</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329845">Well-known RIDS</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="pt02.html">II. Samba Basics</a></span></dt><dd><dl><dt><span class="chapter"><a href="architecture.html">3. Samba Architecture</a></span></dt><dd><dl><dt><span class="sect1"><a href="architecture.html#id330081">Introduction</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330120">Multithreading and Samba</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330145">Threading smbd</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330198">Threading nmbd</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330230">nbmd Design</a></span></dt></dl></dd><dt><span class="chapter"><a href="debug.html">4. The samba DEBUG system</a></span></dt><dd><dl><dt><span class="sect1"><a href="debug.html#id330279">New Output Syntax</a></span></dt><dt><span class="sect1"><a href="debug.html#id330374">The DEBUG() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330466">The DEBUGADD() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330498">The DEBUGLVL() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330576">New Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="debug.html#id330582">dbgtext()</a></span></dt><dt><span class="sect2"><a href="debug.html#id330595">dbghdr()</a></span></dt><dt><span class="sect2"><a href="debug.html#id330612">format_debug_text()</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="internals.html">5. Samba Internals</a></span></dt><dd><dl><dt><span class="sect1"><a href="internals.html#id330662">Character Handling</a></span></dt><dt><span class="sect1"><a href="internals.html#id330682">The new functions</a></span></dt><dt><span class="sect1"><a href="internals.html#id330789">Macros in byteorder.h</a></span></dt><dd><dl><dt><span class="sect2"><a href="internals.html#id330799">CVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330809">PVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330820">SCVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330830">SVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330842">IVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330853">SVALS(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330864">IVALS(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330874">SSVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330885">SIVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330896">SSVALS(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330907">SIVALS(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330918">RSVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330928">RIVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330939">RSSVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330950">RSIVAL(buf,pos,val)</a></span></dt></dl></dd><dt><span class="sect1"><a href="internals.html#id330962">LAN Manager Samba API</a></span></dt><dd><dl><dt><span class="sect2"><a href="internals.html#id330987">Parameters</a></span></dt><dt><span class="sect2"><a href="internals.html#id331097">Return value</a></span></dt></dl></dd><dt><span class="sect1"><a href="internals.html#id331155">Code character table</a></span></dt></dl></dd><dt><span class="chapter"><a href="CodingSuggestions.html">6. Coding Suggestions</a></span></dt><dt><span class="chapter"><a href="contributing.html">7. Contributing code</a></span></dt><dt><span class="chapter"><a href="modules.html">8. Modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="modules.html#id331748">Advantages</a></span></dt><dt><span class="sect1"><a href="modules.html#id331783">Loading modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="modules.html#id331806">Static modules</a></span></dt><dt><span class="sect2"><a href="modules.html#id331836">Shared modules</a></span></dt></dl></dd><dt><span class="sect1"><a href="modules.html#id331855">Writing modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="modules.html#id331898">Static/Shared selection in configure.in</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="pt03.html">III. Samba Subsystems</a></span></dt><dd><dl><dt><span class="chapter"><a href="rpc-plugin.html">9. RPC Pluggable Modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="rpc-plugin.html#id332057">About</a></span></dt><dt><span class="sect1"><a href="rpc-plugin.html#id332070">General Overview</a></span></dt></dl></dd><dt><span class="chapter"><a href="vfs.html">10. VFS Modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="vfs.html#id332231">The Samba (Posix) VFS layer</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332237">The general interface</a></span></dt><dt><span class="sect2"><a href="vfs.html#id332307">Possible VFS operation layers</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332351">The Interaction between the Samba VFS subsystem and the modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332357">Initialization and registration</a></span></dt><dt><span class="sect2"><a href="vfs.html#id332494">How the Modules handle per connection data</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332652">Upgrading to the New VFS Interface</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332658">Upgrading from 2.2.* and 3.0aplha modules</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332988">Some Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332994">Implement TRANSPARENT functions</a></span></dt><dt><span class="sect2"><a href="vfs.html#id333012">Implement OPAQUE functions</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="parsing.html">11. The smb.conf file</a></span></dt><dd><dl><dt><span class="sect1"><a href="parsing.html#id333066">Lexical Analysis</a></span></dt><dd><dl><dt><span class="sect2"><a href="parsing.html#id333134">Handling of Whitespace</a></span></dt><dt><span class="sect2"><a href="parsing.html#id333175">Handling of Line Continuation</a></span></dt><dt><span class="sect2"><a href="parsing.html#id333219">Line Continuation Quirks</a></span></dt></dl></dd><dt><span class="sect1"><a href="parsing.html#id333294">Syntax</a></span></dt><dd><dl><dt><span class="sect2"><a href="parsing.html#id333346">About params.c</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="wins.html">12. Samba WINS Internals</a></span></dt><dd><dl><dt><span class="sect1"><a href="wins.html#id333384">WINS Failover</a></span></dt></dl></dd><dt><span class="chapter"><a href="pwencrypt.html">13. LanMan and NT Password Encryption</a></span></dt><dd><dl><dt><span class="sect1"><a href="pwencrypt.html#id333488">Introduction</a></span></dt><dt><span class="sect1"><a href="pwencrypt.html#id333506">How does it work?</a></span></dt><dt><span class="sect1"><a href="pwencrypt.html#id333571">The smbpasswd file</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="pt04.html">IV. Debugging and tracing</a></span></dt><dd><dl><dt><span class="chapter"><a href="tracing.html">14. Tracing samba system calls</a></span></dt><dt><span class="chapter"><a href="devprinting.html">15. Samba Printing Internals</a></span></dt><dd><dl><dt><span class="sect1"><a href="devprinting.html#id334024">Abstract</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334035"> +Printing Interface to Various Back ends +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334109"> +Print Queue TDB's +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334247"> +ChangeID and Client Caching of Printer Information +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334258"> +Windows NT/2K Printer Change Notify +</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="pt05.html">V. Appendices</a></span></dt><dd><dl><dt><span class="chapter"><a href="Packaging.html">16. Notes to packagers</a></span></dt><dd><dl><dt><span class="sect1"><a href="Packaging.html#id334515">Versioning</a></span></dt><dt><span class="sect1"><a href="Packaging.html#id334540">Modules</a></span></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> Attribution</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/internals.html b/docs/htmldocs/Samba3-Developers-Guide/internals.html new file mode 100644 index 0000000000..6dd18957bc --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/internals.html @@ -0,0 +1,206 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Samba Internals</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt02.html" title="Part II. Samba Basics"><link rel="prev" href="debug.html" title="Chapter 4. The samba DEBUG system"><link rel="next" href="CodingSuggestions.html" title="Chapter 6. Coding Suggestions"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Samba Internals</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="debug.html">Prev</a> </td><th width="60%" align="center">Part II. Samba Basics</th><td width="20%" align="right"> <a accesskey="n" href="CodingSuggestions.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="internals"></a>Chapter 5. Samba Internals</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Chappell</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:David.Chappell@mail.trincoll.edu">David.Chappell@mail.trincoll.edu</a>></code></p></div></div></div></div><div><p class="pubdate">8 May 1996</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="internals.html#id330662">Character Handling</a></span></dt><dt><span class="sect1"><a href="internals.html#id330682">The new functions</a></span></dt><dt><span class="sect1"><a href="internals.html#id330789">Macros in byteorder.h</a></span></dt><dd><dl><dt><span class="sect2"><a href="internals.html#id330799">CVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330809">PVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330820">SCVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330830">SVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330842">IVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330853">SVALS(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330864">IVALS(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330874">SSVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330885">SIVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330896">SSVALS(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330907">SIVALS(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330918">RSVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330928">RIVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330939">RSSVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330950">RSIVAL(buf,pos,val)</a></span></dt></dl></dd><dt><span class="sect1"><a href="internals.html#id330962">LAN Manager Samba API</a></span></dt><dd><dl><dt><span class="sect2"><a href="internals.html#id330987">Parameters</a></span></dt><dt><span class="sect2"><a href="internals.html#id331097">Return value</a></span></dt></dl></dd><dt><span class="sect1"><a href="internals.html#id331155">Code character table</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330662"></a>Character Handling</h2></div></div></div><p> +This section describes character set handling in Samba, as implemented in +Samba 3.0 and above +</p><p> +In the past Samba had very ad-hoc character set handling. Scattered +throughout the code were numerous calls which converted particular +strings to/from DOS codepages. The problem is that there was no way of +telling if a particular char* is in dos codepage or unix +codepage. This led to a nightmare of code that tried to cope with +particular cases without handlingt the general case. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330682"></a>The new functions</h2></div></div></div><p> +The new system works like this: +</p><div class="orderedlist"><ol type="1"><li><p> + all char* strings inside Samba are "unix" strings. These are + multi-byte strings that are in the charset defined by the "unix + charset" option in smb.conf. +</p></li><li><p> + there is no single fixed character set for unix strings, but any + character set that is used does need the following properties: + </p><div class="orderedlist"><ol type="a"><li><p> + must not contain NULLs except for termination + </p></li><li><p> + must be 7-bit compatible with C strings, so that a constant + string or character in C will be byte-for-byte identical to the + equivalent string in the chosen character set. + </p></li><li><p> + when you uppercase or lowercase a string it does not become + longer than the original string + </p></li><li><p> + must be able to correctly hold all characters that your client + will throw at it + </p></li></ol></div><p> + For example, UTF-8 is fine, and most multi-byte asian character sets + are fine, but UCS2 could not be used for unix strings as they + contain nulls. + </p></li><li><p> + when you need to put a string into a buffer that will be sent on the + wire, or you need a string in a character set format that is + compatible with the clients character set then you need to use a + pull_ or push_ function. The pull_ functions pull a string from a + wire buffer into a (multi-byte) unix string. The push_ functions + push a string out to a wire buffer. +</p></li><li><p> + the two main pull_ and push_ functions you need to understand are + pull_string and push_string. These functions take a base pointer + that should point at the start of the SMB packet that the string is + in. The functions will check the flags field in this packet to + automatically determine if the packet is marked as a unicode packet, + and they will choose whether to use unicode for this string based on + that flag. You may also force this decision using the STR_UNICODE or + STR_ASCII flags. For use in smbd/ and libsmb/ there are wrapper + functions clistr_ and srvstr_ that call the pull_/push_ functions + with the appropriate first argument. + </p><p> + You may also call the pull_ascii/pull_ucs2 or push_ascii/push_ucs2 + functions if you know that a particular string is ascii or + unicode. There are also a number of other convenience functions in + charcnv.c that call the pull_/push_ functions with particularly + common arguments, such as pull_ascii_pstring() + </p></li><li><p> + The biggest thing to remember is that internal (unix) strings in Samba + may now contain multi-byte characters. This means you cannot assume + that characters are always 1 byte long. Often this means that you will + have to convert strings to ucs2 and back again in order to do some + (seemingly) simple task. For examples of how to do this see functions + like strchr_m(). I know this is very slow, and we will eventually + speed it up but right now we want this stuff correct not fast. +</p></li><li><p> + all lp_ functions now return unix strings. The magic "DOS" flag on + parameters is gone. +</p></li><li><p> + all vfs functions take unix strings. Don't convert when passing to them +</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330789"></a>Macros in byteorder.h</h2></div></div></div><p> +This section describes the macros defined in byteorder.h. These macros +are used extensively in the Samba code. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330799"></a>CVAL(buf,pos)</h3></div></div></div><p> +returns the byte at offset pos within buffer buf as an unsigned character. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330809"></a>PVAL(buf,pos)</h3></div></div></div><p>returns the value of CVAL(buf,pos) cast to type unsigned integer.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330820"></a>SCVAL(buf,pos,val)</h3></div></div></div><p>sets the byte at offset pos within buffer buf to value val.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330830"></a>SVAL(buf,pos)</h3></div></div></div><p> + returns the value of the unsigned short (16 bit) little-endian integer at + offset pos within buffer buf. An integer of this type is sometimes + refered to as "USHORT". +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330842"></a>IVAL(buf,pos)</h3></div></div></div><p>returns the value of the unsigned 32 bit little-endian integer at offset +pos within buffer buf.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330853"></a>SVALS(buf,pos)</h3></div></div></div><p>returns the value of the signed short (16 bit) little-endian integer at +offset pos within buffer buf.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330864"></a>IVALS(buf,pos)</h3></div></div></div><p>returns the value of the signed 32 bit little-endian integer at offset pos +within buffer buf.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330874"></a>SSVAL(buf,pos,val)</h3></div></div></div><p>sets the unsigned short (16 bit) little-endian integer at offset pos within +buffer buf to value val.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330885"></a>SIVAL(buf,pos,val)</h3></div></div></div><p>sets the unsigned 32 bit little-endian integer at offset pos within buffer +buf to the value val.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330896"></a>SSVALS(buf,pos,val)</h3></div></div></div><p>sets the short (16 bit) signed little-endian integer at offset pos within +buffer buf to the value val.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330907"></a>SIVALS(buf,pos,val)</h3></div></div></div><p>sets the signed 32 bit little-endian integer at offset pos withing buffer +buf to the value val.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330918"></a>RSVAL(buf,pos)</h3></div></div></div><p>returns the value of the unsigned short (16 bit) big-endian integer at +offset pos within buffer buf.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330928"></a>RIVAL(buf,pos)</h3></div></div></div><p>returns the value of the unsigned 32 bit big-endian integer at offset +pos within buffer buf.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330939"></a>RSSVAL(buf,pos,val)</h3></div></div></div><p>sets the value of the unsigned short (16 bit) big-endian integer at +offset pos within buffer buf to value val. +refered to as "USHORT".</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330950"></a>RSIVAL(buf,pos,val)</h3></div></div></div><p>sets the value of the unsigned 32 bit big-endian integer at offset +pos within buffer buf to value val.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330962"></a>LAN Manager Samba API</h2></div></div></div><p> +This section describes the functions need to make a LAN Manager RPC call. +This information had been obtained by examining the Samba code and the LAN +Manager 2.0 API documentation. It should not be considered entirely +reliable. +</p><p> +</p><pre class="programlisting"> +call_api(int prcnt, int drcnt, int mprcnt, int mdrcnt, + char *param, char *data, char **rparam, char **rdata); +</pre><p> +</p><p> +This function is defined in client.c. It uses an SMB transaction to call a +remote api. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330987"></a>Parameters</h3></div></div></div><p>The parameters are as follows:</p><div class="orderedlist"><ol type="1"><li><p> + prcnt: the number of bytes of parameters begin sent. +</p></li><li><p> + drcnt: the number of bytes of data begin sent. +</p></li><li><p> + mprcnt: the maximum number of bytes of parameters which should be returned +</p></li><li><p> + mdrcnt: the maximum number of bytes of data which should be returned +</p></li><li><p> + param: a pointer to the parameters to be sent. +</p></li><li><p> + data: a pointer to the data to be sent. +</p></li><li><p> + rparam: a pointer to a pointer which will be set to point to the returned + parameters. The caller of call_api() must deallocate this memory. +</p></li><li><p> + rdata: a pointer to a pointer which will be set to point to the returned + data. The caller of call_api() must deallocate this memory. +</p></li></ol></div><p> +These are the parameters which you ought to send, in the order of their +appearance in the parameter block: +</p><div class="orderedlist"><ol type="1"><li><p> +An unsigned 16 bit integer API number. You should set this value with +SSVAL(). I do not know where these numbers are described. +</p></li><li><p> +An ASCIIZ string describing the parameters to the API function as defined +in the LAN Manager documentation. The first parameter, which is the server +name, is ommited. This string is based uppon the API function as described +in the manual, not the data which is actually passed. +</p></li><li><p> +An ASCIIZ string describing the data structure which ought to be returned. +</p></li><li><p> +Any parameters which appear in the function call, as defined in the LAN +Manager API documentation, after the "Server" and up to and including the +"uLevel" parameters. +</p></li><li><p> +An unsigned 16 bit integer which gives the size in bytes of the buffer we +will use to receive the returned array of data structures. Presumably this +should be the same as mdrcnt. This value should be set with SSVAL(). +</p></li><li><p> +An ASCIIZ string describing substructures which should be returned. If no +substructures apply, this string is of zero length. +</p></li></ol></div><p> +The code in client.c always calls call_api() with no data. It is unclear +when a non-zero length data buffer would be sent. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331097"></a>Return value</h3></div></div></div><p> +The returned parameters (pointed to by rparam), in their order of appearance +are:</p><div class="orderedlist"><ol type="1"><li><p> +An unsigned 16 bit integer which contains the API function's return code. +This value should be read with SVAL(). +</p></li><li><p> +An adjustment which tells the amount by which pointers in the returned +data should be adjusted. This value should be read with SVAL(). Basically, +the address of the start of the returned data buffer should have the returned +pointer value added to it and then have this value subtracted from it in +order to obtain the currect offset into the returned data buffer. +</p></li><li><p> +A count of the number of elements in the array of structures returned. +It is also possible that this may sometimes be the number of bytes returned. +</p></li></ol></div><p> +When call_api() returns, rparam points to the returned parameters. The +first if these is the result code. It will be zero if the API call +suceeded. This value by be read with "SVAL(rparam,0)". +</p><p> +The second parameter may be read as "SVAL(rparam,2)". It is a 16 bit offset +which indicates what the base address of the returned data buffer was when +it was built on the server. It should be used to correct pointer before +use. +</p><p> +The returned data buffer contains the array of returned data structures. +Note that all pointers must be adjusted before use. The function +fix_char_ptr() in client.c can be used for this purpose. +</p><p> +The third parameter (which may be read as "SVAL(rparam,4)") has something to +do with indicating the amount of data returned or possibly the amount of +data which can be returned if enough buffer space is allowed. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id331155"></a>Code character table</h2></div></div></div><p> +Certain data structures are described by means of ASCIIz strings containing +code characters. These are the code characters: +</p><div class="orderedlist"><ol type="1"><li><p> +W a type byte little-endian unsigned integer +</p></li><li><p> +N a count of substructures which follow +</p></li><li><p> +D a four byte little-endian unsigned integer +</p></li><li><p> +B a byte (with optional count expressed as trailing ASCII digits) +</p></li><li><p> +z a four byte offset to a NULL terminated string +</p></li><li><p> +l a four byte offset to non-string user data +</p></li><li><p> +b an offset to data (with count expressed as trailing ASCII digits) +</p></li><li><p> +r pointer to returned data buffer??? +</p></li><li><p> +L length in bytes of returned data buffer??? +</p></li><li><p> +h number of bytes of information available??? +</p></li></ol></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="debug.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt02.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="CodingSuggestions.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The samba DEBUG system </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Coding Suggestions</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/modules.html b/docs/htmldocs/Samba3-Developers-Guide/modules.html new file mode 100644 index 0000000000..c7593f6761 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/modules.html @@ -0,0 +1,70 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt02.html" title="Part II. Samba Basics"><link rel="prev" href="contributing.html" title="Chapter 7. Contributing code"><link rel="next" href="pt03.html" title="Part III. Samba Subsystems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="contributing.html">Prev</a> </td><th width="60%" align="center">Part II. Samba Basics</th><td width="20%" align="right"> <a accesskey="n" href="pt03.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="modules"></a>Chapter 8. Modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate"> 19 March 2003 </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="modules.html#id331748">Advantages</a></span></dt><dt><span class="sect1"><a href="modules.html#id331783">Loading modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="modules.html#id331806">Static modules</a></span></dt><dt><span class="sect2"><a href="modules.html#id331836">Shared modules</a></span></dt></dl></dd><dt><span class="sect1"><a href="modules.html#id331855">Writing modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="modules.html#id331898">Static/Shared selection in configure.in</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id331748"></a>Advantages</h2></div></div></div><p> +The new modules system has the following advantages: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Transparent loading of static and shared modules (no need +for a subsystem to know about modules)</td></tr><tr><td>Simple selection between shared and static modules at configure time</td></tr><tr><td>"preload modules" option for increasing performance for stable modules</td></tr><tr><td>No nasty #define stuff anymore</td></tr><tr><td>All backends are available as plugin now (including pdb_ldap and pdb_tdb)</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id331783"></a>Loading modules</h2></div></div></div><p> +Some subsystems in samba use different backends. These backends can be +either statically linked in to samba or available as a plugin. A subsystem +should have a function that allows a module to register itself. For example, +the passdb subsystem has: +</p><pre class="programlisting"> +NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init); +</pre><p> +This function will be called by the initialisation function of the module to +register itself. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331806"></a>Static modules</h3></div></div></div><p> +The modules system compiles a list of initialisation functions for the +static modules of each subsystem. This is a define. For example, +it is here currently (from <code class="filename">include/config.h</code>): +</p><pre class="programlisting"> +/* Static init functions */ +#define static_init_pdb { pdb_mysql_init(); pdb_ldap_init(); pdb_smbpasswd_init(); pdb_tdbsam_init(); pdb_guest_init();} +</pre><p> +These functions should be called before the subsystem is used. That +should be done when the subsystem is initialised or first used. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331836"></a>Shared modules</h3></div></div></div><p> +If a subsystem needs a certain backend, it should check if it has +already been registered. If the backend hasn't been registered already, +the subsystem should call smb_probe_module(char *subsystem, char *backend). +This function tries to load the correct module from a certain path +($LIBDIR/subsystem/backend.so). If the first character in 'backend' +is a slash, smb_probe_module() tries to load the module from the +absolute path specified in 'backend'. +</p><p>After smb_probe_module() has been executed, the subsystem +should check again if the module has been registered. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id331855"></a>Writing modules</h2></div></div></div><p> +Each module has an initialisation function. For modules that are +included with samba this name is '<em class="replaceable"><code>subsystem</code></em>_<em class="replaceable"><code>backend</code></em>_init'. For external modules (that will never be built-in, but only available as a module) this name is always 'init_module'. (In the case of modules included with samba, the configure system will add a #define subsystem_backend_init() init_module()). +The prototype for these functions is: +</p><pre class="programlisting"> +NTSTATUS init_module(void); +</pre><p>This function should call one or more +registration functions. The function should return NT_STATUS_OK on success and +NT_STATUS_UNSUCCESSFUL or a more useful nt error code on failure.</p><p>For example, pdb_ldap_init() contains: </p><pre class="programlisting"> +NTSTATUS pdb_ldap_init(void) +{ +smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam); +smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_nua", pdb_init_ldapsam_nua); + return NT_STATUS_OK; +} +</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331898"></a>Static/Shared selection in configure.in</h3></div></div></div><p> +Some macros in configure.in generate the various defines and substs that +are necessary for the system to work correct. All modules that should +be built by default have to be added to the variable 'default_modules'. +For example, if ldap is found, pdb_ldap is added to this variable. +</p><p> +On the bottom of configure.in, SMB_MODULE() should be called +for each module and SMB_SUBSYSTEM() for each subsystem. +</p><p>Syntax:</p><pre class="programlisting"> +SMB_MODULE(<em class="replaceable"><code>subsystem</code></em>_<em class="replaceable"><code>backend</code></em>, <em class="replaceable"><code>object files</code></em>, <em class="replaceable"><code>plugin name</code></em>, <em class="replaceable"><code>subsystem name</code></em>, <em class="replaceable"><code>static_action</code></em>, <em class="replaceable"><code>shared_action</code></em>) +SMB_SUBSYSTEM(<em class="replaceable"><code>subsystem</code></em>,<em class="replaceable"><code>depfile</code></em>) +</pre><p>The depfile for a certain subsystem is the file that calls the +initialisation functions for the statically built in modules.</p><p> +<em class="replaceable"><code>@SUBSYSTEM_MODULES@</code></em> in Makefile.in will +be replaced with the names of the plugins to build. +</p><p>You must make sure all .c files that contain defines that can +be changed by ./configure are rebuilded in the 'modules_clean' make target. +Practically, this means all c files that contain <code class="literal">static_init_subsystem;</code> calls need to be rebuilded. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +There currently also is a configure.in command called SMB_MODULE_PROVIVES(). +This is used for modules that register multiple things. It should not +be used as probing will most likely disappear in the future.</p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="contributing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt02.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pt03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Contributing code </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Samba Subsystems</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/ntdomain.html b/docs/htmldocs/Samba3-Developers-Guide/ntdomain.html new file mode 100644 index 0000000000..f198eceda7 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/ntdomain.html @@ -0,0 +1,246 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. NT Domain RPC's</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt01.html" title="Part I. The protocol"><link rel="prev" href="unix-smb.html" title="Chapter 1. NetBIOS in a Unix World"><link rel="next" href="pt02.html" title="Part II. Samba Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. NT Domain RPC's</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unix-smb.html">Prev</a> </td><th width="60%" align="center">Part I. The protocol</th><td width="20%" align="right"> <a accesskey="n" href="pt02.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ntdomain"></a>Chapter 2. NT Domain RPC's</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Luke</span> <span class="surname">Leighton</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:lkcl@switchboard.net">lkcl@switchboard.net</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Paul</span> <span class="surname">Ashton</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:paul@argo.demon.co.uk">paul@argo.demon.co.uk</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Duncan</span> <span class="surname">Stansfield</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:duncans@sco.com">duncans@sco.com</a>></code></p></div></div></div></div><div><p class="pubdate">01 November 97(version 0.0.24)</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ntdomain.html#id323417">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id323559">Sources</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id323586">Credits</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id323615">Notes and Structures</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id323620">Notes</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id281607">Enumerations</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id323908">Structures</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id326205">MSRPC over Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id326215">MSRPC Pipes</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326284">Header</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326958">Tail</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326994">RPC Bind / Bind Ack</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327132">NTLSA Transact Named Pipe</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327260">LSA Open Policy</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327358">LSA Query Info Policy</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327441">LSA Enumerate Trusted Domains</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327513">LSA Open Secret</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327599">LSA Close</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327651">LSA Lookup SIDS</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327815">LSA Lookup Names</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id327992">NETLOGON rpc Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id328116">LSA Request Challenge</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328219">LSA Authenticate 2</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328332">LSA Server Password Set</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328419">LSA SAM Logon</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328496">LSA SAM Logoff</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id328567">\\MAILSLOT\NET\NTLOGON</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id328579">Query for PDC</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328784">SAM Logon</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329040">SRVSVC Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329075">Net Share Enum</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329247">Net Server Get Info</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329338">Cryptographic side of NT Domain Authentication</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329344">Definitions</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329469">Protocol</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329533">Comments</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329566">SIDs and RIDs</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329596">Well-known SIDs</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329845">Well-known RIDS</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323417"></a>Introduction</h2></div></div></div><p> +This document contains information to provide an NT workstation with login +services, without the need for an NT server. It is the sgml version of <a href="http://mailhost.cb1.com/~lkcl/cifsntdomain.txt" target="_top">http://mailhost.cb1.com/~lkcl/cifsntdomain.txt</a>, controlled by Luke. +</p><p> +It should be possible to select a domain instead of a workgroup (in the NT +workstation's TCP/IP settings) and after the obligatory reboot, type in a +username, password, select a domain and successfully log in. I would +appreciate any feedback on your experiences with this process, and any +comments, corrections and additions to this document. +</p><p> +The packets described here can be easily derived from (and are probably +better understood using) Netmon.exe. You will need to use the version +of Netmon that matches your system, in order to correctly decode the +NETLOGON, lsarpc and srvsvc Transact pipes. This document is derived from +NT Service Pack 1 and its corresponding version of Netmon. It is intended +that an annotated packet trace be produced, which will likely be more +instructive than this document. +</p><p> +Also needed, to fully implement NT Domain Login Services, is the +document describing the cryptographic part of the NT authentication. +This document is available from comp.protocols.smb; from the ntsecurity.net +digest and from the samba digest, amongst other sources. +</p><p> +A copy is available from: +</p><p><a href="http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708;L=ntbugtraq;O=A;P=2935" target="_top">http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708;L=ntbugtraq;O=A;P=2935</a></p><p><a href="http://mailhost.cb1.com/~lkcl/crypt.html" target="_top">http://mailhost.cb1.com/~lkcl/crypt.html</a></p><p> +A c-code implementation, provided by <a href="mailto:linus@incolumitas.se" target="_top">Linus Nordberg</a> +of this protocol is available from: +</p><p><a href="http://samba.org/cgi-bin/mfs/01/digest/1997/97aug/0391.html" target="_top">http://samba.org/cgi-bin/mfs/01/digest/1997/97aug/0391.html</a></p><p><a href="http://mailhost.cb1.com/~lkcl/crypt.txt" target="_top">http://mailhost.cb1.com/~lkcl/crypt.txt</a></p><p> +Also used to provide debugging information is the Check Build version of +NT workstation, and enabling full debugging in NETLOGON. This is +achieved by setting the following REG_SZ registry key to 0x1ffffff: +</p><p><code class="filename">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</code></p><p><span class="emphasis"><em>Incorrect direct editing of the registry can cause your +machine to fail. Then again, so can incorrect implementation of this +protocol. See "Liability:" above.</em></span></p><p> +Bear in mind that each packet over-the-wire will have its origin in an +API call. Therefore, there are likely to be structures, enumerations +and defines that are usefully documented elsewhere. +</p><p> +This document is by no means complete or authoritative. Missing sections +include, but are not limited to: +</p><div class="orderedlist"><ol type="1"><li><p>Mappings of RIDs to usernames (and vice-versa).</p></li><li><p>What a User ID is and what a Group ID is.</p></li><li><p>The exact meaning/definition of various magic constants or enumerations.</p></li><li><p>The reply error code and use of that error code when a +workstation becomes a member of a domain (to be described later). +Failure to return this error code will make the workstation report +that it is already a member of the domain.</p></li><li><p>the cryptographic side of the NetrServerPasswordSet command, +which would allow the workstation to change its password. This password is +used to generate the long-term session key. [It is possible to reject this +command, and keep the default workstation password].</p></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323559"></a>Sources</h3></div></div></div><table class="simplelist" border="0" summary="Simple list"><tr><td>cket Traces from Netmonitor (Service Pack 1 and above)</td></tr><tr><td>ul Ashton and Luke Leighton's other "NT Domain" doc.</td></tr><tr><td>FS documentation - cifs6.txt</td></tr><tr><td>FS documentation - cifsrap2.txt</td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323586"></a>Credits</h3></div></div></div><table class="simplelist" border="0" summary="Simple list"><tr><td>Paul Ashton: loads of work with Net Monitor; understanding the NT authentication system; reference implementation of the NT domain support on which this document is originally based.</td></tr><tr><td>Duncan Stansfield: low-level analysis of MSRPC Pipes.</td></tr><tr><td>Linus Nordberg: producing c-code from Paul's crypto spec.</td></tr><tr><td>Windows Sourcer development team</td></tr></table></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323615"></a>Notes and Structures</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323620"></a>Notes</h3></div></div></div><div class="orderedlist"><ol type="1"><li><p> +In the SMB Transact pipes, some "Structures", described here, appear to be +4-byte aligned with the SMB header, at their start. Exactly which +"Structures" need aligning is not precisely known or documented. +</p></li><li><p> +In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be +2-byte aligned with the start of the mailslot, at their start. +</p></li><li><p> +Domain SID is of the format S-revision-version-auth1-auth2...authN. +e.g S-1-5-123-456-789-123-456. the 5 could be a sub-revision. +</p></li><li><p> +any undocumented buffer pointers must be non-zero if the string buffer it +refers to contains characters. exactly what value they should be is unknown. +0x0000 0002 seems to do the trick to indicate that the buffer exists. a +NULL buffer pointer indicates that the string buffer is of zero length. +If the buffer pointer is NULL, then it is suspected that the structure it +refers to is NOT put into (or taken out of) the SMB data stream. This is +empirically derived from, for example, the LSA SAM Logon response packet, +where if the buffer pointer is NULL, the user information is not inserted +into the data stream. Exactly what happens with an array of buffer pointers +is not known, although an educated guess can be made. +</p></li><li><p> +an array of structures (a container) appears to have a count and a pointer. +if the count is zero, the pointer is also zero. no further data is put +into or taken out of the SMB data stream. if the count is non-zero, then +the pointer is also non-zero. immediately following the pointer is the +count again, followed by an array of container sub-structures. the count +appears a third time after the last sub-structure. +</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id281607"></a>Enumerations</h3></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id281613"></a>MSRPC Header type</h4></div></div></div><p>command number in the msrpc packet header</p><div class="variablelist"><dl><dt><span class="term">MSRPC_Request:</span></dt><dd><p>0x00</p></dd><dt><span class="term">MSRPC_Response:</span></dt><dd><p>0x02</p></dd><dt><span class="term">MSRPC_Bind:</span></dt><dd><p>0x0B</p></dd><dt><span class="term">MSRPC_BindAck:</span></dt><dd><p>0x0C</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id323803"></a>MSRPC Packet info</h4></div></div></div><p>The meaning of these flags is undocumented</p><div class="variablelist"><dl><dt><span class="term">FirstFrag:</span></dt><dd><p>0x01 </p></dd><dt><span class="term">LastFrag:</span></dt><dd><p>0x02 </p></dd><dt><span class="term">NotaFrag:</span></dt><dd><p>0x04 </p></dd><dt><span class="term">RecRespond:</span></dt><dd><p>0x08 </p></dd><dt><span class="term">NoMultiplex:</span></dt><dd><p>0x10 </p></dd><dt><span class="term">NotForIdemp:</span></dt><dd><p>0x20 </p></dd><dt><span class="term">NotforBcast:</span></dt><dd><p>0x40 </p></dd><dt><span class="term">NoUuid:</span></dt><dd><p>0x80 </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323908"></a>Structures</h3></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id323913"></a>VOID *</h4></div></div></div><p>sizeof VOID* is 32 bits.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id323922"></a>char</h4></div></div></div><p>sizeof char is 8 bits.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id323931"></a>UTIME</h4></div></div></div><p>UTIME is 32 bits, indicating time in seconds since 01jan1970. documented in cifs6.txt (section 3.5 page, page 30).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id323941"></a>NTTIME</h4></div></div></div><p>NTTIME is 64 bits. documented in cifs6.txt (section 3.5 page, page 30).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id323951"></a>DOM_SID (domain SID structure)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>num of sub-authorities in domain SID</p></dd><dt><span class="term">UINT8</span></dt><dd><p>SID revision number</p></dd><dt><span class="term">UINT8</span></dt><dd><p>num of sub-authorities in domain SID</p></dd><dt><span class="term">UINT8[6]</span></dt><dd><p>6 bytes for domain SID - Identifier Authority.</p></dd><dt><span class="term">UINT16[n_subauths]</span></dt><dd><p>domain SID sub-authorities</p></dd></dl></div><p><span class="emphasis"><em>Note: the domain SID is documented elsewhere.</em></span> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324023"></a>STR (string)</h4></div></div></div><p>STR (string) is a char[] : a null-terminated string of ascii characters.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324034"></a>UNIHDR (unicode string header) </h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT16</span></dt><dd><p>length of unicode string</p></dd><dt><span class="term">UINT16</span></dt><dd><p>max length of unicode string</p></dd><dt><span class="term">UINT32</span></dt><dd><p>4 - undocumented.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324078"></a>UNIHDR2 (unicode string header plus buffer pointer)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UNIHDR</span></dt><dd><p>unicode string header</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324110"></a>UNISTR (unicode string)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT16[]</span></dt><dd><p>null-terminated string of unicode characters.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324132"></a>NAME (length-indicated unicode string)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>length of unicode string</p></dd><dt><span class="term">UINT16[]</span></dt><dd><p>null-terminated string of unicode characters.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324164"></a>UNISTR2 (aligned unicode string)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT8[]</span></dt><dd><p>padding to get unicode string 4-byte aligned with the start of the SMB header.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>max length of unicode string</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - undocumented</p></dd><dt><span class="term">UINT32</span></dt><dd><p>length of unicode string</p></dd><dt><span class="term">UINT16[]</span></dt><dd><p>string of uncode characters</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324231"></a>OBJ_ATTR (object attributes)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>0x18 - length (in bytes) including the length field.</p></dd><dt><span class="term">VOID*</span></dt><dd><p>0 - root directory (pointer)</p></dd><dt><span class="term">VOID*</span></dt><dd><p>0 - object name (pointer)</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - attributes (undocumented)</p></dd><dt><span class="term">VOID*</span></dt><dd><p>0 - security descriptior (pointer)</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - security quality of service</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324304"></a>POL_HND (LSA policy handle)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">char[20]</span></dt><dd><p>policy handle</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324325"></a>DOM_SID2 (domain SID structure, SIDS stored in unicode)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>5 - SID type</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - undocumented</p></dd><dt><span class="term">UNIHDR2</span></dt><dd><p>domain SID unicode string header</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>domain SID unicode string</p></dd></dl></div><p><span class="emphasis"><em>Note: there is a conflict between the unicode string header and the unicode string itself as to which to use to indicate string length. this will need to be resolved.</em></span></p><p><span class="emphasis"><em>Note: the SID type indicates, for example, an alias; a well-known group etc. this is documented somewhere.</em></span></p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324392"></a>DOM_RID (domain RID structure)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>5 - well-known SID. 1 - user SID (see ShowACLs)</p></dd><dt><span class="term">UINT32</span></dt><dd><p>5 - undocumented</p></dd><dt><span class="term">UINT32</span></dt><dd><p>domain RID </p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - domain index out of above reference domains</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324446"></a>LOG_INFO (server, account, client structure)</h4></div></div></div><p><span class="emphasis"><em>Note: logon server name starts with two '\' characters and is upper case.</em></span></p><p><span class="emphasis"><em>Note: account name is the logon client name from the LSA Request Challenge, with a $ on the end of it, in upper case.</em></span></p><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon server unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>account name unicode string</p></dd><dt><span class="term">UINT16</span></dt><dd><p>sec_chan - security channel type</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon client machine unicode string</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324523"></a>CLNT_SRV (server, client names structure)</h4></div></div></div><p><span class="emphasis"><em>Note: logon server name starts with two '\' characters and is upper case.</em></span></p><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon server unicode string</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon client machine unicode string</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324584"></a>CREDS (credentials + time stamp)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">char[8]</span></dt><dd><p>credentials</p></dd><dt><span class="term">UTIME</span></dt><dd><p>time stamp</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324616"></a>CLNT_INFO2 (server, client structure, client credentials)</h4></div></div></div><p><span class="emphasis"><em>Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will beused in subsequent credential checks. the presumed intention is to + maintain an authenticated request/response trail.</em></span></p><div class="variablelist"><dl><dt><span class="term">CLNT_SRV</span></dt><dd><p>client and server names</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>???? padding, for 4-byte alignment with SMB header.</p></dd><dt><span class="term">VOID*</span></dt><dd><p>pointer to client credentials.</p></dd><dt><span class="term">CREDS</span></dt><dd><p>client-calculated credentials + client time</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324678"></a>CLNT_INFO (server, account, client structure, client credentials)</h4></div></div></div><p><span class="emphasis"><em>Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will be used in subsequent credential checks. the presumed intention is to maintain an authenticated request/response trail.</em></span></p><div class="variablelist"><dl><dt><span class="term">LOG_INFO</span></dt><dd><p>logon account info</p></dd><dt><span class="term">CREDS</span></dt><dd><p>client-calculated credentials + client time</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324718"></a>ID_INFO_1 (id info structure, auth level 1)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>ptr_id_info_1</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>domain name unicode header</p></dd><dt><span class="term">UINT32</span></dt><dd><p>param control</p></dd><dt><span class="term">UINT64</span></dt><dd><p>logon ID</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>user name unicode header</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>workgroup name unicode header</p></dd><dt><span class="term">char[16]</span></dt><dd><p>arc4 LM OWF Password</p></dd><dt><span class="term">char[16]</span></dt><dd><p>arc4 NT OWF Password</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>domain name unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>user name unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>workstation name unicode string</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324852"></a>SAM_INFO (sam logon/logoff id info structure)</h4></div></div></div><p><span class="emphasis"><em>Note: presumably, the return credentials is supposedly for the server to verify that the credential chain hasn't been compromised.</em></span></p><div class="variablelist"><dl><dt><span class="term">CLNT_INFO2</span></dt><dd><p>client identification/authentication info</p></dd><dt><span class="term">VOID*</span></dt><dd><p>pointer to return credentials.</p></dd><dt><span class="term">CRED</span></dt><dd><p>return credentials - ignored.</p></dd><dt><span class="term">UINT16</span></dt><dd><p>logon level</p></dd><dt><span class="term">UINT16</span></dt><dd><p>switch value</p></dd></dl></div><pre class="programlisting"> + switch (switch_value) + case 1: + { + ID_INFO_1 id_info_1; + } +</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324932"></a>GID (group id info)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>group id</p></dd><dt><span class="term">UINT32</span></dt><dd><p>user attributes (only used by NT 3.1 and 3.51)</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324962"></a>DOM_REF (domain reference info)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num referenced domains?</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented domain name buffer pointer.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>32 - max number of entries</p></dd><dt><span class="term">UINT32</span></dt><dd><p>4 - num referenced domains?</p></dd><dt><span class="term">UNIHDR2</span></dt><dd><p>domain name unicode string header</p></dd><dt><span class="term">UNIHDR2[num_ref_doms-1]</span></dt><dd><p>referenced domain unicode string headers</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>domain name unicode string</p></dd><dt><span class="term">DOM_SID[num_ref_doms]</span></dt><dd><p>referenced domain SIDs</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id325074"></a>DOM_INFO (domain info, levels 3 and 5 are the same))</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT8[]</span></dt><dd><p>??? padding to get 4-byte alignment with start of SMB header</p></dd><dt><span class="term">UINT16</span></dt><dd><p>domain name string length * 2</p></dd><dt><span class="term">UINT16</span></dt><dd><p>domain name string length * 2</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented domain name string buffer pointer</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented domain SID string buffer pointer</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>domain name (unicode string)</p></dd><dt><span class="term">DOM_SID</span></dt><dd><p>domain SID</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id325162"></a>USER_INFO (user logon info)</h4></div></div></div><p><span class="emphasis"><em>Note: it would be nice to know what the 16 byte user session key is for.</em></span></p><div class="variablelist"><dl><dt><span class="term">NTTIME</span></dt><dd><p>logon time</p></dd><dt><span class="term">NTTIME</span></dt><dd><p>logoff time</p></dd><dt><span class="term">NTTIME</span></dt><dd><p>kickoff time</p></dd><dt><span class="term">NTTIME</span></dt><dd><p>password last set time</p></dd><dt><span class="term">NTTIME</span></dt><dd><p>password can change time</p></dd><dt><span class="term">NTTIME</span></dt><dd><p>password must change time</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>username unicode string header</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>user's full name unicode string header</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>logon script unicode string header</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>profile path unicode string header</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>home directory unicode string header</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>home directory drive unicode string header</p></dd><dt><span class="term">UINT16</span></dt><dd><p>logon count</p></dd><dt><span class="term">UINT16</span></dt><dd><p>bad password count</p></dd><dt><span class="term">UINT32</span></dt><dd><p>User ID</p></dd><dt><span class="term">UINT32</span></dt><dd><p>Group ID</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num groups</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer to groups.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>user flags</p></dd><dt><span class="term">char[16]</span></dt><dd><p>user session key</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>logon server unicode string header</p></dd><dt><span class="term">UNIHDR</span></dt><dd><p>logon domain unicode string header</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented logon domain id pointer</p></dd><dt><span class="term">char[40]</span></dt><dd><p>40 undocumented padding bytes. future expansion?</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - num_other_sids?</p></dd><dt><span class="term">VOID*</span></dt><dd><p>NULL - undocumented pointer to other domain SIDs.</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>username unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>user's full name unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon script unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>profile path unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>home directory unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>home directory drive unicode string</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num groups</p></dd><dt><span class="term">GID[num_groups]</span></dt><dd><p>group info</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon server unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon domain unicode string</p></dd><dt><span class="term">DOM_SID</span></dt><dd><p>domain SID</p></dd><dt><span class="term">DOM_SID[num_sids]</span></dt><dd><p>other domain SIDs?</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id325606"></a>SH_INFO_1_PTR (pointers to level 1 share info strings)</h4></div></div></div><p><span class="emphasis"><em>Note: see cifsrap2.txt section5, page 10.</em></span></p><table class="simplelist" border="0" summary="Simple list"><tr><td>0 for shi1_type indicates a Disk.</td></tr><tr><td>1 for shi1_type indicates a Print Queue.</td></tr><tr><td>2 for shi1_type indicates a Device.</td></tr><tr><td>3 for shi1_type indicates an IPC pipe.</td></tr><tr><td>0x8000 0000 (top bit set in shi1_type) indicates a hidden share.</td></tr></table><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>shi1_netname - pointer to net name</p></dd><dt><span class="term">UINT32</span></dt><dd><p>shi1_type - type of share. 0 - undocumented.</p></dd><dt><span class="term">VOID*</span></dt><dd><p>shi1_remark - pointer to comment.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id325679"></a>SH_INFO_1_STR (level 1 share info strings)</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UNISTR2</span></dt><dd><p>shi1_netname - unicode string of net name</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>shi1_remark - unicode string of comment.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id325712"></a>SHARE_INFO_1_CTR</h4></div></div></div><p>share container with 0 entries:</p><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>0 - EntriesRead</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - Buffer</p></dd></dl></div><p>share container with > 0 entries:</p><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>EntriesRead</p></dd><dt><span class="term">UINT32</span></dt><dd><p>non-zero - Buffer</p></dd><dt><span class="term">UINT32</span></dt><dd><p>EntriesRead</p></dd><dt><span class="term">SH_INFO_1_PTR[EntriesRead]</span></dt><dd><p>share entry pointers</p></dd><dt><span class="term">SH_INFO_1_STR[EntriesRead]</span></dt><dd><p>share entry strings</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>padding to get unicode string 4-byte aligned with start of the SMB header.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>EntriesRead</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - padding</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id325845"></a>SERVER_INFO_101</h4></div></div></div><p><span class="emphasis"><em>Note: see cifs6.txt section 6.4 - the fields described therein will be of assistance here. for example, the type listed below is the same as fServerType, which is described in 6.4.1. </em></span></p><div class="variablelist"><dl><dt><span class="term">SV_TYPE_WORKSTATION</span></dt><dd><p>0x00000001 All workstations</p></dd><dt><span class="term">SV_TYPE_SERVER</span></dt><dd><p>0x00000002 All servers</p></dd><dt><span class="term">SV_TYPE_SQLSERVER</span></dt><dd><p>0x00000004 Any server running with SQL server</p></dd><dt><span class="term">SV_TYPE_DOMAIN_CTRL</span></dt><dd><p>0x00000008 Primary domain controller</p></dd><dt><span class="term">SV_TYPE_DOMAIN_BAKCTRL</span></dt><dd><p>0x00000010 Backup domain controller</p></dd><dt><span class="term">SV_TYPE_TIME_SOURCE</span></dt><dd><p>0x00000020 Server running the timesource service</p></dd><dt><span class="term">SV_TYPE_AFP</span></dt><dd><p>0x00000040 Apple File Protocol servers</p></dd><dt><span class="term">SV_TYPE_NOVELL</span></dt><dd><p>0x00000080 Novell servers</p></dd><dt><span class="term">SV_TYPE_DOMAIN_MEMBER</span></dt><dd><p>0x00000100 Domain Member</p></dd><dt><span class="term">SV_TYPE_PRINTQ_SERVER</span></dt><dd><p>0x00000200 Server sharing print queue</p></dd><dt><span class="term">SV_TYPE_DIALIN_SERVER</span></dt><dd><p>0x00000400 Server running dialin service.</p></dd><dt><span class="term">SV_TYPE_XENIX_SERVER</span></dt><dd><p>0x00000800 Xenix server</p></dd><dt><span class="term">SV_TYPE_NT</span></dt><dd><p>0x00001000 NT server</p></dd><dt><span class="term">SV_TYPE_WFW</span></dt><dd><p>0x00002000 Server running Windows for </p></dd><dt><span class="term">SV_TYPE_SERVER_NT</span></dt><dd><p>0x00008000 Windows NT non DC server</p></dd><dt><span class="term">SV_TYPE_POTENTIAL_BROWSER</span></dt><dd><p>0x00010000 Server that can run the browser service</p></dd><dt><span class="term">SV_TYPE_BACKUP_BROWSER</span></dt><dd><p>0x00020000 Backup browser server</p></dd><dt><span class="term">SV_TYPE_MASTER_BROWSER</span></dt><dd><p>0x00040000 Master browser server</p></dd><dt><span class="term">SV_TYPE_DOMAIN_MASTER</span></dt><dd><p>0x00080000 Domain Master Browser server</p></dd><dt><span class="term">SV_TYPE_LOCAL_LIST_ONLY</span></dt><dd><p>0x40000000 Enumerate only entries marked "local"</p></dd><dt><span class="term">SV_TYPE_DOMAIN_ENUM</span></dt><dd><p>0x80000000 Enumerate Domains. The pszServer and pszDomain parameters must be NULL.</p></dd></dl></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>500 - platform_id</p></dd><dt><span class="term">VOID*</span></dt><dd><p>pointer to name</p></dd><dt><span class="term">UINT32</span></dt><dd><p>5 - major version</p></dd><dt><span class="term">UINT32</span></dt><dd><p>4 - minor version</p></dd><dt><span class="term">UINT32</span></dt><dd><p>type (SV_TYPE_... bit field)</p></dd><dt><span class="term">VOID*</span></dt><dd><p>pointer to comment</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>sv101_name - unicode string of server name</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>sv_101_comment - unicode string of server comment.</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>padding to get unicode string 4-byte aligned with start of the SMB header.</p></dd></dl></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id326205"></a>MSRPC over Transact Named Pipe</h2></div></div></div><p>For details on the SMB Transact Named Pipe, see cifs6.txt</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id326215"></a>MSRPC Pipes</h3></div></div></div><p> +The MSRPC is conducted over an SMB Transact Pipe with a name of +<code class="filename">\PIPE\</code>. You must first obtain a 16 bit file handle, by +sending a SMBopenX with the pipe name <code class="filename">\PIPE\srvsvc</code> for +example. You can then perform an SMB Trans, +and must carry out an SMBclose on the file handle once you are finished. +</p><p> +Trans Requests must be sent with two setup UINT16s, no UINT16 params (none +known about), and UINT8 data parameters sufficient to contain the MSRPC +header, and MSRPC data. The first UINT16 setup parameter must be either +0x0026 to indicate an RPC, or 0x0001 to indicate Set Named Pipe Handle +state. The second UINT16 parameter must be the file handle for the pipe, +obtained above. +</p><p> +The Data section for an API Command of 0x0026 (RPC pipe) in the Trans +Request is the RPC Header, followed by the RPC Data. The Data section for +an API Command of 0x0001 (Set Named Pipe Handle state) is two bytes. The +only value seen for these two bytes is 0x00 0x43. +</p><p> +MSRPC Responses are sent as response data inside standard SMB Trans +responses, with the MSRPC Header, MSRPC Data and MSRPC tail. +</p><p> +It is suspected that the Trans Requests will need to be at least 2-byte +aligned (probably 4-byte). This is standard practice for SMBs. It is also +independent of the observed 4-byte alignments with the start of the MSRPC +header, including the 4-byte alignment between the MSRPC header and the +MSRPC data. +</p><p> +First, an SMBtconX connection is made to the IPC$ share. The connection +must be made using encrypted passwords, not clear-text. Then, an SMBopenX +is made on the pipe. Then, a Set Named Pipe Handle State must be sent, +after which the pipe is ready to accept API commands. Lastly, and SMBclose +is sent. +</p><p> +To be resolved: +</p><p> +lkcl/01nov97 there appear to be two additional bytes after the null-terminated \PIPE\ name for the RPC pipe. Values seen so far are +listed below:</p><pre class="programlisting"> + initial SMBopenX request: RPC API command 0x26 params: + "\\PIPE\\lsarpc" 0x65 0x63; 0x72 0x70; 0x44 0x65; + "\\PIPE\\srvsvc" 0x73 0x76; 0x4E 0x00; 0x5C 0x43; +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id326284"></a>Header</h3></div></div></div><p>[section to be rewritten, following receipt of work by Duncan Stansfield]</p><p>Interesting note: if you set packed data representation to 0x0100 0000 +then all 4-byte and 2-byte word ordering is turned around!</p><p>The start of each of the NTLSA and NETLOGON named pipes begins with:</p><div class="segmentedlist"><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>00</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT8</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>5 - RPC major version</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>01</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT8</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>0 - RPC minor version</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>02</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT8</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>2 - RPC response packet</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>03</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT8</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>3 - (FirstFrag bit-wise or with LastFrag)</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>04</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT32</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>0x1000 0000 - packed data representation</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>08</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT16</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>fragment length - data size (bytes) inc header and tail.</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>0A</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT16</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>0 - authentication length </div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>0C</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT32</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>call identifier. matches 12th UINT32 of incoming RPC data.</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>10</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT32</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>allocation hint - data size (bytes) minus header and tail.</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>14</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT16</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>0 - presentation context identifier</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>16</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT8</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>0 - cancel count</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>17</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>UINT8</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>in replies: 0 - reserved; in requests: opnum - see #defines.</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">offset: </span></strong>18</div><div class="seg"><strong><span class="segtitle">Variable type: </span></strong>......</div><div class="seg"><strong><span class="segtitle">Variable data: </span></strong>start of data (goes on for allocation_hint bytes)</div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326433"></a>RPC_Packet for request, response, bind and bind acknowledgement</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT8 versionmaj</span></dt><dd><p>reply same as request (0x05)</p></dd><dt><span class="term">UINT8 versionmin</span></dt><dd><p>reply same as request (0x00)</p></dd><dt><span class="term">UINT8 type</span></dt><dd><p>one of the MSRPC_Type enums</p></dd><dt><span class="term">UINT8 flags</span></dt><dd><p>reply same as request (0x00 for Bind, 0x03 for Request)</p></dd><dt><span class="term">UINT32 representation</span></dt><dd><p>reply same as request (0x00000010)</p></dd><dt><span class="term">UINT16 fraglength</span></dt><dd><p>the length of the data section of the SMB trans packet</p></dd><dt><span class="term">UINT16 authlength</span></dt><dd><p></p></dd><dt><span class="term">UINT32 callid</span></dt><dd><p>call identifier. (e.g. 0x00149594)</p></dd><dt><span class="term">* stub USE TvPacket</span></dt><dd><p>the remainder of the packet depending on the "type"</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326536"></a>Interface identification</h4></div></div></div><p>the interfaces are numbered. as yet I haven't seen more than one interface used on the same pipe name srvsvc</p><pre class="programlisting"> +abstract (0x4B324FC8, 0x01D31670, 0x475A7812, 0x88E16EBF, 0x00000003) +transfer (0x8A885D04, 0x11C91CEB, 0x0008E89F, 0x6048102B, 0x00000002) +</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326555"></a>RPC_Iface RW</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT8 byte[16]</span></dt><dd><p>16 bytes of number</p></dd><dt><span class="term">UINT32 version</span></dt><dd><p>the interface number</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326585"></a>RPC_ReqBind RW</h4></div></div></div><p>the remainder of the packet after the header if "type" was Bind in the response header, "type" should be BindAck</p><div class="variablelist"><dl><dt><span class="term">UINT16 maxtsize</span></dt><dd><p>maximum transmission fragment size (0x1630)</p></dd><dt><span class="term">UINT16 maxrsize</span></dt><dd><p>max receive fragment size (0x1630)</p></dd><dt><span class="term">UINT32 assocgid</span></dt><dd><p>associated group id (0x0)</p></dd><dt><span class="term">UINT32 numelements</span></dt><dd><p>the number of elements (0x1)</p></dd><dt><span class="term">UINT16 contextid</span></dt><dd><p>presentation context identifier (0x0)</p></dd><dt><span class="term">UINT8 numsyntaxes</span></dt><dd><p>the number of syntaxes (has always been 1?)(0x1)</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>4-byte alignment padding, against SMB header</p></dd><dt><span class="term">* abstractint USE RPC_Iface</span></dt><dd><p>num and vers. of interface client is using</p></dd><dt><span class="term">* transferint USE RPC_Iface</span></dt><dd><p>num and vers. of interface to use for replies</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326694"></a>RPC_Address RW</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT16 length</span></dt><dd><p>length of the string including null terminator</p></dd><dt><span class="term">* port USE string</span></dt><dd><p>the string above in single byte, null terminated form</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326724"></a>RPC_ResBind RW</h4></div></div></div><p>the response to place after the header in the reply packet</p><div class="variablelist"><dl><dt><span class="term">UINT16 maxtsize</span></dt><dd><p>same as request</p></dd><dt><span class="term">UINT16 maxrsize</span></dt><dd><p>same as request</p></dd><dt><span class="term">UINT32 assocgid</span></dt><dd><p>zero</p></dd><dt><span class="term">* secondaddr USE RPC_Address</span></dt><dd><p>the address string, as described earlier</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>4-byte alignment padding, against SMB header</p></dd><dt><span class="term">UINT8 numresults</span></dt><dd><p>the number of results (0x01)</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>4-byte alignment padding, against SMB header</p></dd><dt><span class="term">UINT16 result</span></dt><dd><p>result (0x00 = accept)</p></dd><dt><span class="term">UINT16 reason</span></dt><dd><p>reason (0x00 = no reason specified)</p></dd><dt><span class="term">* transfersyntax USE RPC_Iface</span></dt><dd><p>the transfer syntax from the request</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326841"></a>RPC_ReqNorm RW</h4></div></div></div><p>the remainder of the packet after the header for every other other request</p><div class="variablelist"><dl><dt><span class="term">UINT32 allochint</span></dt><dd><p>the size of the stub data in bytes</p></dd><dt><span class="term">UINT16 prescontext</span></dt><dd><p>presentation context identifier (0x0)</p></dd><dt><span class="term">UINT16 opnum</span></dt><dd><p>operation number (0x15)</p></dd><dt><span class="term">* stub USE TvPacket</span></dt><dd><p>a packet dependent on the pipe name (probably the interface) and the op number)</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id326896"></a>RPC_ResNorm RW</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32 allochint</span></dt><dd><p># size of the stub data in bytes</p></dd><dt><span class="term">UINT16 prescontext</span></dt><dd><p># presentation context identifier (same as request)</p></dd><dt><span class="term">UINT8 cancelcount</span></dt><dd><p># cancel count? (0x0)</p></dd><dt><span class="term">UINT8 reserved</span></dt><dd><p># 0 - one byte padding</p></dd><dt><span class="term">* stub USE TvPacket</span></dt><dd><p># the remainder of the reply</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id326958"></a>Tail</h3></div></div></div><p>The end of each of the NTLSA and NETLOGON named pipes ends with:</p><div class="variablelist"><dl><dt><span class="term">......</span></dt><dd><p>end of data</p></dd><dt><span class="term">UINT32</span></dt><dd><p>return code</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id326994"></a>RPC Bind / Bind Ack</h3></div></div></div><p> +RPC Binds are the process of associating an RPC pipe (e.g \PIPE\lsarpc) +with a "transfer syntax" (see RPC_Iface structure). The purpose for doing +this is unknown. +</p><p><span class="emphasis"><em>Note: The RPC_ResBind SMB Transact request is sent with two uint16 setup parameters. The first is 0x0026; the second is the file handle + returned by the SMBopenX Transact response.</em></span></p><p><span class="emphasis"><em>Note: The RPC_ResBind members maxtsize, maxrsize and assocgid are the same in the response as the same members in the RPC_ReqBind. The + RPC_ResBind member transfersyntax is the same in the response as + the</em></span></p><p><span class="emphasis"><em>Note: The RPC_ResBind response member secondaddr contains the name of what is presumed to be the service behind the RPC pipe. The + mapping identified so far is:</em></span></p><div class="variablelist"><dl><dt><span class="term">initial SMBopenX request:</span></dt><dd><p>RPC_ResBind response:</p></dd><dt><span class="term">"\\PIPE\\srvsvc"</span></dt><dd><p>"\\PIPE\\ntsvcs"</p></dd><dt><span class="term">"\\PIPE\\samr"</span></dt><dd><p>"\\PIPE\\lsass"</p></dd><dt><span class="term">"\\PIPE\\lsarpc"</span></dt><dd><p>"\\PIPE\\lsass"</p></dd><dt><span class="term">"\\PIPE\\wkssvc"</span></dt><dd><p>"\\PIPE\\wksvcs"</p></dd><dt><span class="term">"\\PIPE\\NETLOGON"</span></dt><dd><p>"\\PIPE\\NETLOGON"</p></dd></dl></div><p><span class="emphasis"><em>Note: The RPC_Packet fraglength member in both the Bind Request and Bind Acknowledgment must contain the length of the entire RPC data, including the RPC_Packet header.</em></span></p><p>Request:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>RPC_Packet</td></tr><tr><td>RPC_ReqBind</td></tr></table><p>Response:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>RPC_Packet</td></tr><tr><td>RPC_ResBind</td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327132"></a>NTLSA Transact Named Pipe</h3></div></div></div><p>The sequence of actions taken on this pipe are:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords.</td></tr><tr><td>Open an RPC Pipe with the name "\\PIPE\\lsarpc". Store the file handle.</td></tr><tr><td>Using the file handle, send a Set Named Pipe Handle state to 0x4300.</td></tr><tr><td>Send an LSA Open Policy request. Store the Policy Handle.</td></tr><tr><td>Using the Policy Handle, send LSA Query Info Policy requests, etc.</td></tr><tr><td>Using the Policy Handle, send an LSA Close.</td></tr><tr><td>Close the IPC$ share.</td></tr></table><p>Defines for this pipe, identifying the query are:</p><div class="variablelist"><dl><dt><span class="term">LSA Open Policy:</span></dt><dd><p>0x2c</p></dd><dt><span class="term">LSA Query Info Policy:</span></dt><dd><p>0x07</p></dd><dt><span class="term">LSA Enumerate Trusted Domains:</span></dt><dd><p>0x0d</p></dd><dt><span class="term">LSA Open Secret:</span></dt><dd><p>0xff</p></dd><dt><span class="term">LSA Lookup SIDs:</span></dt><dd><p>0xfe</p></dd><dt><span class="term">LSA Lookup Names:</span></dt><dd><p>0xfd</p></dd><dt><span class="term">LSA Close:</span></dt><dd><p>0x00</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327260"></a>LSA Open Policy</h3></div></div></div><p><span class="emphasis"><em>Note: The policy handle can be anything you like.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327270"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>buffer pointer</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>server name - unicode string starting with two '\'s</p></dd><dt><span class="term">OBJ_ATTR</span></dt><dd><p>object attributes</p></dd><dt><span class="term">UINT32</span></dt><dd><p>1 - desired access</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327325"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">POL_HND</span></dt><dd><p>LSA policy handle</p></dd><dt><span class="term">return</span></dt><dd><p>0 - indicates success</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327358"></a>LSA Query Info Policy</h3></div></div></div><p><span class="emphasis"><em>Note: The info class in response must be the same as that in the request.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327369"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">POL_HND</span></dt><dd><p>LSA policy handle</p></dd><dt><span class="term">UINT16</span></dt><dd><p>info class (also a policy handle?)</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327399"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">UINT16</span></dt><dd><p>info class (same as info class in request).</p></dd></dl></div><pre class="programlisting"> +switch (info class) +case 3: +case 5: +{ +DOM_INFO domain info, levels 3 and 5 (are the same). +} + +return 0 - indicates success +</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327441"></a>LSA Enumerate Trusted Domains</h3></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327447"></a>Request</h4></div></div></div><p>no extra data</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327457"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>0 - enumeration context</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - entries read</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - trust information</p></dd><dt><span class="term">return</span></dt><dd><p>0x8000 001a - "no trusted domains" success code</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327513"></a>LSA Open Secret</h3></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327518"></a>Request</h4></div></div></div><p>no extra data</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327528"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>0 - undocumented</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - undocumented</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - undocumented</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - undocumented</p></dd><dt><span class="term">UINT32</span></dt><dd><p>0 - undocumented</p></dd></dl></div><p>return 0x0C00 0034 - "no such secret" success code</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327599"></a>LSA Close</h3></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327605"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">POL_HND</span></dt><dd><p>policy handle to be closed</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327626"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">POL_HND</span></dt><dd><p>0s - closed policy handle (all zeros)</p></dd></dl></div><p>return 0 - indicates success</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327651"></a>LSA Lookup SIDS</h3></div></div></div><p><span class="emphasis"><em>Note: num_entries in response must be same as num_entries in request.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327661"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">POL_HND</span></dt><dd><p>LSA policy handle</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented domain SID buffer pointer</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented domain name buffer pointer</p></dd><dt><span class="term">VOID*[num_entries] undocumented domain SID pointers to be looked up. +</span></dt><dd><p>DOM_SID[num_entries] domain SIDs to be looked up.</p></dd><dt><span class="term">char[16]</span></dt><dd><p>completely undocumented 16 bytes.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327738"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">DOM_REF</span></dt><dd><p>domain reference response</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries (listed above)</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries (listed above)</p></dd><dt><span class="term">DOM_SID2[num_entries]</span></dt><dd><p>domain SIDs (from Request, listed above).</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries (listed above)</p></dd></dl></div><p>return 0 - indicates success</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327815"></a>LSA Lookup Names</h3></div></div></div><p><span class="emphasis"><em>Note: num_entries in response must be same as num_entries in request.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327825"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">POL_HND</span></dt><dd><p>LSA policy handle</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented domain SID buffer pointer</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented domain name buffer pointer</p></dd><dt><span class="term">NAME[num_entries]</span></dt><dd><p>names to be looked up.</p></dd><dt><span class="term">char[]</span></dt><dd><p>undocumented bytes - falsely translated SID structure?</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327914"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">DOM_REF</span></dt><dd><p>domain reference response</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries (listed above)</p></dd><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries (listed above)</p></dd><dt><span class="term">DOM_RID[num_entries]</span></dt><dd><p>domain SIDs (from Request, listed above).</p></dd><dt><span class="term">UINT32</span></dt><dd><p>num_entries (listed above)</p></dd></dl></div><p>return 0 - indicates success</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327992"></a>NETLOGON rpc Transact Named Pipe</h2></div></div></div><p>The sequence of actions taken on this pipe are:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>tablish a connection to the IPC$ share (SMBtconX). use encrypted passwords.</td></tr><tr><td>en an RPC Pipe with the name "\\PIPE\\NETLOGON". Store the file handle.</td></tr><tr><td>ing the file handle, send a Set Named Pipe Handle state to 0x4300.</td></tr><tr><td>eate Client Challenge. Send LSA Request Challenge. Store Server Challenge.</td></tr><tr><td>lculate Session Key. Send an LSA Auth 2 Challenge. Store Auth2 Challenge.</td></tr><tr><td>lc/Verify Client Creds. Send LSA Srv PW Set. Calc/Verify Server Creds.</td></tr><tr><td>lc/Verify Client Creds. Send LSA SAM Logon . Calc/Verify Server Creds.</td></tr><tr><td>lc/Verify Client Creds. Send LSA SAM Logoff. Calc/Verify Server Creds.</td></tr><tr><td>ose the IPC$ share.</td></tr></table><p>Defines for this pipe, identifying the query are</p><div class="variablelist"><dl><dt><span class="term">LSA Request Challenge:</span></dt><dd><p>0x04</p></dd><dt><span class="term">LSA Server Password Set:</span></dt><dd><p>0x06</p></dd><dt><span class="term">LSA SAM Logon:</span></dt><dd><p>0x02</p></dd><dt><span class="term">LSA SAM Logoff:</span></dt><dd><p>0x03</p></dd><dt><span class="term">LSA Auth 2:</span></dt><dd><p>0x0f</p></dd><dt><span class="term">LSA Logon Control:</span></dt><dd><p>0x0e</p></dd></dl></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328116"></a>LSA Request Challenge</h3></div></div></div><p><span class="emphasis"><em>Note: logon server name starts with two '\' characters and is upper case.</em></span></p><p><span class="emphasis"><em>Note: logon client is the machine, not the user.</em></span></p><p><span class="emphasis"><em>Note: the initial LanManager password hash, against which the challenge is issued, is the machine name itself (lower case). there will becalls issued (LSA Server Password Set) which will change this, later. refusing these calls allows you to always deal with the same password (i.e the LM# of the machine name in lower case).</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328139"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon server unicode string</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>logon client unicode string</p></dd><dt><span class="term">char[8]</span></dt><dd><p>client challenge</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328194"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">char[8]</span></dt><dd><p>server challenge</p></dd></dl></div><p>return 0 - indicates success</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328219"></a>LSA Authenticate 2</h3></div></div></div><p><span class="emphasis"><em>Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials).</em></span></p><p><span class="emphasis"><em>Note: neg_flags in the response is the same as that in the request.</em></span></p><p><span class="emphasis"><em>Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328242"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">LOG_INFO</span></dt><dd><p>client identification info</p></dd><dt><span class="term">char[8]</span></dt><dd><p>client-calculated credentials</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>padding to 4-byte align with start of SMB header.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>neg_flags - negotiated flags (usual value is 0x0000 01ff)</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328295"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">char[8]</span></dt><dd><p>server credentials.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>neg_flags - same as neg_flags in request.</p></dd></dl></div><p>return 0 - indicates success. failure value unknown.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328332"></a>LSA Server Password Set</h3></div></div></div><p><span class="emphasis"><em>Note: the new password is suspected to be a DES encryption using the old password to generate the key.</em></span></p><p><span class="emphasis"><em>Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials).</em></span></p><p><span class="emphasis"><em>Note: the server credentials are constructed from the client-calculated credentials and the client time + 1 second.</em></span></p><p><span class="emphasis"><em>Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328360"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">CLNT_INFO</span></dt><dd><p>client identification/authentication info</p></dd><dt><span class="term">char[]</span></dt><dd><p>new password - undocumented.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328393"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">CREDS</span></dt><dd><p>server credentials. server time stamp appears to be ignored.</p></dd></dl></div><p>return 0 - indicates success; 0xC000 006a indicates failure</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328419"></a>LSA SAM Logon</h3></div></div></div><p><span class="emphasis"><em> +Note: valid_user is True iff the username and password hash are valid for + the requested domain. +</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328430"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">SAM_INFO</span></dt><dd><p>sam_id structure</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328451"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">CREDS</span></dt><dd><p>server credentials. server time stamp appears to be ignored.</p></dd></dl></div><pre class="programlisting"> +if (valid_user) +{ + UINT16 3 - switch value indicating USER_INFO structure. + VOID* non-zero - pointer to USER_INFO structure + USER_INFO user logon information + + UINT32 1 - Authoritative response; 0 - Non-Auth? + + return 0 - indicates success +} +else +{ + UINT16 0 - switch value. value to indicate no user presumed. + VOID* 0x0000 0000 - indicates no USER_INFO structure. + + UINT32 1 - Authoritative response; 0 - Non-Auth? + + return 0xC000 0064 - NT_STATUS_NO_SUCH_USER. +} +</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328496"></a>LSA SAM Logoff</h3></div></div></div><p><span class="emphasis"><em> +Note: presumably, the SAM_INFO structure is validated, and a (currently + undocumented) error code returned if the Logoff is invalid. +</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328507"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">SAM_INFO</span></dt><dd><p>sam_id structure</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328528"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>undocumented buffer pointer</p></dd><dt><span class="term">CREDS</span></dt><dd><p>server credentials. server time stamp appears to be ignored.</p></dd></dl></div><p>return 0 - indicates success. undocumented failure indication.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id328567"></a>\\MAILSLOT\NET\NTLOGON</h2></div></div></div><p><span class="emphasis"><em> +Note: mailslots will contain a response mailslot, to which the response + should be sent. the target NetBIOS name is REQUEST_NAME<20>, where + REQUEST_NAME is the name of the machine that sent the request. +</em></span></p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328579"></a>Query for PDC</h3></div></div></div><p><span class="emphasis"><em>Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328590"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT16</span></dt><dd><p>0x0007 - Query for PDC</p></dd><dt><span class="term">STR</span></dt><dd><p>machine name</p></dd><dt><span class="term">STR</span></dt><dd><p>response mailslot</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>padding to 2-byte align with start of mailslot.</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>machine name</p></dd><dt><span class="term">UINT32</span></dt><dd><p>NTversion</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LMNTtoken</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LM20token</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328689"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT16</span></dt><dd><p>0x000A - Respose to Query for PDC</p></dd><dt><span class="term">STR</span></dt><dd><p>machine name (in uppercase)</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>padding to 2-byte align with start of mailslot.</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>machine name</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>domain name</p></dd><dt><span class="term">UINT32</span></dt><dd><p>NTversion (same as received in request)</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LMNTtoken (same as received in request)</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LM20token (same as received in request)</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id328784"></a>SAM Logon</h3></div></div></div><p><span class="emphasis"><em>Note: machine name in response is preceded by two '\' characters.</em></span></p><p><span class="emphasis"><em>Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.</em></span></p><p><span class="emphasis"><em>Note: user name in the response is presumably the same as that in the request.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328805"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT16</span></dt><dd><p>0x0012 - SAM Logon</p></dd><dt><span class="term">UINT16</span></dt><dd><p>request count</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>machine name</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>user name</p></dd><dt><span class="term">STR</span></dt><dd><p>response mailslot</p></dd><dt><span class="term">UINT32</span></dt><dd><p>alloweable account</p></dd><dt><span class="term">UINT32</span></dt><dd><p>domain SID size</p></dd><dt><span class="term">char[sid_size]</span></dt><dd><p>domain SID, of sid_size bytes.</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>???? padding to 4? 2? -byte align with start of mailslot.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>NTversion</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LMNTtoken</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LM20token</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328949"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT16</span></dt><dd><p>0x0013 - Response to SAM Logon</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>machine name</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>user name - workstation trust account</p></dd><dt><span class="term">UNISTR</span></dt><dd><p>domain name </p></dd><dt><span class="term">UINT32</span></dt><dd><p>NTversion</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LMNTtoken</p></dd><dt><span class="term">UINT16</span></dt><dd><p>LM20token</p></dd></dl></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id329040"></a>SRVSVC Transact Named Pipe</h2></div></div></div><p>Defines for this pipe, identifying the query are:</p><div class="variablelist"><dl><dt><span class="term">Net Share Enum</span></dt><dd><p>0x0f</p></dd><dt><span class="term">Net Server Get Info</span></dt><dd><p>0x15</p></dd></dl></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329075"></a>Net Share Enum</h3></div></div></div><p><span class="emphasis"><em>Note: share level and switch value in the response are presumably the same as those in the request.</em></span></p><p><span class="emphasis"><em>Note: cifsrap2.txt (section 5) may be of limited assistance here.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329091"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">VOID*</span></dt><dd><p>pointer (to server name?)</p></dd><dt><span class="term">UNISTR2</span></dt><dd><p>server name</p></dd><dt><span class="term">UINT8[]</span></dt><dd><p>padding to get unicode string 4-byte aligned with the start of the SMB header.</p></dd><dt><span class="term">UINT32</span></dt><dd><p>share level</p></dd><dt><span class="term">UINT32</span></dt><dd><p>switch value</p></dd><dt><span class="term">VOID*</span></dt><dd><p>pointer to SHARE_INFO_1_CTR</p></dd><dt><span class="term">SHARE_INFO_1_CTR</span></dt><dd><p>share info with 0 entries</p></dd><dt><span class="term">UINT32</span></dt><dd><p>preferred maximum length (0xffff ffff)</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329189"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>share level</p></dd><dt><span class="term">UINT32</span></dt><dd><p>switch value</p></dd><dt><span class="term">VOID*</span></dt><dd><p>pointer to SHARE_INFO_1_CTR</p></dd><dt><span class="term">SHARE_INFO_1_CTR</span></dt><dd><p>share info (only added if share info ptr is non-zero)</p></dd></dl></div><p>return 0 - indicates success</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329247"></a>Net Server Get Info</h3></div></div></div><p><span class="emphasis"><em>Note: level is the same value as in the request.</em></span></p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329257"></a>Request</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UNISTR2</span></dt><dd><p>server name</p></dd><dt><span class="term">UINT32</span></dt><dd><p>switch level</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329289"></a>Response</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">UINT32</span></dt><dd><p>switch level</p></dd><dt><span class="term">VOID*</span></dt><dd><p>pointer to SERVER_INFO_101</p></dd><dt><span class="term">SERVER_INFO_101</span></dt><dd><p>server info (only added if server info ptr is non-zero)</p></dd></dl></div><p>return 0 - indicates success</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id329338"></a>Cryptographic side of NT Domain Authentication</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329344"></a>Definitions</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">Add(A1,A2)</span></dt><dd><p>Intel byte ordered addition of corresponding 4 byte words in arrays A1 and A2</p></dd><dt><span class="term">E(K,D)</span></dt><dd><p>DES ECB encryption of 8 byte data D using 7 byte key K</p></dd><dt><span class="term">lmowf()</span></dt><dd><p>Lan man hash</p></dd><dt><span class="term">ntowf()</span></dt><dd><p>NT hash</p></dd><dt><span class="term">PW</span></dt><dd><p>md4(machine_password) == md4(lsadump $machine.acc) == +pwdump(machine$) (initially) == md4(lmowf(unicode(machine))) +</p></dd><dt><span class="term">ARC4(K,Lk,D,Ld)</span></dt><dd><p>ARC4 encryption of data D of length Ld with key K of length Lk</p></dd><dt><span class="term">v[m..n(,l)]</span></dt><dd><p>subset of v from bytes m to n, optionally padded with zeroes to length l</p></dd><dt><span class="term">Cred(K,D)</span></dt><dd><p>E(K[7..7,7],E(K[0..6],D)) computes a credential</p></dd><dt><span class="term">Time()</span></dt><dd><p>4 byte current time</p></dd><dt><span class="term">Cc,Cs</span></dt><dd><p>8 byte client and server challenges Rc,Rs: 8 byte client and server credentials</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329469"></a>Protocol</h3></div></div></div><pre class="programlisting"> +C->S ReqChal,Cc +S->C Cs +</pre><pre class="programlisting"> +C & S compute session key Ks = E(PW[9..15],E(PW[0..6],Add(Cc,Cs))) +</pre><pre class="programlisting"> +C: Rc = Cred(Ks,Cc) +C->S Authenticate,Rc +S: Rs = Cred(Ks,Cs), assert(Rc == Cred(Ks,Cc)) +S->C Rs +C: assert(Rs == Cred(Ks,Cs)) +</pre><p> +On joining the domain the client will optionally attempt to change its +password and the domain controller may refuse to update it depending +on registry settings. This will also occur weekly afterwards. +</p><pre class="programlisting"> +C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) +C->S ServerPasswordSet,Rc',Tc,arc4(Ks[0..7,16],lmowf(randompassword()) +C: Rc = Cred(Ks,Rc+Tc+1) +S: assert(Rc' == Cred(Ks,Rc+Tc)), Ts = Time() +S: Rs' = Cred(Ks,Rs+Tc+1) +S->C Rs',Ts +C: assert(Rs' == Cred(Ks,Rs+Tc+1)) +S: Rs = Rs' +</pre><p> +User: U with password P wishes to login to the domain (incidental data +such as workstation and domain omitted) +</p><pre class="programlisting"> +C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) +C->S NetLogonSamLogon,Rc',Tc,U,arc4(Ks[0..7,16],16,ntowf(P),16), arc4(Ks[0..7,16],16,lmowf(P),16) +S: assert(Rc' == Cred(Ks,Rc+Tc)) assert(passwords match those in SAM) +S: Ts = Time() +</pre><pre class="programlisting"> +S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc) +C: assert(Rs == Cred(Ks,Cred(Rc+Tc+1)) +C: Rc = Cred(Ks,Rc+Tc+1) +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329533"></a>Comments</h3></div></div></div><p> +On first joining the domain the session key could be computed by +anyone listening in on the network as the machine password has a well +known value. Until the machine is rebooted it will use this session +key to encrypt NT and LM one way functions of passwords which are +password equivalents. Any user who logs in before the machine has been +rebooted a second time will have their password equivalent exposed. Of +course the new machine password is exposed at this time anyway. +</p><p> +None of the returned user info such as logon script, profile path and +SIDs *appear* to be protected by anything other than the TCP checksum. +</p><p> +The server time stamps appear to be ignored. +</p><p> +The client sends a ReturnAuthenticator in the SamLogon request which I +can't find a use for. However its time is used as the timestamp +returned by the server. +</p><p> +The password OWFs should NOT be sent over the network reversibly +encrypted. They should be sent using ARC4(Ks,md4(owf)) with the server +computing the same function using the owf values in the SAM. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id329566"></a>SIDs and RIDs</h2></div></div></div><p> +SIDs and RIDs are well documented elsewhere. +</p><p> +A SID is an NT Security ID (see DOM_SID structure). They are of the form: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>revision-NN-SubAuth1-SubAuth2-SubAuth3... </td></tr><tr><td>revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...</td></tr></table><p> +currently, the SID revision is 1. +The Sub-Authorities are known as Relative IDs (RIDs). +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329596"></a>Well-known SIDs</h3></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329602"></a>Universal well-known SIDs</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">Null SID</span></dt><dd><p>S-1-0-0</p></dd><dt><span class="term">World</span></dt><dd><p>S-1-1-0</p></dd><dt><span class="term">Local</span></dt><dd><p>S-1-2-0</p></dd><dt><span class="term">Creator Owner ID</span></dt><dd><p>S-1-3-0</p></dd><dt><span class="term">Creator Group ID</span></dt><dd><p>S-1-3-1</p></dd><dt><span class="term">Creator Owner Server ID</span></dt><dd><p>S-1-3-2</p></dd><dt><span class="term">Creator Group Server ID</span></dt><dd><p>S-1-3-3</p></dd><dt><span class="term">(Non-unique IDs)</span></dt><dd><p>S-1-4</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329701"></a>NT well-known SIDs</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">NT Authority</span></dt><dd><p>S-1-5</p></dd><dt><span class="term">Dialup</span></dt><dd><p>S-1-5-1</p></dd><dt><span class="term">Network</span></dt><dd><p>S-1-5-2</p></dd><dt><span class="term">Batch</span></dt><dd><p>S-1-5-3</p></dd><dt><span class="term">Interactive</span></dt><dd><p>S-1-5-4</p></dd><dt><span class="term">Service</span></dt><dd><p>S-1-5-6</p></dd><dt><span class="term">AnonymousLogon(aka null logon session)</span></dt><dd><p>S-1-5-7</p></dd><dt><span class="term">Proxy</span></dt><dd><p>S-1-5-8</p></dd><dt><span class="term">ServerLogon(aka domain controller account)</span></dt><dd><p>S-1-5-8</p></dd><dt><span class="term">(Logon IDs)</span></dt><dd><p>S-1-5-5-X-Y</p></dd><dt><span class="term">(NT non-unique IDs)</span></dt><dd><p>S-1-5-0x15-...</p></dd><dt><span class="term">(Built-in domain)</span></dt><dd><p>s-1-5-0x20</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329845"></a>Well-known RIDS</h3></div></div></div><p> +A RID is a sub-authority value, as part of either a SID, or in the case +of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1 +structure, in the LSA SAM Logon response. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329855"></a>Well-known RID users</h4></div></div></div><div class="segmentedlist"><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong>DOMAIN_USER_RID_ADMIN</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>01F4</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong>DOMAIN_USER_RID_GUEST</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>01F5</div></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329894"></a>Well-known RID groups</h4></div></div></div><div class="segmentedlist"><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_GROUP_RID_ADMINS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0200</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_GROUP_RID_USERS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0201</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_GROUP_RID_GUESTS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0202</div></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329942"></a>Well-known RID aliases</h4></div></div></div><div class="segmentedlist"><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_ADMINS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0220</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_USERS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0221</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_GUESTS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0222</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_POWER_USERS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0223</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_ACCOUNT_OPS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0224</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_SYSTEM_OPS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0225</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_PRINT_OPS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0226</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_BACKUP_OPS</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0227</div></div><div class="seglistitem"><div class="seg"><strong><span class="segtitle">Groupname: </span></strong> DOMAIN_ALIAS_RID_REPLICATOR</div><div class="seg"><strong><span class="segtitle">????: </span></strong>0x0000</div><div class="seg"><strong><span class="segtitle">RID: </span></strong>0228</div></div></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unix-smb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt01.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pt02.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. NetBIOS in a Unix World </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Samba Basics</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/parsing.html b/docs/htmldocs/Samba3-Developers-Guide/parsing.html new file mode 100644 index 0000000000..188c7f9b65 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/parsing.html @@ -0,0 +1,114 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. The smb.conf file</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt03.html" title="Part III. Samba Subsystems"><link rel="prev" href="vfs.html" title="Chapter 10. VFS Modules"><link rel="next" href="wins.html" title="Chapter 12. Samba WINS Internals"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. The smb.conf file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="vfs.html">Prev</a> </td><th width="60%" align="center">Part III. Samba Subsystems</th><td width="20%" align="right"> <a accesskey="n" href="wins.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="parsing"></a>Chapter 11. The smb.conf file</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Chris</span> <span class="surname">Hertel</span></h3></div></div><div><p class="pubdate">November 1997</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="parsing.html#id333066">Lexical Analysis</a></span></dt><dd><dl><dt><span class="sect2"><a href="parsing.html#id333134">Handling of Whitespace</a></span></dt><dt><span class="sect2"><a href="parsing.html#id333175">Handling of Line Continuation</a></span></dt><dt><span class="sect2"><a href="parsing.html#id333219">Line Continuation Quirks</a></span></dt></dl></dd><dt><span class="sect1"><a href="parsing.html#id333294">Syntax</a></span></dt><dd><dl><dt><span class="sect2"><a href="parsing.html#id333346">About params.c</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333066"></a>Lexical Analysis</h2></div></div></div><p> +Basically, the file is processed on a line by line basis. There are +four types of lines that are recognized by the lexical analyzer +(params.c): +</p><div class="orderedlist"><ol type="1"><li><p> +Blank lines - Lines containing only whitespace. +</p></li><li><p> +Comment lines - Lines beginning with either a semi-colon or a +pound sign (';' or '#'). +</p></li><li><p> +Section header lines - Lines beginning with an open square bracket ('['). +</p></li><li><p> +Parameter lines - Lines beginning with any other character. +(The default line type.) +</p></li></ol></div><p> +The first two are handled exclusively by the lexical analyzer, which +ignores them. The latter two line types are scanned for +</p><div class="orderedlist"><ol type="1"><li><p> + - Section names +</p></li><li><p> + - Parameter names +</p></li><li><p> + - Parameter values +</p></li></ol></div><p> +These are the only tokens passed to the parameter loader +(loadparm.c). Parameter names and values are divided from one +another by an equal sign: '='. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333134"></a>Handling of Whitespace</h3></div></div></div><p> +Whitespace is defined as all characters recognized by the isspace() +function (see ctype(3C)) except for the newline character ('\n') +The newline is excluded because it identifies the end of the line. +</p><div class="orderedlist"><ol type="1"><li><p> +The lexical analyzer scans past white space at the beginning of a line. +</p></li><li><p> +Section and parameter names may contain internal white space. All +whitespace within a name is compressed to a single space character. +</p></li><li><p> +Internal whitespace within a parameter value is kept verbatim with +the exception of carriage return characters ('\r'), all of which +are removed. +</p></li><li><p> +Leading and trailing whitespace is removed from names and values. +</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333175"></a>Handling of Line Continuation</h3></div></div></div><p> +Long section header and parameter lines may be extended across +multiple lines by use of the backslash character ('\\'). Line +continuation is ignored for blank and comment lines. +</p><p> +If the last (non-whitespace) character within a section header or on +a parameter line is a backslash, then the next line will be +(logically) concatonated with the current line by the lexical +analyzer. For example: +</p><pre class="programlisting"> + param name = parameter value string \ + with line continuation. +</pre><p>Would be read as</p><pre class="programlisting"> + param name = parameter value string with line continuation. +</pre><p> +Note that there are five spaces following the word 'string', +representing the one space between 'string' and '\\' in the top +line, plus the four preceeding the word 'with' in the second line. +(Yes, I'm counting the indentation.) +</p><p> +Line continuation characters are ignored on blank lines and at the end +of comments. They are *only* recognized within section and parameter +lines. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333219"></a>Line Continuation Quirks</h3></div></div></div><p>Note the following example:</p><pre class="programlisting"> + param name = parameter value string \ + \ + with line continuation. +</pre><p> +The middle line is *not* parsed as a blank line because it is first +concatonated with the top line. The result is +</p><pre class="programlisting"> +param name = parameter value string with line continuation. +</pre><p>The same is true for comment lines.</p><pre class="programlisting"> + param name = parameter value string \ + ; comment \ + with a comment. +</pre><p>This becomes:</p><pre class="programlisting"> +param name = parameter value string ; comment with a comment. +</pre><p> +On a section header line, the closing bracket (']') is considered a +terminating character, and the rest of the line is ignored. The lines +</p><pre class="programlisting"> + [ section name ] garbage \ + param name = value +</pre><p>are read as</p><pre class="programlisting"> + [section name] + param name = value +</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333294"></a>Syntax</h2></div></div></div><p>The syntax of the smb.conf file is as follows:</p><pre class="programlisting"> + <file> :== { <section> } EOF + <section> :== <section header> { <parameter line> } + <section header> :== '[' NAME ']' + <parameter line> :== NAME '=' VALUE NL +</pre><p>Basically, this means that</p><div class="orderedlist"><ol type="1"><li><p> + a file is made up of zero or more sections, and is terminated by + an EOF (we knew that). +</p></li><li><p> + A section is made up of a section header followed by zero or more + parameter lines. +</p></li><li><p> + A section header is identified by an opening bracket and + terminated by the closing bracket. The enclosed NAME identifies + the section. +</p></li><li><p> + A parameter line is divided into a NAME and a VALUE. The *first* + equal sign on the line separates the NAME from the VALUE. The + VALUE is terminated by a newline character (NL = '\n'). +</p></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333346"></a>About params.c</h3></div></div></div><p> +The parsing of the config file is a bit unusual if you are used to +lex, yacc, bison, etc. Both lexical analysis (scanning) and parsing +are performed by params.c. Values are loaded via callbacks to +loadparm.c. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="vfs.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt03.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="wins.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. VFS Modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Samba WINS Internals</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/pr01.html b/docs/htmldocs/Samba3-Developers-Guide/pr01.html new file mode 100644 index 0000000000..2305a7c9e7 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/pr01.html @@ -0,0 +1,33 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Attribution</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="index.html" title="SAMBA Developers Guide"><link rel="prev" href="index.html" title="SAMBA Developers Guide"><link rel="next" href="pt01.html" title="Part I. The protocol"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Attribution</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pt01.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id282135"></a>Attribution</h2></div></div></div><p><a href="unix-smb.html" title="Chapter 1. NetBIOS in a Unix World">NetBIOS in a Unix World</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell</p></li></ul></div><p> +</p><p><a href="ntdomain.html" title="Chapter 2. NT Domain RPC's">NT Domain RPC's</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Luke Leighton <<a href="mailto:lkcl@switchboard.net" target="_top">lkcl@switchboard.net</a>></p></li><li><p>Paul Ashton <<a href="mailto:paul@argo.demon.co.uk" target="_top">paul@argo.demon.co.uk</a>></p></li><li><p>Duncan Stansfield <<a href="mailto:duncans@sco.com" target="_top">duncans@sco.com</a>></p></li></ul></div><p> +</p><p><a href="architecture.html" title="Chapter 3. Samba Architecture">Samba Architecture</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Dan Shearer</p></li></ul></div><p> +</p><p><a href="debug.html" title="Chapter 4. The samba DEBUG system">The samba DEBUG system</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Chris Hertel</p></li></ul></div><p> +</p><p><a href="internals.html" title="Chapter 5. Samba Internals">Samba Internals</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>David Chappell <<a href="mailto:David.Chappell@mail.trincoll.edu" target="_top">David.Chappell@mail.trincoll.edu</a>></p></li></ul></div><p> +</p><p><a href="CodingSuggestions.html" title="Chapter 6. Coding Suggestions">Coding Suggestions</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Steve French</p></li><li><p>Simo Sorce</p></li><li><p>Andrew Bartlett</p></li><li><p>Tim Potter</p></li><li><p>Martin Pool</p></li></ul></div><p> +</p><p><a href="contributing.html" title="Chapter 7. Contributing code">Contributing code</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div><p> +</p><p><a href="modules.html" title="Chapter 8. Modules">Modules</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div><p> +</p><p><a href="rpc-plugin.html" title="Chapter 9. RPC Pluggable Modules">RPC Pluggable Modules</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Anthony Liguori <<a href="mailto:aliguor@us.ibm.com" target="_top">aliguor@us.ibm.com</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div><p> +</p><p><a href="vfs.html" title="Chapter 10. VFS Modules">VFS Modules</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Alexander Bokovoy <<a href="mailto:ab@samba.org" target="_top">ab@samba.org</a>></p></li><li><p>Stefan Metzmacher <<a href="mailto:metze@samba.org" target="_top">metze@samba.org</a>></p></li></ul></div><p> +</p><p><a href="parsing.html" title="Chapter 11. The smb.conf file">The smb.conf file</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Chris Hertel</p></li></ul></div><p> +</p><p><a href="wins.html" title="Chapter 12. Samba WINS Internals">Samba WINS Internals</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Gerald Carter</p></li></ul></div><p> +</p><p><a href="pwencrypt.html" title="Chapter 13. LanMan and NT Password Encryption">LanMan and NT Password Encryption</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jeremy Allison <<a href="mailto:samba@samba.org" target="_top">samba@samba.org</a>></p></li></ul></div><p> +</p><p><a href="tracing.html" title="Chapter 14. Tracing samba system calls">Tracing samba system calls</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell</p></li></ul></div><p> +</p><p><a href="devprinting.html" title="Chapter 15. Samba Printing Internals">Samba Printing Internals</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Gerald Carter</p></li></ul></div><p> +</p><p><a href="Packaging.html" title="Chapter 16. Notes to packagers">Notes to packagers</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij</p></li></ul></div><p> +</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pt01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">SAMBA Developers Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part I. The protocol</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/pt01.html b/docs/htmldocs/Samba3-Developers-Guide/pt01.html new file mode 100644 index 0000000000..78110968ac --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/pt01.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. The protocol</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="index.html" title="SAMBA Developers Guide"><link rel="prev" href="pr01.html" title="Attribution"><link rel="next" href="unix-smb.html" title="Chapter 1. NetBIOS in a Unix World"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. The protocol</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="unix-smb.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id323055"></a>Part I. The protocol</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="unix-smb.html">1. NetBIOS in a Unix World</a></span></dt><dd><dl><dt><span class="sect1"><a href="unix-smb.html#id323085">Introduction</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323102">Usernames</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323144">File Ownership</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323168">Passwords</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323197">Locking</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323237">Deny Modes</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323256">Trapdoor UIDs</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323274">Port numbers</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323305">Protocol Complexity</a></span></dt></dl></dd><dt><span class="chapter"><a href="ntdomain.html">2. NT Domain RPC's</a></span></dt><dd><dl><dt><span class="sect1"><a href="ntdomain.html#id323417">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id323559">Sources</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id323586">Credits</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id323615">Notes and Structures</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id323620">Notes</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id281607">Enumerations</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id323908">Structures</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id326205">MSRPC over Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id326215">MSRPC Pipes</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326284">Header</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326958">Tail</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id326994">RPC Bind / Bind Ack</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327132">NTLSA Transact Named Pipe</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327260">LSA Open Policy</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327358">LSA Query Info Policy</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327441">LSA Enumerate Trusted Domains</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327513">LSA Open Secret</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327599">LSA Close</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327651">LSA Lookup SIDS</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id327815">LSA Lookup Names</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id327992">NETLOGON rpc Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id328116">LSA Request Challenge</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328219">LSA Authenticate 2</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328332">LSA Server Password Set</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328419">LSA SAM Logon</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328496">LSA SAM Logoff</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id328567">\\MAILSLOT\NET\NTLOGON</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id328579">Query for PDC</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id328784">SAM Logon</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329040">SRVSVC Transact Named Pipe</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329075">Net Share Enum</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329247">Net Server Get Info</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329338">Cryptographic side of NT Domain Authentication</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329344">Definitions</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329469">Protocol</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329533">Comments</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntdomain.html#id329566">SIDs and RIDs</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntdomain.html#id329596">Well-known SIDs</a></span></dt><dt><span class="sect2"><a href="ntdomain.html#id329845">Well-known RIDS</a></span></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="unix-smb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Attribution </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. NetBIOS in a Unix World</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/pt02.html b/docs/htmldocs/Samba3-Developers-Guide/pt02.html new file mode 100644 index 0000000000..fad553cc12 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/pt02.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Samba Basics</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="index.html" title="SAMBA Developers Guide"><link rel="prev" href="ntdomain.html" title="Chapter 2. NT Domain RPC's"><link rel="next" href="architecture.html" title="Chapter 3. Samba Architecture"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Samba Basics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ntdomain.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="architecture.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id330051"></a>Part II. Samba Basics</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="architecture.html">3. Samba Architecture</a></span></dt><dd><dl><dt><span class="sect1"><a href="architecture.html#id330081">Introduction</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330120">Multithreading and Samba</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330145">Threading smbd</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330198">Threading nmbd</a></span></dt><dt><span class="sect1"><a href="architecture.html#id330230">nbmd Design</a></span></dt></dl></dd><dt><span class="chapter"><a href="debug.html">4. The samba DEBUG system</a></span></dt><dd><dl><dt><span class="sect1"><a href="debug.html#id330279">New Output Syntax</a></span></dt><dt><span class="sect1"><a href="debug.html#id330374">The DEBUG() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330466">The DEBUGADD() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330498">The DEBUGLVL() Macro</a></span></dt><dt><span class="sect1"><a href="debug.html#id330576">New Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="debug.html#id330582">dbgtext()</a></span></dt><dt><span class="sect2"><a href="debug.html#id330595">dbghdr()</a></span></dt><dt><span class="sect2"><a href="debug.html#id330612">format_debug_text()</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="internals.html">5. Samba Internals</a></span></dt><dd><dl><dt><span class="sect1"><a href="internals.html#id330662">Character Handling</a></span></dt><dt><span class="sect1"><a href="internals.html#id330682">The new functions</a></span></dt><dt><span class="sect1"><a href="internals.html#id330789">Macros in byteorder.h</a></span></dt><dd><dl><dt><span class="sect2"><a href="internals.html#id330799">CVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330809">PVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330820">SCVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330830">SVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330842">IVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330853">SVALS(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330864">IVALS(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330874">SSVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330885">SIVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330896">SSVALS(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330907">SIVALS(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330918">RSVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330928">RIVAL(buf,pos)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330939">RSSVAL(buf,pos,val)</a></span></dt><dt><span class="sect2"><a href="internals.html#id330950">RSIVAL(buf,pos,val)</a></span></dt></dl></dd><dt><span class="sect1"><a href="internals.html#id330962">LAN Manager Samba API</a></span></dt><dd><dl><dt><span class="sect2"><a href="internals.html#id330987">Parameters</a></span></dt><dt><span class="sect2"><a href="internals.html#id331097">Return value</a></span></dt></dl></dd><dt><span class="sect1"><a href="internals.html#id331155">Code character table</a></span></dt></dl></dd><dt><span class="chapter"><a href="CodingSuggestions.html">6. Coding Suggestions</a></span></dt><dt><span class="chapter"><a href="contributing.html">7. Contributing code</a></span></dt><dt><span class="chapter"><a href="modules.html">8. Modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="modules.html#id331748">Advantages</a></span></dt><dt><span class="sect1"><a href="modules.html#id331783">Loading modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="modules.html#id331806">Static modules</a></span></dt><dt><span class="sect2"><a href="modules.html#id331836">Shared modules</a></span></dt></dl></dd><dt><span class="sect1"><a href="modules.html#id331855">Writing modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="modules.html#id331898">Static/Shared selection in configure.in</a></span></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ntdomain.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="architecture.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. NT Domain RPC's </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Samba Architecture</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/pt03.html b/docs/htmldocs/Samba3-Developers-Guide/pt03.html new file mode 100644 index 0000000000..2ed48f1af7 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/pt03.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part III. Samba Subsystems</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="index.html" title="SAMBA Developers Guide"><link rel="prev" href="modules.html" title="Chapter 8. Modules"><link rel="next" href="rpc-plugin.html" title="Chapter 9. RPC Pluggable Modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part III. Samba Subsystems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="modules.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="rpc-plugin.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id331991"></a>Part III. Samba Subsystems</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="rpc-plugin.html">9. RPC Pluggable Modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="rpc-plugin.html#id332057">About</a></span></dt><dt><span class="sect1"><a href="rpc-plugin.html#id332070">General Overview</a></span></dt></dl></dd><dt><span class="chapter"><a href="vfs.html">10. VFS Modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="vfs.html#id332231">The Samba (Posix) VFS layer</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332237">The general interface</a></span></dt><dt><span class="sect2"><a href="vfs.html#id332307">Possible VFS operation layers</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332351">The Interaction between the Samba VFS subsystem and the modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332357">Initialization and registration</a></span></dt><dt><span class="sect2"><a href="vfs.html#id332494">How the Modules handle per connection data</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332652">Upgrading to the New VFS Interface</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332658">Upgrading from 2.2.* and 3.0aplha modules</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332988">Some Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332994">Implement TRANSPARENT functions</a></span></dt><dt><span class="sect2"><a href="vfs.html#id333012">Implement OPAQUE functions</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="parsing.html">11. The smb.conf file</a></span></dt><dd><dl><dt><span class="sect1"><a href="parsing.html#id333066">Lexical Analysis</a></span></dt><dd><dl><dt><span class="sect2"><a href="parsing.html#id333134">Handling of Whitespace</a></span></dt><dt><span class="sect2"><a href="parsing.html#id333175">Handling of Line Continuation</a></span></dt><dt><span class="sect2"><a href="parsing.html#id333219">Line Continuation Quirks</a></span></dt></dl></dd><dt><span class="sect1"><a href="parsing.html#id333294">Syntax</a></span></dt><dd><dl><dt><span class="sect2"><a href="parsing.html#id333346">About params.c</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="wins.html">12. Samba WINS Internals</a></span></dt><dd><dl><dt><span class="sect1"><a href="wins.html#id333384">WINS Failover</a></span></dt></dl></dd><dt><span class="chapter"><a href="pwencrypt.html">13. LanMan and NT Password Encryption</a></span></dt><dd><dl><dt><span class="sect1"><a href="pwencrypt.html#id333488">Introduction</a></span></dt><dt><span class="sect1"><a href="pwencrypt.html#id333506">How does it work?</a></span></dt><dt><span class="sect1"><a href="pwencrypt.html#id333571">The smbpasswd file</a></span></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="modules.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="rpc-plugin.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. RPC Pluggable Modules</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/pt04.html b/docs/htmldocs/Samba3-Developers-Guide/pt04.html new file mode 100644 index 0000000000..8232ad18c2 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/pt04.html @@ -0,0 +1,9 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Debugging and tracing</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="index.html" title="SAMBA Developers Guide"><link rel="prev" href="pwencrypt.html" title="Chapter 13. LanMan and NT Password Encryption"><link rel="next" href="tracing.html" title="Chapter 14. Tracing samba system calls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Debugging and tracing</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pwencrypt.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="tracing.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id333814"></a>Part IV. Debugging and tracing</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="tracing.html">14. Tracing samba system calls</a></span></dt><dt><span class="chapter"><a href="devprinting.html">15. Samba Printing Internals</a></span></dt><dd><dl><dt><span class="sect1"><a href="devprinting.html#id334024">Abstract</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334035"> +Printing Interface to Various Back ends +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334109"> +Print Queue TDB's +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334247"> +ChangeID and Client Caching of Printer Information +</a></span></dt><dt><span class="sect1"><a href="devprinting.html#id334258"> +Windows NT/2K Printer Change Notify +</a></span></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pwencrypt.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="tracing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. LanMan and NT Password Encryption </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. Tracing samba system calls</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/pt05.html b/docs/htmldocs/Samba3-Developers-Guide/pt05.html new file mode 100644 index 0000000000..2e7656ec08 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/pt05.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Appendices</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="index.html" title="SAMBA Developers Guide"><link rel="prev" href="devprinting.html" title="Chapter 15. Samba Printing Internals"><link rel="next" href="Packaging.html" title="Chapter 16. Notes to packagers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Appendices</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="devprinting.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="Packaging.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id334489"></a>Part V. Appendices</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="Packaging.html">16. Notes to packagers</a></span></dt><dd><dl><dt><span class="sect1"><a href="Packaging.html#id334515">Versioning</a></span></dt><dt><span class="sect1"><a href="Packaging.html#id334540">Modules</a></span></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="devprinting.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="Packaging.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Samba Printing Internals </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Notes to packagers</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html b/docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html new file mode 100644 index 0000000000..88ae39da7f --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html @@ -0,0 +1,103 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. LanMan and NT Password Encryption</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt03.html" title="Part III. Samba Subsystems"><link rel="prev" href="wins.html" title="Chapter 12. Samba WINS Internals"><link rel="next" href="pt04.html" title="Part IV. Debugging and tracing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. LanMan and NT Password Encryption</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="wins.html">Prev</a> </td><th width="60%" align="center">Part III. Samba Subsystems</th><td width="20%" align="right"> <a accesskey="n" href="pt04.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pwencrypt"></a>Chapter 13. LanMan and NT Password Encryption</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><br> + <code class="email"><<a href="mailto:samba@samba.org">samba@samba.org</a>></code><br> + </p></div></div></div></div><div><p class="pubdate">19 Apr 1999</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pwencrypt.html#id333488">Introduction</a></span></dt><dt><span class="sect1"><a href="pwencrypt.html#id333506">How does it work?</a></span></dt><dt><span class="sect1"><a href="pwencrypt.html#id333571">The smbpasswd file</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333488"></a>Introduction</h2></div></div></div><p>With the development of LanManager and Windows NT + compatible password encryption for Samba, it is now able + to validate user connections in exactly the same way as + a LanManager or Windows NT server.</p><p>This document describes how the SMB password encryption + algorithm works and what issues there are in choosing whether + you want to use it. You should read it carefully, especially + the part about security and the "PROS and CONS" section.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333506"></a>How does it work?</h2></div></div></div><p>LanManager encryption is somewhat similar to UNIX + password encryption. The server uses a file containing a + hashed value of a user's password. This is created by taking + the user's plaintext password, capitalising it, and either + truncating to 14 bytes or padding to 14 bytes with null bytes. + This 14 byte value is used as two 56 bit DES keys to encrypt + a 'magic' eight byte value, forming a 16 byte value which is + stored by the server and client. Let this value be known as + the "hashed password".</p><p>Windows NT encryption is a higher quality mechanism, + consisting of doing an MD4 hash on a Unicode version of the user's + password. This also produces a 16 byte hash value that is + non-reversible.</p><p>When a client (LanManager, Windows for WorkGroups, Windows + 95 or Windows NT) wishes to mount a Samba drive (or use a Samba + resource), it first requests a connection and negotiates the + protocol that the client and server will use. In the reply to this + request the Samba server generates and appends an 8 byte, random + value - this is stored in the Samba server after the reply is sent + and is known as the "challenge". The challenge is different for + every client connection.</p><p>The client then uses the hashed password (16 byte values + described above), appended with 5 null bytes, as three 56 bit + DES keys, each of which is used to encrypt the challenge 8 byte + value, forming a 24 byte value known as the "response".</p><p>In the SMB call SMBsessionsetupX (when user level security + is selected) or the call SMBtconX (when share level security is + selected), the 24 byte response is returned by the client to the + Samba server. For Windows NT protocol levels the above calculation + is done on both hashes of the user's password and both responses are + returned in the SMB call, giving two 24 byte values.</p><p>The Samba server then reproduces the above calculation, using + its own stored value of the 16 byte hashed password (read from the + <code class="filename">smbpasswd</code> file - described later) and the challenge + value that it kept from the negotiate protocol reply. It then checks + to see if the 24 byte value it calculates matches the 24 byte value + returned to it from the client.</p><p>If these values match exactly, then the client knew the + correct password (or the 16 byte hashed value - see security note + below) and is thus allowed access. If not, then the client did not + know the correct password and is denied access.</p><p>Note that the Samba server never knows or stores the cleartext + of the user's password - just the 16 byte hashed values derived from + it. Also note that the cleartext password or 16 byte hashed values + are never transmitted over the network - thus increasing security.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333571"></a>The smbpasswd file</h2></div></div></div><a name="SMBPASSWDFILEFORMAT"></a><p>In order for Samba to participate in the above protocol + it must be able to look up the 16 byte hashed values given a user name. + Unfortunately, as the UNIX password value is also a one way hash + function (ie. it is impossible to retrieve the cleartext of the user's + password given the UNIX hash of it), a separate password file + containing this 16 byte value must be kept. To minimise problems with + these two password files, getting out of sync, the UNIX <code class="filename"> + /etc/passwd</code> and the <code class="filename">smbpasswd</code> file, + a utility, <code class="literal">mksmbpasswd.sh</code>, is provided to generate + a smbpasswd file from a UNIX <code class="filename">/etc/passwd</code> file. + </p><p>To generate the smbpasswd file from your <code class="filename">/etc/passwd + </code> file use the following command:</p><p><code class="prompt">$ </code><strong class="userinput"><code>cat /etc/passwd | mksmbpasswd.sh + > /usr/local/samba/private/smbpasswd</code></strong></p><p>If you are running on a system that uses NIS, use</p><p><code class="prompt">$ </code><strong class="userinput"><code>ypcat passwd | mksmbpasswd.sh + > /usr/local/samba/private/smbpasswd</code></strong></p><p>The <code class="literal">mksmbpasswd.sh</code> program is found in + the Samba source directory. By default, the smbpasswd file is + stored in :</p><p><code class="filename">/usr/local/samba/private/smbpasswd</code></p><p>The owner of the <code class="filename">/usr/local/samba/private/</code> + directory should be set to root, and the permissions on it should + be set to 0500 (<code class="literal">chmod 500 /usr/local/samba/private</code>). + </p><p>Likewise, the smbpasswd file inside the private directory should + be owned by root and the permissions on is should be set to 0600 + (<code class="literal">chmod 600 smbpasswd</code>).</p><p>The format of the smbpasswd file is (The line has been + wrapped here. It should appear as one entry per line in + your smbpasswd file.)</p><pre class="programlisting"> +username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + [Account type]:LCT-<last-change-time>:Long name + </pre><p>Although only the <em class="replaceable"><code>username</code></em>, + <em class="replaceable"><code>uid</code></em>, <em class="replaceable"><code> + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</code></em>, + [<em class="replaceable"><code>Account type</code></em>] and <em class="replaceable"><code> + last-change-time</code></em> sections are significant + and are looked at in the Samba code.</p><p>It is <span class="emphasis"><em>VITALLY</em></span> important that there by 32 + 'X' characters between the two ':' characters in the XXX sections - + the smbpasswd and Samba code will fail to validate any entries that + do not have 32 characters between ':' characters. The first XXX + section is for the Lanman password hash, the second is for the + Windows NT version.</p><p>When the password file is created all users have password entries + consisting of 32 'X' characters. By default this disallows any access + as this user. When a user has a password set, the 'X' characters change + to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii + representation of the 16 byte hashed value of a user's password.</p><p>To set a user to have no password (not recommended), edit the file + using vi, and replace the first 11 characters with the ascii text + <code class="constant">"NO PASSWORD"</code> (minus the quotes).</p><p>For example, to clear the password for user bob, his smbpasswd file + entry would look like :</p><pre class="programlisting"> +bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + [U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell + </pre><p>If you are allowing users to use the smbpasswd command to set + their own passwords, you may want to give users NO PASSWORD initially + so they do not have to enter a previous password when changing to their + new password (not recommended). In order for you to allow this the + <code class="literal">smbpasswd</code> program must be able to connect to the + <code class="literal">smbd</code> daemon as that user with no password. Enable this + by adding the line :</p><p><code class="literal">null passwords = yes</code></p><p>to the [global] section of the smb.conf file (this is why + the above scenario is not recommended). Preferably, allocate your + users a default password to begin with, so you do not have + to enable this on your server.</p><p><span class="emphasis"><em>Note : </em></span>This file should be protected very + carefully. Anyone with access to this file can (with enough knowledge of + the protocols) gain access to your SMB server. The file is thus more + sensitive than a normal unix <code class="filename">/etc/passwd</code> file.</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="wins.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt03.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pt04.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Samba WINS Internals </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Debugging and tracing</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html b/docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html new file mode 100644 index 0000000000..1a64448f3b --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html @@ -0,0 +1,24 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. RPC Pluggable Modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt03.html" title="Part III. Samba Subsystems"><link rel="prev" href="pt03.html" title="Part III. Samba Subsystems"><link rel="next" href="vfs.html" title="Chapter 10. VFS Modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. RPC Pluggable Modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pt03.html">Prev</a> </td><th width="60%" align="center">Part III. Samba Subsystems</th><td width="20%" align="right"> <a accesskey="n" href="vfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="rpc-plugin"></a>Chapter 9. RPC Pluggable Modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Anthony</span> <span class="surname">Liguori</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><code class="email"><<a href="mailto:aliguor@us.ibm.com">aliguor@us.ibm.com</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">January 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="rpc-plugin.html#id332057">About</a></span></dt><dt><span class="sect1"><a href="rpc-plugin.html#id332070">General Overview</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332057"></a>About</h2></div></div></div><p> +This document describes how to make use the new RPC Pluggable Modules features +of Samba 3.0. This architecture was added to increase the maintainability of +Samba allowing RPC Pipes to be worked on separately from the main CVS branch. +The RPM architecture will also allow third-party vendors to add functionality +to Samba through plug-ins. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332070"></a>General Overview</h2></div></div></div><p> +When an RPC call is sent to smbd, smbd tries to load a shared library by the +name <code class="filename">librpc_<pipename>.so</code> to handle the call if +it doesn't know how to handle the call internally. For instance, LSA calls +are handled by <code class="filename">librpc_lsass.so</code>.. +These shared libraries should be located in the <code class="filename"><sambaroot>/lib/rpc</code>. smbd then attempts to call the init_module function within +the shared library. Check the chapter on modules for more information. +</p><p> +In the init_module function, the library should call +rpc_pipe_register_commands(). This function takes the following arguments: +</p><pre class="programlisting"> +NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, + const struct api_struct *cmds, int size); +</pre><div class="variablelist"><dl><dt><span class="term">version</span></dt><dd><p>Version number of the RPC interface. Use the define <span class="emphasis"><em>SMB_RPC_INTERFACE_VERSION</em></span> for this +argument.</p></dd><dt><span class="term">clnt</span></dt><dd><p>the Client name of the named pipe</p></dd><dt><span class="term">srv</span></dt><dd><p>the Server name of the named pipe</p></dd><dt><span class="term">cmds</span></dt><dd><p>a list of api_structs that map RPC ordinal numbers to function calls</p></dd><dt><span class="term">size</span></dt><dd><p>the number of api_structs contained in cmds</p></dd></dl></div><p> +See rpc_server/srv_reg.c and rpc_server/srv_reg_nt.c for a small example of +how to use this library. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pt03.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt03.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="vfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Samba Subsystems </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. VFS Modules</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/samba.css b/docs/htmldocs/Samba3-Developers-Guide/samba.css new file mode 100644 index 0000000000..3d926e8e74 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/samba.css @@ -0,0 +1,80 @@ +BODY { + font-family: helvetica, arial, lucida sans, sans-serif; + background-color: white; +} + +H1, H2, H3 { + color: blue; + font-size: 120%; + padding: 2px; + margin-top: 0px; +} + +H1 { + background-color: #EEEEFF; + color: blue; +} + +H2 { + background-color: #DDDDFF; + color: blue; +} + +H3 { + background-color: #CCCCFF; + color: blue; +} + +H4 { + color: blue; +} + +TR.qandadiv TD { + padding-top: 1em; +} + +DIV.navhead { + font-size: 80%; +} + +A:link { + color: #36F; +} + +A:visited { + color: #96C; +} + +A:active { + color: #F63; +} + +TR.question { + color: #33C; + font-weight: bold; +} + +TR.question TD { + padding-top: 1em; +} + +DIV.variablelist { + padding-left: 2em; + color: #33C; +} + +P { + color: black; +} + +DIV.note, DIV.warning, DIV.caution, DIV.tip, DIV.important { + border: dashed 1px; + background-color: #EEEEFF; + width: 40em; +} + +PRE.programlisting, PRE.screen { + border: #630 1px dashed; + color: #630; +} + diff --git a/docs/htmldocs/Samba3-Developers-Guide/tracing.html b/docs/htmldocs/Samba3-Developers-Guide/tracing.html new file mode 100644 index 0000000000..40fb35223e --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/tracing.html @@ -0,0 +1,77 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Tracing samba system calls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt04.html" title="Part IV. Debugging and tracing"><link rel="prev" href="pt04.html" title="Part IV. Debugging and tracing"><link rel="next" href="devprinting.html" title="Chapter 15. Samba Printing Internals"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Tracing samba system calls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pt04.html">Prev</a> </td><th width="60%" align="center">Part IV. Debugging and tracing</th><td width="20%" align="right"> <a accesskey="n" href="devprinting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="tracing"></a>Chapter 14. Tracing samba system calls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span></div></div></div></div></div><p> +This file describes how to do a system call trace on Samba to work out +what its doing wrong. This is not for the faint of heart, but if you +are reading this then you are probably desperate. +</p><p> +Actually its not as bad as the the above makes it sound, just don't +expect the output to be very pretty :-) +</p><p> +Ok, down to business. One of the big advantages of unix systems is +that they nearly all come with a system trace utility that allows you +to monitor all system calls that a program is making. This is +extremely using for debugging and also helps when trying to work out +why something is slower than you expect. You can use system tracing +without any special compilation options. +</p><p> +The system trace utility is called different things on different +systems. On Linux systems its called strace. Under SunOS 4 its called +trace. Under SVR4 style systems (including solaris) its called +truss. Under many BSD systems its called ktrace. +</p><p> +The first thing you should do is read the man page for your native +system call tracer. In the discussion below I'll assume its called +strace as strace is the only portable system tracer (its available for +free for many unix types) and its also got some of the nicest +features. +</p><p> +Next, try using strace on some simple commands. For example, <code class="literal">strace +ls</code> or <code class="literal">strace echo hello</code>. +</p><p> +You'll notice that it produces a LOT of output. It is showing you the +arguments to every system call that the program makes and the +result. Very little happens in a program without a system call so you +get lots of output. You'll also find that it produces a lot of +"preamble" stuff showing the loading of shared libraries etc. Ignore +this (unless its going wrong!) +</p><p> +For example, the only line that really matters in the <code class="literal">strace echo +hello</code> output is: +</p><pre class="programlisting"> +write(1, "hello\n", 6) = 6 +</pre><p>all the rest is just setting up to run the program.</p><p> +Ok, now you're familiar with strace. To use it on Samba you need to +strace the running smbd daemon. The way I tend ot use it is to first +login from my Windows PC to the Samba server, then use smbstatus to +find which process ID that client is attached to, then as root I do +<code class="literal">strace -p PID</code> to attach to that process. I normally redirect the +stderr output from this command to a file for later perusal. For +example, if I'm using a csh style shell: +</p><p><code class="literal">strace -f -p 3872 >& strace.out</code></p><p>or with a sh style shell:</p><p><code class="literal">strace -f -p 3872 > strace.out 2>&1</code></p><p> +Note the "-f" option. This is only available on some systems, and +allows you to trace not just the current process, but any children it +forks. This is great for finding printing problems caused by the +"print command" being wrong. +</p><p> +Once you are attached you then can do whatever it is on the client +that is causing problems and you will capture all the system calls +that smbd makes. +</p><p> +So how do you interpret the results? Generally I search through the +output for strings that I know will appear when the problem +happens. For example, if I am having touble with permissions on a file +I would search for that files name in the strace output and look at +the surrounding lines. Another trick is to match up file descriptor +numbers and "follow" what happens to an open file until it is closed. +</p><p> +Beyond this you will have to use your initiative. To give you an idea +of what you are looking for here is a piece of strace output that +shows that <code class="filename">/dev/null</code> is not world writeable, which +causes printing to fail with Samba: +</p><pre class="programlisting"> +[pid 28268] open("/dev/null", O_RDWR) = -1 EACCES (Permission denied) +[pid 28268] open("/dev/null", O_WRONLY) = -1 EACCES (Permission denied) +</pre><p> +The process is trying to first open <code class="filename">/dev/null</code> read-write +then read-only. Both fail. This means <code class="filename">/dev/null</code> has +incorrect permissions. +</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pt04.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt04.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="devprinting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Debugging and tracing </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. Samba Printing Internals</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/unix-smb.html b/docs/htmldocs/Samba3-Developers-Guide/unix-smb.html new file mode 100644 index 0000000000..46aad8f3ca --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/unix-smb.html @@ -0,0 +1,202 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. NetBIOS in a Unix World</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt01.html" title="Part I. The protocol"><link rel="prev" href="pt01.html" title="Part I. The protocol"><link rel="next" href="ntdomain.html" title="Chapter 2. NT Domain RPC's"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. NetBIOS in a Unix World</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pt01.html">Prev</a> </td><th width="60%" align="center">Part I. The protocol</th><td width="20%" align="right"> <a accesskey="n" href="ntdomain.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unix-smb"></a>Chapter 1. NetBIOS in a Unix World</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3></div></div><div><p class="pubdate">April 1995</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unix-smb.html#id323085">Introduction</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323102">Usernames</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323144">File Ownership</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323168">Passwords</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323197">Locking</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323237">Deny Modes</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323256">Trapdoor UIDs</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323274">Port numbers</a></span></dt><dt><span class="sect1"><a href="unix-smb.html#id323305">Protocol Complexity</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323085"></a>Introduction</h2></div></div></div><p> +This is a short document that describes some of the issues that +confront a SMB implementation on unix, and how Samba copes with +them. They may help people who are looking at unix<->PC +interoperability. +</p><p> +It was written to help out a person who was writing a paper on unix to +PC connectivity. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323102"></a>Usernames</h2></div></div></div><p> +The SMB protocol has only a loose username concept. Early SMB +protocols (such as CORE and COREPLUS) have no username concept at +all. Even in later protocols clients often attempt operations +(particularly printer operations) without first validating a username +on the server. +</p><p> +Unix security is based around username/password pairs. A unix box +should not allow clients to do any substantive operation without some +sort of validation. +</p><p> +The problem mostly manifests itself when the unix server is in "share +level" security mode. This is the default mode as the alternative +"user level" security mode usually forces a client to connect to the +server as the same user for each connected share, which is +inconvenient in many sites. +</p><p> +In "share level" security the client normally gives a username in the +"session setup" protocol, but does not supply an accompanying +password. The client then connects to resources using the "tree +connect" protocol, and supplies a password. The problem is that the +user on the PC types the username and the password in different +contexts, unaware that they need to go together to give access to the +server. The username is normally the one the user typed in when they +"logged onto" the PC (this assumes Windows for Workgroups). The +password is the one they chose when connecting to the disk or printer. +</p><p> +The user often chooses a totally different username for their login as +for the drive connection. Often they also want to access different +drives as different usernames. The unix server needs some way of +divining the correct username to combine with each password. +</p><p> +Samba tries to avoid this problem using several methods. These succeed +in the vast majority of cases. The methods include username maps, the +service%user syntax, the saving of session setup usernames for later +validation and the derivation of the username from the service name +(either directly or via the user= option). +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323144"></a>File Ownership</h2></div></div></div><p> +The commonly used SMB protocols have no way of saying "you can't do +that because you don't own the file". They have, in fact, no concept +of file ownership at all. +</p><p> +This brings up all sorts of interesting problems. For example, when +you copy a file to a unix drive, and the file is world writeable but +owned by another user the file will transfer correctly but will +receive the wrong date. This is because the utime() call under unix +only succeeds for the owner of the file, or root, even if the file is +world writeable. For security reasons Samba does all file operations +as the validated user, not root, so the utime() fails. This can stuff +up shared development diectories as programs like "make" will not get +file time comparisons right. +</p><p> +There are several possible solutions to this problem, including +username mapping, and forcing a specific username for particular +shares. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323168"></a>Passwords</h2></div></div></div><p> +Many SMB clients uppercase passwords before sending them. I have no +idea why they do this. Interestingly WfWg uppercases the password only +if the server is running a protocol greater than COREPLUS, so +obviously it isn't just the data entry routines that are to blame. +</p><p> +Unix passwords are case sensitive. So if users use mixed case +passwords they are in trouble. +</p><p> +Samba can try to cope with this by either using the "password level" +option which causes Samba to try the offered password with up to the +specified number of case changes, or by using the "password server" +option which allows Samba to do its validation via another machine +(typically a WinNT server). +</p><p> +Samba supports the password encryption method used by SMB +clients. Note that the use of password encryption in Microsoft +networking leads to password hashes that are "plain text equivalent". +This means that it is *VERY* important to ensure that the Samba +smbpasswd file containing these password hashes is only readable +by the root user. See the documentation ENCRYPTION.txt for more +details. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323197"></a>Locking</h2></div></div></div><p> +Since samba 2.2, samba supports other types of locking as well. This +section is outdated. +</p><p> +The locking calls available under a DOS/Windows environment are much +richer than those available in unix. This means a unix server (like +Samba) choosing to use the standard fcntl() based unix locking calls +to implement SMB locking has to improvise a bit. +</p><p> +One major problem is that dos locks can be in a 32 bit (unsigned) +range. Unix locking calls are 32 bits, but are signed, giving only a 31 +bit range. Unfortunately OLE2 clients use the top bit to select a +locking range used for OLE semaphores. +</p><p> +To work around this problem Samba compresses the 32 bit range into 31 +bits by appropriate bit shifting. This seems to work but is not +ideal. In a future version a separate SMB lockd may be added to cope +with the problem. +</p><p> +It also doesn't help that many unix lockd daemons are very buggy and +crash at the slightest provocation. They normally go mostly unused in +a unix environment because few unix programs use byte range +locking. The stress of huge numbers of lock requests from dos/windows +clients can kill the daemon on some systems. +</p><p> +The second major problem is the "opportunistic locking" requested by +some clients. If a client requests opportunistic locking then it is +asking the server to notify it if anyone else tries to do something on +the same file, at which time the client will say if it is willing to +give up its lock. Unix has no simple way of implementing +opportunistic locking, and currently Samba has no support for it. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323237"></a>Deny Modes</h2></div></div></div><p> +When a SMB client opens a file it asks for a particular "deny mode" to +be placed on the file. These modes (DENY_NONE, DENY_READ, DENY_WRITE, +DENY_ALL, DENY_FCB and DENY_DOS) specify what actions should be +allowed by anyone else who tries to use the file at the same time. If +DENY_READ is placed on the file, for example, then any attempt to open +the file for reading should fail. +</p><p> +Unix has no equivalent notion. To implement this Samba uses either lock +files based on the files inode and placed in a separate lock +directory or a shared memory implementation. The lock file method +is clumsy and consumes processing and file resources, +the shared memory implementation is vastly prefered and is turned on +by default for those systems that support it. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323256"></a>Trapdoor UIDs</h2></div></div></div><p> +A SMB session can run with several uids on the one socket. This +happens when a user connects to two shares with different +usernames. To cope with this the unix server needs to switch uids +within the one process. On some unixes (such as SCO) this is not +possible. This means that on those unixes the client is restricted to +a single uid. +</p><p> +Note that you can also get the "trapdoor uid" message for other +reasons. Please see the FAQ for details. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323274"></a>Port numbers</h2></div></div></div><p> +There is a convention that clients on sockets use high "unprivileged" +port numbers (>1000) and connect to servers on low "privilegedg" port +numbers. This is enforced in Unix as non-root users can't open a +socket for listening on port numbers less than 1000. +</p><p> +Most PC based SMB clients (such as WfWg and WinNT) don't follow this +convention completely. The main culprit is the netbios nameserving on +udp port 137. Name query requests come from a source port of 137. This +is a problem when you combine it with the common firewalling technique +of not allowing incoming packets on low port numbers. This means that +these clients can't query a netbios nameserver on the other side of a +low port based firewall. +</p><p> +The problem is more severe with netbios node status queries. I've +found that WfWg, Win95 and WinNT3.5 all respond to netbios node status +queries on port 137 no matter what the source port was in the +request. This works between machines that are both using port 137, but +it means it's not possible for a unix user to do a node status request +to any of these OSes unless they are running as root. The answer comes +back, but it goes to port 137 which the unix user can't listen +on. Interestingly WinNT3.1 got this right - it sends node status +responses back to the source port in the request. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323305"></a>Protocol Complexity</h2></div></div></div><p> +There are many "protocol levels" in the SMB protocol. It seems that +each time new functionality was added to a Microsoft operating system, +they added the equivalent functions in a new protocol level of the SMB +protocol to "externalise" the new capabilities. +</p><p> +This means the protocol is very "rich", offering many ways of doing +each file operation. This means SMB servers need to be complex and +large. It also means it is very difficult to make them bug free. It is +not just Samba that suffers from this problem, other servers such as +WinNT don't support every variation of every call and it has almost +certainly been a headache for MS developers to support the myriad of +SMB calls that are available. +</p><p> +There are about 65 "top level" operations in the SMB protocol (things +like SMBread and SMBwrite). Some of these include hundreds of +sub-functions (SMBtrans has at least 120 sub-functions, like +DosPrintQAdd and NetSessionEnum). All of them take several options +that can change the way they work. Many take dozens of possible +"information levels" that change the structures that need to be +returned. Samba supports all but 2 of the "top level" functions. It +supports only 8 (so far) of the SMBtrans sub-functions. Even NT +doesn't support them all. +</p><p> +Samba currently supports up to the "NT LM 0.12" protocol, which is the +one preferred by Win95 and WinNT3.5. Luckily this protocol level has a +"capabilities" field which specifies which super-duper new-fangled +options the server suports. This helps to make the implementation of +this protocol level much easier. +</p><p> +There is also a problem with the SMB specications. SMB is a X/Open +spec, but the X/Open book is far from ideal, and fails to cover many +important issues, leaving much to the imagination. Microsoft recently +renamed the SMB protocol CIFS (Common Internet File System) and have +published new specifications. These are far superior to the old +X/Open documents but there are still undocumented calls and features. +This specification is actively being worked on by a CIFS developers +mailing list hosted by Microsft. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pt01.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt01.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ntdomain.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. The protocol </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. NT Domain RPC's</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/vfs.html b/docs/htmldocs/Samba3-Developers-Guide/vfs.html new file mode 100644 index 0000000000..9ce045e44e --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/vfs.html @@ -0,0 +1,561 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. VFS Modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt03.html" title="Part III. Samba Subsystems"><link rel="prev" href="rpc-plugin.html" title="Chapter 9. RPC Pluggable Modules"><link rel="next" href="parsing.html" title="Chapter 11. The smb.conf file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. VFS Modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rpc-plugin.html">Prev</a> </td><th width="60%" align="center">Part III. Samba Subsystems</th><td width="20%" align="right"> <a accesskey="n" href="parsing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="vfs"></a>Chapter 10. VFS Modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:ab@samba.org">ab@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:metze@samba.org">metze@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate"> 27 May 2003 </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="vfs.html#id332231">The Samba (Posix) VFS layer</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332237">The general interface</a></span></dt><dt><span class="sect2"><a href="vfs.html#id332307">Possible VFS operation layers</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332351">The Interaction between the Samba VFS subsystem and the modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332357">Initialization and registration</a></span></dt><dt><span class="sect2"><a href="vfs.html#id332494">How the Modules handle per connection data</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332652">Upgrading to the New VFS Interface</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332658">Upgrading from 2.2.* and 3.0aplha modules</a></span></dt></dl></dd><dt><span class="sect1"><a href="vfs.html#id332988">Some Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="vfs.html#id332994">Implement TRANSPARENT functions</a></span></dt><dt><span class="sect2"><a href="vfs.html#id333012">Implement OPAQUE functions</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332231"></a>The Samba (Posix) VFS layer</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332237"></a>The general interface</h3></div></div></div><p> +Each VFS operation has a vfs_op_type, a function pointer and a handle pointer in the +struct vfs_ops and tree macros to make it easier to call the operations. +(Take a look at <code class="filename">include/vfs.h</code> and <code class="filename">include/vfs_macros.h</code>.) +</p><pre class="programlisting"> +typedef enum _vfs_op_type { + SMB_VFS_OP_NOOP = -1, + + ... + + /* File operations */ + + SMB_VFS_OP_OPEN, + SMB_VFS_OP_CLOSE, + SMB_VFS_OP_READ, + SMB_VFS_OP_WRITE, + SMB_VFS_OP_LSEEK, + SMB_VFS_OP_SENDFILE, + + ... + + SMB_VFS_OP_LAST +} vfs_op_type; +</pre><p>This struct contains the function and handle pointers for all operations.</p><pre class="programlisting"> +struct vfs_ops { + struct vfs_fn_pointers { + ... + + /* File operations */ + + int (*open)(struct vfs_handle_struct *handle, + struct connection_struct *conn, + const char *fname, int flags, mode_t mode); + int (*close)(struct vfs_handle_struct *handle, + struct files_struct *fsp, int fd); + ssize_t (*read)(struct vfs_handle_struct *handle, + struct files_struct *fsp, int fd, void *data, size_t n); + ssize_t (*write)(struct vfs_handle_struct *handle, + struct files_struct *fsp, int fd, + const void *data, size_t n); + SMB_OFF_T (*lseek)(struct vfs_handle_struct *handle, + struct files_struct *fsp, int fd, + SMB_OFF_T offset, int whence); + ssize_t (*sendfile)(struct vfs_handle_struct *handle, + int tofd, files_struct *fsp, int fromfd, + const DATA_BLOB *header, SMB_OFF_T offset, size_t count); + + ... + } ops; + + struct vfs_handles_pointers { + ... + + /* File operations */ + + struct vfs_handle_struct *open; + struct vfs_handle_struct *close; + struct vfs_handle_struct *read; + struct vfs_handle_struct *write; + struct vfs_handle_struct *lseek; + struct vfs_handle_struct *sendfile; + + ... + } handles; +}; +</pre><p> +This macros SHOULD be used to call any vfs operation. +DO NOT ACCESS conn->vfs.ops.* directly !!! +</p><pre class="programlisting"> +... + +/* File operations */ +#define SMB_VFS_OPEN(conn, fname, flags, mode) \ + ((conn)->vfs.ops.open((conn)->vfs.handles.open,\ + (conn), (fname), (flags), (mode))) +#define SMB_VFS_CLOSE(fsp, fd) \ + ((fsp)->conn->vfs.ops.close(\ + (fsp)->conn->vfs.handles.close, (fsp), (fd))) +#define SMB_VFS_READ(fsp, fd, data, n) \ + ((fsp)->conn->vfs.ops.read(\ + (fsp)->conn->vfs.handles.read,\ + (fsp), (fd), (data), (n))) +#define SMB_VFS_WRITE(fsp, fd, data, n) \ + ((fsp)->conn->vfs.ops.write(\ + (fsp)->conn->vfs.handles.write,\ + (fsp), (fd), (data), (n))) +#define SMB_VFS_LSEEK(fsp, fd, offset, whence) \ + ((fsp)->conn->vfs.ops.lseek(\ + (fsp)->conn->vfs.handles.lseek,\ + (fsp), (fd), (offset), (whence))) +#define SMB_VFS_SENDFILE(tofd, fsp, fromfd, header, offset, count) \ + ((fsp)->conn->vfs.ops.sendfile(\ + (fsp)->conn->vfs.handles.sendfile,\ + (tofd), (fsp), (fromfd), (header), (offset), (count))) + +... +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332307"></a>Possible VFS operation layers</h3></div></div></div><p> +These values are used by the VFS subsystem when building the conn->vfs +and conn->vfs_opaque structs for a connection with multiple VFS modules. +Internally, Samba differentiates only opaque and transparent layers at this process. +Other types are used for providing better diagnosing facilities. +</p><p> +Most modules will provide transparent layers. Opaque layer is for modules +which implement actual file system calls (like DB-based VFS). For example, +default POSIX VFS which is built in into Samba is an opaque VFS module. +</p><p> +Other layer types (logger, splitter, scanner) were designed to provide different +degree of transparency and for diagnosing VFS module behaviour. +</p><p> +Each module can implement several layers at the same time provided that only +one layer is used per each operation. +</p><pre class="programlisting"> +typedef enum _vfs_op_layer { + SMB_VFS_LAYER_NOOP = -1, /* - For using in VFS module to indicate end of array */ + /* of operations description */ + SMB_VFS_LAYER_OPAQUE = 0, /* - Final level, does not call anything beyond itself */ + SMB_VFS_LAYER_TRANSPARENT, /* - Normal operation, calls underlying layer after */ + /* possibly changing passed data */ + SMB_VFS_LAYER_LOGGER, /* - Logs data, calls underlying layer, logging may not */ + /* use Samba VFS */ + SMB_VFS_LAYER_SPLITTER, /* - Splits operation, calls underlying layer _and_ own facility, */ + /* then combines result */ + SMB_VFS_LAYER_SCANNER /* - Checks data and possibly initiates additional */ + /* file activity like logging to files _inside_ samba VFS */ +} vfs_op_layer; +</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332351"></a>The Interaction between the Samba VFS subsystem and the modules</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332357"></a>Initialization and registration</h3></div></div></div><p> +As each Samba module a VFS module should have a +</p><pre class="programlisting">NTSTATUS vfs_example_init(void);</pre><p> function if it's staticly linked to samba or +</p><pre class="programlisting">NTSTATUS init_module(void);</pre><p> function if it's a shared module. +</p><p> +This should be the only non static function inside the module. +Global variables should also be static! +</p><p> +The module should register its functions via the +</p><pre class="programlisting"> +NTSTATUS smb_register_vfs(int version, const char *name, vfs_op_tuple *vfs_op_tuples); +</pre><p> function. +</p><div class="variablelist"><dl><dt><span class="term">version</span></dt><dd><p>should be filled with SMB_VFS_INTERFACE_VERSION</p></dd><dt><span class="term">name</span></dt><dd><p>this is the name witch can be listed in the +<code class="literal">vfs objects</code> parameter to use this module.</p></dd><dt><span class="term">vfs_op_tuples</span></dt><dd><p> +this is an array of vfs_op_tuple's. +(vfs_op_tuples is descripted in details below.) +</p></dd></dl></div><p> +For each operation the module wants to provide it has a entry in the +vfs_op_tuple array. +</p><pre class="programlisting"> +typedef struct _vfs_op_tuple { + void* op; + vfs_op_type type; + vfs_op_layer layer; +} vfs_op_tuple; +</pre><div class="variablelist"><dl><dt><span class="term">op</span></dt><dd><p>the function pointer to the specified function.</p></dd><dt><span class="term">type</span></dt><dd><p>the vfs_op_type of the function to specified witch operation the function provides.</p></dd><dt><span class="term">layer</span></dt><dd><p>the vfs_op_layer in whitch the function operates.</p></dd></dl></div><p>A simple example:</p><pre class="programlisting"> +static vfs_op_tuple example_op_tuples[] = { + {SMB_VFS_OP(example_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(example_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT}, + + {SMB_VFS_OP(example_rename), SMB_VFS_OP_RENAME, SMB_VFS_LAYER_OPAQUE}, + + /* This indicates the end of the array */ + {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} +}; + +NTSTATUS init_module(void) +{ + return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "example", example_op_tuples); +} +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332494"></a>How the Modules handle per connection data</h3></div></div></div><p>Each VFS function has as first parameter a pointer to the modules vfs_handle_struct. +</p><pre class="programlisting"> +typedef struct vfs_handle_struct { + struct vfs_handle_struct *next, *prev; + const char *param; + struct vfs_ops vfs_next; + struct connection_struct *conn; + void *data; + void (*free_data)(void **data); +} vfs_handle_struct; +</pre><div class="variablelist"><dl><dt><span class="term">param</span></dt><dd><p>this is the module parameter specified in the <code class="literal">vfs objects</code> parameter.</p><p>e.g. for 'vfs objects = example:test' param would be "test".</p></dd><dt><span class="term">vfs_next</span></dt><dd><p>This vfs_ops struct contains the information for calling the next module operations. +Use the SMB_VFS_NEXT_* macros to call a next module operations and +don't access handle->vfs_next.ops.* directly!</p></dd><dt><span class="term">conn</span></dt><dd><p>This is a pointer back to the connection_struct to witch the handle belongs.</p></dd><dt><span class="term">data</span></dt><dd><p>This is a pointer for holding module private data. +You can alloc data with connection life time on the handle->conn->mem_ctx TALLOC_CTX. +But you can also manage the memory allocation yourself.</p></dd><dt><span class="term">free_data</span></dt><dd><p>This is a function pointer to a function that free's the module private data. +If you talloc your private data on the TALLOC_CTX handle->conn->mem_ctx, +you can set this function pointer to NULL.</p></dd></dl></div><p>Some useful MACROS for handle private data. +</p><pre class="programlisting"> +#define SMB_VFS_HANDLE_GET_DATA(handle, datap, type, ret) { \ + if (!(handle)||((datap=(type *)(handle)->data)==NULL)) { \ + DEBUG(0,("%s() failed to get vfs_handle->data!\n",FUNCTION_MACRO)); \ + ret; \ + } \ +} + +#define SMB_VFS_HANDLE_SET_DATA(handle, datap, free_fn, type, ret) { \ + if (!(handle)) { \ + DEBUG(0,("%s() failed to set handle->data!\n",FUNCTION_MACRO)); \ + ret; \ + } else { \ + if ((handle)->free_data) { \ + (handle)->free_data(&(handle)->data); \ + } \ + (handle)->data = (void *)datap; \ + (handle)->free_data = free_fn; \ + } \ +} + +#define SMB_VFS_HANDLE_FREE_DATA(handle) { \ + if ((handle) && (handle)->free_data) { \ + (handle)->free_data(&(handle)->data); \ + } \ +} +</pre><p>How SMB_VFS_LAYER_TRANSPARENT functions can call the SMB_VFS_LAYER_OPAQUE functions.</p><p>The easiest way to do this is to use the SMB_VFS_OPAQUE_* macros. +</p><pre class="programlisting"> +... +/* File operations */ +#define SMB_VFS_OPAQUE_OPEN(conn, fname, flags, mode) \ + ((conn)->vfs_opaque.ops.open(\ + (conn)->vfs_opaque.handles.open,\ + (conn), (fname), (flags), (mode))) +#define SMB_VFS_OPAQUE_CLOSE(fsp, fd) \ + ((fsp)->conn->vfs_opaque.ops.close(\ + (fsp)->conn->vfs_opaque.handles.close,\ + (fsp), (fd))) +#define SMB_VFS_OPAQUE_READ(fsp, fd, data, n) \ + ((fsp)->conn->vfs_opaque.ops.read(\ + (fsp)->conn->vfs_opaque.handles.read,\ + (fsp), (fd), (data), (n))) +#define SMB_VFS_OPAQUE_WRITE(fsp, fd, data, n) \ + ((fsp)->conn->vfs_opaque.ops.write(\ + (fsp)->conn->vfs_opaque.handles.write,\ + (fsp), (fd), (data), (n))) +#define SMB_VFS_OPAQUE_LSEEK(fsp, fd, offset, whence) \ + ((fsp)->conn->vfs_opaque.ops.lseek(\ + (fsp)->conn->vfs_opaque.handles.lseek,\ + (fsp), (fd), (offset), (whence))) +#define SMB_VFS_OPAQUE_SENDFILE(tofd, fsp, fromfd, header, offset, count) \ + ((fsp)->conn->vfs_opaque.ops.sendfile(\ + (fsp)->conn->vfs_opaque.handles.sendfile,\ + (tofd), (fsp), (fromfd), (header), (offset), (count))) +... +</pre><p>How SMB_VFS_LAYER_TRANSPARENT functions can call the next modules functions.</p><p>The easiest way to do this is to use the SMB_VFS_NEXT_* macros. +</p><pre class="programlisting"> +... +/* File operations */ +#define SMB_VFS_NEXT_OPEN(handle, conn, fname, flags, mode) \ + ((handle)->vfs_next.ops.open(\ + (handle)->vfs_next.handles.open,\ + (conn), (fname), (flags), (mode))) +#define SMB_VFS_NEXT_CLOSE(handle, fsp, fd) \ + ((handle)->vfs_next.ops.close(\ + (handle)->vfs_next.handles.close,\ + (fsp), (fd))) +#define SMB_VFS_NEXT_READ(handle, fsp, fd, data, n) \ + ((handle)->vfs_next.ops.read(\ + (handle)->vfs_next.handles.read,\ + (fsp), (fd), (data), (n))) +#define SMB_VFS_NEXT_WRITE(handle, fsp, fd, data, n) \ + ((handle)->vfs_next.ops.write(\ + (handle)->vfs_next.handles.write,\ + (fsp), (fd), (data), (n))) +#define SMB_VFS_NEXT_LSEEK(handle, fsp, fd, offset, whence) \ + ((handle)->vfs_next.ops.lseek(\ + (handle)->vfs_next.handles.lseek,\ + (fsp), (fd), (offset), (whence))) +#define SMB_VFS_NEXT_SENDFILE(handle, tofd, fsp, fromfd, header, offset, count) \ + ((handle)->vfs_next.ops.sendfile(\ + (handle)->vfs_next.handles.sendfile,\ + (tofd), (fsp), (fromfd), (header), (offset), (count))) +... +</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332652"></a>Upgrading to the New VFS Interface</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332658"></a>Upgrading from 2.2.* and 3.0aplha modules</h3></div></div></div><div class="orderedlist"><ol type="1"><li><p> +Add "vfs_handle_struct *handle, " as first parameter to all vfs operation functions. +e.g. example_connect(connection_struct *conn, const char *service, const char *user); +-> example_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user); +</p></li><li><p> +Replace "default_vfs_ops." with "smb_vfs_next_". +e.g. default_vfs_ops.connect(conn, service, user); +-> smb_vfs_next_connect(conn, service, user); +</p></li><li><p> +Uppercase all "smb_vfs_next_*" functions. +e.g. smb_vfs_next_connect(conn, service, user); +-> SMB_VFS_NEXT_CONNECT(conn, service, user); +</p></li><li><p> +Add "handle, " as first parameter to all SMB_VFS_NEXT_*() calls. +e.g. SMB_VFS_NEXT_CONNECT(conn, service, user); +-> SMB_VFS_NEXT_CONNECT(handle, conn, service, user); +</p></li><li><p> +(Only for 2.2.* modules) +Convert the old struct vfs_ops example_ops to +a vfs_op_tuple example_op_tuples[] array. +e.g. +</p><pre class="programlisting"> +struct vfs_ops example_ops = { + /* Disk operations */ + example_connect, /* connect */ + example_disconnect, /* disconnect */ + NULL, /* disk free * + /* Directory operations */ + NULL, /* opendir */ + NULL, /* readdir */ + NULL, /* mkdir */ + NULL, /* rmdir */ + NULL, /* closedir */ + /* File operations */ + NULL, /* open */ + NULL, /* close */ + NULL, /* read */ + NULL, /* write */ + NULL, /* lseek */ + NULL, /* sendfile */ + NULL, /* rename */ + NULL, /* fsync */ + example_stat, /* stat */ + example_fstat, /* fstat */ + example_lstat, /* lstat */ + NULL, /* unlink */ + NULL, /* chmod */ + NULL, /* fchmod */ + NULL, /* chown */ + NULL, /* fchown */ + NULL, /* chdir */ + NULL, /* getwd */ + NULL, /* utime */ + NULL, /* ftruncate */ + NULL, /* lock */ + NULL, /* symlink */ + NULL, /* readlink */ + NULL, /* link */ + NULL, /* mknod */ + NULL, /* realpath */ + NULL, /* fget_nt_acl */ + NULL, /* get_nt_acl */ + NULL, /* fset_nt_acl */ + NULL, /* set_nt_acl */ + + NULL, /* chmod_acl */ + NULL, /* fchmod_acl */ + + NULL, /* sys_acl_get_entry */ + NULL, /* sys_acl_get_tag_type */ + NULL, /* sys_acl_get_permset */ + NULL, /* sys_acl_get_qualifier */ + NULL, /* sys_acl_get_file */ + NULL, /* sys_acl_get_fd */ + NULL, /* sys_acl_clear_perms */ + NULL, /* sys_acl_add_perm */ + NULL, /* sys_acl_to_text */ + NULL, /* sys_acl_init */ + NULL, /* sys_acl_create_entry */ + NULL, /* sys_acl_set_tag_type */ + NULL, /* sys_acl_set_qualifier */ + NULL, /* sys_acl_set_permset */ + NULL, /* sys_acl_valid */ + NULL, /* sys_acl_set_file */ + NULL, /* sys_acl_set_fd */ + NULL, /* sys_acl_delete_def_file */ + NULL, /* sys_acl_get_perm */ + NULL, /* sys_acl_free_text */ + NULL, /* sys_acl_free_acl */ + NULL /* sys_acl_free_qualifier */ +}; +</pre><p> +-> +</p><pre class="programlisting"> +static vfs_op_tuple example_op_tuples[] = { + {SMB_VFS_OP(example_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(example_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT}, + + {SMB_VFS_OP(example_fstat), SMB_VFS_OP_FSTAT, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(example_stat), SMB_VFS_OP_STAT, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(example_lstat), SMB_VFS_OP_LSTAT, SMB_VFS_LAYER_TRANSPARENT}, + + {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} +}; +</pre><p> +</p></li><li><p> +Move the example_op_tuples[] array to the end of the file. +</p></li><li><p> +Add the init_module() function at the end of the file. +e.g. +</p><pre class="programlisting"> +NTSTATUS init_module(void) +{ + return smb_register_vfs(SMB_VFS_INTERFACE_VERSION,"example",example_op_tuples); +} +</pre><p> +</p></li><li><p> +Check if your vfs_init() function does more then just prepare the vfs_ops structs or +remember the struct smb_vfs_handle_struct. +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>If NOT you can remove the vfs_init() function.</td></tr><tr><td>If YES decide if you want to move the code to the example_connect() operation or to the init_module(). And then remove vfs_init(). + e.g. a debug class registration should go into init_module() and the allocation of private data should go to example_connect().</td></tr></table><p> +</p></li><li><p> +(Only for 3.0alpha* modules) +Check if your vfs_done() function contains needed code. +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>If NOT you can remove the vfs_done() function.</td></tr><tr><td>If YES decide if you can move the code to the example_disconnect() operation. Otherwise register a SMB_EXIT_EVENT with smb_register_exit_event(); (Described in the <a href="modules.html" title="Chapter 8. Modules">modules section</a>) And then remove vfs_done(). e.g. the freeing of private data should go to example_disconnect(). +</td></tr></table><p> +</p></li><li><p> +Check if you have any global variables left. +Decide if it wouldn't be better to have this data on a connection basis. +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>If NOT leave them as they are. (e.g. this could be the variable for the private debug class.)</td></tr><tr><td>If YES pack all this data into a struct. You can use handle->data to point to such a struct on a per connection basis.</td></tr></table><p> + + e.g. if you have such a struct: +</p><pre class="programlisting"> +struct example_privates { + char *some_string; + int db_connection; +}; +</pre><p> +first way of doing it: +</p><pre class="programlisting"> +static int example_connect(vfs_handle_struct *handle, + connection_struct *conn, const char *service, + const char* user) +{ + struct example_privates *data = NULL; + + /* alloc our private data */ + data = (struct example_privates *)talloc_zero(conn->mem_ctx, sizeof(struct example_privates)); + if (!data) { + DEBUG(0,("talloc_zero() failed\n")); + return -1; + } + + /* init out private data */ + data->some_string = talloc_strdup(conn->mem_ctx,"test"); + if (!data->some_string) { + DEBUG(0,("talloc_strdup() failed\n")); + return -1; + } + + data->db_connection = open_db_conn(); + + /* and now store the private data pointer in handle->data + * we don't need to specify a free_function here because + * we use the connection TALLOC context. + * (return -1 if something failed.) + */ + VFS_HANDLE_SET_DATA(handle, data, NULL, struct example_privates, return -1); + + return SMB_VFS_NEXT_CONNECT(handle,conn,service,user); +} + +static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd) +{ + struct example_privates *data = NULL; + + /* get the pointer to our private data + * return -1 if something failed + */ + SMB_VFS_HANDLE_GET_DATA(handle, data, struct example_privates, return -1); + + /* do something here...*/ + DEBUG(0,("some_string: %s\n",data->some_string)); + + return SMB_VFS_NEXT_CLOSE(handle, fsp, fd); +} +</pre><p> +second way of doing it: +</p><pre class="programlisting"> +static void free_example_privates(void **datap) +{ + struct example_privates *data = (struct example_privates *)*datap; + + SAFE_FREE(data->some_string); + SAFE_FREE(data); + + *datap = NULL; + + return; +} + +static int example_connect(vfs_handle_struct *handle, + connection_struct *conn, const char *service, + const char* user) +{ + struct example_privates *data = NULL; + + /* alloc our private data */ + data = (struct example_privates *)malloc(sizeof(struct example_privates)); + if (!data) { + DEBUG(0,("malloc() failed\n")); + return -1; + } + + /* init out private data */ + data->some_string = strdup("test"); + if (!data->some_string) { + DEBUG(0,("strdup() failed\n")); + return -1; + } + + data->db_connection = open_db_conn(); + + /* and now store the private data pointer in handle->data + * we need to specify a free_function because we used malloc() and strdup(). + * (return -1 if something failed.) + */ + SMB_VFS_HANDLE_SET_DATA(handle, data, free_example_privates, struct example_privates, return -1); + + return SMB_VFS_NEXT_CONNECT(handle,conn,service,user); +} + +static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd) +{ + struct example_privates *data = NULL; + + /* get the pointer to our private data + * return -1 if something failed + */ + SMB_VFS_HANDLE_GET_DATA(handle, data, struct example_privates, return -1); + + /* do something here...*/ + DEBUG(0,("some_string: %s\n",data->some_string)); + + return SMB_VFS_NEXT_CLOSE(handle, fsp, fd); +} +</pre><p> +</p></li><li><p> +To make it easy to build 3rd party modules it would be usefull to provide +configure.in, (configure), install.sh and Makefile.in with the module. +(Take a look at the example in <code class="filename">examples/VFS</code>.) +</p><p> +The configure script accepts <code class="option">--with-samba-source</code> to specify +the path to the samba source tree. +It also accept <code class="option">--enable-developer</code> which lets the compiler +give you more warnings. +</p><p> +The idea is that you can extend this +<code class="filename">configure.in</code> and <code class="filename">Makefile.in</code> scripts +for your module. +</p></li><li><p> +Compiling & Testing... +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><strong class="userinput"><code>./configure <code class="option">--enable-developer</code></code></strong> ...</td></tr><tr><td><strong class="userinput"><code>make</code></strong></td></tr><tr><td>Try to fix all compiler warnings</td></tr><tr><td><strong class="userinput"><code>make</code></strong></td></tr><tr><td>Testing, Testing, Testing ...</td></tr></table><p> +</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332988"></a>Some Notes</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332994"></a>Implement TRANSPARENT functions</h3></div></div></div><p> +Avoid writing functions like this: + +</p><pre class="programlisting"> +static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd) +{ + return SMB_VFS_NEXT_CLOSE(handle, fsp, fd); +} +</pre><p> + +Overload only the functions you really need to! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333012"></a>Implement OPAQUE functions</h3></div></div></div><p> +If you want to just implement a better version of a +default samba opaque function +(e.g. like a disk_free() function for a special filesystem) +it's ok to just overload that specific function. +</p><p> +If you want to implement a database filesystem or +something different from a posix filesystem. +Make sure that you overload every vfs operation!!! +</p><p> +Functions your FS does not support should be overloaded by something like this: +e.g. for a readonly filesystem. +</p><pre class="programlisting"> +static int example_rename(vfs_handle_struct *handle, connection_struct *conn, + char *oldname, char *newname) +{ + DEBUG(10,("function rename() not allowed on vfs 'example'\n")); + errno = ENOSYS; + return -1; +} +</pre></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="rpc-plugin.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt03.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="parsing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 9. RPC Pluggable Modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. The smb.conf file</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-Developers-Guide/wins.html b/docs/htmldocs/Samba3-Developers-Guide/wins.html new file mode 100644 index 0000000000..cf386caf00 --- /dev/null +++ b/docs/htmldocs/Samba3-Developers-Guide/wins.html @@ -0,0 +1,43 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Samba WINS Internals</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="SAMBA Developers Guide"><link rel="up" href="pt03.html" title="Part III. Samba Subsystems"><link rel="prev" href="parsing.html" title="Chapter 11. The smb.conf file"><link rel="next" href="pwencrypt.html" title="Chapter 13. LanMan and NT Password Encryption"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Samba WINS Internals</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="parsing.html">Prev</a> </td><th width="60%" align="center">Part III. Samba Subsystems</th><td width="20%" align="right"> <a accesskey="n" href="pwencrypt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="wins"></a>Chapter 12. Samba WINS Internals</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="surname">Carter</span></h3></div></div><div><p class="pubdate">October 2002</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="wins.html#id333384">WINS Failover</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333384"></a>WINS Failover</h2></div></div></div><p> +The current Samba codebase possesses the capability to use groups of WINS +servers that share a common namespace for NetBIOS name registration and +resolution. The formal parameter syntax is +</p><pre class="programlisting"> + WINS_SERVER_PARAM = SERVER [ SEPARATOR SERVER_LIST ] + WINS_SERVER_PARAM = "wins server" + SERVER = ADDR[:TAG] + ADDR = ip_addr | fqdn + TAG = string + SEPARATOR = comma | \s+ + SERVER_LIST = SERVER [ SEPARATOR SERVER_LIST ] +</pre><p> +A simple example of a valid wins server setting is +</p><pre class="programlisting"> +[global] + wins server = 192.168.1.2 192.168.1.3 +</pre><p> +In the event that no TAG is defined in for a SERVER in the list, smbd assigns a default +TAG of "*". A TAG is used to group servers of a shared NetBIOS namespace together. Upon +startup, nmbd will attempt to register the netbios name value with one server in each +tagged group. +</p><p> +An example using tags to group WINS servers together is show here. Note that the use of +interface names in the tags is only by convention and is not a technical requirement. +</p><pre class="programlisting"> +[global] + wins server = 192.168.1.2:eth0 192.168.1.3:eth0 192.168.2.2:eth1 +</pre><p> +Using this configuration, nmbd would attempt to register the server's NetBIOS name +with one WINS server in each group. Because the "eth0" group has two servers, the +second server would only be used when a registration (or resolution) request to +the first server in that group timed out. +</p><p> +NetBIOS name resolution follows a similar pattern as name registration. When resolving +a NetBIOS name via WINS, smbd and other Samba programs will attempt to query a single WINS +server in a tagged group until either a positive response is obtained at least once or +until a server from every tagged group has responded negatively to the name query request. +If a timeout occurs when querying a specific WINS server, that server is marked as down to +prevent further timeouts and the next server in the WINS group is contacted. Once marked as +dead, Samba will not attempt to contact that server for name registration/resolution queries +for a period of 10 minutes. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="parsing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="pt03.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pwencrypt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. The smb.conf file </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. LanMan and NT Password Encryption</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/AccessControls.html b/docs/htmldocs/Samba3-HOWTO/AccessControls.html new file mode 100644 index 0000000000..81a0a20d57 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/AccessControls.html @@ -0,0 +1,913 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id380678">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id380846">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381159">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381279">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381872">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381903">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382473">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382742">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382878">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id383200">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id383206">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383245">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383310">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383436">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383623">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383760">Interaction with the Standard Samba “<span class="quote">create mask</span>” Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384062">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384126">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id384487">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id384497">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384805">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384841">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id380526"></a> +<a class="indexterm" name="id380533"></a> +<a class="indexterm" name="id380540"></a> +<a class="indexterm" name="id380547"></a> +Advanced MS Windows users are frequently perplexed when file, directory, and share manipulation of +resources shared via Samba do not behave in the manner they might expect. MS Windows network +administrators are often confused regarding network access controls and how to +provide users with the access they need while protecting resources from unauthorized access. +</p><p> +<a class="indexterm" name="id380560"></a> +<a class="indexterm" name="id380567"></a> +Many UNIX administrators are unfamiliar with the MS Windows environment and in particular +have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file +and directory access permissions. +</p><p> +<a class="indexterm" name="id380579"></a> +<a class="indexterm" name="id380586"></a> +<a class="indexterm" name="id380593"></a> +<a class="indexterm" name="id380599"></a> +The problem lies in the differences in how file and directory permissions and controls work +between the two environments. This difference is one that Samba cannot completely hide, even +though it does try to bridge the chasm to a degree. +</p><p> +<a class="indexterm" name="id380610"></a> +<a class="indexterm" name="id380617"></a> +<a class="indexterm" name="id380626"></a> +<a class="indexterm" name="id380633"></a> +POSIX Access Control List technology has been available (along with extended attributes) +for UNIX for many years, yet there is little evidence today of any significant use. This +explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows +administrators are astounded at this, given that ACLs were a foundational capability of the now +decade-old MS Windows NT operating system. +</p><p> +<a class="indexterm" name="id380647"></a> +The purpose of this chapter is to present each of the points of control that are possible with +Samba-3 in the hope that this will help the network administrator to find the optimum method +for delivering the best environment for MS Windows desktop users. +</p><p> +<a class="indexterm" name="id380659"></a> +<a class="indexterm" name="id380666"></a> +This is an opportune point to mention that Samba was created to provide a means of interoperability +and interchange of data between differing operating environments. Samba has no intent to change +UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient +level of exchange of data between the two environments. What is available today extends well +beyond early plans and expectations, yet the gap continues to shrink. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380678"></a>Features and Benefits</h2></div></div></div><p> + Samba offers much flexibility in file system access management. These are the key access control + facilities present in Samba today: + </p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p> + <a class="indexterm" name="id380697"></a> + <span class="emphasis"><em>UNIX File and Directory Permissions</em></span> + </p><p> +<a class="indexterm" name="id380713"></a> +<a class="indexterm" name="id380720"></a> +<a class="indexterm" name="id380726"></a> + Samba honors and implements UNIX file system access controls. Users + who access a Samba server will do so as a particular MS Windows user. + This information is passed to the Samba server as part of the logon or + connection setup process. Samba uses this user identity to validate + whether or not the user should be given access to file system resources + (files and directories). This chapter provides an overview for those + to whom the UNIX permissions and controls are a little strange or unknown. + </p></li><li><p> + <span class="emphasis"><em>Samba Share Definitions</em></span> + </p><p> +<a class="indexterm" name="id380750"></a> + In configuring share settings and controls in the <code class="filename">smb.conf</code> file, + the network administrator can exercise overrides to native file + system permissions and behaviors. This can be handy and convenient + to effect behavior that is more like what MS Windows NT users expect, + but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this. + The basic options and techniques are described herein. + </p></li><li><p> + <span class="emphasis"><em>Samba Share ACLs</em></span> + <a class="indexterm" name="id380778"></a> + </p><p> +<a class="indexterm" name="id380790"></a> + Just as it is possible in MS Windows NT to set ACLs on shares + themselves, so it is possible to do in Samba. + Few people make use of this facility, yet it remains one of the + easiest ways to affect access controls (restrictions) and can often + do so with minimum invasiveness compared with other methods. + </p></li><li><p> + <a class="indexterm" name="id380805"></a> + <a class="indexterm" name="id380815"></a> + <span class="emphasis"><em>MS Windows ACLs through UNIX POSIX ACLs</em></span> + </p><p> +<a class="indexterm" name="id380831"></a> + The use of POSIX ACLs on UNIX/Linux is possible only if the underlying + operating system supports them. If not, then this option will not be + available to you. Current UNIX technology platforms have native support + for POSIX ACLs. There are patches for the Linux kernel that also provide + this support. Sadly, few Linux platforms ship today with native ACLs and + extended attributes enabled. This chapter has pertinent information + for users of platforms that support them. + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380846"></a>File System Access Controls</h2></div></div></div><p> +Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP +implement a totally divergent file system technology from what is provided in the UNIX operating system +environment. First we consider what the most significant differences are, then we look +at how Samba helps to bridge the differences. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id380858"></a>MS Windows NTFS Comparison with UNIX File Systems</h3></div></div></div><p> + <a class="indexterm" name="id380866"></a> + <a class="indexterm" name="id380873"></a> + <a class="indexterm" name="id380879"></a> + <a class="indexterm" name="id380889"></a> + Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions + and permissions. It also means that if the MS Windows networking environment requires file system + behavior, that differs from UNIX file system behavior then somehow Samba is responsible for emulating + that in a transparent and consistent manner. + </p><p> + It is good news that Samba does this to a large extent, and on top of that, provides a high degree + of optional configuration to override the default behavior. We look at some of these overrides, + but for the greater part we stay within the bounds of default behavior. Those wishing to explore + the depths of control ability should review the <code class="filename">smb.conf</code> man page. + </p><p>The following compares file system features for UNIX with those of MS Windows NT/200x: + <a class="indexterm" name="id380917"></a> + + </p><div class="variablelist"><dl><dt><span class="term">Name Space</span></dt><dd><p> + MS Windows NT4/200x/XP file names may be up to 254 characters long, and UNIX file names + may be 1023 characters long. In MS Windows, file extensions indicate particular file types; + in UNIX this is not so rigorously observed because all names are considered arbitrary. + </p><p> + What MS Windows calls a folder, UNIX calls a directory. + </p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p> + <a class="indexterm" name="id380959"></a> + <a class="indexterm" name="id380966"></a> + MS Windows file names are generally uppercase if made up of 8.3 (8-character file name + and 3 character extension. File names that are longer than 8.3 are case preserving and case + insensitive. + </p><p> + UNIX file and directory names are case sensitive and case preserving. Samba implements the + MS Windows file name behavior, but it does so as a user application. The UNIX file system + provides no mechanism to perform case-insensitive file name lookups. MS Windows does this + by default. This means that Samba has to carry the processing overhead to provide features + that are not native to the UNIX operating system environment. + </p><p> + Consider the following. All are unique UNIX names but one single MS Windows file name: + </p><pre class="screen"> + MYFILE.TXT + MyFile.txt + myfile.txt + </pre><p> + So clearly, in an MS Windows file namespace these three files cannot co-exist, but in UNIX + they can. + </p><p> + So what should Samba do if all three are present? That which is lexically first will be + accessible to MS Windows users; the others are invisible and unaccessible any + other solution would be suicidal. The Windows client will ask for a case-insensitive file + lookup, and that is the reason for which Samba must offer a consistent selection in the + event that the UNIX directory contains multiple files that would match a case insensitive + file listing. + </p></dd><dt><span class="term">Directory Separators</span></dt><dd><p> + <a class="indexterm" name="id381022"></a> + MS Windows and DOS use the backslash <code class="constant">\</code> as a directory delimiter, and UNIX uses + the forward-slash <code class="constant">/</code> as its directory delimiter. This is handled transparently by Samba. + </p></dd><dt><span class="term">Drive Identification</span></dt><dd><p> + <a class="indexterm" name="id381048"></a> + MS Windows products support a notion of drive letters, like <code class="literal">C:</code>, to represent + disk partitions. UNIX has no concept of separate identifiers for file partitions; each + such file system is mounted to become part of the overall directory tree. + The UNIX directory tree begins at <code class="constant">/</code> just as the root of a DOS drive is specified as + <code class="constant">C:\</code>. + </p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p> + <a class="indexterm" name="id381081"></a> + MS Windows generally never experiences file names that begin with a dot (<code class="constant">.</code>), while in UNIX these + are commonly found in a user's home directory. Files that begin with a dot (<code class="constant">.</code>) are typically + startup files for various UNIX applications, or they may be files that contain + startup configuration data. + </p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p> + <a class="indexterm" name="id381108"></a> + <a class="indexterm" name="id381117"></a> + <a class="indexterm" name="id381126"></a> + MS Windows make use of <span class="emphasis"><em>links and shortcuts</em></span> that are actually special types of files that will + redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory + links, but they are entirely different from what MS Windows users are used to. + </p><p> + Symbolic links are files in UNIX that contain the actual location of the data (file or directory). An + operation (like read or write) will operate directly on the file referenced. Symbolic links are also + referred to as “<span class="quote">soft links.</span>” A hard link is something that MS Windows is not familiar with. It allows + one physical file to be known simultaneously by more than one file name. + </p></dd></dl></div><p> + There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort + in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the + purpose of UNIX/Linux training and education. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381159"></a>Managing Directories</h3></div></div></div><p> +<a class="indexterm" name="id381166"></a> +<a class="indexterm" name="id381173"></a> +<a class="indexterm" name="id381180"></a> + There are three basic operations for managing directories: <code class="literal">create</code>, <code class="literal">delete</code>, + <code class="literal">rename</code>. <a href="AccessControls.html#TOSH-Accesstbl" title="Table 16.1. Managing Directories with UNIX and Windows">Managing Directories with UNIX and + Windows</a> compares the commands in Windows and UNIX that implement these operations. + </p><div class="table"><a name="TOSH-Accesstbl"></a><p class="title"><b>Table 16.1. Managing Directories with UNIX and Windows</b></p><div class="table-contents"><table summary="Managing Directories with UNIX and Windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">UNIX Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381279"></a>File and Directory Access Control</h3></div></div></div><p> + <a class="indexterm" name="id381287"></a> +<a class="indexterm" name="id381296"></a> +<a class="indexterm" name="id381303"></a> + The network administrator is strongly advised to read basic UNIX training manuals and reference materials + regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions + without having to resort to more complex facilities like POSIX ACLs or extended attributes (EAs). + </p><p> + UNIX/Linux file and directory access permissions involves setting three primary sets of data and one control set. + A UNIX file listing looks as follows: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>ls -la</code></strong> +total 632 +drwxr-xr-x 13 maryo gnomes 816 2003-05-12 22:56 . +drwxrwxr-x 37 maryo gnomes 3800 2003-05-12 22:29 .. +dr-xr-xr-x 2 maryo gnomes 48 2003-05-12 22:29 muchado02 +drwxrwxrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado03 +drw-rw-rw- 2 maryo gnomes 48 2003-05-12 22:29 muchado04 +d-w--w--w- 2 maryo gnomes 48 2003-05-12 22:29 muchado05 +dr--r--r-- 2 maryo gnomes 48 2003-05-12 22:29 muchado06 +drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08 +---------- 1 maryo gnomes 1242 2003-05-12 22:31 mydata00.lst +--w--w--w- 1 maryo gnomes 7754 2003-05-12 22:33 mydata02.lst +-r--r--r-- 1 maryo gnomes 21017 2003-05-12 22:32 mydata04.lst +-rw-rw-rw- 1 maryo gnomes 41105 2003-05-12 22:32 mydata06.lst +<code class="prompt">$ </code> +</pre><p> + </p><p> + The columns represent (from left to right) permissions, number of hard links to file, owner, group, size + (bytes), access date, time of last modification, and file name. + </p><p> + An overview of the permissions field is shown in <a href="AccessControls.html#access1" title="Figure 16.1. Overview of UNIX permissions field.">Overview of UNIX permissions + field</a>. + </p><div class="figure"><a name="access1"></a><p class="title"><b>Figure 16.1. Overview of UNIX permissions field.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/access1.png" width="216" alt="Overview of UNIX permissions field."></div></div></div><br class="figure-break"><p> + Any bit flag may be unset. An unset bit flag is the equivalent of "cannot" and is represented + as a “<span class="quote">-</span>” character (see <a href="AccessControls.html#access2" title="Example 16.1. Example File">???</a>) +<a class="indexterm" name="id381417"></a> +<a class="indexterm" name="id381423"></a> +<a class="indexterm" name="id381430"></a> +<a class="indexterm" name="id381437"></a> +<a class="indexterm" name="id381444"></a> +<a class="indexterm" name="id381450"></a> + </p><div class="example"><a name="access2"></a><p class="title"><b>Example 16.1. Example File</b></p><div class="example-contents"><pre class="programlisting"> +-rwxr-x--- Means: + ^^^ The owner (user) can read, write, execute + ^^^ the group can read and execute + ^^^ everyone else cannot do anything with it. +</pre></div></div><br class="example-break"><p> +<a class="indexterm" name="id381478"></a> +<a class="indexterm" name="id381485"></a> +<a class="indexterm" name="id381492"></a> +<a class="indexterm" name="id381498"></a> + Additional possibilities in the [type] field are c = character device, b = block device, p = pipe device, + s = UNIX Domain Socket. + </p><p> +<a class="indexterm" name="id381510"></a> +<a class="indexterm" name="id381516"></a> +<a class="indexterm" name="id381523"></a> +<a class="indexterm" name="id381530"></a> +<a class="indexterm" name="id381537"></a> + The letters <code class="constant">rwxXst</code> set permissions for the user, group, and others as read (r), write (w), + execute (or access for directories) (x), execute only if the file is a directory or already has execute + permission for some user (X), set user (SUID) or group ID (SGID) on execution (s), sticky (t). + </p><p> +<a class="indexterm" name="id381553"></a> +<a class="indexterm" name="id381560"></a> +<a class="indexterm" name="id381567"></a> +<a class="indexterm" name="id381573"></a> + When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. + Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on + directories, such as <code class="filename">/tmp</code>, that are world-writable. + </p><p> +<a class="indexterm" name="id381592"></a> +<a class="indexterm" name="id381599"></a> +<a class="indexterm" name="id381606"></a> +<a class="indexterm" name="id381612"></a> +<a class="indexterm" name="id381622"></a> + When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or + group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that + all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file + to be exclusively owned by a user whose primary group is not the group that all such users belong to. + </p><p> + When a directory is set <code class="constant">d-wx--x---</code>, the owner can read and create (write) files in it, but because + the (r) read flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the + directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then + group members will be able to write to (or delete) them. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id381646"></a>Protecting Directories and Files from Deletion</h4></div></div></div><p> +<a class="indexterm" name="id381654"></a> +<a class="indexterm" name="id381661"></a> +<a class="indexterm" name="id381668"></a> +<a class="indexterm" name="id381675"></a> + People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users. + For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can + write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to + but not deleted. Such concepts are foreign to the UNIX operating system file space. Within the UNIX file system + anyone who has the ability to create a file can write to it. Anyone who has write permission on the + directory that contains a file and has write permission for it has the capability to delete it. + </p><p> +<a class="indexterm" name="id381690"></a> +<a class="indexterm" name="id381697"></a> +<a class="indexterm" name="id381704"></a> + For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on + the directory that the file is in. In other words, a user can delete a file in a directory to which that + user has write access, even if that user does not own the file. + </p><p> +<a class="indexterm" name="id381716"></a> +<a class="indexterm" name="id381723"></a> +<a class="indexterm" name="id381730"></a> +<a class="indexterm" name="id381737"></a> + Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore + limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs + a "best fit" translation to POSIX ACLs. Some UNIX file systems do, however support, a feature known + as extended attributes. Only the Windows concept of <span class="emphasis"><em>inheritance</em></span> is implemented by Samba through + the appropriate extended attribute. + </p><p> +<a class="indexterm" name="id381754"></a> +<a class="indexterm" name="id381761"></a> +<a class="indexterm" name="id381768"></a> +<a class="indexterm" name="id381775"></a> + The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux. + For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory + or file from being deleted. The extended attribute that may achieve this is called the <code class="constant">immutible</code> bit. + Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the + man page for the <code class="literal">chattr</code> on SUSE Linux 9.2 says: +</p><pre class="screen"> +A file with the i attribute cannot be modified: it cannot be deleted +or renamed, no link can be created to this file and no data can be +written to the file. Only the superuser or a process possessing the +CAP_LINUX_IMMUTABLE capability can set or clear this attribute. +</pre><p> + A simple test can be done to check if the immutible flag is supported on files in the file system of the Samba host + server. + </p><div class="procedure"><a name="id381806"></a><p class="title"><b>Procedure 16.1. Test for File Immutibility Support</b></p><ol type="1"><li><p> + Create a file called <code class="filename">filename</code>. + </p></li><li><p> + Login as the <code class="constant">root</code> user, then set the immutibile flag on a test file as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> chattr +i `filename' +</pre><p> + </p></li><li><p> + Login as the user who owns the file (not root) and attempt to remove the file as follows: +</p><pre class="screen"> +mystic:/home/hannibal > rm filename +</pre><p> + It will not be possible to delete the file if the immutible flag is correctly honored. + </p></li></ol></div><p> + On operating systems and file system types that support the immutible bit, it is possible to create directories + that cannot be deleted. Check the man page on your particular host system to determine whether or not + immutable directories are writable. If they are not, then the entire directory and its contents will effectively + be protected from writing (file creation also) and deletion. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id381872"></a>Share Definition Access Controls</h2></div></div></div><p> + <a class="indexterm" name="id381880"></a> + The following parameters in the <code class="filename">smb.conf</code> file sections define a share control or affect access controls. + Before using any of the following options, please refer to the man page for <code class="filename">smb.conf</code>. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381903"></a>User- and Group-Based Controls</h3></div></div></div><p> + User- and group-based controls can prove quite useful. In some situations it is distinctly desirable to + force all file system operations as if a single user were doing so. The use of the + <a class="indexterm" name="id381913"></a>force user and <a class="indexterm" name="id381920"></a>force group behavior will achieve this. + In other situations it may be necessary to use a paranoia level of control to ensure that only particular + authorized persons will be able to access a share or its contents. Here the use of the + <a class="indexterm" name="id381929"></a>valid users or the <a class="indexterm" name="id381936"></a>invalid users parameter may be useful. + </p><p> + As always, it is highly advisable to use the easiest to maintain and the least ambiguous method for + controlling access. Remember, when you leave the scene, someone else will need to provide assistance, and + if he or she finds too great a mess or does not understand what you have done, there is risk of + Samba being removed and an alternative solution being adopted. + </p><p> + <a href="AccessControls.html#ugbc" title="Table 16.2. User- and Group-Based Controls">User and Group Based Controls</a> enumerates these controls. + </p><div class="table"><a name="ugbc"></a><p class="title"><b>Table 16.2. User- and Group-Based Controls</b></p><div class="table-contents"><table summary="User- and Group-Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description, Action, Notes</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id382012"></a>admin users</td><td align="justify"><p> + List of users who will be granted administrative privileges on the share. + They will do all file operations as the superuser (root). + Users in this list will be able to do anything they like on the share, + irrespective of file permissions. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382031"></a>force group</td><td align="justify"><p> + Specifies a UNIX group name that will be assigned as the default primary group + for all users connecting to this service. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382049"></a>force user</td><td align="justify"><p> + Specifies a UNIX username that will be assigned as the default user for all users connecting to this service. + This is useful for sharing files. Incorrect use can cause security problems. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382068"></a>guest ok</td><td align="justify"><p> + If this parameter is set for a service, then no password is required to connect to the service. Privileges will be + those of the guest account. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382086"></a>invalid users</td><td align="justify"><p> + List of users that should not be allowed to login to this service. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382103"></a>only user</td><td align="justify"><p> + Controls whether connections with usernames not in the user list will be allowed. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382121"></a>read list</td><td align="justify"><p> + List of users that are given read-only access to a service. Users in this list + will not be given write access, no matter what the read-only option is set to. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382139"></a>username</td><td align="justify"><p> + Refer to the <code class="filename">smb.conf</code> man page for more information; this is a complex and potentially misused parameter. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382163"></a>valid users</td><td align="justify"><p> + List of users that should be allowed to login to this service. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382180"></a>write list</td><td align="justify"><p> + List of users that are given read-write access to a service. + </p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id382198"></a>File and Directory Permissions-Based Controls</h3></div></div></div><p> + Directory permission-based controls, if misused, can result in considerable difficulty in diagnosing the causes of + misconfiguration. Use them sparingly and carefully. By gradually introducing each, one at a time, undesirable side + effects may be detected. In the event of a problem, always comment all of them out and then gradually reintroduce + them in a controlled way. + </p><p> + Refer to <a href="AccessControls.html#fdpbc" title="Table 16.3. File and Directory Permission-Based Controls">File and Directory Permission Based Controls</a> for information + regarding the parameters that may be used to set file and directory permission-based access controls. + </p><div class="table"><a name="fdpbc"></a><p class="title"><b>Table 16.3. File and Directory Permission-Based Controls</b></p><div class="table-contents"><table summary="File and Directory Permission-Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description, Action, Notes</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id382272"></a>create mask</td><td align="justify"><p> + Refer to the <code class="filename">smb.conf</code> man page. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382295"></a>directory mask</td><td align="justify"><p> + The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. + See also directory security mask. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382312"></a>dos filemode</td><td align="justify"><p> + Enabling this parameter allows a user who has write access to the file to modify the permissions on it. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382330"></a>force create mode</td><td align="justify"><p> + This parameter specifies a set of UNIX-mode bit permissions that will always be set on a file created by Samba. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382347"></a>force directory mode</td><td align="justify"><p> + This parameter specifies a set of UNIX-mode bit permissions that will always be set on a directory created by Samba. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382365"></a>force directory security mode</td><td align="justify"><p> + Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382383"></a>force security mode</td><td align="justify"><p> + Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382401"></a>hide unreadable</td><td align="justify"><p> + Prevents clients from seeing the existence of files that cannot be read. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382418"></a>hide unwriteable files</td><td align="justify"><p> + Prevents clients from seeing the existence of files that cannot be written to. Unwritable directories are shown as usual. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382436"></a>nt acl support</td><td align="justify"><p> + This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT ACLs. + </p></td></tr><tr><td align="left"><a class="indexterm" name="id382454"></a>security mask</td><td align="justify"><p> + Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. + </p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id382473"></a>Miscellaneous Controls</h3></div></div></div><p> + The parameter documented in <a href="AccessControls.html#mcoc" title="Table 16.4. Other Controls">Other Controls</a> are often used by administrators + in ways that create inadvertent barriers to file access. Such are the consequences of not understanding the + full implications of <code class="filename">smb.conf</code> file settings. + </p><div class="table"><a name="mcoc"></a><p class="title"><b>Table 16.4. Other Controls</b></p><div class="table-contents"><table summary="Other Controls" border="1"><colgroup><col align="justify"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description, Action, Notes</th></tr></thead><tbody><tr><td align="justify"> + <a class="indexterm" name="id382549"></a>case sensitive, + <a class="indexterm" name="id382556"></a>default case, + <a class="indexterm" name="id382563"></a>short preserve case + </td><td align="justify"><p> + This means that all file name lookup will be done in a case-sensitive manner. + Files will be created with the precise file name Samba received from the MS Windows client. + </p></td></tr><tr><td align="justify"><a class="indexterm" name="id382581"></a>csc policy</td><td align="justify"><p> + Client-side caching policy parallels MS Windows client-side file caching capabilities. + </p></td></tr><tr><td align="justify"><a class="indexterm" name="id382599"></a>dont descend</td><td align="justify"><p> + Allows specifying a comma-delimited list of directories that the server should always show as empty. + </p></td></tr><tr><td align="justify"><a class="indexterm" name="id382616"></a>dos filetime resolution</td><td align="justify"><p> + This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. + </p></td></tr><tr><td align="justify"><a class="indexterm" name="id382634"></a>dos filetimes</td><td align="justify"><p> + DOS and Windows allow users to change file timestamps if they can write to the file. POSIX semantics prevent this. + This option allows DOS and Windows behavior. + </p></td></tr><tr><td align="justify"><a class="indexterm" name="id382652"></a>fake oplocks</td><td align="justify"><p> + Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an + oplock, the client is free to assume that it is the only one accessing the file, and it will aggressively cache file data. + </p></td></tr><tr><td align="justify"> + <a class="indexterm" name="id382672"></a>hide dot files, + <a class="indexterm" name="id382680"></a>hide files, + <a class="indexterm" name="id382687"></a>veto files + </td><td align="justify"><p> + Note: MS Windows Explorer allows override of files marked as hidden so they will still be visible. + </p></td></tr><tr><td align="justify"><a class="indexterm" name="id382704"></a>read only</td><td align="justify"><p> + If this parameter is yes, then users of a service may not create or modify files in the service's directory. + </p></td></tr><tr><td align="justify"><a class="indexterm" name="id382722"></a>veto files</td><td align="justify"><p> + List of files and directories that are neither visible nor accessible. + </p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id382742"></a>Access Controls on Shares</h2></div></div></div><p> +<a class="indexterm" name="id382750"></a> +<a class="indexterm" name="id382756"></a> +<a class="indexterm" name="id382763"></a> +<a class="indexterm" name="id382770"></a> + <a class="indexterm" name="id382777"></a> + This section deals with how to configure Samba per-share access control restrictions. + By default, Samba sets no restrictions on the share itself. Restrictions on the share itself + can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can + connect to a share. In the absence of specific restrictions, the default setting is to allow + the global user <code class="constant">Everyone - Full Control</code> (full control, change and read). + </p><p> +<a class="indexterm" name="id382796"></a> +<a class="indexterm" name="id382803"></a> +<a class="indexterm" name="id382810"></a> + At this time Samba does not provide a tool for configuring access control settings on the share + itself the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x + Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide + this capability in the Samba command-line tool set. + </p><p> +<a class="indexterm" name="id382823"></a> +<a class="indexterm" name="id382830"></a> +<a class="indexterm" name="id382836"></a> +<a class="indexterm" name="id382843"></a> + Samba stores the per-share access control settings in a file called <code class="filename">share_info.tdb</code>. + The location of this file on your system will depend on how Samba was compiled. The default location + for Samba's tdb files is under <code class="filename">/usr/local/samba/var</code>. If the <code class="filename">tdbdump</code> + utility has been compiled and installed on your system, then you can examine the contents of this file + by executing <code class="literal">tdbdump share_info.tdb</code> in the directory containing the tdb files. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id382878"></a>Share Permissions Management</h3></div></div></div><p> + The best tool for share permissions management is platform-dependent. Choose the best tool for your environment. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id382888"></a>Windows NT4 Workstation/Server</h4></div></div></div><p> +<a class="indexterm" name="id382896"></a> +<a class="indexterm" name="id382903"></a> +<a class="indexterm" name="id382910"></a> +<a class="indexterm" name="id382916"></a> + The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server + is the NT Server Manager. Server Manager is shipped with Windows NT4 Server products but not with Windows + NT4 Workstation. You can obtain the NT Server Manager for MS Windows NT4 Workstation from the Microsoft + web site <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673" target="_top">support</a> section. + </p><div class="procedure"><a name="id382934"></a><p class="title"><b>Procedure 16.2. Instructions</b></p><ol type="1"><li><p> + Launch the <span class="application">NT4 Server Manager</span> and click on the Samba server you want to + administer. From the menu select <span class="guimenu">Computer</span>, then click on + <span class="guimenuitem">Shared Directories</span>. + </p></li><li><p> + Click on the share that you wish to manage and click the <span class="guilabel">Properties</span> tab, then click + the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id382986"></a>Windows 200x/XP</h4></div></div></div><p> +<a class="indexterm" name="id382994"></a> +<a class="indexterm" name="id383001"></a> +<a class="indexterm" name="id383008"></a> +<a class="indexterm" name="id383015"></a> + On <span class="application">MS Windows NT4/200x/XP</span> system, ACLs on the share itself are set using native + tools, usually from File Manager. For example, in Windows 200x, right-click on the shared folder, + then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default + Windows NT4/200x permission allows "Everyone" full control on the share. + </p><p> +<a class="indexterm" name="id383045"></a> +<a class="indexterm" name="id383052"></a> +<a class="indexterm" name="id383058"></a> + MS Windows 200x and later versions come with a tool called the <span class="application">Computer Management</span> + snap-in for the MMC. This tool is located by clicking on <span class="guimenu">Control Panel -> + Administrative Tools -> Computer Management</span>. + </p><div class="procedure"><a name="id383080"></a><p class="title"><b>Procedure 16.3. Instructions</b></p><ol type="1"><li><p> + After launching the MMC with the Computer Management snap-in, click the menu item <span class="guimenuitem">Action</span> + and select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you are already logged in with administrative privilege, this step is not offered. + </p></li><li><p> + If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, type in the name of the target + Samba server in the field <span class="guilabel">Name:</span>. Now click the on <span class="guibutton">[+]</span> next to + <span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to + <span class="guilabel">Shared Folders</span> in the left panel. + </p></li><li><p> +<a class="indexterm" name="id383155"></a> + In the right panel, double-click on the share on which you wish to set access control permissions. + Then click the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities + to the shared folder. Remember to set what type of access (full control, change, read) you + wish to assign for each entry. + </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Be careful. If you take away all permissions from the <code class="constant">Everyone</code> user without removing + this user, effectively no user will be able to access the share. This is a result of what is known as + ACL precedence. Everyone with <span class="emphasis"><em>no access</em></span> means that <code class="constant">MaryK</code> who is + part of the group <code class="constant">Everyone</code> will have no access even if she is given explicit full + control access. + </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383200"></a>MS Windows Access Control Lists and UNIX Interoperability</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383206"></a>Managing UNIX Permissions Using NT Security Dialogs</h3></div></div></div><p> + <a class="indexterm" name="id383214"></a> + Windows NT clients can use their native security settings dialog box to view and modify the + underlying UNIX permissions. + </p><p> + This ability is careful not to compromise the security of the UNIX host on which Samba is running and + still obeys all the file permission rules that a Samba administrator can set. + </p><p> + Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control + options provided in Windows are actually ignored. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls. + When trying to figure out file access problems, it is vitally important to find the identity of the Windows + user as it is presented by Samba at the point of file access. This can best be determined from the + Samba log files. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383245"></a>Viewing File Security on a Samba Share</h3></div></div></div><p> + From an NT4/2000/XP client, right-click on any file or directory in a Samba-mounted drive letter + or UNC path. When the menu pops up, click on the <span class="guilabel">Properties</span> entry at the bottom + of the menu. This brings up the file <code class="constant">Properties</code> dialog box. Click on the + <span class="guilabel">Security</span> tab and you will see three buttons: <span class="guibutton">Permissions</span>, + <span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>. The <span class="guibutton">Auditing</span> + button will cause either an error message <span class="errorname">"A requested privilege is not held by the client"</span> + to appear if the user is not the NT administrator, or a dialog intended to allow an administrator + to add auditing requirements to a file if the user is logged on as the NT administrator. This dialog is + nonfunctional with a Samba share at this time, because the only useful button, the <span class="guibutton">Add</span> + button, will not currently allow a list of users to be seen. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383310"></a>Viewing File Ownership</h3></div></div></div><p> + Clicking on the <span class="guibutton">Ownership</span> button brings up a dialog box telling you who owns + the given file. The owner name will be displayed like this: + </p><pre class="screen"> + <code class="constant">SERVER\user (Long name)</code> + </pre><p> + <em class="replaceable"><code>SERVER</code></em> is the NetBIOS name of the Samba server, <em class="replaceable"><code>user</code></em> + is the username of the UNIX user who owns the file, and <em class="replaceable"><code>(Long name)</code></em> is the + descriptive string identifying the user (normally found in the GECOS field of the UNIX password database). + Click on the <span class="guibutton">Close</span> button to remove this dialog. + </p><p> + If the parameter <a class="indexterm" name="id383356"></a>nt acl support is set to <code class="constant">false</code>, + the file owner will be shown as the NT user <span class="emphasis"><em>Everyone</em></span>. + </p><p> +<a class="indexterm" name="id383374"></a> + The <span class="guibutton">Take Ownership</span> button will not allow you to change the ownership of this file to + yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto + the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged + operation in UNIX, available only to the <span class="emphasis"><em>root</em></span> user. Because clicking on this button causes + NT to attempt to change the ownership of a file to the current user logged into the NT client, this will + not work with Samba at this time. + </p><p> +<a class="indexterm" name="id383398"></a> +<a class="indexterm" name="id383405"></a> +<a class="indexterm" name="id383412"></a> + There is an NT <code class="literal">chown</code> command that will work with Samba and allow a user with administrator + privilege connected to a Samba server as root to change the ownership of files on both a local NTFS file system + or remote mounted NTFS or Samba drive. This is available as part of the <span class="application">Seclib</span> NT + security library written by Jeremy Allison of the Samba Team and is downloadable from the main Samba FTP site. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383436"></a>Viewing File or Directory Permissions</h3></div></div></div><p> + The third button is the <span class="guibutton">Permissions</span> button. Clicking on it brings up a dialog box + that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this: + </p><p><code class="literal"><em class="replaceable"><code>SERVER</code></em>\ + <em class="replaceable"><code>user</code></em> + <em class="replaceable"><code>(Long name)</code></em></code></p><p><em class="replaceable"><code>SERVER</code></em> is the NetBIOS name of the Samba server, + <em class="replaceable"><code>user</code></em> is the username of the UNIX user who owns the file, and + <em class="replaceable"><code>(Long name)</code></em> is the descriptive string identifying the user (normally found in the + GECOS field of the UNIX password database).</p><p> + If the parameter <a class="indexterm" name="id383484"></a>nt acl support is set to <code class="constant">false</code>, + the file owner will be shown as the NT user <code class="constant">Everyone</code>, and the permissions will be + shown as NT <span class="emphasis"><em>Full Control</em></span>. + </p><p> + The permissions field is displayed differently for files and directories. Both are discussed next. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id383509"></a>File Permissions</h4></div></div></div><p> + The standard UNIX user/group/world triplet and the corresponding <code class="constant">read, write, + execute</code> permissions triplets are mapped by Samba into a three-element NT ACL with the + “<span class="quote">r</span>”, “<span class="quote">w</span>”, and “<span class="quote">x</span>” bits mapped into the corresponding NT + permissions. The UNIX world permissions are mapped into the global NT group <code class="constant">Everyone</code>, followed + by the list of permissions allowed for the UNIX world. The UNIX owner and group permissions are displayed as an NT + <span class="guiicon">user</span> icon and an NT <span class="guiicon">local group</span> icon, respectively, followed by the list + of permissions allowed for the UNIX user and group. + </p><p> + Because many UNIX permission sets do not map into common NT names such as <code class="constant">read</code>, + <code class="constant">change</code>, or <code class="constant">full control</code>, usually the permissions will be prefixed + by the words <code class="constant">Special Access</code> in the NT display list. + </p><p> + But what happens if the file has no permissions allowed for a particular UNIX user group or world component? + In order to allow <span class="emphasis"><em>no permissions</em></span> to be seen and modified, Samba then overloads the NT + <code class="constant">Take Ownership</code> ACL attribute (which has no meaning in UNIX) and reports a component with + no permissions as having the NT <code class="literal">O</code> bit set. This was chosen, of course, to make it look + like a zero, meaning zero permissions. More details on the decision behind this action are given below. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id383592"></a>Directory Permissions</h4></div></div></div><p> + Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the + directory itself, which is usually displayed in the first set of parentheses in the normal <code class="constant">RW</code> + NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described + above, and is displayed in the same way. + </p><p> + The second set of directory permissions has no real meaning in the UNIX permissions world and represents the <code class="constant"> + inherited</code> permissions that any file created within this directory would inherit. + </p><p> + Samba synthesizes these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file + created by Samba on this share would receive. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383623"></a>Modifying File or Directory Permissions</h3></div></div></div><p> + Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box + and clicking on <span class="guibutton">OK</span>. However, there are limitations that a user needs to be aware of, + and also interactions with the standard Samba permission masks and mapping of DOS attributes that also need to + be taken into account. + </p><p> + If the parameter <a class="indexterm" name="id383643"></a>nt acl support is set to <code class="constant">false</code>, any attempt to + set security permissions will fail with an <span class="errorname">"Access Denied" </span> message. + </p><p> + The first thing to note is that the <span class="guibutton">Add</span> button will not return a list of users in Samba + (it will give an error message saying <span class="errorname">"The remote procedure call failed and did not + execute"</span>). This means that you can only manipulate the current user/group/world permissions listed + in the dialog box. This actually works quite well because these are the only permissions that UNIX actually + has. + </p><p> + If a permission triplet (either user, group, or world) is removed from the list of permissions in the NT + dialog box, then when the <span class="guibutton">OK</span> button is pressed, it will be applied as <span class="emphasis"><em>no + permissions</em></span> on the UNIX side. If you view the permissions again, the <span class="emphasis"><em>no + permissions</em></span> entry will appear as the NT <code class="literal">O</code> flag, as described above. This allows + you to add permissions back to a file or directory once you have removed them from a triplet component. + </p><p> + Because UNIX supports only the “<span class="quote">r</span>”, “<span class="quote">w</span>”, and “<span class="quote">x</span>” bits of an NT ACL, if + other NT security attributes such as <code class="constant">Delete Access</code> are selected, they will be ignored + when applied on the Samba server. + </p><p> + When setting permissions on a directory, the second set of permissions (in the second set of parentheses) is + by default applied to all files within that directory. If this is not what you want, you must uncheck the + <span class="guilabel">Replace permissions on existing files</span> checkbox in the NT dialog before clicking on + <span class="guibutton">OK</span>. + </p><p> + If you wish to remove all permissions from a user/group/world component, you may either highlight the + component and click on the <span class="guibutton">Remove</span> button or set the component to only have the special + <code class="constant">Take Ownership</code> permission (displayed as <code class="literal">O</code>) highlighted. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383760"></a>Interaction with the Standard Samba “<span class="quote">create mask</span>” Parameters</h3></div></div></div><p>There are four parameters that control interaction with the standard Samba <em class="parameter"><code>create mask</code></em> parameters: + + + </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id383782"></a>security mask</p></li><li><p><a class="indexterm" name="id383792"></a>force security mode</p></li><li><p><a class="indexterm" name="id383802"></a>directory security mask</p></li><li><p><a class="indexterm" name="id383812"></a>force directory security mode</p></li></ul></div><p> + + </p><p> + When a user clicks on <span class="guibutton">OK</span> to apply the + permissions, Samba maps the given permissions into a user/group/world + r/w/x triplet set, and then checks the changed permissions for a + file against the bits set in the + <a class="indexterm" name="id383833"></a>security mask parameter. Any bits that + were changed that are not set to <span class="emphasis"><em>1</em></span> in this parameter are left alone + in the file permissions.</p><p> + Essentially, zero bits in the <a class="indexterm" name="id383848"></a>security mask + may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span> + allowed to change, and one bits are those the user is allowed to change. + </p><p> + If not explicitly set, this parameter defaults to the same value as + the <a class="indexterm" name="id383863"></a>create mask parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter to 0777. + </p><p> + Next Samba checks the changed permissions for a file against the bits set in the + <a class="indexterm" name="id383875"></a>force security mode parameter. Any bits + that were changed that correspond to bits set to <span class="emphasis"><em>1</em></span> in this parameter + are forced to be set.</p><p> + Essentially, bits set in the <em class="parameter"><code>force security mode</code></em> parameter + may be treated as a set of bits that, when modifying security on a file, the user + has always set to be <span class="emphasis"><em>on</em></span>.</p><p> + If not explicitly set, this parameter defaults to the same value + as the <a class="indexterm" name="id383904"></a>force create mode parameter. + To allow a user to modify all the user/group/world permissions on a file + with no restrictions, set this parameter to 000. The + <a class="indexterm" name="id383913"></a>security mask and <em class="parameter"><code>force + security mode</code></em> parameters are applied to the change + request in that order.</p><p> + For a directory, Samba performs the same operations as + described above for a file except it uses the parameter <em class="parameter"><code> + directory security mask</code></em> instead of <em class="parameter"><code>security + mask</code></em>, and <em class="parameter"><code>force directory security mode + </code></em> parameter instead of <em class="parameter"><code>force security mode + </code></em>.</p><p> + The <a class="indexterm" name="id383958"></a>directory security mask parameter + by default is set to the same value as the <em class="parameter"><code>directory mask + </code></em> parameter and the <em class="parameter"><code>force directory security + mode</code></em> parameter by default is set to the same value as + the <a class="indexterm" name="id383978"></a>force directory mode parameter. + In this way Samba enforces the permission restrictions that + an administrator can set on a Samba share, while still allowing users + to modify the permission bits within that restriction.</p><p> + If you want to set up a share that allows users full control + in modifying the permission bits on their files and directories and + does not force any particular bits to be set <span class="emphasis"><em>on</em></span>, + then set the following parameters in the <code class="filename">smb.conf</code> file in that + share-specific section: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id384010"></a><em class="parameter"><code>security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id384023"></a><em class="parameter"><code>force security mode = 0</code></em></td></tr><tr><td><a class="indexterm" name="id384036"></a><em class="parameter"><code>directory security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id384048"></a><em class="parameter"><code>force directory security mode = 0</code></em></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id384062"></a>Interaction with the Standard Samba File Attribute Mapping</h3></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Samba maps some of the DOS attribute bits (such as “<span class="quote">read-only</span>”) + into the UNIX permissions of a file. This means there can + be a conflict between the permission bits set via the security + dialog and the permission bits set by the file attribute mapping. + </p></div><p> + If a file has no UNIX read access for the owner, it will show up + as “<span class="quote">read-only</span>” in the standard file attributes tabbed dialog. + Unfortunately, this dialog is the same one that contains the security information + in another tab. + </p><p> + What this can mean is that if the owner changes the permissions + to allow himself or herself read access using the security dialog, clicks on + <span class="guibutton">OK</span> to get back to the standard attributes tab + dialog, and clicks on <span class="guibutton">OK</span> on that dialog, then + NT will set the file permissions back to read-only (as that is what + the attributes still say in the dialog). This means that after setting + permissions and clicking on <span class="guibutton">OK</span> to get back to the + attributes dialog, you should always press <span class="guibutton">Cancel</span> + rather than <span class="guibutton">OK</span> to ensure that your changes + are not overridden. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id384126"></a>Windows NT/200X ACLs and POSIX ACLs Limitations</h3></div></div></div><p> + Windows administrators are familiar with simple ACL controls, and they typically + consider that UNIX user/group/other (ugo) permissions are inadequate and not + sufficiently fine-grained. + </p><p> + Competing SMB implementations differ in how they handle Windows ACLs. Samba handles + Windows ACLs from the perspective of UNIX file system administration and thus adopts + the limitations of POSIX ACLs. Therefore, where POSIX ACLs lack a capability of the + Windows NT/200X ACLs, the POSIX semantics and limitations are imposed on the Windows + administrator. + </p><p> + POSIX ACLs present an interesting challenge to the UNIX administrator and therefore + force a compromise to be applied to Windows ACLs administration. POSIX ACLs are not + covered by an official standard; rather, the latest standard is a draft standard + 1003.1e revision 17. This is the POSIX document on which the Samba implementation has + been implemented. + </p><p> + UNIX vendors differ in the manner in which POSIX ACLs are implemented. There are a + number of Linux file systems that support ACLs. Samba has to provide a way to make + transparent all the differences between the various implementations of POSIX ACLs. + The pressure for ACLs support in Samba has noticeably increased the pressure to + standardize ACLs support in the UNIX world. + </p><p> + Samba has to deal with the complicated matter of handling the challenge of the Windows + ACL that implements <span class="emphasis"><em>inheritance</em></span>, a concept not anticipated by POSIX + ACLs as implemented in UNIX file systems. Samba provides support for <span class="emphasis"><em>masks</em></span> + that permit normal ugo and ACLs functionality to be overrided. This further complicates + the way in which Windows ACLs must be implemented. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id384170"></a>UNIX POSIX ACL Overview</h4></div></div></div><p> + In examining POSIX ACLs we must consider the manner in which they operate for + both files and directories. File ACLs have the following significance: +</p><pre class="screen"> +# file: testfile <- the file name +# owner: jeremy <-- the file owner +# group: users <-- the POSIX group owner +user::rwx <-- perms for the file owner (user) +user:tpot:r-x <-- perms for the additional user `tpot' +group::r-- <-- perms for the file group owner (group) +group:engrs:r-- <-- perms for the additonal group `engineers' +mask:rwx <-- the mask that is `ANDed' with groups +other::--- <-- perms applied to everyone else (other) +</pre><p> + Directory ACLs have the following signficance: +</p><pre class="screen"> +# file: testdir <-- the directory name +# owner: jeremy <-- the directory owner +# group: jeremy <-- the POSIX group owner +user::rwx <-- directory perms for owner (user) +group::rwx <-- directory perms for owning group (group) +mask::rwx <-- the mask that is `ANDed' with group perms +other:r-x <-- perms applied to everyone else (other) +default:user::rwx <-- inherited owner perms +default:user:tpot:rwx <-- inherited extra perms for user `tpot' +default:group::r-x <-- inherited group perms +default:mask:rwx <-- inherited default mask +default:other:--- <-- inherited permissions for everyone (other) +</pre><p> + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id384211"></a>Mapping of Windows File ACLs to UNIX POSIX ACLs</h4></div></div></div><p> + Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs. + The mappings for file permissions are shown in <a href="AccessControls.html#fdsacls" title="Table 16.5. How Windows File ACLs Map to UNIX POSIX File ACLs">How + Windows File ACLs Map to UNIX POSIX File ACLs</a>. + The # character means this flag is set only when the Windows administrator + sets the <code class="constant">Full Control</code> flag on the file. + </p><div class="table"><a name="fdsacls"></a><p class="title"><b>Table 16.5. How Windows File ACLs Map to UNIX POSIX File ACLs</b></p><div class="table-contents"><table summary="How Windows File ACLs Map to UNIX POSIX File ACLs" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Windows ACE</th><th align="center">File Attribute Flag</th></tr></thead><tbody><tr><td align="left"><p>Full Control</p></td><td align="center"><p>#</p></td></tr><tr><td align="left"><p>Traverse Folder/Execute File</p></td><td align="center"><p>x</p></td></tr><tr><td align="left"><p>List Folder/Read Data</p></td><td align="center"><p>r</p></td></tr><tr><td align="left"><p>Read Attributes</p></td><td align="center"><p>r</p></td></tr><tr><td align="left"><p>Read Extended Attribures</p></td><td align="center"><p>r</p></td></tr><tr><td align="left"><p>Create Files/Write Data</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Create Folders/Append Data</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Write Attributes</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Write Extended Attributes</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Delete Subfolders and Files</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Delete</p></td><td align="center"><p>#</p></td></tr><tr><td align="left"><p>Read Permissions</p></td><td align="center"><p>all</p></td></tr><tr><td align="left"><p>Change Permissions</p></td><td align="center"><p>#</p></td></tr><tr><td align="left"><p>Take Ownership</p></td><td align="center"><p>#</p></td></tr></tbody></table></div></div><br class="table-break"><p> + As can be seen from the mapping table, there is no one-to-one mapping capability, and therefore + Samba must make a logical mapping that will permit Windows to operate more-or-less the way + that is intended by the administrator. + </p><p> + In general the mapping of UNIX POSIX user/group/other permissions will be mapped to + Windows ACLs. This has precedence over the creation of POSIX ACLs. POSIX ACLs are necessary + to establish access controls for users and groups other than the user and group that + own the file or directory. + </p><p> + The UNIX administrator can set any directory permission from within the UNIX environment. + The Windows administrator is more restricted in that it is not possible from within + Windows Explorer to remove read permission for the file owner. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id384467"></a>Mapping of Windows Directory ACLs to UNIX POSIX ACLs</h4></div></div></div><p> + Interesting things happen in the mapping of UNIX POSIX directory permissions and + UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete components of + an ACL) are mapped to Windows directory ACLs. + </p><p> + Directory permissions function in much the same way as shown for file permissions, but + there are some notable exceptions and a few peculiarities that the astute administrator + will want to take into account in the setting up of directory permissions. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384487"></a>Common Errors</h2></div></div></div><p> +File, directory, and share access problems are common topics on the mailing list. The following +are examples recently taken from the mailing list. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id384497"></a>Users Cannot Write to a Public Share</h3></div></div></div><p> + The following complaint has frequently been voiced on the Samba mailing list: + “<span class="quote"> + We are facing some troubles with file/directory permissions. I can log on the domain as admin user (root), + and there's a public share on which everyone needs to have permission to create/modify files, but only + root can change the file, no one else can. We need to constantly go to the server to + <strong class="userinput"><code>chgrp -R users *</code></strong> and <strong class="userinput"><code>chown -R nobody *</code></strong> to allow + other users to change the file. + </span>” + </p><p> + Here is one way the problem can be solved: + </p><div class="procedure"><ol type="1"><li><p> + Go to the top of the directory that is shared. + </p></li><li><p> + Set the ownership to whatever public user and group you want +</p><pre class="screen"> +<code class="prompt">$ </code>find `directory_name' -type d -exec chown user:group {}\; +<code class="prompt">$ </code>find `directory_name' -type d -exec chmod 2775 {}\; +<code class="prompt">$ </code>find `directory_name' -type f -exec chmod 0775 {}\; +<code class="prompt">$ </code>find `directory_name' -type f -exec chown user:group {}\; +</pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The above will set the <code class="constant">SGID bit</code> on all directories. Read your + UNIX/Linux man page on what that does. This ensures that all files and directories + that are created in the directory tree will be owned by the current user and will + be owned by the group that owns the directory in which it is created. + </p></div></li><li><p> + Directory is <em class="replaceable"><code>/foodbar</code></em>: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>chown jack:engr /foodbar</code></strong> +</pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This is the same as doing:</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>chown jack /foodbar</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>chgrp engr /foodbar</code></strong> +</pre></div></li><li><p>Now type: + +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>chmod 2775 /foodbar</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>ls -al /foodbar/..</code></strong> +</pre><p> + </p><p>You should see: +</p><pre class="screen"> +drwxrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar +</pre><p> + </p></li><li><p>Now type: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>su - jill</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>cd /foodbar</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>touch Afile</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>ls -al</code></strong> +</pre><p> + </p><p> + You should see that the file <code class="filename">Afile</code> created by Jill will have ownership + and permissions of Jack, as follows: +</p><pre class="screen"> +-rw-r--r-- 1 jill engr 0 2007-01-18 19:41 Afile +</pre><p> + </p></li><li><p> + If the user that must have write permission in the directory is not a member of the group + <span class="emphasis"><em>engr</em></span> set in the <code class="filename">smb.conf</code> entry for the share: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id384788"></a><em class="parameter"><code>force group = engr</code></em></td></tr></table><p> + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id384805"></a>File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</h3></div></div></div><p> + When you have a user in <a class="indexterm" name="id384821"></a>admin users, Samba will always do file operations for + this user as <span class="emphasis"><em>root</em></span>, even if <a class="indexterm" name="id384832"></a>force user has been set. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id384841"></a>MS Word with Samba Changes Owner of File</h3></div></div></div><p> + <span class="emphasis"><em>Question:</em></span> “<span class="quote">When user B saves a word document that is owned by user A, + the updated file is now owned by user B. Why is Samba doing this? How do I fix this?</span>” + </p><p> + <span class="emphasis"><em>Answer:</em></span> Word does the following when you modify/change a Word document: MS Word creates a new document with + a temporary name. Word then closes the old document and deletes it, then renames the new document to the original document name. + There is no mechanism by which Samba can in any way know that the new document really should be owned by the owners + of the original file. Samba has no way of knowing that the file will be renamed by MS Word. As far as Samba is able + to tell, the file that gets created is a new file, not one that the application (Word) is updating. + </p><p> + There is a workaround to solve the permissions problem. It involves understanding how you can manage file + system behavior from within the <code class="filename">smb.conf</code> file, as well as understanding how UNIX file systems work. Set on the directory + in which you are changing Word documents: <code class="literal">chmod g+s `directory_name'.</code> This ensures that all files will + be created with the group that owns the directory. In <code class="filename">smb.conf</code> share declaration section set: + </p><p> + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id384902"></a><em class="parameter"><code>force create mode = 0660</code></em></td></tr><tr><td><a class="indexterm" name="id384915"></a><em class="parameter"><code>force directory mode = 0770</code></em></td></tr></table><p> + </p><p> + These two settings will ensure that all directories and files that get created in the share will be readable/writable by the + owner and group set on the directory itself. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. User Rights and Privileges </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. File and Record Locking</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html b/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html new file mode 100644 index 0000000000..5394d944cc --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html @@ -0,0 +1,319 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 25. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts"><link rel="next" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 25. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 25. Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">June 15 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423076">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423235">Remote Desktop Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></span></dt></dl></dd><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423774">Network Logon Script Magic</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423940">Adding Printers without User Intervention</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423980">Limiting Logon Connections</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id423066"></a> +This section documents peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423076"></a>Features and Benefits</h2></div></div></div><p> +Often the difference between a working network environment and a well-appreciated one can +best be measured by the <span class="emphasis"><em>little things</em></span> that make everything work more +harmoniously. A key part of every network environment solution is the ability to remotely +manage MS Windows workstations, remotely access the Samba server, provide customized +logon scripts, as well as other housekeeping activities that help to sustain more reliable +network operations. +</p><p> +This chapter presents information on each of these areas. They are placed here, and not in +other chapters, for ease of reference. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423098"></a>Remote Server Administration</h2></div></div></div><p>“<span class="quote">How do I get User Manager and Server Manager?</span>”</p><p> +<a class="indexterm" name="id423111"></a> +<a class="indexterm" name="id423117"></a> +<a class="indexterm" name="id423124"></a> +Since I do not need to buy an <span class="application">NT4 server</span>, how do I get the User Manager for Domains +and the Server Manager? +</p><p> +<a class="indexterm" name="id423141"></a> +<a class="indexterm" name="id423148"></a> +Microsoft distributes a version of these tools called <code class="filename">Nexus.exe</code> for installation +on <span class="application">Windows 9x/Me</span> systems. The tools set includes: +</p><div class="itemizedlist"><ul type="disc"><li><p>Server Manager</p></li><li><p>User Manager for Domains</p></li><li><p>Event Viewer</p></li></ul></div><p> +Download the archived file at the Microsoft <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">Nexus</a> link. +</p><p> +<a class="indexterm" name="id423199"></a> +<a class="indexterm" name="id423206"></a> +<a class="indexterm" name="id423213"></a> +The <span class="application">Windows NT 4.0</span> version of the User Manager for +Domains and Server Manager are available from Microsoft +<a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">via ftp</a>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423235"></a>Remote Desktop Management</h2></div></div></div><p> +<a class="indexterm" name="id423243"></a> +<a class="indexterm" name="id423250"></a> +There are a number of possible remote desktop management solutions that range from free +through costly. Do not let that put you off. Sometimes the most costly solution is the +most cost effective. In any case, you will need to draw your own conclusions as to which +is the best tool in your network environment. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id423260"></a>Remote Management from NoMachine.Com</h3></div></div></div><p> + <a class="indexterm" name="id423268"></a> + The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003. + It is presented in slightly edited form (with author details omitted for privacy reasons). + The entire answer is reproduced below with some comments removed. + </p><p>“<span class="quote"> +<a class="indexterm" name="id423282"></a> + I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote + desktop capabilities so users outside could login to the system and get their desktop up from home or + another country. + </span>”</p><p>“<span class="quote"> +<a class="indexterm" name="id423295"></a> +<a class="indexterm" name="id423302"></a> +<a class="indexterm" name="id423308"></a> +<a class="indexterm" name="id423315"></a> + Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so + it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login + even if the computer is in a domain? + </span>”</p><p> + Answer provided: Check out the new offer of “<span class="quote">NX</span>” software from + <a href="http://www.nomachine.com/" target="_top">NoMachine</a>. + </p><p> +<a class="indexterm" name="id423342"></a> +<a class="indexterm" name="id423349"></a> +<a class="indexterm" name="id423356"></a> + It implements an easy-to-use interface to the Remote X protocol as + well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed + performance much better than anything you may have ever seen. + </p><p> +<a class="indexterm" name="id423368"></a> + Remote X is not new at all, but what they did achieve successfully is + a new way of compression and caching technologies that makes the thing + fast enough to run even over slow modem/ISDN connections. + </p><p> +<a class="indexterm" name="id423380"></a> +<a class="indexterm" name="id423386"></a> +<a class="indexterm" name="id423393"></a> +<a class="indexterm" name="id423400"></a> + I test drove their (public) Red Hat machine in Italy, over a loaded + Internet connection, with enabled thumbnail previews in KDE konqueror, + which popped up immediately on “<span class="quote">mouse-over</span>”. From inside that (remote X) + session I started a rdesktop session on another, a Windows XP machine. + To test the performance, I played Pinball. I am proud to announce + that my score was 631,750 points at first try. + </p><p> +<a class="indexterm" name="id423416"></a> +<a class="indexterm" name="id423422"></a> +<a class="indexterm" name="id423429"></a> +<a class="indexterm" name="id423436"></a> + NX performs better on my local LAN than any of the other “<span class="quote">pure</span>” + connection methods I use from time to time: TightVNC, rdesktop or + Remote X. It is even faster than a direct crosslink connection between + two nodes. + </p><p> +<a class="indexterm" name="id423451"></a> +<a class="indexterm" name="id423458"></a> +<a class="indexterm" name="id423465"></a> + I even got sound playing from the Remote X app to my local boxes, and + had a working “<span class="quote">copy'n'paste</span>” from an NX window (running a KDE session + in Italy) to my Mozilla mailing agent. These guys are certainly doing + something right! + </p><p> + I recommend test driving NX to anybody with a only a passing interest in remote computing + the <a href="http://www.nomachine.com/testdrive.php" target="_top">NX</a> utility. + </p><p> + Just download the free-of-charge client software (available for Red Hat, + SuSE, Debian and Windows) and be up and running within 5 minutes (they + need to send you your account data, though, because you are assigned + a real UNIX account on their testdrive.nomachine.com box). + </p><p> + They plan to get to the point were you can have NX application servers + running as a cluster of nodes, and users simply start an NX session locally + and can select applications to run transparently (apps may even run on + another NX node, but pretend to be on the same as used for initial login, + because it displays in the same window. You also can run it + full-screen, and after a short time you forget that it is a remote session + at all). + </p><p> +<a class="indexterm" name="id423505"></a> + Now the best thing for last: All the core compression and caching + technologies are released under the GPL and available as source code + to anybody who wants to build on it! These technologies are working, + albeit started from the command line only (and very inconvenient to + use in order to get a fully running remote X session up and running). + </p><p> + To answer your questions: + </p><div class="itemizedlist"><ul type="disc"><li><p> + You do not need to install a terminal server; XP has RDP support built in. + </p></li><li><p> + NX is much cheaper than Citrix and comparable in performance, probably faster. + </p></li><li><p> + You do not need to hack XP it just works. + </p></li><li><p> + You log into the XP box from remote transparently (and I think there is no + need to change anything to get a connection, even if authentication is against a domain). + </p></li><li><p> + The NX core technologies are all Open Source and released under the GPL + you can now use a (very inconvenient) command line at no cost, + but you can buy a comfortable (proprietary) NX GUI front end for money. + </p></li><li><p> +<a class="indexterm" name="id423561"></a> +<a class="indexterm" name="id423567"></a> +<a class="indexterm" name="id423573"></a> +<a class="indexterm" name="id423580"></a> +<a class="indexterm" name="id423587"></a> + NoMachine is encouraging and offering help to OSS/Free Software implementations + for such a front-end too, even if it means competition to them (they have written + to this effect even to the LTSP, KDE, and GNOME developer mailing lists). + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id423599"></a>Remote Management with ThinLinc</h3></div></div></div><p> + Another alternative for remote access is <span class="emphasis"><em>ThinLinc</em></span> from Cendio. + </p><p> +<a class="indexterm" name="id423614"></a> +<a class="indexterm" name="id423621"></a> +<a class="indexterm" name="id423628"></a> +<a class="indexterm" name="id423635"></a> +<a class="indexterm" name="id423641"></a> +<a class="indexterm" name="id423648"></a> +<a class="indexterm" name="id423655"></a> +<a class="indexterm" name="id423661"></a> + ThinLinc is a terminal server solution that is available for Linux and Solaris based on standard + protocols such as SSH, TightVNC, NFS and PulseAudio. + </p><p> +<a class="indexterm" name="id423673"></a> +<a class="indexterm" name="id423679"></a> + ThinLinc an be used both in the LAN environment to implement a Thin Client strategy for an organization, and as + secure remote access solution for people working from remote locations, even over smallband connections. + ThinLinc is free to use for a single concurrent user. + </p><p> +<a class="indexterm" name="id423692"></a> +<a class="indexterm" name="id423698"></a> +<a class="indexterm" name="id423705"></a> + The product can also be used as a frontend to access Windows Terminal Server or Citrix farms, or even Windows + XP machines, securing the connection via the ssh protocol. The client is available both for Linux (supporting + all Linux distributions as well as numerous thin terminals) and for Windows. A Java-based Web client is also + available. + </p><p> + ThinLinc may be evaluated by connecting to Cendio's demo system, see + <a href="http://www.cendio.com" target="_top">Cendio's</a> web site + <a href="http://www.cendio.com/testdrive" target="_top">testdrive</a> center. + </p><p> + Cendio is a major contributor to several open source projects including + <a href="http://www.tightvnc.com" target="_top">TightVNC</a>, + <a href="http://pulseaudio.org" target="_top">PulseAudio</a> , unfsd, + <a href="http://www.python.org" target="_top">Python</a> and + <a href="http://www.rdesktop.org" target="_top">rdesktop</a>. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423774"></a>Network Logon Script Magic</h2></div></div></div><p> +There are several opportunities for creating a custom network startup configuration environment. +</p><div class="itemizedlist"><ul type="disc"><li><p>No Logon Script.</p></li><li><p>Simple universal Logon Script that applies to all users.</p></li><li><p>Use of a conditional Logon Script that applies per-user or per-group attributes.</p></li><li><p>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create + a custom logon script and then execute it.</p></li><li><p>User of a tool such as KixStart.</p></li></ul></div><p> +The Samba source code tree includes two logon script generation/execution tools. +See <code class="filename">examples</code> directory <code class="filename">genlogon</code> and +<code class="filename">ntlogon</code> subdirectories. +</p><p> +The following listings are from the genlogon directory. +</p><p> +<a class="indexterm" name="id423840"></a> +This is the <code class="filename">genlogon.pl</code> file: + +</p><pre class="programlisting"> + #!/usr/bin/perl + # + # genlogon.pl + # + # Perl script to generate user logon scripts on the fly, when users + # connect from a Windows client. This script should be called from + # smb.conf with the %U, %G and %L parameters. I.e: + # + # root preexec = genlogon.pl %U %G %L + # + # The script generated will perform + # the following: + # + # 1. Log the user connection to /var/log/samba/netlogon.log + # 2. Set the PC's time to the Linux server time (which is maintained + # daily to the National Institute of Standards Atomic clock on the + # internet. + # 3. Connect the user's home drive to H: (H for Home). + # 4. Connect common drives that everyone uses. + # 5. Connect group-specific drives for certain user groups. + # 6. Connect user-specific drives for certain users. + # 7. Connect network printers. + + # Log client connection + #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + open LOG, ">>/var/log/samba/netlogon.log"; + print LOG "$mon/$mday/$year $hour:$min:$sec"; + print LOG " - User $ARGV[0] logged into $ARGV[1]\n"; + close LOG; + + # Start generating logon script + open LOGON, ">/shared/netlogon/$ARGV[0].bat"; + print LOGON "\@ECHO OFF\r\n"; + + # Connect shares just use by Software Development group + if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") + { + print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; + } + + # Connect shares just use by Technical Support staff + if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") + { + print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; + } + + # Connect shares just used by Administration staff + If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") + { + print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; + print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; + } + + # Now connect Printers. We handle just two or three users a little + # differently, because they are the exceptions that have desktop + # printers on LPT1: - all other user's go to the LaserJet on the + # server. + if ($ARGV[0] eq 'jim' + || $ARGV[0] eq 'yvonne') + { + print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + else + { + print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + + # All done! Close the output file. + close LOGON; +</pre><p> +</p><p> +Those wishing to use a more elaborate or capable logon processing system should check out these sites: +</p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></p></li><li><p><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id423940"></a>Adding Printers without User Intervention</h3></div></div></div><p> +<a class="indexterm" name="id423948"></a> +Printers may be added automatically during logon script processing through the use of: +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /?</code></strong> +</pre><p> + +See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft Knowledge Base article 189105</a>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id423980"></a>Limiting Logon Connections</h3></div></div></div><p> + Sometimes it is necessary to limit the number of concurrent connections to a + Samba shared resource. For example, a site may wish to permit only one network + logon per user. + </p><p> + The Samba <em class="parameter"><code>preexec script</code></em> parameter can be used to permit only one + connection per user. Though this method is not foolproof and may have side effects, + the following contributed method may inspire someone to provide a better solution. + </p><p> + This is not a perfect solution because Windows clients can drop idle connections + with an auto-reconnect capability that could result in the appearance that a share + is no longer in use, while actually it is. Even so, it demonstrates the principle + of use of the <em class="parameter"><code>preexec script</code></em> parameter. + </p><p> + The following share configuration demonstrates use of the script shown in <a href="AdvancedNetworkManagement.html#Tpees" title="Example 25.1. Script to Enforce Single Resource Logon">???</a>. +</p><pre class="programlisting"> +[myshare] + ... + preexec script = /sbin/PermitSingleLogon.sh + preexec close = Yes + ... +</pre><p> + </p><div class="example"><a name="Tpees"></a><p class="title"><b>Example 25.1. Script to Enforce Single Resource Logon</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash + +IFS="-" +RESULT=$(smbstatus -S -u $1 2> /dev/null | awk 'NF \ + > 6 {print $1}' | sort | uniq -d) + +if [ "X${RESULT}" == X ]; then + exit 0 +else + exit 1 +fi +</pre></div></div><br class="example-break"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 24. Winbind: Use of Domain Accounts </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 26. System and Account Policies</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/Appendix.html b/docs/htmldocs/Samba3-HOWTO/Appendix.html new file mode 100644 index 0000000000..4b6303220c --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/Appendix.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Reference Section</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="bugreport.html" title="Chapter 40. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 41. How to Compile Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Reference Section</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendix"></a>Part VI. Reference Section</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="compiling.html">41. How to Compile Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="compiling.html#id450070">Access Samba Source Code via Subversion</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450076">Introduction</a></span></dt><dt><span class="sect2"><a href="compiling.html#id450114">Subversion Access to samba.org</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#id450289">Accessing the Samba Sources via rsync and ftp</a></span></dt><dt><span class="sect1"><a href="compiling.html#id450357">Verifying Samba's PGP Signature</a></span></dt><dt><span class="sect1"><a href="compiling.html#id450486">Building the Binaries</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450708">Compiling Samba with Active Directory Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#startingSamba">Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450957">Starting from inetd.conf</a></span></dt><dt><span class="sect2"><a href="compiling.html#id451161">Alternative: Starting <span class="application">smbd</span> as a Daemon</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Portability.html">42. Portability</a></span></dt><dd><dl><dt><span class="sect1"><a href="Portability.html#id451523">HPUX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451618">SCO UNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451650">DNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451779">Red Hat Linux</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451818">AIX: Sequential Read Ahead</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451872">Solaris</a></span></dt><dd><dl><dt><span class="sect2"><a href="Portability.html#id451878">Locking Improvements</a></span></dt><dt><span class="sect2"><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Other-Clients.html">43. Samba and Other CIFS Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="Other-Clients.html#id452041">Macintosh Clients</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452117">OS2 Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452122">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452233">Configuring Other Versions of OS/2</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452283">Printer Driver Download for OS/2 Clients</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452362">Windows for Workgroups</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452368">Latest TCP/IP Stack from Microsoft</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452446">Delete .pwl Files After Password Change</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452468">Configuring Windows for Workgroups Password Handling</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452517">Password Case Sensitivity</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452542">Use TCP/IP as Default Protocol</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#speedimpr">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452594">Windows 95/98</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452657">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452850">Windows NT 3.1</a></span></dt></dl></dd><dt><span class="chapter"><a href="speed.html">44. Samba Performance Tuning</a></span></dt><dd><dl><dt><span class="sect1"><a href="speed.html#id452955">Comparisons</a></span></dt><dt><span class="sect1"><a href="speed.html#id452984">Socket Options</a></span></dt><dt><span class="sect1"><a href="speed.html#id453061">Read Size</a></span></dt><dt><span class="sect1"><a href="speed.html#id453095">Max Xmit</a></span></dt><dt><span class="sect1"><a href="speed.html#id453133">Log Level</a></span></dt><dt><span class="sect1"><a href="speed.html#id453152">Read Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id453197">Write Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id453234">Slow Logins</a></span></dt><dt><span class="sect1"><a href="speed.html#id453252">Client Tuning</a></span></dt><dt><span class="sect1"><a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></span></dt><dt><span class="sect1"><a href="speed.html#id453354">Corrupt tdb Files</a></span></dt><dt><span class="sect1"><a href="speed.html#id453443">Samba Performance is Very Slow</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch-ldap-tls.html">45. LDAP and Transport Layer Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch46.html">46. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch46.html#id454529">Free Support</a></span></dt><dt><span class="sect1"><a href="ch46.html#id454727">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="DNSDHCP.html">47. DNS and DHCP Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="DNSDHCP.html#id454865">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="DNSDHCP.html#id455025">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="DNSDHCP.html#id455101">Dynamic DNS</a></span></dt><dt><span class="sect2"><a href="DNSDHCP.html#DHCP">DHCP Server</a></span></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. How to Compile Samba</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/Backup.html b/docs/htmldocs/Samba3-HOWTO/Backup.html new file mode 100644 index 0000000000..88becd4d2a --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/Backup.html @@ -0,0 +1,130 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="unicode.html" title="Chapter 30. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 32. High Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 31. Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Backup.html#id435499">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="Backup.html#id435539">Discussion of Backup Solutions</a></span></dt><dd><dl><dt><span class="sect2"><a href="Backup.html#id435626">BackupPC</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435788">Rsync</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435949">Amanda</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435992">BOBS: Browseable Online Backup System</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id435499"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id435506"></a> +<a class="indexterm" name="id435513"></a> +<a class="indexterm" name="id435520"></a> +<a class="indexterm" name="id435527"></a> +The Samba project is over 10 years old. During the early history +of Samba, UNIX administrators were its key implementors. UNIX administrators +use UNIX system tools to backup UNIX system files. Over the past +4 years, an increasing number of Microsoft network administrators have +taken an interest in Samba. This is reflected in the questions about backup +in general on the Samba mailing lists. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id435539"></a>Discussion of Backup Solutions</h2></div></div></div><p> +<a class="indexterm" name="id435547"></a> +<a class="indexterm" name="id435554"></a> +During discussions at a Microsoft Windows training course, one of +the pro-UNIX delegates stunned the class when he pointed out that Windows +NT4 is limiting compared with UNIX. He likened UNIX to a Meccano set +that has an unlimited number of tools that are simple, efficient, +and, in combination, capable of achieving any desired outcome. +</p><p> +<a class="indexterm" name="id435567"></a> +<a class="indexterm" name="id435574"></a> +One of the Windows networking advocates retorted that if she wanted a +Meccano set, she would buy one. She made it clear that a complex single +tool that does more than is needed but does it with a clear purpose and +intent is preferred by some like her. +</p><p> +<a class="indexterm" name="id435586"></a> +<a class="indexterm" name="id435593"></a> +<a class="indexterm" name="id435600"></a> +Please note that all information here is provided as is and without recommendation +of fitness or suitability. The network administrator is strongly encouraged to +perform due diligence research before implementing any backup solution, whether free +software or commercial. +</p><p> +A useful Web site I recently stumbled across that you might like to refer to +is located at <a href="http://www.allmerchants.com/Software/Backup_Software/" target="_top"> +www.allmerchants.com</a>. +</p><p> +The following three free software projects might also merit consideration. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id435626"></a>BackupPC</h3></div></div></div><p> + <a class="indexterm" name="id435634"></a> +<a class="indexterm" name="id435640"></a> +<a class="indexterm" name="id435647"></a> + BackupPC version 2.0.0 has been released on <a href="http://backuppc.sourceforge.net" target="_top">SourceForge</a>. + New features include support for <code class="literal">rsync/rsyncd</code> and internationalization of the CGI interface + (including English, French, Spanish, and German). + </p><p> +<a class="indexterm" name="id435671"></a> +<a class="indexterm" name="id435678"></a> +<a class="indexterm" name="id435684"></a> +<a class="indexterm" name="id435691"></a> +<a class="indexterm" name="id435698"></a> +<a class="indexterm" name="id435704"></a> +<a class="indexterm" name="id435711"></a> +<a class="indexterm" name="id435717"></a> + BackupPC is a high-performance Perl-based package for backing up Linux, + UNIX, and Windows PCs and laptops to a server's disk. BackupPC is highly + configurable and easy to install and maintain. SMB (via smbclient), + <code class="literal">tar</code> over <code class="literal">rsh/ssh</code>, or <code class="literal">rsync/rsyncd</code> + are used to extract client data. + </p><p> +<a class="indexterm" name="id435747"></a> +<a class="indexterm" name="id435754"></a> +<a class="indexterm" name="id435761"></a> + Given the ever-decreasing cost of disks and RAID systems, it is now + practical and cost effective to backup a large number of machines onto + a server's local disk or network storage. This is what BackupPC does. + </p><p> + Key features are pooling of identical files (big savings in server disk + space), compression, and a comprehensive CGI interface that allows users + to browse backups and restore files. + </p><p> +<a class="indexterm" name="id435778"></a> + BackupPC is free software distributed under a GNU GPL license. + BackupPC runs on Linux/UNIX/freenix servers and has been tested + on Linux, UNIX, Windows 9x/Me, Windows 98, Windows 200x, Windows XP, and Mac OSX clients. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id435788"></a>Rsync</h3></div></div></div><p> +<a class="indexterm" name="id435796"></a> +<a class="indexterm" name="id435803"></a> +<a class="indexterm" name="id435810"></a> +<a class="indexterm" name="id435816"></a> +<a class="indexterm" name="id435823"></a> +<a class="indexterm" name="id435830"></a> + <code class="literal">rsync</code> is a flexible program for efficiently copying files or + directory trees.</p><p><code class="literal">rsync</code> has many options to select which files will be copied + and how they are to be transferred. It may be used as an + alternative to <code class="literal">ftp, http, scp</code>, or <code class="literal">rcp</code>.</p><p> +<a class="indexterm" name="id435867"></a> +<a class="indexterm" name="id435874"></a> +<a class="indexterm" name="id435881"></a> + The rsync remote-update protocol allows rsync to transfer just + the differences between two sets of files across the network link, + using an efficient checksum-search algorithm described in the + technical report that accompanies the rsync package.</p><p>Some of the additional features of rsync are:</p><div class="itemizedlist"><ul type="disc"><li><p> + Support for copying links, devices, owners, groups, and permissions. + </p></li><li><p> + Exclude and exclude-from options are similar to GNU tar. + </p></li><li><p> + A CVS exclude mode for ignoring the same files that CVS would ignore. + </p></li><li><p> + Can use any transparent remote shell, including rsh or ssh. + </p></li><li><p> + Does not require root privileges. + </p></li><li><p> + Pipelining of file transfers to minimize latency costs. + </p></li><li><p> + Support for anonymous or authenticated rsync servers (ideal for + mirroring). + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id435949"></a>Amanda</h3></div></div></div><p> + <a class="indexterm" name="id435956"></a> +<a class="indexterm" name="id435963"></a> +<a class="indexterm" name="id435970"></a> + Amanda, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that + allows the administrator of a LAN to set up a single master backup server to back up + multiple hosts to a single large capacity tape drive. Amanda uses native dump and/or + GNU tar facilities and can back up a large number of workstations running multiple + versions of UNIX. Recent versions can also use Samba to back up Microsoft Windows hosts. + </p><p> + For more information regarding Amanda, please check the <a href="http://www.amanda.org/" target="_top"> + www.amanda.org/ site</a>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id435992"></a>BOBS: Browseable Online Backup System</h3></div></div></div><p> + <a class="indexterm" name="id436000"></a> + Browseable Online Backup System (BOBS) is a complete online backup system. Uses large + disks for storing backups and lets users browse the files using a Web browser. Handles + some special files like AppleDouble and icon files. + </p><p> + The home page for BOBS is located at <a href="http://bobs.sourceforge.net/" target="_top"> + bobs.sourceforge.net</a>. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. High Availability</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html b/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html new file mode 100644 index 0000000000..e27ef22391 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html @@ -0,0 +1,3109 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. CUPS Printing Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="classicalprinting.html" title="Chapter 21. Classical Printing Support"><link rel="next" href="VFS.html" title="Chapter 23. Stackable VFS modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. CUPS Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="classicalprinting.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="CUPS-printing"></a>Chapter 22. CUPS Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname">Danka Deutschland GmbH <br></span><div class="address"><p><code class="email"><<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Ciprian</span> <span class="surname">Vizitiu</span></h3><span class="contrib">drawings</span> <div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:CVizitiu@gbif.org">CVizitiu@gbif.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawings</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate"> (27 Jan 2004) </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="CUPS-printing.html#id400524">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id400530">Features and Benefits</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400581">Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400978">Simple <code class="filename">smb.conf</code> Settings for CUPS</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401226">More Complex CUPS <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id401621">Advanced Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id401636">Central Spooling vs. “<span class="quote">Peer-to-Peer</span>” Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401884">Installation of Windows Client Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-raw">Explicitly Enable “<span class="quote">raw</span>” Printing for <span class="emphasis"><em>application/octet-stream</em></span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402147">Driver Upload Methods</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id402258">Advanced Intelligent Printing with PostScript Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402931">Ghostscript: The Software RIP for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403248">CUPS Also Uses PPDs for Non-PostScript Printers</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404104">Filtering Overview</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404252">Prefilters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404429">pstops</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404588">pstoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404838">imagetops and imagetoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405130">CUPS Backends</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405438">The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405653">The Complete Picture</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405664"><code class="filename">mime.convs</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405726">“<span class="quote">Raw</span>” Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406350"><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>Native CUPS</em></span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407066">Sources of CUPS Drivers/PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407175">Printing with Interface Scripts</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407253">Network Printing (Purely Windows)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407268">From Windows Clients to an NT Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407326">Driver Execution on the Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407391">Driver Execution on the Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407490">Network Printing (Windows Clients and UNIX/Samba Print +Servers)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407671">Samba Receiving Job-Files and Passing Them to CUPS</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407739">Network PostScript RIP</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407819">PPDs for Non-PS Printers on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407856">PPDs for Non-PS Printers on Windows</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407917">Windows Terminal Servers (WTS) as CUPS Clients</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407928">Printer Drivers Running in “<span class="quote">Kernel Mode</span>” Cause Many +Problems</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407959">Workarounds Impose Heavy Limitations</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407973">CUPS: A “<span class="quote">Magical Stone</span>”?</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id408093">Configuring CUPS for Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id408112"><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408200">Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408505">CUPS “<span class="quote">PostScript Driver for Windows NT/200x/XP</span>”</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408727">Recognizing Different Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408838">Acquiring the Adobe Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408858">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409387">Run cupsaddsmb (Quiet Mode)</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409517">Run cupsaddsmb with Verbose Output</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409621">Understanding cupsaddsmb</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409757">How to Recognize If cupsaddsmb Completed Successfully</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409864">cupsaddsmb with a Samba PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409942">cupsaddsmb Flowchart</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-avoidps1">Avoiding Critical PostScript Driver Settings on the Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410555">Understanding the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410647">Producing an Example by Querying a Windows Box</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id411985">The Printing <code class="filename">*.tdb</code> Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412184">Trivial Database Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412246">Binary Format</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412307">Losing <code class="filename">*.tdb</code> Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412353">Using <code class="literal">tdbbackup</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412624">foomatic-rip and Foomatic Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413329">foomatic-rip and Foomatic PPD Download and Installation</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id413751">Page Accounting with CUPS</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id413781">Setting Up Quotas</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413832">Correct and Incorrect Accounting</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413996">The page_log File Syntax</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414132">Possible Shortcomings</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414190">Future Developments</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414225">Other Accounting Tools</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414238">Additional Material</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id414430">Autodeletion or Preservation of CUPS Spool Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id414498">CUPS Configuration Settings Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414575">Preconditions</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414681">Manual Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id414972">More CUPS Filtering Chains</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id415081">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id415086">Windows 9x/Me Client Can't Install Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#root-ask-loop">“<span class="quote">cupsaddsmb</span>” Keeps Asking for Root Password in Never-ending Loop</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415153">“<span class="quote">cupsaddsmb</span>” or “<span class="quote">rpcclient addriver</span>” Emit Error</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415189">“<span class="quote">cupsaddsmb</span>” Errors</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415259">Client Can't Connect to Samba Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415282">New Account Reconnection from Windows 200x/XP Troubles</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415360">Avoid Being Connected to the Samba Server as the Wrong User</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415399">Upgrading to CUPS Drivers from Adobe Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415434">Can't Use “<span class="quote">cupsaddsmb</span>” on Samba Server, Which Is a PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415468">Deleted Windows 200x Printer Driver Is Still Shown</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415499">Windows 200x/XP Local Security Policies</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415530">Administrator Cannot Install Printers for All Local Users</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415567">Print Change, Notify Functions on NT Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415591">Win XP-SP1</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415632">Print Options for All Users Can't Be Set on Windows 200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415896">Most Common Blunders in Driver Settings on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415949"><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415995">Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id416081">Print Queue Called “<span class="quote">lp</span>” Mishandles Print Jobs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id416144">Location of Adobe PostScript Driver Files for “<span class="quote">cupsaddsmb</span>”</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id416195">Overview of the CUPS Printing Processes</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400524"></a>Introduction</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400530"></a>Features and Benefits</h3></div></div></div><p> +<a class="indexterm" name="id400538"></a> + The Common UNIX Print System (<a href="http://www.cups.org/" target="_top">CUPS</a>) + has become quite popular. All major Linux distributions now ship it as their default printing + system. To many, it is still a mystical tool. Mostly, it just works. People tend to regard + it as a “<span class="quote">black box</span>” that they do not want to look into as long as it works. But once + there is a little problem, they have trouble finding out where to start debugging it. Refer to + <a href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing</a>, which contains much information + that is also relevant to CUPS. + </p><p> +<a class="indexterm" name="id400568"></a> + CUPS sports quite a few unique and powerful features. While its basic functions may be grasped quite + easily, they are also new. Because it is different from other, more traditional printing systems, it is best + not to try to apply any prior knowledge about printing to this new system. Rather, try to understand CUPS from + the beginning. This documentation will lead you to a complete understanding of CUPS. Let's start with the most + basic things first. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400581"></a>Overview</h3></div></div></div><p> +<a class="indexterm" name="id400589"></a> +<a class="indexterm" name="id400595"></a> +<a class="indexterm" name="id400602"></a> +<a class="indexterm" name="id400609"></a> +<a class="indexterm" name="id400616"></a> +<a class="indexterm" name="id400625"></a> +<a class="indexterm" name="id400635"></a> +<a class="indexterm" name="id400641"></a> + CUPS is more than just a print spooling system. It is a complete printer management system that + complies with the new Internet Printing Protocol (IPP). IPP is an industry and Internet Engineering Task Force + (IETF) standard for network printing. Many of its functions can be managed remotely (or locally) via a Web + browser (giving you platform-independent access to the CUPS print server). Additionally, it has the + traditional command line and several more modern GUI interfaces (GUI interfaces developed by third parties, + like KDE's overwhelming <a href="http://printing.kde.org/" target="_top">KDEPrint</a>). + </p><p> +<a class="indexterm" name="id400662"></a> +<a class="indexterm" name="id400669"></a> + CUPS allows creation of <span class="emphasis"><em>raw</em></span> printers (i.e., no print file format translation) as + well as <span class="emphasis"><em>smart</em></span> printers (i.e., CUPS does file format conversion as required for the + printer). In many ways, this gives CUPS capabilities similar to the MS Windows print monitoring system. Of + course, if you are a CUPS advocate, you would argue that CUPS is better! In any case, let us now explore how + to configure CUPS for interfacing with MS Windows print clients via Samba. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400690"></a>Basic CUPS Support Configuration</h2></div></div></div><p> +<a class="indexterm" name="id400698"></a> +<a class="indexterm" name="id400704"></a> +<a class="indexterm" name="id400711"></a> +<a class="indexterm" name="id400718"></a> +<a class="indexterm" name="id400725"></a> +Printing with CUPS in the most basic <code class="filename">smb.conf</code> setup in Samba-3.0 (as was true for 2.2.x) requires just two +parameters: <a class="indexterm" name="id400739"></a>printing = cups and <a class="indexterm" name="id400746"></a>printcap = cups. CUPS does not need a printcap file. However, the +<code class="filename">cupsd.conf</code> configuration file knows of two related directives that control how such a +file will be automatically created and maintained by CUPS for the convenience of third-party applications +(example: <em class="parameter"><code>Printcap /etc/printcap</code></em> and <em class="parameter"><code>PrintcapFormat BSD</code></em>). +Legacy programs often require the existence of a printcap file containing printer names or they will refuse to +print. Make sure CUPS is set to generate and maintain a printcap file. For details, see <code class="literal">man +cupsd.conf</code> and other CUPS-related documentation, like the wealth of documents regarding the CUPS +server itself available from the <a href="http://localhost:631/documentation.html" target="_top">CUPS</a> web site. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400790"></a>Linking smbd with libcups.so</h3></div></div></div><p> +<a class="indexterm" name="id400798"></a> + Samba has a special relationship to CUPS. Samba can be compiled with CUPS library support. + Most recent installations have this support enabled. By default, CUPS linking is compiled + into smbd and other Samba binaries. Of course, you can use CUPS even + if Samba is not linked against <code class="filename">libcups.so</code> but + there are some differences in required or supported configuration. + </p><p> +<a class="indexterm" name="id400820"></a> +<a class="indexterm" name="id400827"></a> + When Samba is compiled and linked with <code class="filename">libcups</code>, <a class="indexterm" name="id400839"></a>printcap = cups + uses the CUPS API to list printers, submit jobs, query queues, and so on. Otherwise it maps to the System V + commands with an additional <code class="literal">-oraw</code> option for printing. On a Linux + system, you can use the <code class="literal">ldd</code> utility to find out if smbd has been linked with the + libcups library (<code class="literal">ldd</code> may not be present on other OS platforms, or its function may be embodied + by a different command): +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ldd `which smbd`</code></strong> +libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000) +libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000) +libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) +[....] +</pre><p> + </p><p> +<a class="indexterm" name="id400888"></a> + The line <code class="computeroutput">libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)</code> shows + there is CUPS support compiled into this version of Samba. If this is the case, and printing = cups + is set, then <span class="emphasis"><em>any otherwise manually set print command in <code class="filename">smb.conf</code> is ignored</em></span>. + This is an important point to remember! + </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Should it be necessary, for any reason, to set your own print commands, you can do this by setting + <a class="indexterm" name="id400918"></a>printing = sysv. However, you will lose all the benefits + of tight CUPS-Samba integration. When you do this, you must manually configure the printing system commands + (most important: + <a class="indexterm" name="id400926"></a>print command; other commands are + <a class="indexterm" name="id400934"></a>lppause command, + <a class="indexterm" name="id400941"></a>lpresume command, + <a class="indexterm" name="id400948"></a>lpq command, + <a class="indexterm" name="id400955"></a>lprm command, + <a class="indexterm" name="id400962"></a>queuepause command and + <a class="indexterm" name="id400969"></a>queue resume command). + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400978"></a>Simple <code class="filename">smb.conf</code> Settings for CUPS</h3></div></div></div><p> + To summarize, <a href="CUPS-printing.html#cups-exam-simple" title="Example 22.1. Simplest Printing-Related smb.conf">the Simplest Printing-Related + <code class="filename">smb.conf</code> file</a> shows the simplest printing-related setup for <code class="filename">smb.conf</code> to + enable basic CUPS support: + </p><div class="example"><a name="cups-exam-simple"></a><p class="title"><b>Example 22.1. Simplest Printing-Related smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id401038"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401051"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id401063"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id401085"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id401097"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id401110"></a><em class="parameter"><code>browseable = no</code></em></td></tr><tr><td><a class="indexterm" name="id401122"></a><em class="parameter"><code>public = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401135"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401147"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id401160"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401172"></a><em class="parameter"><code>printer admin = root, @ntadmins</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id401188"></a> +<a class="indexterm" name="id401195"></a> +<a class="indexterm" name="id401202"></a> + This is all you need for basic printing setup for CUPS. It will print all graphic, text, PDF, and PostScript + files submitted from Windows clients. However, most of your Windows users would not know how to send these + kinds of files to print without opening a GUI application. Windows clients tend to have local printer drivers + installed, and the GUI application's print buttons start a printer driver. Your users also rarely send files + from the command line. Unlike UNIX clients, they rarely submit graphic, text, or PDF formatted files directly + to the spooler. They nearly exclusively print from GUI applications with a “<span class="quote">printer driver</span>” + hooked between the application's native format and the print data stream. If the backend printer is not a + PostScript device, the print data stream is “<span class="quote">binary,</span>” sensible only for the target printer. Read + on to learn what problem this may cause and how to avoid it. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id401226"></a>More Complex CUPS <code class="filename">smb.conf</code> Settings</h3></div></div></div><p> + <a href="CUPS-printing.html#overridesettings" title="Example 22.2. Overriding Global CUPS Settings for One Printer">The Overriding Global CUPS Settings for One Printer example</a> + is a slightly more complex printing-related setup for <code class="filename">smb.conf</code>. It enables general CUPS printing + support for all printers, but defines one printer share, which is set up differently. + </p><div class="example"><a name="overridesettings"></a><p class="title"><b>Example 22.2. Overriding Global CUPS Settings for One Printer</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id401279"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id401292"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id401304"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id401326"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id401338"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id401351"></a><em class="parameter"><code>public = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401363"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401376"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id401388"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401401"></a><em class="parameter"><code>printer admin = root, @ntadmins</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[special_printer]</code></em></td></tr><tr><td><a class="indexterm" name="id401422"></a><em class="parameter"><code>comment = A special printer with his own settings</code></em></td></tr><tr><td><a class="indexterm" name="id401435"></a><em class="parameter"><code>path = /var/spool/samba-special</code></em></td></tr><tr><td><a class="indexterm" name="id401448"></a><em class="parameter"><code>printing = sysv</code></em></td></tr><tr><td><a class="indexterm" name="id401460"></a><em class="parameter"><code>printcap = lpstat</code></em></td></tr><tr><td><a class="indexterm" name="id401473"></a><em class="parameter"><code>print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ; echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ; echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log ; rm %f </code></em></td></tr><tr><td><a class="indexterm" name="id401488"></a><em class="parameter"><code>public = no</code></em></td></tr><tr><td><a class="indexterm" name="id401500"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id401513"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id401526"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401538"></a><em class="parameter"><code>printer admin = kurt</code></em></td></tr><tr><td><a class="indexterm" name="id401551"></a><em class="parameter"><code>hosts deny = 0.0.0.0</code></em></td></tr><tr><td><a class="indexterm" name="id401563"></a><em class="parameter"><code>hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60</code></em></td></tr></table></div></div><br class="example-break"><p> + This special share is only for testing purposes. It does not write the print job to a file. It just logs the job parameters + known to Samba into the <code class="filename">/tmp/smbprn.log</code> file and deletes the job-file. Moreover, the + <a class="indexterm" name="id401587"></a>printer admin of this share is “<span class="quote">kurt</span>” (not the “<span class="quote">@ntadmins</span>” group), + guest access is not allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it + allows access from only three hosts. To prevent CUPS from kicking in and taking over the print jobs for that share, we need to set + <a class="indexterm" name="id401604"></a>printing = sysv and <a class="indexterm" name="id401611"></a>printcap = lpstat. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id401621"></a>Advanced Configuration</h2></div></div></div><p> + Before we delve into all the configuration options, let us clarify a few points. <span class="emphasis"><em>Network printing + needs to be organized and set up correctly</em></span>. This frequently doesn't happen. Legacy systems or small + business LAN environments often lack design and good housekeeping. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id401636"></a>Central Spooling vs. “<span class="quote">Peer-to-Peer</span>” Printing</h3></div></div></div><p> +<a class="indexterm" name="id401647"></a> + <a class="indexterm" name="id401654"></a> + <a class="indexterm" name="id401663"></a> + Many small office or home networks, as well as badly organized larger environments, allow each client a direct + access to available network printers. This is generally a bad idea. It often blocks one client's access to the + printer when another client's job is printing. It might freeze the first client's application while it is + waiting to get rid of the job. Also, there are frequent complaints about various jobs being printed with their + pages mixed with each other. A better concept is the use of a print server: it routes all jobs through one + central system, which responds immediately, takes jobs from multiple concurrent clients, and transfers them to + the printer(s) in the correct order. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id401680"></a>Raw Print Serving: Vendor Drivers on Windows Clients</h3></div></div></div><p> + <a class="indexterm" name="id401688"></a> + <a class="indexterm" name="id401695"></a> + Most traditionally configured UNIX print servers acting on behalf of + Samba's Windows clients represented a really simple setup. Their only + task was to manage the “<span class="quote">raw</span>” spooling of all jobs handed to them by + Samba. This approach meant that the Windows clients were expected to + prepare the print job file that is ready to be sent to the printing + device. In this case, a native (vendor-supplied) Windows printer driver needs to + be installed on each and every client for the target device. + </p><p> +<a class="indexterm" name="id401713"></a> +<a class="indexterm" name="id401719"></a> + It is possible to configure CUPS, Samba, and your Windows clients in the + same traditional and simple way. When CUPS printers are configured + for raw print-through mode operation, it is the responsibility of the + Samba client to fully render the print job (file). The file must be + sent in a format that is suitable for direct delivery to the + printer. Clients need to run the vendor-provided drivers to do + this. In this case, CUPS will not do any print file format conversion + work. + </p><p> + The easiest printing configuration possible is raw print-through. + This is achieved by installation of the printer as if it were physically + attached to the Windows client. You then redirect output to a raw network + print queue. This procedure may be followed to achieve this: + </p><div class="procedure"><a name="id401737"></a><p class="title"><b>Procedure 22.1. Configuration Steps for Raw CUPS Printing Support</b></p><ol type="1"><li><p> +<a class="indexterm" name="id401749"></a> + Edit <code class="filename">/etc/cups/mime.types</code> to uncomment the line + near the end of the file that has: +</p><pre class="screen"> +#application/octet-... +</pre><p> + </p></li><li><p> +<a class="indexterm" name="id401774"></a> + Do the same for the file <code class="filename">/etc/cups/mime.convs</code>. + </p></li><li><p> + Add a raw printer using the Web interface. Point your browser at + <code class="constant">http://localhost:631</code>. Enter Administration, and add + the printer following the prompts. Do not install any drivers for it. + Choose Raw. Choose queue name <code class="constant">Raw Queue</code>. + </p></li><li><p> + In the <code class="filename">smb.conf</code> file <code class="constant">[printers]</code> section add + <a class="indexterm" name="id401820"></a>use client driver = Yes, + and in the <code class="constant">[global]</code> section add + <a class="indexterm" name="id401831"></a>printing = CUPS, plus + <a class="indexterm" name="id401838"></a>printcap = CUPS. + </p></li><li><p> + Install the printer as if it is a local printer, that is, Printing to <code class="constant">LPT1:</code>. + </p></li><li><p> + Edit the configuration under the <span class="guimenu">Detail</span> tab and create a + <code class="constant">local port</code> that points to the raw printer queue that + you have configured above. Example: <code class="constant">\\server\raw_q</code>. + Here, the name <code class="constant">raw_q</code> is the name you gave the print + queue in the CUPS environment. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id401884"></a>Installation of Windows Client Drivers</h3></div></div></div><p> + The printer drivers on the Windows clients may be installed + in two functionally different ways: + </p><div class="itemizedlist"><ul type="disc"><li><p>Manually install the drivers locally on each client, + one by one; this yields the old LanMan style + printing and uses a <code class="filename">\\sambaserver\printershare</code> + type of connection.</p></li><li><p> + <a class="indexterm" name="id401911"></a> + Deposit and prepare the drivers (for later download) on + the print server (Samba); this enables the clients to use + “<span class="quote">Point'n'Print</span>” to get drivers semi-automatically installed the + first time they access the printer; with this method NT/200x/XP + clients use the <span class="emphasis"><em>SPOOLSS/MS-RPC</em></span> + type printing calls.</p></li></ul></div><p> + The second method is recommended for use over the first. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="cups-raw"></a>Explicitly Enable “<span class="quote">raw</span>” Printing for <span class="emphasis"><em>application/octet-stream</em></span></h3></div></div></div><p> + <a class="indexterm" name="id401952"></a> + <a class="indexterm" name="id401958"></a> + <a class="indexterm" name="id401965"></a> + If you use the first option (drivers are installed on the client + side), there is one setting to take care of: CUPS needs to be told + that it should allow “<span class="quote">raw</span>” printing of deliberate (binary) file + formats. The CUPS files that need to be correctly set for raw mode + printers to work are: + </p><div class="itemizedlist"><ul type="disc"><li><p><code class="filename">/etc/cups/mime.types</code></p></li><li><p><code class="filename">/etc/cups/mime.convs</code></p></li></ul></div><p> + Both contain entries (at the end of the respective files) that must be uncommented to allow RAW mode + operation. In <code class="filename">/etc/cups/mime.types</code>, make sure this line is present: +</p><pre class="programlisting"> +application/octet-stream +</pre><p> + <a class="indexterm" name="id402015"></a> + <a class="indexterm" name="id402022"></a> + In <code class="filename">/etc/cups/mime.convs</code>, have this line: + <a class="indexterm" name="id402035"></a> +</p><pre class="programlisting"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + If these two files are not set up correctly for raw Windows client + printing, you may encounter the dreaded <code class="computeroutput">Unable to + convert file 0</code> in your CUPS <code class="filename">error_log</code> file. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Editing the <code class="filename">mime.convs</code> and the <code class="filename">mime.types</code> file does + not <span class="emphasis"><em>enforce</em></span> “<span class="quote">raw</span>” printing, it only <span class="emphasis"><em>allows</em></span> it. + </p></div><p><b>Background. </b> + <a class="indexterm" name="id402096"></a> +<a class="indexterm" name="id402103"></a> + That CUPS is a more security-aware printing system than traditional ones does not by default allow a user to + send deliberate (possibly binary) data to printing devices. This could be easily abused to launch a + “<span class="quote">Denial of Service</span>” attack on your printer(s), causing at least the loss of a lot of paper and + ink. “<span class="quote">Unknown</span>” data are tagged by CUPS as <em class="parameter"><code>MIME type: application/octet-stream</code></em> + and not allowed to go to the printer. By default, you can only send other (known) MIME types “<span class="quote">raw.</span>” + Sending data “<span class="quote">raw</span>” means that CUPS does not try to convert them and passes them to the printer + untouched. + </p><p> + This is all you need to know to get the CUPS/Samba combo printing + “<span class="quote">raw</span>” files prepared by Windows clients, which have vendor drivers + locally installed. If you are not interested in background information about + more advanced CUPS/Samba printing, simply skip the remaining sections + of this chapter. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id402147"></a>Driver Upload Methods</h3></div></div></div><p> + This section describes three familiar methods, plus one new one, by which + printer drivers may be uploaded. + </p><p> + <a class="indexterm" name="id402159"></a> + If you want to use the MS-RPC-type printing, you must upload the + drivers onto the Samba server first (<em class="parameter"><code>[print$]</code></em> + share). For a discussion on how to deposit printer drivers on the + Samba host (so the Windows clients can download and use them via + “<span class="quote">Point'n'Print</span>”), please refer to the <a href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing + chapter</a> of this book. There you will find a description or reference to + three methods of preparing the client drivers on the Samba server: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id402192"></a> + The GUI, “<span class="quote">Add Printer Wizard</span>” <span class="emphasis"><em>upload-from-a-Windows-client</em></span> method. + </p></li><li><p> + The command line, “<span class="quote">smbclient/rpcclient</span>” upload-from-a-UNIX-workstation method. + </p></li><li><p> + <a class="indexterm" name="id402219"></a> + The Imprints tool set method. + </p></li></ul></div><p> +<a class="indexterm" name="id402231"></a> + These three methods apply to CUPS all the same. The <code class="literal">cupsaddsmb</code> utility is a new and more + convenient way to load the Windows drivers into Samba and is provided if you use CUPS. + </p><p> + <code class="literal">cupsaddsmb</code> is discussed in much detail later in this chapter. But we first + explore the CUPS filtering system and compare the Windows and UNIX printing architectures. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id402258"></a>Advanced Intelligent Printing with PostScript Driver Download</h2></div></div></div><p> + <a class="indexterm" name="id402266"></a> + We now know how to set up a “<span class="quote">dump</span>” print server, that is, a server that spools + print jobs “<span class="quote">raw</span>”, leaving the print data untouched. + </p><p> + You might need to set up CUPS in a smarter way. The reasons could be manifold: + </p><a class="indexterm" name="id402289"></a><a class="indexterm" name="id402296"></a><a class="indexterm" name="id402302"></a><div class="itemizedlist"><ul type="disc"><li><p>Maybe your boss wants to get monthly statistics: Which + printer did how many pages? What was the average data size of a job? + What was the average print run per day? What are the typical hourly + peaks in printing? Which department prints how much?</p></li><li><p>Maybe you are asked to set up a print quota system: + Users should not be able to print more jobs once they have surpassed + a given limit per period.</p></li><li><p>Maybe your previous network printing setup is a mess + and must be re-organized from a clean beginning.</p></li><li><p>Maybe you are experiencing too many “<span class="quote">blue screens</span>” + originating from poorly debugged printer drivers running in NT “<span class="quote">kernel mode</span>”?</p></li></ul></div><p> + These goals cannot be achieved by a raw print server. To build a + server meeting these requirements, you'll first need to learn + how CUPS works and how you can enable its features. + </p><p> + What follows is the comparison of some fundamental concepts for + Windows and UNIX printing, then a description of the + CUPS filtering system, how it works, and how you can tweak it. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gdipost"></a>GDI on Windows, PostScript on UNIX</h3></div></div></div><p> + <a class="indexterm" name="id402363"></a> + <a class="indexterm" name="id402370"></a> + Network printing is one of the most complicated and error-prone + day-to-day tasks any user or administrator may encounter. This is + true for all OS platforms, and there are reasons it is so. + </p><p> + <a class="indexterm" name="id402382"></a> + <a class="indexterm" name="id402388"></a> +<a class="indexterm" name="id402395"></a> +<a class="indexterm" name="id402401"></a> +<a class="indexterm" name="id402408"></a> + You can't expect to throw just any file format at a printer and have it get printed. A file format conversion + must take place. The problem is that there is no common standard for print file formats across all + manufacturers and printer types. While PostScript (trademark held by Adobe) and, to an extent, PCL (trademark + held by Hewlett-Packard) have developed into semi-official “<span class="quote">standards</span>” by being the most widely + used page description languages (PDLs), there are still many manufacturers who “<span class="quote">roll their own</span>” + (their reasons may be unacceptable license fees for using printer-embedded PostScript interpreters, and so on). + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id402432"></a>Windows Drivers, GDI, and EMF</h3></div></div></div><p> + <a class="indexterm" name="id402440"></a> + <a class="indexterm" name="id402446"></a> + <a class="indexterm" name="id402453"></a> +<a class="indexterm" name="id402460"></a> + In Windows OS, the format conversion job is done by the printer drivers. On MS Windows OS platforms all + application programmers have at their disposal a built-in API, the graphical device interface (GDI), as part + and parcel of the OS itself to base themselves on. This GDI core is used as one common unified ground for all + Windows programs to draw pictures, fonts, and documents <span class="emphasis"><em>on screen</em></span> as well as <span class="emphasis"><em>on + paper</em></span> (print). Therefore, printer driver developers can standardize on a well-defined GDI output + for their own driver input. Achieving WYSIWYG (What You See Is What You Get) is relatively easy, because the + on-screen graphic primitives, as well as the on-paper drawn objects, come from one common source. This source, + the GDI, often produces a file format called Enhanced MetaFile (EMF). The EMF is processed by the printer + driver and converted to the printer-specific file format. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id402487"></a> +<a class="indexterm" name="id402494"></a> +<a class="indexterm" name="id402501"></a> + To the GDI foundation in MS Windows, Apple has chosen to put paper and screen output on a common foundation + for its (BSD-UNIX-based, did you know?) Mac OS X and Darwin operating <a class="indexterm" name="id402509"></a> <a class="indexterm" name="id402516"></a> + <a class="indexterm" name="id402523"></a> <a class="indexterm" name="id402529"></a> systems. + Apple's <span class="emphasis"><em>core graphic engine</em></span> uses a <span class="emphasis"><em>PDF</em></span> derivative for all display work. + </p></div><p> + The example in <a href="CUPS-printing.html#1small" title="Figure 22.1. Windows Printing to a Local Printer.">Windows Printing to a Local Printer</a> illustrates local Windows + printing. + </p><div class="figure"><a name="1small"></a><p class="title"><b>Figure 22.1. Windows Printing to a Local Printer.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/1small.png" alt="Windows Printing to a Local Printer."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id402598"></a>UNIX Printfile Conversion and GUI Basics</h3></div></div></div><p> + <a class="indexterm" name="id402606"></a> + <a class="indexterm" name="id402613"></a> + <a class="indexterm" name="id402620"></a> + <a class="indexterm" name="id402626"></a> + In UNIX and Linux, there is no comparable layer built into the OS kernel(s) or the X (screen display) server. + Every application is responsible for itself to create its print output. Fortunately, most use PostScript and + that at least gives some common ground. Unfortunately, there are many different levels of quality for this + PostScript. And worse, there is a huge difference (and no common root) in the way the same document is + displayed on screen and how it is presented on paper. WYSIWYG is more difficult to achieve. This goes back to + the time, decades ago, when the predecessors of X.org, designing the UNIX foundations and protocols for + graphical user interfaces, refused to take responsibility for “<span class="quote">paper output</span>”, as some had + demanded at the time, and restricted itself to “<span class="quote">on-screen only.</span>” (For some years now, the + “<span class="quote">Xprint</span>” project has been under development, attempting to build printing support into the X + framework, including a PostScript and a PCL driver, but it is not yet ready for prime time.) You can see this + unfavorable inheritance up to the present day by looking into the various “<span class="quote">font</span>” directories on + your system; there are separate ones for fonts used for X display and fonts to be used on paper. + </p><p><b>Background. </b> + <a class="indexterm" name="id402672"></a> +<a class="indexterm" name="id402679"></a> +<a class="indexterm" name="id402686"></a> +<a class="indexterm" name="id402692"></a> +<a class="indexterm" name="id402699"></a> +<a class="indexterm" name="id402706"></a> +<a class="indexterm" name="id402713"></a> +<a class="indexterm" name="id402720"></a> +<a class="indexterm" name="id402726"></a> +<a class="indexterm" name="id402733"></a> + The PostScript programming language is an “<span class="quote">invention</span>” by Adobe, but its specifications have been + published extensively. Its strength lies in its powerful abilities to describe graphical objects (fonts, + shapes, patterns, lines, curves, and dots), their attributes (color, linewidth), and the way to manipulate + (scale, distort, rotate, shift) them. Because of its open specification, anybody with the skill can start + writing his or her own implementation of a PostScript interpreter and use it to display PostScript files on + screen or on paper. Most graphical output devices are based on the concept of “<span class="quote">raster images</span>” or + “<span class="quote">pixels</span>” (one notable exception is pen plotters). Of course, you can look at a PostScript file in + its textual form and you will be reading its PostScript code, the language instructions that need to be + interpreted by a rasterizer. Rasterizers produce pixel images, which may be displayed on screen by a viewer + program or on paper by a printer. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="post-and-ghost"></a>PostScript and Ghostscript</h3></div></div></div><p> + <a class="indexterm" name="id402774"></a> + <a class="indexterm" name="id402780"></a> + <a class="indexterm" name="id402789"></a> +<a class="indexterm" name="id402799"></a> +<a class="indexterm" name="id402805"></a> + So UNIX is lacking a common ground for printing on paper and displaying on screen. Despite this unfavorable + legacy for UNIX, basic printing is fairly easy if you have PostScript printers at your disposal. The reason is + that these devices have a built-in PostScript language “<span class="quote">interpreter,</span>” also called a raster image + processor (RIP), (which makes them more expensive than other types of printers; throw PostScript toward them, + and they will spit out your printed pages. The RIP does all the hard work of converting the PostScript drawing + commands into a bitmap picture as you see it on paper, in a resolution as done by your printer. This is no + different than PostScript printing a file from a Windows origin. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id402832"></a> +<a class="indexterm" name="id402838"></a> +<a class="indexterm" name="id402845"></a> + Traditional UNIX programs and printing systems while using PostScript are largely not + PPD-aware. PPDs are “<span class="quote">PostScript Printer Description</span>” files. They enable you to specify and + control all options a printer supports: duplexing, stapling, and punching. Therefore, UNIX users for a long + time couldn't choose many of the supported device and job options, unlike Windows or Apple users. But now + there is CUPS. as illustrated in <a href="CUPS-printing.html#2small" title="Figure 22.2. Printing to a PostScript Printer.">Printing to a PostScript Printer</a>. + </p></div><div class="figure"><a name="2small"></a><p class="title"><b>Figure 22.2. Printing to a PostScript Printer.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/2small.png" alt="Printing to a PostScript Printer."></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id402919"></a> + However, there are other types of printers out there. These do not know how to print PostScript. They use + their own PDL, often proprietary. To print to them is much more demanding. Since your UNIX applications mostly + produce PostScript, and since these devices do not understand PostScript, you need to convert the print files + to a format suitable for your printer on the host before you can send it away. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id402931"></a>Ghostscript: The Software RIP for Non-PostScript Printers</h3></div></div></div><p> + <a class="indexterm" name="id402939"></a> + Here is where Ghostscript kicks in. Ghostscript is the traditional (and quite powerful) PostScript interpreter + used on UNIX platforms. It is a RIP in software, capable of doing a <span class="emphasis"><em>lot</em></span> of file format + conversions for a very broad spectrum of hardware devices as well as software file formats. Ghostscript + technology and drivers are what enable PostScript printing to non-PostScript hardware. This is shown in + <a href="CUPS-printing.html#3small" title="Figure 22.3. Ghostscript as a RIP for Non-PostScript Printers.">Ghostscript as a RIP for Non-PostScript Printers</a>. + </p><div class="figure"><a name="3small"></a><p class="title"><b>Figure 22.3. Ghostscript as a RIP for Non-PostScript Printers.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/3small.png" alt="Ghostscript as a RIP for Non-PostScript Printers."></div></div></div><br class="figure-break"><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +<a class="indexterm" name="id403005"></a> +<a class="indexterm" name="id403011"></a> +<a class="indexterm" name="id403018"></a> + Use the “<span class="quote">gs -h</span>” command to check for all built-in “<span class="quote">devices</span>” on your Ghostscript + version. If you specify a parameter of <em class="parameter"><code>-sDEVICE=png256</code></em> on your Ghostscript command + line, you are asking Ghostscript to convert the input into a PNG file. Naming a “<span class="quote">device</span>” on the + command line is the most important single parameter to tell Ghostscript exactly how it should render the + input. New Ghostscript versions are released at fairly regular intervals, now by artofcode LLC. They are + initially put under the “<span class="quote">AFPL</span>” license, but re-released under the GNU GPL as soon as the next + AFPL version appears. GNU Ghostscript is probably the version installed on most Samba systems. But it has some + deficiencies. <a class="indexterm" name="id403051"></a> Therefore, ESP Ghostscript was developed as an enhancement over GNU Ghostscript, + with lots of bug-fixes, additional devices, and improvements. It is jointly maintained by developers from + CUPS, Gimp-Print, MandrakeSoft, SuSE, Red Hat, and Debian. It includes the “<span class="quote">cups</span>” device + (essential to print to non-PS printers from CUPS). + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id403071"></a>PostScript Printer Description (PPD) Specification</h3></div></div></div><p> + <a class="indexterm" name="id403079"></a> +<a class="indexterm" name="id403085"></a> +<a class="indexterm" name="id403092"></a> + While PostScript in essence is a PDL to represent the page layout in a device-independent way, real-world + print jobs are always ending up being output on hardware with device-specific features. To take care of all + the differences in hardware and to allow for innovations, Adobe has specified a syntax and file format for + PostScript Printer Description (PPD) files. Every PostScript printer ships with one of these files. + </p><p> + PPDs contain all the information about general and special features of the + given printer model: Which different resolutions can it handle? Does + it have a duplexing unit? How many paper trays are there? What media + types and sizes does it take? For each item, it also names the special + command string to be sent to the printer (mostly inside the PostScript + file) in order to enable it. + </p><p> + Information from these PPDs is meant to be taken into account by the + printer drivers. Therefore, installed as part of the Windows + PostScript driver for a given printer is the printer's PPD. Where it + makes sense, the PPD features are presented in the drivers' UI dialogs + to display to the user a choice of print options. In the end, the + user selections are somehow written (in the form of special + PostScript, PJL, JCL, or vendor-dependent commands) into the PostScript + file created by the driver. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + <a class="indexterm" name="id403121"></a> +<a class="indexterm" name="id403127"></a> + A PostScript file that was created to contain device-specific commands + for achieving a certain print job output (e.g., duplexed, stapled, and + punched) on a specific target machine may not print as expected, or + may not be printable at all on other models; it also may not be fit + for further processing by software (e.g., by a PDF distilling program). + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id403139"></a>Using Windows-Formatted Vendor PPDs</h3></div></div></div><p> +<a class="indexterm" name="id403147"></a> +<a class="indexterm" name="id403154"></a> +<a class="indexterm" name="id403161"></a> + CUPS can handle all spec-compliant PPDs as supplied by the manufacturers for their PostScript models. Even if + a vendor does not mention our favorite OS in his or her manuals and brochures, you can safely trust this: + <span class="emphasis"><em>If you get the Windows NT version of the PPD, you can use it unchanged in CUPS</em></span> and thus + access the full power of your printer just like a Windows NT user could! + </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> + To check the spec compliance of any PPD online, go to <a href="http://www.cups.org/testppd.php" target="_top">http://www.cups.org/testppd.php</a> and upload your PPD. You will + see the results displayed immediately. CUPS in all versions after 1.1.19 has a much stricter internal PPD + parsing and checking code enabled; in case of printing trouble, this online resource should be one of your + first pit stops. + </p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + <a class="indexterm" name="id403194"></a> + <a class="indexterm" name="id403201"></a> + For real PostScript printers, <span class="emphasis"><em>do not</em></span> use the <span class="emphasis"><em>Foomatic</em></span> or + <span class="emphasis"><em>cupsomatic</em></span> PPDs from Linuxprinting.org. With these devices, the original vendor-provided + PPDs are always the first choice. + </p></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +<a class="indexterm" name="id403224"></a> + If you are looking for an original vendor-provided PPD of a specific device, and you know that an NT4 box (or + any other Windows box) on your LAN has the PostScript driver installed, just use <code class="literal">smbclient + //NT4-box/print\$ -U username</code> to access the Windows directory where all printer driver files are + stored. First look in the <code class="filename">W32X86/2</code> subdirectory for the PPD you are seeking. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id403248"></a>CUPS Also Uses PPDs for Non-PostScript Printers</h3></div></div></div><p> +<a class="indexterm" name="id403256"></a> +<a class="indexterm" name="id403263"></a> +<a class="indexterm" name="id403270"></a> + CUPS also uses specially crafted PPDs to handle non-PostScript printers. These PPDs are usually not available + from the vendors (and no, you can't just take the PPD of a PostScript printer with the same model name and + hope it works for the non-PostScript version too). To understand how these PPDs work for non-PS printers, we + first need to dive deeply into the CUPS filtering and file format conversion architecture. Stay tuned. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id403283"></a>The CUPS Filtering Architecture</h2></div></div></div><p> +<a class="indexterm" name="id403291"></a> +<a class="indexterm" name="id403298"></a> +<a class="indexterm" name="id403305"></a> +<a class="indexterm" name="id403312"></a> +<a class="indexterm" name="id403318"></a> +The core of the CUPS filtering system is based on Ghostscript. In addition to Ghostscript, CUPS uses some +other filters of its own. You (or your OS vendor) may have plugged in even more filters. CUPS handles all data +file formats under the label of various MIME types. Every incoming print file is subjected to an initial +autotyping. The autotyping determines its given MIME type. A given MIME type implies zero or more possible +filtering chains relevant to the selected target printer. This section discusses how MIME types recognition +and conversion rules interact. They are used by CUPS to automatically set up a working filtering chain for any +given input data format. +</p><p> +If CUPS rasterizes a PostScript file natively to a bitmap, this is done in two stages: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id403341"></a> +<a class="indexterm" name="id403348"></a> + The first stage uses a Ghostscript device named “<span class="quote">cups</span>” + (this is since version 1.1.15) and produces a generic raster format + called “<span class="quote">CUPS raster</span>”. + </p></li><li><p> +<a class="indexterm" name="id403368"></a> + The second stage uses a “<span class="quote">raster driver</span>” that converts + the generic CUPS raster to a device-specific raster. + </p></li></ul></div><p> +<a class="indexterm" name="id403383"></a> +<a class="indexterm" name="id403390"></a> +<a class="indexterm" name="id403397"></a> +Make sure your Ghostscript version has the “<span class="quote">cups</span>” device compiled in (check with <code class="literal">gs -h | +grep cups</code>). Otherwise you may encounter the dreaded <code class="computeroutput">Unable to convert file +0</code> in your CUPS error_log file. To have “<span class="quote">cups</span>” as a device in your Ghostscript, +you either need to patch GNU Ghostscript and recompile or use +<a class="indexterm" name="id403425"></a><a href="http://www.cups.org/ghostscript.php" target="_top">ESP Ghostscript</a>. The superior alternative is ESP +Ghostscript. It supports not just CUPS, but 300 other devices (while GNU Ghostscript supports only about 180). +Because of this broad output device support, ESP Ghostscript is the first choice for non-CUPS spoolers, too. +It is now recommended by Linuxprinting.org for all spoolers. +</p><p> +<a class="indexterm" name="id403445"></a> +<a class="indexterm" name="id403451"></a> +<a class="indexterm" name="id403458"></a> +<a class="indexterm" name="id403465"></a> +CUPS printers may be set up to use external rendering paths. One of the most common is provided by the +Foomatic/cupsomatic concept from <a href="http://www.linuxprinting.org/" target="_top">Linuxprinting.org</a>. This +uses the classical Ghostscript approach, doing everything in one step. It does not use the +“<span class="quote">cups</span>” device, but one of the many others. However, even for Foomatic/cupsomatic usage, best +results and <a class="indexterm" name="id403484"></a> broadest printer +model support is provided by ESP Ghostscript (more about Foomatic/cupsomatic, particularly the new version +called now <span class="emphasis"><em>foomatic-rip</em></span>, follows). +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id403499"></a>MIME Types and CUPS Filters</h3></div></div></div><p> + <a class="indexterm" name="id403507"></a> + <a class="indexterm" name="id403516"></a> +<a class="indexterm" name="id403523"></a> +<a class="indexterm" name="id403530"></a> +<a class="indexterm" name="id403537"></a> + CUPS reads the file <code class="filename">/etc/cups/mime.types</code> (and all other files carrying a + <code class="filename">*.types</code> suffix in the same directory) upon startup. These files contain the MIME type + recognition rules that are applied when CUPS runs its autotyping routines. The rule syntax is explained in the + man page for <code class="filename">mime.types</code> and in the comments section of the + <code class="filename">mime.types</code> file itself. A simple rule reads like this: + <a class="indexterm" name="id403570"></a> +</p><pre class="programlisting"> +application/pdf pdf string(0,%PDF) +</pre><p> +<a class="indexterm" name="id403583"></a> +<a class="indexterm" name="id403590"></a> + This means if a filename has a <code class="filename">.pdf</code> suffix or if the magic string + <span class="emphasis"><em>%PDF</em></span> is right at the beginning of the file itself (offset 0 from the start), then it is a + PDF file (<em class="parameter"><code>application/pdf</code></em>). Another rule is this: +</p><pre class="programlisting"> +application/postscript ai eps ps string(0,%!) string(0,<04>%!) +</pre><p> +<a class="indexterm" name="id403620"></a> +<a class="indexterm" name="id403627"></a> +<a class="indexterm" name="id403634"></a> +<a class="indexterm" name="id403640"></a> +<a class="indexterm" name="id403647"></a> +<a class="indexterm" name="id403654"></a> + If the filename has one of the suffixes <code class="filename">.ai</code>, <code class="filename">.eps</code>, + <code class="filename">.ps</code>, or if the file itself starts with one of the strings <span class="emphasis"><em>%!</em></span> or + <span class="emphasis"><em><04>%!</em></span>, it is a generic PostScript file + (<em class="parameter"><code>application/postscript</code></em>). + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +<a class="indexterm" name="id403696"></a> + Don't confuse the other mime.types files your system might be using + with the one in the <code class="filename">/etc/cups/</code> directory. + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id403714"></a> +<a class="indexterm" name="id403721"></a> +<a class="indexterm" name="id403728"></a> +<a class="indexterm" name="id403734"></a> +<a class="indexterm" name="id403741"></a> + There is an important difference between two similar MIME types in CUPS: one is + <em class="parameter"><code>application/postscript</code></em>, the other is + <em class="parameter"><code>application/vnd.cups-postscript</code></em>. While <em class="parameter"><code>application/postscript</code></em> is + meant to be device-independent, job options for the file are still outside the PS file content, embedded in + command-line or environment variables by CUPS, <em class="parameter"><code>application/vnd.cups-postscript</code></em> may have + the job options inserted into the PostScript data itself (where applicable). The transformation of the generic + PostScript (<em class="parameter"><code>application/postscript</code></em>) to the device-specific version + (<em class="parameter"><code>application/vnd.cups-postscript</code></em>) is the responsibility of the CUPS + <em class="parameter"><code>pstops</code></em> filter. pstops uses information contained in the PPD to do the transformation. + </p></div><p> +<a class="indexterm" name="id403797"></a> +<a class="indexterm" name="id403804"></a> +<a class="indexterm" name="id403811"></a> +<a class="indexterm" name="id403817"></a> +<a class="indexterm" name="id403824"></a> +<a class="indexterm" name="id403830"></a> +<a class="indexterm" name="id403837"></a> +<a class="indexterm" name="id403844"></a> +<a class="indexterm" name="id403850"></a> +<a class="indexterm" name="id403857"></a> +<a class="indexterm" name="id403864"></a> +<a class="indexterm" name="id403871"></a> +<a class="indexterm" name="id403878"></a> +<a class="indexterm" name="id403884"></a> +<a class="indexterm" name="id403891"></a> +<a class="indexterm" name="id403898"></a> + CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI, and + many image formats (GIF, PNG, TIFF, JPEG, Photo-CD, SUN-Raster, + PNM, PBM, SGI-RGB, and more) and their associated MIME types + with its filters. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id403909"></a>MIME Type Conversion Rules</h3></div></div></div><p> + <a class="indexterm" name="id403917"></a> + <a class="indexterm" name="id403923"></a> +<a class="indexterm" name="id403930"></a> +<a class="indexterm" name="id403937"></a> +<a class="indexterm" name="id403944"></a> + CUPS reads the file <code class="filename">/etc/cups/mime.convs</code> + (and all other files named with a <code class="filename">*.convs</code> + suffix in the same directory) upon startup. These files contain + lines naming an input MIME type, an output MIME type, a format + conversion filter that can produce the output from the input type, + and virtual costs associated with this conversion. One example line + reads like this: +</p><pre class="programlisting"> +application/pdf application/postscript 33 pdftops +</pre><p> +<a class="indexterm" name="id403971"></a> + This means that the <em class="parameter"><code>pdftops</code></em> filter will take + <em class="parameter"><code>application/pdf</code></em> as input and produce + <em class="parameter"><code>application/postscript</code></em> as output; the virtual + cost of this operation is 33 CUPS-$. The next filter is more + expensive, costing 66 CUPS-$: + <a class="indexterm" name="id403997"></a> +</p><pre class="programlisting"> +application/vnd.hp-HPGL application/postscript 66 hpgltops +</pre><p> +<a class="indexterm" name="id404010"></a> + This is the <em class="parameter"><code>hpgltops</code></em>, which processes HP-GL + plotter files to PostScript. + <a class="indexterm" name="id404023"></a> +</p><pre class="programlisting"> +application/octet-stream +</pre><p> + Here are two more examples: + <a class="indexterm" name="id404036"></a> +<a class="indexterm" name="id404043"></a> +<a class="indexterm" name="id404050"></a> +<a class="indexterm" name="id404057"></a> +</p><pre class="programlisting"> +application/x-shell application/postscript 33 texttops +text/plain application/postscript 33 texttops +</pre><p> +<a class="indexterm" name="id404070"></a> + The last two examples name the <em class="parameter"><code>texttops</code></em> filter to work on + <em class="parameter"><code>text/plain</code></em> as well as on <em class="parameter"><code>application/x-shell</code></em>. (Hint: This + differentiation is needed for the syntax highlighting feature of <em class="parameter"><code>texttops</code></em>). + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id404104"></a>Filtering Overview</h3></div></div></div><p> + <a class="indexterm" name="id404112"></a> + There are many more combinations named in <code class="filename">mime.convs</code>. However, you are not limited to use + the ones predefined there. You can plug in any filter you like to the CUPS framework. It must meet, or must be + made to meet, some minimal requirements. If you find (or write) a cool conversion filter of some kind, make + sure it complies with what CUPS needs and put in the right lines in <code class="filename">mime.types</code> and + <code class="filename">mime.convs</code>; then it will work seamlessly inside CUPS. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id404141"></a>Filter Requirements</h4></div></div></div><p> + The “<span class="quote">CUPS requirements</span>” for filters are simple. Take filenames or <code class="filename">stdin</code> as + input and write to <code class="filename">stdout</code>. They should take these arguments: + </p><div class="variablelist"><dl><dt><span class="term">printer</span></dt><dd><p> + The name of the printer queue (normally this is the name of the filter being run). + </p></dd><dt><span class="term">job</span></dt><dd><p> + The numeric job ID for the job being printed. + </p></dd><dt><span class="term">user</span></dt><dd><p> + The string from the originating-user-name attribute. + </p></dd><dt><span class="term">title</span></dt><dd><p> + The string from the job-name attribute. + </p></dd><dt><span class="term">copies</span></dt><dd><p> + The numeric value from the number-copies attribute. + </p></dd><dt><span class="term">options</span></dt><dd><p> + The job options. + </p></dd><dt><span class="term">filename</span></dt><dd><p> + (optionally) The print request file (if missing, filters expected data + fed through <code class="filename">stdin</code>). In most cases, it is easy to + write a simple wrapper script around existing filters to make them work with CUPS. + </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id404252"></a>Prefilters</h3></div></div></div><p> + <a class="indexterm" name="id404260"></a> +<a class="indexterm" name="id404267"></a> +<a class="indexterm" name="id404274"></a> + As previously stated, PostScript is the central file format to any UNIX-based + printing system. From PostScript, CUPS generates raster data to feed + non-PostScript printers. + </p><p> +<a class="indexterm" name="id404285"></a> +<a class="indexterm" name="id404292"></a> +<a class="indexterm" name="id404299"></a> +<a class="indexterm" name="id404306"></a> +<a class="indexterm" name="id404312"></a> +<a class="indexterm" name="id404319"></a> +<a class="indexterm" name="id404326"></a> +<a class="indexterm" name="id404332"></a> +<a class="indexterm" name="id404339"></a> +<a class="indexterm" name="id404346"></a> + But what happens if you send one of the supported non-PS formats to print? Then CUPS runs + “<span class="quote">prefilters</span>” on these input formats to generate PostScript first. There are prefilters to create + PostScript from ASCII text, PDF, DVI, or HP-GL. The outcome of these filters is always of MIME type + <em class="parameter"><code>application/postscript</code></em> (meaning that any device-specific print options are not yet + embedded into the PostScript by CUPS and that the next filter to be called is pstops). Another prefilter is + running on all supported image formats, the <em class="parameter"><code>imagetops</code></em> filter. Its outcome is always of + MIME type <em class="parameter"><code>application/vnd.cups-postscript</code></em> (not application/postscript), meaning it has + the print options already embedded into the file. This is shown in <a href="CUPS-printing.html#4small" title="Figure 22.4. Prefiltering in CUPS to Form PostScript.">Prefiltering in + CUPS to Form PostScript</a>. + </p><div class="figure"><a name="4small"></a><p class="title"><b>Figure 22.4. Prefiltering in CUPS to Form PostScript.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/4small.png" width="135" alt="Prefiltering in CUPS to Form PostScript."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id404429"></a>pstops</h3></div></div></div><p> +<a class="indexterm" name="id404437"></a> +<a class="indexterm" name="id404444"></a> +<a class="indexterm" name="id404451"></a> +<a class="indexterm" name="id404458"></a> +<a class="indexterm" name="id404464"></a> +<a class="indexterm" name="id404471"></a> +<a class="indexterm" name="id404478"></a> + <span class="emphasis"><em>pstops</em></span> is a filter that is used to convert <em class="parameter"><code>application/postscript</code></em> to + <em class="parameter"><code>application/vnd.cups-postscript</code></em>. As stated earlier, this filter inserts all + device-specific print options (commands to the printer to ask for the duplexing of output, or stapling and + punching it, and so on) into the PostScript file. An example is illustrated in <a href="CUPS-printing.html#5small" title="Figure 22.5. Adding Device-Specific Print Options.">Adding Device-Specific Print Options</a>. + </p><div class="figure"><a name="5small"></a><p class="title"><b>Figure 22.5. Adding Device-Specific Print Options.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/5small.png" width="135" alt="Adding Device-Specific Print Options."></div></div></div><br class="figure-break"><p> + This is not all. Other tasks performed by it are: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Selecting the range of pages to be printed (e.g., you can choose to + print only pages “<span class="quote">3, 6, 8-11, 16, and 19-21</span>”, or only odd-numbered + pages). + </p></li><li><p> + Putting two or more logical pages on one sheet of paper (the + so-called “<span class="quote">number-up</span>” function). + </p></li><li><p>Counting the pages of the job to insert the accounting + information into the <code class="filename">/var/log/cups/page_log</code>. + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id404588"></a>pstoraster</h3></div></div></div><p> +<a class="indexterm" name="id404596"></a> +<a class="indexterm" name="id404603"></a> +<a class="indexterm" name="id404610"></a> + <em class="parameter"><code>pstoraster</code></em> is at the core of the CUPS filtering system. It is responsible for the first + stage of the rasterization process. Its input is of MIME type application/vnd.cups-postscript; its output is + application/vnd.cups-raster. This output format is not yet meant to be printable. Its aim is to serve as a + general-purpose input format for more specialized <span class="emphasis"><em>raster drivers</em></span> that are able to + generate device-specific printer data. This is shown in <a href="CUPS-printing.html#cups-raster" title="Figure 22.6. PostScript to Intermediate Raster Format.">the PostScript to + Intermediate Raster Format diagram</a>. + </p><div class="figure"><a name="cups-raster"></a><p class="title"><b>Figure 22.6. PostScript to Intermediate Raster Format.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/6small.png" width="135" alt="PostScript to Intermediate Raster Format."></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="id404680"></a> +<a class="indexterm" name="id404687"></a> +<a class="indexterm" name="id404694"></a> +<a class="indexterm" name="id404701"></a> + CUPS raster is a generic raster format with powerful features. It is able to include per-page information, + color profiles, and more, to be used by the downstream raster drivers. Its MIME type is registered with IANA + and its specification is, of course, completely open. It is designed to make it quite easy and inexpensive for + manufacturers to develop Linux and UNIX raster drivers for their printer models should they choose to do so. + CUPS always takes care of the first stage of rasterization so these vendors do not need to care about + Ghostscript complications (in fact, there are currently more than one vendor financing the development of CUPS + raster drivers). This is illustrated in <a href="CUPS-printing.html#cups-raster2" title="Figure 22.7. CUPS-Raster Production Using Ghostscript.">the CUPS-Raster Production Using + Ghostscript illustration</a>. + </p><div class="figure"><a name="cups-raster2"></a><p class="title"><b>Figure 22.7. CUPS-Raster Production Using Ghostscript.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/7small.png" alt="CUPS-Raster Production Using Ghostscript."></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="id404765"></a> +<a class="indexterm" name="id404772"></a> +<a class="indexterm" name="id404779"></a> +<a class="indexterm" name="id404786"></a> + CUPS versions before version 1.1.15 shipped a binary (or source code) standalone filter, named + <em class="parameter"><code>pstoraster</code></em>. <em class="parameter"><code>pstoraster</code></em>, which was derived from GNU Ghostscript + 5.50 and could be installed instead of and in addition to any GNU or AFPL Ghostscript package without + conflicting. + </p><p> + Since version 1.1.15, this feature has changed. The functions for this filter have been integrated back + into Ghostscript (now based on GNU Ghostscript version 7.05). The <em class="parameter"><code>pstoraster</code></em> filter is + now a simple shell script calling <code class="literal">gs</code> with the <code class="literal">-sDEVICE=cups</code> parameter. + If your Ghostscript fails when this command is executed: <code class="literal">gs -h |grep cups</code>, you might not + be able to print, update your Ghostscript. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id404838"></a>imagetops and imagetoraster</h3></div></div></div><p> +<a class="indexterm" name="id404846"></a> +<a class="indexterm" name="id404853"></a> + In the section about prefilters, we mentioned the prefilter + that generates PostScript from image formats. The <em class="parameter"><code>imagetoraster</code></em> + filter is used to convert directly from image to raster, without the + intermediate PostScript stage. It is used more often than the previously + mentioned prefilters. We summarize in a flowchart the image file + filtering in <a href="CUPS-printing.html#small8" title="Figure 22.8. Image Format to CUPS-Raster Format Conversion.">the Image Format to CUPS-Raster Format Conversion illustration</a>. + </p><div class="figure"><a name="small8"></a><p class="title"><b>Figure 22.8. Image Format to CUPS-Raster Format Conversion.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/8small.png" alt="Image Format to CUPS-Raster Format Conversion."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id404918"></a>rasterto [printers specific]</h3></div></div></div><p> +<a class="indexterm" name="id404926"></a> +<a class="indexterm" name="id404933"></a> +<a class="indexterm" name="id404940"></a> +<a class="indexterm" name="id404947"></a> +<a class="indexterm" name="id404953"></a> +<a class="indexterm" name="id404960"></a> +<a class="indexterm" name="id404967"></a> +<a class="indexterm" name="id404974"></a> +<a class="indexterm" name="id404981"></a> +<a class="indexterm" name="id404987"></a> +<a class="indexterm" name="id404994"></a> + CUPS ships with quite a variety of raster drivers for processing CUPS raster. On my system, I find in + /usr/lib/cups/filter/ the following: <em class="parameter"><code>rastertoalps</code></em>, <em class="parameter"><code>rastertobj</code></em>, + <em class="parameter"><code>rastertoepson</code></em>, <em class="parameter"><code>rastertoescp</code></em>, <em class="parameter"><code>rastertopcl</code></em>, + <em class="parameter"><code>rastertoturboprint</code></em>, <em class="parameter"><code>rastertoapdk</code></em>, + <em class="parameter"><code>rastertodymo</code></em>, <em class="parameter"><code>rastertoescp</code></em>, <em class="parameter"><code>rastertohp</code></em>, + and <em class="parameter"><code>rastertoprinter</code></em>. Don't worry if you have fewer drivers than this; some of these are + installed by commercial add-ons to CUPS (like <em class="parameter"><code>rastertoturboprint</code></em>), and others (like + <em class="parameter"><code>rastertoprinter</code></em>) by third-party driver development projects (such as Gimp-Print) + wanting to cooperate as closely as possible with CUPS. See <a href="CUPS-printing.html#small9" title="Figure 22.9. Raster to Printer-Specific Formats.">the Raster to + Printer-Specific Formats illustration</a>. + </p><div class="figure"><a name="small9"></a><p class="title"><b>Figure 22.9. Raster to Printer-Specific Formats.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/9small.png" alt="Raster to Printer-Specific Formats."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id405130"></a>CUPS Backends</h3></div></div></div><p> +<a class="indexterm" name="id405138"></a> +<a class="indexterm" name="id405145"></a> + The last part of any CUPS filtering chain is a backend. Backends + are special programs that send the print-ready file to the final + device. There is a separate backend program for any transfer + protocol for sending print jobs over the network, and one for every local + interface. Every CUPS print queue needs to have a CUPS “<span class="quote">device-URI</span>” + associated with it. The device URI is the way to encode the backend + used to send the job to its destination. Network device-URIs use + two slashes in their syntax, local device URIs only one, as you can + see from the following list. Keep in mind that local interface names + may vary greatly from my examples, if your OS is not Linux: + </p><div class="variablelist"><dl><dt><span class="term">usb</span></dt><dd><p> + This backend sends print files to USB-connected printers. An + example for the CUPS device-URI to use is + <code class="filename">usb:/dev/usb/lp0</code>. + </p></dd><dt><span class="term">serial</span></dt><dd><p> + This backend sends print files to serially connected printers. + An example for the CUPS device-URI to use is + <code class="filename">serial:/dev/ttyS0?baud=11500</code>. + </p></dd><dt><span class="term">parallel</span></dt><dd><p> + This backend sends print files to printers connected to the + parallel port. An example for the CUPS device-URI to use is + <code class="filename">parallel:/dev/lp0</code>. + </p></dd><dt><span class="term">SCSI</span></dt><dd><p> + This backend sends print files to printers attached to the + SCSI interface. An example for the CUPS device-URI to use is + <code class="filename">scsi:/dev/sr1</code>. + </p></dd><dt><span class="term">lpd</span></dt><dd><p> + This backend sends print files to LPR/LPD-connected network + printers. An example for the CUPS device-URI to use is + <code class="filename">lpd://remote_host_name/remote_queue_name</code>. + </p></dd><dt><span class="term">AppSocket/HP JetDirect</span></dt><dd><p> + This backend sends print files to AppSocket (a.k.a., HP + JetDirect) connected network printers. An example for the CUPS + device-URI to use is + <code class="filename">socket://10.11.12.13:9100</code>. + </p></dd><dt><span class="term">ipp</span></dt><dd><p> + This backend sends print files to IPP-connected network + printers (or to other CUPS servers). Examples for CUPS device-URIs + to use are + <code class="filename">ipp:://192.193.194.195/ipp</code> + (for many HP printers) and + <code class="filename">ipp://remote_cups_server/printers/remote_printer_name</code>. + </p></dd><dt><span class="term">http</span></dt><dd><p> + This backend sends print files to HTTP-connected printers. + (The http:// CUPS backend is only a symlink to the ipp:// backend.) + Examples for the CUPS device-URIs to use are + <code class="filename">http:://192.193.194.195:631/ipp</code> + (for many HP printers) and + <code class="filename">http://remote_cups_server:631/printers/remote_printer_name</code>. + </p></dd><dt><span class="term">smb</span></dt><dd><p> + This backend sends print files to printers shared by a Windows + host. Examples of CUPS device-URIs that may be used includes: + </p><p> + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><code class="filename">smb://workgroup/server/printersharename</code></td></tr><tr><td><code class="filename">smb://server/printersharename</code></td></tr><tr><td><code class="filename">smb://username:password@workgroup/server/printersharename</code></td></tr><tr><td><code class="filename">smb://username:password@server/printersharename</code></td></tr></table><p> + </p><p> + The smb:// backend is a symlink to the Samba utility + <em class="parameter"><code>smbspool</code></em> (does not ship with CUPS). If the + symlink is not present in your CUPS backend directory, have your + root user create it: <code class="literal">ln -s `which smbspool' + /usr/lib/cups/backend/smb</code>. + </p></dd></dl></div><p> + It is easy to write your own backends as shell or Perl scripts if you + need any modification or extension to the CUPS print system. One + reason could be that you want to create “<span class="quote">special</span>” printers that send + the print jobs as email (through a “<span class="quote">mailto:/</span>” backend), convert them to + PDF (through a “<span class="quote">pdfgen:/</span>” backend) or dump them to “<span class="quote">/dev/null</span>”. (In + fact, I have the systemwide default printer set up to be connected to + a devnull:/ backend: there are just too many people sending jobs + without specifying a printer, and scripts and programs that do not name + a printer. The systemwide default deletes the job and sends a polite + email back to the $USER asking him or her to always specify the correct + printer name.) + </p><p> +<a class="indexterm" name="id405397"></a> +<a class="indexterm" name="id405404"></a> + Not all of the mentioned backends may be present on your system or + usable (depending on your hardware configuration). One test for all + available CUPS backends is provided by the <span class="emphasis"><em>lpinfo</em></span> + utility. Used with the <code class="option">-v</code> parameter, it lists + all available backends: + </p><pre class="screen"> + <code class="prompt">$ </code><strong class="userinput"><code>lpinfo -v</code></strong> + </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id405438"></a>The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></h3></div></div></div><p> + <a class="indexterm" name="id405451"></a> + <a class="indexterm" name="id405458"></a> +<a class="indexterm" name="id405464"></a> +<a class="indexterm" name="id405471"></a> +<a class="indexterm" name="id405478"></a> + <em class="parameter"><code>cupsomatic</code></em> filters may be the most widely used on CUPS + installations. You must be clear that these were not + developed by the CUPS people. They are a third-party add-on to + CUPS. They utilize the traditional Ghostscript devices to render jobs + for CUPS. When troubleshooting, you should know about the + difference. Here the whole rendering process is done in one stage, + inside Ghostscript, using an appropriate device for the target + printer. <em class="parameter"><code>cupsomatic</code></em> uses PPDs that are generated from the Foomatic + Printer & Driver Database at Linuxprinting.org. + </p><p> + You can recognize these PPDs from the line calling the + <em class="parameter"><code>cupsomatic</code></em> filter: +</p><pre class="programlisting"> +*cupsFilter: "application/vnd.cups-postscript 0 cupsomatic" +</pre><p> + You may find this line among the first 40 or so lines of the PPD + file. If you have such a PPD installed, the printer shows up in the + CUPS Web interface with a <em class="parameter"><code>foomatic</code></em> namepart for + the driver description. <em class="parameter"><code>cupsomatic</code></em> is a Perl script that runs + Ghostscript with all the complicated command-line options + autoconstructed from the selected PPD and command line options give to + the print job. + </p><p> + <a class="indexterm" name="id405535"></a> +<a class="indexterm" name="id405542"></a> +<a class="indexterm" name="id405549"></a> +<a class="indexterm" name="id405556"></a> +<a class="indexterm" name="id405562"></a> +<a class="indexterm" name="id405569"></a> +<a class="indexterm" name="id405576"></a> +<a class="indexterm" name="id405583"></a> +<a class="indexterm" name="id405590"></a> +<a class="indexterm" name="id405596"></a> +<a class="indexterm" name="id405603"></a> + However, <em class="parameter"><code>cupsomatic</code></em> is now deprecated. Its PPDs (especially the first + generation of them, still in heavy use out there) are not meeting the + Adobe specifications. You might also suffer difficulties when you try + to download them with “<span class="quote">Point'n'Print</span>” to Windows clients. A better + and more powerful successor is now in a stable beta-version: it is called <em class="parameter"><code>foomatic-rip</code></em>. To use + <em class="parameter"><code>foomatic-rip</code></em> as a filter with CUPS, you need the new type of PPDs, which + have a similar but different line: +</p><pre class="programlisting"> +*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip" +</pre><p> + The PPD-generating engine at Linuxprinting.org has been revamped. + The new PPDs comply with the Adobe spec. They also provide a + new way to specify different quality levels (hi-res photo, normal + color, grayscale, and draft) with a single click, whereas before you + could have required five or more different selections (media type, + resolution, inktype, and dithering algorithm). There is support for + custom-size media built in. There is support to switch + print options from page to page in the middle of a job. And the + best thing is that the new <code class="constant">foomatic-rip</code> works seamlessly with all + legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR, and so on), providing + for them access to use PPDs for their printing. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id405653"></a>The Complete Picture</h3></div></div></div><p> + If you want to see an overview of all the filters and how they + relate to each other, the complete picture of the puzzle is at the end + of this chapter. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id405664"></a><code class="filename">mime.convs</code></h3></div></div></div><p> + CUPS autoconstructs all possible filtering chain paths for any given + MIME type and every printer installed. But how does it decide in + favor of or against a specific alternative? (There may be cases + where there is a choice of two or more possible filtering chains for + the same target printer.) Simple. You may have noticed the figures in + the third column of the mime.convs file. They represent virtual costs + assigned to this filter. Every possible filtering chain will sum up to + a total “<span class="quote">filter cost.</span>” CUPS decides for the most “<span class="quote">inexpensive</span>” route. + </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +<a class="indexterm" name="id405692"></a> +<a class="indexterm" name="id405698"></a> + Setting <em class="parameter"><code>FilterLimit 1000</code></em> in + <code class="filename">cupsd.conf</code> will not allow more filters to + run concurrently than will consume a total of 1000 virtual filter + cost. This is an efficient way to limit the load of any CUPS + server by setting an appropriate “<span class="quote">FilterLimit</span>” value. A FilterLimit of + 200 allows roughly one job at a time, while a FilterLimit of 1000 allows + approximately five jobs maximum at a time. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id405726"></a>“<span class="quote">Raw</span>” Printing</h3></div></div></div><p> +<a class="indexterm" name="id405736"></a> +<a class="indexterm" name="id405742"></a> +<a class="indexterm" name="id405749"></a> + You can tell CUPS to print (nearly) any file “<span class="quote">raw</span>”. “<span class="quote">Raw</span>” means it will not be + filtered. CUPS will send the file to the printer “<span class="quote">as is</span>” without bothering if the printer is able + to digest it. Users need to take care themselves that they send sensible data formats only. Raw printing can + happen on any queue if the “<span class="quote"><em class="parameter"><code>-o raw</code></em></span>” option is specified on the command + line. You can also set up raw-only queues by simply not associating any PPD with it. This command: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>lpadmin -P rawprinter -v socket://11.12.13.14:9100 -E</code></strong> +</pre><p> + sets up a queue named “<span class="quote">rawprinter</span>”, connected via the “<span class="quote">socket</span>” protocol (a.k.a. + “<span class="quote">HP JetDirect</span>”) to the device at IP address 11.12.1.3.14, using port 9100. (If you had added a + PPD with <code class="literal">-P /path/to/PPD</code> to this command line, you would have installed a + “<span class="quote">normal</span>” print queue.) + </p><p> + CUPS will automatically treat each job sent to a queue as a “<span class="quote">raw</span>” one + if it can't find a PPD associated with the queue. However, CUPS will + only send known MIME types (as defined in its own mime.types file) and + refuse others. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id405826"></a>application/octet-stream Printing</h3></div></div></div><p> +<a class="indexterm" name="id405834"></a> +<a class="indexterm" name="id405840"></a> + Any MIME type with no rule in the <code class="filename">/etc/cups/mime.types</code> file is regarded as unknown + or <em class="parameter"><code>application/octet-stream</code></em> and will not be + sent. Because CUPS refuses to print unknown MIME types by default, + you will probably have experienced that print jobs originating + from Windows clients were not printed. You may have found an error + message in your CUPS logs like: + </p><p><code class="computeroutput"> + Unable to convert file 0 to printable format for job + </code></p><p> + To enable the printing of <em class="parameter"><code>application/octet-stream</code></em> files, edit + these two files: + </p><div class="itemizedlist"><ul type="disc"><li><p><code class="filename">/etc/cups/mime.convs</code></p></li><li><p><code class="filename">/etc/cups/mime.types</code></p></li></ul></div><p> +<a class="indexterm" name="id405901"></a> + Both contain entries (at the end of the respective files) that must be uncommented to allow raw mode + operation for <em class="parameter"><code>application/octet-stream</code></em>. In <code class="filename">/etc/cups/mime.types</code> + make sure this line is present: + <a class="indexterm" name="id405921"></a> +</p><pre class="programlisting"> +application/octet-stream +</pre><p> + This line (with no specific autotyping rule set) makes all files + not otherwise auto-typed a member of <em class="parameter"><code>application/octet-stream</code></em>. In + <code class="filename">/etc/cups/mime.convs</code>, have this + line: +</p><pre class="programlisting"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + <a class="indexterm" name="id405953"></a> + This line tells CUPS to use the <span class="emphasis"><em>Null Filter</em></span> + (denoted as “<span class="quote">-</span>”, doing nothing at all) on + <em class="parameter"><code>application/octet-stream</code></em>, and tag the result as + <em class="parameter"><code>application/vnd.cups-raw</code></em>. This last one is + always a green light to the CUPS scheduler to now hand the file over + to the backend connecting to the printer and sending it over. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Editing the <code class="filename">mime.convs</code> and the <code class="filename">mime.types</code> file does not + <span class="emphasis"><em>enforce</em></span> “<span class="quote">raw</span>” printing, it only <span class="emphasis"><em>allows</em></span> it. + </p></div><p><b>Background. </b> +<a class="indexterm" name="id406018"></a> +<a class="indexterm" name="id406024"></a> +<a class="indexterm" name="id406031"></a> +<a class="indexterm" name="id406038"></a> + That CUPS is a more security-aware printing system than traditional ones + does not by default allow one to send deliberate (possibly binary) + data to printing devices. (This could be easily abused to launch a + Denial of Service attack on your printer(s), causing at least the loss + of a lot of paper and ink.) “<span class="quote">Unknown</span>” data are regarded by CUPS + as <span class="emphasis"><em>MIME type</em></span> <span class="emphasis"><em>application/octet-stream</em></span>. While you + <span class="emphasis"><em>can</em></span> send data “<span class="quote">raw</span>”, the MIME type for these must + be one that is known to CUPS and allowed by it. The file + <code class="filename">/etc/cups/mime.types</code> defines the “<span class="quote">rules</span>” of how CUPS + recognizes MIME types. The file <code class="filename">/etc/cups/mime.convs</code> decides which file + conversion filter(s) may be applied to which MIME types. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id406086"></a>PostScript Printer Descriptions for Non-PostScript Printers</h3></div></div></div><p> + <a class="indexterm" name="id406094"></a> +<a class="indexterm" name="id406101"></a> +<a class="indexterm" name="id406108"></a> +<a class="indexterm" name="id406115"></a> +<a class="indexterm" name="id406121"></a> +<a class="indexterm" name="id406128"></a> + Originally PPDs were meant to be used for PostScript printers + only. Here, they help to send device-specific commands and settings + to the RIP, which processes the job file. CUPS has extended this + scope for PPDs to cover non-PostScript printers too. This was not + difficult, because it is a standardized file format. In a way + it was logical too: CUPS handles PostScript and uses a PostScript + RIP (Ghostscript) to process the job files. The only difference is that + a PostScript printer has the RIP built-in, for other types of + printers the Ghostscript RIP runs on the host computer. + </p><p> + PPDs for a non-PostScript printer have a few lines that are unique to + CUPS. The most important one looks similar to this: + <a class="indexterm" name="id406144"></a> +</p><pre class="programlisting"> +*cupsFilter: application/vnd.cups-raster 66 rastertoprinter +</pre><p> + It is the last piece in the CUPS filtering puzzle. This line tells the + CUPS daemon to use as a last filter <em class="parameter"><code>rastertoprinter</code></em>. This filter + should be served as input an <em class="parameter"><code>application/vnd.cups-raster</code></em> MIME type + file. Therefore, CUPS should autoconstruct a filtering chain, which + delivers as its last output the specified MIME type. This is then + taken as input to the specified <em class="parameter"><code>rastertoprinter</code></em> filter. After + the last filter has done its work (<em class="parameter"><code>rastertoprinter</code></em> is a Gimp-Print + filter), the file should go to the backend, which sends it to the + output device. + </p><p> + CUPS by default ships only a few generic PPDs, but they are good for + several hundred printer models. You may not be able to control + different paper trays, or you may get larger margins than your + specific model supports. See Table 21.1<a href="CUPS-printing.html#cups-ppds" title="Table 22.1. PPDs Shipped with CUPS">???</a> for summary information. + </p><div class="table"><a name="cups-ppds"></a><p class="title"><b>Table 22.1. PPDs Shipped with CUPS</b></p><div class="table-contents"><table summary="PPDs Shipped with CUPS" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">PPD file</th><th align="justify">Printer type</th></tr></thead><tbody><tr><td align="left">deskjet.ppd</td><td align="justify">older HP inkjet printers and compatible</td></tr><tr><td align="left">deskjet2.ppd</td><td align="justify">newer HP inkjet printers and compatible </td></tr><tr><td align="left">dymo.ppd</td><td align="justify">label printers </td></tr><tr><td align="left">epson9.ppd</td><td align="justify">Epson 24-pin impact printers and compatible </td></tr><tr><td align="left">epson24.ppd</td><td align="justify">Epson 24-pin impact printers and compatible </td></tr><tr><td align="left">okidata9.ppd</td><td align="justify">Okidata 9-pin impact printers and compatible </td></tr><tr><td align="left">okidat24.ppd</td><td align="justify">Okidata 24-pin impact printers and compatible </td></tr><tr><td align="left">stcolor.ppd</td><td align="justify">older Epson Stylus Color printers </td></tr><tr><td align="left">stcolor2.ppd</td><td align="justify">newer Epson Stylus Color printers </td></tr><tr><td align="left">stphoto.ppd</td><td align="justify">older Epson Stylus Photo printers </td></tr><tr><td align="left">stphoto2.ppd</td><td align="justify">newer Epson Stylus Photo printers </td></tr><tr><td align="left">laserjet.ppd</td><td align="justify">all PCL printers </td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id406350"></a><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>Native CUPS</em></span> Printing</h3></div></div></div><p> + <a class="indexterm" name="id406364"></a> + <a class="indexterm" name="id406371"></a> + Native CUPS rasterization works in two steps: + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id406384"></a> + First is the <em class="parameter"><code>pstoraster</code></em> step. It uses the special CUPS + <a class="indexterm" name="id406398"></a> + device from ESP Ghostscript 7.05.x as its tool. + </p></li><li><p> + Second is the <em class="parameter"><code>rasterdriver</code></em> step. It uses various + device-specific filters; there are several vendors who provide good + quality filters for this step. Some are free software, some are + shareware, and some are proprietary. + </p></li></ul></div><p> + Often this produces better quality (and has several more advantages) than other methods. + This is shown in <a href="CUPS-printing.html#cupsomatic-dia" title="Figure 22.10. cupsomatic/foomatic Processing Versus Native CUPS."> the cupsomatic/foomatic Processing Versus Native CUPS + illustration</a>. + </p><div class="figure"><a name="cupsomatic-dia"></a><p class="title"><b>Figure 22.10. cupsomatic/foomatic Processing Versus Native CUPS.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/10small.png" alt="cupsomatic/foomatic Processing Versus Native CUPS."></div></div></div><br class="figure-break"><p> + One other method is the <em class="parameter"><code>cupsomatic/foomatic-rip</code></em> + way. Note that <em class="parameter"><code>cupsomatic</code></em> is <span class="emphasis"><em>not</em></span> made by the CUPS + developers. It is an independent contribution to printing development, + made by people from Linuxprinting.org.<sup>[<a name="id406492" href="#ftn.id406492">6</a>]</sup> + <em class="parameter"><code>cupsomatic</code></em> is no longer developed, maintained, or supported. It now been + replaced by <em class="parameter"><code>foomatic-rip</code></em>. <em class="parameter"><code>foomatic-rip</code></em> is a complete rewrite + of the old <em class="parameter"><code>cupsomatic</code></em> idea, but very much improved and generalized to + other (non-CUPS) spoolers. An upgrade to <em class="parameter"><code>foomatic-rip</code></em> is strongly + advised, especially if you are upgrading to a recent version of CUPS, + too. + </p><p> + <a class="indexterm" name="id406539"></a> + <a class="indexterm" name="id406546"></a> + Like the old <em class="parameter"><code>cupsomatic</code></em> method, the <em class="parameter"><code>foomatic-rip</code></em> (new) method + from Linuxprinting.org uses the traditional Ghostscript print file processing, doing everything in a single + step. It therefore relies on all the other devices built into Ghostscript. The quality is as good (or bad) as + Ghostscript rendering is in other spoolers. The advantage is that this method supports many printer models not + supported (yet) by the more modern CUPS method. + </p><p> + Of course, you can use both methods side by side on one system (and even for one printer, if you set up + different queues) and find out which works best for you. + </p><p> +<a class="indexterm" name="id406576"></a> +<a class="indexterm" name="id406583"></a> +<a class="indexterm" name="id406589"></a> +<a class="indexterm" name="id406596"></a> +<a class="indexterm" name="id406603"></a> +<a class="indexterm" name="id406610"></a> + <em class="parameter"><code>cupsomatic</code></em> kidnaps the print file after the + <em class="parameter"><code>application/vnd.cups-postscript</code></em> stage and deviates it through the CUPS-external, + systemwide Ghostscript installation. Therefore, the print file bypasses the <em class="parameter"><code>pstoraster</code></em> + filter (and also bypasses the CUPS raster drivers <em class="parameter"><code>rastertosomething</code></em>). After Ghostscript + finished its rasterization, <em class="parameter"><code>cupsomatic</code></em> hands the rendered file directly to the CUPS + backend. <a href="CUPS-printing.html#cupsomatic-dia" title="Figure 22.10. cupsomatic/foomatic Processing Versus Native CUPS.">cupsomatic/foomatic Processing Versus Native + CUPS</a>, illustrates the difference between native CUPS rendering and the + <em class="parameter"><code>Foomatic/cupsomatic</code></em> method. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id406664"></a>Examples for Filtering Chains</h3></div></div></div><p> + Here are a few examples of commonly occurring filtering chains to + illustrate the workings of CUPS. + </p><p> +<a class="indexterm" name="id406676"></a> +<a class="indexterm" name="id406683"></a> +<a class="indexterm" name="id406690"></a> +<a class="indexterm" name="id406697"></a> + Assume you want to print a PDF file to an HP JetDirect-connected + PostScript printer, but you want to print pages 3-5, 7, and 11-13 + only, and you want to print them “<span class="quote">two-up</span>” and “<span class="quote">duplex</span>”: + </p><div class="itemizedlist"><ul type="disc"><li><p>Your print options (page selection as required, two-up, + duplex) are passed to CUPS on the command line.</p></li><li><p>The (complete) PDF file is sent to CUPS and autotyped as + <em class="parameter"><code>application/pdf</code></em>.</p></li><li><p>The file therefore must first pass the + <em class="parameter"><code>pdftops</code></em> prefilter, which produces PostScript + MIME type <em class="parameter"><code>application/postscript</code></em> (a preview here + would still show all pages of the original PDF).</p></li><li><p>The file then passes the <em class="parameter"><code>pstops</code></em> + filter that applies the command-line options: it selects pages + 2-5, 7, and 11-13, creates the imposed layout “<span class="quote">two pages on one sheet</span>”, and + inserts the correct “<span class="quote">duplex</span>” command (as defined in the printer's + PPD) into the new PostScript file; the file is now of PostScript MIME + type + <em class="parameter"><code>application/vnd.cups-postscript</code></em>.</p></li><li><p>The file goes to the <em class="parameter"><code>socket</code></em> + backend, which transfers the job to the printers.</p></li></ul></div><p> + The resulting filter chain, therefore, is as shown in <a href="CUPS-printing.html#pdftosocket" title="Figure 22.11. PDF to Socket Chain.">the PDF to socket chain + illustration</a>. + </p><a class="indexterm" name="id406798"></a><div class="figure"><a name="pdftosocket"></a><p class="title"><b>Figure 22.11. PDF to Socket Chain.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/pdftosocket.png" alt="PDF to Socket Chain."></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="id406847"></a> +<a class="indexterm" name="id406854"></a> +<a class="indexterm" name="id406860"></a> + Assume you want to print the same filter to an USB-connected Epson Stylus Photo Printer installed with the CUPS + <code class="filename">stphoto2.ppd</code>. The first few filtering stages are nearly the same: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Your print options (page selection as required, two-up, + duplex) are passed to CUPS on the command line. + </p></li><li><p> + The (complete) PDF file is sent to CUPS and autotyped as + <em class="parameter"><code>application/pdf</code></em>. + </p></li><li><p> +<a class="indexterm" name="id406897"></a> +<a class="indexterm" name="id406904"></a> + The file must first pass the <em class="parameter"><code>pdftops</code></em> prefilter, which produces PostScript + MIME type <em class="parameter"><code>application/postscript</code></em> (a preview here would still show all + pages of the original PDF). + </p></li><li><p> +<a class="indexterm" name="id406928"></a> +<a class="indexterm" name="id406935"></a> + The file then passes the “<span class="quote">pstops</span>” filter that applies + the command-line options: it selects the pages 2-5, 7, and 11-13, + creates the imposed layout “<span class="quote">two pages on one sheet,</span>” and inserts the + correct “<span class="quote">duplex</span>” command (oops this printer and PPD + do not support duplex printing at all, so this option will + be ignored) into the new PostScript file; the file is now of PostScript + MIME type <em class="parameter"><code>application/vnd.cups-postscript</code></em>. + </p></li><li><p> + The file then passes the <em class="parameter"><code>pstoraster</code></em> stage and becomes MIME type + <em class="parameter"><code>application/cups-raster</code></em>. + </p></li><li><p> +<a class="indexterm" name="id406985"></a> + Finally, the <em class="parameter"><code>rastertoepson</code></em> filter + does its work (as indicated in the printer's PPD), creating the + printer-specific raster data and embedding any user-selected + print options into the print data stream. + </p></li><li><p> + The file goes to the <em class="parameter"><code>usb</code></em> backend, which transfers the job to the printers. + </p></li></ul></div><p> + The resulting filter chain therefore is as shown in <a href="CUPS-printing.html#pdftoepsonusb" title="Figure 22.12. PDF to USB Chain.">the PDF to USB Chain + illustration</a>. + </p><div class="figure"><a name="pdftoepsonusb"></a><p class="title"><b>Figure 22.12. PDF to USB Chain.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/pdftoepsonusb.png" alt="PDF to USB Chain."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407066"></a>Sources of CUPS Drivers/PPDs</h3></div></div></div><p> + On the Internet you can now find many thousands of CUPS-PPD files + (with their companion filters), in many national languages + supporting more than 1,000 non-PostScript models. + </p><div class="itemizedlist"><a class="indexterm" name="id407079"></a><a class="indexterm" name="id407088"></a><ul type="disc"><li><p> + <a href="http://www.easysw.com/printpro/" target="_top">ESP PrintPro</a> + (commercial, non-free) is packaged with more than 3,000 PPDs, ready for + successful use “<span class="quote">out of the box</span>” on Linux, Mac OS X, IBM-AIX, + HP-UX, Sun-Solaris, SGI-IRIX, Compaq Tru64, Digital UNIX, and + other commercial Unices (it is written by the CUPS developers + themselves and its sales help finance the further development of + CUPS, as they feed their creators). + </p></li><li><p> + The <a href="http://gimp-print.sourceforge.net/" target="_top">Gimp-Print Project</a> + (GPL, free software) provides around 140 PPDs (supporting nearly 400 printers, many driven + to photo quality output), to be used alongside the Gimp-Print CUPS filters. + </p></li><li><p> + <a href="http://www.turboprint.de/english.html/" target="_top">TurboPrint </a> (shareware, non-free) supports + roughly the same number of printers in excellent quality. + </p></li><li><p> + <a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">OMNI </a> + (LPGL, free) is a package made by IBM, now containing support for more + than 400 printers, stemming from the inheritance of IBM OS/2 know-how + ported over to Linux (CUPS support is in a beta stage at present). + </p></li><li><p> + <a href="http://hpinkjet.sourceforge.net/" target="_top">HPIJS </a> (BSD-style licenses, free) + supports approximately 150 of HP's own printers and also provides + excellent print quality now (currently available only via the Foomatic path). + </p></li><li><p> + <a href="http://www.linuxprinting.org/" target="_top">Foomatic/cupsomatic </a> + (LPGL, free) from Linuxprinting.org provide PPDs for practically every Ghostscript + filter known to the world (including Omni, Gimp-Print, and HPIJS). + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407175"></a>Printing with Interface Scripts</h3></div></div></div><p> +<a class="indexterm" name="id407182"></a> +<a class="indexterm" name="id407189"></a> + CUPS also supports the use of “<span class="quote">interface scripts</span>” as known from + System V AT&T printing systems. These are often used for PCL + printers, from applications that generate PCL print jobs. Interface + scripts are specific to printer models. They have a role similar to + PPDs for PostScript printers. Interface scripts may inject the Escape + sequences as required into the print data stream if the user, for example, selects + a certain paper tray, or changes paper orientation, or uses A3 + paper. Interface scripts are practically unknown in the Linux + realm. On HP-UX platforms they are more often used. You can use any + working interface script on CUPS too. Just install the printer with + the <code class="literal">-i</code> option: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p pclprinter -v socket://11.12.13.14:9100 \ + -i /path/to/interface-script</code></strong> +</pre><p> + Interface scripts might be the “<span class="quote">unknown animal</span>” to many. However, + with CUPS they provide the easiest way to plug in your own custom-written filtering + script or program into one specific print queue (some information about the traditional + use of interface scripts is found at + <a href="http://playground.sun.com/printing/documentation/interface.html" target="_top"> + http://playground.sun.com/printing/documentation/interface.html</a>). + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id407253"></a>Network Printing (Purely Windows)</h2></div></div></div><p> +Network printing covers a lot of ground. To understand what exactly +goes on with Samba when it is printing on behalf of its Windows +clients, let's first look at a “<span class="quote">purely Windows</span>” setup: Windows clients +with a Windows NT print server. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407268"></a>From Windows Clients to an NT Print Server</h3></div></div></div><p> +Windows clients printing to an NT-based print server have two +options. They may: +<a class="indexterm" name="id407277"></a> +<a class="indexterm" name="id407283"></a> +</p><div class="itemizedlist"><ul type="disc"><li><p>Execute the driver locally and render the GDI output + (EMF) into the printer-specific format on their own. + </p></li><li><p>Send the GDI output (EMF) to the server, where the + driver is executed to render the printer-specific output. + </p></li></ul></div><p> +Both print paths are shown in the flowcharts in <a href="CUPS-printing.html#small11" title="Figure 22.13. Print Driver Execution on the Client."> +Print Driver Execution on the Client</a>, and +<a href="CUPS-printing.html#small12" title="Figure 22.14. Print Driver Execution on the Server.">Print Driver Execution on the Server</a>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407326"></a>Driver Execution on the Client</h3></div></div></div><p> +In the first case, the print server must spool the file as raw, meaning it shouldn't touch the job file and try +to convert it in any way. This is what a traditional UNIX-based print server can do too, and at a better +performance and more reliably than an NT print server. This is what most Samba administrators probably are +familiar with. One advantage of this setup is that this “<span class="quote">spooling-only</span>” print server may be used +even if no driver(s) for UNIX is available. It is sufficient to have the Windows client drivers available and +installed on the clients. This is illustrated in <a href="CUPS-printing.html#small11" title="Figure 22.13. Print Driver Execution on the Client.">the Print Driver Execution on the +Client diagram</a>. +</p><div class="figure"><a name="small11"></a><p class="title"><b>Figure 22.13. Print Driver Execution on the Client.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/11small.png" alt="Print Driver Execution on the Client."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407391"></a>Driver Execution on the Server</h3></div></div></div><p> +<a class="indexterm" name="id407399"></a> +<a class="indexterm" name="id407406"></a> +<a class="indexterm" name="id407412"></a> +<a class="indexterm" name="id407419"></a> +<a class="indexterm" name="id407425"></a> +The other path executes the printer driver on the server. The client transfers print files in EMF format to +the server. The server uses the PostScript, PCL, ESC/P, or other driver to convert the EMF file into the +printer-specific language. It is not possible for UNIX to do the same. Currently, there is no program or +method to convert a Windows client's GDI output on a UNIX server into something a printer could understand. +This is illustrated in <a href="CUPS-printing.html#small12" title="Figure 22.14. Print Driver Execution on the Server.">the Print Driver Execution on the Server diagram</a>. +</p><div class="figure"><a name="small12"></a><p class="title"><b>Figure 22.14. Print Driver Execution on the Server.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/12small.png" alt="Print Driver Execution on the Server."></div></div></div><br class="figure-break"><p> +However, something similar is possible with CUPS, so read on. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id407490"></a>Network Printing (Windows Clients and UNIX/Samba Print +Servers)</h2></div></div></div><p> +Since UNIX print servers <span class="emphasis"><em>cannot</em></span> execute the Win32 +program code on their platform, the picture is somewhat +different. However, this does not limit your options all that +much. On the contrary, you may have a way here to implement printing +features that are not possible otherwise. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407506"></a>From Windows Clients to a CUPS/Samba Print Server</h3></div></div></div><p> +Here is a simple recipe showing how you can take advantage of CUPS's +powerful features for the benefit of your Windows network printing +clients: +</p><div class="itemizedlist"><ul type="disc"><li><p>Let the Windows clients send PostScript to the CUPS + server.</p></li><li><p>Let the CUPS server render the PostScript into device-specific raster format.</p></li></ul></div><p> +This requires the clients to use a PostScript driver (even if the +printer is a non-PostScript model. It also requires that you have a +driver on the CUPS server. +</p><p> +First, to enable CUPS-based printing through Samba, the following options should be set in your <code class="filename">smb.conf</code> +file <em class="parameter"><code>[global]</code></em> section: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id407555"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id407568"></a><em class="parameter"><code>printcap = cups</code></em></td></tr></table><p> +When these parameters are specified, all manually set print directives (like <a class="indexterm" name="id407583"></a>print command or <a class="indexterm" name="id407590"></a>lppause command) in <code class="filename">smb.conf</code> (as well as in Samba itself) will be +ignored. Instead, Samba will directly interface with CUPS through its application program interface (API), as +long as Samba has been compiled with CUPS library (libcups) support. If Samba has not been compiled with CUPS +support, and if no other print commands are set up, then printing will use the <span class="emphasis"><em>System V</em></span> +AT&T command set, with the -oraw option automatically passing through (if you want your own defined print +commands to work with a Samba server that has CUPS support compiled in, simply use <a class="indexterm" name="id407613"></a>classicalprinting = sysv). This is illustrated in <a href="CUPS-printing.html#13small" title="Figure 22.15. Printing via CUPS/Samba Server.">the Printing via +CUPS/Samba Server diagram</a>. +</p><div class="figure"><a name="13small"></a><p class="title"><b>Figure 22.15. Printing via CUPS/Samba Server.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/13small.png" alt="Printing via CUPS/Samba Server."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407671"></a>Samba Receiving Job-Files and Passing Them to CUPS</h3></div></div></div><p> +Samba <span class="emphasis"><em>must</em></span> use its own spool directory (it is set by a line similar to <a class="indexterm" name="id407683"></a>path = /var/spool/samba, in the <em class="parameter"><code>[printers]</code></em> or <em class="parameter"><code>[printername]</code></em> section of <code class="filename">smb.conf</code>). Samba receives the job in its own spool space and passes it +into the spool directory of CUPS (the CUPS spool directory is set by the <em class="parameter"><code>RequestRoot</code></em> +directive in a line that defaults to <em class="parameter"><code>RequestRoot /var/spool/cups</code></em>). CUPS checks the +access rights of its spool directory and resets it to healthy values with every restart. We have seen quite a +few people who used a common spooling space for Samba and CUPS, and struggled for weeks with this +“<span class="quote">problem.</span>” +</p><p> +A Windows user authenticates only to Samba (by whatever means is +configured). If Samba runs on the same host as CUPS, you only need to +allow “<span class="quote">localhost</span>” to print. If it runs on different machines, you +need to make sure the Samba host gets access to printing on CUPS. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id407739"></a>Network PostScript RIP</h2></div></div></div><p> +This section discusses the use of CUPS filters on the server configuration where +clients make use of a PostScript driver with CUPS-PPDs. +</p><p> +<a class="indexterm" name="id407754"></a> +<a class="indexterm" name="id407761"></a> +<a class="indexterm" name="id407768"></a> +PPDs can control all print device options. They are usually provided by the manufacturer if you own +a PostScript printer, that is. PPD files are always a component of PostScript printer drivers on MS Windows or +Apple Mac OS systems. They are ASCII files containing user-selectable print options, mapped to appropriate +PostScript, PCL, or PJL commands for the target printer. Printer driver GUI dialogs translate these options +“<span class="quote">on the fly</span>” into buttons and drop-down lists for the user to select. +</p><p> +CUPS can load, without any conversions, the PPD file from any Windows (NT is recommended) PostScript driver +and handle the options. There is a Web browser interface to the print options (select <a href="http://localhost:631/printers/" target="_top">http://localhost:631/printers/</a> and click on one +<span class="guibutton">Configure Printer</span> button to see it) or a command-line interface (see <code class="literal">man +lpoptions</code> or see if you have <code class="literal">lphelp</code> on your system). There are also some +different GUI front-ends on Linux/UNIX, which can present PPD options to users. PPD options are normally meant +to be evaluated by the PostScript RIP on the real PostScript printer. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407819"></a>PPDs for Non-PS Printers on UNIX</h3></div></div></div><p> +<a class="indexterm" name="id407827"></a> +CUPS does not limit itself to “<span class="quote">real</span>” PostScript printers in its use of PPDs. The CUPS developers +have extended the scope of the PPD concept to also describe available device and driver options for +non-PostScript printers through CUPS-PPDs. +</p><p> +This is logical, because CUPS includes a fully featured PostScript interpreter (RIP). This RIP is based on +Ghostscript. It can process all received PostScript (and additionally many other file formats) from clients. +All CUPS-PPDs geared to non-PostScript printers contain an additional line, starting with the keyword +<em class="parameter"><code>*cupsFilter</code></em>. This line tells the CUPS print system which printer-specific filter to use +for the interpretation of the supplied PostScript. Thus CUPS lets all its printers appear as PostScript +devices to its clients, because it can act as a PostScript RIP for those printers, processing the received +PostScript code into a proper raster print format. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407856"></a>PPDs for Non-PS Printers on Windows</h3></div></div></div><p> +<a class="indexterm" name="id407864"></a> +CUPS-PPDs can also be used on Windows clients, on top of a “<span class="quote">core</span>” PostScript driver (now +recommended is the CUPS PostScript Driver for Windows NT/200x/XP; you can also use the Adobe one, with +limitations). This feature enables CUPS to do a few tricks no other spooler can do: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Act as a networked PostScript RIP handling print files from all client platforms in a uniform way. + </p></li><li><p> + Act as a central accounting and billing server, since all files are passed through the pstops filter and are therefore + logged in the CUPS <code class="filename">page_log</code> file. <span class="emphasis"><em>Note:</em></span> this cannot happen with + “<span class="quote">raw</span>” print jobs, which always remain unfiltered per definition. + </p></li><li><p> + Enable clients to consolidate on a single PostScript driver, even for many different target printers. + </p></li></ul></div><p> +Using CUPS PPDs on Windows clients enables them to control all print job settings just as a UNIX client can do. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id407917"></a>Windows Terminal Servers (WTS) as CUPS Clients</h2></div></div></div><p> +This setup may be of special interest to people experiencing major problems in WTS environments. WTS often +need a multitude of non-PostScript drivers installed to run their clients' variety of different printer +models. This often imposes the price of much increased instability. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407928"></a>Printer Drivers Running in “<span class="quote">Kernel Mode</span>” Cause Many +Problems</h3></div></div></div><p> +Windows NT printer drivers, which run in “<span class="quote">kernel mode</span>”, introduce a high risk for the stability +of the system if the driver is not really stable and well-tested. And there are a lot of bad drivers out +there! Especially notorious is the example of the PCL printer driver that had an additional sound module +running to notify users via soundcard of their finished jobs. Do I need to say that this one was also reliably +causing “<span class="quote">blue screens of death</span>” on a regular basis? +</p><p> +PostScript drivers are generally well-tested. They are not known to cause any problems, even though they also +run in kernel mode. This might be because until now there have been only two different PostScript drivers: the +one from Adobe and the one from Microsoft. Both are well-tested and are as stable as you can imagine on +Windows. The CUPS driver is derived from the Microsoft one. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407959"></a>Workarounds Impose Heavy Limitations</h3></div></div></div><p> +In an attempt to work around problems, site administrators have resorted to restricting the +allowed drivers installed on their WTS to one generic PCL and one PostScript driver. This, however, restricts +the number of printer options available for clients to use. Often they can't get out more than simplex +prints from one standard paper tray, while their devices could do much better if driven by a different driver! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id407973"></a>CUPS: A “<span class="quote">Magical Stone</span>”?</h3></div></div></div><p> +<a class="indexterm" name="id407984"></a> +<a class="indexterm" name="id407991"></a> +Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very elegant way to overcome all these +shortcomings. There are, depending on the version of Windows OS you use, up to three different PostScript +drivers now available: Adobe, Microsoft, and CUPS PostScript drivers. None of them is known to cause major +stability problems on WTS (even if used with many different PPDs). The clients will be able to (again) choose +paper trays, duplex printing, and other settings. However, there is a certain price for this too: a CUPS +server acting as a PostScript RIP for its clients requires more CPU and RAM than when just acting as a +“<span class="quote">raw spooling</span>” device. Plus, this setup is not yet widely tested, although the first feedbacks +look very promising. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408015"></a>PostScript Drivers with No Major Problems, Even in Kernel +Mode</h3></div></div></div><p> +<a class="indexterm" name="id408023"></a> +<a class="indexterm" name="id408030"></a> +<a class="indexterm" name="id408037"></a> +<a class="indexterm" name="id408043"></a> +<a class="indexterm" name="id408050"></a> +<a class="indexterm" name="id408057"></a> +More recent printer drivers on W200x and XP no longer run in kernel mode (unlike Windows NT). However, both +operating systems can still use the NT drivers, running in kernel mode (you can roughly tell which is which as +the drivers in subdirectory “<span class="quote">2</span>” of “<span class="quote">W32X86</span>” are “<span class="quote">old</span>” ones). As was +said before, the Adobe as well as the Microsoft PostScript drivers are not known to cause any stability +problems. The CUPS driver is derived from the Microsoft one. There is a simple reason for this: the MS DDK +(Device Development Kit) for Windows NT (which used to be available at no cost to licensees of Visual Studio) +includes the source code of the Microsoft driver, and licensees of Visual Studio are allowed to use and modify +it for their own driver development efforts. This is what the CUPS people have done. The license does not +allow them to publish the whole of the source code. However, they have released the “<span class="quote">diff</span>” under +the GPL, and if you are the owner of an “<span class="quote">MS DDK for Windows NT,</span>” you can check the driver +yourself. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id408093"></a>Configuring CUPS for Driver Download</h2></div></div></div><p> +As we have said before, all previously known methods to prepare client printer drivers on the Samba server for +download and Point'n'Print convenience of Windows workstations are working with CUPS, too. These methods were +described in <a href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing</a>. In reality, this is a pure Samba +business and relates only to the Samba-Windows client relationship. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408112"></a><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</h3></div></div></div><p> +<a class="indexterm" name="id408122"></a> +The <em class="parameter"><code>cupsaddsmb</code></em> utility (shipped with all current CUPS versions) is an alternative +method to transfer printer drivers into the Samba <em class="parameter"><code>[print$]</code></em> share. Remember, this +share is where clients expect drivers deposited and set up for download and installation. It makes the sharing +of any (or all) installed CUPS printers quite easy. <code class="literal">cupsaddsmb</code> can use the Adobe PostScript +driver as well as the newly developed CUPS PostScript driver for Windows NT/200x/XP. +<em class="parameter"><code>cupsaddsmb</code></em> does <span class="emphasis"><em>not</em></span> work with arbitrary vendor printer drivers, +but only with the <span class="emphasis"><em>exact</em></span> driver files that are named in its man page. +</p><p> +The CUPS printer driver is available from the CUPS download site. Its package name is +<code class="filename">cups-samba-[version].tar.gz</code>. It is preferred over the Adobe drivers because it has a +number of advantages: +</p><div class="itemizedlist"><ul type="disc"><li><p>It supports a much more accurate page accounting.</p></li><li><p>It supports banner pages and page labels on all printers.</p></li><li><p>It supports the setting of a number of job IPP attributes + (such as job priority, page label, and job billing).</p></li></ul></div><p> +However, currently only Windows NT, 2000, and XP are supported by the +CUPS drivers. You will also need to get the respective part of the Adobe driver +if you need to support Windows 95, 98, and Me clients. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408200"></a>Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></h3></div></div></div><p> +Prior to running <code class="literal">cupsaddsmb</code>, you need the settings in +<code class="filename">smb.conf</code> as shown in <a href="CUPS-printing.html#cupsadd-ex" title="Example 22.3. smb.conf for cupsaddsmb Usage">the <code class="filename">smb.conf</code> for cupsaddsmb Usage</a>. +</p><div class="example"><a name="cupsadd-ex"></a><p class="title"><b>Example 22.3. smb.conf for cupsaddsmb Usage</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id408268"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td><a class="indexterm" name="id408281"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id408293"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id408315"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id408327"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id408340"></a><em class="parameter"><code>browseable = no</code></em></td></tr><tr><td><a class="indexterm" name="id408352"></a><em class="parameter"><code>public = yes</code></em></td></tr><tr><td># setting depends on your requirements</td></tr><tr><td><a class="indexterm" name="id408368"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id408381"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id408394"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id408406"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id408428"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id408440"></a><em class="parameter"><code>path = /etc/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id408453"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id408465"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id408478"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id408490"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408505"></a>CUPS “<span class="quote">PostScript Driver for Windows NT/200x/XP</span>”</h3></div></div></div><p> +<a class="indexterm" name="id408516"></a> +CUPS users may get the exact same package from <a href="http://www.cups.org/software.html" target="_top">http://www.cups.org/software.html</a>. It is a separate package +from the CUPS-based software files, tagged as CUPS 1.1.x Windows NT/200x/XP Printer Driver for Samba (tar.gz, +192k). The filename to download is <code class="filename">cups-samba-1.1.x.tar.gz</code>. Upon untar and unzipping, it +will reveal these files: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>tar xvzf cups-samba-1.1.19.tar.gz</code></strong> +cups-samba.install +cups-samba.license +cups-samba.readme +cups-samba.remove +cups-samba.ss +</pre><p> +<a class="indexterm" name="id408558"></a> +<a class="indexterm" name="id408567"></a> +These have been packaged with the ESP meta-packager software EPM. The <code class="filename">*.install</code> and +<code class="filename">*.remove</code> files are simple shell scripts, which untar the <code class="filename">*.ss</code> (the +<code class="filename">*.ss</code> is nothing else but a tar archive, which can be untarred by “<span class="quote">tar</span>” too). +Then it puts the content into <code class="filename">/usr/share/cups/drivers/</code>. This content includes three +files: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>tar tv cups-samba.ss</code></strong> +cupsdrvr.dll +cupsui.dll +cups.hlp +</pre><p> +The <em class="parameter"><code>cups-samba.install</code></em> shell scripts are easy to +handle: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>./cups-samba.install</code></strong> +[....] +Installing software... +Updating file permissions... +Running post-install commands... +Installation is complete. +</pre><p> +The script should automatically put the driver files into the +<code class="filename">/usr/share/cups/drivers/</code> directory: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/</code></strong> +</pre><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Due to a bug, one recent CUPS release puts the <code class="filename">cups.hlp</code> driver file +into<code class="filename">/usr/share/drivers/</code> instead of <code class="filename">/usr/share/cups/drivers/</code>. To work +around this, copy/move the file (after running the <code class="literal">./cups-samba.install</code> script) manually to +the correct place. +</p></div><p> +<a class="indexterm" name="id408710"></a> +This new CUPS PostScript driver is currently binary only, but free of charge. No complete source code is +provided (yet). The reason is that it has been developed with the help of the Microsoft DDK and compiled with +Microsoft Visual Studio 6. Driver developers are not allowed to distribute the whole of the source code as +free software. However, CUPS developers released the “<span class="quote">diff</span>” in source code under the GPL, so +anybody with a license for Visual Studio and a DDK will be able to compile for himself or herself. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408727"></a>Recognizing Different Driver Files</h3></div></div></div><p> +The CUPS drivers do not support the older Windows 95/98/Me, but only the Windows NT/2000/XP client. +</p><p>Windows NT, 2000, and XP are supported by:</p><div class="itemizedlist"><ul type="disc"><li><p>cups.hlp</p></li><li><p>cupsdrvr.dll</p></li><li><p>cupsui.dll</p></li></ul></div><p> +Adobe drivers are available for the older Windows 95/98/Me as well as +for Windows NT/2000/XP clients. The set of files is different from the +different platforms. +</p><p>Windows 95, 98, and ME are supported by:</p><div class="itemizedlist"><ul type="disc"><li><p>ADFONTS.MFM</p></li><li><p>ADOBEPS4.DRV</p></li><li><p>ADOBEPS4.HLP</p></li><li><p>DEFPRTR2.PPD</p></li><li><p>ICONLIB.DLL</p></li><li><p>PSMON.DLL</p></li></ul></div><p>Windows NT, 2000, and XP are supported by:</p><div class="itemizedlist"><ul type="disc"><li><p>ADOBEPS5.DLL</p></li><li><p>ADOBEPSU.DLL</p></li><li><p>ADOBEPSU.HLP</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id408820"></a> +If both the Adobe driver files and the CUPS driver files for the support of Windows NT/200x/XP are presently +installed on the server, the Adobe files will be ignored and the CUPS files will be used. If you prefer + for whatever reason to use Adobe-only drivers, move away the three CUPS driver files. +The Windows 9x/Me clients use the Adobe drivers in any case. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408838"></a>Acquiring the Adobe Driver Files</h3></div></div></div><p> +Acquiring the Adobe driver files seems to be unexpectedly difficult for many users. They are not available on +the Adobe Web site as single files, and the self-extracting and/or self-installing Windows-.exe is not easy to +locate either. You probably need to use the included native installer and run the installation process on one +client once. This will install the drivers (and one generic PostScript printer) locally on the client. When +they are installed, share the generic PostScript printer. After this, the client's <em class="parameter"><code>[print$]</code></em> share holds the Adobe files, which you can get with smbclient from the CUPS host. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408858"></a>ESP Print Pro PostScript Driver for Windows NT/200x/XP</h3></div></div></div><p> +<a class="indexterm" name="id408866"></a> +Users of the ESP Print Pro software are able to install the ESP print drivers package as an alternative to the +Adobe PostScript drivers. To do so, retrieve the driver files from the normal download area of the ESP Print +Pro software at <a href="http://www.easysw.com/software.html" target="_top">Easy Software</a> web site. +You need to locate the link labeled “<span class="quote">SAMBA</span>” among the <span class="guilabel">Download Printer Drivers for ESP +Print Pro 4.x</span> area and download the package. Once installed, you can prepare any driver by simply +highlighting the printer in the Printer Manager GUI and selecting <span class="guilabel">Export Driver...</span> from +the menu. Of course, you need to have prepared Samba beforehand to handle the driver files; that is, set up +the <em class="parameter"><code>[print$]</code></em> share, and so on. The ESP Print Pro package includes the CUPS driver +files as well as a (licensed) set of Adobe drivers for the Windows 95/98/Me client family. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id408912"></a>Caveats to Be Considered</h3></div></div></div><p> +<a class="indexterm" name="id408920"></a> +<a class="indexterm" name="id408927"></a> +<a class="indexterm" name="id408934"></a> +<a class="indexterm" name="id408941"></a> +Once you have run the install script (and possibly manually moved the <code class="filename">cups.hlp</code> file to +<code class="filename">/usr/share/cups/drivers/</code>), the driver is ready to be put into Samba's <em class="parameter"><code>[print$]</code></em> share (which often maps to <code class="filename">/etc/samba/drivers/</code> and contains a +subdirectory tree with <span class="emphasis"><em>WIN40</em></span> and <span class="emphasis"><em>W32X86</em></span> branches). You do this by +running <code class="literal">cupsaddsmb</code> (see also <code class="literal">man cupsaddsmb</code> for CUPS since release +1.1.16). +</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +<a class="indexterm" name="id408997"></a> +<a class="indexterm" name="id409004"></a> +You may need to put root into the smbpasswd file by running <code class="literal">smbpasswd</code>; this is especially +important if you should run this whole procedure for the first time and are not working in an environment +where everything is configured for <span class="emphasis"><em>single sign-on</em></span> to a Windows Domain Controller. +</p></div><p> +Once the driver files are in the <em class="parameter"><code>[print$]</code></em> share and are initialized, they are ready +to be downloaded and installed by the Windows NT/200x/XP clients. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Win 9x/Me clients will not work with the CUPS PostScript driver. For these you still need to use the +<code class="filename">ADOBE*.*</code> drivers, as previously stated. +</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +It is not harmful if you still have the <code class="filename">ADOBE*.*</code> driver files from previous installations +in the <code class="filename">/usr/share/cups/drivers/</code> directory. The new <code class="literal">cupsaddsmb</code> (from +1.1.16) will automatically prefer its own drivers if it finds both. +</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id409073"></a> +<a class="indexterm" name="id409080"></a> +Should your Windows clients have had the old <code class="filename">ADOBE*.*</code> files for the Adobe PostScript +driver installed, the download and installation of the new CUPS PostScript driver for Windows NT/200x/XP will +fail at first. You need to wipe the old driver from the clients first. It is not enough to +“<span class="quote">delete</span>” the printer, because the driver files will still be kept by the clients and re-used if +you try to re-install the printer. To really get rid of the Adobe driver files on the clients, open the +<span class="guilabel">Printers</span> folder (possibly via <span class="guilabel">Start -> Settings -> Control Panel -> +Printers</span>), right-click on the folder background, and select <span class="guimenuitem">Server +Properties</span>. When the new dialog opens, select the <span class="guilabel">Drivers</span> tab. On the list +select the driver you want to delete and click the <span class="guilabel">Delete</span> button. This will only work if +there is not one single printer left that uses that particular driver. You need to “<span class="quote">delete</span>” all +printers using this driver in the <span class="guilabel">Printers</span> folder first. You will need Administrator +privileges to do this. +</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id409147"></a> +<a class="indexterm" name="id409156"></a> +Once you have successfully downloaded the CUPS PostScript driver to a client, you can easily switch all +printers to this one by proceeding as described in <a href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing +Support</a>. Either change a driver for an existing printer by running the <span class="guilabel">Printer +Properties</span> dialog, or use <code class="literal">rpcclient</code> with the <code class="literal">setdriver</code> +subcommand. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id409192"></a>Windows CUPS PostScript Driver Versus Adobe Driver</h3></div></div></div><p> +Are you interested in a comparison between the CUPS and the Adobe PostScript drivers? For our purposes, these +are the most important items that weigh in favor of CUPS: +</p><div class="itemizedlist"><ul type="disc"><li><p>No hassle with the Adobe EULA.</p></li><li><p>No hassle with the question, “<span class="quote">Where do I + get the ADOBE*.* driver files?</span>”</p></li><li><p> + <a class="indexterm" name="id409220"></a> + The Adobe drivers (on request of the printer PPD associated with them) often put a PJL header in front of the + main PostScript part of the print file. Thus, the print file starts with <em class="parameter"><code><1B + >%-12345X</code></em> or <em class="parameter"><code><escape>%-12345X</code></em> instead of + <em class="parameter"><code>%!PS</code></em>. This leads to the CUPS daemon autotyping the incoming file as a print-ready file, + not initiating a pass through the <em class="parameter"><code>pstops</code></em> filter (to speak more technically, it is not + regarded as the generic MIME-type <a class="indexterm" name="id409254"></a> + <em class="parameter"><code>application/postscript</code></em>, but as the more special MIME type + <a class="indexterm" name="id409267"></a> + <em class="parameter"><code>application/cups.vnd-postscript</code></em>), which therefore also leads to the page accounting in + <em class="parameter"><code>/var/log/cups/page_log</code></em> not receiving the exact number of pages; instead the dummy page + number of “<span class="quote">1</span>” is logged in a standard setup). + </p></li><li><p>The Adobe driver has more options to misconfigure the +<a class="indexterm" name="id409295"></a> + PostScript generated by it (like setting it inadvertently to + <span class="guilabel">Optimize for Speed</span> instead of + <span class="guilabel">Optimize for Portability</span>, which + could lead to CUPS being unable to process it).</p></li><li><p>The CUPS PostScript driver output sent by Windows +<a class="indexterm" name="id409320"></a> + clients to the CUPS server is guaranteed to autotype + as the generic MIME type <em class="parameter"><code>application/postscript</code></em>, + thus passing through the CUPS <em class="parameter"><code>pstops</code></em> filter and logging the + correct number of pages in the <code class="filename">page_log</code> for + accounting and quota purposes.</p></li><li><p> + <a class="indexterm" name="id409350"></a> + The CUPS PostScript driver supports the sending of additional standard (IPP) print options by Windows + NT/200x/XP clients. Such additional print options are naming the CUPS standard <span class="emphasis"><em>banner + pages</em></span> (or the custom ones, should they be installed at the time of driver download), using the CUPS + page-label option, setting a job priority, and setting the scheduled time of printing (with the option to + support additional useful IPP job attributes in the future). + </p></li><li><p>The CUPS PostScript driver supports the inclusion of + the new <em class="parameter"><code>*cupsJobTicket</code></em> comments at the + beginning of the PostScript file (which could be used in the future + for all sorts of beneficial extensions on the CUPS side, but which will + not disturb any other applications because they will regard it as a comment + and simply ignore it).</p></li><li><p>The CUPS PostScript driver will be the heart of the + fully fledged CUPS IPP client for Windows NT/200x/XP to be released soon + (probably alongside the first beta release for CUPS 1.2).</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id409387"></a>Run cupsaddsmb (Quiet Mode)</h3></div></div></div><p> +<a class="indexterm" name="id409395"></a> +<a class="indexterm" name="id409402"></a> +The <code class="literal">cupsaddsmb</code> command copies the needed files into your <em class="parameter"><code>[print$]</code></em> +share. Additionally, the PPD associated with this printer is copied from <code class="filename">/etc/cups/ppd/</code> +to <em class="parameter"><code>[print$]</code></em>. There the files wait for convenient Windows client installations via +Point'n'Print. Before we can run the command successfully, we need to be sure that we can authenticate toward +Samba. If you have a small network, you are probably using user-level security (<a class="indexterm" name="id409436"></a>security = user). +</p><p> +Here is an example of a successfully run <code class="literal">cupsaddsmb</code> command: +<a class="indexterm" name="id409452"></a> +<a class="indexterm" name="id409459"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -U root infotec_IS2027</code></strong> +Password for root required to access localhost via Samba: <strong class="userinput"><code>['secret']</code></strong> +</pre><p> +<a class="indexterm" name="id409490"></a> +To share <span class="emphasis"><em>all</em></span> printers and drivers, use the +<code class="option">-a</code> parameter instead of a printer name. Since +<code class="literal">cupsaddsmb</code> “<span class="quote">exports</span>” the printer drivers to Samba, it should be +obvious that it only works for queues with a CUPS driver associated. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id409517"></a>Run cupsaddsmb with Verbose Output</h3></div></div></div><p> +<a class="indexterm" name="id409525"></a> +Probably you want to see what's going on. Use the +<code class="option">-v</code> parameter to get a more verbose output. The +output below was edited for better readability: all “<span class="quote">\</span>” at the end of +a line indicate that I inserted an artificial line break plus some +indentation here: +<a class="indexterm" name="id409541"></a> +<a class="indexterm" name="id409550"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -U root -v infotec_2105</code></strong> +Password for root required to access localhost via GANDALF: +Running command: smbclient //localhost/print\$ -N -U'root%secret' \ + -c 'mkdir W32X86; \ + put /var/spool/cups/tmp/3e98bf2d333b5 W32X86/infotec_2105.ppd; \ + put /usr/share/cups/drivers/cupsdrvr.dll W32X86/cupsdrvr.dll; \ + put /usr/share/cups/drivers/cupsui.dll W32X86/cupsui.dll; \ + put /usr/share/cups/drivers/cups.hlp W32X86/cups.hlp' +added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0 +Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a] +NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 +putting file /var/spool/cups/tmp/3e98bf2d333b5 as \W32X86/infotec_2105.ppd +putting file /usr/share/cups/drivers/cupsdrvr.dll as \W32X86/cupsdrvr.dll +putting file /usr/share/cups/drivers/cupsui.dll as \W32X86/cupsui.dll +putting file /usr/share/cups/drivers/cups.hlp as \W32X86/cups.hlp + +Running command: rpcclient localhost -N -U'root%secret' + -c 'adddriver "Windows NT x86" \ + "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \ + RAW:NULL"' +cmd = adddriver "Windows NT x86" \ + "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \ + RAW:NULL" +Printer Driver infotec_2105 successfully installed. + +Running command: smbclient //localhost/print\$ -N -U'root%secret' \ +-c 'mkdir WIN40; \ + put /var/spool/cups/tmp/3e98bf2d333b5 WIN40/infotec_2105.PPD; \ + put /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM; \ + put /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV; \ + put /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP; \ + put /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD; \ + put /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL; \ + put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;' + added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0 + Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 + putting file /var/spool/cups/tmp/3e98bf2d333b5 as \WIN40/infotec_2105.PPD + putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD + putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL + putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL + + Running command: rpcclient localhost -N -U'root%secret' \ + -c 'adddriver "Windows 4.0" \ + "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL:ADOBEPS4.HLP: \ + PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL, \ + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_2105:ADOBEPS4.DRV:\ + infotec_2105.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADOBEPS4.DRV,\ + infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL,ADFONTS.MFM,DEFPRTR2.PPD,\ + ICONLIB.DLL" + Printer Driver infotec_2105 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' \ + -c 'setdriver infotec_2105 infotec_2105' + cmd = setdriver infotec_2105 infotec_2105 + Successfully set infotec_2105 to driver infotec_2105. +</pre><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +You will see the root password for the Samba account printed on screen. +</p></div><p> +If you look closely, you'll discover your root password was transferred unencrypted over the wire, so beware! +Also, if you look further, you may discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in the output. +This will occur when the directories WIN40 and W32X86 already existed in the <em class="parameter"><code>[print$]</code></em> +driver download share (from a previous driver installation). These are harmless warning messages. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id409621"></a>Understanding cupsaddsmb</h3></div></div></div><p> +<a class="indexterm" name="id409629"></a> +What has happened? What did <code class="literal">cupsaddsmb</code> do? There are five stages of the procedure: +</p><div class="orderedlist"><ol type="1"><li><p> + <a class="indexterm" name="id409653"></a> + Call the CUPS server via IPP and request the driver files and the PPD file for the named printer.</p></li><li><p>Store the files temporarily in the local TEMPDIR (as defined in <code class="filename">cupsd.conf</code>).</p></li><li><p>Connect via smbclient to the Samba server's <em class="parameter"><code>[print$]</code></em> share and put the files into the + share's WIN40 (for Windows 9x/Me) and W32X86 (for Windows NT/200x/XP) subdirectories.</p></li><li><p> + <a class="indexterm" name="id409687"></a> + Connect via rpcclient to the Samba server and execute the <code class="literal">adddriver</code> command with the correct parameters. + </p></li><li><p> + <a class="indexterm" name="id409708"></a> + Connect via rpcclient to the Samba server a second time and execute the <code class="literal">setdriver</code> command.</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +You can run the <code class="literal">cupsaddsmb</code> utility with parameters to specify one remote host as Samba host +and a second remote host as CUPS host. Especially if you want to get a deeper understanding, it is a good idea +to try it and see more clearly what is going on (though in real life most people will have their CUPS and +Samba servers run on the same host): +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -H sambaserver -h cupsserver -v printer</code></strong> +</pre><p> +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id409757"></a>How to Recognize If cupsaddsmb Completed Successfully</h3></div></div></div><p> +You <span class="emphasis"><em>must</em></span> always check if the utility completed +successfully in all fields. You need at minimum these three messages +among the output: +</p><div class="orderedlist"><ol type="1"><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully + installed.</em></span> # (for the W32X86 == Windows NT/200x/XP + architecture).</p></li><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully + installed.</em></span> # (for the WIN40 == Windows 9x/Me + architecture).</p></li><li><p><span class="emphasis"><em>Successfully set [printerXPZ] to driver + [printerXYZ].</em></span></p></li></ol></div><p> +These messages are probably not easily recognized in the general +output. If you run <code class="literal">cupsaddsmb</code> with the <code class="option">-a</code> +parameter (which tries to prepare <span class="emphasis"><em>all</em></span> active CUPS +printer drivers for download), you might miss if individual printer +drivers had problems installing properly. A redirection of the +output will help you analyze the results in retrospective. +</p><p> +If you get: +</p><pre class="screen"> +SetPrinter call failed! +result was WERR_ACCESS_DENIED +</pre><p> +it means that you might have set <a class="indexterm" name="id409827"></a>use client driver = yes for this printer. +Setting it to “<span class="quote">no</span>” will solve the problem. Refer to the <code class="filename">smb.conf</code> man page for explanation of +the <em class="parameter"><code>use client driver</code></em>. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +It is impossible to see any diagnostic output if you do not run <code class="literal">cupsaddsmb</code> in verbose mode. +Therefore, we strongly recommend against use of the default quiet mode. It will hide any problems from you that +might occur. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id409864"></a>cupsaddsmb with a Samba PDC</h3></div></div></div><p> +<a class="indexterm" name="id409872"></a> +<a class="indexterm" name="id409879"></a> +Can't get the standard <code class="literal">cupsaddsmb</code> command to run on a Samba PDC? Are you asked for the +password credential again and again, and the command just will not take off at all? Try one of these +variations: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -U MIDEARTH\\root -v printername</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -H SAURON -U MIDEARTH\\root -v printername</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -H SAURON -U MIDEARTH\\root -h cups-server -v printername</code></strong> +</pre><p> +(Note the two backslashes: the first one is required to “<span class="quote">escape</span>” the second one). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id409942"></a>cupsaddsmb Flowchart</h3></div></div></div><p> +<a class="indexterm" name="id409949"></a> +<a class="indexterm" name="id409956"></a> +<a href="CUPS-printing.html#small14" title="Figure 22.16. cupsaddsmb Flowchart.">The cupsaddsmb Flowchart</a> shows a chart about the procedures, command flows, and +data flows of the <code class="literal">cupaddsmb</code> command. Note again: cupsaddsmb is +not intended to, and does not work with, raw print queues! +</p><div class="figure"><a name="small14"></a><p class="title"><b>Figure 22.16. cupsaddsmb Flowchart.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/14small.png" alt="cupsaddsmb Flowchart."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id410020"></a>Installing the PostScript Driver on a Client</h3></div></div></div><p> +<a class="indexterm" name="id410028"></a> +<a class="indexterm" name="id410035"></a> +After <code class="literal">cupsaddsmb</code> is completed, your driver is prepared for the clients to use. Here are the +steps you must perform to download and install it via Point'n'Print. From a Windows client, browse to the +CUPS/Samba server: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id410056"></a> + Open the <span class="guilabel">Printers</span> share of Samba in Network Neighborhood.</p></li><li><p>Right-click on the printer in question.</p></li><li><p>From the opening context menu select + <span class="guimenuitem">Install...</span> or + <span class="guimenuitem">Connect...</span> (depending on the Windows version you use).</p></li></ul></div><p> +After a few seconds, there should be a new printer in your client's <span class="emphasis"><em>local</em></span> +<span class="guilabel">Printers</span> folder. On Windows XP it will follow a naming convention of +<span class="emphasis"><em>PrinterName on SambaServer</em></span>. (In my current case it is infotec_2105 on kde-bitshop). If +you want to test it and send your first job from an application like Winword, the new printer appears in a +<code class="filename">\\SambaServer\PrinterName</code> entry in the drop-down list of available printers. +</p><p> +<a class="indexterm" name="id410120"></a> +<a class="indexterm" name="id410127"></a> +<a class="indexterm" name="id410134"></a> +<code class="literal">cupsaddsmb</code> will only reliably work with CUPS version 1.1.15 or higher and with Samba +version 2.2.4, or later. If it does not work, or if the automatic printer driver download to the clients does +not succeed, you can still manually install the CUPS printer PPD on top of the Adobe PostScript driver on +clients. Then point the client's printer queue to the Samba printer share for a UNC type of connection: +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>net use lpt1: \\sambaserver\printershare /user:ntadmin</code></strong> +</pre><p> +should you desire to use the CUPS networked PostScript RIP functions. (Note that user “<span class="quote">ntadmin</span>” +needs to be a valid Samba user with the required privileges to access the printershare.) This sets up the +printer connection in the traditional LanMan way (not using MS-RPC). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="cups-avoidps1"></a>Avoiding Critical PostScript Driver Settings on the Client</h3></div></div></div><p> +Printing works, but there are still problems. Most jobs print well, some do not print at all. Some jobs have +problems with fonts, which do not look very good. Some jobs print fast and some are dead-slow. Many of these +problems can be greatly reduced or even completely eliminated if you follow a few guidelines. Remember, if +your print device is not PostScript-enabled, you are treating your Ghostscript installation on your CUPS host +with the output your client driver settings produce. Treat it well: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Avoid the PostScript Output Option: Optimize for Speed setting. Use the Optimize for Portability instead + (Adobe PostScript driver).</p></li><li><p> + Don't use the Page Independence: NO setting. Instead, use Page Independence: YES (CUPS PostScript Driver). + </p></li><li><p> + Recommended is the True Type Font Downloading Option: Native True Type over Automatic and Outline; + you should by all means avoid Bitmap (Adobe PostScript Driver).</p></li><li><p> + Choose True Type Font: Download as Softfont into Printer over the default Replace by Device + Font (for exotic fonts, you may need to change it back to get a printout at all; Adobe).</p></li><li><p> + Sometimes you can choose PostScript Language Level: in case of problems try 2 + instead of 3 (the latest ESP Ghostscript package handles Level 3 PostScript very well; Adobe). + </p></li><li><p> + Say Yes to PostScript Error Handler (Adobe).</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id410229"></a>Installing PostScript Driver Files Manually Using rpcclient</h2></div></div></div><p> +Of course, you can run all the commands that are embedded into the +cupsaddsmb convenience utility yourself, one by one, and upload +and prepare the driver files for future client downloads. +</p><div class="orderedlist"><ol type="1"><li><p>Prepare Samba (a CUPS print queue with the name of the + printer should be there. We are providing the driver now).</p></li><li><p>Copy all files to <em class="parameter"><code>[print$]</code></em>.</p></li><li><p> + <a class="indexterm" name="id410265"></a> + Run <code class="literal">rpcclient adddriver</code> + (for each client architecture you want to support).</p></li><li><p> + <a class="indexterm" name="id410285"></a> + Run <code class="literal">rpcclient setdriver.</code></p></li></ol></div><p> +<a class="indexterm" name="id410304"></a> +<a class="indexterm" name="id410313"></a> +<a class="indexterm" name="id410322"></a> +<a class="indexterm" name="id410331"></a> +<a class="indexterm" name="id410340"></a> +We are going to do this now. First, read the man page on <em class="parameter"><code>rpcclient</code></em> to get a first idea. +Look at all the printing-related subcommands: <code class="literal">enumprinters</code>, <code class="literal">enumdrivers</code>, +<code class="literal">enumports</code>, <code class="literal">adddriver</code>, and <code class="literal">setdriver</code> are among the +most interesting ones. <em class="parameter"><code>rpcclient</code></em> implements an important part of the MS-RPC protocol. +You can use it to query (and command) a Windows NT (or 200x/XP) PC, too. MS-RPC is used by Windows clients, +among other things, to benefit from the Point'n'Print features. Samba can now mimic this as well. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id410395"></a>A Check of the rpcclient man Page</h3></div></div></div><p> +First let's check the <em class="parameter"><code>rpcclient</code></em> man page. Here are two relevant passages: +</p><p> +<a class="indexterm" name="id410413"></a> +<a class="indexterm" name="id410420"></a> +<a class="indexterm" name="id410426"></a> +<code class="literal">adddriver <arch> <config></code> Execute an <code class="literal">AddPrinterDriver()</code> RPC +to install the printer driver information on the server. The driver files should already exist in the +directory returned by <code class="literal">getdriverdir</code>. Possible values for <em class="parameter"><code>arch</code></em> are the +same as those for the <code class="literal">getdriverdir</code> command. The <em class="parameter"><code>config</code></em> parameter is +defined as follows: +</p><pre class="screen"> +Long Printer Name:\ +Driver File Name:\ +Data File Name:\ +Config File Name:\ +Help File Name:\ +Language Monitor Name:\ +Default Data Type:\ +Comma Separated list of Files +</pre><p> +Any empty fields should be entered as the string “<span class="quote">NULL</span>”. +</p><p> +Samba does not need to support the concept of print monitors, since these only apply to local printers whose +drivers can use a bidirectional link for communication. This field should be “<span class="quote">NULL</span>”. On a remote +NT print server, the print monitor for a driver must already be installed before adding the driver or else the +RPC will fail. +</p><p> +<a class="indexterm" name="id410497"></a> +<a class="indexterm" name="id410504"></a> +<code class="literal">setdriver <printername> <drivername></code> Execute a <code class="literal">SetPrinter()</code> +command to update the printer driver associated with an installed printer. The printer driver must already be +correctly installed on the print server. +</p><p> +<a class="indexterm" name="id410527"></a> +<a class="indexterm" name="id410534"></a> +See also the <code class="literal">enumprinters</code> and <code class="literal">enumdrivers</code> commands to +obtain a list of installed printers and drivers. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id410555"></a>Understanding the rpcclient man Page</h3></div></div></div><p> +<a class="indexterm" name="id410563"></a> +The <span class="emphasis"><em>exact</em></span> format isn't made too clear by the man page, since you have to deal with some +parameters containing spaces. Here is a better description for it. We have line-broken the command and +indicated the breaks with “<span class="quote">\</span>”. Usually you would type the command in one line without the line +breaks: +</p><pre class="screen"> +adddriver "Architecture" \ + "LongPrinterName:DriverFile:DataFile:ConfigFile:HelpFile:\ + LanguageMonitorFile:DataType:ListOfFiles,Comma-separated" +</pre><p> +What the man pages denote as a simple <em class="parameter"><code><config></code></em> keyword in reality consists of +eight colon-separated fields. The last field may take multiple (in some very insane cases, even 20 different +additional) files. This might sound confusing at first. What the man pages call the +“<span class="quote">LongPrinterName</span>” in reality should be called the “<span class="quote">Driver Name</span>”. You can name it +anything you want, as long as you use this name later in the <code class="literal">rpcclient ... setdriver</code> +command. For practical reasons, many name the driver the same as the printer. +</p><p> +It isn't simple at all. I hear you asking: “<span class="quote">How do I know which files are Driver File</span>”, +“<span class="quote">Data File</span>”, “<span class="quote">Config File</span>”, “<span class="quote">Help File</span>” and “<span class="quote">Language Monitor +File in each case?</span>” For an answer, you may want to have a look at how a Windows NT box with a shared +printer presents the files to us. Remember that this whole procedure has to be developed by the Samba Team by +listening to the traffic caused by Windows computers on the wire. We may as well turn to a Windows box now and +access it from a UNIX workstation. We will query it with <code class="literal">rpcclient</code> to see what it tells us +and try to understand the man page more clearly. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id410647"></a>Producing an Example by Querying a Windows Box</h3></div></div></div><p> +<a class="indexterm" name="id410655"></a> +<a class="indexterm" name="id410665"></a> +We could run <code class="literal">rpcclient</code> with a <code class="literal">getdriver</code> or a +<code class="literal">getprinter</code> subcommand (in level 3 verbosity) against it. Just sit down at a UNIX or Linux +workstation with the Samba utilities installed, then type the following command: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'user%secret' NT-SERVER -c 'getdriver printername 3'</code></strong> +</pre><p> +From the result it should become clear which is which. Here is an example from my installation: +<a class="indexterm" name="id410713"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'Danka%xxxx' W200xSERVER \ + -c'getdriver "DANKA InfoStream Virtual Printer" 3'</code></strong> + cmd = getdriver "DANKA InfoStream Virtual Printer" 3 + + [Windows NT x86] + Printer Driver Info 3: + Version: [2] + Driver Name: [DANKA InfoStream] + Architecture: [Windows NT x86] + Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.DLL] + Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\INFOSTRM.PPD] + Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRPTUI.DLL] + Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.HLP] + + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + + Monitorname: [] + Defaultdatatype: [] +</pre><p> +Some printer drivers list additional files under the label <em class="parameter"><code>Dependentfiles</code></em>, and these +would go into the last field <em class="parameter"><code>ListOfFiles,Comma-separated</code></em>. For the CUPS PostScript +drivers, we do not need any (nor would we for the Adobe PostScript driver); therefore, the field will get a +“<span class="quote">NULL</span>” entry. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id410767"></a>Requirements for adddriver and setdriver to Succeed</h3></div></div></div><p> +<a class="indexterm" name="id410775"></a> +<a class="indexterm" name="id410784"></a> +<a class="indexterm" name="id410791"></a> +From the man page (and from the quoted output of <code class="literal">cupsaddsmb</code> above) it becomes clear that +you need to have certain conditions in order to make the manual uploading and initializing of the driver files +succeed. The two <code class="literal">rpcclient</code> subcommands (<code class="literal">adddriver</code> and +<code class="literal">setdriver</code>) need to encounter the following preconditions to complete successfully: +</p><div class="itemizedlist"><ul type="disc"><li><p>You are connected as <a class="indexterm" name="id410831"></a>printer admin or root (this is + <span class="emphasis"><em>not</em></span> the “<span class="quote">Printer Operators</span>” group in NT, but the <span class="emphasis"><em>printer + admin</em></span> group as defined in the <em class="parameter"><code>[global]</code></em> section of <code class="filename">smb.conf</code>). + </p></li><li><p>Copy all required driver files to <code class="filename">\\SAMBA\print$\w32x86</code> and + <code class="filename">\\SAMBA\print$\win40</code> as appropriate. They will end up in the “<span class="quote">0</span>” respective + “<span class="quote">2</span>” subdirectories later. For now, <span class="emphasis"><em>do not</em></span> put them there; they'll be + automatically used by the <code class="literal">adddriver</code> subcommand. (If you use <code class="literal">smbclient</code> to + put the driver files into the share, note that you need to escape the “<span class="quote">$</span>”: <code class="literal">smbclient + //sambaserver/print\$ -U root.</code>)</p></li><li><p>The user you're connecting as must be able to write to + the <em class="parameter"><code>[print$]</code></em> share and create + subdirectories.</p></li><li><p>The printer you are going to set up for the Windows + clients needs to be installed in CUPS already.</p></li><li><p> + <a class="indexterm" name="id410932"></a> + <a class="indexterm" name="id410941"></a> + The CUPS printer must be known to Samba; otherwise the <code class="literal">setdriver</code> subcommand fails with an + NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by Samba, you may use the + <code class="literal">enumprinters</code> subcommand to <code class="literal">rpcclient</code>. A long-standing bug prevented a + proper update of the printer list until every smbd process had received a SIGHUP or was restarted. Remember + this in case you've created the CUPS printer just recently and encounter problems: try restarting Samba. + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id410975"></a>Manual Driver Installation in 15 Steps</h3></div></div></div><p> +We are going to install a printer driver now by manually executing all +required commands. Because this may seem a rather complicated process at +first, we go through the procedure step by step, explaining every +single action item as it comes up. +</p><div class="procedure"><a name="id410986"></a><p class="title"><b>Procedure 22.2. Manual Driver Installation</b></p><ol type="1"><li><p class="title"><b>Install the printer on CUPS.</b></p><pre class="screen"> + <code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E \ + -P canonIR85.ppd</code></strong> + </pre><p> + This installs a printer with the name <em class="parameter"><code>mysmbtstprn</code></em> + to the CUPS system. The printer is accessed via a socket + (a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root + for this step. + </p></li><li><p class="title"><b>(Optional.) Check if the printer is recognized by Samba.</b></p><p> + <a class="indexterm" name="id411039"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'enumprinters' localhost \ + | grep -C2 mysmbtstprn</code></strong> +flags:[0x800000] +name:[\\kde-bitshop\mysmbtstprn] +description:[\\kde-bitshop\mysmbtstprn,,mysmbtstprn] +comment:[mysmbtstprn] +</pre><p> + </p><p> + This should show the printer in the list. If not, stop and restart the Samba daemon (smbd) or send a HUP signal: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>kill -HUP `pidof smbd`</code></strong> +</pre><p> + Check again. Troubleshoot and repeat until successful. Note the “<span class="quote">empty</span>” field between the two + commas in the “<span class="quote">description</span>” line. The driver name would appear here if there was one already. You + need to know root's Samba password (as set by the <code class="literal">smbpasswd</code> command) for this step and most + of the following steps. Alternatively, you can authenticate as one of the users from the “<span class="quote">write + list</span>” as defined in <code class="filename">smb.conf</code> for <em class="parameter"><code>[print$]</code></em>. + </p></li><li><p class="title"><b>(Optional.) Check if Samba knows a driver for the printer.</b></p><p> + <a class="indexterm" name="id411130"></a> + <a class="indexterm" name="id411139"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2'\ + localhost | grep driver </code></strong> + +drivername:[] + +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' \ + localhost | grep -C4 driv</code></strong> + +servername:[\\kde-bitshop] +printername:[\\kde-bitshop\mysmbtstprn] +sharename:[mysmbtstprn] +portname:[Samba Printer Port] +drivername:[] +comment:[mysmbtstprn] +location:[] +sepfile:[] +printprocessor:[winprint] + +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</code></strong> + result was WERR_UNKNOWN_PRINTER_DRIVER +</pre><p> +None of the three commands shown above should show a driver. +This step was done for the purpose of demonstrating this condition. An +attempt to connect to the printer at this stage will prompt a +message along the lines of, “<span class="quote">The server does not have the required printer +driver installed.</span>” +</p></li><li><p class="title"><b>Put all required driver files into Samba's +[print$].</b></p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbclient //localhost/print\$ -U 'root%xxxx' \ + -c 'cd W32X86; \ + put /etc/cups/ppd/mysmbtstprn.ppd mysmbtstprn.PPD; \ + put /usr/share/cups/drivers/cupsui.dll cupsui.dll; \ + put /usr/share/cups/drivers/cupsdrvr.dll cupsdrvr.dll; \ + put /usr/share/cups/drivers/cups.hlp cups.hlp'</code></strong> +</pre><p> +(This command should be entered in one long single line. Line breaks and the line ends indicated by +“<span class="quote">\</span>” have been inserted for readability reasons.) This step is <span class="emphasis"><em>required</em></span> for +the next one to succeed. It makes the driver files physically present in the <em class="parameter"><code>[print$]</code></em> +share. However, clients would still not be able to install them, because Samba does not yet treat them as +driver files. A client asking for the driver would still be presented with a “<span class="quote">not installed here</span>” +message. +</p></li><li><p class="title"><b>Verify where the driver files are now.</b></p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ls -l /etc/samba/drivers/W32X86/</code></strong> +total 669 +drwxr-sr-x 2 root ntadmin 532 May 25 23:08 2 +drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3 +-rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp +-rwxr--r-- 1 root ntadmin 278380 May 25 23:21 cupsdrvr.dll +-rwxr--r-- 1 root ntadmin 215848 May 25 23:21 cupsui.dll +-rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD +</pre><p> +The driver files now are in the W32X86 architecture “<span class="quote">root</span>” of +<em class="parameter"><code>[print$]</code></em>. +</p></li><li><p class="title"><b>Tell Samba that these are driver files (<code class="literal">adddriver</code>).</b></p><p> +<a class="indexterm" name="id411310"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \ + "mydrivername:cupsdrvr.dll:mysmbtstprn.PPD: \ + cupsui.dll:cups.hlp:NULL:RAW:NULL"' \ + localhost</code></strong> +Printer Driver mydrivername successfully installed. +</pre><p> +You cannot repeat this step if it fails. It could fail even as a result of a simple typo. It will most likely +have moved a part of the driver files into the “<span class="quote">2</span>” subdirectory. If this step fails, you need to +go back to the fourth step and repeat it before you can try this one again. In this step, you need to choose a +name for your driver. It is normally a good idea to use the same name as is used for the printer name; +however, in big installations you may use this driver for a number of printers that obviously have different +names, so the name of the driver is not fixed. +</p></li><li><p class="title"><b>Verify where the driver files are now.</b></p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ls -l /etc/samba/drivers/W32X86/</code></strong> +total 1 +drwxr-sr-x 2 root ntadmin 532 May 25 23:22 2 +drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3 + +<code class="prompt">root# </code><strong class="userinput"><code>ls -l /etc/samba/drivers/W32X86/2</code></strong> +total 5039 +[....] +-rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp +-rwxr--r-- 1 root ntadmin 278380 May 13 13:53 cupsdrvr.dll +-rwxr--r-- 1 root ntadmin 215848 May 13 13:53 cupsui.dll +-rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD +</pre><p> +Notice how step 6 also moved the driver files to the appropriate +subdirectory. Compare this with the situation after step 5. +</p></li><li><p class="title"><b>(Optional.) Verify if Samba now recognizes the driver.</b></p><p> +<a class="indexterm" name="id411404"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'enumdrivers 3' \ + localhost | grep -B2 -A5 mydrivername</code></strong> +Printer Driver Info 3: +Version: [2] +Driver Name: [mydrivername] +Architecture: [Windows NT x86] +Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll] +Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD] +Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll] +Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp] +</pre><p> +Remember, this command greps for the name you chose for the +driver in step 6. This command must succeed before you can proceed. +</p></li><li><p><font color="red"><title>Tell Samba which printer should use these driver files (<code class="literal">setdriver</code>).</title></font></p><p> +<a class="indexterm" name="id411456"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' \ + localhost</code></strong> +Successfully set mysmbtstprn to driver mydrivername +</pre><p> +Since you can bind any printer name (print queue) to any driver, this is a convenient way to set up many +queues that use the same driver. You do not need to repeat all the previous steps for the setdriver command to +succeed. The only preconditions are that <code class="literal">enumdrivers</code> must find the driver and +<code class="literal">enumprinters</code> must find the printer. +</p></li><li><p class="title"><b>(Optional) Verify if Samba has recognized this association.</b></p><p> +<a class="indexterm" name="id411511"></a> +<a class="indexterm" name="id411520"></a> +<a class="indexterm" name="id411529"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \ + | grep driver</code></strong> +drivername:[mydrivername] + +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \ + | grep -C4 driv</code></strong> +servername:[\\kde-bitshop] +printername:[\\kde-bitshop\mysmbtstprn] +sharename:[mysmbtstprn] +portname:[Done] +drivername:[mydrivername] +comment:[mysmbtstprn] +location:[] +sepfile:[] +printprocessor:[winprint] + +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</code></strong> +[Windows NT x86] +Printer Driver Info 3: + Version: [2] + Driver Name: [mydrivername] + Architecture: [Windows NT x86] + Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll] + Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD] + Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll] + Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp] + Monitorname: [] + Defaultdatatype: [RAW] + Monitorname: [] + Defaultdatatype: [RAW] + +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'enumprinters' localhost \ + | grep mysmbtstprn</code></strong> + name:[\\kde-bitshop\mysmbtstprn] + description:[\\kde-bitshop\mysmbtstprn,mydrivername,mysmbtstprn] + comment:[mysmbtstprn] + +</pre><p> +<a class="indexterm" name="id411597"></a> +Compare these results with the ones from steps 2 and 3. Every one of these commands show the driver is installed. Even +the <code class="literal">enumprinters</code> command now lists the driver +on the “<span class="quote">description</span>” line. +</p></li><li><p class="title"><b>(Optional.) Tickle the driver into a correct +device mode.</b></p><p> +<a class="indexterm" name="id411630"></a> +You certainly know how to install the driver on the client. In case +you are not particularly familiar with Windows, here is a short +recipe: Browse the Network Neighborhood, go to the Samba server, and look +for the shares. You should see all shared Samba printers. +Double-click on the one in question. The driver should get +installed and the network connection set up. Another way is to +open the <span class="guilabel">Printers (and Faxes)</span> folder, right-click on the printer in +question, and select <span class="guilabel">Connect</span> or <span class="guilabel">Install</span>. As a result, a new printer +should appear in your client's local <span class="guilabel">Printers (and Faxes)</span> +folder, named something like <span class="guilabel">printersharename on Sambahostname</span>. +</p><p> +It is important that you execute this step as a Samba printer admin +(as defined in <code class="filename">smb.conf</code>). Here is another method +to do this on Windows XP. It uses a command line, which you may type +into the “<span class="quote">DOS box</span>” (type root's smbpassword when prompted): +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry \ + /in /n \\sambaserver\mysmbtstprn"</code></strong> +</pre><p> +Change any printer setting once (like changing <span class="emphasis"><em><span class="guilabel">portrait</span> to +<span class="guilabel">landscape</span></em></span>), click on <span class="guibutton">Apply</span>, and change the setting back. +</p></li><li><p class="title"><b>Install the printer on a client (Point'n'Print).</b></p><p> +<a class="indexterm" name="id411739"></a> +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /in /n "\\sambaserver\mysmbtstprn"</code></strong> +</pre><p> +If it does not work, it could be a permissions problem with the <em class="parameter"><code>[print$]</code></em> share. +</p></li><li><p class="title"><b>(Optional) Print a test page.</b></p><a class="indexterm" name="id411779"></a><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /p /n "\\sambaserver\mysmbtstprn"</code></strong> +</pre><p> +Then hit [TAB] five times, [ENTER] twice, [TAB] once, and [ENTER] again, and march to the printer. +</p></li><li><p class="title"><b>(Recommended.) Study the test page.</b></p><p> +Hmmm. Just kidding! By now you know everything about printer installations and you do not need to read a word. +Just put it in a frame and bolt it to the wall with the heading "MY FIRST RPCCLIENT-INSTALLED PRINTER" + why not just throw it away! +</p></li><li><p class="title"><b>(Obligatory.) Enjoy. Jump. Celebrate your success.</b></p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>echo "Cheeeeerioooooo! Success..." >> /var/log/samba/log.smbd</code></strong> +</pre></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id411854"></a>Troubleshooting Revisited</h3></div></div></div><p> +<a class="indexterm" name="id411862"></a> +The setdriver command will fail if in Samba's mind the queue is not +already there. A successful installation displys the promising message that the: +</p><pre class="screen"> +Printer Driver ABC successfully installed. +</pre><p> +following the <code class="literal">adddriver</code> parts of the procedure. But you may also see +a disappointing message like this one: +<code class="computeroutput"> +result was NT_STATUS_UNSUCCESSFUL +</code></p><p> +<a class="indexterm" name="id411890"></a> +<a class="indexterm" name="id411897"></a> +It is not good enough that you can see the queue in CUPS, using the <code class="literal">lpstat -p ir85wm</code> +command. A bug in most recent versions of Samba prevents the proper update of the queue list. The recognition +of newly installed CUPS printers fails unless you restart Samba or send a HUP to all smbd processes. To verify +if this is the reason why Samba does not execute the <code class="literal">setdriver</code> command successfully, check +if Samba “<span class="quote">sees</span>” the printer: +<a class="indexterm" name="id411923"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient transmeta -N -U'root%xxxx' -c 'enumprinters 0'|grep ir85wm</code></strong> + printername:[ir85wm] +</pre><p> +An alternate command could be this: +<a class="indexterm" name="id411951"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm' </code></strong> + cmd = getprinter ir85wm + flags:[0x800000] + name:[\\transmeta\ir85wm] + description:[\\transmeta\ir85wm,ir85wm,DPD] + comment:[CUPS PostScript-Treiber for Windows NT/200x/XP] +</pre><p> +By the way, you can use these commands, plus a few more, of course, to install drivers on remote Windows NT print servers too! +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id411985"></a>The Printing <code class="filename">*.tdb</code> Files</h2></div></div></div><p> +<a class="indexterm" name="id411999"></a> +<a class="indexterm" name="id412005"></a> +<a class="indexterm" name="id412014"></a> +<a class="indexterm" name="id412023"></a> +<a class="indexterm" name="id412032"></a> +<a class="indexterm" name="id412041"></a> +<a class="indexterm" name="id412050"></a> +<a class="indexterm" name="id412059"></a> +<a class="indexterm" name="id412068"></a> +<a class="indexterm" name="id412077"></a> +<a class="indexterm" name="id412086"></a> +<a class="indexterm" name="id412095"></a> +<a class="indexterm" name="id412104"></a> +Some mystery is associated with the series of files with a tdb suffix appearing in every Samba installation. +They are <code class="filename">connections.tdb</code>, <code class="filename">printing.tdb</code>, +<code class="filename">share_info.tdb</code>, <code class="filename">ntdrivers.tdb</code>, <code class="filename">unexpected.tdb</code>, +<code class="filename">brlock.tdb</code>, <code class="filename">locking.tdb</code>, <code class="filename">ntforms.tdb</code>, +<code class="filename">messages.tdb</code> , <code class="filename">ntprinters.tdb</code>, <code class="filename">sessionid.tdb</code>, +and <code class="filename">secrets.tdb</code>. What is their purpose? +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id412184"></a>Trivial Database Files</h3></div></div></div><p> +<a class="indexterm" name="id412192"></a> +A Windows NT (print) server keeps track of all information needed to serve its duty toward its clients by +storing entries in the Windows registry. Client queries are answered by reading from the registry, +Administrator or user configuration settings that are saved by writing into the registry. Samba and UNIX +obviously do not have such a Registry. Samba instead keeps track of all client-related information in a series +of <code class="filename">*.tdb</code> files. (TDB stands for trivial data base). These are often located in +<code class="filename">/var/lib/samba/</code> or <code class="filename">/var/lock/samba/</code>. The printing-related files are +<code class="filename">ntprinters.tdb</code>, <code class="filename">printing.tdb</code>,<code class="filename">ntforms.tdb</code>, and +<code class="filename">ntdrivers.tdb</code>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id412246"></a>Binary Format</h3></div></div></div><p> +<code class="filename">*.tdb</code> files are not human readable. They are written in a binary format. “<span class="quote">Why not +ASCII?</span>”, you may ask. “<span class="quote">After all, ASCII configuration files are a good and proven tradition on +UNIX.</span>” The reason for this design decision by the Samba Team is mainly performance. Samba needs to be +fast; it runs a separate <code class="literal">smbd</code> process for each client connection, in some environments many +thousands of them. Some of these <code class="literal">smbds</code> might need to write-access the same +<code class="filename">*.tdb</code> file <span class="emphasis"><em>at the same time</em></span>. The file format of Samba's +<code class="filename">*.tdb</code> files allows for this provision. Many smbd processes may write to the same +<code class="filename">*.tdb</code> file at the same time. This wouldn't be possible with pure ASCII files. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id412307"></a>Losing <code class="filename">*.tdb</code> Files</h3></div></div></div><p> +It is very important that all <code class="filename">*.tdb</code> files remain consistent over all write and read +accesses. However, it may happen that these files <span class="emphasis"><em>do</em></span> get corrupted. (A <code class="literal">kill -9 +`pidof smbd'</code> while a write access is in progress could do the damage, as could a power interruption, +etc.). In cases of trouble, a deletion of the old printing-related <code class="filename">*.tdb</code> files may be the +only option. After that, you need to re-create all print-related setups unless you have made a backup of the +<code class="filename">*.tdb</code> files in time. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id412353"></a>Using <code class="literal">tdbbackup</code></h3></div></div></div><p> +<a class="indexterm" name="id412366"></a> +<a class="indexterm" name="id412377"></a> +Samba ships with a little utility that helps the root user of your system to backup your +<code class="filename">*.tdb</code> files. If you run it with no argument, it prints a usage message: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>tdbbackup</code></strong> + Usage: tdbbackup [options] <fname...> + + Version:3.0a + -h this help message + -s suffix set the backup suffix + -v verify mode (restore if corrupt) +</pre><p> +Here is how I backed up my <code class="filename">printing.tdb</code> file: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ls</code></strong> +. browse.dat locking.tdb ntdrivers.tdb printing.tdb +.. share_info.tdb connections.tdb messages.tdb ntforms.tdb +printing.tdbkp unexpected.tdb brlock.tdb gmon.out namelist.debug +ntprinters.tdb sessionid.tdb + +<code class="prompt">root# </code><strong class="userinput"><code>tdbbackup -s .bak printing.tdb</code></strong> + printing.tdb : 135 records + +<code class="prompt">root# </code><strong class="userinput"><code>ls -l printing.tdb*</code></strong> + -rw------- 1 root root 40960 May 2 03:44 printing.tdb + -rw------- 1 root root 40960 May 2 03:44 printing.tdb.bak + +</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id412464"></a>CUPS Print Drivers from Linuxprinting.org</h2></div></div></div><p> +<a class="indexterm" name="id412472"></a> +CUPS ships with good support for HP LaserJet-type printers. You can install the generic driver as follows: +<a class="indexterm" name="id412480"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd</code></strong> +</pre><p> +The <code class="option">-m</code> switch will retrieve the <code class="filename">laserjet.ppd</code> from the standard +repository for not-yet-installed PPDs, which CUPS typically stores in +<code class="filename">/usr/share/cups/model</code>. Alternatively, you may use <code class="option">-P /path/to/your.ppd</code>. +</p><p> +The generic <code class="filename">laserjet.ppd,</code> however, does not support every special option for every +LaserJet-compatible model. It constitutes a sort of “<span class="quote">least common denominator</span>” of all the models. +If for some reason you must pay for the commercially available ESP Print Pro drivers, your first move should +be to consult the database on the <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">Linuxprinting</a> Web site. Linuxprinting.org has +excellent recommendations about which driver is best used for each printer. Its database is kept current by +the tireless work of Till Kamppeter from Mandrakesoft, who is also the principal author of the +<code class="literal">foomatic-rip</code> utility. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id412561"></a> +<a class="indexterm" name="id412568"></a> +<a class="indexterm" name="id412574"></a> +The former <code class="literal">cupsomatic</code> concept is now being replaced by the new successor, a much more +powerful <code class="literal">foomatic-rip</code>. <code class="literal">cupsomatic</code> is no longer maintained. Here is the +new URL to the <a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">Foomatic-3.0</a> +database. If you upgrade to <code class="literal">foomatic-rip</code>, remember to also upgrade to the new-style PPDs +for your Foomatic-driven printers. foomatic-rip will not work with PPDs generated for the old +<code class="literal">cupsomatic</code>. The new-style PPDs are 100% compliant with the Adobe PPD specification. They +are also intended to be used by Samba and the cupsaddsmb utility, to provide the driver files for the Windows +clients! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id412624"></a>foomatic-rip and Foomatic Explained</h3></div></div></div><p> +<a class="indexterm" name="id412632"></a> +<a class="indexterm" name="id412639"></a> +Nowadays, most Linux distributions rely on the utilities from the <a href="http://www.linuxprinting.org/" target="_top">Linuxprinting.org</a> to create their printing-related software +(which, by the way, works on all UNIXes and on Mac OS X and Darwin, too). The utilities from this sire have a +very end-user-friendly interface that allows for an easy update of drivers and PPDs for all supported models, +all spoolers, all operating systems, and all package formats (because there is none). Its history goes back a +few years. +</p><p> +Recently, Foomatic has achieved the astonishing milestone of <a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">1,000 listed</a> printer models. +Linuxprinting.org keeps all the important facts about printer drivers, supported models, and which options are +available for the various driver/printer combinations in its <a href="http://www.linuxprinting.org/foomatic.html" target="_top">Foomatic</a> database. Currently there are <a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">245 drivers</a> in the database. Many drivers support +various models, and many models may be driven by different drivers its your choice! +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id412685"></a>690 “<span class="quote">Perfect</span>” Printers</h4></div></div></div><p> +<a class="indexterm" name="id412696"></a> +At present, there are 690 devices dubbed as working perfectly: 181 are <span class="emphasis"><em>mostly</em></span> perfect, 96 +are <span class="emphasis"><em>partially</em></span> perfect, and 46 are paperweights. Keeping in mind that most of these are +non-PostScript models (PostScript printers are automatically supported by CUPS to perfection by using their +own manufacturer-provided Windows PPD), and that a multifunctional device never qualifies as working perfectly +if it does not also scan and copy and fax under GNU/Linux then this is a truly astonishing +achievement! Three years ago the number was not more than 500, and Linux or UNIX printing at the time wasn't +anywhere near the quality it is today. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id412721"></a>How the Printing HOWTO Started It All</h4></div></div></div><p> +A few years ago <a href="http://www2.picante.com/" target="_top">Grant Taylor</a> started it all. The +roots of today's Linuxprinting.org are in the first <a href="http://www.linuxprinting.org/foomatic2.9/howto/" target="_top">Linux Printing HOWTO</a> that he authored. As a +side-project to this document, which served many Linux users and admins to guide their first steps in this +complicated and delicate setup (to a scientist, printing is “<span class="quote">applying a structured deposition of +distinct patterns of ink or toner particles on paper substrates</span>”), he started to build in a little +Postgres database with information about the hardware and driver zoo that made up Linux printing of the time. +This database became the core component of today's Foomatic collection of tools and data. In the meantime, it +has moved to an XML representation of the data. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id412752"></a>Foomatic's Strange Name</h4></div></div></div><p> +<a class="indexterm" name="id412759"></a> +“<span class="quote">Why the funny name?</span>” you ask. When it really took off, around spring 2000, CUPS was far less +popular than today, and most systems used LPD, LPRng, or even PDQ to print. CUPS shipped with a few generic +drivers (good for a few hundred different printer models). These didn't support many device-specific options. +CUPS also shipped with its own built-in rasterization filter (<em class="parameter"><code>pstoraster</code></em>, derived from +Ghostscript). On the other hand, CUPS provided brilliant support for <span class="emphasis"><em>controlling</em></span> all +printer options through standardized and well-defined PPD files. Plus, CUPS was designed to be easily +extensible. +</p><p> +Taylor already had in his database a respectable compilation of facts about many more printers and the +Ghostscript “<span class="quote">drivers</span>” they run with. His idea, to generate PPDs from the database information and +use them to make standard Ghostscript filters work within CUPS, proved to work very well. It also killed +several birds with one stone: +</p><div class="itemizedlist"><ul type="disc"><li><p>It made all current and future Ghostscript filter + developments available for CUPS.</p></li><li><p>It made available a lot of additional printer models + to CUPS users (because often the traditional Ghostscript way of + printing was the only one available).</p></li><li><p>It gave all the advanced CUPS options (Web interface, + GUI driver configurations) to users wanting (or needing) to use + Ghostscript filters.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id412815"></a>cupsomatic, pdqomatic, lpdomatic, directomatic</h4></div></div></div><p> +<a class="indexterm" name="id412823"></a> +<a class="indexterm" name="id412830"></a> +<a class="indexterm" name="id412837"></a> +CUPS worked through a quickly hacked-up filter script named <a href="http://www.linuxprinting.org/download.cgi?filename=cupsomatic&show=0" target="_top">cupsomatic</a>. cupsomatic +ran the printfile through Ghostscript, constructing automatically the rather complicated command line needed. +It just needed to be copied into the CUPS system to make it work. To configure the way cupsomatic controls the +Ghostscript rendering process, it needs a CUPS-PPD. This PPD is generated directly from the contents of the +database. For CUPS and the respective printer/filter combo, another Perl script named CUPS-O-Matic did the PPD +generation. After that was working, Taylor implemented within a few days a similar thing for two other +spoolers. Names chosen for the config-generator scripts were <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0" target="_top">PDQ-O-Matic</a> (for PDQ) +and <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0" target="_top">LPD-O-Matic</a> +(for you guessed it LPD); the configuration here didn't use PPDs but other +spooler-specific files. +</p><p> +From late summer of that year, <a href="http://www.linuxprinting.org/till/" target="_top">Till Kamppeter</a> started +to put work into the database. Kamppeter had been newly employed by <a href="http://www.mandrakesoft.com/" target="_top">Mandrakesoft</a> to convert its printing system over to CUPS, after +they had seen his <a href="http://www.fltk.org/" target="_top">FLTK</a>-based <a href="http://cups.sourceforge.net/xpp/" target="_top">XPP</a> (a GUI front-end to the CUPS lp-command). He added a huge +amount of new information and new printers. He also developed the support for other spoolers, like <a href="http://ppr.sourceforge.net/" target="_top">PPR</a> (via ppromatic), <a href="http://sourceforge.net/projects/lpr/" target="_top">GNUlpr</a>, and <a href="http://www.lprng.org/" target="_top">LPRng</a> (both via an extended lpdomatic) and spooler-less printing (<a href="http://www.linuxprinting.org/download.cgi?filename=directomatic&show=0" target="_top">directomatic</a>). +</p><p> +So, to answer your question, “<span class="quote">Foomatic</span>” is the general name for all the overlapping code and data +behind the “<span class="quote">*omatic</span>” scripts. Foomatic, up to versions 2.0.x, required (ugly) Perl data +structures attached to Linuxprinting.org PPDs for CUPS. It had a different “<span class="quote">*omatic</span>” script for +every spooler, as well as different printer configuration files. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id412953"></a>The <span class="emphasis"><em>Grand Unification</em></span> Achieved</h4></div></div></div><p> +<a class="indexterm" name="id412964"></a> +This has all changed in Foomatic versions 2.9 (beta) and released as “<span class="quote">stable</span>” 3.0. It has now +achieved the convergence of all *omatic scripts and is called the <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0" target="_top">foomatic-rip</a>. +This single script is the unification of the previously different spooler-specific *omatic scripts. +foomatic-rip is used by all the different spoolers alike, and because it can read PPDs (both the original +PostScript printer PPDs and the Linuxprinting.org-generated ones), all of a sudden all supported spoolers can +have the power of PPDs at their disposal. Users only need to plug foomatic-rip into their system. For users +there is improved media type and source support paper sizes and trays are easier to configure. +</p><p> +<a class="indexterm" name="id412994"></a> +<a class="indexterm" name="id413000"></a> +<a class="indexterm" name="id413007"></a> +Also, the new generation of Linuxprinting.org PPDs no longer contains Perl data structures. If you are a +distro maintainer and have used the previous version of Foomatic, you may want to give the new one a spin, but +remember to generate a new-version set of PPDs via the new <a href="http://www.linuxprinting.org/download/foomatic/foomatic-db-engine-3.0.0beta1.tar.gz" target="_top">foomatic-db-engine!</a>. +Individual users just need to generate a single new PPD specific to their model by <a href="http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/II.Foomatic-User/II.tutorial-handout-foomatic-user.html" target="_top">following +the steps</a> outlined in the Foomatic tutorial or in this chapter. This new development is truly amazing. +</p><p> +<a class="indexterm" name="id413034"></a> +<a class="indexterm" name="id413040"></a> +<a class="indexterm" name="id413047"></a> +foomatic-rip is a very clever wrapper around the need to run Ghostscript with a different syntax, options, +device selections, and/or filters for each different printer or spooler. At the same time, it can read the PPD +associated with a print queue and modify the print job according to the user selections. Together with this +comes the 100% compliance of the new Foomatic PPDs with the Adobe spec. Some innovative features of the +Foomatic concept may surprise users. It will support custom paper sizes for many printers and will support +printing on media drawn from different paper trays within the same job (in both cases, even where there is no +support for this from Windows-based vendor printer drivers). +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id413062"></a>Driver Development Outside</h4></div></div></div><p> +<a class="indexterm" name="id413070"></a> +Most driver development itself does not happen within Linuxprinting.org. Drivers are written by independent +maintainers. Linuxprinting.org just pools all the information and stores it in its database. In addition, it +also provides the Foomatic glue to integrate the many drivers into any modern (or legacy) printing system +known to the world. +</p><p> +Speaking of the different driver development groups, most of the work is currently done in three projects: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id413091"></a> + <a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">Omni</a> + a free software project by IBM that tries to convert its printer + driver knowledge from good-ol' OS/2 times into a modern, modular, + universal driver architecture for Linux/UNIX (still beta). This + currently supports 437 models.</p></li><li><p> +<a class="indexterm" name="id413113"></a> + <a href="http://hpinkjet.sf.net/" target="_top">HPIJS</a> + a free software project by HP to provide the support for its own + range of models (very mature, printing in most cases is perfect and + provides true photo quality). This currently supports 369 + models.</p></li><li><p> +<a class="indexterm" name="id413134"></a> + <a href="http://gimp-print.sf.net/" target="_top">Gimp-Print</a> a free software + effort, started by Michael Sweet (also lead developer for CUPS), now + directed by Robert Krawitz, which has achieved an amazing level of + photo print quality (many Epson users swear that its quality is + better than the vendor drivers provided by Epson for the Microsoft + platforms). This currently supports 522 models.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id413155"></a>Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</h4></div></div></div><p> +Linuxprinting.org today is the one-stop shop to download printer drivers. Look for printer information and +<a href="http://www.linuxprinting.org//kpfeifle/LinuxKongress2002/Tutorial/" target="_top">tutorials</a> or solve +printing problems in its popular <a href="http://www.linuxprinting.org/newsportal/" target="_top">forums</a>. This +forum is not just for GNU/Linux users, but admins of <a href="http://www.linuxprinting.org/macosx/" target="_top"> +commercial UNIX systems</a> are also going there, and the relatively new +<a href="http://www.linuxprinting.org/newsportal/thread.php3?name=linuxprinting.macosx.general" target="_top">Mac OS X +forum</a> has turned out to be one of the most frequented forums after only a few weeks. +</p><p> +<a class="indexterm" name="id413194"></a> +<a class="indexterm" name="id413201"></a> +<a class="indexterm" name="id413208"></a> +Linuxprinting.org and the Foomatic driver wrappers around Ghostscript are now a standard tool-chain for +printing on all the important distros. Most of them also have CUPS underneath. While in recent years most +printer data had been added by Kamppeter, many additional contributions came from engineers with SuSE, Red +Hat, Conectiva, Debian, and others. Vendor-neutrality is an important goal of the Foomatic project. Mandrake +and Conectiva have merged and are now called Mandriva. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Till Kamppeter from Mandrakesoft is doing an excellent job in his spare time to maintain Linuxprinting.org and +Foomatic. So if you use it often, please send him a note showing your appreciation. +</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id413227"></a>Foomatic Database-Generated PPDs</h4></div></div></div><p> +<a class="indexterm" name="id413235"></a> +<a class="indexterm" name="id413241"></a> +<a class="indexterm" name="id413248"></a> +<a class="indexterm" name="id413255"></a> +<a class="indexterm" name="id413262"></a> +<a class="indexterm" name="id413269"></a> +<a class="indexterm" name="id413275"></a> +<a class="indexterm" name="id413282"></a> +<a class="indexterm" name="id413289"></a> +The Foomatic database is an amazing piece of ingenuity in itself. Not only does it keep the printer and driver +information, but it is organized in a way that it can generate PPD files on the fly from its internal +XML-based datasets. While these PPDs are modeled to the Adobe specification of PPDs, the +Linuxprinting.org/Foomatic-PPDs do not normally drive PostScript printers. They are used to describe all the +bells and whistles you could ring or blow on an Epson Stylus inkjet, or an HP Photosmart, or what-have-you. +The main trick is one little additional line, not envisaged by the PPD specification, starting with the +<em class="parameter"><code>*cupsFilter</code></em> keyword. It tells the CUPS daemon how to proceed with the PostScript print +file (old-style Foomatic-PPDs named the cupsomatic filter script, while the new-style PPDs are now call +foomatic-rip). This filter script calls Ghostscript on the host system (the recommended variant is ESP +Ghostscript) to do the rendering work. foomatic-rip knows which filter or internal device setting it should +ask from Ghostscript to convert the PostScript print job into a raster format ready for the target device. +This usage of PPDs to describe the options of non-PostScript printers was the invention of the CUPS +developers. The rest is easy. GUI tools (like KDE's marvelous <a href="http://printing.kde.org/overview/kprinter.phtml" target="_top">kprinter</a> or the GNOME <a href="http://gtklp.sourceforge.net/" target="_top">gtklp</a> xpp and the CUPS Web interface) read the PPD as well and use +this information to present the available settings to the user as an intuitive menu selection. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id413329"></a>foomatic-rip and Foomatic PPD Download and Installation</h3></div></div></div><p> +Here are the steps to install a foomatic-rip-driven LaserJet 4 Plus-compatible +printer in CUPS (note that recent distributions of SuSE, UnitedLinux and +Mandrake may ship with a complete package of Foomatic-PPDs plus the +<code class="literal">foomatic-rip</code> utility. Going directly to +Linuxprinting.org ensures that you get the latest driver/PPD files). +</p><div class="itemizedlist"><ul type="disc"><li><p>Open your browser at the Linuxprinting.org printer list <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">page.</a> + </p></li><li><p>Check the complete list of printers in the + <a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">database.</a>. + </p></li><li><p>Select your model and click on the link. + </p></li><li><p>You'll arrive at a page listing all drivers working with this + model (for all printers, there will always be <span class="emphasis"><em>one</em></span> + recommended driver. Try this one first). + </p></li><li><p>In our case (HP LaserJet 4 Plus), we'll arrive at the default driver for the + <a href="http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus" target="_top">HP-LaserJet 4 Plus.</a> + </p></li><li><p>The recommended driver is ljet4.</p></li><li><p>Several links are provided here. You should visit them all if you + are not familiar with the Linuxprinting.org database. + </p></li><li><p>There is a link to the database page for the + <a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">ljet4</a>. + On the driver's page, you'll find important and detailed information + about how to use that driver within the various available + spoolers.</p></li><li><p>Another link may lead you to the home page of the + author of the driver.</p></li><li><p>Important links are the ones that provide hints with + setup instructions for <a href="http://www.linuxprinting.org/cups-doc.html" target="_top">CUPS</a>; + <a href="http://www.linuxprinting.org/pdq-doc.html" target="_top">PDQ</a>; + <a href="http://www.linuxprinting.org/lpd-doc.html" target="_top">LPD, LPRng, and GNUlpr</a>); + as well as <a href="http://www.linuxprinting.org/ppr-doc.html" target="_top">PPR</a> + or “<span class="quote">spoolerless</span>” <a href="http://www.linuxprinting.org/direct-doc.html" target="_top">printing</a>. + </p></li><li><p>You can view the PPD in your browser through this link: + <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1</a> + </p></li><li><p>Most importantly, you can also generate and download + the <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=0" target="_top">PPD</a>. + </p></li><li><p>The PPD contains all the information needed to use our + model and the driver; once installed, this works transparently + for the user. Later you'll only need to choose resolution, paper size, + and so on, from the Web-based menu, or from the print dialog GUI, or from + the command line.</p></li><li><p>If you ended up on the drivers + <a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">page</a>, + you can choose to use the “<span class="quote">PPD-O-Matic</span>” online PPD generator + program.</p></li><li><p>Select the exact model and check either <span class="guilabel">Download</span> or + <span class="guilabel">Display PPD file</span> and click <span class="guilabel">Generate PPD file</span>.</p></li><li><p>If you save the PPD file from the browser view, please + do not use cut and paste (since it could possibly damage line endings + and tabs, which makes the PPD likely to fail its duty), but use <span class="guimenuitem">Save + as...</span> in your browser's menu. (It is best to use the <span class="guilabel">Download</span> option + directly from the Web page.)</p></li><li><p>Another interesting part on each driver page is + the <span class="guimenuitem">Show execution details</span> button. If you + select your printer model and click on that button, + a complete Ghostscript command line will be displayed, enumerating all options + available for that combination of driver and printer model. This is a great way to + “<span class="quote">learn Ghostscript by doing</span>”. It is also an excellent cheat sheet + for all experienced users who need to reconstruct a good command line + for that darned printing script, but can't remember the exact + syntax. </p></li><li><p>Sometime during your visit to Linuxprinting.org, save + the PPD to a suitable place on your hard disk, say + <code class="filename">/path/to/my-printer.ppd</code> (if you prefer to install + your printers with the help of the CUPS Web interface, save the PPD to + the <code class="filename">/usr/share/cups/model/</code> path and restart + cupsd).</p></li><li><p>Then install the printer with a suitable command line, + like this: + </p><pre class="screen"> + <code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \ + -P path/to/my-printer.ppd</code></strong> + </pre></li><li><p>For all the new-style “<span class="quote">Foomatic-PPDs</span>” + from Linuxprinting.org, you also need a special CUPS filter named + foomatic-rip. + </p></li><li><p>The foomatic-rip Perl script itself also makes some + interesting <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=1" target="_top">reading</a> + because it is well documented by Kamppeter's in-line comments (even + non-Perl hackers will learn quite a bit about printing by reading + it).</p></li><li><p>Save foomatic-rip either directly in + <code class="filename">/usr/lib/cups/filter/foomatic-rip</code> or somewhere in + your $PATH (and remember to make it world-executable). Again, + do not save by copy and paste but use the appropriate link or the + <span class="guimenuitem">Save as...</span> menu item in your browser.</p></li><li><p>If you save foomatic-rip in your $PATH, create a symlink: + </p><pre class="screen"> + <code class="prompt">root# </code><strong class="userinput"><code>cd /usr/lib/cups/filter/ ; ln -s `which foomatic-rip'</code></strong> + </pre><p> + </p><p> + CUPS will discover this new available filter at startup after restarting + cupsd.</p></li></ul></div><p> +Once you print to a print queue set up with the Foomatic PPD, CUPS will insert the appropriate commands and +comments into the resulting PostScript job file. foomatic-rip is able to read and act upon these and uses some +specially encoded Foomatic comments embedded in the job file. These in turn are used to construct +(transparently for you, the user) the complicated Ghostscript command line telling the printer driver exactly +how the resulting raster data should look and which printer commands to embed into the data stream. You need: +</p><div class="itemizedlist"><ul type="disc"><li><p>A “<span class="quote">foomatic+something</span>” PPD but this is not enough + to print with CUPS (it is only <span class="emphasis"><em>one</em></span> important + component).</p></li><li><p>The <em class="parameter"><code>foomatic-rip</code></em> filter script (Perl) in + <code class="filename">/usr/lib/cups/filters/</code>.</p></li><li><p>Perl to make foomatic-rip run.</p></li><li><p>Ghostscript (because it is doing the main work, + controlled by the PPD/foomatic-rip combo) to produce the raster data + fit for your printer model's consumption.</p></li><li><p>Ghostscript <span class="emphasis"><em>must</em></span> (depending on + the driver/model) contain support for a certain device representing + the selected driver for your model (as shown by <code class="literal">gs -h</code>).</p></li><li><p>foomatic-rip needs a new version of PPDs (PPD versions + produced for cupsomatic do not work with foomatic-rip).</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id413751"></a>Page Accounting with CUPS</h2></div></div></div><p> +<a class="indexterm" name="id413759"></a> +Often there are questions regarding print quotas where Samba users (that is, Windows clients) should not be +able to print beyond a certain number of pages or data volume per day, week, or month. This feature is +dependent on the real print subsystem you're using. Samba's part is always to receive the job files from the +clients (filtered <span class="emphasis"><em>or</em></span> unfiltered) and hand them over to this printing subsystem. +</p><p> +Of course one could hack things with one's own scripts. But then there is CUPS. CUPS supports quotas that can +be based on the size of jobs or on the number of pages or both, and can span any time period you want. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id413781"></a>Setting Up Quotas</h3></div></div></div><p> +<a class="indexterm" name="id413789"></a> +This is an example command of how root would set a print quota in CUPS, assuming an existing printer named +“<span class="quote">quotaprinter</span>”: +<a class="indexterm" name="id413803"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p quotaprinter -o job-quota-period=604800 \ + -o job-k-limit=1024 -o job-page-limit=100</code></strong> +</pre><p> +This would limit every single user to print no more than 100 pages or 1024 KB of +data (whichever comes first) within the last 604,800 seconds ( = 1 week). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id413832"></a>Correct and Incorrect Accounting</h3></div></div></div><p> +For CUPS to count correctly, the printfile needs to pass the CUPS pstops filter; otherwise it uses a dummy +count of “<span class="quote">one</span>”. Some print files do not pass it (e.g., image files), but then those are mostly +one-page jobs anyway. This also means that proprietary drivers for the target printer running on the client +computers and CUPS/Samba, which then spool these files as “<span class="quote">raw</span>” (i.e., leaving them untouched, +not filtering them), will be counted as one-pagers too! +</p><p> +You need to send PostScript from the clients (i.e., run a PostScript driver there) to have the chance to get +accounting done. If the printer is a non-PostScript model, you need to let CUPS do the job to convert the file +to a print-ready format for the target printer. This is currently working for about a thousand different +printer models. Linuxprinting.org has a driver <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">list</a>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id413865"></a>Adobe and CUPS PostScript Drivers for Windows Clients</h3></div></div></div><p> +<a class="indexterm" name="id413873"></a> +<a class="indexterm" name="id413880"></a> +<a class="indexterm" name="id413886"></a> +<a class="indexterm" name="id413893"></a> +<a class="indexterm" name="id413900"></a> +Before CUPS 1.1.16, your only option was to use the Adobe PostScript driver on the Windows clients. The output +of this driver was not always passed through the <code class="literal">pstops</code> filter on the CUPS/Samba side, and +therefore was not counted correctly (the reason is that it often, depending on the PPD being used, wrote a +PJL-header in front of the real PostScript, which caused CUPS to skip <code class="literal">pstops</code> and go +directly to the <code class="literal">pstoraster</code> stage). +</p><p> +From CUPS 1.1.16 and later releases, you can use the CUPS PostScript driver for Windows NT/200x/XP +clients (which is tagged in the download area of <code class="filename">http://www.cups.org/</code> as the +<code class="filename">cups-samba-1.1.16.tar.gz</code> package). It does <span class="emphasis"><em>not</em></span> work for Windows +9x/Me clients, but it guarantees: +</p><div class="itemizedlist"><ul type="disc"><li><p> <a class="indexterm" name="id413955"></a> To not write a PJL-header.</p></li><li><p>To still read and support all PJL-options named in the + driver PPD with its own means.</p></li><li><p>That the file will pass through the <code class="literal">pstops</code> filter + on the CUPS/Samba server.</p></li><li><p>To page-count correctly the print file.</p></li></ul></div><p> +You can read more about the setup of this combination in the man page for <code class="literal">cupsaddsmb</code> (which +is only present with CUPS installed, and only current from CUPS 1.1.16). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id413996"></a>The page_log File Syntax</h3></div></div></div><p> +<a class="indexterm" name="id414004"></a> +These are the items CUPS logs in the <code class="filename">page_log</code> for every page of a job: +</p><div class="itemizedlist"><ul type="disc"><li><p>Printer name</p></li><li><p>User name</p></li><li><p>Job ID</p></li><li><p>Time of printing</p></li><li><p>Page number</p></li><li><p>Number of copies</p></li><li><p>A billing information string (optional)</p></li><li><p>The host that sent the job (included since version 1.1.19)</p></li></ul></div><p> +Here is an extract of my CUPS server's <code class="filename">page_log</code> file to illustrate the +format and included items: +</p><pre class="screen"> +tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13 +tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 2 3 #marketing 10.160.50.13 +tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 3 3 #marketing 10.160.50.13 +tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 4 3 #marketing 10.160.50.13 +Dig9110 boss 402 [22/Apr/2003:10:33:22 +0100] 1 440 finance-dep 10.160.51.33 +</pre><p> +This was job ID <em class="parameter"><code>401</code></em>, printed on <em class="parameter"><code>tec_IS2027</code></em> +by user <em class="parameter"><code>kurt</code></em>, a 64-page job printed in three copies, billed to +<em class="parameter"><code>#marketing</code></em>, and sent from IP address <code class="constant">10.160.50.13.</code> + The next job had ID <em class="parameter"><code>402</code></em>, was sent by user <em class="parameter"><code>boss</code></em> +from IP address <code class="constant">10.160.51.33</code>, printed from one page 440 copies, and +is set to be billed to <em class="parameter"><code>finance-dep</code></em>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id414132"></a>Possible Shortcomings</h3></div></div></div><p> +What flaws or shortcomings are there with this quota system? +</p><div class="itemizedlist"><ul type="disc"><li><p>The ones named above (wrongly logged job in case of + printer hardware failure, and so on).</p></li><li><p>In reality, CUPS counts the job pages that are being + processed in <span class="emphasis"><em>software</em></span> (that is, going through the + RIP) rather than the physical sheets successfully leaving the + printing device. Thus, if there is a jam while printing the fifth sheet out + of 1,000 and the job is aborted by the printer, the page count will + still show the figure of 1,000 for that job.</p></li><li><p>All quotas are the same for all users (no flexibility + to give the boss a higher quota than the clerk) and no support for + groups.</p></li><li><p>No means to read out the current balance or the + “<span class="quote">used-up</span>” number of current quota.</p></li><li><p>A user having used up 99 sheets of a 100 quota will + still be able to send and print a 1,000 sheet job.</p></li><li><p>A user being denied a job because of a filled-up quota + does not get a meaningful error message from CUPS other than + “<span class="quote">client-error-not-possible</span>”.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id414190"></a>Future Developments</h3></div></div></div><p> +This is the best system currently available, and there are huge +improvements under development for CUPS 1.2: +</p><div class="itemizedlist"><ul type="disc"><li><p>Page counting will go into the backends (these talk + directly to the printer and will increase the count in sync with the + actual printing process; thus, a jam at the fifth sheet will lead to a + stop in the counting).</p></li><li><p>Quotas will be handled more flexibly.</p></li><li><p>Probably there will be support for users to inquire + about their accounts in advance.</p></li><li><p>Probably there will be support for some other tools + around this topic.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id414225"></a>Other Accounting Tools</h3></div></div></div><p> +Other accounting tools that can be used includes: PrintAnalyzer, pyKota, printbill, LogReport. +For more information regarding these tools you can try a Google search. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414238"></a>Additional Material</h2></div></div></div><p> +A printer queue with <span class="emphasis"><em>no</em></span> PPD associated to it is a +“<span class="quote">raw</span>” printer, and all files will go directly there as received by the +spooler. The exceptions are file types <em class="parameter"><code>application/octet-stream</code></em> +that need the pass-through feature enabled. “<span class="quote">Raw</span>” queues do not do any +filtering at all; they hand the file directly to the CUPS backend. +This backend is responsible for sending the data to the device +(as in the “<span class="quote">device URI</span>” notation: <code class="filename">lpd://, socket://, +smb://, ipp://, http://, parallel:/, serial:/, usb:/</code>, and so on). +</p><p> +cupsomatic/Foomatic are <span class="emphasis"><em>not</em></span> native CUPS drivers +and they do not ship with CUPS. They are a third-party add-on +developed at Linuxprinting.org. As such, they are a brilliant hack to +make all models (driven by Ghostscript drivers/filters in traditional +spoolers) also work via CUPS, with the same (good or bad!) quality as +in these other spoolers. <em class="parameter"><code>cupsomatic</code></em> is only a vehicle to execute a +Ghostscript command line at that stage in the CUPS filtering chain +where normally the native CUPS <em class="parameter"><code>pstoraster</code></em> filter would kick +in. <em class="parameter"><code>cupsomatic</code></em> bypasses <em class="parameter"><code>pstoraster</code></em>, kidnaps the print file from CUPS, +and redirects it to go through Ghostscript. CUPS accepts this +because the associated cupsomatic/foomatic-PPD specifies: + +</p><pre class="programlisting"> +*cupsFilter: "application/vnd.cups-postscript 0 cupsomatic" +</pre><p> + +This line persuades CUPS to hand the file to <em class="parameter"><code>cupsomatic</code></em> once it has +successfully converted it to the MIME type +<em class="parameter"><code>application/vnd.cups-postscript</code></em>. This conversion will not happen for +jobs arriving from Windows that are autotyped +<em class="parameter"><code>application/octet-stream</code></em>, with the according changes in +<code class="filename">/etc/cups/mime.types</code> in place. +</p><p> +CUPS is widely configurable and flexible, even regarding its filtering +mechanism. Another workaround in some situations would be to have in +<code class="filename">/etc/cups/mime.types</code> entries as follows: + +</p><pre class="programlisting"> +application/postscript application/vnd.cups-raw 0 - +application/vnd.cups-postscript application/vnd.cups-raw 0 - +</pre><p> + +This would prevent all PostScript files from being filtered (rather, +they will through the virtual <span class="emphasis"><em>nullfilter</em></span> +denoted with “<span class="quote">-</span>”). This could only be useful for PostScript printers. If you +want to print PostScript code on non-PostScript printers (provided they support ASCII +text printing), an entry as follows could be useful: + +</p><pre class="programlisting"> +*/* application/vnd.cups-raw 0 - +</pre><p> + +and would effectively send <span class="emphasis"><em>all</em></span> files to the +backend without further processing. +</p><p> +You could have the following entry: + +</p><pre class="programlisting"> +application/vnd.cups-postscript application/vnd.cups-raw 0 \ + my_PJL_stripping_filter +</pre><p> + +You will need to write a <em class="parameter"><code>my_PJL_stripping_filter</code></em> +(which could be a shell script) that parses the PostScript and removes the +unwanted PJL. This needs to conform to CUPS filter design +(mainly, receive and pass the parameters printername, job-id, +username, jobtitle, copies, print options, and possibly the +filename). It is installed as world executable into +<code class="filename">/usr/lib/cups/filters/</code> and is called by CUPS +if it encounters a MIME type <em class="parameter"><code>application/vnd.cups-postscript</code></em>. +</p><p> +CUPS can handle <em class="parameter"><code>-o job-hold-until=indefinite</code></em>. +This keeps the job in the queue on hold. It will only be printed +upon manual release by the printer operator. This is a requirement in +many central reproduction departments, where a few operators manage +the jobs of hundreds of users on some big machine, where no user is +allowed to have direct access (such as when the operators often need +to load the proper paper type before running the 10,000 page job +requested by marketing for the mailing, and so on). +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414430"></a>Autodeletion or Preservation of CUPS Spool Files</h2></div></div></div><p> +<a class="indexterm" name="id414438"></a> +<a class="indexterm" name="id414444"></a> +<a class="indexterm" name="id414451"></a> +Samba print files pass through two spool directories. One is the incoming directory managed by Samba (set in +the <a class="indexterm" name="id414459"></a>path = /var/spool/samba directive in the <em class="parameter"><code>[printers]</code></em> section of <code class="filename">smb.conf</code>). The other is the spool directory of your UNIX print subsystem. For +CUPS it is normally <code class="filename">/var/spool/cups/</code>, as set by the <code class="filename">cupsd.conf</code> +directive <code class="filename">RequestRoot /var/spool/cups</code>. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id414498"></a>CUPS Configuration Settings Explained</h3></div></div></div><p> +Some important parameter settings in the CUPS configuration file +<code class="filename">cupsd.conf</code> are: +</p><div class="variablelist"><dl><dt><span class="term">PreserveJobHistory Yes</span></dt><dd><p> + This keeps some details of jobs in cupsd's mind (well, it keeps the + c12345, c12346, and so on, files in the CUPS spool directory, which does a + similar job as the old-fashioned BSD-LPD control files). This is set + to “<span class="quote">Yes</span>” as a default. + </p></dd><dt><span class="term">PreserveJobFiles Yes</span></dt><dd><p> + This keeps the job files themselves in cupsd's mind + (it keeps the d12345, d12346, etc., files in the CUPS spool + directory). This is set to “<span class="quote">No</span>” as the CUPS + default. + </p></dd><dt><span class="term">“<span class="quote">MaxJobs 500</span>”</span></dt><dd><p> + This directive controls the maximum number of jobs + that are kept in memory. Once the number of jobs reaches the limit, + the oldest completed job is automatically purged from the system to + make room for the new one. If all of the known jobs are still + pending or active, then the new job will be rejected. Setting the + maximum to 0 disables this functionality. The default setting is + 0. + </p></dd></dl></div><p> +(There are also additional settings for <em class="parameter"><code>MaxJobsPerUser</code></em> and +<em class="parameter"><code>MaxJobsPerPrinter</code></em>.) +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id414575"></a>Preconditions</h3></div></div></div><p> +For everything to work as it should, you need to have three things: +</p><div class="itemizedlist"><ul type="disc"><li><p>A Samba smbd that is compiled against <code class="filename">libcups</code> (check + on Linux by running <strong class="userinput"><code>ldd `which smbd'</code></strong>).</p></li><li><p>A Samba-<code class="filename">smb.conf</code> setting of + <a class="indexterm" name="id414612"></a>printing = cups.</p></li><li><p>Another Samba <code class="filename">smb.conf</code> setting of + <a class="indexterm" name="id414630"></a>printcap = cups.</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +In this case, all other manually set printing-related commands (like +<a class="indexterm" name="id414643"></a>print command, +<a class="indexterm" name="id414650"></a>lpq command, +<a class="indexterm" name="id414657"></a>lprm command, +<a class="indexterm" name="id414664"></a>lppause command, and +<a class="indexterm" name="id414671"></a>lpresume command) are ignored, and they should normally have no +influence whatsoever on your printing. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id414681"></a>Manual Configuration</h3></div></div></div><p> +If you want to do things manually, replace the <a class="indexterm" name="id414690"></a>printing = cups +by <a class="indexterm" name="id414697"></a>printing = bsd. Then your manually set commands may work +(I haven't tested this), and a <a class="indexterm" name="id414704"></a>print command = lp -d %P %s; rm %s +may do what you need. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414715"></a>Printing from CUPS to Windows-Attached Printers</h2></div></div></div><p> +<a class="indexterm" name="id414723"></a> +<a class="indexterm" name="id414730"></a> +From time to time the question arises, how can you print <span class="emphasis"><em>to</em></span> a Windows-attached printer +<span class="emphasis"><em>from</em></span> Samba? Normally the local connection from Windows host to printer would be done by +USB or parallel cable, but this does not matter to Samba. From here only an SMB connection needs to be opened +to the Windows host. Of course, this printer must be shared first. As you have learned by now, CUPS uses +<span class="emphasis"><em>backends</em></span> to talk to printers and other servers. To talk to Windows shared printers, you +need to use the <code class="filename">smb</code> (surprise, surprise!) backend. Check if this is in the CUPS backend +directory. This usually resides in <code class="filename">/usr/lib/cups/backend/</code>. You need to find an +<code class="filename">smb</code> file there. It should be a symlink to <code class="filename">smbspool</code>, and the file +must exist and be executable: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ls -l /usr/lib/cups/backend/</code></strong> +total 253 +drwxr-xr-x 3 root root 720 Apr 30 19:04 . +drwxr-xr-x 6 root root 125 Dec 19 17:13 .. +-rwxr-xr-x 1 root root 10692 Feb 16 21:29 canon +-rwxr-xr-x 1 root root 10692 Feb 16 21:29 epson +lrwxrwxrwx 1 root root 3 Apr 17 22:50 http -> ipp +-rwxr-xr-x 1 root root 17316 Apr 17 22:50 ipp +-rwxr-xr-x 1 root root 15420 Apr 20 17:01 lpd +-rwxr-xr-x 1 root root 8656 Apr 20 17:01 parallel +-rwxr-xr-x 1 root root 2162 Mar 31 23:15 pdfdistiller +lrwxrwxrwx 1 root root 25 Apr 30 19:04 ptal -> /usr/sbin/ptal-cups +-rwxr-xr-x 1 root root 6284 Apr 20 17:01 scsi +lrwxrwxrwx 1 root root 17 Apr 2 03:11 smb -> /usr/bin/smbspool +-rwxr-xr-x 1 root root 7912 Apr 20 17:01 socket +-rwxr-xr-x 1 root root 9012 Apr 20 17:01 usb + +<code class="prompt">root# </code><strong class="userinput"><code>ls -l `which smbspool`</code></strong> +-rwxr-xr-x 1 root root 563245 Dec 28 14:49 /usr/bin/smbspool +</pre><p> +If this symlink does not exist, create it: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ln -s `which smbspool` /usr/lib/cups/backend/smb</code></strong> +</pre><p> +<a class="indexterm" name="id414838"></a> +<a class="indexterm" name="id414845"></a> +<code class="literal">smbspool</code> was written by Mike Sweet from the CUPS folks. It is included and ships with +Samba. It may also be used with print subsystems other than CUPS, to spool jobs to Windows printer shares. To +set up printer <em class="replaceable"><code>winprinter</code></em> on CUPS, you need to have a driver for it. Essentially +this means to convert the print data on the CUPS/Samba host to a format that the printer can digest (the +Windows host is unable to convert any files you may send). This also means you should be able to print to the +printer if it were hooked directly at your Samba/CUPS host. For troubleshooting purposes, this is what you +should do to determine if that part of the process chain is in order. Then proceed to fix the network +connection/authentication to the Windows host, and so on. +</p><p> +To install a printer with the <em class="parameter"><code>smb</code></em> backend on CUPS, use this command: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename \ + -P /path/to/PPD</code></strong> +</pre><p> +<a class="indexterm" name="id414898"></a> +<a class="indexterm" name="id414905"></a> +<a class="indexterm" name="id414911"></a> +The PPD must be able to direct CUPS to generate the print data for the target model. For PostScript printers, +just use the PPD that would be used with the Windows NT PostScript driver. But what can you do if the printer +is only accessible with a password? Or if the printer's host is part of another workgroup? This is provided +for: You can include the required parameters as part of the <code class="filename">smb://</code> device-URI like this: +</p><div class="itemizedlist"><ul type="disc"><li><p><code class="filename">smb://WORKGROUP/WINDOWSNETBIOSNAME/printersharename</code></p></li><li><p><code class="filename">smb://username:password@WORKGROUP/WINDOWSNETBIOSNAME/printersharename</code></p></li><li><p><code class="filename">smb://username:password@WINDOWSNETBIOSNAME/printersharename</code></p></li></ul></div><p> +Note that the device URI will be visible in the process list of the Samba server (e.g., when someone uses the +<code class="literal">ps -aux</code> command on Linux), even if the username and passwords are sanitized before they get +written into the log files. This is an inherently insecure option; however, it is the only one. Don't use it +if you want to protect your passwords. Better share the printer in a way that does not require a password! +Printing will only work if you have a working NetBIOS name resolution up and running. Note that this is a +feature of CUPS and you do not necessarily need to have smbd running. + +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414972"></a>More CUPS Filtering Chains</h2></div></div></div><p> +The diagrams in <a href="CUPS-printing.html#cups1" title="Figure 22.17. Filtering Chain 1.">Filtering Chain 1</a> and <a href="CUPS-printing.html#cups2" title="Figure 22.18. Filtering Chain with cupsomatic">Filtering Chain with +cupsomatic</a> show how CUPS handles print jobs. +</p><div class="figure"><a name="cups1"></a><p class="title"><b>Figure 22.17. Filtering Chain 1.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/cups1.png" alt="Filtering Chain 1."></div></div></div><br class="figure-break"><div class="figure"><a name="cups2"></a><p class="title"><b>Figure 22.18. Filtering Chain with cupsomatic</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/cups2.png" width="243" alt="Filtering Chain with cupsomatic"></div></div></div><br class="figure-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id415081"></a>Common Errors</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415086"></a>Windows 9x/Me Client Can't Install Driver</h3></div></div></div><p>For Windows 9x/Me, clients require the printer names to be eight + characters (or “<span class="quote">8 plus 3 chars suffix</span>”) max; otherwise, the driver files + will not get transferred when you want to download them from Samba.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="root-ask-loop"></a>“<span class="quote">cupsaddsmb</span>” Keeps Asking for Root Password in Never-ending Loop</h3></div></div></div><p>Have you set <a class="indexterm" name="id415116"></a>security = user? Have + you used <code class="literal">smbpasswd</code> to give root a Samba account? + You can do two things: open another terminal and execute + <code class="literal">smbpasswd -a root</code> to create the account and + continue entering the password into the first terminal. Or, break + out of the loop by pressing Enter twice (without trying to type a + password).</p><p> + If the error is “<span class="quote">Tree connect failed: NT_STATUS_BAD_NETWORK_NAME</span>”, + you may have forgotten to create the <code class="filename">/etc/samba/drivers</code> directory. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415153"></a>“<span class="quote">cupsaddsmb</span>” or “<span class="quote">rpcclient addriver</span>” Emit Error</h3></div></div></div><p> + If <code class="literal">cupsaddsmb</code>, or <code class="literal">rpcclient addriver</code> emit the error message + WERR_BAD_PASSWORD, refer to <a href="CUPS-printing.html#root-ask-loop" title="“cupsaddsmb” Keeps Asking for Root Password in Never-ending Loop">the previous common error</a>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415189"></a>“<span class="quote">cupsaddsmb</span>” Errors</h3></div></div></div><p> + The use of “<span class="quote">cupsaddsmb</span>” gives “<span class="quote">No PPD file for printer...</span>” + message while PPD file is present. What might the problem be? + </p><p> + Have you enabled printer sharing on CUPS? This means, do you have a <code class="literal"><Location + /printers>....</Location></code> section in CUPS server's <code class="filename">cupsd.conf</code> that + does not deny access to the host you run “<span class="quote">cupsaddsmb</span>” from? It <span class="emphasis"><em>could</em></span> be an + issue if you use cupsaddsmb remotely, or if you use it with a <code class="option">-h</code> parameter: + <strong class="userinput"><code>cupsaddsmb -H sambaserver -h cupsserver -v printername</code></strong>. + </p><p>Is your <em class="parameter"><code>TempDir</code></em> directive in + <code class="filename">cupsd.conf</code> set to a valid value, and is it writable? + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415259"></a>Client Can't Connect to Samba Printer</h3></div></div></div><p>Use <code class="literal">smbstatus</code> to check which user + you are from Samba's point of view. Do you have the privileges to + write into the <em class="parameter"><code>[print$]</code></em> + share?</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415282"></a>New Account Reconnection from Windows 200x/XP Troubles</h3></div></div></div><p> +Once you are connected as the wrong user (for example, as <code class="constant">nobody</code>, which often occurs if +you have <a class="indexterm" name="id415295"></a>map to guest = bad user), Windows Explorer will not accept an +attempt to connect again as a different user. There will not be any bytes transferred on the wire to Samba, +but still you'll see a stupid error message that makes you think Samba has denied access. Use +<code class="literal">smbstatus</code> to check for active connections. Kill the PIDs. You still can't re-connect, and +you get the dreaded <code class="computeroutput">You can't connect with a second account from the same +machine</code> message as soon as you try. And you do not see a single byte arriving at Samba (see +logs; use “<span class="quote">ethereal</span>”) indicating a renewed connection attempt. Shut all Explorer Windows. This +makes Windows forget what it has cached in its memory as established connections. Then reconnect as the right +user. The best method is to use a DOS terminal window and <span class="emphasis"><em>first</em></span> do <strong class="userinput"><code>net use z: +\\GANDALF\print$ /user:root</code></strong>. Check with <code class="literal">smbstatus</code> that you are +connected under a different account. Now open the <span class="guilabel">Printers</span> folder (on the Samba server in +the <span class="guilabel">Network Neighborhood</span>), right-click on the printer in question, and select +<span class="guibutton">Connect....</span>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415360"></a>Avoid Being Connected to the Samba Server as the Wrong User</h3></div></div></div><p> +<a class="indexterm" name="id415368"></a> +You see per <code class="literal">smbstatus</code> that you are connected as user nobody, but you want to be root or +printer admin. This is probably due to <a class="indexterm" name="id415382"></a>map to guest = bad user, which +silently connected you under the guest account when you gave (maybe by accident) an incorrect username. Remove +<a class="indexterm" name="id415390"></a>map to guest if you want to prevent this. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415399"></a>Upgrading to CUPS Drivers from Adobe Drivers</h3></div></div></div><p> +This information came from a mailing list posting regarding problems experienced when +upgrading from Adobe drivers to CUPS drivers on Microsoft Windows NT/200x/XP clients. +</p><p>First delete all old Adobe-using printers. Then delete all old Adobe drivers. (On Windows 200x/XP, right-click in +the background of <span class="guilabel">Printers</span> folder, select <span class="guimenuitem">Server Properties...</span>, select +tab <span class="guilabel">Drivers</span>, and delete here).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415434"></a>Can't Use “<span class="quote">cupsaddsmb</span>” on Samba Server, Which Is a PDC</h3></div></div></div><p>Do you use the “<span class="quote">naked</span>” root user name? Try to do it +this way: <strong class="userinput"><code>cupsaddsmb -U <em class="replaceable"><code>DOMAINNAME</code></em>\\root -v +<em class="replaceable"><code>printername</code></em></code></strong>> (note the two backslashes: the first one is +required to “<span class="quote">escape</span>” the second one).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415468"></a>Deleted Windows 200x Printer Driver Is Still Shown</h3></div></div></div><p>Deleting a printer on the client will not delete the +driver too (to verify, right-click on the white background of the +<span class="guilabel">Printers</span> folder, select <span class="guimenuitem">Server Properties</span> and click on the +<span class="guilabel">Drivers</span> tab). These same old drivers will be re-used when you try to +install a printer with the same name. If you want to update to a new +driver, delete the old ones first. Deletion is only possible if no +other printer uses the same driver.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415499"></a>Windows 200x/XP Local Security Policies</h3></div></div></div><a class="indexterm" name="id415505"></a><a class="indexterm" name="id415512"></a><p>Local security policies may not allow the installation of unsigned drivers “<span class="quote">local +security policies</span>” may not allow the installation of printer drivers at all.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415530"></a>Administrator Cannot Install Printers for All Local Users</h3></div></div></div><p> +<a class="indexterm" name="id415538"></a> +<a class="indexterm" name="id415545"></a> +Windows XP handles SMB printers on a “<span class="quote">per-user</span>” basis. +This means every user needs to install the printer himself or herself. To have a printer available for +everybody, you might want to use the built-in IPP client capabilities of Win XP. Add a printer with the print +path of <em class="parameter"><code>http://cupsserver:631/printers/printername</code></em>. We're still looking into this one. +Maybe a logon script could automatically install printers for all users. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415567"></a>Print Change, Notify Functions on NT Clients</h3></div></div></div><p>For print change, notify functions on NT++ clients. These need to run the <code class="literal">Server</code> +service first (renamed to <code class="literal">File & Print Sharing for MS Networks</code> in XP).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415591"></a>Win XP-SP1</h3></div></div></div><p>Win XP-SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to +“<span class="quote">Administrator</span>” or “<span class="quote">Power User</span>” groups of users). In Group Policy Object Editor, go +to <span class="guimenu">User Configuration -> Administrative Templates -> Control Panel -> Printers</span>. The policy +is automatically set to <code class="constant">Enabled</code> and the <code class="constant">Users can only Point and Print to +machines in their Forest</code> . You probably need to change it to <code class="constant">Disabled</code> or +<code class="constant">Users can only Point and Print to these servers</code> to make driver downloads from Samba +possible. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415632"></a>Print Options for All Users Can't Be Set on Windows 200x/XP</h3></div></div></div><p>How are you doing it? I bet the wrong way (it is not easy to find out, though). There are three +different ways to bring you to a dialog that <span class="emphasis"><em>seems</em></span> to set everything. All three dialogs +<span class="emphasis"><em>look</em></span> the same, yet only one of them does what you intend. You need to be Administrator or +Print Administrator to do this for all users. Here is how I do in on XP: +</p><div class="orderedlist"><ol type="A"><li><p>The first wrong way: + + </p><div class="orderedlist"><ol type="I"><li><p>Open the <span class="guilabel">Printers</span> + folder.</p></li><li><p>Right-click on the printer + (<span class="guilabel">remoteprinter on cupshost</span>) and + select in context menu <span class="guimenuitem">Printing + Preferences...</span></p></li><li><p>Look at this dialog closely and remember what it looks like.</p></li></ol></div><p> + </p></li><li><p>The second wrong way: + </p><div class="orderedlist"><ol type="I"><li><p>Open the <span class="guilabel">Printers</span> folder.</p></li><li><p>Right-click on the printer (<span class="guilabel">remoteprinter on + cupshost</span>) and select the context menu + <span class="guimenuitem">Properties</span>.</p></li><li><p>Click on the <span class="guilabel">General</span> tab.</p></li><li><p>Click on the button <span class="guibutton">Printing + Preferences...</span></p></li><li><p>A new dialog opens. Keep this dialog open and go back + to the parent dialog.</p></li></ol></div><p> + </p></li><li><p>The third and correct way: + </p><div class="orderedlist"><ol type="I"><li><p>Open the <span class="guilabel">Printers</span> folder.</p></li><li><p>Right-click on the printer (<span class="guilabel">remoteprinter on + cupshost</span>) and select the context menu + <span class="guimenuitem">Properties</span>.</p></li><li><p>Click on the <span class="guilabel">Advanced</span> + tab. (If everything is “<span class="quote">grayed out,</span>” then you are not logged + in as a user with enough privileges).</p></li><li><p>Click on the <span class="guibutton">Printing + Defaults...</span> button.</p></li><li><p>On any of the two new tabs, click on the + <span class="guibutton">Advanced...</span> button.</p></li><li><p>A new dialog opens. Compare this one to the other + identical-looking one from step “<span class="quote">B.5</span>” or A.3".</p></li></ol></div><p> + </p></li></ol></div><p> +Do you see any difference? I don't either. However, only the last one, which you arrived at with steps +“<span class="quote">C.1. to C.6.</span>”, will save any settings permanently and be the defaults for new users. If you want +all clients to get the same defaults, you need to conduct these steps <span class="emphasis"><em>as Administrator</em></span> +(<a class="indexterm" name="id415866"></a>printer admin in <code class="filename">smb.conf</code>) <span class="emphasis"><em>before</em></span> a client downloads the +driver (the clients can later set their own <span class="emphasis"><em>per-user defaults</em></span> by following the procedures +<span class="emphasis"><em>A</em></span> or <span class="emphasis"><em>B</em></span>). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415896"></a>Most Common Blunders in Driver Settings on Windows Clients</h3></div></div></div><p> +Don't use <em class="parameter"><code>Optimize for Speed</code></em>, but use <em class="parameter"><code>Optimize for Portability</code></em> +instead (Adobe PS Driver). Don't use <em class="parameter"><code>Page Independence: No</code></em>. Always settle with +<em class="parameter"><code>Page Independence: Yes</code></em> (Microsoft PS Driver and CUPS PS Driver for Windows NT/200x/XP). +If there are problems with fonts, use <em class="parameter"><code>Download as Softfont into printer</code></em> (Adobe PS +Driver). For <span class="guilabel">TrueType Download Options</span> choose <code class="constant">Outline</code>. Use +PostScript Level 2 if you are having trouble with a non-PS printer and if there is a choice. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415949"></a><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</h3></div></div></div><p> +Symptom: The last command of <code class="literal">cupsaddsmb</code> does not complete successfully. If the <code class="literal">cmd += setdriver printername printername</code> result was NT_STATUS_UNSUCCESSFUL, then possibly the printer was +not yet recognized by Samba. Did it show up in Network Neighborhood? Did it show up in <code class="literal">rpcclient +hostname -c `enumprinters'</code>? Restart smbd (or send a <code class="literal">kill -HUP</code> to all processes +listed by <code class="literal">smbstatus</code>, and try again. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id415995"></a>Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</h3></div></div></div><p> +Have you ever by accident set the CUPS spool directory to the same location (<em class="parameter"><code>RequestRoot +/var/spool/samba/</code></em> in <code class="filename">cupsd.conf</code> or the other way round: +<code class="filename">/var/spool/cups/</code> is set as <a class="indexterm" name="id416028"></a>path> in the <em class="parameter"><code>[printers]</code></em> section)? These <em class="parameter"><code>must</code></em> be different. Set <em class="parameter"><code>RequestRoot +/var/spool/cups/</code></em> in <code class="filename">cupsd.conf</code> and <a class="indexterm" name="id416059"></a>path = +/var/spool/samba in the <em class="parameter"><code>[printers]</code></em> section of <code class="filename">smb.conf</code>. Otherwise, +cupsd will sanitize permissions to its spool directory with each restart and printing will not work reliably. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id416081"></a>Print Queue Called “<span class="quote">lp</span>” Mishandles Print Jobs</h3></div></div></div><p> +In this case a print queue called “<span class="quote">lp</span>” intermittently swallows jobs and +spits out completely different ones from what was sent. +</p><p> +<a class="indexterm" name="id416100"></a> +<a class="indexterm" name="id416107"></a> +<a class="indexterm" name="id416114"></a> +It is a bad idea to name any printer “<span class="quote">lp</span>”. This is the traditional UNIX name for the default +printer. CUPS may be set up to do an automatic creation of Implicit Classes. This means, to group all printers +with the same name to a pool of devices and load-balance the jobs across them in a round-robin fashion. +Chances are high that someone else has a printer named “<span class="quote">lp</span>” too. You may receive that person's +jobs and send your own to his or her device unwittingly. To have tight control over the printer names, set +<em class="parameter"><code>BrowseShortNames No</code></em>. It will present any printer as +<em class="replaceable"><code>printername@cupshost</code></em>, which gives you better control over what may happen in a +large networked environment. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id416144"></a>Location of Adobe PostScript Driver Files for “<span class="quote">cupsaddsmb</span>”</h3></div></div></div><p> +Use <code class="literal">smbclient</code> to connect to any Windows box with a shared PostScript printer: +<code class="literal">smbclient //windowsbox/print\$ -U guest</code>. You can navigate to the +<code class="filename">W32X86/2</code> subdir to <code class="literal">mget ADOBE*</code> and other files or to +<code class="filename">WIN40/0</code> to do the same. Another option is to download the <code class="filename">*.exe</code> +packaged files from the Adobe Web site. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id416195"></a>Overview of the CUPS Printing Processes</h2></div></div></div><p> +A complete overview of the CUPS printing processes can be found in <a href="CUPS-printing.html#a_small" title="Figure 22.19. CUPS Printing Overview.">the CUPS +Printing Overview diagram</a>. +</p><div class="figure"><a name="a_small"></a><p class="title"><b>Figure 22.19. CUPS Printing Overview.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/a_small.png" width="243" alt="CUPS Printing Overview."></div></div></div><br class="figure-break"></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id406492" href="#id406492">6</a>] </sup>See also <a href="http://www.cups.org/cups-help.html" target="_top">http://www.cups.org/cups-help.html</a></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="classicalprinting.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Classical Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. Stackable VFS modules</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html b/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html new file mode 100644 index 0000000000..0cdb3e16aa --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html @@ -0,0 +1,144 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Important and Critical Change Notes for the Samba 3.x Series</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Important and Critical Change Notes for the Samba 3.x Series</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ChangeNotes"></a>Chapter 9. Important and Critical Change Notes for the Samba 3.x Series</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ChangeNotes.html#id351284">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id351294">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id351342">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351632">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351743">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></div><p> +Please read this chapter carefully before update or upgrading Samba. You should expect to find only critical +or very important information here. Comprehensive change notes and guidance information can be found in the +section <a href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba">Updating and Upgrading Samba</a>. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id351284"></a>Important Samba-3.2.x Change Notes</h2></div></div></div><p> +!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!! +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id351294"></a>Important Samba-3.0.x Change Notes</h2></div></div></div><p> +These following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25 +update). Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are +documented in this documention - See <a href="upgrading-to-3.0.html#oldupdatenotes" title="Upgrading from Samba-2.x to Samba-3.0.25">Upgrading from Samba-2.x to Samba-3.0.25</a>. +</p><p> +Sometimes it is difficult to figure out which part, or parts, of the HOWTO documentation should be updated to +reflect the impact of new or modified features. At other times it becomes clear that the documentation is in +need of being restructured. +</p><p> +In recent times a group of Samba users has joined the thrust to create a new <a href="http://wiki.samba.org/" target="_top">Samba Wiki</a> that is slated to become the all-singing and all-dancing +new face of Samba documentation. Hopefully, the Wiki will benefit from greater community input and +thus may be kept more up to date. Until that golden dream materializes and matures it is necessary to +continue to maintain the HOWTO. This chapter will document major departures from earlier behavior until +such time as the body of this HOWTO is restructured or modified. +</p><p> +This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided +in the <code class="filename">WHATSNEW.txt</code> file that is included with the Samba source code release tarball. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id351342"></a>User and Group Changes</h3></div></div></div><p> +The change documented here affects unmapped user and group accounts only. +</p><p> +<a class="indexterm" name="id351354"></a> +<a class="indexterm" name="id351361"></a> +<a class="indexterm" name="id351368"></a> +<a class="indexterm" name="id351377"></a> +<a class="indexterm" name="id351386"></a> +The user and group internal management routines have been rewritten to prevent overlaps of +assigned Relative Identifiers (RIDs). In the past the has been a potential problem when +either manually mapping Unix groups with the <code class="literal">net groupmap</code> command or +when migrating a Windows domain to a Samba domain by executing: +<code class="literal">net rpc vampire</code>. +</p><p> +<a class="indexterm" name="id351414"></a> +<a class="indexterm" name="id351421"></a> +<a class="indexterm" name="id351427"></a> +<a class="indexterm" name="id351434"></a> +Unmapped users are now assigned a SID in the <code class="literal">S-1-22-1</code> domain and unmapped +groups are assigned a SID in the <code class="literal">S-1-22-2</code> domain. Previously they were +assigned a RID within the SAM on the Samba server. For a domain controller this would have been under the +authority of the domain SID where as on a member server or standalone server, this would have +been under the authority of the local SAM (see the man page for <code class="literal">net getlocalsid</code>). +</p><p> +<a class="indexterm" name="id351467"></a> +<a class="indexterm" name="id351474"></a> +<a class="indexterm" name="id351480"></a> +<a class="indexterm" name="id351487"></a> +<a class="indexterm" name="id351494"></a> +The result is that any unmapped users or groups on an upgraded Samba domain controller may +be assigned a new SID. Because the SID rather than a name is stored in Windows security +descriptors, this can cause a user to no longer have access to a resource for example if a +file was copied from a Samba file server to a local Windows client NTFS partition. Any files +stored on the Samba server itself will continue to be accessible because UNIX stores the UNIX +GID and not the SID for authorization checks. +</p><p> +An example helps to illustrate the change: +</p><p> +<a class="indexterm" name="id351512"></a> +<a class="indexterm" name="id351518"></a> +<a class="indexterm" name="id351525"></a> +<a class="indexterm" name="id351531"></a> +Assume that a group named <span class="emphasis"><em>developers</em></span> exists with a UNIX GID of 782. In this +case this user does not exist in Samba's group mapping table. It would be perfectly normal for +this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as +<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code>. +</p><p> +<a class="indexterm" name="id351553"></a> +<a class="indexterm" name="id351560"></a> +<a class="indexterm" name="id351566"></a> +<a class="indexterm" name="id351573"></a> +With the release of Samba-3.0.23, the group SID would be reported as <code class="literal">S-1-22-2-782</code>. Any +security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based +on the group permissions if the user was not a member of the +<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> group. Because this group SID is +<code class="literal">S-1-22-2-782</code> and not reported in a user's token, Windows would fail the authorization check +even though both SIDs in some respect refer to the same UNIX group. +</p><p> +<a class="indexterm" name="id351605"></a> +<a class="indexterm" name="id351611"></a> +The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping +entry for the group <span class="emphasis"><em>developers</em></span> to point at the +<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> SID. With the release of Samba-3.0.23 this +workaround is no longer needed. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id351632"></a>Essential Group Mappings</h3></div></div></div><p> +Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows +domain groups <code class="literal">Domain Admins, Domain Users, Domain Guests</code>. Commencing with Samba 3.0.23 +these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to +correctly authenticate and recoognize valid domain users. When this happens users will not be able to log onto +the Windows client. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Group mappings are essentail only if the Samba servers is running as a PDC/BDC. Stand-alone servers do not +require these group mappings. +</p></div><p> +The following mappings are required: +</p><div class="table"><a name="TOSH-domgroups"></a><p class="title"><b>Table 9.1. Essential Domain Group Mappings</b></p><div class="table-contents"><table summary="Essential Domain Group Mappings" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Domain Group</th><th align="center">RID</th><th align="center">Example UNIX Group</th></tr></thead><tbody><tr><td align="center">Domain Admins</td><td align="center">512</td><td align="center">root</td></tr><tr><td align="center">Domain Users</td><td align="center">513</td><td align="center">users</td></tr><tr><td align="center">Domain Guests</td><td align="center">514</td><td align="center">nobody</td></tr></tbody></table></div></div><br class="table-break"><p> +When the POSIX (UNIX) groups are stored in LDAP, it may be desirable to call these <code class="literal">domadmins, domusers, +domguests</code> respectively. +</p><p> +For further information regarding group mappings see <a href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">Group Mapping: MS Windows +and UNIX</a>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id351743"></a>Passdb Changes</h3></div></div></div><p> +<a class="indexterm" name="id351751"></a> +<a class="indexterm" name="id351758"></a> +<a class="indexterm" name="id351764"></a> +<a class="indexterm" name="id351771"></a> +The <a class="indexterm" name="id351778"></a>passdb backend parameter no long accepts multiple passdb backends in a +chained configuration. Also be aware that the SQL and XML based passdb modules have been +removed in the Samba-3.0.23 release. More information regarding external support for a SQL +passdb module can be found on the <a href="http://pdbsql.sourceforge.net/" target="_top">pdbsql</a> web site. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id351795"></a>Group Mapping Changes in Samba-3.0.23</h3></div></div></div><p> +<a class="indexterm" name="id351803"></a> +<a class="indexterm" name="id351810"></a> +<a class="indexterm" name="id351817"></a> +<a class="indexterm" name="id351824"></a> +<a class="indexterm" name="id351830"></a> +<a class="indexterm" name="id351837"></a> +<a class="indexterm" name="id351844"></a> +<a class="indexterm" name="id351851"></a> +<a class="indexterm" name="id351857"></a> +<a class="indexterm" name="id351864"></a> +<a class="indexterm" name="id351871"></a> +The default mapping entries for groups such as <code class="literal">Domain Admins</code> are no longer +created when using an <code class="literal">smbpasswd</code> file or a <code class="literal">tdbsam</code> passdb +backend. This means that it is necessary to explicitly execute the <code class="literal">net groupmap add</code> +to create group mappings, rather than use the <code class="literal">net groupmap modify</code> method to create the +Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality +for domain groups. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id351912"></a>LDAP Changes in Samba-3.0.23</h3></div></div></div><p> +<a class="indexterm" name="id351920"></a> +<a class="indexterm" name="id351927"></a> +<a class="indexterm" name="id351934"></a> +<a class="indexterm" name="id351940"></a> +<a class="indexterm" name="id351947"></a> +There has been a minor update the Samba LDAP schema file. A substring matching rule has been +added to the <code class="literal">sambaSID</code> attribute definition. For OpenLDAP servers, this +will require the addition of <code class="literal">index sambaSID sub</code> to the +<code class="filename">slapd.conf</code> configuration file. It will be necessary to execute the +<code class="literal">slapindex</code> command after making this change. There has been no change to the +actual data storage schema. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Network Browsing</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/ClientConfig.html b/docs/htmldocs/Samba3-HOWTO/ClientConfig.html new file mode 100644 index 0000000000..bbb40e5b13 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ClientConfig.html @@ -0,0 +1,363 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 8. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ClientConfig.html#id348335">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ClientConfig.html#id348389">Technical Details</a></span></dt><dd><dl><dt><span class="sect2"><a href="ClientConfig.html#id348430">TCP/IP Configuration</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></span></dt></dl></dd><dt><span class="sect1"><a href="ClientConfig.html#id351062">Common Errors</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id348335"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id348343"></a> +<a class="indexterm" name="id348350"></a> +<a class="indexterm" name="id348357"></a> +Occasionally network administrators report difficulty getting Microsoft Windows clients to interoperate +correctly with Samba servers. It seems that some folks just cannot accept the fact that the right way +to configure an MS Windows network client is precisely as one would do when using MS Windows NT4 or 200x +servers. Yet there is repetitious need to provide detailed Windows client configuration instructions. +</p><p> +<a class="indexterm" name="id348370"></a> +<a class="indexterm" name="id348378"></a> +The purpose of this chapter is to graphically illustrate MS Windows client configuration for the most common +critical aspects of such configuration. An experienced network administrator will not be interested in the +details of this chapter. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id348389"></a>Technical Details</h2></div></div></div><p> +<a class="indexterm" name="id348396"></a> +<a class="indexterm" name="id348403"></a> +This chapter discusses TCP/IP protocol configuration as well as network membership for the platforms +that are in common use today. These are: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Microsoft Windows XP Professional + </p></li><li><p> + Windows 2000 Professional + </p></li><li><p> + Windows Millennium edition (Me) + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id348430"></a>TCP/IP Configuration</h3></div></div></div><p> +<a class="indexterm" name="id348438"></a> +<a class="indexterm" name="id348444"></a> + The builder of a house must ensure that all construction takes place on a firm foundation. + The same is true for the builder of a TCP/IP-based networking system. Fundamental network configuration problems + will plague all network users until they are resolved. + </p><p> +<a class="indexterm" name="id348457"></a> +<a class="indexterm" name="id348464"></a> + MS Windows workstations and servers can be configured either with fixed + IP addresses or via DHCP. The examples that follow demonstrate the use of DHCP + and make only passing reference to those situations where fixed IP configuration + settings can be effected. + </p><p> +<a class="indexterm" name="id348476"></a> +<a class="indexterm" name="id348483"></a> + It is possible to use shortcuts or abbreviated keystrokes to arrive at a + particular configuration screen. The decision was made to base all examples in this + chapter on use of the <span class="guibutton">Start</span> button. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id348498"></a>MS Windows XP Professional</h4></div></div></div><p> +<a class="indexterm" name="id348506"></a> + There are two paths to the Windows XP TCP/IP configuration panel. Choose the access method that you prefer: + </p><p> + Click <span class="guimenu">Start -> Control Panel -> Network Connections</span>. + </p><p> + <span class="emphasis"><em>Alternately,</em></span> click <span class="guimenu">Start -></span>, and right-click <span class="guimenu">My Network Places</span> + then select <span class="guimenuitem">Properties</span>. + </p><p> +<a class="indexterm" name="id348552"></a> + The following procedure steps through the Windows XP Professional TCP/IP configuration process: + </p><div class="procedure"><ol type="1"><li><p> +<a class="indexterm" name="id348568"></a> +<a class="indexterm" name="id348575"></a> +<a class="indexterm" name="id348582"></a> + On some installations the interface will be called <span class="guimenu">Local Area Connection</span> and + on others it will be called <span class="guimenu">Network Bridge</span>. On our system it is called <span class="guimenu">Network Bridge</span>. + Right-click on <span class="guimenu">Network Bridge -> Properties</span>. See <a href="ClientConfig.html#WXPP002" title="Figure 8.1. Network Bridge Configuration.">???</a>. + </p><div class="figure"><a name="WXPP002"></a><p class="title"><b>Figure 8.1. Network Bridge Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP002.png" alt="Network Bridge Configuration."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id348664"></a> +<a class="indexterm" name="id348671"></a> + The Network Bridge Configuration, or Local Area Connection, panel is used to set TCP/IP protocol settings. + In <span class="guimenuitem">This connection uses the following items:</span> box, + click on <span class="guimenu">Internet Protocol (TCP/IP)</span>, then click on <span class="guibutton">Properties</span>. + </p><p> +<a class="indexterm" name="id348701"></a> +<a class="indexterm" name="id348708"></a> + The default setting is DHCP-enabled operation + (i.e., “<span class="quote">Obtain an IP address automatically</span>”). See <a href="ClientConfig.html#WXPP003" title="Figure 8.2. Internet Protocol (TCP/IP) Properties.">???</a>. + </p><div class="figure"><a name="WXPP003"></a><p class="title"><b>Figure 8.2. Internet Protocol (TCP/IP) Properties.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP003.png" alt="Internet Protocol (TCP/IP) Properties."></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id348769"></a> +<a class="indexterm" name="id348776"></a> +<a class="indexterm" name="id348782"></a> +<a class="indexterm" name="id348789"></a> + Many network administrators will want to use DHCP to configure all client TCP/IP + protocol stack settings. (For information on how to configure the ISC DHCP server + for Windows client support see <a href="DNSDHCP.html#DHCP" title="DHCP Server">the DNS and DHCP Configuration Guide</a>, + <a href="DNSDHCP.html#DHCP" title="DHCP Server">DHCP Server</a>. + </p><p> +<a class="indexterm" name="id348815"></a> +<a class="indexterm" name="id348822"></a> +<a class="indexterm" name="id348829"></a> + If it is necessary to provide a fixed IP address, click on “<span class="quote">Use the following IP address</span>” and enter the + IP Address, the subnet mask, and the default gateway address in the boxes provided. + </p></li><li><p> +<a class="indexterm" name="id348848"></a> +<a class="indexterm" name="id348854"></a> +<a class="indexterm" name="id348861"></a> +<a class="indexterm" name="id348868"></a> + Click the <span class="guibutton">Advanced</span> button to proceed with TCP/IP configuration. + This opens a panel in which it is possible to create additional IP addresses for this interface. + The technical name for the additional addresses is <span class="emphasis"><em>IP aliases</em></span>, and additionally this + panel permits the setting of more default gateways (routers). In most cases where DHCP is used, it will not be + necessary to create additional settings. See <a href="ClientConfig.html#WXPP005" title="Figure 8.3. Advanced Network Settings">???</a> to see the appearance of this panel. + </p><div class="figure"><a name="WXPP005"></a><p class="title"><b>Figure 8.3. Advanced Network Settings</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP005.png" alt="Advanced Network Settings"></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id348934"></a> +<a class="indexterm" name="id348941"></a> +<a class="indexterm" name="id348948"></a> + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP. + </p></li><li><p> +<a class="indexterm" name="id348962"></a> +<a class="indexterm" name="id348969"></a> + Click the <span class="guimenu">DNS</span> tab to add DNS server settings. + The example system uses manually configured DNS settings. When finished making changes, click the + <span class="guibutton">OK</span> to commit the settings. See <a href="ClientConfig.html#WXPP014" title="Figure 8.4. DNS Configuration.">???</a>. + </p><div class="figure"><a name="WXPP014"></a><p class="title"><b>Figure 8.4. DNS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP014.png" alt="DNS Configuration."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id349041"></a> +<a class="indexterm" name="id349048"></a> + Click the <span class="guibutton">WINS</span> tab to add manual WINS server entries. + This step demonstrates an example system that uses manually configured WINS settings. + When finished making changes, click <span class="guibutton">OK</span> to commit + the settings. See <a href="ClientConfig.html#WXPP009" title="Figure 8.5. WINS Configuration">???</a>. + </p><div class="figure"><a name="WXPP009"></a><p class="title"><b>Figure 8.5. WINS Configuration</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP009.png" alt="WINS Configuration"></div></div></div><p><br class="figure-break"> + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id349114"></a>MS Windows 2000</h4></div></div></div><p> +<a class="indexterm" name="id349122"></a> +<a class="indexterm" name="id349129"></a> + There are two paths to the Windows 2000 Professional TCP/IP configuration panel. Choose the access method that you prefer: + </p><p> + Click <span class="guimenu">Start -> Control Panel -> Network and Dial-up Connections</span>. + </p><p> + <span class="emphasis"><em>Alternatively,</em></span> click <span class="guimenu">Start</span>, then right-click <span class="guimenu">My Network Places</span>, and + select <span class="guimenuitem">Properties</span>. + </p><p> +<a class="indexterm" name="id349175"></a> + The following procedure steps through the Windows XP Professional TCP/IP configuration process: + </p><div class="procedure"><ol type="1"><li><p> + Right-click on <span class="guimenu">Local Area Connection</span>, then click + <span class="guimenuitem">Properties</span>. See <a href="ClientConfig.html#w2kp001" title="Figure 8.6. Local Area Connection Properties.">???</a>. + </p><div class="figure"><a name="w2kp001"></a><p class="title"><b>Figure 8.6. Local Area Connection Properties.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp001.png" alt="Local Area Connection Properties."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id349254"></a> +<a class="indexterm" name="id349261"></a> + The Local Area Connection Properties is used to set TCP/IP protocol settings. Click on + <span class="guimenu">Internet Protocol (TCP/IP)</span> in the <span class="guimenuitem">Components checked are used by this + connection:</span> box, then click the <span class="guibutton">Properties</span> button. + </p></li><li><p> +<a class="indexterm" name="id349293"></a> +<a class="indexterm" name="id349300"></a> + The default setting is DHCP-enabled operation + (i.e., “<span class="quote">Obtain an IP address automatically</span>”). See <a href="ClientConfig.html#w2kp002" title="Figure 8.7. Internet Protocol (TCP/IP) Properties.">???</a>. + </p><div class="figure"><a name="w2kp002"></a><p class="title"><b>Figure 8.7. Internet Protocol (TCP/IP) Properties.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp002.png" alt="Internet Protocol (TCP/IP) Properties."></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id349358"></a> +<a class="indexterm" name="id349365"></a> + Many network administrators will want to use DHCP to configure all client TCP/IP + protocol stack settings. (For information on how to configure the ISC DHCP server + for Windows client support, see, <a href="DNSDHCP.html#DHCP" title="DHCP Server">???</a>. + </p><p> +<a class="indexterm" name="id349382"></a> +<a class="indexterm" name="id349389"></a> + If it is necessary to provide a fixed IP address, click on “<span class="quote">Use the following IP address</span>” and enter the + IP Address, the subnet mask, and the default gateway address in the boxes provided. + For this example we are assuming that all network clients will be configured using DHCP. + </p></li><li><p> + Click the <span class="guimenu">Advanced</span> button to proceed with TCP/IP configuration. + Refer to <a href="ClientConfig.html#w2kp003" title="Figure 8.8. Advanced Network Settings.">???</a>. + </p><div class="figure"><a name="w2kp003"></a><p class="title"><b>Figure 8.8. Advanced Network Settings.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp003.png" alt="Advanced Network Settings."></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id349461"></a> +<a class="indexterm" name="id349468"></a> +<a class="indexterm" name="id349475"></a> + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP. + </p></li><li><p> +<a class="indexterm" name="id349489"></a> +<a class="indexterm" name="id349496"></a> + Click the <span class="guimenu">DNS</span> tab to add DNS server settings. + The example system uses manually configured DNS settings. When finished making changes, + click <span class="guibutton">OK</span> to commit the settings. See <a href="ClientConfig.html#w2kp004" title="Figure 8.9. DNS Configuration.">???</a>. + </p><div class="figure"><a name="w2kp004"></a><p class="title"><b>Figure 8.9. DNS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp004.png" alt="DNS Configuration."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id349565"></a> +<a class="indexterm" name="id349572"></a> + Click the <span class="guibutton">WINS</span> tab to add manual WINS server entries. + This step demonstrates an example system that uses manually configured WINS settings. + When finished making changes, click <span class="guibutton">OK</span> to commit the settings. + See <a href="ClientConfig.html#w2kp005" title="Figure 8.10. WINS Configuration.">???</a>. + </p><div class="figure"><a name="w2kp005"></a><p class="title"><b>Figure 8.10. WINS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp005.png" alt="WINS Configuration."></div></div></div><p><br class="figure-break"> + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id349640"></a>MS Windows Me</h4></div></div></div><p> +<a class="indexterm" name="id349648"></a> +<a class="indexterm" name="id349655"></a> +<a class="indexterm" name="id349662"></a> + There are two paths to the Windows Millennium edition (Me) TCP/IP configuration panel. Choose the access method that you prefer: + </p><p> + Click <span class="guimenu">Start -> Control Panel -> Network Connections</span>. + </p><p> +<a class="indexterm" name="id349683"></a> +<a class="indexterm" name="id349690"></a> + <span class="emphasis"><em>Alternatively,</em></span> click on <span class="guimenu">Start -></span>, and right click on <span class="guimenu">My Network Places</span> + then select <span class="guimenuitem">Properties</span>. + </p><p> +<a class="indexterm" name="id349721"></a> + The following procedure steps through the Windows Me TCP/IP configuration process: + </p><div class="procedure"><ol type="1"><li><p> +<a class="indexterm" name="id349738"></a> + In the box labeled <span class="guimenuitem">The following network components are installed:</span>, + click on <span class="guimenu">Internet Protocol TCP/IP</span>, then click on the <span class="guibutton">Properties</span> button. + See <a href="ClientConfig.html#WME001" title="Figure 8.11. The Windows Me Network Configuration Panel.">???</a>. + </p><div class="figure"><a name="WME001"></a><p class="title"><b>Figure 8.11. The Windows Me Network Configuration Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME001.png" alt="The Windows Me Network Configuration Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id349817"></a> +<a class="indexterm" name="id349823"></a> +<a class="indexterm" name="id349830"></a> + Many network administrators will want to use DHCP to configure all client TCP/IP + protocol stack settings. (For information on how to configure the ISC DHCP server + for Windows client support see <a href="DNSDHCP.html#DHCP" title="DHCP Server">the DNS and DHCP Configuration Guide</a>, + <a href="DNSDHCP.html#DHCP" title="DHCP Server">DHCP Server</a>. The default setting on Windows Me workstations is for DHCP-enabled operation + (i.e., <span class="guimenu">Obtain IP address automatically</span> is enabled). See <a href="ClientConfig.html#WME002" title="Figure 8.12. IP Address.">???</a>. + </p><div class="figure"><a name="WME002"></a><p class="title"><b>Figure 8.12. IP Address.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME002.png" alt="IP Address."></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id349907"></a> +<a class="indexterm" name="id349913"></a> +<a class="indexterm" name="id349920"></a> + If it is necessary to provide a fixed IP address, click on <span class="guimenuitem">Specify an IP address</span> and enter the + IP Address and the subnet mask in the boxes provided. For this example we are assuming that all + network clients will be configured using DHCP. + </p></li><li><p> +<a class="indexterm" name="id349941"></a> +<a class="indexterm" name="id349948"></a> + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP. + </p></li><li><p> +<a class="indexterm" name="id349962"></a> + If necessary, click the <span class="guimenu">DNS Configuration</span> tab to add DNS server settings. + Click the <span class="guibutton">WINS Configuration</span> tab to add WINS server settings. + The <span class="guimenu">Gateway</span> tab allows additional gateways (router addresses) to be added to the network + interface settings. In most cases where DHCP is used, it will not be necessary to + create these manual settings. + </p></li><li><p> +<a class="indexterm" name="id349996"></a> +<a class="indexterm" name="id350003"></a> + The following example uses manually configured WINS settings. See <a href="ClientConfig.html#WME005" title="Figure 8.13. DNS Configuration.">???</a>. + When finished making changes, click <span class="guibutton">OK</span> to commit the settings. + </p><div class="figure"><a name="WME005"></a><p class="title"><b>Figure 8.13. DNS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME005.png" alt="DNS Configuration."></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id350062"></a> +<a class="indexterm" name="id350069"></a> + This is an example of a system that uses manually configured WINS settings. One situation where + this might apply is on a network that has a single DHCP server that provides settings for multiple + Windows workgroups or domains. See <a href="ClientConfig.html#WME003" title="Figure 8.14. WINS Configuration.">???</a>. + </p><div class="figure"><a name="WME003"></a><p class="title"><b>Figure 8.14. WINS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME003.png" alt="WINS Configuration."></div></div></div><p><br class="figure-break"> + </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id350125"></a>Joining a Domain: Windows 2000/XP Professional</h3></div></div></div><p> +<a class="indexterm" name="id350133"></a> +<a class="indexterm" name="id350140"></a> +<a class="indexterm" name="id350147"></a> +<a class="indexterm" name="id350154"></a> + Microsoft Windows NT/200x/XP Professional platforms can participate in domain security. + This section steps through the process for making a Windows 200x/XP Professional machine a + member of a domain security environment. It should be noted that this process is identical + when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. + </p><div class="procedure"><ol type="1"><li><p> + Click <span class="guimenu">Start</span>. + </p></li><li><p> + Right-click <span class="guimenu">My Computer</span>, then select <span class="guimenuitem">Properties</span>. + </p></li><li><p> +<a class="indexterm" name="id350204"></a> + The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel. + See <a href="ClientConfig.html#wxpp001" title="Figure 8.15. The General Panel.">???</a>. + </p><div class="figure"><a name="wxpp001"></a><p class="title"><b>Figure 8.15. The General Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id350268"></a> + Click the <span class="guimenu">Computer Name</span> tab. + This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>, + and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>. + </p><p> +<a class="indexterm" name="id350308"></a> +<a class="indexterm" name="id350315"></a> + Clicking the <span class="guimenu">Network ID</span> button will launch the configuration wizard. Do not use this with + Samba-3. If you wish to change the computer name or join or leave the domain, click the <span class="guimenu">Change</span> button. + See <a href="ClientConfig.html#wxpp004" title="Figure 8.16. The Computer Name Panel.">???</a>. + </p><div class="figure"><a name="wxpp004"></a><p class="title"><b>Figure 8.16. The Computer Name Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP. + We will join the domain called MIDEARTH. See <a href="ClientConfig.html#wxpp006" title="Figure 8.17. The Computer Name Changes Panel.">???</a>. + </p><div class="figure"><a name="wxpp006"></a><p class="title"><b>Figure 8.17. The Computer Name Changes Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id350443"></a> + Enter the name <span class="guimenu">MIDEARTH</span> in the field below the domain radio button. + </p><p> + This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a href="ClientConfig.html#wxpp007" title="Figure 8.18. The Computer Name Changes Panel Domain MIDEARTH.">???</a>. + </p><div class="figure"><a name="wxpp007"></a><p class="title"><b>Figure 8.18. The Computer Name Changes Panel Domain MIDEARTH.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id350513"></a> +<a class="indexterm" name="id350520"></a> + Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the + credentials (username and password) of a domain administrative account that has the rights to add machines to + the domain. + </p><p> +<a class="indexterm" name="id350537"></a> + Enter the name “<span class="quote">root</span>” and the root password from your Samba-3 server. See <a href="ClientConfig.html#wxpp008" title="Figure 8.19. Computer Name Changes Username and Password Panel.">???</a>. + </p><div class="figure"><a name="wxpp008"></a><p class="title"><b>Figure 8.19. Computer Name Changes Username and Password Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes Username and Password Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click on <span class="guimenu">OK</span>. + </p><p> +<a class="indexterm" name="id350612"></a> +<a class="indexterm" name="id350619"></a> + The “<span class="quote">Welcome to the MIDEARTH domain.</span>” dialog box should appear. At this point the machine must be rebooted. + Joining the domain is now complete. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id350634"></a>Domain Logon Configuration: Windows 9x/Me</h3></div></div></div><p> +<a class="indexterm" name="id350642"></a> +<a class="indexterm" name="id350649"></a> +<a class="indexterm" name="id350655"></a> + We follow the convention used by most in saying that Windows 9x/Me machines can participate in domain logons. The truth is + that these platforms can use only the LanManager network logon protocols. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id350668"></a> +<a class="indexterm" name="id350675"></a> +<a class="indexterm" name="id350682"></a> + Windows XP Home edition cannot participate in domain or LanManager network logons. + </p></div><div class="procedure"><ol type="1"><li><p> + Right-click on the <span class="guimenu">Network Neighborhood</span> icon. + </p></li><li><p> + The Network Configuration Panel allows all common network settings to be changed. + See <a href="ClientConfig.html#WME009" title="Figure 8.20. The Network Panel.">???</a>. + </p><div class="figure"><a name="WME009"></a><p class="title"><b>Figure 8.20. The Network Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME009.png" alt="The Network Panel."></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id350758"></a> +<a class="indexterm" name="id350765"></a> + Make sure that the <span class="guimenu">Client for Microsoft Networks</span> driver is installed as shown. + Click on the <span class="guimenu">Client for Microsoft Networks</span> entry in <span class="guimenu">The following network + components are installed:</span> box. Then click the <span class="guibutton">Properties</span> button. + </p></li><li><p> +<a class="indexterm" name="id350803"></a> +<a class="indexterm" name="id350810"></a> + The Client for Microsoft Networks Properties panel is the correct location to configure network logon + settings. See <a href="ClientConfig.html#WME010" title="Figure 8.21. Client for Microsoft Networks Properties Panel.">???</a>. + </p><div class="figure"><a name="WME010"></a><p class="title"><b>Figure 8.21. Client for Microsoft Networks Properties Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME010.png" alt="Client for Microsoft Networks Properties Panel."></div></div></div><p><br class="figure-break"> + </p><p> +<a class="indexterm" name="id350865"></a> +<a class="indexterm" name="id350872"></a> + Enter the Windows NT domain name, check the <span class="guimenu">Log on to Windows NT domain</span> box, + and click <span class="guimenu">OK</span>. + </p></li><li><p> +<a class="indexterm" name="id350898"></a> +<a class="indexterm" name="id350904"></a> +<a class="indexterm" name="id350911"></a> + Click on the <span class="guimenu">Identification</span> button. This is the location at which the workgroup + (domain) name and the machine name (computer name) need to be set. See <a href="ClientConfig.html#WME013" title="Figure 8.22. Identification Panel.">???</a>. + </p><div class="figure"><a name="WME013"></a><p class="title"><b>Figure 8.22. Identification Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME013.png" alt="Identification Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> +<a class="indexterm" name="id350974"></a> +<a class="indexterm" name="id350981"></a> +<a class="indexterm" name="id350988"></a> +<a class="indexterm" name="id350995"></a> + Now click the <span class="guimenu">Access Control</span> button. If you want to be able to assign share access + permissions using domain user and group accounts, it is necessary to enable + <span class="guimenu">User-level access control</span> as shown in this panel. See <a href="ClientConfig.html#WME014" title="Figure 8.23. Access Control Panel.">???</a>. + </p><div class="figure"><a name="WME014"></a><p class="title"><b>Figure 8.23. Access Control Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME014.png" alt="Access Control Panel."></div></div></div><p><br class="figure-break"> + </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id351062"></a>Common Errors</h2></div></div></div><p> +<a class="indexterm" name="id351070"></a> +<a class="indexterm" name="id351077"></a> +The most common errors that can afflict Windows networking systems include: +</p><div class="itemizedlist"><ul type="disc"><li><p>Incorrect IP address.</p></li><li><p>Incorrect or inconsistent netmasks.</p></li><li><p>Incorrect router address.</p></li><li><p>Incorrect DNS server address.</p></li><li><p>Incorrect WINS server address.</p></li><li><p>Use of a Network Scope setting watch out for this one!</p></li></ul></div><p> +<a class="indexterm" name="id351122"></a> +<a class="indexterm" name="id351129"></a> +The most common reasons for which a Windows NT/200x/XP Professional client cannot join the Samba controlled domain are: +</p><div class="itemizedlist"><ul type="disc"><li><p><code class="filename">smb.conf</code> does not have correct <a class="indexterm" name="id351148"></a>add machine script settings.</p></li><li><p>“<span class="quote">root</span>” account is not in password backend database.</p></li><li><p>Attempt to use a user account instead of the “<span class="quote">root</span>” account to join a machine to the domain.</p></li><li><p>Open connections from the workstation to the server.</p></li><li><p>Firewall or filter configurations in place on either the client or the Samba server.</p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Standalone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html b/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html new file mode 100644 index 0000000000..c60749e902 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html @@ -0,0 +1,265 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 47. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="ch46.html" title="Chapter 46. Samba Support"><link rel="next" href="apa.html" title="Appendix A. GNU General Public License version 3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 47. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch46.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 47. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DNSDHCP.html#id454865">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="DNSDHCP.html#id455025">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="DNSDHCP.html#id455101">Dynamic DNS</a></span></dt><dt><span class="sect2"><a href="DNSDHCP.html#DHCP">DHCP Server</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id454865"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id454873"></a> +<a class="indexterm" name="id454882"></a> +There are few subjects in the UNIX world that might raise as much contention as +Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP). +Not all opinions held for or against particular implementations of DNS and DHCP +are valid. +</p><p> +We live in a modern age where many information technology users demand mobility +and freedom. Microsoft Windows users in particular expect to be able to plug their +notebook computer into a network port and have things “<span class="quote">just work.</span>” +</p><p> +<a class="indexterm" name="id454905"></a> +UNIX administrators have a point. Many of the normative practices in the Microsoft +Windows world at best border on bad practice from a security perspective. +Microsoft Windows networking protocols allow workstations to arbitrarily register +themselves on a network. Windows 2000 Active Directory registers entries in the DNS namespace +that are equally perplexing to UNIX administrators. Welcome to the new world! +</p><p> +<a class="indexterm" name="id454919"></a> +<a class="indexterm" name="id454928"></a> +<a class="indexterm" name="id454936"></a> +The purpose of this chapter is to demonstrate the configuration of the Internet +Software Consortium (ISC) DNS and DHCP servers to provide dynamic services that are +compatible with their equivalents in the Microsoft Windows 2000 Server products. +</p><p> +This chapter provides no more than a working example of configuration files for both DNS and DHCP servers. The +examples used match configuration examples used elsewhere in this document. +</p><p> +<a class="indexterm" name="id454956"></a> +<a class="indexterm" name="id454962"></a> +<a class="indexterm" name="id454969"></a> +This chapter explicitly does not provide a tutorial, nor does it pretend to be a reference guide on DNS and +DHCP, as this is well beyond the scope and intent of this document as a whole. Anyone who wants more detailed +reference materials on DNS or DHCP should visit the ISC Web site at <a href="http://www.isc.org" target="_top"> http://www.isc.org</a>. Those wanting a written text might also be interested +in the O'Reilly publications on DNS, see the <a href="http://www.oreilly.com/catalog/dns/index.htm" target="_top">O'Reilly</a> web site, and the <a href="http://www.bind9.net/books-dhcp" target="_top">BIND9.NET</a> web site for details. +The books are: +</p><div class="orderedlist"><ol type="1"><li><p>DNS and BIND, By Cricket Liu, Paul Albitz, ISBN: 1-56592-010-4</p></li><li><p>DNS & Bind Cookbook, By Cricket Liu, ISBN: 0-596-00410-9</p></li><li><p>The DHCP Handbook (2nd Edition), By: Ralph Droms, Ted Lemon, ISBN 0-672-32327-3</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id455025"></a>Example Configuration</h2></div></div></div><p> +<a class="indexterm" name="id455033"></a> +<a class="indexterm" name="id455040"></a> +The DNS is to the Internet what water is to life. Nearly all information resources (host names) are resolved +to their Internet protocol (IP) addresses through DNS. Windows networking tried hard to avoid the +complexities of DNS, but alas, DNS won. <a class="indexterm" name="id455048"></a> The alternative to +DNS, the Windows Internet Name Service (WINS) an artifact of NetBIOS networking over the TCP/IP +protocols has demonstrated scalability problems as well as a flat, nonhierarchical namespace that +became unmanageable as the size and complexity of information technology networks grew. +</p><p> +<a class="indexterm" name="id455067"></a> +<a class="indexterm" name="id455073"></a> +WINS is a Microsoft implementation of the RFC1001/1002 NetBIOS Name Service (NBNS). +It allows NetBIOS clients (like Microsoft Windows machines) to register an arbitrary +machine name that the administrator or user has chosen together with the IP +address that the machine has been given. Through the use of WINS, network client machines +could resolve machine names to their IP address. +</p><p> +The demand for an alternative to the limitations of NetBIOS networking finally drove +Microsoft to use DNS and Active Directory. Microsoft's new implementation attempts +to use DNS in a manner similar to the way that WINS is used for NetBIOS networking. +Both WINS and Microsoft DNS rely on dynamic name registration. +</p><p> +Microsoft Windows clients can perform dynamic name registration to the DNS server +on startup. Alternatively, where DHCP is used to assign workstation IP addresses, +it is possible to register hostnames and their IP address by the DHCP server as +soon as a client acknowledges an IP address lease. Finally, Microsoft DNS can resolve +hostnames via Microsoft WINS. +</p><p> +The following configurations demonstrate a simple, insecure dynamic DNS server and +a simple DHCP server that matches the DNS configuration. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id455101"></a>Dynamic DNS</h3></div></div></div><p> + <a class="indexterm" name="id455109"></a> + The example DNS configuration is for a private network in the IP address + space for network 192.168.1.0/24. The private class network address space + is set forth in RFC1918. + </p><p> + <a class="indexterm" name="id455123"></a> + It is assumed that this network will be situated behind a secure firewall. + The files that follow work with ISC BIND version 9. BIND is the Berkeley + Internet Name Daemon. + </p><p> + The master configuration file <code class="filename">/etc/named.conf</code> + determines the location of all further configuration files used. + The location and name of this file is specified in the startup script + that is part of the operating system. +</p><pre class="programlisting"> +# Quenya.Org configuration file + +acl mynet { + 192.168.1.0/24; + 127.0.0.1; +}; + +options { + + directory "/var/named"; + listen-on-v6 { any; }; + notify no; + forward first; + forwarders { + 192.168.1.1; + }; + auth-nxdomain yes; + multiple-cnames yes; + listen-on { + mynet; + }; +}; + +# The following three zone definitions do not need any modification. +# The first one defines localhost while the second defines the +# reverse lookup for localhost. The last zone "." is the +# definition of the root name servers. + +zone "localhost" in { + type master; + file "localhost.zone"; +}; + +zone "0.0.127.in-addr.arpa" in { + type master; + file "127.0.0.zone"; +}; + +zone "." in { + type hint; + file "root.hint"; +}; + +# You can insert further zone records for your own domains below. + +zone "quenya.org" { + type master; + file "/var/named/quenya.org.hosts"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; + }; + +zone "1.168.192.in-addr.arpa" { + type master; + file "/var/named/192.168.1.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; +</pre><p> + </p><p> + The following files are all located in the directory <code class="filename">/var/named</code>. + This is the <code class="filename">/var/named/localhost.zone</code> file: +</p><pre class="programlisting"> +$TTL 1W +@ IN SOA @ root ( + 42 ; serial (d. adams) + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + + IN NS @ + IN A 127.0.0.1 + </pre><p> + </p><p> + The <code class="filename">/var/named/127.0.0.zone</code> file: +</p><pre class="programlisting"> +$TTL 1W +@ IN SOA localhost. root.localhost. ( + 42 ; serial (d. adams) + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + + IN NS localhost. +1 IN PTR localhost. +</pre><p> + </p><p> + The <code class="filename">/var/named/quenya.org.host</code> file: +</p><pre class="programlisting"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +quenya.org IN SOA marvel.quenya.org. root.quenya.org. ( + 2003021832 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS marvel.quenya.org. + MX 10 mail.quenya.org. +$ORIGIN quenya.org. +frodo A 192.168.1.1 +marvel A 192.168.1.2 +; +mail CNAME marvel +www CNAME marvel +</pre><p> +</p><p> + The <code class="filename">/var/named/192.168.1.0.rev</code> file: +</p><pre class="programlisting"> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +1.168.192.in-addr.arpa IN SOA marvel.quenya.org. root.quenya.org. ( + 2003021824 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS marvel.quenya.org. +$ORIGIN 1.168.192.in-addr.arpa. +1 PTR frodo.quenya.org. +2 PTR marvel.quenya.org. +</pre><p> + </p><p> +<a class="indexterm" name="id455249"></a> +<a class="indexterm" name="id455256"></a> + The configuration files shown here were copied from a fully working system. All dynamically registered + entries have been removed. In addition to these files, BIND version 9 will + create for each of the dynamic registration files a file that has a + <code class="filename">.jnl</code> extension. Do not edit or tamper with the configuration + files or with the <code class="filename">.jnl</code> files that are created. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="DHCP"></a>DHCP Server</h3></div></div></div><p> + The following file is used with the ISC DHCP Server version 3. + The file is located in <code class="filename">/etc/dhcpd.conf</code>: + </p><p> + </p><pre class="programlisting"> +ddns-updates on; +ddns-domainname "quenya.org"; +option ntp-servers 192.168.1.2; +ddns-update-style ad-hoc; +allow unknown-clients; +default-lease-time 86400; +max-lease-time 172800; + +option domain-name "quenya.org"; +option domain-name-servers 192.168.1.2; +option netbios-name-servers 192.168.1.2; +option netbios-dd-server 192.168.1.2; +option netbios-node-type 8; + +subnet 192.168.1.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.1.60 192.168.1.254; + option subnet-mask 255.255.255.0; + option routers 192.168.1.2; + allow unknown-clients; +} +</pre><p> + </p><p> + In this example, IP addresses between 192.168.1.1 and 192.168.1.59 are + reserved for fixed-address (commonly called <code class="constant">hard-wired</code>) IP addresses. The + addresses between 192.168.1.60 and 192.168.1.254 are allocated for dynamic use. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch46.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 46. Samba Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/FastStart.html b/docs/htmldocs/Samba3-HOWTO/FastStart.html new file mode 100644 index 0000000000..8a17bd6fb1 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/FastStart.html @@ -0,0 +1,698 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Fast Start: Cure for Impatience</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="prev" href="install.html" title="Chapter 1. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Fast Start: Cure for Impatience</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 2. Fast Start: Cure for Impatience</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="FastStart.html#id327874">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id327893">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id327959">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id327975">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id329828">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id330741">Domain Controller</a></span></dt></dl></dd></dl></div><p> +When we first asked for suggestions for inclusion in the Samba HOWTO documentation, +someone wrote asking for example configurations and lots of them. That is remarkably +difficult to do without losing a lot of value that can be derived from presenting +many extracts from working systems. That is what the rest of this document does. +It does so with extensive descriptions of the configuration possibilities within the +context of the chapter that covers it. We hope that this chapter is the medicine +that has been requested. +</p><p> +The information in this chapter is very sparse compared with the book “<span class="quote">Samba-3 by Example</span>” +that was written after the original version of this book was nearly complete. “<span class="quote">Samba-3 by Example</span>” +was the result of feedback from reviewers during the final copy editing of the first edition. It +was interesting to see that reader feedback mirrored that given by the original reviewers. +In any case, a month and a half was spent in doing basic research to better understand what +new as well as experienced network administrators would best benefit from. The book “<span class="quote">Samba-3 by Example</span>” +is the result of that research. What is presented in the few pages of this book is covered +far more comprehensively in the second edition of “<span class="quote">Samba-3 by Example</span>”. The second edition +of both books will be released at the same time. +</p><p> +So in summary, the book “<span class="quote">The Official Samba-3 HOWTO & Reference Guide</span>” is intended +as the equivalent of an auto mechanic's repair guide. The book “<span class="quote">Samba-3 by Example</span>” is the +equivalent of the driver's guide that explains how to drive the car. If you want complete network +configuration examples, go to <a href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by +Example</a>. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327874"></a>Features and Benefits</h2></div></div></div><p> +Samba needs very little configuration to create a basic working system. +In this chapter we progress from the simple to the complex, for each providing +all steps and configuration file changes needed to make each work. Please note +that a comprehensively configured system will likely employ additional smart +features. These additional features are covered in the remainder of this document. +</p><p> +The examples used here have been obtained from a number of people who made +requests for example configurations. All identities have been obscured to protect +the guilty, and any resemblance to unreal nonexistent sites is deliberate. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327893"></a>Description of Example Sites</h2></div></div></div><p> +In the first set of configuration examples we consider the case of exceptionally simple system requirements. +There is a real temptation to make something that should require little effort much too complex. +</p><p> +<a href="FastStart.html#anon-ro" title="Anonymous Read-Only Document Server">???</a> documents the type of server that might be sufficient to serve CD-ROM images, +or reference document files for network client use. This configuration is also discussed in <a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">???</a>, <a href="StandAloneServer.html#RefDocServer" title="Reference Documentation Server">???</a>. The purpose for this configuration +is to provide a shared volume that is read-only that anyone, even guests, can access. +</p><p> +The second example shows a minimal configuration for a print server that anyone can print to as long as they +have the correct printer drivers installed on their computer. This is a mirror of the system described in +<a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">???</a>, <a href="StandAloneServer.html#SimplePrintServer" title="Central Print Serving">???</a>. +</p><p> +The next example is of a secure office file and print server that will be accessible only to users who have an +account on the system. This server is meant to closely resemble a workgroup file and print server, but has to +be more secure than an anonymous access machine. This type of system will typically suit the needs of a small +office. The server provides no network logon facilities, offers no domain control; instead it is just a +network-attached storage (NAS) device and a print server. +</p><p> +The later example consider more complex systems that will either integrate into existing MS Windows networks +or replace them entirely. These cover domain member servers as well as Samba domain control (PDC/BDC) and +finally describes in detail a large distributed network with branch offices in remote locations. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327959"></a>Worked Examples</h2></div></div></div><p> +The configuration examples are designed to cover everything necessary to get Samba +running. They do not cover basic operating system platform configuration, which is +clearly beyond the scope of this text. +</p><p> +It is also assumed that Samba has been correctly installed, either by way of installation +of the packages that are provided by the operating system vendor or through other means. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327975"></a>Standalone Server</h3></div></div></div><p> + <a class="indexterm" name="id327982"></a> + A standalone server implies no more than the fact that it is not a domain controller + and it does not participate in domain control. It can be a simple, workgroup-like + server, or it can be a complex server that is a member of a domain security context. + </p><p> + As the examples are developed, every attempt is made to progress the system toward greater capability, just as + one might expect would happen in a real business office as that office grows in size and its needs change. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="anon-ro"></a>Anonymous Read-Only Document Server</h4></div></div></div><p> + <a class="indexterm" name="id328011"></a> + The purpose of this type of server is to make available to any user + any documents or files that are placed on the shared resource. The + shared resource could be a CD-ROM drive, a CD-ROM image, or a file + storage area. + </p><div class="itemizedlist"><ul type="disc"><li><p> + The file system share point will be <code class="filename">/export</code>. + </p></li><li><p> + All files will be owned by a user called Jack Baumbach. + Jack's login name will be <span class="emphasis"><em>jackb</em></span>. His password will be + <span class="emphasis"><em>m0r3pa1n</em></span> of course, that's just the example we are + using; do not use this in a production environment because + all readers of this document will know it. + </p></li></ul></div><div class="procedure"><a name="id328055"></a><p class="title"><b>Procedure 2.1. Installation Procedure: Read-Only Server</b></p><div class="example"><a name="anon-example"></a><p class="title"><b>Example 2.1. Anonymous Read-Only Server Configuration</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id328188"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id328201"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id328213"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id328235"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id328247"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id328260"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328272"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> + Add user to system (with creation of the user's home directory): +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong> +</pre><p> + </p></li><li><p> + Create directory, and set permissions and ownership: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chmod u+rwx,g+rx,o+rx /export</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chown jackb.users /export</code></strong> +</pre><p> + </p></li><li><p> + Copy the files that should be shared to the <code class="filename">/export</code> + directory. + </p></li><li><p> + Install the Samba configuration file (<code class="filename">/etc/samba/smb.conf</code>) + as shown in <a href="FastStart.html#anon-example" title="Example 2.1. Anonymous Read-Only Server Configuration">Anonymous Read-Only Server Configuration</a>. + </p></li><li><p> + Test the configuration file by executing the following command: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>testparm</code></strong> +</pre><p> + Alternatively, where you are operating from a master configuration file called + <code class="filename">smb.conf.master</code>, the following sequence of commands might prove + more appropriate: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /etc/samba +<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf +<code class="prompt">root# </code> testparm +</pre><p> + Note any error messages that might be produced. Proceed only if error-free output has been + obtained. An example of typical output that should be generated from the above configuration + file is shown here: +</p><pre class="screen"> +Load smb config files from /etc/samba/smb.conf +Processing section "[data]" +Loaded services file OK. +Server role: ROLE_STANDALONE +Press enter to see a dump of your service definitions +<strong class="userinput"><code>[Press enter]</code></strong> + +# Global parameters +[global] + workgroup = MIDEARTH + netbios name = HOBBIT + security = share + +[data] + comment = Data + path = /export + read only = Yes + guest only = Yes +</pre><p> + </p></li><li><p> + Start Samba using the method applicable to your operating system platform. The method that + should be used is platform dependent. Refer to <a href="compiling.html#startingSamba" title="Starting the smbd nmbd and winbindd">Starting Samba</a> + for further information regarding the starting of Samba. + </p></li><li><p> + Configure your MS Windows client for workgroup <span class="emphasis"><em>MIDEARTH</em></span>, + set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes, + then open Windows Explorer and visit the Network Neighborhood. + The machine HOBBIT should be visible. When you click this machine + icon, it should open up to reveal the <span class="emphasis"><em>data</em></span> share. After + you click the share, it should open up to reveal the files previously + placed in the <code class="filename">/export</code> directory. + </p></li></ol></div><p> + The information above (following # Global parameters) provides the complete + contents of the <code class="filename">/etc/samba/smb.conf</code> file. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328408"></a>Anonymous Read-Write Document Server</h4></div></div></div><p> + <a class="indexterm" name="id328416"></a> + We should view this configuration as a progression from the previous example. + The difference is that shared access is now forced to the user identity of jackb + and to the primary group jackb belongs to. One other refinement we can make is to + add the user <span class="emphasis"><em>jackb</em></span> to the <code class="filename">smbpasswd</code> file. + To do this, execute: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong> +New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong> +Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong> +Added user jackb. +</pre><p> + Addition of this user to the <code class="filename">smbpasswd</code> file allows all files + to be displayed in the Explorer Properties boxes as belonging to <span class="emphasis"><em>jackb</em></span> + instead of to <span class="emphasis"><em>User Unknown</em></span>. + </p><p> + The complete, modified <code class="filename">smb.conf</code> file is as shown in <a href="FastStart.html#anon-rw" title="Example 2.2. Modified Anonymous Read-Write smb.conf">???</a>. + </p><div class="example"><a name="anon-rw"></a><p class="title"><b>Example 2.2. Modified Anonymous Read-Write smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id328524"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id328536"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id328549"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id328570"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id328583"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id328595"></a><em class="parameter"><code>force user = jackb</code></em></td></tr><tr><td><a class="indexterm" name="id328608"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id328620"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id328633"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id328648"></a>Anonymous Print Server</h4></div></div></div><p> + <a class="indexterm" name="id328655"></a> + An anonymous print server serves two purposes: + </p><div class="itemizedlist"><ul type="disc"><li><p> + It allows printing to all printers from a single location. + </p></li><li><p> + It reduces network traffic congestion due to many users trying + to access a limited number of printers. + </p></li></ul></div><p> + In the simplest of anonymous print servers, it is common to require the installation + of the correct printer drivers on the Windows workstation. In this case the print + server will be designed to just pass print jobs through to the spooler, and the spooler + should be configured to do raw pass-through to the printer. In other words, the print + spooler should not filter or process the data stream being passed to the printer. + </p><p> + In this configuration, it is undesirable to present the Add Printer Wizard, and we do + not want to have automatic driver download, so we disable it in the following + configuration. <a href="FastStart.html#anon-print" title="Example 2.3. Anonymous Print Server smb.conf">???</a> is the resulting <code class="filename">smb.conf</code> file. + </p><div class="example"><a name="anon-print"></a><p class="title"><b>Example 2.3. Anonymous Print Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id328731"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id328743"></a><em class="parameter"><code>netbios name = LUTHIEN</code></em></td></tr><tr><td><a class="indexterm" name="id328756"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td><a class="indexterm" name="id328768"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id328781"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328793"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id328806"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id328827"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id328840"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id328852"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328865"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328878"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328890"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p> + The above configuration is not ideal. It uses no smart features, and it deliberately + presents a less than elegant solution. But it is basic, and it does print. Samba makes + use of the direct printing application program interface that is provided by CUPS. + When Samba has been compiled and linked with the CUPS libraries, the default printing + system will be CUPS. By specifying that the printcap name is CUPS, Samba will use + the CUPS library API to communicate directly with CUPS for all printer functions. + It is possible to force the use of external printing commands by setting the value + of the <em class="parameter"><code>printing</code></em> to either SYSV or BSD, and thus the value of + the parameter <em class="parameter"><code>printcap name</code></em> must be set to something other than + CUPS. In such case, it could be set to the name of any file that contains a list + of printers that should be made available to Windows clients. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Windows users will need to install a local printer and then change the print + to device after installation of the drivers. The print to device can then be set to + the network printer on this machine. + </p></div><p> + Make sure that the directory <code class="filename">/var/spool/samba</code> is capable of being used + as intended. The following steps must be taken to achieve this: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The directory must be owned by the superuser (root) user and group: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>chown root.root /var/spool/samba</code></strong> +</pre><p> + </p></li><li><p> + Directory permissions should be set for public read-write with the + sticky bit set as shown: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>chmod a+twrx /var/spool/samba</code></strong> +</pre><p> + The purpose of setting the sticky bit is to prevent who does not own the temporary print file + from being able to take control of it with the potential for devious misuse. + </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id328993"></a> + <a class="indexterm" name="id329002"></a> + On CUPS-enabled systems there is a facility to pass raw data directly to the printer without + intermediate processing via CUPS print filters. Where use of this mode of operation is desired, + it is necessary to configure a raw printing device. It is also necessary to enable the raw mime + handler in the <code class="filename">/etc/mime.conv</code> and <code class="filename">/etc/mime.types</code> + files. Refer to <a href="CUPS-printing.html#cups-raw" title="Explicitly Enable “raw” Printing for application/octet-stream">???</a>. + </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329032"></a>Secure Read-Write File and Print Server</h4></div></div></div><p> + We progress now from simple systems to a server that is slightly more complex. + </p><p> + Our new server will require a public data storage area in which only authenticated + users (i.e., those with a local account) can store files, as well as a home directory. + There will be one printer that should be available for everyone to use. + </p><p> + In this hypothetical environment (no espionage was conducted to obtain this data), + the site is demanding a simple environment that is <span class="emphasis"><em>secure enough</em></span> + but not too difficult to use. + </p><p> + Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have + a password (not shown in further examples). Mary will be the printer administrator and will + own all files in the public share. + </p><p> + This configuration will be based on <span class="emphasis"><em>user-level security</em></span> that + is the default, and for which the default is to store Microsoft Windows-compatible + encrypted passwords in a file called <code class="filename">/etc/samba/smbpasswd</code>. + The default <code class="filename">smb.conf</code> entry that makes this happen is + <a class="indexterm" name="id329080"></a>passdb backend = smbpasswd, guest. Since this is the default, + it is not necessary to enter it into the configuration file. Note that the guest backend is + added to the list of active passdb backends no matter whether it specified directly in Samba configuration + file or not. + </p><div class="procedure"><a name="id329090"></a><p class="title"><b>Procedure 2.2. Installing the Secure Office Server</b></p><div class="example"><a name="OfficeServer"></a><p class="title"><b>Example 2.4. Secure Office Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id329193"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id329206"></a><em class="parameter"><code>netbios name = OLORIN</code></em></td></tr><tr><td><a class="indexterm" name="id329218"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id329231"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329243"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id329256"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id329278"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id329290"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id329303"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id329315"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id329337"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id329349"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id329362"></a><em class="parameter"><code>force user = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id329374"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id329387"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id329408"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id329421"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id329433"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id329446"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id329459"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329471"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329484"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329496"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> + <a class="indexterm" name="id329101"></a> + Add all users to the operating system: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Mary Orville" -m -g users -p secret maryo</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Amed Sehkah" -m -g users -p secret ameds</code></strong> +</pre><p> + </p></li><li><p> + Configure the Samba <code class="filename">smb.conf</code> file as shown in <a href="FastStart.html#OfficeServer" title="Example 2.4. Secure Office Server smb.conf">???</a>. + </p></li><li><p> + Initialize the Microsoft Windows password database with the new users: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a root</code></strong> +New SMB password: <strong class="userinput"><code>bigsecret</code></strong> +Reenter smb password: <strong class="userinput"><code>bigsecret</code></strong> +Added user root. + +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong> +New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong> +Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong> +Added user jackb. + +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a maryo</code></strong> +New SMB password: <strong class="userinput"><code>secret</code></strong> +Reenter smb password: <strong class="userinput"><code>secret</code></strong> +Added user maryo. + +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a ameds</code></strong> +New SMB password: <strong class="userinput"><code>mysecret</code></strong> +Reenter smb password: <strong class="userinput"><code>mysecret</code></strong> +Added user ameds. +</pre><p> + </p></li><li><p> + Install printer using the CUPS Web interface. Make certain that all + printers that will be shared with Microsoft Windows clients are installed + as raw printing devices. + </p></li><li><p> + Start Samba using the operating system administrative interface. + Alternately, this can be done manually by executing: + <a class="indexterm" name="id329628"></a> + <a class="indexterm" name="id329635"></a> + <a class="indexterm" name="id329642"></a> + <a class="indexterm" name="id329651"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code> nmbd; smbd;</code></strong> +</pre><p> + Both applications automatically execute as daemons. Those who are paranoid about + maintaining control can add the <code class="constant">-D</code> flag to coerce them to start + up in daemon mode. + </p></li><li><p> + Configure the <code class="filename">/export</code> directory: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.users /export</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chmod u=rwx,g=rwx,o-rwx /export</code></strong> +</pre><p> + </p></li><li><p> + Check that Samba is running correctly: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbclient -L localhost -U%</code></strong> +Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.20] + +Sharename Type Comment +--------- ---- ------- +public Disk Data +IPC$ IPC IPC Service (Samba-3.0.20) +ADMIN$ IPC IPC Service (Samba-3.0.20) +hplj4 Printer hplj4 + +Server Comment +--------- ------- +OLORIN Samba-3.0.20 + +Workgroup Master +--------- ------- +MIDEARTH OLORIN +</pre><p> + The following error message indicates that Samba was not running: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L olorin -U% +Error connecting to 192.168.1.40 (Connection refused) +Connection to olorin failed +</pre><p> + </p></li><li><p> + Connect to OLORIN as maryo: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbclient //olorin/maryo -Umaryo%secret</code></strong> +OS=[UNIX] Server=[Samba-3.0.20] +smb: \> <strong class="userinput"><code>dir</code></strong> +. D 0 Sat Jun 21 10:58:16 2003 +.. D 0 Sat Jun 21 10:54:32 2003 +Documents D 0 Fri Apr 25 13:23:58 2003 +DOCWORK D 0 Sat Jun 14 15:40:34 2003 +OpenOffice.org D 0 Fri Apr 25 13:55:16 2003 +.bashrc H 1286 Fri Apr 25 13:23:58 2003 +.netscape6 DH 0 Fri Apr 25 13:55:13 2003 +.mozilla DH 0 Wed Mar 5 11:50:50 2003 +.kermrc H 164 Fri Apr 25 13:23:58 2003 +.acrobat DH 0 Fri Apr 25 15:41:02 2003 + + 55817 blocks of size 524288. 34725 blocks available +smb: \> <strong class="userinput"><code>q</code></strong> +</pre><p> + </p></li></ol></div><p> + By now you should be getting the hang of configuration basics. Clearly, it is time to + explore slightly more complex examples. For the remainder of this chapter we abbreviate + instructions, since there are previous examples. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id329828"></a>Domain Member Server</h3></div></div></div><p> + <a class="indexterm" name="id329835"></a> + In this instance we consider the simplest server configuration we can get away with + to make an accounting department happy. Let's be warned, the users are accountants and they + do have some nasty demands. There is a budget for only one server for this department. + </p><p> + The network is managed by an internal Information Services Group (ISG), to which we belong. + Internal politics are typical of a medium-sized organization; Human Resources is of the + opinion that they run the ISG because they are always adding and disabling users. Also, + departmental managers have to fight tooth and nail to gain basic network resources access for + their staff. Accounting is different, though, they get exactly what they want. So this should + set the scene. + </p><p> + We use the users from the last example. The accounting department + has a general printer that all departmental users may use. There is also a check printer + that may be used only by the person who has authority to print checks. The chief financial + officer (CFO) wants that printer to be completely restricted and for it to be located in the + private storage area in her office. It therefore must be a network printer. + </p><p> + The accounting department uses an accounting application called <span class="emphasis"><em>SpytFull</em></span> + that must be run from a central application server. The software is licensed to run only off + one server, there are no workstation components, and it is run off a mapped share. The data + store is in a UNIX-based SQL backend. The UNIX gurus look after that, so this is not our + problem. + </p><p> + The accounting department manager (maryo) wants a general filing system as well as a separate + file storage area for form letters (nastygrams). The form letter area should be read-only to + all accounting staff except the manager. The general filing system has to have a structured + layout with a general area for all staff to store general documents as well as a separate + file area for each member of her team that is private to that person, but she wants full + access to all areas. Users must have a private home share for personal work-related files + and for materials not related to departmental operations. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329884"></a>Example Configuration</h4></div></div></div><p> + The server <span class="emphasis"><em>valinor</em></span> will be a member server of the company domain. + Accounting will have only a local server. User accounts will be on the domain controllers, + as will desktop profiles and all network policy files. + </p><div class="procedure"><div class="example"><a name="fast-member-server"></a><p class="title"><b>Example 2.5. Member Server smb.conf (Globals)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id329964"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id329977"></a><em class="parameter"><code>netbios name = VALINOR</code></em></td></tr><tr><td><a class="indexterm" name="id329989"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id330002"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id330014"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330027"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id330040"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id330052"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id330065"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330078"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="fast-memberserver-shares"></a><p class="title"><b>Example 2.6. Member Server smb.conf (Shares and Services)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id330115"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id330127"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id330140"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id330152"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[spytfull]</code></em></td></tr><tr><td><a class="indexterm" name="id330174"></a><em class="parameter"><code>comment = Accounting Application Only</code></em></td></tr><tr><td><a class="indexterm" name="id330187"></a><em class="parameter"><code>path = /export/spytfull</code></em></td></tr><tr><td><a class="indexterm" name="id330199"></a><em class="parameter"><code>valid users = @Accounts</code></em></td></tr><tr><td><a class="indexterm" name="id330212"></a><em class="parameter"><code>admin users = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id330224"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id330246"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id330258"></a><em class="parameter"><code>path = /export/public</code></em></td></tr><tr><td><a class="indexterm" name="id330271"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id330292"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id330305"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id330317"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id330330"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id330342"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330355"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330368"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330380"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> + Do not add users to the UNIX/Linux server; all of this will run off the + central domain. + </p></li><li><p> + Configure <code class="filename">smb.conf</code> according to <a href="FastStart.html#fast-member-server" title="Example 2.5. Member Server smb.conf (Globals)">Member server smb.conf + (globals)</a> and <a href="FastStart.html#fast-memberserver-shares" title="Example 2.6. Member Server smb.conf (Shares and Services)">Member server smb.conf (shares + and services)</a>. + </p></li><li><p> + <a class="indexterm" name="id330399"></a> + Join the domain. Note: Do not start Samba until this step has been completed! +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -Uroot%'bigsecret'</code></strong> +Joined domain MIDEARTH. +</pre><p> + </p></li><li><p> + Make absolutely certain that you disable (shut down) the <code class="literal">nscd</code> + daemon on any system on which <code class="literal">winbind</code> is configured to run. + </p></li><li><p> + Start Samba following the normal method for your operating system platform. + If you wish to do this manually, execute as root: + <a class="indexterm" name="id330453"></a> + <a class="indexterm" name="id330460"></a> + <a class="indexterm" name="id330466"></a> + <a class="indexterm" name="id330473"></a> + <a class="indexterm" name="id330482"></a> + <a class="indexterm" name="id330492"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>nmbd; smbd; winbindd;</code></strong> +</pre><p> + </p></li><li><p> + Configure the name service switch (NSS) control file on your system to resolve user and group names + via winbind. Edit the following lines in <code class="filename">/etc/nsswitch.conf</code>: +</p><pre class="programlisting"> +passwd: files winbind +group: files winbind +hosts: files dns winbind +</pre><p> + </p></li><li><p> + Set the password for <code class="literal">wbinfo</code> to use: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>wbinfo --set-auth-user=root%'bigsecret'</code></strong> +</pre><p> + </p></li><li><p> + Validate that domain user and group credentials can be correctly resolved by executing: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong> +MIDEARTH\maryo +MIDEARTH\jackb +MIDEARTH\ameds +... +MIDEARTH\root + +<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong> +MIDEARTH\Domain Users +MIDEARTH\Domain Admins +MIDEARTH\Domain Guests +... +MIDEARTH\Accounts +</pre><p> + </p></li><li><p> + Check that <code class="literal">winbind</code> is working. The following demonstrates correct + username resolution via the <code class="literal">getent</code> system utility: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>getent passwd maryo</code></strong> +maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false +</pre><p> + </p></li><li><p> + A final test that we have this under control might be reassuring: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>touch /export/a_file</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chown maryo /export/a_file</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>ls -al /export/a_file</code></strong> +... +-rw-r--r-- 1 maryo users 11234 Jun 21 15:32 a_file +... + +<code class="prompt">root# </code><strong class="userinput"><code>rm /export/a_file</code></strong> +</pre><p> + </p></li><li><p> + Configuration is now mostly complete, so this is an opportune time + to configure the directory structure for this site: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /export/{spytfull,public}</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chmod ug=rwxS,o=x /export/{spytfull,public}</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.Accounts /export/{spytfull,public}</code></strong> +</pre><p> + </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330741"></a>Domain Controller</h3></div></div></div><p> + <a class="indexterm" name="id330749"></a> + For the remainder of this chapter the focus is on the configuration of domain control. + The examples that follow are for two implementation strategies. Remember, our objective is + to create a simple but working solution. The remainder of this book should help to highlight + opportunity for greater functionality and the complexity that goes with it. + </p><p> + A domain controller configuration can be achieved with a simple configuration using the new + tdbsam password backend. This type of configuration is good for small + offices, but has limited scalability (cannot be replicated), and performance can be expected + to fall as the size and complexity of the domain increases. + </p><p> + The use of tdbsam is best limited to sites that do not need + more than a Primary Domain Controller (PDC). As the size of a domain grows the need + for additional domain controllers becomes apparent. Do not attempt to under-resource + a Microsoft Windows network environment; domain controllers provide essential + authentication services. The following are symptoms of an under-resourced domain control + environment: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Domain logons intermittently fail. + </p></li><li><p> + File access on a domain member server intermittently fails, giving a permission denied + error message. + </p></li></ul></div><p> + A more scalable domain control authentication backend option might use + Microsoft Active Directory or an LDAP-based backend. Samba-3 provides + for both options as a domain member server. As a PDC, Samba-3 is not able to provide + an exact alternative to the functionality that is available with Active Directory. + Samba-3 can provide a scalable LDAP-based PDC/BDC solution. + </p><p> + The tdbsam authentication backend provides no facility to replicate + the contents of the database, except by external means (i.e., there is no self-contained protocol + in Samba-3 for Security Account Manager database [SAM] replication). + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + If you need more than one domain controller, do not use a tdbsam authentication backend. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id330805"></a>Example: Engineering Office</h4></div></div></div><p> + The engineering office network server we present here is designed to demonstrate use + of the new tdbsam password backend. The tdbsam + facility is new to Samba-3. It is designed to provide many user and machine account controls + that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks. + </p><div class="procedure"><div class="example"><a name="fast-engoffice-global"></a><p class="title"><b>Example 2.7. Engineering Office smb.conf (globals)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id330873"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id330885"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id330898"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id330910"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id330923"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m %u</code></em></td></tr><tr><td><a class="indexterm" name="id330936"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r %u</code></em></td></tr><tr><td><a class="indexterm" name="id330948"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd %g</code></em></td></tr><tr><td><a class="indexterm" name="id330961"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel %g</code></em></td></tr><tr><td><a class="indexterm" name="id330974"></a><em class="parameter"><code>add user to group script = /usr/sbin/groupmod -A %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id330987"></a><em class="parameter"><code>delete user from group script = /usr/sbin/groupmod -R %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id331000"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u</code></em></td></tr><tr><td># Note: The following specifies the default logon script.</td></tr><tr><td># Per user logon scripts can be specified in the user account using pdbedit </td></tr><tr><td><a class="indexterm" name="id331021"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td># This sets the default profile path. Set per user paths with pdbedit</td></tr><tr><td><a class="indexterm" name="id331037"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id331050"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id331063"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id331075"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331088"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id331100"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331113"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331125"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id331138"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id331150"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="fast-engoffice-shares"></a><p class="title"><b>Example 2.8. Engineering Office smb.conf (shares and services)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id331187"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id331200"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id331212"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id331225"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># Printing auto-share (makes printers available thru CUPS)</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id331250"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id331263"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id331275"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id331288"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id331301"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331313"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331326"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id331347"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id331360"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id331372"></a><em class="parameter"><code>write list = maryo, root</code></em></td></tr><tr><td><a class="indexterm" name="id331385"></a><em class="parameter"><code>printer admin = maryo, root</code></em></td></tr><tr><td># Needed to support domain logons</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id331410"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id331423"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id331436"></a><em class="parameter"><code>admin users = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id331448"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331461"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># For profiles to work, create a user directory under the path</td></tr><tr><td># shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[Profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id331490"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id331503"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id331515"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id331528"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td># Other resource (share/printer) definitions would follow below.</td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> + A working PDC configuration using the tdbsam + password backend can be found in <a href="FastStart.html#fast-engoffice-global" title="Example 2.7. Engineering Office smb.conf (globals)">Engineering Office smb.conf + (globals)</a> together with <a href="FastStart.html#fast-engoffice-shares" title="Example 2.8. Engineering Office smb.conf (shares and services)">Engineering Office smb.conf + (shares and services)</a>: + <a class="indexterm" name="id330842"></a> + </p></li><li><p> + Create UNIX group accounts as needed using a suitable operating system tool: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>groupadd ntadmins</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>groupadd designers</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>groupadd engineers</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>groupadd qateam</code></strong> +</pre><p> + </p></li><li><p> + Create user accounts on the system using the appropriate tool + provided with the operating system. Make sure all user home directories + are created also. Add users to groups as required for access control + on files, directories, printers, and as required for use in the Samba + environment. + </p></li><li><p> + <a class="indexterm" name="id331614"></a> + <a class="indexterm" name="id331623"></a> + Assign each of the UNIX groups to NT groups by executing this shell script + (You could name the script <code class="filename">initGroups.sh</code>): +</p><pre class="screen"> +#!/bin/bash +#### Keep this as a shell script for future re-use + +# First assign well known groups +net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d +net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type= +net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d + +# Now for our added Domain Groups +net groupmap add ntgroup="Designers" unixgroup=designers type=d +net groupmap add ntgroup="Engineers" unixgroup=engineers type=d +net groupmap add ntgroup="QA Team" unixgroup=qateam type=d +</pre><p> + </p></li><li><p> + Create the <code class="filename">scripts</code> directory for use in the + <em class="parameter"><code>[NETLOGON]</code></em> share: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /var/lib/samba/netlogon/scripts</code></strong> +</pre><p> + Place the logon scripts that will be used (batch or cmd scripts) + in this directory. + </p></li></ol></div><p> + The above configuration provides a functional PDC + system to which must be added file shares and printers as required. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id331691"></a>A Big Organization</h4></div></div></div><p> + In this section we finally get to review in brief a Samba-3 configuration that + uses a Lightweight Directory Access (LDAP)-based authentication backend. The + main reasons for this choice are to provide the ability to host primary + and Backup Domain Control (BDC), as well as to enable a higher degree of + scalability to meet the needs of a very distributed environment. + </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id331703"></a>The Primary Domain Controller</h5></div></div></div><p> + This is an example of a minimal configuration to run a Samba-3 PDC + using an LDAP authentication backend. It is assumed that the operating system + has been correctly configured. + </p><p> + The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or + SambaSamAccounts. The Idealx scripts may be downloaded from the <a href="http://www.idealx.org" target="_top"> + Idealx</a> Web site. They may also be obtained from the Samba tarball. Linux + distributions tend to install the Idealx scripts in the + <code class="filename">/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</code> directory. + Idealx scripts version <code class="constant">smbldap-tools-0.9.1</code> are known to work well. + </p><div class="procedure"><div class="example"><a name="fast-ldap"></a><p class="title"><b>Example 2.9. LDAP backend smb.conf for PDC</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id331919"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id331932"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id331944"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id331957"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id331970"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id331982"></a><em class="parameter"><code>add user script = /usr/local/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id331995"></a><em class="parameter"><code>delete user script = /usr/local/sbin/smbldap-userdel %u</code></em></td></tr><tr><td><a class="indexterm" name="id332008"></a><em class="parameter"><code>add group script = /usr/local/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id332021"></a><em class="parameter"><code>delete group script = /usr/local/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id332034"></a><em class="parameter"><code>add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id332047"></a><em class="parameter"><code>delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id332060"></a><em class="parameter"><code>set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id332074"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id332086"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id332099"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id332112"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id332124"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id332137"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332149"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id332162"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332174"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332187"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id332200"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332212"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332225"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332238"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332250"></a><em class="parameter"><code>ldap admin dn = cn=Manager</code></em></td></tr><tr><td><a class="indexterm" name="id332263"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id332276"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332288"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id332301"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id332313"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> + Obtain from the Samba sources <code class="filename">~/examples/LDAP/samba.schema</code> + and copy it to the <code class="filename">/etc/openldap/schema/</code> directory. + </p></li><li><p> + Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x. + The <code class="filename">/etc/openldap/slapd.conf</code> file. + <a class="indexterm" name="id331769"></a> +<font color="red"><title>Example slapd.conf File</title></font> +</p><pre class="screen"> +# Note commented out lines have been removed +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +database bdb +suffix "dc=quenya,dc=org" +rootdn "cn=Manager,dc=quenya,dc=org" +rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P +# The password for the above is 'nastyon3' + +directory /var/lib/ldap + +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUid eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre><p> + </p></li><li><p> + Create the following file <code class="filename">initdb.ldif</code>: + <a class="indexterm" name="id331807"></a> +</p><pre class="programlisting"> +# Organization for SambaXP Demo +dn: dc=quenya,dc=org +objectclass: dcObject +objectclass: organization +dc: quenya +o: SambaXP Demo +description: The SambaXP Demo LDAP Tree + +# Organizational Role for Directory Management +dn: cn=Manager,dc=quenya,dc=org +objectclass: organizationalRole +cn: Manager +description: Directory Manager + +# Setting up the container for users +dn: ou=People, dc=quenya, dc=org +objectclass: top +objectclass: organizationalUnit +ou: People + +# Set up an admin handle for People OU +dn: cn=admin, ou=People, dc=quenya, dc=org +cn: admin +objectclass: top +objectclass: organizationalRole +objectclass: simpleSecurityObject +userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb +# The password for above is 'mordonL8' +</pre><p> + </p></li><li><p> + Load the initial data above into the LDAP database: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>slapadd -v -l initdb.ldif</code></strong> +</pre><p> + </p></li><li><p> + Start the LDAP server using the appropriate tool or method for + the operating system platform on which it is installed. + </p></li><li><p> + Install the Idealx script files in the <code class="filename">/usr/local/sbin</code> directory, + then configure the smbldap_conf.pm file to match your system configuration. + </p></li><li><p> + The <code class="filename">smb.conf</code> file that drives this backend can be found in example <a href="FastStart.html#fast-ldap" title="Example 2.9. LDAP backend smb.conf for PDC">LDAP backend smb.conf for PDC</a>. Add additional stanzas + as required. + </p></li><li><p> + Add the LDAP password to the <code class="filename">secrets.tdb</code> file so Samba can update + the LDAP database: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -w mordonL8</code></strong> +</pre><p> + </p></li><li><p> + Add users and groups as required. Users and groups added using Samba tools + will automatically be added to both the LDAP backend and the operating + system as required. + </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id332366"></a>Backup Domain Controller</h5></div></div></div><p> + <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">???</a> shows the example configuration for the BDC. Note that + the <code class="filename">smb.conf</code> file does not specify the smbldap-tools scripts they are + not needed on a BDC. Add additional stanzas for shares and printers as required. + </p><div class="procedure"><div class="example"><a name="fast-bdc"></a><p class="title"><b>Example 2.10. Remote LDAP BDC smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id332441"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id332454"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id332466"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://frodo.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id332479"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id332492"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id332504"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id332517"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id332530"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id332542"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id332555"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332567"></a><em class="parameter"><code>os level = 33</code></em></td></tr><tr><td><a class="indexterm" name="id332580"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332592"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id332605"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id332617"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332630"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332643"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332655"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id332668"></a><em class="parameter"><code>ldap admin dn = cn=Manager</code></em></td></tr><tr><td><a class="indexterm" name="id332681"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id332693"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332706"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id332718"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id332731"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> + Decide if the BDC should have its own LDAP server or not. If the BDC is to be + the LDAP server, change the following <code class="filename">smb.conf</code> as indicated. The default + configuration in <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">Remote LDAP BDC smb.conf</a> + uses a central LDAP server. + </p></li><li><p> + Configure the NETLOGON and PROFILES directory as for the PDC in <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">???</a>. + </p></li></ol></div></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html b/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html new file mode 100644 index 0000000000..b75bd7872d --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html @@ -0,0 +1,398 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:mimir@samba.org">mimir@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id388758">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id389083">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id390117">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id390128">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id390165">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id388548"></a> +<a class="indexterm" name="id388555"></a> +<a class="indexterm" name="id388562"></a> +<a class="indexterm" name="id388569"></a> +<a class="indexterm" name="id388576"></a> +<a class="indexterm" name="id388582"></a> +<a class="indexterm" name="id388589"></a> +<a class="indexterm" name="id388596"></a> +<a class="indexterm" name="id388603"></a> +Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites +will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to +adopt Active Directory or an LDAP-based authentication backend. This chapter explains +some background information regarding trust relationships and how to create them. It is now +possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba +trusts. +</p><p> +<a class="indexterm" name="id388616"></a> +<a class="indexterm" name="id388623"></a> +<a class="indexterm" name="id388630"></a> +<a class="indexterm" name="id388637"></a> +<a class="indexterm" name="id388644"></a> +The use of interdomain trusts requires use of <code class="literal">winbind</code>, so the +<code class="literal">winbindd</code> daemon must be running. Winbind operation in this mode is +dependent on the specification of a valid UID range and a valid GID range in the <code class="filename">smb.conf</code> file. +These are specified respectively using: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id388676"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id388688"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p> +<a class="indexterm" name="id388701"></a> +<a class="indexterm" name="id388708"></a> +<a class="indexterm" name="id388714"></a> +<a class="indexterm" name="id388721"></a> +The range of values specified must not overlap values used by the host operating system and must +not overlap values used in the passdb backend for POSIX user accounts. The maximum value is +limited by the upper-most value permitted by the host operating system. This is a UNIX kernel +limited parameter. Linux kernel 2.6-based systems support a maximum value of 4294967295 +(32-bit unsigned variable). +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id388736"></a> +<a class="indexterm" name="id388743"></a> +<a class="indexterm" name="id388749"></a> +The use of winbind is necessary only when Samba is the trusting domain, not when it is the +trusted domain. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388758"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id388766"></a> +<a class="indexterm" name="id388773"></a> +Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style +trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4. +</p><p> +<a class="indexterm" name="id388784"></a> +<a class="indexterm" name="id388791"></a> +<a class="indexterm" name="id388798"></a> +<a class="indexterm" name="id388805"></a> +<a class="indexterm" name="id388812"></a> +Given that Samba-3 can function with a scalable backend authentication database such as LDAP, and given its +ability to run in primary as well as backup domain control modes, the administrator would be well-advised to +consider alternatives to the use of interdomain trusts simply because, by the very nature of how trusts +function, this system is fragile. That was, after all, a key reason for the development and adoption of +Microsoft Active Directory. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388824"></a>Trust Relationship Background</h2></div></div></div><p> +<a class="indexterm" name="id388832"></a> +<a class="indexterm" name="id388839"></a> +<a class="indexterm" name="id388846"></a> +<a class="indexterm" name="id388852"></a> +<a class="indexterm" name="id388859"></a> +<a class="indexterm" name="id388866"></a> +MS Windows NT3/4-type security domains employ a nonhierarchical security structure. +The limitations of this architecture as it effects the scalability of MS Windows networking +in large organizations is well known. Additionally, the flat namespace that results from +this design significantly impacts the delegation of administrative responsibilities in +large and diverse organizations. +</p><p> +<a class="indexterm" name="id388880"></a> +<a class="indexterm" name="id388886"></a> +<a class="indexterm" name="id388893"></a> +<a class="indexterm" name="id388900"></a> +<a class="indexterm" name="id388906"></a> +Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means +of circumventing the limitations of the older technologies. Not every organization is ready +or willing to embrace ADS. For small companies the older NT4-style domain security paradigm +is quite adequate, and so there remains an entrenched user base for whom there is no direct +desire to go through a disruptive change to adopt ADS. +</p><p> +<a class="indexterm" name="id388920"></a> +<a class="indexterm" name="id388927"></a> +<a class="indexterm" name="id388934"></a> +<a class="indexterm" name="id388940"></a> +<a class="indexterm" name="id388947"></a> +<a class="indexterm" name="id388954"></a> +<a class="indexterm" name="id388961"></a> +With Windows NT, Microsoft introduced the ability to allow different security domains +to effect a mechanism so users from one domain may be given access rights and privileges +in another domain. The language that describes this capability is couched in terms of +<span class="emphasis"><em>trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users +from another domain. The domain from which users can access another security domain is +said to be a trusted domain. The domain in which those users have assigned rights and privileges +is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, +so if users in both domains are to have privileges and rights in each others' domain, then it is +necessary to establish two relationships, one in each direction. +</p><p> +<a class="indexterm" name="id388984"></a> +<a class="indexterm" name="id388991"></a> +<a class="indexterm" name="id388998"></a> +<a class="indexterm" name="id389005"></a> +<a class="indexterm" name="id389012"></a> +Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three +domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and +blue have a trust relationship, then it holds that there is no implied trust between the red and blue domains. +Relationships are explicit and not transitive. +</p><p> +<a class="indexterm" name="id389025"></a> +<a class="indexterm" name="id389031"></a> +<a class="indexterm" name="id389038"></a> +<a class="indexterm" name="id389045"></a> +<a class="indexterm" name="id389052"></a> +<a class="indexterm" name="id389059"></a> +<a class="indexterm" name="id389065"></a> +New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default. +Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with +Windows 2000 and ADS, the red and blue domains can trust each other. This is an inherent feature of ADS +domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS +security domains in similar manner to MS Windows NT4-style domains. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389083"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p> +<a class="indexterm" name="id389091"></a> +<a class="indexterm" name="id389100"></a> +<a class="indexterm" name="id389107"></a> +There are two steps to creating an interdomain trust relationship. To effect a two-way trust +relationship, it is necessary for each domain administrator to create a trust account for the +other domain to use in verifying security credentials. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389117"></a>Creating an NT4 Domain Trust</h3></div></div></div><p> +<a class="indexterm" name="id389125"></a> +<a class="indexterm" name="id389131"></a> +<a class="indexterm" name="id389138"></a> +<a class="indexterm" name="id389145"></a> +<a class="indexterm" name="id389152"></a> +For MS Windows NT4, all domain trust relationships are configured using the +<span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies +entry on the menu bar. From the <span class="guimenu">Policy</span> menu, select +<span class="guimenuitem">Trust Relationships</span>. Next to the lower box labeled +<span class="guilabel">Permitted to Trust this Domain</span> are two buttons, <span class="guibutton">Add</span> +and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span> button will open a panel in which +to enter the name of the remote domain that will be able to assign access rights to users in +your domain. You will also need to enter a password for this trust relationship, which the +trusting domain will use when authenticating users from the trusted domain. +The password needs to be typed twice (for standard confirmation). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389207"></a>Completing an NT4 Domain Trust</h3></div></div></div><p> +<a class="indexterm" name="id389215"></a> +<a class="indexterm" name="id389222"></a> +<a class="indexterm" name="id389228"></a> +<a class="indexterm" name="id389235"></a> +<a class="indexterm" name="id389242"></a> +<a class="indexterm" name="id389249"></a> +A trust relationship will work only when the other (trusting) domain makes the appropriate connections +with the trusted domain. To consummate the trust relationship, the administrator launches the +Domain User Manager from the menu selects <span class="guilabel">Policies</span>, then select +<span class="guilabel">Trust Relationships</span>, and clicks on the <span class="guibutton">Add</span> button +next to the box that is labeled <span class="guilabel">Trusted Domains</span>. A panel opens in which +must be entered the name of the remote domain as well as the password assigned to that trust. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389287"></a>Interdomain Trust Facilities</h3></div></div></div><p> +<a class="indexterm" name="id389295"></a> +<a class="indexterm" name="id389302"></a> +<a class="indexterm" name="id389309"></a> +<a class="indexterm" name="id389315"></a> +<a class="indexterm" name="id389322"></a> +<a class="indexterm" name="id389329"></a> +A two-way trust relationship is created when two one-way trusts are created, one in each direction. +Where a one-way trust has been established between two MS Windows NT4 domains (let's call them +DomA and DomB), the following facilities are created: +</p><div class="figure"><a name="trusts1"></a><p class="title"><b>Figure 19.1. Trusts overview.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/trusts1.png" alt="Trusts overview."></div></div></div><br class="figure-break"><div class="itemizedlist"><ul type="disc"><li><p> + DomA (completes the trust connection) <em class="parameter"><code>Trusts</code></em> DomB. + </p></li><li><p> + DomA is the <em class="parameter"><code>Trusting</code></em> domain. + </p></li><li><p> + DomB is the <em class="parameter"><code>Trusted</code></em> domain (originates the trust account). + </p></li><li><p> + Users in DomB can access resources in DomA. + </p></li><li><p> + Users in DomA cannot access resources in DomB. + </p></li><li><p> + Global groups from DomB can be used in DomA. + </p></li><li><p> + Global groups from DomA cannot be used in DomB. + </p></li><li><p> + DomB does appear in the logon dialog box on client workstations in DomA. + </p></li><li><p> + DomA does not appear in the logon dialog box on client workstations in DomB. + </p></li></ul></div><div class="itemizedlist"><ul type="disc"><li><p> + Users and groups in a trusting domain cannot be granted rights, permissions, or access + to a trusted domain. + </p></li><li><p> + The trusting domain can access and use accounts (users/global groups) in the + trusted domain. + </p></li><li><p> + Administrators of the trusted domain can be granted administrative rights in the + trusting domain. + </p></li><li><p> + Users in a trusted domain can be given rights and privileges in the trusting + domain. + </p></li><li><p> + Trusted domain global groups can be given rights and permissions in the trusting + domain. + </p></li><li><p> + Global groups from the trusted domain can be made members in local groups on + MS Windows domain member machines. + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389483"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p> +<a class="indexterm" name="id389491"></a> +This description is meant to be a fairly short introduction about how to set up a Samba server so +that it can participate in interdomain trust relationships. Trust relationship support in Samba +is at an early stage, so do not be surprised if something does not function as it should. +</p><p> +<a class="indexterm" name="id389504"></a> +<a class="indexterm" name="id389511"></a> +<a class="indexterm" name="id389517"></a> +<a class="indexterm" name="id389524"></a> +Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a +Windows NT4 server. However, the remote end could just as well be another Samba-3 domain. It can be clearly +seen, after reading this document, that combining Samba-specific parts of what's written in the following +sections leads to trust between domains in a purely Samba environment. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div></div><p> +<a class="indexterm" name="id389547"></a> +<a class="indexterm" name="id389554"></a> +<a class="indexterm" name="id389560"></a> +<a class="indexterm" name="id389567"></a> +<a class="indexterm" name="id389574"></a> +In order to set the Samba PDC to be the trusted party of the relationship, you first need +to create a special account for the domain that will be the trusting party. To do that, +you can use the <code class="literal">smbpasswd</code> utility. Creating the trusted domain account is +similar to creating a trusted machine account. Suppose, your domain is +called SAMBA, and the remote domain is called RUMBA. The first step +will be to issue this command from your favorite shell: +</p><p> +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>smbpasswd -a -i rumba</code></strong> +New SMB password: <strong class="userinput"><code>XXXXXXXX</code></strong> +Retype SMB password: <strong class="userinput"><code>XXXXXXXX</code></strong> +Added user rumba$ +</pre><p> + +where <code class="option">-a</code> means to add a new account into the +passdb database and <code class="option">-i</code> means to “<span class="quote">create this +account with the Interdomain trust flag</span>”. +</p><p> +<a class="indexterm" name="id389637"></a> +<a class="indexterm" name="id389644"></a> +<a class="indexterm" name="id389651"></a> +<a class="indexterm" name="id389657"></a> +The account name will be “<span class="quote">rumba$</span>” (the name of the remote domain). +If this fails, you should check that the trust account has been added to the system +password database (<code class="filename">/etc/passwd</code>). If it has not been added, you +can add it manually and then repeat the previous step. +</p><p> +<a class="indexterm" name="id389679"></a> +<a class="indexterm" name="id389686"></a> +<a class="indexterm" name="id389693"></a> +<a class="indexterm" name="id389700"></a> +After issuing this command, you will be asked to enter the password for the account. You can use any password +you want, but be aware that Windows NT will not change this password until 7 days following account creation. +After the command returns successfully, you can look at the entry for the new account (in the standard way as +appropriate for your configuration) and see that the account's name is really RUMBA$ and it has the +“<span class="quote">I</span>” flag set in the flags field. Now you are ready to confirm the trust by establishing it from +Windows NT Server. +</p><p> +<a class="indexterm" name="id389718"></a> +<a class="indexterm" name="id389724"></a> +<a class="indexterm" name="id389731"></a> +<a class="indexterm" name="id389738"></a> +<a class="indexterm" name="id389745"></a> +Open <span class="application">User Manager for Domains</span> and from the <span class="guimenu">Policies</span> menu, select +<span class="guimenuitem">Trust Relationships...</span>. Beside the <span class="guilabel">Trusted domains</span> list box, +click the <span class="guimenu">Add...</span> button. You will be prompted for the trusted domain name and the +relationship password. Type in SAMBA, as this is the name of the remote domain and the password used at the +time of account creation. Click on <span class="guibutton">OK</span> and, if everything went without incident, you +will see the <code class="computeroutput">Trusted domain relationship successfully established</code> message. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id389798"></a>Samba as the Trusting Domain</h3></div></div></div><p> +<a class="indexterm" name="id389806"></a> +<a class="indexterm" name="id389813"></a> +This time activities are somewhat reversed. Again, we'll assume that your domain +controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA. +</p><p> +The very first step is to add an account for the SAMBA domain on RUMBA's PDC. +</p><p> +<a class="indexterm" name="id389828"></a> +<a class="indexterm" name="id389835"></a> +<a class="indexterm" name="id389842"></a> +Launch the <span class="application">Domain User Manager</span>, then from the menu select +<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>. +Now, next to the <span class="guilabel">Trusting Domains</span> box, press the <span class="guibutton">Add</span> +button and type in the name of the trusted domain (SAMBA) and the password to use in securing +the relationship. +</p><p> +<a class="indexterm" name="id389882"></a> +<a class="indexterm" name="id389889"></a> +The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you +want. After you confirm the password, your account is ready for use. Now its Samba's turn. +</p><p> +Using your favorite shell while logged in as root, issue this command: +<a class="indexterm" name="id389902"></a> +</p><p> +<code class="prompt">root# </code><strong class="userinput"><code>net rpc trustdom establish rumba</code></strong> +</p><p> +<a class="indexterm" name="id389930"></a> +<a class="indexterm" name="id389937"></a> +<a class="indexterm" name="id389944"></a> +You will be prompted for the password you just typed on your Windows NT4 Server box. +An error message, <code class="literal">"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</code> +that may be reported periodically is of no concern and may safely be ignored. +It means the password you gave is correct and the NT4 server says the account is ready for +interdomain connection and not for ordinary connection. After that, be patient; +it can take a while (especially in large networks), but eventually you should see +the <code class="literal">Success</code> message. Congratulations! Your trust +relationship has just been established. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +You have to run this command as root because you must have write access to +the <code class="filename">secrets.tdb</code> file. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389981"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p> +<a class="indexterm" name="id389989"></a> +<a class="indexterm" name="id389996"></a> +<a class="indexterm" name="id390003"></a> +<a class="indexterm" name="id390010"></a> +Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is +also possible to establish an NT4-style trust relationship with a Windows 2000 domain +controller running in mixed mode as the trusting server. It should also be possible for +Samba to trust a Windows 2000 server; however, more testing is still needed in this area. +</p><p> +<a class="indexterm" name="id390028"></a> +<a class="indexterm" name="id390035"></a> +<a class="indexterm" name="id390042"></a> +<a class="indexterm" name="id390049"></a> +After <a href="InterdomainTrusts.html#samba-trusted-domain" title="Samba as the Trusted Domain">creating the interdomain trust account on the Samba server</a> +as described previously, open <span class="application">Active Directory Domains and Trusts</span> on the AD +controller of the domain whose resources you wish Samba users to have access to. Remember that since NT4-style +trusts are not transitive, if you want your users to have access to multiple mixed-mode domains in your AD +forest, you will need to repeat this process for each of those domains. With <span class="application">Active Directory +domains and trusts</span> open, right-click on the name of the Active Directory domain that will trust +our Samba domain and choose <span class="guimenuitem">Properties</span>, then click on the +<span class="guilabel">Trusts</span> tab. In the upper part of the panel, you will see a list box labeled +<span class="guilabel">Domains trusted by this domain:</span> and an <span class="guilabel">Add...</span> button next to it. +Press this button and, just as with NT4, you will be prompted for the trusted domain name and the relationship +password. Press <span class="emphasis"><em>OK</em></span> and after a moment, Active Directory will respond with +<code class="computeroutput">The trusted domain has been added and the trust has been verified.</code> Your +Samba users can now be granted access to resources in the AD domain. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id390117"></a>Common Errors</h2></div></div></div><p> +Interdomain trust relationships should not be attempted on networks that are unstable +or that suffer regular outages. Network stability and integrity are key concerns with +distributed trusted domains. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id390128"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p> +<span class="emphasis"><em>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of +a trusting Samba domain, I get the following error:</em></span> +</p><pre class="screen"> +The system detected a possible attempt to compromise security. Please +ensure that you can contact the server that authenticated you. +</pre><p> +</p><p> +<span class="emphasis"><em>The event logs on the box I'm trying to connect to have entries regarding group +policy not being applied because it is a member of a down-level domain.</em></span> +</p><p>If there is a computer account in the Windows +200x domain for the machine in question, and it is disabled, this problem can +occur. If there is no computer account (removed or never existed), or if that +account is still intact (i.e., you just joined it to another domain), everything +seems to be fine. By default, when you unjoin a domain (the Windows 200x +domain), the computer tries to automatically disable the computer account in +the domain. If you are running as an account that has privileges to do this +when you unjoin the machine, it is done; otherwise it is not done. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id390165"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p> +If you use the <code class="literal">smbldap-useradd</code> script to create a trust +account to set up interdomain trusts, the process of setting up the trust will +fail. The account that was created in the LDAP database will have an account +flags field that has <code class="literal">[W ]</code>, when it must have +<code class="literal">[I ]</code> for interdomain trusts to work. +</p><p>Here is a simple solution. +Create a machine account as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbldap-useradd -w domain_name +</pre><p> +Then set the desired trust account password as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> smbldap-passwd domain_name\$ +</pre><p> +Using a text editor, create the following file: +</p><pre class="screen"> +dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain} +changetype: modify +sambaAcctFlags: [I ] +</pre><p> +Then apply the text file to the LDAP database as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> ldapmodify -x -h localhost \ + -D "cn=Manager,dc={your-domain},dc={your-top-level-domain}" \ + -W -f /path-to/foobar +</pre><p> +Create a single-sided trust under the NT4 Domain User Manager, then execute: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom establish domain_name +</pre><p> +</p><p> +It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode. +Both domain controllers, Samba and NT must have the same WINS server; otherwise, +the trust will never work. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 18. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 20. Hosting a Microsoft Distributed File System Tree</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/IntroSMB.html b/docs/htmldocs/Samba3-HOWTO/IntroSMB.html new file mode 100644 index 0000000000..3b331099cc --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/IntroSMB.html @@ -0,0 +1,134 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Introduction</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="TOSHpreface.html" title="Preface"><link rel="next" href="introduction.html" title="Part I. General Installation"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Introduction</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="TOSHpreface.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Introduction</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">June 29, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="IntroSMB.html#id325287">What Is Samba?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id325330">Why This Book?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id325410">Book Structure and Layout</a></span></dt></dl></div><p>“<span class="quote"> +A man's gift makes room for him before great men. Gifts are like hooks that can catch +hold of the mind taking it beyond the reach of forces that otherwise might constrain it. +</span>” --- Anon. +</p><p> +This is a book about Samba. It is a tool, a derived work of the labors +of many and of the diligence and goodwill of more than a few. +This book contains material that has been contributed in a persistent belief +that each of us can add value to our neighbors as well as to those who will +follow us. +</p><p> +This book is designed to meet the needs of the Microsoft network administrator. +UNIX administrators will benefit from this book also, though they may complain +that it is hard to find the information they think they need. So if you are a +Microsoft certified specialist, this book should meet your needs rather well. +If you are a UNIX or Linux administrator, there is no need to feel badly you +should have no difficulty finding answers to your current concerns also. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325287"></a>What Is Samba?</h2></div></div></div><p> + Samba is a big, complex project. The Samba project is ambitious and exciting. + The team behind Samba is a group of some thirty individuals who are spread + the world over and come from an interesting range of backgrounds. This team + includes scientists, engineers, programmers, business people, and students. + </p><p> + Team members were drawn into active participation through the desire to help + deliver an exciting level of transparent interoperability between Microsoft + Windows and the non-Microsoft information + technology world. + </p><p> + The slogan that unites the efforts behind the Samba project says: + <span class="emphasis"><em>Samba, Opening Windows to a Wider World!</em></span> The goal + behind the project is one of removing barriers to interoperability. + </p><p> + Samba provides file and print services for Microsoft Windows clients. These + services may be hosted off any TCP/IP-enabled platform. The original deployment + platforms were UNIX and Linux, though today it is in common use across + a broad variety of systems. + </p><p> + The Samba project includes not only an impressive feature set in file and print + serving capabilities, but has been extended to include client functionality, + utilities to ease migration to Samba, tools to aid interoperability with + Microsoft Windows, and administration tools. + </p><p> + The real people behind Samba are users like you. You have inspired the + developers (the Samba Team) to do more than any of them imagined could or should + be done. User feedback drives Samba development. Samba-3 in particular incorporates + a huge amount of work done as a result of user requests, suggestions and direct + code contributions. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325330"></a>Why This Book?</h2></div></div></div><p> + There is admittedly a large number of Samba books on the market today and + each book has its place. Despite the apparent plethora of books, Samba + as a project continues to receive much criticism for failing to provide + sufficient documentation. Samba is also criticized for being too complex + and too difficult to configure. In many ways this is evidence of the + success of Samba as there would be no complaints if it was not successful. + </p><p> + The Samba Team members work predominantly with UNIX and Linux, so + it is hardly surprising that existing Samba documentation should reflect + that orientation. The original HOWTO text documents were intended to provide + some tips, a few golden nuggets, and if they helped anyone then that was + just wonderful. But the HOWTO documents lacked structure and context. They were + isolated snapshots of information that were written to pass information + on to someone else who might benefit. They reflected a need to transmit + more information that could be conveniently put into manual pages. + </p><p> + The original HOWTO documents were written by different authors. Most HOWTO + documents are the result of feedback and contributions from numerous + authors. In this book we took care to preserve as much original content as + possible. As you read this book you will note that chapters were written by + multiple authors, each of whom has his own style. This demonstrates + the nature of the Open Source software development process. + </p><p> + Out of the original HOWTO documents sprang a collection of unofficial + HOWTO documents that are spread over the Internet. It is sincerely intended + that this work will <span class="emphasis"><em>not</em></span> replace the valuable unofficial + HOWTO work that continues to flourish. If you are involved in unofficial + HOWTO production then please continue your work! + </p><p> + Those of you who have dedicated your labors to the production of unofficial + HOWTOs, to Web page information regarding Samba, or to answering questions + on the mailing lists or elsewhere, may be aware that this is a labor + of love. We would like to know about your contribution and willingly receive + the precious pearls of wisdom you have collected. Please email your contribution to + <a href="mailto:jht@samba.org" target="_top">John H. Terpstra (jht@samba.org)</a>. + As a service to other users we will gladly adopt material that is technically accurate. + </p><p> + Existing Samba books are largely addressed to the UNIX administrator. + From the perspective of this target group the existing books serve + an adequate purpose, with one exception now that Samba-3 is out + they need to be updated! + </p><p> + This book, the <span class="emphasis"><em>Official Samba-3 HOWTO and Reference Guide</em></span>, + includes the Samba-HOWTO-Collection.pdf that ships with Samba. + These documents have been written with a new design intent and purpose. + </p><p> + Over the past two years many Microsoft network administrators have adopted + Samba and have become interested in its deployment. Their information needs + are very different from that of the UNIX administrator. This book has been + arranged and the information presented from the perspective of someone with previous + Microsoft Windows network administrative training and experience. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325410"></a>Book Structure and Layout</h2></div></div></div><p> + This book is presented in six parts: + </p><div class="variablelist"><dl><dt><span class="term">General Installation</span></dt><dd><p> + Designed to help you get Samba-3 running quickly. + The Fast Start chapter is a direct response to requests from + Microsoft network administrators for some sample configurations + that <span class="emphasis"><em>just work</em></span>. + </p></dd><dt><span class="term">Server Configuration Basics</span></dt><dd><p> + The purpose of this section is to aid the transition from existing + Microsoft Windows network knowledge to Samba terminology and norms. + The chapters in this part each cover the installation of one type of + Samba server. + </p></dd><dt><span class="term">Advanced Configuration</span></dt><dd><p> + The mechanics of network browsing have long been the Achilles heel of + all Microsoft Windows users. Samba-3 introduces new user and machine + account management facilities, a new way to map UNIX groups and Windows + groups, Interdomain trusts, new loadable file system drivers (VFS), and + more. New with this document is expanded printing documentation, as well + as a wealth of information regarding desktop and user policy handling, + use of desktop profiles, and techniques for enhanced network integration. + This section makes up the core of the book. Read and enjoy. + </p></dd><dt><span class="term">Migration and Updating</span></dt><dd><p> + A much requested addition to the book is information on how to migrate + from Microsoft Windows NT4 to Samba-3, as well as an overview of what the + issues are when moving from Samba-2.x to Samba-3. + </p></dd><dt><span class="term">Troubleshooting</span></dt><dd><p> + This short section should help you when all else fails. + </p></dd><dt><span class="term">Reference Section</span></dt><dd><p> + Here you will find a collection of things that are either too peripheral + for most users, or are a little left of field to be included in the + main body of information. + </p></dd></dl></div><p> +Welcome to Samba-3 and the first published document to help you and your users to enjoy a whole +new world of interoperability between Microsoft Windows and the rest of the world. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="TOSHpreface.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Preface </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part I. General Installation</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/NT4Migration.html b/docs/htmldocs/Samba3-HOWTO/NT4Migration.html new file mode 100644 index 0000000000..b02063447b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/NT4Migration.html @@ -0,0 +1,279 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 36. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba"><link rel="next" href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 36. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 36. Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NT4Migration.html#id442739">Planning and Getting Started</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id442769">Objectives</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id443632">Steps in Migration Process</a></span></dt></dl></dd><dt><span class="sect1"><a href="NT4Migration.html#id443855">Migration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id443938">Planning for Success</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id442723"></a> +<a class="indexterm" name="id442730"></a> +This is a rough guide to assist those wishing to migrate from NT4 domain control to +Samba-3-based domain control. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id442739"></a>Planning and Getting Started</h2></div></div></div><p> +<a class="indexterm" name="id442747"></a> +In the IT world there is often a saying that all problems are encountered because of +poor planning. The corollary to this saying is that not all problems can be anticipated +and planned for. Then again, good planning will anticipate most show-stopper-type situations. +</p><p> +<a class="indexterm" name="id442759"></a> +Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control +environment would do well to develop a detailed migration plan. So here are a few pointers to +help migration get underway. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id442769"></a>Objectives</h3></div></div></div><p> +<a class="indexterm" name="id442777"></a> +The key objective for most organizations is to make the migration from MS Windows NT4 +to Samba-3 domain control as painless as possible. One of the challenges you may experience +in your migration process may well be convincing management that the new environment +should remain in place. Many who have introduced open source technologies have experienced +pressure to return to a Microsoft-based platform solution at the first sign of trouble. +</p><p> +<a class="indexterm" name="id442791"></a> +Before attempting a migration to a Samba-3-controlled network, make every possible effort to +gain all-round commitment to the change. Know precisely <span class="emphasis"><em>why</em></span> the change +is important for the organization. Possible motivations to make a change include: +</p><a class="indexterm" name="id442804"></a><a class="indexterm" name="id442811"></a><a class="indexterm" name="id442818"></a><a class="indexterm" name="id442825"></a><a class="indexterm" name="id442832"></a><div class="itemizedlist"><ul type="disc"><li><p>Improve network manageability.</p></li><li><p>Obtain better user-level functionality.</p></li><li><p>Reduce network operating costs.</p></li><li><p>Reduce exposure caused by Microsoft withdrawal of NT4 support.</p></li><li><p>Avoid MS License 6 implications.</p></li><li><p>Reduce organization's dependency on Microsoft.</p></li></ul></div><p> +<a class="indexterm" name="id442872"></a> +<a class="indexterm" name="id442879"></a> +<a class="indexterm" name="id442886"></a> +<a class="indexterm" name="id442892"></a> +<a class="indexterm" name="id442899"></a> +<a class="indexterm" name="id442906"></a> +Make sure everyone knows that Samba-3 is not MS Windows NT4. Samba-3 offers +an alternative solution that is both different from MS Windows NT4 and offers +advantages compared with it. Gain recognition that Samba-3 lacks many of the +features that Microsoft has promoted as core values in migration from MS Windows NT4 to +MS Windows 2000 and beyond (with or without Active Directory services). +</p><p> +What are the features that Samba-3 cannot provide? +</p><a class="indexterm" name="id442921"></a><a class="indexterm" name="id442928"></a><a class="indexterm" name="id442934"></a><a class="indexterm" name="id442941"></a><a class="indexterm" name="id442948"></a><div class="itemizedlist"><ul type="disc"><li><p>Active Directory Server.</p></li><li><p>Group Policy Objects (in Active Directory).</p></li><li><p>Machine Policy Objects.</p></li><li><p>Logon Scripts in Active Directory.</p></li><li><p>Software Application and Access Controls in Active Directory.</p></li></ul></div><p> +The features that Samba-3 does provide and that may be of compelling interest to your site +include: +</p><a class="indexterm" name="id442986"></a><a class="indexterm" name="id442993"></a><a class="indexterm" name="id442999"></a><a class="indexterm" name="id443006"></a><a class="indexterm" name="id443013"></a><a class="indexterm" name="id443020"></a><a class="indexterm" name="id443027"></a><a class="indexterm" name="id443034"></a><a class="indexterm" name="id443040"></a><a class="indexterm" name="id443047"></a><a class="indexterm" name="id443054"></a><a class="indexterm" name="id443061"></a><a class="indexterm" name="id443068"></a><a class="indexterm" name="id443074"></a><a class="indexterm" name="id443081"></a><div class="itemizedlist"><ul type="disc"><li><p>Lower cost of ownership.</p></li><li><p>Global availability of support with no strings attached.</p></li><li><p>Dynamic SMB servers (can run more than one SMB/CIFS server per UNIX/Linux system).</p></li><li><p>Creation of on-the-fly logon scripts.</p></li><li><p>Creation of on-the-fly policy files.</p></li><li><p>Greater stability, reliability, performance, and availability.</p></li><li><p>Manageability via an SSH connection.</p></li><li><p>Flexible choices of backend authentication technologies (tdbsam, ldapsam).</p></li><li><p>Ability to implement a full single-sign-on architecture.</p></li><li><p>Ability to distribute authentication systems for absolute minimum wide-area network bandwidth demand.</p></li></ul></div><p> +<a class="indexterm" name="id443142"></a> +Before migrating a network from MS Windows NT4 to Samba-3, consider all necessary factors. Users +should be educated about changes they may experience so the change will be a welcome one +and not become an obstacle to the work they need to do. The following sections explain factors that will +help ensure a successful migration. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id443153"></a>Domain Layout</h4></div></div></div><p> +<a class="indexterm" name="id443161"></a> +<a class="indexterm" name="id443168"></a> +<a class="indexterm" name="id443174"></a> +<a class="indexterm" name="id443181"></a> +<a class="indexterm" name="id443188"></a> +<a class="indexterm" name="id443195"></a> +<a class="indexterm" name="id443202"></a> +<a class="indexterm" name="id443208"></a> +<a class="indexterm" name="id443215"></a> +<a class="indexterm" name="id443222"></a> +<a class="indexterm" name="id443229"></a> +<a class="indexterm" name="id443235"></a> +<a class="indexterm" name="id443242"></a> +<a class="indexterm" name="id443249"></a> +<a class="indexterm" name="id443256"></a> +<a class="indexterm" name="id443263"></a> +Samba-3 can be configured as a domain controller, a backup domain controller (probably best called +a secondary controller), a domain member, or a standalone server. The Windows network security +domain context should be sized and scoped before implementation. Particular attention needs to be +paid to the location of the Primary Domain Controller (PDC) as well as backup controllers (BDCs). +One way in which Samba-3 differs from Microsoft technology is that if one chooses to use an LDAP +authentication backend, then the same database can be used by several different domains. In a +complex organization, there can be a single LDAP database, which itself can be distributed (have +a master server and multiple slave servers) that can simultaneously serve multiple domains. +</p><p> +<a class="indexterm" name="id443279"></a> +From a design perspective, the number of users per server as well as the number of servers per +domain should be scaled taking into consideration server capacity and network bandwidth. +</p><p> +<a class="indexterm" name="id443291"></a> +<a class="indexterm" name="id443298"></a> +<a class="indexterm" name="id443305"></a> +<a class="indexterm" name="id443311"></a> +<a class="indexterm" name="id443318"></a> +<a class="indexterm" name="id443325"></a> +A physical network segment may house several domains. Each may span multiple network segments. +Where domains span routed network segments, consider and test the performance implications of +the design and layout of a network. A centrally located domain controller that is designed to +serve multiple routed network segments may result in severe performance problems. Check the +response time (ping timing) between the remote segment and the PDC. If it's long (more than 100 ms), +locate a BDC on the remote segment to serve as the local authentication and access control server. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id443343"></a>Server Share and Directory Layout</h4></div></div></div><p> +<a class="indexterm" name="id443351"></a> +<a class="indexterm" name="id443358"></a> +There are cardinal rules to effective network design that cannot be broken with impunity. +The most important rule: Simplicity is king in every well-controlled network. Every part of +the infrastructure must be managed; the more complex it is, the greater will be the demand +of keeping systems secure and functional. +</p><p> +<a class="indexterm" name="id443371"></a> +<a class="indexterm" name="id443378"></a> +<a class="indexterm" name="id443384"></a> +<a class="indexterm" name="id443391"></a> +<a class="indexterm" name="id443398"></a> +<a class="indexterm" name="id443405"></a> +Keep in mind the nature of how data must be shared. Physical disk space layout should be considered +carefully. Some data must be backed up. The simpler the disk layout, the easier it will be to +keep track of backup needs. Identify what backup media will meet your needs; consider backup to tape, +CD-ROM or DVD-ROM, or other offline storage medium. Plan and implement for minimum +maintenance. Leave nothing to chance in your design; above all, do not leave backups to chance: +backup, test, and validate every backup; create a disaster recovery plan and prove that it works. +</p><p> +<a class="indexterm" name="id443420"></a> +<a class="indexterm" name="id443427"></a> +<a class="indexterm" name="id443433"></a> +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions, and the use of the “<span class="quote">sticky bit</span>” on group-controlled +directories may substantially avoid file access complaints from Samba share users. +</p><p> +<a class="indexterm" name="id443449"></a> +<a class="indexterm" name="id443456"></a> +<a class="indexterm" name="id443463"></a> +<a class="indexterm" name="id443470"></a> +<a class="indexterm" name="id443477"></a> +Inexperienced network administrators often attempt elaborate techniques to set access +controls on files, directories, shares, as well as in share definitions. +Keep your design and implementation simple and document your design extensively. Have others +audit your documentation. Do not create a complex mess that your successor will not understand. +Remember, job security through complex design and implementation may cause loss of operations +and downtime to users as the new administrator learns to untangle your knots. Keep access +controls simple and effective, and make sure that users will never be interrupted by obtuse +complexity. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id443491"></a>Logon Scripts</h4></div></div></div><p> +<a class="indexterm" name="id443499"></a> +Logon scripts can help to ensure that all users gain the share and printer connections they need. +</p><p> +Logon scripts can be created on the fly so all commands executed are specific to the +rights and privileges granted to the user. The preferred controls should be effected through +group membership so group information can be used to create a custom logon script using +the <a class="indexterm" name="id443512"></a>root preexec parameters to the <em class="parameter"><code>NETLOGON</code></em> share. +</p><p> +<a class="indexterm" name="id443528"></a> +Some sites prefer to use a tool such as <code class="literal">kixstart</code> to establish a controlled +user environment. In any case, you may wish to do a Google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft Knowledge Base article KB189105 that +deals with how to add printers without user intervention via the logon script process. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id443546"></a>Profile Migration/Creation</h4></div></div></div><p> +User and group profiles may be migrated using the tools described in the section titled Desktop Profile +Management. +</p><p> +<a class="indexterm" name="id443559"></a> +<a class="indexterm" name="id443565"></a> +Profiles may also be managed using the Samba-3 tool <code class="literal">profiles</code>. This tool allows the MS +Windows NT-style security identifiers (SIDs) that are stored inside the profile +<code class="filename">NTuser.DAT</code> file to be changed to the SID of the Samba-3 domain. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id443588"></a>User and Group Accounts</h4></div></div></div><p> +<a class="indexterm" name="id443595"></a> +<a class="indexterm" name="id443602"></a> +<a class="indexterm" name="id443609"></a> +<a class="indexterm" name="id443616"></a> +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before +attempting to migrate user and group accounts, you are STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to map them to +suitable UNIX/Linux groups. By following this simple advice, all user and group attributes +should migrate painlessly. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id443632"></a>Steps in Migration Process</h3></div></div></div><p> +The approximate migration process is described below. +</p><div class="itemizedlist"><ul type="disc"><li><p> + You have an NT4 PDC that has the users, groups, policies, and profiles to be migrated. + </p></li><li><p> +<a class="indexterm" name="id443652"></a> +<a class="indexterm" name="id443659"></a> +<a class="indexterm" name="id443666"></a> + Samba-3 is set up as a domain controller with netlogon share, profile share, and so on. Configure the <code class="filename">smb.conf</code> file + to function as a BDC: <em class="parameter"><code>domain master = No</code></em>. + </p></li></ul></div><div class="procedure"><a name="id443687"></a><p class="title"><b>Procedure 36.1. The Account Migration Process</b></p><a class="indexterm" name="id443774"></a><ol type="1"><li><p> + <a class="indexterm" name="id443699"></a> + Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager. + <span class="emphasis"><em>Samba must not be running.</em></span> + </p></li><li><p> + <a class="indexterm" name="id443716"></a> + <strong class="userinput"><code>net rpc join -S <em class="replaceable"><code>NT4PDC</code></em> -w <em class="replaceable"><code>DOMNAME</code></em> -U + Administrator%<em class="replaceable"><code>passwd</code></em></code></strong> + </p></li><li><p> +<a class="indexterm" name="id443750"></a> + <strong class="userinput"><code>net rpc vampire -S <em class="replaceable"><code>NT4PDC</code></em> -U + administrator%<em class="replaceable"><code>passwd</code></em></code></strong> + </p></li><li><p><strong class="userinput"><code>pdbedit -L</code></strong></p><p>Note: Did the users migrate?</p></li><li><p> + <a class="indexterm" name="id443801"></a> + <a class="indexterm" name="id443810"></a> + Now assign each of the UNIX groups to NT groups: + (It may be useful to copy this text to a script called <code class="filename">initGroups.sh</code>) + </p><pre class="programlisting"> +#!/bin/bash +#### Keep this as a shell script for future re-use + +# First assign well known domain global groups +net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d +net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d + +# Now for our added domain global groups +net groupmap add ntgroup="Designers" unixgroup=designers type=d +net groupmap add ntgroup="Engineers" unixgroup=engineers type=d +net groupmap add ntgroup="QA Team" unixgroup=qateam type=d +</pre><p> + </p></li><li><p><strong class="userinput"><code>net groupmap list</code></strong></p><p>Check that all groups are recognized. + </p></li></ol></div><p> +Migrate all the profiles, then migrate all policy files. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id443855"></a>Migration Options</h2></div></div></div><p> +Sites that wish to migrate from MS Windows NT4 domain control to a Samba-based solution +generally fit into three basic categories. <a href="NT4Migration.html#majtypes" title="Table 36.1. The Three Major Site Types">Following table</a> shows the possibilities. +</p><div class="table"><a name="majtypes"></a><p class="title"><b>Table 36.1. The Three Major Site Types</b></p><div class="table-contents"><table summary="The Three Major Site Types" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Number of Users</th><th align="justify">Description</th></tr></thead><tbody><tr><td align="left">< 50</td><td align="justify"><p>Want simple conversion with no pain.</p></td></tr><tr><td align="left">50 - 250</td><td align="justify"><p>Want new features; can manage some inhouse complexity.</p></td></tr><tr><td align="left">> 250</td><td align="justify"><p>Solution/implementation must scale well; complex needs. + Cross-departmental decision process. Local expertise in most areas.</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id443938"></a>Planning for Success</h3></div></div></div><p> +There are three basic choices for sites that intend to migrate from MS Windows NT4 +to Samba-3: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Simple conversion (total replacement). + </p></li><li><p> + Upgraded conversion (could be one of integration). + </p></li><li><p> + Complete redesign (completely new solution). + </p></li></ul></div><p> +Minimize downstream problems by: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Taking sufficient time. + </p></li><li><p> + Avoiding panic. + </p></li><li><p> + Testing all assumptions. + </p></li><li><p> + Testing the full roll-out program, including workstation deployment. + </p></li></ul></div><p><a href="NT4Migration.html#natconchoices" title="Table 36.2. Nature of the Conversion Choices">Following table</a> lists the conversion choices given the type of migration +being contemplated. +</p><div class="table"><a name="natconchoices"></a><p class="title"><b>Table 36.2. Nature of the Conversion Choices</b></p><div class="table-contents"><table summary="Nature of the Conversion Choices" border="1"><colgroup><col align="justify"><col align="justify"><col align="justify"></colgroup><thead><tr><th align="justify">Simple Install</th><th align="justify">Upgrade Decisions</th><th align="justify">Redesign Decisions</th></tr></thead><tbody><tr><td align="justify"><p>Make use of minimal OS-specific features</p></td><td align="justify"><p>Translate NT4 features to new host OS features</p></td><td align="justify"><p>Improve on NT4 functionality, enhance management capabilities</p></td></tr><tr><td align="justify"><p>Move all accounts from NT4 into Samba-3</p></td><td align="justify"><p>Copy and improve</p></td><td align="justify"><p>Authentication regime (database location and access)</p></td></tr><tr><td align="justify"><p>Make least number of operational changes</p></td><td align="justify"><p>Make progressive improvements</p></td><td align="justify"><p>Desktop management methods</p></td></tr><tr><td align="justify"><p>Take least amount of time to migrate</p></td><td align="justify"><p>Minimize user impact</p></td><td align="justify"><p>Better control of Desktops/Users</p></td></tr><tr><td align="justify"><p>Live versus isolated conversion</p></td><td align="justify"><p>Maximize functionality</p></td><td align="justify"><p>Identify Needs for: <span class="emphasis"><em>Manageability, Scalability, Security, Availability</em></span></p></td></tr><tr><td align="justify"><p>Integrate Samba-3, then migrate while users are active, then change of control (swap out)</p></td><td align="justify"><p>Take advantage of lower maintenance opportunity</p></td><td align="justify"><p></p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id444159"></a>Samba-3 Implementation Choices</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">Authentication Database/Backend</span></dt><dd><p> + Samba-3 can use an external authentication backend: + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>Winbind (external Samba or NT4/200x server).</p></li><li><p>External server could use Active Directory or NT4 domain.</p></li><li><p>Can use pam_mkhomedir.so to autocreate home directories.</p></li><li><p> Samba-3 can use a local authentication backend: <em class="parameter"><code>smbpasswd</code></em>, + <em class="parameter"><code>tdbsam</code></em>, <em class="parameter"><code>ldapsam</code></em> + </p></li></ul></div></dd><dt><span class="term">Access Control Points</span></dt><dd><p> + Samba permits Access Control points to be set: + </p><a class="indexterm" name="id444229"></a><a class="indexterm" name="id444236"></a><a class="indexterm" name="id444242"></a><a class="indexterm" name="id444249"></a><div class="itemizedlist"><ul type="disc"><li><p>On the share itself using share ACLs.</p></li><li><p>On the file system using UNIX permissions on files and directories.</p><p>Note: Can enable Posix ACLs in file system also.</p></li><li><p>Through Samba share parameters not recommended except as last resort.</p></li></ul></div></dd><dt><span class="term">Policies (migrate or create new ones)</span></dt><dd><p> +<a class="indexterm" name="id444294"></a> +<a class="indexterm" name="id444301"></a> + Exercise great caution when making registry changes; use the right tool and be aware + that changes made through NT4-style <code class="filename">NTConfig.POL</code> files can leave + permanent changes. +<a class="indexterm" name="id444315"></a> +<a class="indexterm" name="id444322"></a> +<a class="indexterm" name="id444329"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Using Group Policy Editor (NT4).</p></li><li><p>Watch out for tattoo effect.</p></li></ul></div></dd><dt><span class="term">User and Group Profiles</span></dt><dd><p> +<a class="indexterm" name="id444359"></a> +<a class="indexterm" name="id444366"></a> + Platform-specific, so use platform tool to change from a local to a roaming profile. + Can use new profiles tool to change SIDs (<code class="filename">NTUser.DAT</code>). + </p></dd><dt><span class="term">Logon Scripts</span></dt><dd><p> + Know how they work. + </p></dd><dt><span class="term">User and Group Mapping to UNIX/Linux</span></dt><dd><p> + <a class="indexterm" name="id444402"></a> + User and group mapping code is new. Many problems have been experienced as network administrators + who are familiar with Samba-2.2.x migrate to Samba-3. Carefully study the chapters that document + the new password backend behavior and the new group mapping functionality. + </p><div class="itemizedlist"><ul type="disc"><li><p>The <em class="parameter"><code>username map</code></em> facility may be needed.</p></li><li><p>Use <code class="literal">net groupmap</code> to connect NT4 groups to UNIX groups.</p></li><li><p> + Use <code class="literal">pdbedit</code> to set/change user configuration. + </p><p> + When migrating to LDAP backend, it may be easier to dump the initial + LDAP database to LDIF, edit, then reload into LDAP. + </p></li></ul></div></dd><dt><span class="term">OS-Specific Scripts/Programs May be Needed</span></dt><dd><p> + Every operating system has its peculiarities. These are the result of engineering decisions + that were based on the experience of the designer and may have side effects that were not + anticipated. Limitations that may bite the Windows network administrator include: + </p><div class="itemizedlist"><ul type="disc"><li><p>Add/Delete Users: Note OS limits on size of name + (Linux 8 chars, NT4 up to 254 chars).</p></li><li><p>Add/Delete Machines: Applied only to domain members + (Note: machine names may be limited to 16 characters).</p></li><li><p>Use <code class="literal">net groupmap</code> to connect NT4 groups to UNIX groups.</p></li><li><p>Add/Delete Groups: Note OS limits on size and nature. + Linux limit is 16 char, no spaces, and no uppercase chars (<code class="literal">groupadd</code>).</p></li></ul></div></dd><dt><span class="term">Migration Tools</span></dt><dd><p> + <a class="indexterm" name="id444509"></a> + Domain Control (NT4-Style) Profiles, Policies, Access Controls, Security + </p><div class="itemizedlist"><ul type="disc"><li><p>Samba: <code class="literal">net, rpcclient, smbpasswd, pdbedit, profiles</code></p></li><li><p>Windows: <code class="literal">NT4 Domain User Manager, Server Manager (NEXUS)</code></p></li></ul></div></dd></dl></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Updating and Upgrading Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 37. SWAT: The Samba Web Administration Tool</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/NetCommand.html b/docs/htmldocs/Samba3-HOWTO/NetCommand.html new file mode 100644 index 0000000000..48e9029b4b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/NetCommand.html @@ -0,0 +1,1391 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 13. Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id370067">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370344">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id370568">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id371804">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371995">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372040">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372102">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372494">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id372506">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372844">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id373255">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id373453">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id373480">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id374016">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id374226">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374244">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374303">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374407">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374423">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id374462">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id374493">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p> +<a class="indexterm" name="id369939"></a> +<a class="indexterm" name="id369945"></a> +<a class="indexterm" name="id369952"></a> +<a class="indexterm" name="id369959"></a> +The <code class="literal">net</code> command is one of the new features of Samba-3 and is an attempt to provide a useful +tool for the majority of remote management operations necessary for common tasks. The <code class="literal">net</code> +tool is flexible by design and is intended for command-line use as well as for scripted control application. +</p><p> +<a class="indexterm" name="id369983"></a> +<a class="indexterm" name="id369989"></a> +<a class="indexterm" name="id369996"></a> +<a class="indexterm" name="id370003"></a> +Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the +<code class="literal">net</code> command has morphed into a very powerful instrument that has become an essential part +of the Samba network administrator's toolbox. The Samba Team has introduced tools, such as +<code class="literal">smbgroupedit</code> and <code class="literal">rpcclient</code>, from which really useful capabilities have +been integrated into the <code class="literal">net</code>. The <code class="literal">smbgroupedit</code> command was absorbed +entirely into the <code class="literal">net</code>, while only some features of the <code class="literal">rpcclient</code> command +have been ported to it. Anyone who finds older references to these utilities and to the functionality they +provided should look at the <code class="literal">net</code> command before searching elsewhere. +</p><p> +A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause +the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370067"></a>Overview</h2></div></div></div><p> +<a class="indexterm" name="id370075"></a> +<a class="indexterm" name="id370082"></a> +<a class="indexterm" name="id370089"></a> +<a class="indexterm" name="id370095"></a> +<a class="indexterm" name="id370102"></a> +<a class="indexterm" name="id370108"></a> + The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a + domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the + creation of user and group accounts is essential for both a standalone server and a PDC. + In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from + the central domain authentication backend. + </p><p> +<a class="indexterm" name="id370122"></a> +<a class="indexterm" name="id370129"></a> +<a class="indexterm" name="id370136"></a> +<a class="indexterm" name="id370143"></a> +<a class="indexterm" name="id370149"></a> +<a class="indexterm" name="id370156"></a> +<a class="indexterm" name="id370162"></a> +<a class="indexterm" name="id370169"></a> + Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows + networking domain global group accounts. Do you ask why? Because Samba always limits its access to + the resources of the host server by way of traditional UNIX UID and GID controls. This means that local + groups must be mapped to domain global groups so that domain users who are members of the domain + global groups can be given access rights based on UIDs and GIDs local to the server that is hosting + Samba. Such mappings are implemented using the <code class="literal">net</code> command. + </p><p> +<a class="indexterm" name="id370190"></a> +<a class="indexterm" name="id370196"></a> +<a class="indexterm" name="id370203"></a> +<a class="indexterm" name="id370209"></a> +<a class="indexterm" name="id370216"></a> +<a class="indexterm" name="id370223"></a> +<a class="indexterm" name="id370230"></a> + UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have + a machine security account in the domain authentication database (or directory). The creation of such + security (or trust) accounts is also handled using the <code class="literal">net</code> command. + </p><p> +<a class="indexterm" name="id370247"></a> +<a class="indexterm" name="id370254"></a> +<a class="indexterm" name="id370261"></a> +<a class="indexterm" name="id370268"></a> +<a class="indexterm" name="id370274"></a> +<a class="indexterm" name="id370281"></a> +<a class="indexterm" name="id370288"></a> +<a class="indexterm" name="id370295"></a> +<a class="indexterm" name="id370302"></a> + The establishment of interdomain trusts is achieved using the <code class="literal">net</code> command also, as + may a plethora of typical administrative duties such as user management, group management, share and + printer management, file and printer migration, security identifier management, and so on. + </p><p> +<a class="indexterm" name="id370320"></a> +<a class="indexterm" name="id370326"></a> + The overall picture should be clear now: the <code class="literal">net</code> command plays a central role + on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is + evidence of its importance, one that has grown in complexity to the point that it is no longer considered + prudent to cover its use fully in the online UNIX man pages. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370344"></a>Administrative Tasks and Methods</h2></div></div></div><p> +<a class="indexterm" name="id370352"></a> +<a class="indexterm" name="id370358"></a> +<a class="indexterm" name="id370365"></a> +<a class="indexterm" name="id370374"></a> + The basic operations of the <code class="literal">net</code> command are documented here. This documentation is not + exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba + server, the emphasis is on the use of the Distributed Computing Environment Remote Procedure Call (DCE RPC) + mode of operation. When used against a server that is a member of an Active Directory domain, it is preferable + (and often necessary) to use ADS mode operations. The <code class="literal">net</code> command supports both, but not + for every operation. For most operations, if the mode is not specified, <code class="literal">net</code> will + automatically fall back via the <code class="constant">ads</code>, <code class="constant">rpc</code>, and + <code class="constant">rap</code> modes. Please refer to the man page for a more comprehensive overview of the + capabilities of this utility. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370418"></a>UNIX and Windows Group Management</h2></div></div></div><p> +<a class="indexterm" name="id370426"></a> +<a class="indexterm" name="id370433"></a> +<a class="indexterm" name="id370441"></a> +<a class="indexterm" name="id370450"></a> +<a class="indexterm" name="id370459"></a> + As stated, the focus in most of this chapter is on use of the <code class="literal">net rpc</code> family of + operations that are supported by Samba. Most of them are supported by the <code class="literal">net ads</code> + mode when used in connection with Active Directory. The <code class="literal">net rap</code> operating mode is + also supported for some of these operations. RAP protocols are used by IBM OS/2 and by several + earlier SMB servers. + </p><p> +<a class="indexterm" name="id370489"></a> +<a class="indexterm" name="id370496"></a> +<a class="indexterm" name="id370503"></a> + Samba's <code class="literal">net</code> tool implements sufficient capability to permit all common administrative + tasks to be completed from the command line. In this section each of the essential user and group management + facilities are explored. + </p><p> +<a class="indexterm" name="id370520"></a> +<a class="indexterm" name="id370527"></a> +<a class="indexterm" name="id370536"></a> +<a class="indexterm" name="id370546"></a> + Samba-3 recognizes two types of groups: <span class="emphasis"><em>domain groups</em></span> and <span class="emphasis"><em>local + groups</em></span>. Domain groups can contain (have as members) only domain user accounts. Local groups + can contain local users, domain users, and domain groups as members. + </p><p> + The purpose of a local group is to permit file permission to be set for a group account that, like the + usual UNIX/Linux group, is persistent across redeployment of a Windows file server. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id370568"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p> + Samba provides file and print services to Windows clients. The file system resources it makes available + to the Windows environment must, of necessity, be provided in a manner that is compatible with the + Windows networking environment. UNIX groups are created and deleted as required to serve operational + needs in the UNIX operating system and its file systems. + </p><p> + In order to make available to the Windows environment, Samba has a facility by which UNIX groups can + be mapped to a logical entity, called a Windows (or domain) group. Samba supports two types of Windows + groups, local and global. Global groups can contain as members, global users. This membership is + affected in the normal UNIX manner, but adding UNIX users to UNIX groups. Windows user accounts consist + of a mapping between a user SambaSAMAccount (logical entity) and a UNIX user account. Therefore, + a UNIX user is mapped to a Windows user (i.e., is given a Windows user account and password) and the + UNIX groups to which that user belongs, is mapped to a Windows group account. The result is that in + the Windows account environment that user is also a member of the Windows group account by virtue + of UNIX group memberships. + </p><p> + The following sub-sections that deal with management of Windows groups demonstrates the relationship + between the UNIX group account and its members to the respective Windows group accounts. It goes on to + show how UNIX group members automatically pass-through to Windows group membership as soon as a logical + mapping has been created. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id370603"></a>Adding or Creating a New Group</h4></div></div></div><p> + Before attempting to add a Windows group account, the currently available groups can be listed as shown + here: +<a class="indexterm" name="id370612"></a> +<a class="indexterm" name="id370623"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group list -Uroot%not24get +Password: +Domain Admins +Domain Users +Domain Guests +Print Operators +Backup Operators +Replicator +Domain Computers +Engineers +</pre><p> + </p><p> + A Windows group account called “<span class="quote">SupportEngrs</span>” can be added by executing the following +command: +<a class="indexterm" name="id370657"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group add "SupportEngrs" -Uroot%not24get +</pre><p> + The addition will result in immediate availability of the new group account as validated by executing +this command: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group list -Uroot%not24get +Password: +Domain Admins +Domain Users +Domain Guests +Print Operators +Backup Operators +Replicator +Domain Computers +Engineers +SupportEngrs +</pre><p> + </p><p> +<a class="indexterm" name="id370697"></a> +<a class="indexterm" name="id370704"></a> +<a class="indexterm" name="id370710"></a> + The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling + the <a class="indexterm" name="id370718"></a>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" interface + script: +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +... +Domain Admins:x:512:root +Domain Users:x:513:jht,lct,ajt,met +Domain Guests:x:514: +Print Operators:x:550: +Backup Operators:x:551: +Replicator:x:552: +Domain Computers:x:553: +Engineers:x:1002:jht +SupportEngrs:x:1003: +</pre><p> + The following demonstrates that the use of the <code class="literal">net</code> command to add a group account +results in immediate mapping of the POSIX group that has been created to the Windows group account as shown +here: +<a class="indexterm" name="id370746"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins +Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users +Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests +Print Operators (S-1-5-21-72630-4128915-11681869-550) -> Print Operators +Backup Operators (S-1-5-21-72630-4128915-11681869-551) -> Backup Operators +Replicator (S-1-5-21-72630-4128915-11681869-552) -> Replicator +Domain Computers (S-1-5-21-72630-4128915-11681869-553) -> Domain Computers +Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers +SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs +</pre><p> + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id370780"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p> +<a class="indexterm" name="id370787"></a> +<a class="indexterm" name="id370794"></a> +<a class="indexterm" name="id370801"></a> +<a class="indexterm" name="id370808"></a> + Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls + can be asserted in a manner that is consistent with the methods appropriate to the operating + system that is hosting the Samba server. + </p><p> +<a class="indexterm" name="id370820"></a> +<a class="indexterm" name="id370827"></a> +<a class="indexterm" name="id370833"></a> +<a class="indexterm" name="id370840"></a> + All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is + hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override + or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that + access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group + account. The user account must also map to a locally known UID. Note that the <code class="literal">net</code> + command does not call any RPC-functions here but directly accesses the passdb. + </p><p> +<a class="indexterm" name="id370860"></a> +<a class="indexterm" name="id370867"></a> +<a class="indexterm" name="id370874"></a> +<a class="indexterm" name="id370881"></a> +<a class="indexterm" name="id370888"></a> +<a class="indexterm" name="id370894"></a> +<a class="indexterm" name="id370901"></a> + Samba depends on default mappings for the <code class="constant">Domain Admins, Domain Users</code>, and + <code class="constant">Domain Guests</code> global groups. Additional groups may be added as shown in the + examples just given. There are times when it is necessary to map an existing UNIX group account + to a Windows group. This operation, in effect, creates a Windows group account as a consequence + of creation of the mapping. + </p><p> +<a class="indexterm" name="id370922"></a> +<a class="indexterm" name="id370933"></a> +<a class="indexterm" name="id370944"></a> + The operations that are permitted include: <code class="constant">add</code>, <code class="constant">modify</code>, + and <code class="constant">delete</code>. An example of each operation is shown here. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Commencing with Samba-3.0.23 Windows Domain Groups must be explicitly created. By default, all + UNIX groups are exposed to Windows networking as Windows local groups. + </p></div><p> + An existing UNIX group may be mapped to an existing Windows group by this example: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap modify ntgroup="Domain Users" unixgroup=users +</pre><p> + An existing UNIX group may be mapped to a new Windows group as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d +</pre><p> + Supported mapping types are 'd' (domain global) and 'l' (domain local). + A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by + executing these commands: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap delete ntgroup=Engineers +<code class="prompt">root# </code> net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d +</pre><p> + The deletion and addition operations affected only the logical entities known as Windows groups, or domain + groups. These operations are inert to UNIX system groups, meaning that they neither delete nor create UNIX + system groups. The mapping of a UNIX group to a Windows group makes the UNIX group available as Windows + groups so that files and folders on domain member clients (workstations and servers) can be given + domain-wide access controls for domain users and groups. + </p><p> + Two types of Windows groups can be created: <code class="constant">domain (global)</code> and <code class="constant">local</code>. + In the previous examples the Windows groups created were of type <code class="constant">domain</code> or global. The + following command will create a Windows group of type <code class="constant">local</code>. +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap add ntgroup=Pixies unixgroup=pixies type=l +</pre><p> + Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group in Samba is + treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple + nested group support. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id371060"></a>Deleting a Group Account</h4></div></div></div><p> +<a class="indexterm" name="id371068"></a> + A group account may be deleted by executing the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group delete SupportEngineers -Uroot%not24get +</pre><p> + </p><p> + Validation of the deletion is advisable. The same commands may be executed as shown above. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id371098"></a>Rename Group Accounts</h4></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + This command is not documented in the man pages; it is implemented in the source code, but it does not + work at this time. The example given documents, from the source code, how it should work. Watch the + release notes of a future release to see when this may have been fixed. + </p></div><p> + Sometimes it is necessary to rename a group account. Good administrators know how painful some managers' + demands can be if this simple request is ignored. The following command demonstrates how the Windows group + “<span class="quote">SupportEngrs</span>” can be renamed to “<span class="quote">CustomerSupport</span>”: +<a class="indexterm" name="id371122"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group rename SupportEngrs \ + CustomerSupport -Uroot%not24get +</pre><p> + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p> + Three operations can be performed regarding group membership. It is possible to (1) add Windows users + to a Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are + members of a Windows group. + </p><p> + To avoid confusion, it makes sense to check group membership before attempting to make any changes. + The <code class="literal">getent group</code> will list UNIX/Linux group membership. UNIX/Linux group members are + seen also as members of a Windows group that has been mapped using the <code class="literal">net groupmap</code> + command (see <a href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">???</a>). The following list of UNIX/Linux group membership shows + that the user <code class="constant">ajt</code> is a member of the UNIX/Linux group <code class="constant">Engineers</code>. +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +... +Domain Admins:x:512:root +Domain Users:x:513:jht,lct,ajt,met,vlendecke +Domain Guests:x:514: +Print Operators:x:550: +Backup Operators:x:551: +Replicator:x:552: +Domain Computers:x:553: +Engineers:x:1000:jht,ajt +</pre><p> + The UNIX/Linux groups have been mapped to Windows groups, as is shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-72630-412605-116429-512) -> Domain Admins +Domain Users (S-1-5-21-72630-412605-116429-513) -> Domain Users +Domain Guests (S-1-5-21-72630-412605-116429-514) -> Domain Guests +Print Operators (S-1-5-21-72630-412605-116429-550) -> Print Operators +Backup Operators (S-1-5-21-72630-412605-116429-551) -> Backup Operators +Replicator (S-1-5-21-72630-412605-116429-552) -> Replicator +Domain Computers (S-1-5-21-72630-412605-116429-553) -> Domain Computers +Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers +</pre><p> + </p><p> + Given that the user <code class="constant">ajt</code> is already a member of the UNIX/Linux group and, via the + group mapping, a member of the Windows group, an attempt to add this account again should fail. This is + demonstrated here: +<a class="indexterm" name="id371234"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get +Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP +</pre><p> + This shows that the group mapping between UNIX/Linux groups and Windows groups is effective and + transparent. + </p><p> + To permit the user <code class="constant">ajt</code> to be added using the <code class="literal">net rpc group</code> utility, + this account must first be removed. The removal and confirmation of its effect is shown here: +<a class="indexterm" name="id371272"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get +<code class="prompt">root# </code> getent group Engineers +Engineers:x:1000:jht +<code class="prompt">root# </code> net rpc group members Engineers -Uroot%not24get +MIDEARTH\jht +</pre><p> + In this example both at the UNIX/Linux system level, the group no longer has the <code class="constant">ajt</code> + as a member. The above also shows this to be the case for Windows group membership. + </p><p> + The account is now added again, using the <code class="literal">net rpc group</code> utility: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get +<code class="prompt">root# </code> getent group Engineers +Engineers:x:1000:jht,ajt +<code class="prompt">root# </code> net rpc group members Engineers -Uroot%not24get +MIDEARTH\jht +MIDEARTH\ajt +</pre><p> + </p><p> + In this example the members of the Windows <code class="constant">Domain Users</code> account are validated using + the <code class="literal">net rpc group</code> utility. Note the this contents of the UNIX/Linux group was shown + four paragraphs earlier. The Windows (domain) group membership is shown here: +<a class="indexterm" name="id371361"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group members "Domain Users" -Uroot%not24get +MIDEARTH\jht +MIDEARTH\lct +MIDEARTH\ajt +MIDEARTH\met +MIDEARTH\vlendecke +</pre><p> + This express example shows that Windows group names are treated by Samba (as with + MS Windows) in a case-insensitive manner: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group members "DomAiN USerS" -Uroot%not24get +MIDEARTH\jht +MIDEARTH\lct +MIDEARTH\ajt +MIDEARTH\met +MIDEARTH\vlendecke +</pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + An attempt to specify the group name as <code class="constant">MIDEARTH\Domain Users</code> in place of + just simply <code class="constant">Domain Users</code> will fail. The default behavior of the net rpc group + is to direct the command at the local machine. The Windows group is treated as being local to the machine. + If it is necessary to query another machine, its name can be specified using the <code class="constant">-S + servername</code> parameter to the <code class="literal">net</code> command. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p> + It is possible in Windows (and now in Samba also) to create a local group that has members (contains), + domain users, and domain global groups. Creation of the local group <code class="constant">demo</code> is + achieved by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group add demo -L -S MORDON -Uroot%not24get +</pre><p> + The -L switch means create a local group. Use the -S argument to direct the operation to a particular + server. The parameters to the -U argument should be for a user who has appropriate administrative right + and privileges on the machine. + </p><p> + Addition and removal of group members can be achieved using the <code class="constant">addmem</code> and + <code class="constant">delmem</code> subcommands of <code class="literal">net rpc group</code> command. For example, + addition of “<span class="quote">DOM\Domain Users</span>” to the local group <code class="constant">demo</code> would be + done by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group addmem demo "DOM\Domain Users" -Uroot%not24get +</pre><p> + </p><p> + The members of a nested group can be listed by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group members demo -Uroot%not24get +DOM\Domain Users +DOM\Engineers +DOM\jamesf +DOM\jht +</pre><p> + </p><p> + Nested group members can be removed (deleted) as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group delmem demo "DOM\jht" -Uroot%not24get +</pre><p> + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id371525"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p> + Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone + administrative rights on their own workstation. This is of course a very bad practice, but commonly done + to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC: +<a class="indexterm" name="id371536"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc group addmem "Administrators" "Domain Users" \ + -S WINPC032 -Uadministrator%secret +</pre><p> + </p><p> + This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows + workstation. Here is a simple example that shows how this can be done. + </p><div class="procedure"><a name="id371565"></a><p class="title"><b>Procedure 13.1. Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash + +/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" \ + -UAdministrator%secret -S $2 + +exit 0 +</pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example 13.2. A Magic Netlogon Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id371713"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id371726"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id371739"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id371752"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id371764"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> + Create the script shown in <a href="NetCommand.html#autopoweruserscript" title="Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group">???</a> and locate it in + the directory <code class="filename">/etc/samba/scripts</code>, named as <code class="filename">autopoweruser.sh</code>. +<a class="indexterm" name="id371595"></a> +<a class="indexterm" name="id371606"></a> +<a class="indexterm" name="id371613"></a> + </p></li><li><p> + Set the permissions on this script to permit it to be executed as part of the logon process: +</p><pre class="screen"> +<code class="prompt">root# </code> chown root:root /etc/samba/autopoweruser.sh +<code class="prompt">root# </code> chmod 755 /etc/samba/autopoweruser.sh +</pre><p> + </p></li><li><p> + Modify the <code class="filename">smb.conf</code> file so the <code class="literal">NETLOGON</code> stanza contains the parameters + shown in <a href="NetCommand.html#magicnetlogon" title="Example 13.2. A Magic Netlogon Share">the Netlogon Example smb.conf file</a>. + </p></li><li><p> + Ensure that every Windows workstation Administrator account has the same password that you + have used in the script shown in <a href="NetCommand.html#magicnetlogon" title="Example 13.2. A Magic Netlogon Share">the Netlogon Example smb.conf + file</a> + </p></li></ol></div><p> + This script will be executed every time a user logs on to the network. Therefore every user will + have local Windows workstation management rights. This could of course be assigned using a group, + in which case there is little justification for the use of this procedure. The key justification + for the use of this method is that it will guarantee that all users have appropriate rights on + the workstation. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id371804"></a>UNIX and Windows User Management</h2></div></div></div><p> +<a class="indexterm" name="id371811"></a> +<a class="indexterm" name="id371818"></a> +<a class="indexterm" name="id371825"></a> +<a class="indexterm" name="id371831"></a> +<a class="indexterm" name="id371838"></a> +<a class="indexterm" name="id371845"></a> +<a class="indexterm" name="id371852"></a> +<a class="indexterm" name="id371858"></a> + Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact, + the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either + from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for the purpose + of being allocated for use by Windows user accounts. In the case of the UID pool, the UID for a + particular user will be allocated by <code class="literal">winbindd</code>. + </p><p> + Although this is not the appropriate place to discuss the <a class="indexterm" name="id371879"></a>username map facility, + this interface is an important method of mapping a Windows user account to a UNIX account that has a + different name. Refer to the man page for the <code class="filename">smb.conf</code> file for more information regarding this + facility. User name mappings cannot be managed using the <code class="literal">net</code> utility. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeuseraddn"></a>Adding User Accounts</h3></div></div></div><p> + The syntax for adding a user account via the <code class="literal">net</code> (according to the man page) is shown + here: +</p><pre class="screen"> +net [<method>] user ADD <name> [-c container] [-F user flags] \ + [misc. options] [targets] +</pre><p> + The user account password may be set using this syntax: +</p><pre class="screen"> +net rpc password <username> [<password>] -Uadmin_username%admin_pass +</pre><p> + </p><p> + The following demonstrates the addition of an account to the server <code class="constant">FRODO</code>: +<a class="indexterm" name="id371940"></a> +<a class="indexterm" name="id371951"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc user add jacko -S FRODO -Uroot%not24get +Added user jacko +</pre><p> + The account password can be set with the following methods (all show the same operation): +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc password jacko f4sth0rse -S FRODO -Uroot%not24get +<code class="prompt">root# </code> net rpc user password jacko f4sth0rse \ + -S FRODO -Uroot%not24get +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id371995"></a>Deletion of User Accounts</h3></div></div></div><p> + Deletion of a user account can be done using the following syntax: +</p><pre class="screen"> +net [<method>] user DELETE <name> [misc. options] [targets] +</pre><p> + The following command will delete the user account <code class="constant">jacko</code>: +<a class="indexterm" name="id372015"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc user delete jacko -Uroot%not24get +Deleted user account +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id372040"></a>Managing User Accounts</h3></div></div></div><p> + Two basic user account operations are routinely used: change of password and querying which groups a user + is a member of. The change of password operation is shown in <a href="NetCommand.html#sbeuseraddn" title="Adding User Accounts">???</a>. + </p><p> + The ability to query Windows group membership can be essential. Here is how a remote server may be + interrogated to find which groups a user is a member of: +<a class="indexterm" name="id372060"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc user info jacko -S SAURON -Uroot%not24get +net rpc user info jacko -S SAURON -Uroot%not24get +Domain Users +Domain Admins +Engineers +TorridGroup +BOP Shop +Emergency Services +</pre><p> + </p><p> + It is also possible to rename user accounts: +<a class="indexterm" name="id372088"></a>oldusername newusername + Note that this operation does not yet work against Samba Servers. It is, however, possible to rename useraccounts on + Windows Servers. + + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id372102"></a>User Mapping</h3></div></div></div><p> +<a class="indexterm" name="id372110"></a> +<a class="indexterm" name="id372117"></a> +<a class="indexterm" name="id372124"></a> + In some situations it is unavoidable that a user's Windows logon name will differ from the login ID + that user has on the Samba server. It is possible to create a special file on the Samba server that + will permit the Windows user name to be mapped to a different UNIX/Linux user name. The <code class="filename">smb.conf</code> + file must also be amended so that the <code class="constant">[global]</code> stanza contains the parameter: +</p><pre class="screen"> +username map = /etc/samba/smbusers +</pre><p> + The content of the <code class="filename">/etc/samba/smbusers</code> file is shown here: +</p><pre class="screen"> +parsonsw: "William Parsons" +marygee: geeringm +</pre><p> + In this example the Windows user account “<span class="quote">William Parsons</span>” will be mapped to the UNIX user + <code class="constant">parsonsw</code>, and the Windows user account “<span class="quote">geeringm</span>” will be mapped to the + UNIX user <code class="constant">marygee</code>. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372180"></a>Administering User Rights and Privileges</h2></div></div></div><p> +<a class="indexterm" name="id372188"></a> +<a class="indexterm" name="id372195"></a> +<a class="indexterm" name="id372202"></a> +<a class="indexterm" name="id372208"></a> +<a class="indexterm" name="id372215"></a> + With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could + manage users, groups, shares, printers, and such was the <code class="constant">root</code> account. This caused + problems for some users and was a frequent source of scorn over the necessity to hand out the + credentials for the most security-sensitive account on a UNIX/Linux system. + </p><p> +<a class="indexterm" name="id372232"></a> +<a class="indexterm" name="id372239"></a> +<a class="indexterm" name="id372246"></a> +<a class="indexterm" name="id372252"></a> +<a class="indexterm" name="id372259"></a> + New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either + a normal user or to groups of users. The significance of the administrative privileges is documented + in <a href="rights.html" title="Chapter 15. User Rights and Privileges">???</a>. Examples of use of the <code class="literal">net</code> for user rights and privilege + management is appropriate to this chapter. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + When user rights and privileges are correctly set, there is no longer a need for a Windows + network account for the <code class="constant">root</code> user (nor for any synonym of it) with a UNIX UID=0. + Initial user rights and privileges can be assigned by any account that is a member of the <code class="constant"> + Domain Admins</code> group. Rights can be assigned to user as well as group accounts. + </p></div><p> + By default, no privileges and rights are assigned. This is demonstrated by executing the command + shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get +BUILTIN\Print Operators +No privileges assigned + +BUILTIN\Account Operators +No privileges assigned + +BUILTIN\Backup Operators +No privileges assigned + +BUILTIN\Server Operators +No privileges assigned + +BUILTIN\Administrators +No privileges assigned + +Everyone +No privileges assigned +</pre><p> + </p><p> + The <code class="literal">net</code> command can be used to obtain the currently supported capabilities for rights + and privileges using this method: +<a class="indexterm" name="id372322"></a> +<a class="indexterm" name="id372329"></a> +<a class="indexterm" name="id372336"></a> +<a class="indexterm" name="id372343"></a> +<a class="indexterm" name="id372350"></a> +<a class="indexterm" name="id372357"></a> +<a class="indexterm" name="id372364"></a> +<a class="indexterm" name="id372370"></a> +<a class="indexterm" name="id372377"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc rights list -U root%not24get + SeMachineAccountPrivilege Add machines to domain + SePrintOperatorPrivilege Manage printers + SeAddUsersPrivilege Add users and groups to the domain + SeRemoteShutdownPrivilege Force shutdown from a remote system + SeDiskOperatorPrivilege Manage disk shares + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeTakeOwnershipPrivilege Take ownership of files or other objects +</pre><p> + Machine account privilege is necessary to permit a Windows NT4 or later network client to be added to the + domain. The disk operator privilege is necessary to permit the user to manage share ACLs and file and + directory ACLs for objects not owned by the user. + </p><p> + In this example, all rights are assigned to the <code class="constant">Domain Admins</code> group. This is a good + idea since members of this group are generally expected to be all-powerful. This assignment makes that + the reality: +<a class="indexterm" name="id372419"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\Domain Admins" \ + SeMachineAccountPrivilege SePrintOperatorPrivilege \ + SeAddUsersPrivilege SeRemoteShutdownPrivilege \ + SeDiskOperatorPrivilege -U root%not24get +Successfully granted rights. +</pre><p> + Next, the domain user <code class="constant">jht</code> is given the privileges needed for day-to-day + administration: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\jht" \ + SeMachineAccountPrivilege SePrintOperatorPrivilege \ + SeAddUsersPrivilege SeDiskOperatorPrivilege \ + -U root%not24get +Successfully granted rights. +</pre><p> + </p><p> + The following step permits validation of the changes just made: +<a class="indexterm" name="id372465"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get +MIDEARTH\jht +SeMachineAccountPrivilege +SePrintOperatorPrivilege +SeAddUsersPrivilege +SeDiskOperatorPrivilege + +BUILTIN\Print Operators +No privileges assigned + +BUILTIN\Account Operators +No privileges assigned + +BUILTIN\Backup Operators +No privileges assigned + +BUILTIN\Server Operators +No privileges assigned + +BUILTIN\Administrators +No privileges assigned + +Everyone +No privileges assigned + +MIDEARTH\Domain Admins +SeMachineAccountPrivilege +SePrintOperatorPrivilege +SeAddUsersPrivilege +SeRemoteShutdownPrivilege +SeDiskOperatorPrivilege +</pre><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372494"></a>Managing Trust Relationships</h2></div></div></div><p> + There are essentially two types of trust relationships: the first is between domain controllers and domain + member machines (network clients), the second is between domains (called interdomain trusts). All + Samba servers that participate in domain security require a domain membership trust account, as do like + Windows NT/200x/XP workstations. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id372506"></a>Machine Trust Accounts</h3></div></div></div><p> + The net command looks in the <code class="filename">smb.conf</code> file to obtain its own configuration settings. Thus, the following + command 'knows' which domain to join from the <code class="filename">smb.conf</code> file. + </p><p> + A Samba server domain trust account can be validated as shown in this example: +<a class="indexterm" name="id372531"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc testjoin +Join to 'MIDEARTH' is OK +</pre><p> + Where there is no domain membership account, or when the account credentials are not valid, the following + results will be observed: +</p><pre class="screen"> +net rpc testjoin -S DOLPHIN +Join to domain 'WORLDOCEAN' is not valid +</pre><p> + </p><p> + The equivalent command for joining a Samba server to a Windows ADS domain is shown here: +<a class="indexterm" name="id372566"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin +Using short domain name -- TAKEAWAY +Joined 'LEMONADE' to realm 'TAKEAWAY.BIZ' +</pre><p> + In the event that the ADS trust was not established, or is broken for one reason or another, the following + error message may be obtained: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin -UAdministrator%secret +Join to domain is not valid +</pre><p> + </p><p> + The following demonstrates the process of creating a machine trust account in the target domain for the + Samba server from which the command is executed: +<a class="indexterm" name="id372607"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -S FRODO -Uroot%not24get +Joined domain MIDEARTH. +</pre><p> + The joining of a Samba server to a Samba domain results in the creation of a machine account. An example + of this is shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lw merlin\$ +merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\ +176D8C554E99914BDF3407DEA2231D80:[S ]:LCT-42891919: +</pre><p> + The S in the square brackets means this is a server (PDC/BDC) account. The domain join can be cast to join + purely as a workstation, in which case the S is replaced with a W (indicating a workstation account). The + following command can be used to affect this: +<a class="indexterm" name="id372645"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join member -S FRODO -Uroot%not24get +Joined domain MIDEARTH. +</pre><p> + Note that the command-line parameter <code class="constant">member</code> makes this join specific. By default + the type is deduced from the <code class="filename">smb.conf</code> file configuration. To specifically join as a PDC or BDC, the + command-line parameter will be <code class="constant">[PDC | BDC]</code>. For example: +<a class="indexterm" name="id372683"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join bdc -S FRODO -Uroot%not24get +Joined domain MIDEARTH. +</pre><p> + It is best to let Samba figure out the domain join type from the settings in the <code class="filename">smb.conf</code> file. + </p><p> + The command to join a Samba server to a Windows ADS domain is shown here: +<a class="indexterm" name="id372717"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net ads join -UAdministrator%not24get +Using short domain name -- GDANSK +Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ' +</pre><p> + </p><p> + There is no specific option to remove a machine account from an NT4 domain. When a domain member that is a + Windows machine is withdrawn from the domain, the domain membership account is not automatically removed + either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the + machine account can be removed using the following <code class="literal">net</code> command: +<a class="indexterm" name="id372753"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc user delete HERRING\$ -Uroot%not24get +Deleted user account. +</pre><p> + The removal is made possible because machine accounts are just like user accounts with a trailing $ + character. The account management operations treat user and machine accounts in like manner. + </p><p> + A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the + domain: +<a class="indexterm" name="id372782"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net ads leave +</pre><p> + </p><p> + Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the + following: +<a class="indexterm" name="id372808"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net ads status +</pre><p> + The volume of information is extensive. Please refer to the book “<span class="quote">Samba-3 by Example</span>”, + Chapter 7 for more information regarding its use. This book may be obtained either in print or online from + the <a href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by Example</a>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id372844"></a>Interdomain Trusts</h3></div></div></div><p> + Interdomain trust relationships form the primary mechanism by which users from one domain can be granted + access rights and privileges in another domain. + </p><p> + To discover what trust relationships are in effect, execute this command: +<a class="indexterm" name="id372857"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get +Trusted domains list: + +none + +Trusting domains list: + +none +</pre><p> + There are no interdomain trusts at this time; the following steps will create them. + </p><p> + It is necessary to create a trust account in the local domain. A domain controller in a second domain can + create a trusted connection with this account. That means that the foreign domain is being trusted + to access resources in the local domain. This command creates the local trust account: +<a class="indexterm" name="id372887"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom add DAMNATION f00db4r -Uroot%not24get +</pre><p> + The account can be revealed by using the <code class="literal">pdbedit</code> as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lw DAMNATION\$ +DAMNATION$:1016:9AC1F121DF897688AAD3B435B51404EE: \ +7F845808B91BB9F7FEF44B247D9DC9A6:[I ]:LCT-428934B1: +</pre><p> + A trust account will always have an I in the field within the square brackets. + </p><p> + If the trusting domain is not capable of being reached, the following command will fail: +<a class="indexterm" name="id372934"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get +Trusted domains list: + +none + +Trusting domains list: + +DAMNATION S-1-5-21-1385457007-882775198-1210191635 +</pre><p> + The above command executed successfully; a failure is indicated when the following response is obtained: +</p><pre class="screen"> +net rpc trustdom list -Uroot%not24get +Trusted domains list: + +DAMNATION S-1-5-21-1385457007-882775198-1210191635 + +Trusting domains list: + +DAMNATION domain controller is not responding +</pre><p> + </p><p> + Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with) + the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This + command achieves the objective of joining the trust relationship: +<a class="indexterm" name="id372972"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom establish DAMNATION +Password: xxxxxxx == f00db4r +Could not connect to server TRANSGRESSION +Trust to domain DAMNATION established +</pre><p> + Validation of the two-way trust now established is possible as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get +Trusted domains list: + +DAMNATION S-1-5-21-1385457007-882775198-1210191635 + +Trusting domains list: + +DAMNATION S-1-5-21-1385457007-882775198-1210191635 +</pre><p> + </p><p> + Sometimes it is necessary to remove the ability for local users to access a foreign domain. The trusting + connection can be revoked as shown here: +<a class="indexterm" name="id373014"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom revoke DAMNATION -Uroot%not24get +</pre><p> + At other times it becomes necessary to remove the ability for users from a foreign domain to be able to + access resources in the local domain. The command shown here will do that: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc trustdom del DAMNATION -Uroot%not24get +</pre><p> + + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id373053"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p> +<a class="indexterm" name="id373061"></a> +<a class="indexterm" name="id373068"></a> +<a class="indexterm" name="id373075"></a> +<a class="indexterm" name="id373081"></a> +<a class="indexterm" name="id373088"></a> + The basic security identifier that is used by all Windows networking operations is the Windows security + identifier (SID). All Windows network machines (servers and workstations), users, and groups are + identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that + are specific to the SID of the domain to which the user belongs. + </p><p> +<a class="indexterm" name="id373102"></a> +<a class="indexterm" name="id373108"></a> +<a class="indexterm" name="id373115"></a> +<a class="indexterm" name="id373122"></a> + It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because + a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you + have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of + having to recover user desktop profiles and perhaps rejoin all member machines to the domain. + </p><p> + First, do not forget to store the local SID in a file. It is a good idea to put this in the directory + in which the <code class="filename">smb.conf</code> file is also stored. Here is a simple action to achieve this: +<a class="indexterm" name="id373143"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net getlocalsid > /etc/samba/my-sid +</pre><p> + Good, there is now a safe copy of the local machine SID. On a PDC/BDC this is the domain SID also. + </p><p> + The following command reveals what the former one should have placed into the file called + <code class="filename">my-sid</code>: +</p><pre class="screen"> +<code class="prompt">root# </code> net getlocalsid +SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429 +</pre><p> + </p><p> + If ever it becomes necessary to restore the SID that has been stored in the <code class="filename">my-sid</code> + file, simply copy the SID (the string of characters that begins with <code class="constant">S-1-5-21</code>) to + the command line shown here: +<a class="indexterm" name="id373200"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635 +</pre><p> + Restoration of a machine SID is a simple operation, but the absence of a backup copy can be very + problematic. + </p><p> + The following operation is useful only for machines that are being configured as a PDC or a BDC. + DMS and workstation clients should have their own machine SID to avoid + any potential namespace collision. Here is the way that the BDC SID can be synchronized to that + of the PDC (this is the default NT4 domain practice also): +<a class="indexterm" name="id373228"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc getsid -S FRODO -Uroot%not24get +Storing SID S-1-5-21-726309263-4128913605-1168186429 \ + for Domain MIDEARTH in secrets.tdb +</pre><p> + Usually it is not necessary to specify the target server (-S FRODO) or the administrator account + credentials (-Uroot%not24get). + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id373255"></a>Share Management</h2></div></div></div><p> + Share management is central to all file serving operations. Typical share operations include: + </p><div class="itemizedlist"><ul type="disc"><li><p>Creation/change/deletion of shares</p></li><li><p>Setting/changing ACLs on shares</p></li><li><p>Moving shares from one server to another</p></li><li><p>Change of permissions of share contents</p></li></ul></div><p> + Each of these are dealt with here insofar as they involve the use of the <code class="literal">net</code> + command. Operations outside of this command are covered elsewhere in this document. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id373297"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p> + A share can be added using the <code class="literal">net rpc share</code> command capabilities. + The target machine may be local or remote and is specified by the -S option. It must be noted + that the addition and deletion of shares using this tool depends on the availability of a suitable + interface script. The interface scripts Sambas <code class="literal">smbd</code> uses are called + <a class="indexterm" name="id373319"></a>add share command, <a class="indexterm" name="id373326"></a>delete share command and + <a class="indexterm" name="id373334"></a>change share command A set of example scripts are provided in the Samba source + code tarball in the directory <code class="filename">~samba/examples/scripts</code>. + </p><p> + The following steps demonstrate the use of the share management capabilities of the <code class="literal">net</code> + utility. In the first step a share called <code class="constant">Bulge</code> is added. The sharepoint within the + file system is the directory <code class="filename">/data</code>. The command that can be executed to perform the + addition of this share is shown here: +<a class="indexterm" name="id373368"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share add Bulge=/data -S MERLIN -Uroot%not24get +</pre><p> + Validation is an important process, and by executing the command <code class="literal">net rpc share</code> + with no other operators it is possible to obtain a listing of available shares, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share -S MERLIN -Uroot%not24get +profdata +archive +Bulge <--- This one was added +print$ +netlogon +profiles +IPC$ +kyocera +ADMIN$ +</pre><p> + </p><p> + Often it is desirable also to permit a share to be removed using a command-line tool. + The following step permits the share that was previously added to be removed: +<a class="indexterm" name="id373415"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share delete Bulge -S MERLIN -Uroot%not24get +</pre><p> + A simple validation shown here demonstrates that the share has been removed: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share -S MERLIN -Uroot%not24get +profdata +archive +print$ +netlogon +profiles +IPC$ +ADMIN$ +kyocera +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id373453"></a>Creating and Changing Share ACLs</h3></div></div></div><p> + At this time the <code class="literal">net</code> tool cannot be used to manage ACLs on Samba shares. In MS Windows + language this is called Share Permissions. + </p><p> + It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager + or using the Computer Management MMC snap-in. Neither is covered here, + but see <a href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">???</a>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id373480"></a>Share, Directory, and File Migration</h3></div></div></div><p> +<a class="indexterm" name="id373488"></a> + Shares and files can be migrated in the same manner as user, machine, and group accounts. + It is possible to preserve access control settings (ACLs) as well as security settings + throughout the migration process. The <code class="literal">net rpc vampire</code> facility is used + to migrate accounts from a Windows NT4 (or later) domain to a Samba server. This process + preserves passwords and account security settings and is a precursor to the migration + of shares and files. + </p><p> + The <code class="literal">net rpc share</code> command may be used to migrate shares, directories, + files, and all relevant data from a Windows server to a Samba server. + </p><p> + A set of command-line switches permit the creation of almost direct clones of Windows file + servers. For example, when migrating a fileserver, file ACLs and DOS file attributes from + the Windows server can be included in the migration process and will reappear, almost identically, + on the Samba server when the migration has been completed. + </p><p> + The migration process can be completed only with the Samba server already being fully operational. + The user and group accounts must be migrated before attempting to migrate data + share, files, and printers. The migration of files and printer configurations involves the use + of both SMB and MS DCE RPC services. The benefit of the manner in which the migration process has + been implemented is that the possibility now exists to use a Samba server as a man-in-middle migration + service that affects a transfer of data from one server to another. For example, if the Samba + server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba + server is called GONZALES, the machine MESSER can be used to effect the migration of all data + (files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local + server is assumed by default - as net's general rule of thumb . + </p><p> + The success of server migration requires a firm understanding of the structure of the source + server (or domain) as well as the processes on which the migration is critically dependant. + </p><p> + There are two known limitations to the migration process: + </p><div class="orderedlist"><ol type="1"><li><p> + The <code class="literal">net</code> command requires that the user credentials provided exist on both + the migration source and the migration target. + </p></li><li><p> + Printer settings may not be fully or may be incorrectly migrated. This might in particular happen + when migrating a Windows 2003 print server to Samba. + </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id373571"></a>Share Migration</h4></div></div></div><p> + The <code class="literal">net rpc share migrate</code> command operation permits the migration of plain + share stanzas. A stanza contains the parameters within which a file or print share are defined. + The use of this migration method will create share stanzas that have as parameters the file + system directory path, an optional description, and simple security settings that permit write + access to files. One of the first steps necessary following migration is to review the share + stanzas to ensure that the settings are suitable for use. + </p><p> + The shares are created on the fly as part of the migration process. The <code class="literal">smbd</code> + application does this by calling on the operating system to execute the script specified by the + <code class="filename">smb.conf</code> parameter <em class="parameter"><code>add share command</code></em>. + </p><p> + There is a suitable example script for the <em class="parameter"><code>add share command</code></em> in the + <code class="filename">$SAMBA_SOURCES/examples/scripts</code> directory. It should be noted that + the account that is used to drive the migration must, of necessity, have appropriate file system + access privileges and have the right to create shares and to set ACLs on them. Such rights are + conferred by these rights: <em class="parameter"><code>SeAddUsersPrivilege</code></em> and <em class="parameter"><code>SeDiskOperatorPrivilege</code></em>. + For more information regarding rights and privileges please refer to <a href="rights.html" title="Chapter 15. User Rights and Privileges">???</a>. + </p><p> + The syntax of the share migration command is shown here: +</p><pre class="screen"> +net rpc share MIGRATE SHARES <share-name> -S <source> + [--destination=localhost] [--exclude=share1,share2] [-v] +</pre><p> + When the parameter <share-name> is omitted, all shares will be migrated. The potentially + large list of available shares on the system that is being migrated can be limited using the + <em class="parameter"><code>--exclude</code></em> switch. For example: +<a class="indexterm" name="id373672"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share migrate shares myshare\ + -S win2k -U administrator%secret" +</pre><p> + This will migrate the share <code class="constant">myshare</code> from the server <code class="constant">win2k</code> + to the Samba Server using the permissions that are tied to the account <code class="constant">administrator</code> + with the password <code class="constant">secret</code>. The account that is used must be the same on both the + migration source server and the target Samba server. The use of the <code class="literal">net rpc + vampire</code>, prior to attempting the migration of shares, will ensure that accounts will be + identical on both systems. One precaution worth taking before commencement of migration of shares is + to validate that the migrated accounts (on the Samba server) have the needed rights and privileges. + This can be done as shown here: +<a class="indexterm" name="id373721"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc right list accounts -Uroot%not24get +</pre><p> + The steps taken so far perform only the migration of shares. Directories and directory contents + are not migrated by the steps covered up to this point. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id373747"></a>File and Directory Migration</h4></div></div></div><p> + Everything covered to this point has been done in preparation for the migration of file and directory + data. For many people preparation is potentially boring and the real excitement only begins when file + data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate) + data files using the <code class="literal">net</code> command. + </p><p> + Transfer of files from one server to another has always been a challenge for MS Windows + administrators because Windows NT and 200X servers do not always include the tools needed. The + <code class="literal">xcopy</code> from Windows NT is not capable of preserving file and directory ACLs, + it does so only with Windows 200x. Microsoft does provide a + utility that can copy ACLs (security settings) called <code class="literal">scopy</code>, but it is provided only + as part of the Windows NT or 200X Server Resource Kit. + </p><p> + There are several tools, both commercial and freeware, that can be used from a Windows server to copy files + and directories with full preservation of security settings. One of the best known of the free tools is + called <code class="literal">robocopy</code>. + </p><p> + The <code class="literal">net</code> utility can be used to copy files and directories with full preservation of + ACLs as well as DOS file attributes. Note that including ACLs makes sense only where the destination + system will operate within the same security context as the source system. This applies both to a + DMS and to domain controllers that result from a vampired domain. + Before file and directory migration, all shares must already exist. + </p><p> + The syntax for the migration commands is shown here: +</p><pre class="screen"> +net rpc share MIGRATE FILES <share-name> -S <source> + [--destination=localhost] [--exclude=share1,share2] + [--acls] [--attrs] [--timestamps] [-v] +</pre><p> + If the <share-name> parameter is omitted, all shares will be migrated. The potentially large + list of shares on the source system can be restricted using the <em class="parameter"><code>--exclude</code></em> command + switch. + </p><p> + Where it is necessary to preserve all file ACLs, the <em class="parameter"><code>--acls</code></em> switch should be added + to the above command line. Original file timestamps can be preserved by specifying the + <em class="parameter"><code>--timestamps</code></em> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can + be preserved by specifying the <em class="parameter"><code>--attrs</code></em> switch. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system + semantics of the host operating system on the target server. A migration from one Windows file server to + another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs + onto a POSIX ACLs-supporting system, there can be no perfect migration of Windows ACLs to a Samba server. + </p></div><p> + The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows supports + the possibility of files that are owned only by a group. Group-alone file ownership is not possible under + UNIX/Linux. Errors in migrating group-owned files can be avoided by using the <code class="filename">smb.conf</code> file + <a class="indexterm" name="id373870"></a>force unknown acl user = yes parameter. This facility will + automatically convert group-owned files into correctly user-owned files on the Samba server. + </p><p> + An example for migration of files from a machine called <code class="constant">nt4box</code> to the Samba server + from which the process will be handled is shown here: +<a class="indexterm" name="id373886"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share migrate files -S nt4box --acls \ + --attrs -U administrator%secret +</pre><p> + </p><p> + This command will migrate all files and directories from all file shares on the Windows server called + <code class="constant">nt4box</code> to the Samba server from which migration is initiated. Files that are group-owned + will be owned by the user account <code class="constant">administrator</code>. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id373924"></a>Share-ACL Migration</h4></div></div></div><p> + It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to + copy any files or directories into it. Therefor the migration of the share-ACLs has been put into a separate + function: +<a class="indexterm" name="id373933"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share migrate security -S nt4box -U administrator%secret +</pre><p> + </p><p> + This command will only copy the share-ACL of each share on nt4box to your local samba-system. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id373962"></a>Simultaneous Share and File Migration</h4></div></div></div><p> + The operating mode shown here is just a combination of the previous three. It first migrates + share definitions and then all shared files and directories and finally migrates the share-ACLs: +</p><pre class="screen"> +net rpc share MIGRATE ALL <share-name> -S <source> + [--exclude=share1, share2] [--acls] [--attrs] [--timestamps] [-v] +</pre><p> + </p><p> + An example of simultaneous migration is shown here: +<a class="indexterm" name="id373984"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc share migrate all -S w2k3server -U administrator%secret +</pre><p> + This will generate a complete server clone of the <em class="parameter"><code>w2k3server</code></em> server. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id374016"></a>Printer Migration</h3></div></div></div><p> + The installation of a new server, as with the migration to a new network environment, often is similar to + building a house; progress is very rapid from the laying of foundations up to the stage at which + the house can be locked up, but the finishing off appears to take longer and longer as building + approaches completion. + </p><p> + Printing needs vary greatly depending on the network environment and may be very simple or complex. If + the need is very simple, the best solution to the implementation of printing support may well be to + re-install everything from a clean slate instead of migrating older configurations. On the other hand, + a complex network that is integrated with many international offices and a multiplexity of local branch + offices, each of which form an inter-twined maze of printing possibilities, the ability to migrate all + printer configurations is decidedly beneficial. To manually re-establish a complex printing network + will take much time and frustration. Often it will not be possible to find driver files that are + currently in use, necessitating the installation of newer drivers. Newer drivers often implement + printing features that will necessitate a change in the printer usage. Additionally, with very complex + printer configurations it becomes almost impossible to re-create the same environment no matter + how extensively it has been documented. + </p><p> + The migration of an existing printing architecture involves the following: + </p><div class="itemizedlist"><ul type="disc"><li><p>Establishment of print queues.</p></li><li><p>Installation of printer drivers (both for the print server and for Windows clients.</p></li><li><p>Configuration of printing forms.</p></li><li><p>Implementation of security settings.</p></li><li><p>Configuration of printer settings.</p></li></ul></div><p> + The Samba <code class="literal">net</code> utility permits printer migration from one Windows print server + to another. When this tool is used to migrate printers to a Samba server <code class="literal">smbd</code>, + the application that receives the network requests to create the necessary services must call out + to the operating system in order to create the underlying printers. The call-out is implemented + by way of an interface script that can be specified by the <code class="filename">smb.conf</code> file parameter + <a class="indexterm" name="id374097"></a>. This script is essential to the migration process. + A suitable example script may be obtained from the <code class="filename">$SAMBA_SOURCES/examples/scripts</code> + directory. Take note that this script must be customized to suit the operating system environment + and may use its tools to create a print queue. + </p><p> + Each of the components listed above can be completed separately, or they can be completed as part of an + automated operation. Many network administrators prefer to deal with migration issues in a manner that + gives them the most control, particularly when things go wrong. The syntax for each operation is now + briefly described. + </p><p> + Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the + printer share to be created together with the underlying print queue: +<a class="indexterm" name="id374121"></a> +</p><pre class="screen"> +net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets] +</pre><p> + Printer drivers can be migrated from the Windows print server to the Samba server using this + command-line instruction: +<a class="indexterm" name="id374140"></a> +</p><pre class="screen"> +net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets] +</pre><p> + Printer forms can be migrated with the following operation: +<a class="indexterm" name="id374158"></a> +</p><pre class="screen"> +net rpc printer MIGRATE FORMS [printer] [misc. options] [targets] +</pre><p> + Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command: +<a class="indexterm" name="id374176"></a> +</p><pre class="screen"> +net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets] +</pre><p> + Printer configuration settings include factors such as paper size and default paper orientation. + These can be migrated from the Windows print server to the Samba server with this command: +<a class="indexterm" name="id374195"></a> +</p><pre class="screen"> +net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets] +</pre><p> + </p><p> + Migration of printers including the above-mentioned sets of information may be completed + with a single command using this syntax: +</p><pre class="screen"> +net rpc printer MIGRATE ALL [printer] [misc. options] [targets] +</pre><p> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id374226"></a>Controlling Open Files</h2></div></div></div><p> + The man page documents the <code class="literal">net file</code> function suite, which provides the tools to + close open files using either RAP or RPC function calls. Please refer to the man page for specific + usage information. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id374244"></a>Session and Connection Management</h2></div></div></div><p> + The session management interface of the <code class="literal">net session</code> command uses the old RAP + method to obtain the list of connections to the Samba server, as shown here: +<a class="indexterm" name="id374259"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rap session -S MERLIN -Uroot%not24get +Computer User name Client Type Opens Idle time +------------------------------------------------------------------------------ +\\merlin root Unknown Client 0 00:00:00 +\\marvel jht Unknown Client 0 00:00:00 +\\maggot jht Unknown Client 0 00:00:00 +\\marvel jht Unknown Client 0 00:00:00 +</pre><p> + </p><p> + A session can be closed by executing a command as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net rap session close marvel -Uroot%not24get +</pre><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id374303"></a>Printers and ADS</h2></div></div></div><p> + When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable + until they have been published to the ADS domain. Information regarding published printers may be obtained + from the ADS server by executing the <code class="literal">net ads print info</code> command following this syntax: +<a class="indexterm" name="id374319"></a> +</p><pre class="screen"> +net ads printer info <printer_name> <server_name> -Uadministrator%secret +</pre><p> + If the asterisk (*) is used in place of the printer_name argument, a list of all printers will be + returned. + </p><p> + To publish (make available) a printer to ADS, execute the following command: +<a class="indexterm" name="id374342"></a> +</p><pre class="screen"> +net ads printer publish <printer_name> -Uadministrator%secret +</pre><p> + This publishes a printer from the local Samba server to ADS. + </p><p> + Removal of a Samba printer from ADS is achieved by executing this command: +<a class="indexterm" name="id374365"></a> +</p><pre class="screen"> +net ads printer remove <printer_name> -Uadministrator%secret +</pre><p> + </p><p> + A generic search (query) can also be made to locate a printer across the entire ADS domain by executing: +<a class="indexterm" name="id374387"></a> +</p><pre class="screen"> +net ads printer search <printer_name> -Uadministrator%secret +</pre><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id374407"></a>Manipulating the Samba Cache</h2></div></div></div><p> + Please refer to the <code class="literal">net</code> command man page for information regarding cache management. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id374423"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p> + The IDMAP UID to SID, and SID to UID, mappings that are created by <code class="literal">winbindd</code> can be + backed up to a text file. The text file can be manually edited, although it is highly recommended that + you attempt this only if you know precisely what you are doing. + </p><p> + An IDMAP text dump file can be restored (or reloaded). There are two situations that may necessitate + this action: a) The existing IDMAP file is corrupt, b) It is necessary to install an editted version + of the mapping information. + </p><p> + Winbind must be shut down to dump the IDMAP file. Before restoring a dump file, shut down + <code class="literal">winbindd</code> and delete the old <code class="filename">winbindd_idmap.tdb</code> file. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id374462"></a>Creating an IDMAP Database Dump File</h3></div></div></div><p> + The IDMAP database can be dumped to a text file as shown here: +</p><pre class="screen"> +net idmap dump <full_path_and_tdb_filename> > dumpfile.txt +</pre><p> + Where a particular build of Samba the run-time tdb files are stored in the + <code class="filename">/var/lib/samba</code> directory the following commands to create the dump file will suffice: +</p><pre class="screen"> +net idmap dump /var/lib/samba/winbindd_idmap.tdb > idmap_dump.txt +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id374493"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p> + The IDMAP dump file can be restored using the following command: +</p><pre class="screen"> +net idmap restore <full_path_and_tdb_filename> < dumpfile.txt +</pre><p> + Where the Samba run-time tdb files are stored in the <code class="filename">/var/lib/samba</code> directory + the following command can be used to restore the data to the tdb file: +</p><pre class="screen"> +net idmap restore /var/lib/samba/winbindd_idmap.tdb < idmap_dump.txt +</pre><p> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netmisc1"></a>Other Miscellaneous Operations</h2></div></div></div><p> + The following command is useful for obtaining basic statistics regarding a Samba domain. This command does + not work with current Windows XP Professional clients. +<a class="indexterm" name="id374538"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc info +Domain Name: RAPIDFLY +Domain SID: S-1-5-21-399034208-633907489-3292421255 +Sequence number: 1116312355 +Num users: 720 +Num domain groups: 27 +Num local groups: 6 +</pre><p> + </p><p> + Another useful tool is the <code class="literal">net time</code> tool set. This tool may be used to query the + current time on the target server as shown here: +<a class="indexterm" name="id374572"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net time -S SAURON +Tue May 17 00:50:43 2005 +</pre><p> + In the event that it is the intent to pass the time information obtained to the UNIX + <code class="literal">/bin/time</code>, it is a good idea to obtain the time from the target server in a format + that is ready to be passed through. This may be done by executing: +<a class="indexterm" name="id374601"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net time system -S FRODO +051700532005.16 +</pre><p> + The time can be set on a target server by executing: +<a class="indexterm" name="id374624"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net time set -S MAGGOT -U Administrator%not24get +Tue May 17 00:55:30 MDT 2005 +</pre><p> + It is possible to obtain the time zone of a server by executing the following command against it: +<a class="indexterm" name="id374648"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net time zone -S SAURON +-0600 +</pre><p> + </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Group Mapping: MS Windows and UNIX </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. Identity Mapping (IDMAP)</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html b/docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html new file mode 100644 index 0000000000..1b9384f09c --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html @@ -0,0 +1,1347 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Network Browsing</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="ChangeNotes.html" title="Chapter 9. Important and Critical Change Notes for the Samba 3.x Series"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Network Browsing</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ChangeNotes.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. Network Browsing</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jonathan</span> <span class="surname">Johnson</span></h3><div class="affiliation"><span class="orgname">Sutinen Consulting, Inc.<br></span><div class="address"><p><code class="email"><<a href="mailto:jon@sutinen.com">jon@sutinen.com</a>></code></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: September 20, 2006</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetworkBrowsing.html#id352162">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355362">Note about Broadcast Addresses</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355550">Use of the Remote Announce Parameter</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355674">Use of the Remote Browse Sync Parameter</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356273">WINS Replication</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356540">Helpful Hints</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356676">Name Resolution Order</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id357120">Problem Resolution</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id358283">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id358308">Flushing the Samba NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358373">Server Resources Cannot Be Listed</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358414">I Get an "<span class="errorname">Unable to browse the network</span>" Error</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358640">Invalid Cached Share References Affects Network Browsing</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id352080"></a> +<a class="indexterm" name="id352087"></a> +<a class="indexterm" name="id352094"></a> +<a class="indexterm" name="id352101"></a> +This chapter contains detailed information as well as a fast-track guide to +implementing browsing across subnets and/or across workgroups (or domains). +WINS is the best tool for resolution of NetBIOS names to IP addresses; however, WINS is +not involved in browse list handling except by way of name-to-address resolution. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id352115"></a> +What is WINS? +</p><p> +WINS is a facility that provides resolution of a NetBIOS name to its IP address. WINS is like a +Dynamic-DNS service for NetBIOS networking names. +</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id352131"></a> +<a class="indexterm" name="id352138"></a> +<a class="indexterm" name="id352144"></a> +<a class="indexterm" name="id352151"></a> +MS Windows 2000 and later versions can be configured to operate with no NetBIOS +over TCP/IP. Samba-3 and later versions also support this mode of operation. +When the use of NetBIOS over TCP/IP has been disabled, the primary +means for resolution of MS Windows machine names is via DNS and Active Directory. +The following information assumes that your site is running NetBIOS over TCP/IP. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352162"></a>Features and Benefits</h2></div></div></div><p> +Charles Dickens once referred to the past in these words: “<span class="quote"><span class="emphasis"><em>It was the best of times, +it was the worst of times.</em></span></span>” The more we look back, the more we long for what was and +hope it never returns. +</p><p> +<a class="indexterm" name="id352179"></a> +<a class="indexterm" name="id352186"></a> +<a class="indexterm" name="id352193"></a> +For many MS Windows network administrators, that statement sums up their feelings about +NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle +nature was just par for the course. For those who never quite managed to tame its +lusty features, NetBIOS is like Paterson's Curse. +</p><p> +For those not familiar with botanical problems in Australia, Paterson's Curse, +<span class="emphasis"><em>Echium plantagineum</em></span>, was introduced to Australia from Europe during the mid-19th +century. Since then it has spread rapidly. The high seed production, with densities of +thousands of seeds per square meter, a seed longevity of more than 7 years, and an +ability to germinate at any time of year, given the right conditions, are some of the +features that make it such a persistent weed. +</p><p> +<a class="indexterm" name="id352216"></a> +<a class="indexterm" name="id352225"></a> +<a class="indexterm" name="id352232"></a> +<a class="indexterm" name="id352239"></a> +<a class="indexterm" name="id352245"></a> +In this chapter we explore vital aspects of Server Message Block (SMB) networking with +a particular focus on SMB as implemented through running NetBIOS (Network Basic +Input/Output System) over TCP/IP. Since Samba does not implement SMB or NetBIOS over +any other protocols, we need to know how to configure our network environment and simply +remember to use nothing but TCP/IP on all our MS Windows network clients. +</p><p> +<a class="indexterm" name="id352259"></a> +<a class="indexterm" name="id352266"></a> +Samba provides the ability to implement a WINS (Windows Internetworking Name Server) +and implements extensions to Microsoft's implementation of WINS. These extensions +help Samba to effect stable WINS operations beyond the normal scope of MS WINS. +</p><p> +<a class="indexterm" name="id352278"></a> +<a class="indexterm" name="id352285"></a> +<a class="indexterm" name="id352292"></a> +WINS is exclusively a service that applies only to those systems +that run NetBIOS over TCP/IP. MS Windows 200x/XP have the capacity to operate with +support for NetBIOS disabled, in which case WINS is of no relevance. Samba supports this also. +</p><p> +<a class="indexterm" name="id352304"></a> +<a class="indexterm" name="id352311"></a> +<a class="indexterm" name="id352317"></a> +For those networks on which NetBIOS has been disabled (i.e., WINS is not required), +the use of DNS is necessary for hostname resolution. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352327"></a>What Is Browsing?</h2></div></div></div><p> +<a class="indexterm" name="id352335"></a> +<a class="indexterm" name="id352342"></a> +<a class="indexterm" name="id352349"></a> +<a class="indexterm" name="id352356"></a> +To most people, browsing means they can see the MS Windows and Samba servers +in the Network Neighborhood, and when the computer icon for a particular server is +clicked, it opens up and shows the shares and printers available on the target server. +</p><p> +What seems so simple is in fact a complex interaction of different technologies. +The technologies (or methods) employed in making all of this work include: +</p><div class="itemizedlist"><ul type="disc"><li><p>MS Windows machines register their presence to the network.</p></li><li><p>Machines announce themselves to other machines on the network.</p></li><li><p>One or more machines on the network collate the local announcements.</p></li><li><p>The client machine finds the machine that has the collated list of machines.</p></li><li><p>The client machine is able to resolve the machine names to IP addresses.</p></li><li><p>The client machine is able to connect to a target machine.</p></li></ul></div><p> +<a class="indexterm" name="id352406"></a> +<a class="indexterm" name="id352412"></a> +<a class="indexterm" name="id352419"></a> +The Samba application that controls browse list management and name resolution is +called <code class="filename">nmbd</code>. The configuration parameters involved in nmbd's operation are: +</p><p> +Browsing options: +</p><div class="itemizedlist"><ul type="disc"><li><a class="indexterm" name="id352441"></a>os level</li><li><a class="indexterm" name="id352450"></a>lm announce</li><li><a class="indexterm" name="id352459"></a>lm interval</li><li><a class="indexterm" name="id352469"></a>preferred master(*)</li><li><a class="indexterm" name="id352478"></a>local master(*)</li><li><a class="indexterm" name="id352487"></a>domain master(*)</li><li><a class="indexterm" name="id352496"></a>browse list</li><li><a class="indexterm" name="id352505"></a>enhanced browsing</li></ul></div><p> +Name Resolution Method: +</p><div class="itemizedlist"><ul type="disc"><li><a class="indexterm" name="id352521"></a>name resolve order(*)</li></ul></div><p> +WINS options: +</p><div class="itemizedlist"><ul type="disc"><li><a class="indexterm" name="id352537"></a>dns proxy</li><li><a class="indexterm" name="id352546"></a>wins proxy</li><li><a class="indexterm" name="id352556"></a>wins server(*)</li><li><a class="indexterm" name="id352565"></a>wins support(*)</li><li><a class="indexterm" name="id352574"></a>wins hook</li></ul></div><p> +Those marked with an (*) are the only options that commonly may need to be modified. Even if none of these +parameters is set, <code class="filename">nmbd</code> will still do its job. +</p><p> +<a class="indexterm" name="id352596"></a> +<a class="indexterm" name="id352603"></a> +<a class="indexterm" name="id352610"></a> +<a class="indexterm" name="id352616"></a> +<a class="indexterm" name="id352623"></a> +For Samba, the WINS Server and WINS Support are mutually exclusive options. When <code class="literal">nmbd</code> is +started it will fail to execute if both options are set in the <code class="filename">smb.conf</code> file. The <code class="literal">nmbd</code> +understands that when it spawns an instance of itself to run as a WINS server that it has to use its own WINS +server also. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netdiscuss"></a>Discussion</h2></div></div></div><p> +<a class="indexterm" name="id352663"></a> +<a class="indexterm" name="id352670"></a> +<a class="indexterm" name="id352677"></a> +<a class="indexterm" name="id352684"></a> +All MS Windows networking uses SMB-based messaging. SMB messaging may be implemented with or without NetBIOS. +MS Windows 200x supports NetBIOS over TCP/IP for backwards compatibility. Microsoft appears intent on phasing +out NetBIOS support. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id352694"></a>NetBIOS over TCP/IP</h3></div></div></div><p> +<a class="indexterm" name="id352701"></a> +<a class="indexterm" name="id352708"></a> +<a class="indexterm" name="id352715"></a> +<a class="indexterm" name="id352722"></a> +Samba implements NetBIOS, as does MS Windows NT/200x/XP, by encapsulating it over TCP/IP. +NetBIOS-based networking uses broadcast messaging to effect browse list management. When running NetBIOS over +TCP/IP, this uses UDP-based messaging. UDP messages can be broadcast or unicast. +</p><p> +<a class="indexterm" name="id352734"></a> +Normally, only unicast UDP messaging can be forwarded by routers. The <a class="indexterm" name="id352741"></a>remote announce +parameter to smb.conf helps to project browse announcements to remote network segments via unicast UDP. +Similarly, the <a class="indexterm" name="id352749"></a>remote browse sync parameter of <code class="filename">smb.conf</code> implements browse list +collation using unicast UDP. +</p><p> +The methods used by MS Windows to perform name lookup requests (name resolution) is determined by a +configuration parameter called the NetBIOS node-type. There are four basic NetBIOS node types: +</p><a class="indexterm" name="id352769"></a><a class="indexterm" name="id352775"></a><a class="indexterm" name="id352782"></a><a class="indexterm" name="id352789"></a><a class="indexterm" name="id352796"></a><a class="indexterm" name="id352803"></a><a class="indexterm" name="id352809"></a><a class="indexterm" name="id352816"></a><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>b-node (type 0x01):</em></span> The Windows client will use only + NetBIOS broadcast requests using UDP broadcast.</p></li><li><p><span class="emphasis"><em>p-node (type 0x02):</em></span> The Windows client will use point-to-point + (NetBIOS unicast) requests using UDP unicast directed to a WINS server.</p></li><li><p><span class="emphasis"><em>m-node (type 0x04):</em></span> The Windows client will first use + NetBIOS broadcast requests using UDP broadcast, then it will use (NetBIOS unicast) + requests using UDP unicast directed to a WINS server.</p></li><li><p><span class="emphasis"><em>h-node (type 0x08):</em></span> The Windows client will use + (NetBIOS unicast) requests using UDP unicast directed to a WINS server, then it will use + NetBIOS broadcast requests using UDP broadcast.</p></li></ul></div><p> +<a class="indexterm" name="id352860"></a> +<a class="indexterm" name="id352867"></a> +<a class="indexterm" name="id352874"></a> +<a class="indexterm" name="id352880"></a> +<a class="indexterm" name="id352887"></a> +<a class="indexterm" name="id352894"></a> +The default Windows network client (or server) network configuration enables NetBIOS over TCP/IP +and b-node configuration. The use of WINS makes most sense with h-node (hybrid mode) operation so that +in the event of a WINS breakdown or non-availability, the client can use broadcast-based name resolution. +</p><p> +<a class="indexterm" name="id352907"></a> +<a class="indexterm" name="id352916"></a> +<a class="indexterm" name="id352922"></a> +<a class="indexterm" name="id352929"></a> +<a class="indexterm" name="id352936"></a> +<a class="indexterm" name="id352943"></a> +<a class="indexterm" name="id352949"></a> +In those networks where Samba is the only SMB server technology, wherever possible <code class="filename">nmbd</code> +should be configured on one machine as the WINS server. This makes it easy to manage the browsing environment. +If each network segment is configured with its own Samba WINS server, then the only way to get cross-segment +browsing to work is by using the <a class="indexterm" name="id352965"></a>remote announce and the <a class="indexterm" name="id352972"></a>remote browse sync parameters to your <code class="filename">smb.conf</code> file. +</p><p> +<a class="indexterm" name="id352989"></a> +If only one WINS server is used for an entire multisegment network, then +the use of the <a class="indexterm" name="id352996"></a>remote announce and the +<a class="indexterm" name="id353004"></a>remote browse sync parameters should not be necessary. +</p><p> +<a class="indexterm" name="id353014"></a> +As of Samba-3, WINS replication is being worked on. The bulk of the code has been committed, but it still +needs maturation. This is not a supported feature of the Samba-3.0.20 release. Hopefully, this will become a +supported feature of one of the Samba-3 release series. The delay is caused by the fact that this feature has +not been of sufficient significance to inspire someone to pay a developer to complete it. +</p><p> +<a class="indexterm" name="id353030"></a> +<a class="indexterm" name="id353037"></a> +<a class="indexterm" name="id353044"></a> +<a class="indexterm" name="id353050"></a> +<a class="indexterm" name="id353057"></a> +<a class="indexterm" name="id353064"></a> +<a class="indexterm" name="id353071"></a> +<a class="indexterm" name="id353078"></a> +Right now Samba WINS does not support MS-WINS replication. This means that when setting up Samba as a WINS +server, there must only be one <code class="filename">nmbd</code> configured as a WINS server on the network. Some +sites have used multiple Samba WINS servers for redundancy (one server per subnet) and then used +<a class="indexterm" name="id353093"></a>remote browse sync and <a class="indexterm" name="id353100"></a>remote announce to effect browse list +collation across all segments. Note that this means clients will only resolve local names and must be +configured to use DNS to resolve names on other subnets in order to resolve the IP addresses of the servers +they can see on other subnets. This setup is not recommended but is mentioned as a practical consideration +(i.e., an “<span class="quote">if all else fails</span>” scenario). NetBIOS over TCP/IP is an ugly and difficult to manage +protocol. Its replacement, NetBIOSless SMB over TCP/IP is not without its own manageability concerns. NetBIOS +based networking is a life of compromise and trade-offs. WINS stores information that cannot be stored in +DNS; consequently, DNS is a poor substitute for WINS given that when NetBIOS over TCP/IP is used, Windows +clients are designed to use WINS. +</p><p> +<a class="indexterm" name="id353120"></a> +<a class="indexterm" name="id353127"></a> +<a class="indexterm" name="id353134"></a> +Lastly, take note that browse lists are a collection of unreliable broadcast +messages that are repeated at intervals of not more than 15 minutes. This means +that it will take time to establish a browse list, and it can take up to 45 +minutes to stabilize, particularly across network segments. +</p><p> +<a class="indexterm" name="id353146"></a> +When an MS Windows 200x/XP system attempts to resolve a host name to an IP address, it follows a defined path: +</p><div class="orderedlist"><ol type="1"><li><p> + Checks the <code class="filename">hosts</code> file. It is located in <code class="filename">%SystemRoot%\System32\Drivers\etc</code>. + </p></li><li><p> + Does a DNS lookup. + </p></li><li><p> + Checks the NetBIOS name cache. + </p></li><li><p> + Queries the WINS server. + </p></li><li><p> + Does a broadcast name lookup over UDP. + </p></li><li><p> + Looks up entries in LMHOSTS, located in <code class="filename">%SystemRoot%\System32\Drivers\etc</code>. + </p></li></ol></div><p> +<a class="indexterm" name="id353211"></a> +<a class="indexterm" name="id353218"></a> +<a class="indexterm" name="id353224"></a> +<a class="indexterm" name="id353231"></a> +Given the nature of how the NetBIOS over TCP/IP protocol is implemented, only WINS is capable of resolving +with any reliability name lookups for service-oriented names such as TEMPTATION<1C> a NetBIOS +name query that seeks to find network logon servers. DNS has no concept of service-oriented names such as +this. In fact, the Microsoft ADS implementation specifically manages a whole range of extended +service-oriented DNS entries. This type of facility is not implemented and is not supported for the NetBIOS +over TCP/IP protocol namespace. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id353250"></a>TCP/IP without NetBIOS</h3></div></div></div><p> +<a class="indexterm" name="id353257"></a> +<a class="indexterm" name="id353263"></a> +<a class="indexterm" name="id353270"></a> +All TCP/IP-enabled systems use various forms of hostname resolution. The primary +methods for TCP/IP hostname resolution involve either a static file (<code class="filename">/etc/hosts</code>) +or the Domain Name System (DNS). DNS is the technology that makes +the Internet usable. DNS-based hostname resolution is supported by nearly all +TCP/IP-enabled systems. Only a few embedded TCP/IP systems do not support DNS. +</p><p> +<a class="indexterm" name="id353289"></a> +<a class="indexterm" name="id353296"></a> +<a class="indexterm" name="id353302"></a> +<a class="indexterm" name="id353309"></a> +Windows 200x/XP can register its hostname with a Dynamic DNS server (DDNS). It is possible to force register with a +dynamic DNS server in Windows 200x/XP using <code class="literal">ipconfig /registerdns</code>. +</p><p> +<a class="indexterm" name="id353329"></a> +<a class="indexterm" name="id353335"></a> +<a class="indexterm" name="id353342"></a> +With Active Directory, a correctly functioning DNS server is absolutely essential. In the absence of a working +DNS server that has been correctly configured, MS Windows clients and servers will be unable to locate each +other, so network services consequently will be severely impaired. +</p><p> +<a class="indexterm" name="id353354"></a> +<a class="indexterm" name="id353361"></a> +<a class="indexterm" name="id353368"></a> +<a class="indexterm" name="id353375"></a> +<a class="indexterm" name="id353382"></a> +<a class="indexterm" name="id353388"></a> +Use of raw SMB over TCP/IP (No NetBIOS layer) can be done only with Active Directory domains. Samba is not an +Active Directory domain controller: ergo, it is not possible to run Samba as a domain controller and at the same +time <span class="emphasis"><em>not</em></span> use NetBIOS. Where Samba is used as an Active Directory domain member server +(DMS) it is possible to configure Samba to not use NetBIOS over TCP/IP. A Samba DMS can integrate fully into +an Active Directory domain, however, if NetBIOS over TCP/IP is disabled, it is necessary to manually create +appropriate DNS entries for the Samba DMS because they will not be automatically generated either by Samba, or +by the ADS environment. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adsdnstech"></a>DNS and Active Directory</h3></div></div></div><p> +<a class="indexterm" name="id353417"></a> +<a class="indexterm" name="id353426"></a> +<a class="indexterm" name="id353433"></a> +<a class="indexterm" name="id353439"></a> +<a class="indexterm" name="id353446"></a> +Occasionally we hear from UNIX network administrators who want to use a UNIX-based DDNS server in place +of the Microsoft DNS server. While this might be desirable to some, the MS Windows 200x DNS server is +autoconfigured to work with Active Directory. It is possible to use BIND version 8 or 9, but it will almost +certainly be necessary to create service records (SRV records) so MS Active Directory clients can resolve +hostnames to locate essential network services. The following are some of the default service records that +Active Directory requires: +</p><p> +<a class="indexterm" name="id353463"></a> +<a class="indexterm" name="id353470"></a> +<a class="indexterm" name="id353476"></a> +The use of DDNS is highly recommended with Active Directory, in which case the use of BIND9 is preferred for +its ability to adequately support the SRV (service) records that are needed for Active Directory. Of course, +when running ADS, it makes sense to use Microsoft's own DDNS server because of the natural affinity between ADS +and MS DNS. +</p><div class="variablelist"><dl><dt><span class="term">_ldap._tcp.pdc._msdcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p> + This provides the address of the Windows NT PDC for the domain. + </p></dd><dt><span class="term">_ldap._tcp.pdc._msdcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p> + Resolves the addresses of global catalog servers in the domain. + </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable._msdcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p> + Provides list of domain controllers based on sites. + </p></dd><dt><span class="term">_ldap._tcp.writable._msdcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p> + Enumerates list of domain controllers that have the writable copies of the Active Directory data store. + </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains._msdcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p> + Entry used by MS Windows clients to locate machines using the global unique identifier. + </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc._msdcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p> + Used by Microsoft Windows clients to locate the site configuration-dependent global catalog server. + </p></dd></dl></div><p> + Specific entries used by Microsoft clients to locate essential services for an example domain + called <code class="constant">quenya.org</code> include: + </p><div class="itemizedlist"><ul type="disc"><li><p> + _kerberos._udp.quenya.org Used to contact the KDC server via UDP. + This entry must list port 88 for each KDC. + </p></li><li><p> + _kpasswd._udp.quenya.org Used to locate the <code class="constant">kpasswd</code> server + when a user password change must be processed. This record must list port 464 on the + master KDC. + </p></li><li><p> + _kerberos._tcp.quenya.org Used to locate the KDC server via TCP. + This entry must list port 88 for each KDC. + </p></li><li><p> + _ldap._tcp.quenya.org Used to locate the LDAP service on the PDC. + This record must list port 389 for the PDC. + </p></li><li><p> + _kpasswd._tcp.quenya.org Used to locate the <code class="constant">kpasswd</code> server + to permit user password changes to be processed. This must list port 464. + </p></li><li><p> + _gc._tcp.quenya.org Used to locate the global catalog server for the + top of the domain. This must list port 3268. + </p></li></ul></div><p> + The following records are also used by the Windows domain member client to locate vital + services on the Windows ADS domain controllers. + </p><div class="itemizedlist"><ul type="disc"><li><p> + _ldap._tcp.pdc._msdcs.quenya.org + </p></li><li><p> + _ldap.gc._msdcs.quenya.org + </p></li><li><p> + _ldap.default-first-site-name._sites.gc._msdcs.quenya.org + </p></li><li><p> + _ldap.{SecID}.domains._msdcs.quenya.org + </p></li><li><p> + _ldap._tcp.dc._msdcs.quenya.org + </p></li><li><p> + _kerberos._tcp.dc._msdcs.quenya.org + </p></li><li><p> + _ldap.default-first-site-name._sites.dc._msdcs.quenya.org + </p></li><li><p> + _kerberos.default-first-site-name._sites.dc._msdcs.queyna.org + </p></li><li><p> + SecID._msdcs.quenya.org + </p></li></ul></div><p> + Presence of the correct DNS entries can be validated by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> dig @frodo -t any _ldap._tcp.dc._msdcs.quenya.org + +; <lt;>> DiG 9.2.2 <lt;>> @frodo -t any _ldap._tcp.dc._msdcs.quenya.org +;; global options: printcmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3072 +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2 + + +;; QUESTION SECTION: +;_ldap._tcp.dc._msdcs.quenya.org. IN ANY + + +;; ANSWER SECTION: +_ldap._tcp.dc._msdcs.quenya.org. 600 IN SRV 0 100 389 frodo.quenya.org. +_ldap._tcp.dc._msdcs.quenya.org. 600 IN SRV 0 100 389 noldor.quenya.org. + + +;; ADDITIONAL SECTION: +frodo.quenya.org. 3600 IN A 10.1.1.16 +noldor.quenya.org. 1200 IN A 10.1.1.17 + + +;; Query time: 0 msec +;; SERVER: frodo#53(10.1.1.16) +;; WHEN: Wed Oct 7 14:39:31 2004 +;; MSG SIZE rcvd: 171 +</pre><p> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id353751"></a>How Browsing Functions</h2></div></div></div><p> +<a class="indexterm" name="id353759"></a> +<a class="indexterm" name="id353766"></a> +<a class="indexterm" name="id353773"></a> +<a class="indexterm" name="id353779"></a> +<a class="indexterm" name="id353786"></a> +MS Windows machines register their NetBIOS names (i.e., the machine name for each service type in operation) +on startup. The exact method by which this name registration takes place is determined by whether or not the +MS Windows client/server has been given a WINS server address, whether or not LMHOSTS lookup is enabled, +whether or not DNS for NetBIOS name resolution is enabled, and so on. +</p><p> +<a class="indexterm" name="id353799"></a> +<a class="indexterm" name="id353806"></a> +<a class="indexterm" name="id353813"></a> +In the case where there is no WINS server, all name registrations as well as name lookups are done by UDP +broadcast. This isolates name resolution to the local subnet, unless LMHOSTS is used to list all names and IP +addresses. In such situations, Samba provides a means by which the Samba server name may be forcibly injected +into the browse list of a remote MS Windows network (using the <a class="indexterm" name="id353823"></a>remote announce +parameter). +</p><p> +<a class="indexterm" name="id353833"></a> +<a class="indexterm" name="id353840"></a> +<a class="indexterm" name="id353847"></a> +Where a WINS server is used, the MS Windows client will use UDP unicast to register with the WINS server. Such +packets can be routed, and thus WINS allows name resolution to function across routed networks. +</p><p> +<a class="indexterm" name="id353859"></a> +<a class="indexterm" name="id353865"></a> +<a class="indexterm" name="id353874"></a> +<a class="indexterm" name="id353881"></a> +<a class="indexterm" name="id353888"></a> +<a class="indexterm" name="id353894"></a> +<a class="indexterm" name="id353901"></a> +<a class="indexterm" name="id353908"></a> +During the startup process, an election takes place to create a local master browser (LMB) if one does not +already exist. On each NetBIOS network one machine will be elected to function as the domain master browser +(DMB). This domain browsing has nothing to do with MS security Domain Control. Instead, the DMB serves the +role of contacting each LMB (found by asking WINS or from LMHOSTS) and exchanging browse list contents. This +way every master browser will eventually obtain a complete list of all machines that are on the network. Every +11 to 15 minutes an election is held to determine which machine will be the master browser. By the nature of +the election criteria used, the machine with the highest uptime, or the most senior protocol version or other +criteria, will win the election as DMB. +</p><p> +<a class="indexterm" name="id353932"></a> +<a class="indexterm" name="id353938"></a> +<a class="indexterm" name="id353945"></a> +<a class="indexterm" name="id353952"></a> +<a class="indexterm" name="id353958"></a> +<a class="indexterm" name="id353965"></a> +<a class="indexterm" name="id353972"></a> +<a class="indexterm" name="id353979"></a> +Where a WINS server is used, the DMB registers its IP address with the WINS server using the name of the +domain and the NetBIOS name type 1B (e.g., DOMAIN<1B>). All LMBs register their IP addresses with the WINS +server, also with the name of the domain and the NetBIOS name type of 1D. The 1B name is unique to one +server within the domain security context, and only one 1D name is registered for each network segment. +Machines that have registered the 1D name will be authoritive browse list maintainers for the network segment +they are on. The DMB is responsible for synchronizing the browse lists it obtains from the LMBs. +</p><p> +<a class="indexterm" name="id354002"></a> +Clients wishing to browse the network make use of this list but also depend on the availability of correct +name resolution to the respective IP address or addresses. +</p><p> +<a class="indexterm" name="id354013"></a> +Any configuration that breaks name resolution and/or browsing intrinsics will annoy users because they will +have to put up with protracted inability to use the network services. +</p><p> +<a class="indexterm" name="id354025"></a> +<a class="indexterm" name="id354032"></a> +<a class="indexterm" name="id354038"></a> +<a class="indexterm" name="id354045"></a> +<a class="indexterm" name="id354052"></a> +<a class="indexterm" name="id354058"></a> +Samba supports a feature that allows forced synchronization of browse lists across routed networks using the +<a class="indexterm" name="id354066"></a>remote browse sync parameter in the <code class="filename">smb.conf</code> file. This causes Samba to contact the +LMB on a remote network and to request browse list synchronization. This effectively bridges two networks that +are separated by routers. The two remote networks may use either broadcast-based name resolution or WINS-based +name resolution, but it should be noted that the <a class="indexterm" name="id354082"></a>remote browse sync parameter provides +browse list synchronization and that is distinct from name-to-address resolution. In other words, +for cross-subnet browsing to function correctly, it is essential that a name-to-address resolution mechanism +be provided. This mechanism could be via DNS, <code class="filename">/etc/hosts</code>, and so on. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="DMB"></a>Configuring Workgroup Browsing</h3></div></div></div><p> +<a class="indexterm" name="id354112"></a> +<a class="indexterm" name="id354118"></a> +<a class="indexterm" name="id354125"></a> +<a class="indexterm" name="id354131"></a> +<a class="indexterm" name="id354138"></a> +<a class="indexterm" name="id354145"></a> +To configure cross-subnet browsing on a network containing machines in a workgroup, not an NT domain, you need +to set up one Samba server to be the DMB (note that this is not the same as a Primary Domain Controller, +although in an NT domain the same machine plays both roles). The role of a DMB is to collate the browse lists +from LMB on all the subnets that have a machine participating in the workgroup. Without one machine configured +as a DMB, each subnet would be an isolated workgroup unable to see any machines on another subnet. It is the +presence of a DMB that makes cross-subnet browsing possible for a workgroup. +</p><p> +<a class="indexterm" name="id354160"></a> +In a workgroup environment the DMB must be a Samba server, and there must only be one DMB per workgroup name. +To set up a Samba server as a DMB, set the following option in the <em class="parameter"><code>[global]</code></em> section +of the <code class="filename">smb.conf</code> file: +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id354189"></a><em class="parameter"><code>domain master = yes</code></em></td></tr></table><p> +</p><p> +<a class="indexterm" name="id354204"></a> +<a class="indexterm" name="id354211"></a> +The DMB should preferably be the LMB for its own subnet. In order to achieve this, set the following options +in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown in <a href="NetworkBrowsing.html#dmbexample" title="Example 10.1. Domain Master Browser smb.conf">Domain Master Browser smb.conf</a> +</p><div class="example"><a name="dmbexample"></a><p class="title"><b>Example 10.1. Domain Master Browser smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id354264"></a><em class="parameter"><code>domain master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id354276"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id354289"></a><em class="parameter"><code>preferred master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id354301"></a><em class="parameter"><code>os level = 65</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id354317"></a> +<a class="indexterm" name="id354323"></a> +The DMB may be the same machine as the WINS server, if necessary. +</p><p> +<a class="indexterm" name="id354334"></a> +<a class="indexterm" name="id354341"></a> +<a class="indexterm" name="id354347"></a> +Next, you should ensure that each of the subnets contains a machine that can act as an LMB for the workgroup. +Any MS Windows NT/200x/XP machine should be able to do this, as will Windows 9x/Me machines (although these +tend to get rebooted more often, so it is not such a good idea to use them). To make a Samba server an LMB, +set the following options in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown in +<a href="NetworkBrowsing.html#lmbexample" title="Example 10.2. Local master browser smb.conf">Local master browser smb.conf</a> +</p><div class="example"><a name="lmbexample"></a><p class="title"><b>Example 10.2. Local master browser smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id354402"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id354415"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id354427"></a><em class="parameter"><code>preferred master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id354440"></a><em class="parameter"><code>os level = 65</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id354456"></a> +Do not do this for more than one Samba server on each subnet, or they will war with +each other over which is to be the LMB. +</p><p> +<a class="indexterm" name="id354467"></a> +<a class="indexterm" name="id354473"></a> +The <a class="indexterm" name="id354480"></a>local master parameter allows Samba to act as a +LMB. The <a class="indexterm" name="id354488"></a>preferred master causes <code class="literal">nmbd</code> +to force a browser election on startup and the <a class="indexterm" name="id354501"></a>os level +parameter sets Samba high enough so it should win any browser elections. +</p><p> +<a class="indexterm" name="id354512"></a> +If you have an NT machine on the subnet that you wish to be the LMB, you can disable Samba from +becoming an LMB by setting the following options in the <em class="parameter"><code>[global]</code></em> section of the +<code class="filename">smb.conf</code> file as shown in <a href="NetworkBrowsing.html#nombexample" title="Example 10.3. smb.conf for Not Being a Master Browser">smb.conf for Not Being a Master Browser</a>. +</p><p> +</p><div class="example"><a name="nombexample"></a><p class="title"><b>Example 10.3. smb.conf for Not Being a Master Browser</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id354566"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id354578"></a><em class="parameter"><code>local master = no</code></em></td></tr><tr><td><a class="indexterm" name="id354591"></a><em class="parameter"><code>preferred master = no</code></em></td></tr><tr><td><a class="indexterm" name="id354604"></a><em class="parameter"><code>os level = 0</code></em></td></tr></table></div></div><p><br class="example-break"> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id354619"></a>Domain Browsing Configuration</h3></div></div></div><p> +<a class="indexterm" name="id354627"></a> +<a class="indexterm" name="id354634"></a> +<a class="indexterm" name="id354640"></a> +<a class="indexterm" name="id354647"></a> +If you are adding Samba servers to a Windows NT domain, then you must not set up a Samba server as a DMB. By +default, a Windows NT PDC for a domain is also the DMB for that domain. Network browsing may break if a Samba +server other than the PDC registers the DMB NetBIOS name (<em class="replaceable"><code>DOMAIN</code></em><1B>) with +WINS. +</p><p> +<a class="indexterm" name="id354663"></a> +For subnets other than the one containing the Windows NT PDC, you may set up Samba servers as LMBs as +described. To make a Samba server a Local Master Browser, set the following options in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown in <a href="NetworkBrowsing.html#remsmb" title="Example 10.4. Local Master Browser smb.conf">Local Master Browser +smb.conf</a> +</p><div class="example"><a name="remsmb"></a><p class="title"><b>Example 10.4. Local Master Browser smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id354716"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id354729"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id354741"></a><em class="parameter"><code>preferred master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id354754"></a><em class="parameter"><code>os level = 65</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id354770"></a> +<a class="indexterm" name="id354776"></a> +If you wish to have a Samba server fight the election with machines on the same subnet, you may set the +<a class="indexterm" name="id354784"></a>os level parameter to lower levels. By doing this you can tune the order of machines +that will become LMBs if they are running. For more details on this, refer to <a href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to Be the Master">Forcing Samba to Be the Master</a>. +</p><p> +<a class="indexterm" name="id354804"></a> +<a class="indexterm" name="id354810"></a> +<a class="indexterm" name="id354817"></a> +If you have Windows NT machines that are members of the domain on all subnets and you are sure they will +always be running, you can disable Samba from taking part in browser elections and ever becoming an LMB by +setting the following options in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown +in <a href="NetworkBrowsing.html#xremmb" title="Example 10.5. smb.conf for Not Being a master browser"><code class="filename">smb.conf</code> for Not Being a master browser</a> +</p><p> +</p><div class="example"><a name="xremmb"></a><p class="title"><b>Example 10.5. <code class="filename">smb.conf</code> for Not Being a master browser</b></p><div class="example-contents"><em class="parameter"><code>[global]</code></em><a class="indexterm" name="id354873"></a>domain master = no +<a class="indexterm" name="id354880"></a>local master = no +<a class="indexterm" name="id354887"></a>preferred master = no +<a class="indexterm" name="id354894"></a>os level = 0 +</div></div><p><br class="example-break"> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to Be the Master</h3></div></div></div><p> +<a class="indexterm" name="id354916"></a> +<a class="indexterm" name="id354922"></a> +<a class="indexterm" name="id354929"></a> +<a class="indexterm" name="id354936"></a> +<a class="indexterm" name="id354943"></a> +<a class="indexterm" name="id354950"></a> +<a class="indexterm" name="id354956"></a> +Who becomes the master browser is determined by an election process using broadcasts. Each election packet +contains a number of parameters that determine what precedence (bias) a host should have in the election. By +default Samba uses a low precedence and thus loses elections to just about every Windows network server or +client. +</p><p> +If you want Samba to win elections, set the <a class="indexterm" name="id354970"></a>os level global option in <code class="filename">smb.conf</code> to a +higher number. It defaults to 20. Using 34 would make it win all elections over every other system (except +other Samba systems). +</p><p> +An <a class="indexterm" name="id354988"></a>os level of two would make it beat Windows for Workgroups and Windows 9x/Me, but +not MS Windows NT/200x Server. An MS Windows NT/200x Server domain controller uses level 32. The maximum os +level is 255. +</p><p> +<a class="indexterm" name="id354999"></a> +<a class="indexterm" name="id355006"></a> +<a class="indexterm" name="id355013"></a> +<a class="indexterm" name="id355020"></a> +If you want Samba to force an election on startup, set the <a class="indexterm" name="id355027"></a>preferred master global +option in <code class="filename">smb.conf</code> to <code class="constant">yes</code>. Samba will then have a slight advantage over other +potential master browsers that are not preferred master browsers. Use this parameter with care, because if +you have two hosts (whether they are Windows 9x/Me or NT/200x/XP or Samba) on the same local subnet both set +with <a class="indexterm" name="id355046"></a>preferred master to <code class="constant">yes</code>, then periodically and continually +they will force an election in order to become the LMB. +</p><p> +<a class="indexterm" name="id355060"></a> +<a class="indexterm" name="id355067"></a> +<a class="indexterm" name="id355074"></a> +<a class="indexterm" name="id355080"></a> +<a class="indexterm" name="id355087"></a> +If you want Samba to be a <span class="emphasis"><em>DMB</em></span>, then it is recommended that you also set <a class="indexterm" name="id355098"></a>preferred master to <code class="constant">yes</code>, because Samba will not become a DMB for the whole of +your LAN or WAN if it is not also a LMB on its own broadcast isolated subnet. +</p><p> +<a class="indexterm" name="id355112"></a> +<a class="indexterm" name="id355119"></a> +<a class="indexterm" name="id355126"></a> +<a class="indexterm" name="id355132"></a> +<a class="indexterm" name="id355139"></a> +It is possible to configure two Samba servers to attempt to become the DMB for a domain. The first server that +comes up will be the DMB. All other Samba servers will attempt to become the DMB every 5 minutes. They will +find that another Samba server is already the DMB and will fail. This provides automatic redundancy should the +current DMB fail. The network bandwidth overhead of browser elections is relatively small, requiring +approximately four UDP packets per machine per election. The maximum size of a UDP packet is 576 bytes. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355153"></a>Making Samba the Domain Master</h3></div></div></div><p> +<a class="indexterm" name="id355161"></a> +<a class="indexterm" name="id355167"></a> +<a class="indexterm" name="id355174"></a> +<a class="indexterm" name="id355181"></a> +The domain master browser is responsible for collating the browse lists of multiple subnets so browsing can +occur between subnets. You can make Samba act as the domain master browser by setting <a class="indexterm" name="id355189"></a>domain master = yes in <code class="filename">smb.conf</code>. By default it will not be a domain master browser. +</p><p> +<a class="indexterm" name="id355206"></a> +<a class="indexterm" name="id355213"></a> +Do not set Samba to be the domain master for a workgroup that has the same name as an NT/200x domain. If +Samba is configured to be the domain master for a workgroup that is present on the same network as a Windows +NT/200x domain that has the same name, network browsing problems will certainly be experienced. +</p><p> +When Samba is the domain master and the master browser, it will listen for master announcements (made roughly +every 12 minutes) from LMBs on other subnets and then contact them to synchronize browse lists. +</p><p> +<a class="indexterm" name="id355231"></a> +<a class="indexterm" name="id355237"></a> +If you want Samba to be the domain master, you should also set the <a class="indexterm" name="id355245"></a>os level high +enough to make sure it wins elections, and set <a class="indexterm" name="id355252"></a>preferred master to +<code class="constant">yes</code>, to get Samba to force an election on startup. +</p><p> +<a class="indexterm" name="id355266"></a> +<a class="indexterm" name="id355273"></a> +All servers (including Samba) and clients should be using a WINS server to resolve NetBIOS names. If your +clients are only using broadcasting to resolve NetBIOS names, then two things will occur: +</p><div class="orderedlist"><ol type="1"><li><p> +<a class="indexterm" name="id355294"></a> +<a class="indexterm" name="id355300"></a> + LMBs will be unable to find a DMB because they will be looking only on the local subnet. + </p></li><li><p> +<a class="indexterm" name="id355314"></a> + If a client happens to get hold of a domain-wide browse list and a user attempts to access a + host in that list, it will be unable to resolve the NetBIOS name of that host. + </p></li></ol></div><p> +<a class="indexterm" name="id355328"></a> +If, however, both Samba and your clients are using a WINS server, then: +</p><div class="orderedlist"><ol type="1"><li><p> + LMBs will contact the WINS server and, as long as Samba has registered that it is a DMB with the WINS + server, the LMB will receive Samba's IP address as its DMB. + </p></li><li><p> + When a client receives a domain-wide browse list and a user attempts to access a host in that list, it will + contact the WINS server to resolve the NetBIOS name of that host. As long as that host has registered its + NetBIOS name with the same WINS server, the user will be able to see that host.. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355362"></a>Note about Broadcast Addresses</h3></div></div></div><p> +<a class="indexterm" name="id355370"></a> +If your network uses a zero-based broadcast address (for example, if it ends in a 0), then you will strike +problems. Windows for Workgroups does not seem to support a zeros broadcast, and you will probably find that +browsing and name lookups will not work. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355381"></a>Multiple Interfaces</h3></div></div></div><p> +<a class="indexterm" name="id355389"></a> +Samba supports machines with multiple network interfaces. If you have multiple interfaces, you will +need to use the <a class="indexterm" name="id355397"></a>interfaces option in <code class="filename">smb.conf</code> to configure them. For example, the +machine you are working with has 4 network interfaces; <code class="literal">eth0</code>, <code class="literal">eth1</code>, +<code class="literal">eth2</code>, <code class="literal">eth3</code> and only interfaces <code class="literal">eth1</code> and +<code class="literal">eth4</code> should be used by Samba. In this case, the following <code class="filename">smb.conf</code> file entries would +permit that intent: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id355458"></a><em class="parameter"><code>interfaces = eth1, eth4</code></em></td></tr><tr><td><a class="indexterm" name="id355470"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr></table><p> +<a class="indexterm" name="id355483"></a> +<a class="indexterm" name="id355490"></a> +<a class="indexterm" name="id355497"></a> +<a class="indexterm" name="id355504"></a> +<a class="indexterm" name="id355510"></a> +<a class="indexterm" name="id355517"></a> +<a class="indexterm" name="id355524"></a> +The <a class="indexterm" name="id355530"></a>bind interfaces only = Yes is necessary to exclude TCP/IP session +services (ports 135, 139, and 445) over the interfaces that are not specified. Please be aware that +<code class="literal">nmbd</code> will listen for incoming UDP port 137 packets on the unlisted interfaces, but it will +not answer them. It will, however, send its broadcast packets over the unlisted interfaces. Total isolation of +ethernet interface requires the use of a firewall to block ports 137 and 138 (UDP), and ports 135, 139, and +445 (TCP) on all network interfaces that must not be able to access the Samba server. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355550"></a>Use of the Remote Announce Parameter</h3></div></div></div><p> +The <a class="indexterm" name="id355558"></a>remote announce parameter of <code class="filename">smb.conf</code> can be used to forcibly ensure that all +the NetBIOS names on a network get announced to a remote network. The syntax of the <a class="indexterm" name="id355572"></a>remote announce parameter is: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id355585"></a><em class="parameter"><code>remote announce = 192.168.12.23 [172.16.21.255] ...</code></em></td></tr></table><p> +<span class="emphasis"><em>or</em></span> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id355606"></a><em class="parameter"><code>remote announce = 192.168.12.23/MIDEARTH [172.16.21.255/ELVINDORF] ...</code></em></td></tr></table><p> + +where: +</p><div class="variablelist"><dl><dt><span class="term"><em class="replaceable"><code>192.168.12.23</code></em> and <em class="replaceable"><code>172.16.21.255</code></em></span></dt><dd><p> +<a class="indexterm" name="id355634"></a> +<a class="indexterm" name="id355643"></a> + is either the LMB IP address or the broadcast address of the remote network. + That is, the LMB is at 192.168.1.23, or the address could be given as 172.16.21.255 where the netmask + is assumed to be 24 bits (255.255.255.0). When the remote announcement is made to the broadcast + address of the remote network, every host will receive our announcements. This is noisy and therefore + undesirable but may be necessary if we do not know the IP address of the remote LMB. + </p></dd><dt><span class="term"><em class="replaceable"><code>WORKGROUP</code></em></span></dt><dd><p>is optional and can be either our own workgroup or that of the remote network. If you use the + workgroup name of the remote network, our NetBIOS machine names will end up looking like + they belong to that workgroup. This may cause name resolution problems and should be avoided. + </p></dd></dl></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355674"></a>Use of the Remote Browse Sync Parameter</h3></div></div></div><p> +<a class="indexterm" name="id355682"></a> +<a class="indexterm" name="id355688"></a> +The <a class="indexterm" name="id355696"></a>remote browse sync parameter of <code class="filename">smb.conf</code> is used to announce to another LMB that +it must synchronize its NetBIOS name list with our Samba LMB. This works only if the Samba server that has +this option is simultaneously the LMB on its network segment. +</p><p> +The syntax of the <a class="indexterm" name="id355714"></a>remote browse sync parameter is: + +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id355726"></a><em class="parameter"><code>remote browse sync</code></em></td></tr></table><p> +<a class="indexterm" name="id355739"></a> +<a class="indexterm" name="id355746"></a> +where <em class="replaceable"><code>192.168.10.40</code></em> is either the IP address of the +remote LMB or the network broadcast address of the remote segment. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id355760"></a>WINS: The Windows Internetworking Name Server</h2></div></div></div><p> +<a class="indexterm" name="id355768"></a> +<a class="indexterm" name="id355775"></a> +<a class="indexterm" name="id355782"></a> +Use of WINS (either Samba WINS or MS Windows NT Server WINS) is highly +recommended. Every NetBIOS machine registers its name together with a +name_type value for each of several types of service it has available. +It registers its name directly as a unique (the type 0x03) name. +It also registers its name if it is running the LanManager-compatible +server service (used to make shares and printers available to other users) +by registering the server (the type 0x20) name. +</p><p> +<a class="indexterm" name="id355796"></a> +<a class="indexterm" name="id355803"></a> +All NetBIOS names are up to 15 characters in length. The name_type variable +is added to the end of the name, thus creating a 16 character name. Any +name that is shorter than 15 characters is padded with spaces to the 15th +character. Thus, all NetBIOS names are 16 characters long (including the +name_type information). +</p><p> +<a class="indexterm" name="id355815"></a> +<a class="indexterm" name="id355822"></a> +<a class="indexterm" name="id355829"></a> +<a class="indexterm" name="id355836"></a> +WINS can store these 16-character names as they get registered. A client +that wants to log onto the network can ask the WINS server for a list +of all names that have registered the NetLogon service name_type. This saves +broadcast traffic and greatly expedites logon processing. Since broadcast +name resolution cannot be used across network segments, this type of +information can only be provided via WINS or via a statically configured +<code class="filename">lmhosts</code> file that must reside on all clients in the +absence of WINS. +</p><p> +<a class="indexterm" name="id355856"></a> +<a class="indexterm" name="id355863"></a> +<a class="indexterm" name="id355869"></a> +<a class="indexterm" name="id355876"></a> +<a class="indexterm" name="id355883"></a> +WINS also forces browse list synchronization by all LMBs. LMBs must synchronize their browse list with the +DMB, and WINS helps the LMB to identify its DMB. By definition this will work only within a single workgroup. +Note that the DMB has nothing to do with what is referred to as an MS Windows NT domain. The latter is a +reference to a security environment, while the DMB refers to the master controller for browse list information +only. +</p><p> +<a class="indexterm" name="id355896"></a> +<a class="indexterm" name="id355903"></a> +<a class="indexterm" name="id355910"></a> +<a class="indexterm" name="id355917"></a> +WINS will work correctly only if every client TCP/IP protocol stack +is configured to use the WINS servers. Any client that is not +configured to use the WINS server will continue to use only broadcast-based +name registration, so WINS may never get to know about it. In any case, +machines that have not registered with a WINS server will fail name-to-address +lookup attempts by other clients and will therefore cause workstation access +errors. +</p><p> +To configure Samba as a WINS server, just add +<a class="indexterm" name="id355931"></a>wins support = yes to the <code class="filename">smb.conf</code> +file [global] section. +</p><p> +To configure Samba to register with a WINS server, just add <a class="indexterm" name="id355948"></a>wins server = 10.0.0.18 to your <code class="filename">smb.conf</code> file <em class="parameter"><code>[global]</code></em> section. +</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> +Never use <a class="indexterm" name="id355972"></a>wins support = yes together with <a class="indexterm" name="id355979"></a>wins server = 10.0.0.18 particularly not using its own IP address. Specifying both will cause <span class="application">nmbd</span> +to refuse to start! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id355994"></a>WINS Server Configuration</h3></div></div></div><p> +<a class="indexterm" name="id356002"></a> +Either a Samba server or a Windows NT server machine may be set up +as a WINS server. To configure a Samba server to be a WINS server, you must +add to the <code class="filename">smb.conf</code> file on the selected Server the following line to +the <em class="parameter"><code>[global]</code></em> section: +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id356031"></a><em class="parameter"><code>wins support = yes</code></em></td></tr></table><p> +</p><p> +<a class="indexterm" name="id356047"></a> +Versions of Samba prior to 1.9.17 had this parameter default to +yes. If you have any older versions of Samba on your network, it is +strongly suggested you upgrade to a recent version, or at the very +least set the parameter to “<span class="quote">no</span>” on all these machines. +</p><p> +Machines configured with <a class="indexterm" name="id356063"></a>wins support = yes will keep a list of +all NetBIOS names registered with them, acting as a DNS for NetBIOS names. +</p><p> +<a class="indexterm" name="id356074"></a> +It is strongly recommended to set up only one WINS server. Do not set the <a class="indexterm" name="id356082"></a>wins support = yes option on more than one Samba server on a network. +</p><p> +<a class="indexterm" name="id356092"></a> +<a class="indexterm" name="id356102"></a> +<a class="indexterm" name="id356108"></a> +<a class="indexterm" name="id356115"></a> +<a class="indexterm" name="id356122"></a> +To configure Windows NT/200x Server as a WINS server, install and configure the WINS service. See the Windows +NT/200x documentation for details. Windows NT/200x WINS servers can replicate to each other, allowing more +than one to be set up in a complex subnet environment. Because Microsoft refuses to document the replication +protocols, Samba cannot currently participate in these replications. It is possible that a Samba-to-Samba WINS +replication protocol may be defined in the future, in which case more than one Samba machine could be set up +as a WINS server. Currently only one Samba server should have the <a class="indexterm" name="id356134"></a>wins support = yes parameter set. +</p><p> +<a class="indexterm" name="id356144"></a> +<a class="indexterm" name="id356151"></a> +After the WINS server has been configured, you must ensure that all machines participating on the network are +configured with the address of this WINS server. If your WINS server is a Samba machine, fill in the Samba +machine IP address in the <span class="guilabel">Primary WINS Server</span> field of the <span class="guilabel">Control +Panel->Network->Protocols->TCP->WINS Server</span> dialogs in Windows 9x/Me or Windows NT/200x. To tell a +Samba server the IP address of the WINS server, add the following line to the <em class="parameter"><code>[global]</code></em> section of all <code class="filename">smb.conf</code> files: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id356191"></a><em class="parameter"><code>wins server = <name or IP address></code></em></td></tr></table><p> +where <name or IP address> is either the DNS name of the WINS server +machine or its IP address. +</p><p> +This line must not be set in the <code class="filename">smb.conf</code> file of the Samba +server acting as the WINS server itself. If you set both the +<a class="indexterm" name="id356217"></a>wins support = yes option and the +<a class="indexterm" name="id356224"></a>wins server = <name> option then +<code class="literal">nmbd</code> will fail to start. +</p><p> +<a class="indexterm" name="id356241"></a> +<a class="indexterm" name="id356248"></a> +<a class="indexterm" name="id356255"></a> +<a class="indexterm" name="id356261"></a> +There are two possible scenarios for setting up cross-subnet browsing. +The first details setting up cross-subnet browsing on a network containing +Windows 9x/Me, Samba, and Windows NT/200x machines that are not configured as +part of a Windows NT domain. The second details setting up cross-subnet +browsing on networks that contain NT domains. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id356273"></a>WINS Replication</h3></div></div></div><p> +<a class="indexterm" name="id356281"></a> +<a class="indexterm" name="id356290"></a> +Samba-3 does not support native WINS replication. There was an approach to implement it, called +<code class="filename">wrepld</code>, but it was never ready for action and the development is now discontinued. +</p><p> +Meanwhile, there is a project named <code class="filename">samba4WINS</code>, which makes it possible to +run the Samba-4 WINS server parallel to Samba-3 since version 3.0.21. More information about +<code class="filename">samba4WINS</code> are available at http://ftp.sernet.de/pub/samba4WINS. + +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id356324"></a>Static WINS Entries</h3></div></div></div><p> +<a class="indexterm" name="id356331"></a> +<a class="indexterm" name="id356338"></a> +<a class="indexterm" name="id356345"></a> +<a class="indexterm" name="id356352"></a> +Adding static entries to your Samba WINS server is actually fairly easy. All you have to do is add a line to +<code class="filename">wins.dat</code>, typically located in <code class="filename">/usr/local/samba/var/locks</code> or <code class="filename">/var/run/samba</code>. +</p><p> +Entries in <code class="filename">wins.dat</code> take the form of: +</p><pre class="programlisting"> +"NAME#TYPE" TTL ADDRESS+ FLAGS +</pre><p> +<a class="indexterm" name="id356395"></a> +<a class="indexterm" name="id356402"></a> +where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the time-to-live as an absolute time in +seconds, ADDRESS+ is one or more addresses corresponding to the registration, and FLAGS are the NetBIOS flags +for the registration. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +A change that has been made to the <code class="filename">wins.dat</code> will not take effect until <span class="application">nmbd</span> has been +restarted. It should be noted that since the <code class="filename">wins.dat</code> file changes dynamically, <span class="application">nmbd</span> +should be stopped before editting this file. Do not forget to restart <span class="application">nmbd</span> when this file has been editted. +</p></div><p> +A typical dynamic entry looks like this: +</p><pre class="programlisting"> +"MADMAN#03" 1155298378 192.168.1.2 66R +</pre><p> +To make a NetBIOS name static (permanent), simply set the TTL to 0, like this: +</p><pre class="programlisting"> +"MADMAN#03" 0 192.168.1.2 66R +</pre><p> +</p><p> +<a class="indexterm" name="id356468"></a> +<a class="indexterm" name="id356475"></a> +<a class="indexterm" name="id356482"></a> +<a class="indexterm" name="id356488"></a> +<a class="indexterm" name="id356495"></a> +<a class="indexterm" name="id356502"></a> +<a class="indexterm" name="id356509"></a> +The NetBIOS flags may be interpreted as additive hexadecimal values: 00 - Broadcast node registration, 20 - +Peer node registration, 40 - Meta node registration, 60 - Hybrid node registration, 02 - Permanent name, 04 - +Active name, 80 - Group name. The 'R' indicates this is a registration record. Thus 66R means: Hybrid node +active and permanent NetBIOS name. These values may be found in the <code class="filename">nameserv.h</code> header +file from the Samba source code repository. These are the values for the NB flags. +</p><p> +<a class="indexterm" name="id356529"></a> +Though this method works with early Samba-3 versions, there is a possibility that it may change in future +versions if WINS replication is added. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id356540"></a>Helpful Hints</h2></div></div></div><p> +The following hints should be carefully considered because they are stumbling points +for many new network administrators. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id356550"></a>Windows Networking Protocols</h3></div></div></div><p> +<a class="indexterm" name="id356558"></a> +<a class="indexterm" name="id356565"></a> +A common cause of browsing problems results from the installation of more than one protocol on an MS Windows +machine. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Do not use more than one protocol on MS Windows clients. +</p></div><p> +<a class="indexterm" name="id356581"></a> +<a class="indexterm" name="id356588"></a> +Every NetBIOS machine takes part in a process of electing the LMB (and DMB) +every 15 minutes. A set of election criteria is used to determine the order +of precedence for winning this election process. A machine running Samba or +Windows NT will be biased, so the most suitable machine will predictably +win and thus retain its role. +</p><p> +<a class="indexterm" name="id356600"></a> +<a class="indexterm" name="id356607"></a> +<a class="indexterm" name="id356614"></a> +<a class="indexterm" name="id356620"></a> +<a class="indexterm" name="id356627"></a> +<a class="indexterm" name="id356634"></a> +The election process is <span class="emphasis"><em>fought out, so to speak</em></span> over every NetBIOS network interface. In +the case of a Windows 9x/Me machine that has both TCP/IP and IPX installed and has NetBIOS enabled over both +protocols, the election will be decided over both protocols. As often happens, if the Windows 9x/Me machine is +the only one with both protocols, then the LMB may be won on the NetBIOS interface over the IPX protocol. +Samba will then lose the LMB role because Windows 9x/Me will insist it knows who the LMB is. Samba will then +cease to function as an LMB, and browse list operation on all TCP/IP-only machines will therefore fail. +</p><p> +<a class="indexterm" name="id356653"></a> +<a class="indexterm" name="id356659"></a> +Windows 95, 98, 98se, and Me are referred to generically as Windows 9x/Me. The Windows NT4, 200x, and XP use +common protocols. These are roughly referred to as the Windows NT family, but it should be recognized that +2000 and XP/2003 introduce new protocol extensions that cause them to behave differently from MS Windows NT4. +Generally, where a server does not support the newer or extended protocol, these will fall back to the NT4 +protocols. +</p><p> +The safest rule of all to follow is: Use only one protocol! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id356676"></a>Name Resolution Order</h3></div></div></div><p> +<a class="indexterm" name="id356684"></a> +<a class="indexterm" name="id356691"></a> +Resolution of NetBIOS names to IP addresses can take place using a number +of methods. The only ones that can provide NetBIOS name_type information +are: +</p><div class="itemizedlist"><ul type="disc"><li><p>WINS the best tool.</p></li><li><p>LMHOSTS static and hard to maintain.</p></li><li><p>Broadcast uses UDP and cannot resolve names across remote segments.</p></li></ul></div><p> +Alternative means of name resolution include: +</p><div class="itemizedlist"><ul type="disc"><li><p>Static <code class="filename">/etc/hosts</code> hard to maintain and lacks name_type info.</p></li><li><p>DNS is a good choice but lacks essential NetBIOS name_type information.</p></li></ul></div><p> +<a class="indexterm" name="id356756"></a> +<a class="indexterm" name="id356762"></a> +Many sites want to restrict DNS lookups and avoid broadcast name +resolution traffic. The <em class="parameter"><code>name resolve order</code></em> parameter is of great help here. +The syntax of the <em class="parameter"><code>name resolve order</code></em> parameter is: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id356788"></a><em class="parameter"><code>name resolve order = wins lmhosts bcast host</code></em></td></tr></table><p> +<span class="emphasis"><em>or</em></span> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id356809"></a><em class="parameter"><code>name resolve order = wins lmhosts (eliminates bcast and host)</code></em></td></tr></table><p> +The default is: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id356828"></a><em class="parameter"><code>name resolve order = host lmhost wins bcast</code></em></td></tr></table><p> +<a class="indexterm" name="id356841"></a> +where “<span class="quote">host</span>” refers to the native methods used by the UNIX system to implement the +gethostbyname() function call. This is normally controlled by <code class="filename">/etc/host.conf</code>, +<code class="filename">/etc/nsswitch.conf</code> and <code class="filename">/etc/resolv.conf</code>. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id356873"></a>Technical Overview of Browsing</h2></div></div></div><p> +<a class="indexterm" name="id356881"></a> +SMB networking provides a mechanism by which clients can access a list +of machines in a network called <a class="indexterm" name="id356889"></a>browse list. This list +contains machines that are ready to offer file and/or print services +to other machines within the network. It therefore does not include +machines that aren't currently able to do server tasks. The browse +list is heavily used by all SMB clients. Configuration of SMB +browsing has been problematic for some Samba users, hence this +document. +</p><p> +<a class="indexterm" name="id356902"></a> +<a class="indexterm" name="id356909"></a> +<a class="indexterm" name="id356915"></a> +MS Windows 2000 and later versions, as with Samba-3 and later versions, can be +configured to not use NetBIOS over TCP/IP. When configured this way, +it is imperative that name resolution (using DNS/LDAP/ADS) be correctly +configured and operative. Browsing will not work if name resolution +from SMB machine names to IP addresses does not function correctly. +</p><p> +<a class="indexterm" name="id356928"></a> +<a class="indexterm" name="id356935"></a> +Where NetBIOS over TCP/IP is enabled, use of a WINS server is highly +recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. +WINS allows remote segment clients to obtain NetBIOS name_type information +that cannot be provided by any other means of name resolution. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id356946"></a>Browsing Support in Samba</h3></div></div></div><p> +<a class="indexterm" name="id356954"></a> +<a class="indexterm" name="id356960"></a> +<a class="indexterm" name="id356967"></a> +<a class="indexterm" name="id356974"></a> +Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span> +and is also controlled by options in the <code class="filename">smb.conf</code> file. +Samba can act as an LMB for a workgroup, and the ability +to support domain logons and scripts is now available. +</p><p> +<a class="indexterm" name="id356997"></a> +<a class="indexterm" name="id357004"></a> +<a class="indexterm" name="id357011"></a> +Samba can also act as a DMB for a workgroup. This +means that it will collate lists from LMBs into a +wide-area network server list. In order for browse clients to +resolve the names they may find in this list, it is recommended that +both Samba and your clients use a WINS server. +</p><p> +<a class="indexterm" name="id357023"></a> +Do not set Samba to be the domain master for a workgroup that has the same +name as an NT Domain. On each wide-area network, you must only ever have one +DMB per workgroup, regardless of whether it is NT, Samba, +or any other type of domain master that is providing this service. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id357037"></a> +<a class="indexterm" name="id357043"></a> +<code class="literal">nmbd</code> can be configured as a WINS server, but it is not +necessary to specifically use Samba as your WINS server. MS Windows +NT4, Server or Advanced Server 200x can be configured as +your WINS server. In a mixed NT/200x server and Samba environment on +a WAN, it is recommended that you use the Microsoft +WINS server capabilities. In a Samba-only environment, it is +recommended that you use one and only one Samba server as the WINS server. +</p></div><p> +<a class="indexterm" name="id357063"></a> +To get browsing to work, you need to run <code class="literal">nmbd</code> as usual, but must +use the <a class="indexterm" name="id357076"></a>workgroup option in <code class="filename">smb.conf</code> +to control what workgroup Samba becomes a part of. +</p><p> +<a class="indexterm" name="id357093"></a> +Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is +recommended that this option is used only for “<span class="quote">unusual</span>” purposes: announcements over the +Internet, for example. See <a class="indexterm" name="id357105"></a>remote announce in the <code class="filename">smb.conf</code> man page. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id357120"></a>Problem Resolution</h3></div></div></div><p> +<a class="indexterm" name="id357128"></a> +<a class="indexterm" name="id357135"></a> +If something does not work, the <code class="filename">log.nmbd</code> file will help +to track down the problem. Try a <a class="indexterm" name="id357148"></a>log level of 2 or 3 for finding +problems. Also note that the current browse list usually gets stored +in text form in a file called <code class="filename">browse.dat</code>. +</p><p> +<a class="indexterm" name="id357165"></a> +<a class="indexterm" name="id357172"></a> +If it does not work, you should still be able to +type the server name as <code class="filename">\\SERVER</code> in <code class="literal">filemanager</code>, then +press enter, and <code class="literal">filemanager</code> should display the list of available shares. +</p><p> +<a class="indexterm" name="id357201"></a> +<a class="indexterm" name="id357208"></a> +Some people find browsing fails because they do not have the global +<a class="indexterm" name="id357216"></a>guest account set to a valid account. Remember that the +IPC$ connection that lists the shares is done as guest and so you must have a valid guest account. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id357228"></a> +<a class="indexterm" name="id357235"></a> +<a class="indexterm" name="id357242"></a> +<a class="indexterm" name="id357248"></a> +<a class="indexterm" name="id357255"></a> +The <code class="literal">IPC$</code> share is used by all SMB/CIFS clients to obtain the list of resources that is +available on the server. This is the source of the list of shares and printers when browsing an SMB/CIFS +server (also Windows machines) using the Windows Explorer to browse resources through the Windows Network +Neighborhood (also called My Network Places) through to a Windows server. At this point, the client has opened +a connection to the <code class="literal">\\server\IPC4</code> resource. Clicking on a share will then open up a +connection to the <code class="literal">\\server\share</code>. +</p></div><p> +<a class="indexterm" name="id357287"></a> +<a class="indexterm" name="id357294"></a> +<a class="indexterm" name="id357301"></a> +<a class="indexterm" name="id357307"></a> +MS Windows 2000 and later (as with Samba) can be configured to disallow +anonymous (i.e., guest account) access to the IPC$ share. In that case, the +MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the +name of the currently logged-in user to query the IPC$ share. MS Windows +9x/Me clients are not able to do this and thus will not be able to browse +server resources. +</p><p> +<a class="indexterm" name="id357321"></a> +The other big problem people have is that their broadcast address, +netmask, or IP address is wrong (specified with the <a class="indexterm" name="id357329"></a>interfaces option +in <code class="filename">smb.conf</code>) +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id357344"></a>Cross-Subnet Browsing</h3></div></div></div><p> +<a class="indexterm" name="id357351"></a> +<a class="indexterm" name="id357361"></a> +Since the release of Samba 1.9.17 (alpha1), Samba has supported the replication of browse lists across subnet +boundaries. This section describes how to set this feature up in different settings. +</p><p> +<a class="indexterm" name="id357372"></a> +<a class="indexterm" name="id357379"></a> +<a class="indexterm" name="id357386"></a> +<a class="indexterm" name="id357392"></a> +<a class="indexterm" name="id357399"></a> +<a class="indexterm" name="id357406"></a> +To see browse lists that span TCP/IP subnets (i.e., networks separated by routers that do not pass broadcast +traffic), you must set up at least one WINS server. The WINS server acts as a DNS for NetBIOS names. This will +allow NetBIOS name-to-IP address translation to be completed by a direct query of the WINS server. This is +done via a directed UDP packet on port 137 to the WINS server machine. The WINS server avoids the necessity of +default NetBIOS name-to-IP address translation, which is done using UDP broadcasts from the querying machine. +This means that machines on one subnet will not be able to resolve the names of machines on another subnet +without using a WINS server. The Samba hacks, <em class="parameter"><code>remote browse sync</code></em>, and <em class="parameter"><code>remote +announce</code></em> are designed to get around the natural limitations that prevent UDP broadcast +propagation. The hacks are not a universal solution and they should not be used in place of WINS, they are +considered last resort methods. +</p><p> +<a class="indexterm" name="id357436"></a> +<a class="indexterm" name="id357443"></a> +<a class="indexterm" name="id357449"></a> +<a class="indexterm" name="id357456"></a> +Remember, for browsing across subnets to work correctly, all machines, be they Windows 95, Windows NT, or +Samba servers, must have the IP address of a WINS server given to them by a DHCP server or by manual +configuration: for Windows 9x/Me and Windows NT/200x/XP, this is in the TCP/IP Properties, under Network +settings; for Samba, this is in the <code class="filename">smb.conf</code> file. +</p><p> +<a class="indexterm" name="id357475"></a> +<a class="indexterm" name="id357482"></a> +<a class="indexterm" name="id357489"></a> +It is possible to operate Samba-3 without NetBIOS over TCP/IP. If you do this, be warned that if used outside +of MS ADS, this will forgo network browsing support. ADS permits network browsing support through DNS, +providing appropriate DNS records are inserted for all Samba servers. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id357499"></a>Behavior of Cross-Subnet Browsing</h4></div></div></div><p> +<a class="indexterm" name="id357507"></a> +<a class="indexterm" name="id357513"></a> +Cross-subnet browsing is a complicated dance, containing multiple moving parts. It has taken Microsoft several +years to get the code that correctly achieves this, and Samba lags behind in some areas. Samba is capable of +cross-subnet browsing when configured correctly. +</p><p> +Consider a network set up as in <a href="NetworkBrowsing.html#browsing1" title="Figure 10.1. Cross-Subnet Browsing Example.">Cross-Subnet Browsing Example</a>. +</p><div class="figure"><a name="browsing1"></a><p class="title"><b>Figure 10.1. Cross-Subnet Browsing Example.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/browsing1.png" width="216" alt="Cross-Subnet Browsing Example."></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="id357577"></a> +<a class="indexterm" name="id357584"></a> +<a class="indexterm" name="id357590"></a> +This consists of three subnets (1, 2, 3) connected by two routers (R1, R2), which do not pass broadcasts. +Subnet 1 has five machines on it, subnet 2 has four machines, and subnet 3 has four machines. Assume for the +moment that all machines are configured to be in the same workgroup (for simplicity's sake). Machine N1_C on +subnet 1 is configured as the DMB (i.e., it will collate the browse lists for the workgroup). Machine N2_D is +configured as a WINS server, and all the other machines are configured to register their NetBIOS names with +it. +</p><p> +<a class="indexterm" name="id357605"></a> +<a class="indexterm" name="id357612"></a> +<a class="indexterm" name="id357618"></a> +As these machines are booted up, elections for master browsers +take place on each of the three subnets. Assume that machine +N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on +subnet 3. These machines are known as LMBs for +their particular subnet. N1_C has an advantage in winning as the +LMB on subnet 1 because it is set up as DMB. +</p><p> +<a class="indexterm" name="id357631"></a> +<a class="indexterm" name="id357638"></a> +On each of the three networks, machines that are configured to offer sharing services will broadcast that they +are offering these services. The LMB on each subnet will receive these broadcasts and keep a record of the +fact that the machine is offering a service. This list of records is the basis of the browse list. For this +case, assume that all the machines are configured to offer services, so all machines will be on the browse +list. +</p><p> +<a class="indexterm" name="id357651"></a> +<a class="indexterm" name="id357658"></a> +<a class="indexterm" name="id357665"></a> +<a class="indexterm" name="id357672"></a> +<a class="indexterm" name="id357678"></a> +For each network, the LMB on that network is +considered <span class="emphasis"><em>authoritative</em></span> for all the names it receives via +local broadcast. This is because a machine seen by the LMB +via a local broadcast must be on the same network as the +Local Master Browser and thus is a <span class="emphasis"><em>trusted</em></span> +and <span class="emphasis"><em>verifiable</em></span> resource. Machines on other networks that +the LMBs learn about when collating their +browse lists have not been directly seen. These records are +called <span class="emphasis"><em>non-authoritative.</em></span> +</p><p> +<a class="indexterm" name="id357706"></a> +At this point the browse lists appear as shown in <a href="NetworkBrowsing.html#browsubnet" title="Table 10.1. Browse Subnet Example 1">Browse Subnet Example 1</a> +(these are the machines you would see in your network neighborhood if you looked in it on a particular network +right now). +</p><p> +</p><div class="table"><a name="browsubnet"></a><p class="title"><b>Table 10.1. Browse Subnet Example 1</b></p><div class="table-contents"><table summary="Browse Subnet Example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div></div><p><br class="table-break"> +</p><p> +At this point all the subnets are separate, and no machine is seen across any of the subnets. +</p><p> +<a class="indexterm" name="id357796"></a> +<a class="indexterm" name="id357803"></a> +<a class="indexterm" name="id357810"></a> +<a class="indexterm" name="id357816"></a> +Now examine subnet 2 in <a href="NetworkBrowsing.html#brsbex" title="Table 10.2. Browse Subnet Example 2">Browse Subnet Example 2</a>. As soon as N2_B has become the +LMB, it looks for a DMB with which to synchronize its browse list. It does this by querying the WINS server +(N2_D) for the IP address associated with the NetBIOS name WORKGROUP<1B>. This name was registered by +the DMB (N1_C) with the WINS server as soon as it was started. +</p><p> +<a class="indexterm" name="id357838"></a> +<a class="indexterm" name="id357845"></a> +<a class="indexterm" name="id357851"></a> +<a class="indexterm" name="id357858"></a> +Once N2_B knows the address of the DMB, it tells it that is the LMB for subnet 2 by sending a +<span class="emphasis"><em>MasterAnnouncement</em></span> packet as a UDP port 138 packet. It then synchronizes with it by +doing a <span class="emphasis"><em>NetServerEnum2</em></span> call. This tells the DMB to send it all the server names it knows +about. Once the DMB receives the <span class="emphasis"><em>MasterAnnouncement</em></span> packet, it schedules a +synchronization request to the sender of that packet. After both synchronizations are complete, the browse +lists look like those in <a href="NetworkBrowsing.html#brsbex" title="Table 10.2. Browse Subnet Example 2">Browse Subnet Example 2</a> +</p><div class="table"><a name="brsbex"></a><p class="title"><b>Table 10.2. Browse Subnet Example 2</b></p><div class="table-contents"><table summary="Browse Subnet Example 2" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E, +N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*), +N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="id357966"></a> +Servers with an (*) after them are non-authoritative names. +</p><p> +<a class="indexterm" name="id357977"></a> +At this point users looking in their Network Neighborhood on subnets 1 or 2 will see all the servers on both; +users on subnet 3 will still see only the servers on their own subnet. +</p><p> +<a class="indexterm" name="id357988"></a> +The same sequence of events that occurred for N2_B now occurs for the LMB on subnet 3 (N3_D). When it +synchronizes browse lists with the DMB (N1_A) it gets both the server entries on subnet 1 and those on subnet +2. After N3_D has synchronized with N1_C and vica versa, the browse lists will appear as shown in <a href="NetworkBrowsing.html#brsex2" title="Table 10.3. Browse Subnet Example 3">Browse Subnet Example 3</a> +</p><div class="table"><a name="brsex2"></a><p class="title"><b>Table 10.3. Browse Subnet Example 3</b></p><div class="table-contents"><table summary="Browse Subnet Example 3" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E, +N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*), +N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*), +N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div></div><br class="table-break"><p> +Servers with an (*) after them are non-authoritative names. +</p><p> +At this point, users looking in their Network Neighborhood on +subnets 1 or 3 will see all the servers on all subnets, while users on +subnet 2 will still see only the servers on subnets 1 and 2, but not 3. +</p><p> +<a class="indexterm" name="id358097"></a> +<a class="indexterm" name="id358104"></a> +<a class="indexterm" name="id358110"></a> +Finally, the LMB for subnet 2 (N2_B) will sync again +with the DMB (N1_C) and will receive the missing +server entries. Finally, as when a steady state (if no machines +are removed or shut off) has been achieved, the browse lists will appear +as shown in <a href="NetworkBrowsing.html#brsex3" title="Table 10.4. Browse Subnet Example 4">Browse Subnet Example 4</a>. +</p><div class="table"><a name="brsex3"></a><p class="title"><b>Table 10.4. Browse Subnet Example 4</b></p><div class="table-contents"><table summary="Browse Subnet Example 4" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E, +N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), +N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*), +N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), +N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*), +N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), +N2_C(*), N2_D(*)</td></tr></tbody></table></div></div><br class="table-break"><p> +Servers with an (*) after them are non-authoritative names. +</p><p> +Synchronizations between the DMB and LMBs +will continue to occur, but this should remain a +steady-state operation. +</p><p> +If either router R1 or R2 fails, the following will occur: +</p><div class="orderedlist"><ol type="1"><li><p> +<a class="indexterm" name="id358232"></a> + Names of computers on each side of the inaccessible network fragments + will be maintained for as long as 36 minutes in the Network Neighborhood + lists. + </p></li><li><p> + Attempts to connect to these inaccessible computers will fail, but the + names will not be removed from the Network Neighborhood lists. + </p></li><li><p> +<a class="indexterm" name="id358254"></a> +<a class="indexterm" name="id358261"></a> +<a class="indexterm" name="id358268"></a> + If one of the fragments is cut off from the WINS server, it will only + be able to access servers on its local subnet using subnet-isolated + broadcast NetBIOS name resolution. The effect is similar to that of + losing access to a DNS server. + </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id358283"></a>Common Errors</h2></div></div></div><p> +<a class="indexterm" name="id358291"></a> +<a class="indexterm" name="id358298"></a> +Many questions are asked on the mailing lists regarding browsing. The majority of browsing +problems originate from incorrect configuration of NetBIOS name resolution. Some are of +particular note. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id358308"></a>Flushing the Samba NetBIOS Name Cache</h3></div></div></div><p> +How Can One Flush the Samba NetBIOS Name Cache without Restarting Samba? +</p><p> +<a class="indexterm" name="id358319"></a> +<a class="indexterm" name="id358326"></a> +<a class="indexterm" name="id358333"></a> +<a class="indexterm" name="id358340"></a> +Samba's <code class="literal">nmbd</code> process controls all browse list handling. Under normal circumstances it is +safe to restart <code class="literal">nmbd</code>. This will effectively flush the Samba NetBIOS name cache and cause it +to be rebuilt. This does not make certain that a rogue machine name will not reappear +in the browse list. When <code class="literal">nmbd</code> is taken out of service, another machine on the network will +become the browse master. This new list may still have the rogue entry in it. If you really +want to clear a rogue machine from the list, every machine on the network must be +shut down and restarted after all machines are down. Failing a complete restart, the only +other thing you can do is wait until the entry times out and is then flushed from the list. +This may take a long time on some networks (perhaps months). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id358373"></a>Server Resources Cannot Be Listed</h3></div></div></div><p>“<span class="quote">My Client Reports "‘<span class="quote">This server is not configured to list shared resources."</span>’</span>”</p><p> +Your guest account is probably invalid for some reason. Samba uses the +guest account for browsing in <code class="literal">smbd</code>. Check that your guest account is +valid. +</p><p>Also see <a class="indexterm" name="id358399"></a>guest account in the <code class="filename">smb.conf</code> man page.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id358414"></a>I Get an "<span class="errorname">Unable to browse the network</span>" Error</h3></div></div></div><p>This error can have multiple causes: +<a class="indexterm" name="id358426"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>There is no LMB. Configure <span class="application">nmbd</span> + or any other machine to serve as LMB.</p></li><li><p>You cannot log onto the machine that is the LMB. + Can you log on to it as a guest user? </p></li><li><p>There is no IP connectivity to the LMB. + Can you reach it by broadcast?</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id358459"></a>Browsing of Shares and Directories is Very Slow</h3></div></div></div><p>“<span class="quote"> +<a class="indexterm" name="id358468"></a> +There are only two machines on a test network. One is a Samba server, the other a Windows XP machine. +Authentication and logons work perfectly, but when I try to explore shares on the Samba server, the +Windows XP client becomes unresponsive. Sometimes it does not respond for some minutes. Eventually, +Windows Explorer will respond and displays files and directories without problem. +</span>” +</p><p>“<span class="quote"> +<a class="indexterm" name="id358484"></a> +But, the share is immediately available from a command shell (<code class="literal">cmd</code>, followed by +exploration with DOS command. Is this a Samba problem, or is it a Windows problem? How can I solve this? +</span>”</p><p> +Here are a few possibilities: +</p><div class="variablelist"><dl><dt><span class="term">Bad Networking Hardware</span></dt><dd><p> +<a class="indexterm" name="id358513"></a> +<a class="indexterm" name="id358520"></a> +<a class="indexterm" name="id358527"></a> +<a class="indexterm" name="id358534"></a> +<a class="indexterm" name="id358541"></a> + Most common defective hardware problems center around low cost or defective hubs, routers, + network interface controllers (NICs), and bad wiring. If one piece of hardware is defective, + the whole network may suffer. Bad networking hardware can cause data corruption. Most bad + networking hardware problems are accompanied by an increase in apparent network traffic, + but not all. + </p></dd><dt><span class="term">The Windows XP WebClient</span></dt><dd><p> +<a class="indexterm" name="id358562"></a> + A number of sites have reported similar slow network browsing problems and found that when + the WebClient service is turned off, the problem disappears. This is certainly something + that should be explored because it is a simple solution if it works. + </p></dd><dt><span class="term">Inconsistent WINS Configuration</span></dt><dd><p> +<a class="indexterm" name="id358585"></a> +<a class="indexterm" name="id358591"></a> + This type of problem is common when one client is configured to use a WINS server (that is + a TCP/IP configuration setting) and there is no WINS server on the network. Alternatively, + this will happen if there is a WINS server and Samba is not configured to use it. The use of + WINS is highly recommended if the network is using NetBIOS over TCP/IP protocols. If use + of NetBIOS over TCP/IP is disabled on all clients, Samba should not be configured as a WINS + server, nor should it be configured to use one. + </p></dd><dt><span class="term">Incorrect DNS Configuration</span></dt><dd><p> +<a class="indexterm" name="id358614"></a> +<a class="indexterm" name="id358620"></a> + If use of NetBIOS over TCP/IP is disabled, Active Directory is in use and the DNS server + has been incorrectly configured. For further information refer to + <a href="NetworkBrowsing.html#adsdnstech" title="DNS and Active Directory">DNS and Active Directory</a>. + </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id358640"></a>Invalid Cached Share References Affects Network Browsing</h3></div></div></div><p> +<a class="indexterm" name="id358648"></a> +<a class="indexterm" name="id358655"></a> +Cached references on your MS Windows client (workstation or server) to shares or servers that no longer exist +can cause MS Windows Explorer to appear unresponsive as it tries to connect to these shares. After a delay +(can take a long time) it times out and browsing will appear to be mostly normal again. +</p><p> +To eliminate the problem the stale cached references should be removed. This does not happen automatically and +requires manual intervention. This is a design feature of MS Windows and not anything that Samba can change. +To remove the stale shortcuts found in <span class="emphasis"><em>My Network Places</em></span> which refer to what are now +invalid shares or servers it is necessary to edit the Windows Registry under +<code class="literal">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\</code>. Edit the entry +<code class="literal">MountPoints2</code> (on Windows XP and later, or <code class="literal">MountPoints</code> on Windows 2000 +and earlier). Remove all keys named <code class="literal">\\server\share</code> (where 'server' and 'share' refer to a +non-existent server or share). +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Removal of stale network links needs to be done on a per-user basis. Alternately, you can delete the +shortcuts from the MS Windows Explorer in <code class="literal">My Network Places</code> just by right-clicking them and +selecting <span class="emphasis"><em>Delete.</em></span> +</p></div><p> +<a class="indexterm" name="id358718"></a> +Samba users have reported that these stale references negatively affect network browsing with Windows, Samba, +and Novell servers. It is suspected to be a universal problem not directly related to the Samba +server. Samba users may experience this more often due to Samba being somewhat viewed as an experimenter's +toolkit. This results from the fact that a user might go through several reconfigurations and incarnations of +their Samba server, by different names, with different shares, increasing the chances for having stale +(invalid) cached share references. Windows clients do not expire these references thus necessitating manual +removal. +</p><p> +It is common for <span class="emphasis"><em>Open</em></span> dialog boxes (for example; in Word and Excel) to respond very +slowly, as they attempt to locate all of the cached references, even if they are not in the current directory +being accessed. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ChangeNotes.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 9. Important and Critical Change Notes for the Samba 3.x Series </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/Other-Clients.html b/docs/htmldocs/Samba3-HOWTO/Other-Clients.html new file mode 100644 index 0000000000..b118058469 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/Other-Clients.html @@ -0,0 +1,151 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 43. Samba and Other CIFS Clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="Portability.html" title="Chapter 42. Portability"><link rel="next" href="speed.html" title="Chapter 44. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 43. Samba and Other CIFS Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 43. Samba and Other CIFS Clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><span class="contrib">OS/2</span> <div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><code class="email"><<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>></code></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Other-Clients.html#id452041">Macintosh Clients</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452117">OS2 Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452122">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452233">Configuring Other Versions of OS/2</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452283">Printer Driver Download for OS/2 Clients</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452362">Windows for Workgroups</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452368">Latest TCP/IP Stack from Microsoft</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452446">Delete .pwl Files After Password Change</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452468">Configuring Windows for Workgroups Password Handling</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452517">Password Case Sensitivity</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452542">Use TCP/IP as Default Protocol</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#speedimpr">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452594">Windows 95/98</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452657">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452850">Windows NT 3.1</a></span></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452041"></a>Macintosh Clients</h2></div></div></div><p> +<a class="indexterm" name="id452049"></a> +Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> has a CIFS client/server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>. They test it against Windows 95, Windows +NT/200x/XP, and Samba for compatibility issues. At the time of this writing, DAVE was at version 5.1. Please +refer to Thursby's Web site for more information regarding this product. +</p><p> +<a class="indexterm" name="id452074"></a> +<a class="indexterm" name="id452080"></a> +Alternatives include two free implementations of AppleTalk for several kinds of UNIX machines and several more +commercial ones. These products allow you to run file services and print services natively to Macintosh +users, with no additional support required on the Macintosh. The two free implementations are <a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a> and <a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>. What Samba offers MS Windows users, these +packages offer to Macs. For more info on these packages, Samba, and Linux (and other UNIX-based systems), see +<a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html.</a> +</p><p>Newer versions of the Macintosh (Mac OS X) include Samba.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452117"></a>OS2 Client</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452122"></a>Configuring OS/2 Warp Connect or OS/2 Warp 4</h3></div></div></div><p>Basically, you need three components:</p><div class="itemizedlist"><ul type="disc"><li><p>The File and Print Client (IBM peer)</p></li><li><p>TCP/IP (Internet support) </p></li><li><p>The “<span class="quote">NetBIOS over TCP/IP</span>” driver (TCPBEUI)</p></li></ul></div><p>Installing the first two together with the base operating + system on a blank system is explained in the Warp manual. If Warp + has already been installed, but you now want to install the + networking support, use the “<span class="quote">Selective Install for Networking</span>” + object in the “<span class="quote">System Setup</span>” folder.</p><p>Adding the “<span class="quote">NetBIOS over TCP/IP</span>” driver is not described + in the manual and just barely in the online documentation. Start + <code class="literal">MPTS.EXE</code>, click on <span class="guiicon">OK</span>, click on <span class="guimenu">Configure LAPS</span>, and click + on <span class="guimenu">IBM OS/2 NETBIOS OVER TCP/IP</span> in <span class="guilabel">Protocols</span>. This line + is then moved to <span class="guilabel">Current Configuration</span>. Select that line, + click on <span class="guimenuitem">Change number</span>, and increase it from 0 to 1. Save this + configuration.</p><p>If the Samba server is not on your local subnet, you + can optionally add IP names and addresses of these servers + to the <span class="guimenu">Names List</span> or specify a WINS server (NetBIOS + Nameserver in IBM and RFC terminology). For Warp Connect, you + may need to download an update for <code class="constant">IBM Peer</code> to bring it on + the same level as Warp 4. See the IBM OS/2 Warp Web page</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452233"></a>Configuring Other Versions of OS/2</h3></div></div></div><p>This sections deals with configuring OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x.</p><p>You can use the free Microsoft LAN Manager 2.2c Client for OS/2 that is + available from + <a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top"> + ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>. In a nutshell, edit + the file <code class="filename">\OS2VER</code> in the root directory of the OS/2 boot partition and add the lines:</p><pre class="programlisting"> + 20=setup.exe + 20=netwksta.sys + 20=netvdd.sys + </pre><p>before you install the client. Also, do not use the included NE2000 driver because it is buggy. + Try the NE2000 or NS2000 driver from <a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top"> + ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452283"></a>Printer Driver Download for OS/2 Clients</h3></div></div></div><p>Create a share called <em class="parameter"><code>[PRINTDRV]</code></em> that is + world-readable. Copy your OS/2 driver files there. The <code class="filename">.EA_</code> + files must still be separate, so you will need to use the original install files + and not copy an installed driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then, add to your <code class="filename">smb.conf</code> a parameter, + <a class="indexterm" name="id452314"></a>os2 driver map. + Next, in the file specified by <em class="replaceable"><code>filename</code></em>, map the + name of the NT driver name to the OS/2 driver name as follows:</p><p><em class="parameter"><code><em class="replaceable"><code>nt driver name</code></em> = <em class="replaceable"><code>os2 driver name</code></em>.<em class="replaceable"><code>device name</code></em></code></em>, e.g.,</p><p><em class="parameter"><code> + HP LaserJet 5L = LASERJET.HP LaserJet 5L</code></em></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the + device name, the first attempt to download the driver will + actually download the files, but the OS/2 client will tell + you the driver is not available. On the second attempt, it + will work. This is fixed simply by adding the device name + to the mapping, after which it will work on the first attempt. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452362"></a>Windows for Workgroups</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452368"></a>Latest TCP/IP Stack from Microsoft</h3></div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows +for Workgroups. The early TCP/IP stacks had lots of bugs.</p><p> +Microsoft has released an incremental upgrade to its TCP/IP 32-bit VxD drivers. The latest release can be +found at ftp.microsoft.com, located in <code class="filename">/Softlib/MSLFILES/TCP32B.EXE</code>. There is an +update.txt file there that describes the problems that were fixed. New files include +<code class="filename">WINSOCK.DLL</code>, <code class="filename">TELNET.EXE</code>, <code class="filename">WSOCK.386</code>, +<code class="filename">VNBT.386</code>, <code class="filename">WSTCP.386</code>, <code class="filename">TRACERT.EXE</code>, +<code class="filename">NETSTAT.EXE</code>, and <code class="filename">NBTSTAT.EXE</code>. +</p><p> +More information about this patch is available in <a href="http://support.microsoft.com/kb/q99891/" target="_top">Knowledge Base article 99891</a>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452446"></a>Delete .pwl Files After Password Change</h3></div></div></div><p> +Windows for Workgroups does a lousy job with passwords. When you change passwords on either +the UNIX box or the PC, the safest thing to do is delete the .pwl files in the Windows +directory. The PC will complain about not finding the files, but will soon get over it, +allowing you to enter the new password. +</p><p> +If you do not do this, you may find that Windows for Workgroups remembers and uses the old +password, even if you told it a new one. +</p><p> +Often Windows for Workgroups will totally ignore a password you give it in a dialog box. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452468"></a>Configuring Windows for Workgroups Password Handling</h3></div></div></div><p> +<a class="indexterm" name="id452476"></a> +There is a program call <code class="filename">admincfg.exe</code> on the last disk (disk 8) of the WFW 3.11 disk set. +To install it, type <strong class="userinput"><code>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</code></strong>. Then add an icon +for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> menu. This program allows +you to control how WFW handles passwords, Disable Password Caching and so on, for use with <a class="indexterm" name="id452508"></a>security = user. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452517"></a>Password Case Sensitivity</h3></div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. +UNIX passwords can be case-sensitive though. Check the <code class="filename">smb.conf</code> information on +<a class="indexterm" name="id452532"></a>password level to specify what characters +Samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452542"></a>Use TCP/IP as Default Protocol</h3></div></div></div><p>To support print queue reporting, you may find +that you have to use TCP/IP as the default protocol under +Windows for Workgroups. For some reason, if you leave NetBEUI as the default, +it may break the print queue reporting on some systems. +It is presumably a Windows for Workgroups bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="speedimpr"></a>Speed Improvement</h3></div></div></div><p> +Note that some people have found that setting <em class="parameter"><code>DefaultRcvWindow</code></em> in +the <em class="parameter"><code>[MSTCP]</code></em> section of the +<code class="filename">SYSTEM.INI</code> file under Windows for Workgroups to 3072 gives a +big improvement. +</p><p> +My own experience with DefaultRcvWindow is that I get a much better +performance with a large value (16384 or larger). Other people have +reported that anything over 3072 slows things down enormously. One +person even reported a speed drop of a factor of 30 when he went from +3072 to 8192. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452594"></a>Windows 95/98</h2></div></div></div><p> +When using Windows 95 OEM SR2, the following updates are recommended where Samba +is being used. Please note that the changes documented in +<a href="Other-Clients.html#speedimpr" title="Speed Improvement">Speed Improvement</a> will affect you once these +updates have been installed. +</p><p> +There are more updates than the ones mentioned here. Refer to the +Microsoft Web site for all currently available updates to your specific version +of Windows 95. +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p> +Also, if using <span class="application">MS Outlook,</span> it is desirable to +install the <code class="literal">OLEUPD.EXE</code> fix. This +fix may stop your machine from hanging for an extended period when exiting +Outlook, and you may notice a significant speedup when accessing network +neighborhood services. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id452657"></a>Speed Improvement</h3></div></div></div><p> +Configure the Windows 95 TCP/IP registry settings to give better +performance. I use a program called <code class="literal">MTUSPEED.exe</code> that I got off the +Internet. There are various other utilities of this type freely available. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452675"></a>Windows 2000 Service Pack 2</h2></div></div></div><p> +There are several annoyances with Windows 2000 SP2, one of which +only appears when using a Samba server to host user profiles +to Windows 2000 SP2 clients in a Windows domain. This assumes +that Samba is a member of the domain, but the problem will +most likely occur if it is not. +</p><p> +In order to serve profiles successfully to Windows 2000 SP2 +clients (when not operating as a PDC), Samba must have +<a class="indexterm" name="id452690"></a>nt acl support = no +added to the file share that houses the roaming profiles. +If this is not done, then the Windows 2000 SP2 client will +complain about not being able to access the profile (Access +Denied) and create multiple copies of it on disk (DOMAIN.user.001, +DOMAIN.user.002, and so on). See the <code class="filename">smb.conf</code> man page +for more details on this option. Also note that the +<a class="indexterm" name="id452706"></a>nt acl support parameter was formally a global parameter in +releases prior to Samba 2.2.2. +</p><p> +<a href="Other-Clients.html#minimalprofile" title="Example 43.1. Minimal Profile Share">Following example</a> provides a minimal profile share. +</p><div class="example"><a name="minimalprofile"></a><p class="title"><b>Example 43.1. Minimal Profile Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[profile]</code></em></td></tr><tr><td><a class="indexterm" name="id452750"></a><em class="parameter"><code>path = /export/profile</code></em></td></tr><tr><td><a class="indexterm" name="id452762"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id452775"></a><em class="parameter"><code>directory mask = 0700</code></em></td></tr><tr><td><a class="indexterm" name="id452787"></a><em class="parameter"><code>nt acl support = no</code></em></td></tr><tr><td><a class="indexterm" name="id452800"></a><em class="parameter"><code>read only = no</code></em></td></tr></table></div></div><br class="example-break"><p> +The reason for this bug is that the Windows 200x SP2 client copies +the security descriptor for the profile that contains +the Samba server's SID, and not the domain SID. The client +compares the SID for SAMBA\user and realizes it is +different from the one assigned to DOMAIN\user; hence, +<span class="errorname">access denied</span> message. +</p><p> +When the <a class="indexterm" name="id452825"></a>nt acl support parameter is disabled, Samba will send +the Windows 200x client a response to the QuerySecurityDescriptor trans2 call, which causes the client +to set a default ACL for the profile. This default ACL includes: +</p><p><span class="emphasis"><em>DOMAIN\user “<span class="quote">Full Control</span>”</em></span>></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using Winbind to +create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452850"></a>Windows NT 3.1</h2></div></div></div><p>If you have problems communicating across routers with Windows +NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;Q103765" target="_top">this Microsoft Knowledge Base article:</a>. + +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 42. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 44. Samba Performance Tuning</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html b/docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html new file mode 100644 index 0000000000..10d9ba5b01 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html @@ -0,0 +1,385 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 26. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 26. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 26. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="PolicyMgmt.html#id424107">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id425313">Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id425324">Samba Editreg Toolset</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id425400">Windows NT4/200x</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id425437">Samba PDC</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id425500">System Startup and Logon Processing Overview</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id425641">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id425652">Policy Does Not Work</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id424096"></a> +This chapter summarizes the current state of knowledge derived from personal +practice and knowledge from Samba mailing list subscribers. Before reproduction +of posted information, every effort has been made to validate the information given. +Where additional information was uncovered through this validation, it is provided +also. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id424107"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id424115"></a> +<a class="indexterm" name="id424122"></a> +<a class="indexterm" name="id424128"></a> +When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement +Group Policies for users and groups. Then along came MS Windows NT4 and a few sites +started to adopt this capability. How do we know that? By the number of “<span class="quote">boo-boos</span>” +(or mistakes) administrators made and then requested help to resolve. +</p><p> +<a class="indexterm" name="id424145"></a> +<a class="indexterm" name="id424152"></a> +<a class="indexterm" name="id424160"></a> +<a class="indexterm" name="id424167"></a> +<a class="indexterm" name="id424174"></a> +By the time that MS Windows 2000 and Active Directory was released, administrators +got the message: Group Policies are a good thing! They can help reduce administrative +costs and actually make happier users. But adoption of the true +potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users +and machines were picked up on rather slowly. This was obvious from the Samba +mailing list back in 2000 and 2001 when there were few postings regarding GPOs and +how to replicate them in a Samba environment. +</p><p> +<a class="indexterm" name="id424191"></a> +Judging by the traffic volume since mid 2002, GPOs have become a standard part of +the deployment in many sites. This chapter reviews techniques and methods that can +be used to exploit opportunities for automation of control over user desktops and +network client workstations. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id424202"></a>Creating and Managing System Policies</h2></div></div></div><p> +<a class="indexterm" name="id424210"></a> +<a class="indexterm" name="id424217"></a> +<a class="indexterm" name="id424224"></a> +<a class="indexterm" name="id424230"></a> +Under MS Windows platforms, particularly those following the release of MS Windows +NT4 and MS Windows 95, it is possible to create a type of file that would be placed +in the NETLOGON share of a domain controller. As the client logs onto the network, +this file is read and the contents initiate changes to the registry of the client +machine. This file allows changes to be made to those parts of the registry that +affect users, groups of users, or machines. +</p><p> +<a class="indexterm" name="id424244"></a> +<a class="indexterm" name="id424251"></a> +<a class="indexterm" name="id424258"></a> +For MS Windows 9x/Me, this file must be called <code class="filename">Config.POL</code> and may +be generated using a tool called <code class="filename">poledit.exe</code>, better known as the +Policy Editor. The policy editor was provided on the Windows 98 installation CD-ROM, but +disappeared again with the introduction of MS Windows Me. From +comments of MS Windows network administrators, it would appear that this tool became +a part of the MS Windows Me Resource Kit. +</p><p> +<a class="indexterm" name="id424283"></a> +MS Windows NT4 server products include the <span class="emphasis"><em>System Policy Editor</em></span> +under <span class="guimenu">Start -> Programs -> Administrative Tools</span>. +For MS Windows NT4 and later clients, this file must be called <code class="filename">NTConfig.POL</code>. +</p><p> +<a class="indexterm" name="id424310"></a> +New with the introduction of MS Windows 2000 was the Microsoft Management Console +or MMC. This tool is the new wave in the ever-changing landscape of Microsoft +methods for management of network access and security. Every new Microsoft product +or technology seems to make the old rules obsolete and introduces newer and more +complex tools and methods. To Microsoft's credit, the MMC does appear to +be a step forward, but improved functionality comes at a great price. +</p><p> +<a class="indexterm" name="id424324"></a> +<a class="indexterm" name="id424330"></a> +<a class="indexterm" name="id424337"></a> +<a class="indexterm" name="id424344"></a> +Before embarking on the configuration of network and system policies, it is highly +advisable to read the documentation available from Microsoft's Web site regarding +<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp" target="_top"> +Implementing Profiles and Policies in Windows NT 4.0</a>. +There are a large number of documents in addition to this old one that should also +be read and understood. Try searching on the Microsoft Web site for “<span class="quote">Group Policies</span>”. +</p><p> +What follows is a brief discussion with some helpful notes. The information provided +here is incomplete you are warned. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id424372"></a>Windows 9x/ME Policies</h3></div></div></div><p> +<a class="indexterm" name="id424380"></a> +<a class="indexterm" name="id424386"></a> + You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/Me. + It can be found on the original full-product Windows 98 installation CD-ROM under + <code class="filename">tools\reskit\netadmin\poledit</code>. Install this using the + Add/Remove Programs facility, and then click on <span class="guiicon">Have Disk</span>. + </p><p> +<a class="indexterm" name="id424411"></a> +<a class="indexterm" name="id424417"></a> + Use the Group Policy Editor to create a policy file that specifies the location of + user profiles and/or <code class="filename">My Documents</code>, and so on. Then save these + settings in a file called <code class="filename">Config.POL</code> that needs to be placed in the + root of the <em class="parameter"><code>[NETLOGON]</code></em> share. If Windows 98 is configured to log onto + the Samba domain, it will automatically read this file and update the Windows 9x/Me registry + of the machine as it logs on. + </p><p> + Further details are covered in the Windows 98 Resource Kit documentation. + </p><p> +<a class="indexterm" name="id424452"></a> + If you do not take the correct steps, then every so often Windows 9x/Me will check the + integrity of the registry and restore its settings from the backup + copy of the registry it stores on each Windows 9x/Me machine. So, you will + occasionally notice things changing back to the original settings. + </p><p> +<a class="indexterm" name="id424465"></a> +<a class="indexterm" name="id424472"></a> + Install the Group Policy handler for Windows 9x/Me to pick up Group Policies. Look on the + Windows 98 CD-ROM in <code class="filename">\tools\reskit\netadmin\poledit</code>. + Install Group Policies on a Windows 9x/Me client by double-clicking on + <code class="filename">grouppol.inf</code>. Log off and on again a couple of times and see + if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every + Windows 9x/Me machine that uses Group Policies. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id424496"></a>Windows NT4-Style Policy Files</h3></div></div></div><p> +<a class="indexterm" name="id424504"></a> +<a class="indexterm" name="id424511"></a> +<a class="indexterm" name="id424518"></a> +<a class="indexterm" name="id424524"></a> + To create or edit <code class="filename">ntconfig.pol</code>, you must use the NT Server + Policy Editor, <code class="literal">poledit.exe</code>, which is included with NT4 Server + but not with NT workstation. There is a Policy Editor on an NT4 + Workstation but it is not suitable for creating domain policies. + Furthermore, although the Windows 95 Policy Editor can be installed on an NT4 + workstation/server, it will not work with NT clients. However, the files from + the NT Server will run happily enough on an NT4 workstation. + </p><p> +<a class="indexterm" name="id424550"></a> +<a class="indexterm" name="id424557"></a> +<a class="indexterm" name="id424564"></a> +<a class="indexterm" name="id424570"></a> + You need <code class="filename">poledit.exe</code>, <code class="filename">common.adm</code>, and <code class="filename">winnt.adm</code>. + It is convenient to put the two <code class="filename">*.adm</code> files in the <code class="filename">c:\winnt\inf</code> + directory, which is where the binary will look for them unless told otherwise. This + directory is normally “<span class="quote">hidden.</span>” + </p><p> +<a class="indexterm" name="id424615"></a> +<a class="indexterm" name="id424622"></a> +<a class="indexterm" name="id424628"></a> +<a class="indexterm" name="id424635"></a> + The Windows NT Policy Editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using <code class="literal">servicepackname /x</code> + that's <code class="literal">Nt4sp6ai.exe /x</code> for Service Pack 6a. The Policy Editor, + <code class="literal">poledit.exe</code>, and the associated template files (*.adm) should + be extracted as well. It is also possible to download the policy template + files for Office97 and get a copy of the Policy Editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id424667"></a>Registry Spoiling</h4></div></div></div><p> +<a class="indexterm" name="id424675"></a> +<a class="indexterm" name="id424682"></a> + With NT4-style registry-based policy changes, a large number of settings are not + automatically reversed as the user logs off. The settings that were in the + <code class="filename">NTConfig.POL</code> file were applied to the client machine registry and apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences downstream, and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id424702"></a>MS Windows 200x/XP Professional Policies</h3></div></div></div><p> +<a class="indexterm" name="id424710"></a> + Windows NT4 system policies allow the setting of registry parameters specific to + users, groups, and computers (client workstations) that are members of the NT4-style + domain. Such policy files will work with MS Windows 200x/XP clients also. + </p><p> + New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers + a superset of capabilities compared with NT4-style policies. Obviously, the tool used + to create them is different, and the mechanism for implementing them is much improved. + </p><p> + <a class="indexterm" name="id424728"></a> +<a class="indexterm" name="id424734"></a> + The older NT4-style registry-based policies are known as <span class="emphasis"><em>Administrative Templates</em></span> + in MS Windows 2000/XP GPOs. The latter includes the ability to set various security + configurations, enforce Internet Explorer browser settings, change and redirect aspects of the + users desktop (including the location of <code class="filename">My Documents</code> files, as + well as intrinsics of where menu items will appear in the Start menu). An additional new + feature is the ability to make available particular software Windows applications to particular + users and/or groups. + </p><p> +<a class="indexterm" name="id424759"></a> +<a class="indexterm" name="id424765"></a> +<a class="indexterm" name="id424772"></a> + Remember, NT4 policy files are named <code class="filename">NTConfig.POL</code> and are stored in the root + of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password + and selects the domain name to which the logon will attempt to take place. During the logon process, + the client machine reads the <code class="filename">NTConfig.POL</code> file from the NETLOGON share on + the authenticating server and modifies the local registry values according to the settings in this file. + </p><p> +<a class="indexterm" name="id424798"></a> +<a class="indexterm" name="id424804"></a> +<a class="indexterm" name="id424811"></a> +<a class="indexterm" name="id424818"></a> +<a class="indexterm" name="id424825"></a> +<a class="indexterm" name="id424831"></a> +<a class="indexterm" name="id424840"></a> +<a class="indexterm" name="id424850"></a> + Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of + a Windows 200x policy file is stored in the Active Directory itself and the other part is stored + in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active + Directory domain controllers. The part that is stored in the Active Directory itself is called the + Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is + known as the Group Policy Template (GPT). + </p><p> +<a class="indexterm" name="id424864"></a> + With NT4 clients, the policy file is read and executed only as each user logs onto the network. + MS Windows 200x policies are much more complex GPOs are processed and applied at client machine + startup (machine specific part), and when the user logs onto the network, the user-specific part + is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject + to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows + the administrator to also set filters over the policy settings. No such equivalent capability + exists with NT4-style policy files. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id424881"></a>Administration of Windows 200x/XP Policies</h4></div></div></div><p> + <a class="indexterm" name="id424888"></a> + <a class="indexterm" name="id424895"></a> +<a class="indexterm" name="id424902"></a> +<a class="indexterm" name="id424908"></a> +<a class="indexterm" name="id424915"></a> + Instead of using the tool called <span class="application">the System Policy Editor</span>, commonly called Poledit (from the + executable name <code class="literal">poledit.exe</code>), <acronym class="acronym">GPOs</acronym> are created and managed using a + <span class="application">Microsoft Management Console</span> <acronym class="acronym">(MMC)</acronym> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p> + Go to the Windows 200x/XP menu <span class="guimenu">Start->Programs->Administrative Tools</span> + and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span> + </p></li><li><p> +<a class="indexterm" name="id424976"></a> + Select the domain or organizational unit (OU) that you wish to manage, then right-click + to open the context menu for that object, and select the <span class="guibutton">Properties</span>. + </p></li><li><p> + Left-click on the <span class="guilabel">Group Policy</span> tab, then + left-click on the New tab. Type a name + for the new policy you will create. + </p></li><li><p> + Left-click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO. + </p></li></ol></div><p> + All policy configuration options are controlled through the use of policy administrative + templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP. + Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x. + The latter introduces many new features as well as extended definition capabilities. It is + well beyond the scope of this documentation to explain how to program .adm files; for that, + refer to the Microsoft Windows Resource Kit for your particular + version of MS Windows. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id425038"></a> +<a class="indexterm" name="id425045"></a> +<a class="indexterm" name="id425052"></a> + The MS Windows 2000 Resource Kit contains a tool called <code class="literal">gpolmig.exe</code>. This tool can be used + to migrate an NT4 <code class="filename">NTConfig.POL</code> file into a Windows 200x style GPO. Be VERY careful how you + use this powerful tool. Please refer to the resource kit manuals for specific usage information. + </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id425076"></a>Custom System Policy Templates</h4></div></div></div><p> + Over the past year, there has been a bit of talk regarding the creation of customized + templates for the Windows Sytem Policy Editor. A recent announcement on the Samba mailing + list is worthy of mention. + </p><p> + Mike Petersen has announced the availability of a template file he has created. This custom System Policy + Editor Template will allow you to successfully control Microsoft Windows workstations from an SMB server, such + as Samba. This template has been tested on a few networks, although if you find any problems with any of these + policies, or have any ideas for additional policies, let me know at mailto:mgpeter@pcc-services.com. This + Template includes many policies for Windows XP to allow it to behave better in a professional environment. + </p><p> + For further information please see the <a href="http://www.pcc-services.com/custom_poledit.html" target="_top">Petersen</a> Computer Consulting web site. There is + a download link for the template file. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id425108"></a>Managing Account/User Policies</h2></div></div></div><p> +<a class="indexterm" name="id425116"></a> +<a class="indexterm" name="id425123"></a> +<a class="indexterm" name="id425130"></a> +Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not necessary. +</p><p> +<a class="indexterm" name="id425142"></a> +If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file <code class="filename">NTConfig.POL</code>. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, it must be made individually to each workstation. +</p><p> +<a class="indexterm" name="id425163"></a> +<a class="indexterm" name="id425170"></a> +When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on +the authenticating domain controller for the presence of the <code class="filename">NTConfig.POL</code> file. If one exists, it is +downloaded, parsed, and then applied to the user's part of the registry. +</p><p> +<a class="indexterm" name="id425188"></a> +<a class="indexterm" name="id425195"></a> +<a class="indexterm" name="id425202"></a> +<a class="indexterm" name="id425208"></a> +MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally +acquire policy settings through GPOs that are defined and stored in Active Directory +itself. The key benefit of using AD GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect. +This has considerable advantage compared with the use of <code class="filename">NTConfig.POL</code> (NT4) style policy updates. +</p><p> +<a class="indexterm" name="id425231"></a> +<a class="indexterm" name="id425238"></a> +In addition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per-domain as well as per-user account restrictions to be applied. +Common restrictions that are frequently used include: +</p><p> +<a class="indexterm" name="id425251"></a> +</p><div class="itemizedlist"><ul type="disc"><li><p>Logon hours</p></li><li><p>Password aging</p></li><li><p>Permitted logon from certain machines only</p></li><li><p>Account type (local or global)</p></li><li><p>User rights</p></li></ul></div><p> +</p><p> +<a class="indexterm" name="id425287"></a> +<a class="indexterm" name="id425294"></a> +Samba-3.0.20 does not yet implement all account controls that are common to MS Windows NT4/200x/XP. +While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password +expiry is functional today. Most of the remaining controls at this time have only stub routines +that may eventually be completed to provide actual control. Do not be misled by the fact that a +parameter can be set using the NT4 Domain User Manager or in the <code class="filename">NTConfig.POL</code>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id425313"></a>Management Tools</h2></div></div></div><p> +Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools. +The following sections describe a few key tools that will help you to create a low-maintenance user +environment. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id425324"></a>Samba Editreg Toolset</h3></div></div></div><p> + <a class="indexterm" name="id425331"></a> + <a class="indexterm" name="id425338"></a> + <a class="indexterm" name="id425345"></a> + A new tool called <code class="literal">editreg</code> is under development. This tool can be used + to edit registry files (called <code class="filename">NTUser.DAT</code>) that are stored in user + and group profiles. <code class="filename">NTConfig.POL</code> files have the same structure as the + <code class="filename">NTUser.DAT</code> file and can be edited using this tool. <code class="literal">editreg</code> + is being built with the intent to enable <code class="filename">NTConfig.POL</code> files to be saved in text format and to + permit the building of new <code class="filename">NTConfig.POL</code> files with extended capabilities. It is proving difficult + to realize this capability, so do not be surprised if this feature does not materialize. Formal + capabilities will be announced at the time that this tool is released for production use. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id425400"></a>Windows NT4/200x</h3></div></div></div><p> +<a class="indexterm" name="id425408"></a> +<a class="indexterm" name="id425415"></a> +<a class="indexterm" name="id425421"></a> + The tools that may be used to configure these types of controls from the MS Windows environment are + the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe). + Under MS Windows 200x/XP, this is done using the MMC with appropriate + “<span class="quote">snap-ins,</span>” the registry editor, and potentially also the NT4 System and Group Policy Editor. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id425437"></a>Samba PDC</h3></div></div></div><p> +<a class="indexterm" name="id425445"></a> +<a class="indexterm" name="id425451"></a> +<a class="indexterm" name="id425458"></a> +<a class="indexterm" name="id425465"></a> + With a Samba domain controller, the new tools for managing user account and policy information include: + <code class="literal">smbpasswd</code>, <code class="literal">pdbedit</code>, <code class="literal">net</code>, and <code class="literal">rpcclient</code>. + The administrator should read the man pages for these tools and become familiar with their use. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id425500"></a>System Startup and Logon Processing Overview</h2></div></div></div><p> +The following attempts to document the order of processing the system and user policies following a system +reboot and as part of the user logon: +</p><div class="orderedlist"><ol type="1"><li><p> +<a class="indexterm" name="id425520"></a> +<a class="indexterm" name="id425530"></a> + Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming + convention provider (MUP) start. + </p></li><li><p> +<a class="indexterm" name="id425544"></a> +<a class="indexterm" name="id425551"></a> + Where Active Directory is involved, an ordered list of GPOs is downloaded + and applied. The list may include GPOs that: +</p><div class="itemizedlist"><ul type="disc"><li><p>Apply to the location of machines in a directory.</p></li><li><p>Apply only when settings have changed.</p></li><li><p>Depend on configuration of the scope of applicability: local, + site, domain, organizational unit, and so on.</p></li></ul></div><p> + No desktop user interface is presented until the above have been processed. + </p></li><li><p> + Execution of startup scripts (hidden and synchronous by default). + </p></li><li><p> + A keyboard action to effect start of logon (Ctrl-Alt-Del). + </p></li><li><p> + User credentials are validated, user profile is loaded (depends on policy settings). + </p></li><li><p> + An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of: + +</p><div class="itemizedlist"><ul type="disc"><li><p>Is the user a domain member, thus subject to particular policies?</p></li><li><p>Loopback enablement, and the state of the loopback policy (merge or replace).</p></li><li><p>Location of the Active Directory itself.</p></li><li><p>Has the list of GPOs changed? No processing is needed if not changed.</p></li></ul></div><p> + </p></li><li><p> + User policies are applied from Active Directory. Note: There are several types. + </p></li><li><p> + Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs + (hidden and executed synchronously). NT4-style logon scripts are then run in a normal + window. + </p></li><li><p> + The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4 + domain), machine (system) policies are applied at startup; user policies are applied at logon. + </p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id425641"></a>Common Errors</h2></div></div></div><p> +Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following +collection demonstrates only basic issues. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id425652"></a>Policy Does Not Work</h3></div></div></div><p> +“<span class="quote">We have created the <code class="filename">Config.POL</code> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share. +It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not +work any longer since we upgraded to Win XP Pro. Any hints?</span>” +</p><p> +Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to +use the NT4 Group Policy Editor to create a file called <code class="filename">NTConfig.POL</code> so it is in the +correct format for your MS Windows XP Pro clients. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 25. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 27. Desktop Profile Management</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/Portability.html b/docs/htmldocs/Samba3-HOWTO/Portability.html new file mode 100644 index 0000000000..4cb32c4495 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/Portability.html @@ -0,0 +1,153 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 42. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="compiling.html" title="Chapter 41. How to Compile Samba"><link rel="next" href="Other-Clients.html" title="Chapter 43. Samba and Other CIFS Clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 42. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 42. Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Portability.html#id451523">HPUX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451618">SCO UNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451650">DNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451779">Red Hat Linux</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451818">AIX: Sequential Read Ahead</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451872">Solaris</a></span></dt><dd><dl><dt><span class="sect2"><a href="Portability.html#id451878">Locking Improvements</a></span></dt><dt><span class="sect2"><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id451507"></a> +<a class="indexterm" name="id451513"></a> +Samba works on a wide range of platforms, but the interface all the +platforms provide is not always compatible. This chapter contains +platform-specific information about compiling and using Samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451523"></a>HPUX</h2></div></div></div><p> +<a class="indexterm" name="id451531"></a> +<a class="indexterm" name="id451537"></a> +Hewlett-Packard's implementation of supplementary groups is nonstandard (for +historical reasons). There are two group files, <code class="filename">/etc/group</code> and +<code class="filename">/etc/logingroup</code>; the system maps UIDs to numbers using the former, but +initgroups() reads the latter. Most system admins who know the ropes +symlink <code class="filename">/etc/group</code> to <code class="filename">/etc/logingroup</code> +(hard-link does not work for reasons too obtuse to go into here). initgroups() will complain if one of the +groups you're in, in <code class="filename">/etc/logingroup</code>, has what it considers to be an invalid +ID, which means outside the range <code class="constant">[0..UID_MAX]</code>, where <code class="constant">UID_MAX</code> is +60000 currently on HP-UX. This precludes -2 and 65534, the usual <code class="constant">nobody</code> +GIDs. +</p><p> +If you encounter this problem, make sure the programs that are failing +to initgroups() are run as users, not in any groups with GIDs outside the +allowed range. +</p><p> +This is documented in the HP manual pages under setgroups(2) and passwd(4). +</p><p> +<a class="indexterm" name="id451601"></a> +<a class="indexterm" name="id451608"></a> +On HP-UX you must use gcc or the HP ANSI compiler. The free compiler +that comes with HP-UX is not ANSI compliant and cannot compile Samba. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451618"></a>SCO UNIX</h2></div></div></div><p> +If you run an old version of SCO UNIX, you may need to get important +TCP/IP patches for Samba to work correctly. Without the patch, you may +encounter corrupt data transfers using Samba. +</p><p> +The patch you need is UOD385 Connection Drivers SLS. It is available from +SCO <a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS, +files uod385a.Z and uod385a.ltr.Z). +</p><p> +The information provided here refers to an old version of SCO UNIX. If you require +binaries for more recent SCO UNIX products, please contact SCO to obtain packages that are +ready to install. You should also verify with SCO that your platform is up to date for the +binary packages you will install. This is important if you wish to avoid data corruption +problems with your installation. To build Samba for SCO UNIX products may +require significant patching of Samba source code. It is much easier to obtain binary +packages directly from SCO. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451650"></a>DNIX</h2></div></div></div><p> +DNIX has a problem with seteuid() and setegid(). These routines are +needed for Samba to work correctly, but they were left out of the DNIX +C library for some reason. +</p><p> +For this reason Samba by default defines the macro NO_EID in the DNIX +section of includes.h. This works around the problem in a limited way, +but it is far from ideal, and some things still will not work right. +</p><p> +To fix the problem properly, you need to assemble the following two +functions and then either add them to your C library or link them into +Samba. Put the following in the file <code class="filename">setegid.s</code>: +</p><pre class="programlisting"> + .globl _setegid +_setegid: + moveq #47,d0 + movl #100,a0 + moveq #1,d1 + movl 4(sp),a1 + trap #9 + bccs 1$ + jmp cerror +1$: + clrl d0 + rts +</pre><p> +Put this in the file <code class="filename">seteuid.s</code>: +</p><pre class="programlisting"> + .globl _seteuid +_seteuid: + moveq #47,d0 + movl #100,a0 + moveq #0,d1 + movl 4(sp),a1 + trap #9 + bccs 1$ + jmp cerror +1$: + clrl d0 + rts +</pre><p> +After creating the files, you then assemble them using +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>as seteuid.s</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>as setegid.s</code></strong> +</pre><p> +which should produce the files <code class="filename">seteuid.o</code> and +<code class="filename">setegid.o</code>. +</p><p> +Next you need to add these to the LIBSM line in the DNIX section of +the Samba Makefile. Your LIBSM line will look something like this: +</p><pre class="programlisting"> +LIBSM = setegid.o seteuid.o -ln +</pre><p> +You should then remove the line: +</p><pre class="programlisting"> +#define NO_EID +</pre><p>from the DNIX section of <code class="filename">includes.h</code>.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451779"></a>Red Hat Linux</h2></div></div></div><p> +By default during installation, some versions of Red Hat Linux add an +entry to <code class="filename">/etc/hosts</code> as follows: +</p><pre class="programlisting"> +127.0.0.1 loopback "hostname"."domainname" +</pre><p> +</p><p> +<a class="indexterm" name="id451803"></a> +This causes Samba to loop back onto the loopback interface. +The result is that Samba fails to communicate correctly with +the world and therefore may fail to correctly negotiate who +is the master browse list holder and who is the master browser. +</p><p> +Corrective action: Delete the entry after the word "loopback" +in the line starting 127.0.0.1. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451818"></a>AIX: Sequential Read Ahead</h2></div></div></div><p> +Disabling sequential read ahead can improve Samba performance significantly +when there is a relatively high level of multiprogramming (many smbd processes +or mixed with another workload), not an abundance of physical memory or slower +disk technology. These can cause AIX to have a higher WAIT values. Disabling +sequential read-ahead can also have an adverse affect on other workloads in the +system so you will need to evaluate other applications for impact. +</p><p> +It is recommended to use the defaults provided by IBM, but if you experience a +high amount of wait time, try disabling read-ahead with the following commands: +</p><p> +For AIX 5.1 and earlier: <strong class="userinput"><code>vmtune -r 0</code></strong> +</p><p> +For AIX 5.2 and later jfs filesystems: <strong class="userinput"><code>ioo -o minpgahead=0</code></strong> +</p><p> +For AIX 5.2 and later jfs2 filesystems: <strong class="userinput"><code>ioo -o j2_minPageReadAhead=0</code></strong> +</p><p> +If you have a mix of jfs and jfs2 filesystems on the same host, simply use both +ioo commands. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451872"></a>Solaris</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id451878"></a>Locking Improvements</h3></div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl +when running Samba on Solaris. The built-in file-locking mechanism was +not scalable. Performance would degrade to the point where processes would +get into loops of trying to lock a file. It would try a lock, then fail, +then try again. The lock attempt was failing before the grant was +occurring. The visible manifestation of this was a handful of +processes stealing all of the CPU, and when they were trussed, they would +be stuck in F_SETLKW64 loops. +</p><p> +Please check with Sun support for current patches needed to fix this bug. +The patch revision for 2.6 is 105181-34, for 8 is 108528-19, and for 9 is 112233-04. +After the installation of these patches, it is recommended to reconfigure +and rebuild Samba. +</p><p>Thanks to Joe Meslovich for reporting this.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div></div><p> +Nsswitch on Solaris 9 refuses to use the Winbind NSS module. This behavior +is fixed by Sun in patch <a href="http://sunsolve.sun.com/search/advsearch.do?collection=PATCH&type=collections&max=50&language=en&queryKey5=112960;rev=14&toDocument=yes" target="_top">112960-14</a>. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. How to Compile Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 43. Samba and Other CIFS Clients</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html b/docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html new file mode 100644 index 0000000000..1a5e47470e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html @@ -0,0 +1,644 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 27. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 27. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 27. Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ProfileMgmt.html#id425731">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id425774">Roaming Profiles</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id425822">Samba Configuration for Profile Handling</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426376">Windows Client Profile Configuration Information</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427615">User Profile Hive Cleanup Service</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427726">Profile Migration from Windows NT4/200x Server to Samba</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id428249">Default Profile for Windows Users</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id428275">MS Windows 9x/Me</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id429398">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id429408">Configuring Roaming Profiles for a Few Users or Groups</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429461">Cannot Use Roaming Profiles</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429610">Changing the Default Profile</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429770">Debugging Roaming Profiles and NT4-style Domain Policies</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id425731"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id425739"></a> +Roaming profiles are feared by some, hated by a few, loved by many, and a godsend for +some administrators. +</p><p> +<a class="indexterm" name="id425750"></a> +Roaming profiles allow an administrator to make available a consistent user desktop +as the user moves from one machine to another. This chapter provides much information +regarding how to configure and manage roaming profiles. +</p><p> +<a class="indexterm" name="id425762"></a> +While roaming profiles might sound like nirvana to some, they are a real and tangible +problem to others. In particular, users of mobile computing tools, where often there may not +be a sustained network connection, are often better served by purely local profiles. +This chapter provides information to help the Samba administrator deal with those +situations. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id425774"></a>Roaming Profiles</h2></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x. +</p></div><p> +Before discussing how to configure roaming profiles, it is useful to see how +Windows 9x/Me and Windows NT4/200x clients implement these features. +</p><p> +<a class="indexterm" name="id425793"></a> +Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. This means that Windows 9x/Me +profiles are restricted to being stored in the user's home directory. +</p><p> +<a class="indexterm" name="id425806"></a> +<a class="indexterm" name="id425813"></a> +Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields +including a separate field for the location of the user's profiles. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id425822"></a>Samba Configuration for Profile Handling</h3></div></div></div><p> +This section documents how to configure Samba for MS Windows client profile support. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id425832"></a>NT4/200x User Profiles</h4></div></div></div><p> +For example, to support Windows NT4/200x clients, set the following in the [global] section of the <code class="filename">smb.conf</code> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id425853"></a><em class="parameter"><code>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</code></em></td></tr></table><p> +This is typically implemented like: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id425874"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr></table><p> +where “<span class="quote">%L</span>” translates to the name of the Samba server and “<span class="quote">%U</span>” translates to the username. +</p><p> +The default for this option is <code class="filename">\\%N\%U\profile</code>, namely, <code class="filename">\\sambaserver\username\profile</code>. +The <code class="filename">\\%N\%U</code> service is created automatically by the [homes] service. If you are using +a Samba server for the profiles, you must make the share that is specified in the logon path +browseable. Please refer to the man page for <code class="filename">smb.conf</code> regarding the different +semantics of “<span class="quote">%L</span>” and “<span class="quote">%N</span>”, as well as “<span class="quote">%U</span>” and “<span class="quote">%u</span>”. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id425942"></a> +<a class="indexterm" name="id425948"></a> +MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended +to not use the <em class="parameter"><code>homes</code></em> metaservice name as part of the profile share path. +</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id425965"></a>Windows 9x/Me User Profiles</h4></div></div></div><p> +<a class="indexterm" name="id425973"></a> +<a class="indexterm" name="id425979"></a> +To support Windows 9x/Me clients, you must use the <a class="indexterm" name="id425987"></a>logon home +parameter. Samba has been fixed so <strong class="userinput"><code>net use /home</code></strong> now works as well and it, too, relies +on the <em class="parameter"><code>logon home</code></em> parameter. +</p><p> +<a class="indexterm" name="id426010"></a> +<a class="indexterm" name="id426016"></a> +<a class="indexterm" name="id426023"></a> +By using the <em class="parameter"><code>logon home</code></em> parameter, you are restricted to putting Windows 9x/Me profiles +in the user's home directory. But wait! There is a trick you can use. If you set the following in the +<em class="parameter"><code>[global]</code></em> section of your <code class="filename">smb.conf</code> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id426055"></a><em class="parameter"><code>logon home = \\%L\%U\.profiles</code></em></td></tr></table><p> +then your Windows 9x/Me clients will dutifully put their clients in a subdirectory +of your home directory called <code class="filename">.profiles</code> (making them hidden). +</p><p> +<a class="indexterm" name="id426078"></a> +Not only that, but <strong class="userinput"><code>net use /home</code></strong> will also work because of a feature in +Windows 9x/Me. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified <code class="filename">\\%L\%U</code> for <a class="indexterm" name="id426099"></a>logon home. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id426108"></a>Mixed Windows Windows 9x/Me and NT4/200x User Profiles</h4></div></div></div><p> +You can support profiles for Windows 9x and Windows NT clients by setting both the +<a class="indexterm" name="id426117"></a>logon home and <a class="indexterm" name="id426124"></a>logon path parameters. For example, +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id426138"></a><em class="parameter"><code>logon home = \\%L\%U\.profiles</code></em></td></tr><tr><td><a class="indexterm" name="id426151"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr></table><p> +<a class="indexterm" name="id426166"></a> +Windows 9x/Me and NT4 and later profiles should not be stored in the same location because +Windows NT4 and later will experience problems with mixed profile environments. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id426176"></a>Disabling Roaming Profile Support</h4></div></div></div><p> +<a class="indexterm" name="id426184"></a> +The question often asked is, “<span class="quote">How may I enforce use of local profiles?</span>” or +“<span class="quote">How do I disable roaming profiles?</span>” +</p><p> +<a class="indexterm" name="id426202"></a> +There are three ways of doing this: +</p><a class="indexterm" name="id426211"></a><div class="variablelist"><dl><dt><span class="term">In <code class="filename">smb.conf</code></span></dt><dd><p> + Affect the following settings and ALL clients will be forced to use a local profile: + <a class="indexterm" name="id426237"></a>logon home = and <a class="indexterm" name="id426244"></a>logon path = + </p><p> + The arguments to these parameters must be left blank. It is necessary to include the <code class="constant">=</code> sign + to specifically assign the empty value. + </p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p> +<a class="indexterm" name="id426270"></a> +<a class="indexterm" name="id426276"></a> + Use the Microsoft Management Console (MMC) <code class="literal">gpedit.msc</code> to instruct your MS Windows XP + machine to use only a local profile. This, of course, modifies registry settings. The full + path to the option is: +</p><pre class="screen"> +Local Computer Policy\ + Computer Configuration\ + Administrative Templates\ + System\ + User Profiles\ + +Disable: Only Allow Local User Profiles +Disable: Prevent Roaming Profile Change from Propagating to the Server +</pre><p> + </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>From the start menu right-click on the <span class="guiicon">My Computer</span> icon, + select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span> + tab, select the profile you wish to change from + <span class="guimenu">Roaming</span> type to <span class="guimenu">Local</span>, and click on + <span class="guibutton">Change Type</span>. + </p></dd></dl></div><p> +Consult the MS Windows registry guide for your particular MS Windows version for more information +about which registry keys to change to enforce use of only local user profiles. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id426364"></a> +The specifics of how to convert a local profile to a roaming profile, or a roaming profile +to a local one, vary according to the version of MS Windows you are running. Consult the Microsoft MS +Windows Resource Kit for your version of Windows for specific information. +</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id426376"></a>Windows Client Profile Configuration Information</h3></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id426382"></a>Windows 9x/Me Profile Setup</h4></div></div></div><p> +When a user first logs in on Windows 9x, the file user.DAT is created, as are folders <code class="filename">Start +Menu</code>, <code class="filename">Desktop</code>, <code class="filename">Programs</code>, and +<code class="filename">Nethood</code>. These directories and their contents will be merged with the local versions +stored in <code class="filename">c:\windows\profiles\username</code> on subsequent logins, taking the most recent from +each. You will need to use the <em class="parameter"><code>[global]</code></em> options <a class="indexterm" name="id426427"></a>preserve case = yes, <a class="indexterm" name="id426434"></a>short preserve case = yes, and <a class="indexterm" name="id426442"></a>case sensitive = no in order to maintain capital letters in shortcuts in any of the +profile folders. +</p><p> +<a class="indexterm" name="id426452"></a> +<a class="indexterm" name="id426459"></a> +The <code class="filename">user.DAT</code> file contains all the user's preferences. If you wish to enforce a set of preferences, +rename their <code class="filename">user.DAT</code> file to <code class="filename">user.MAN</code>, and deny them write access to this file. +</p><div class="orderedlist"><ol type="1"><li><p> + On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> -> + <span class="guimenuitem">Passwords</span> and select the <span class="guilabel">User Profiles</span> tab. + Select the required level of roaming preferences. Press <span class="guibutton">OK</span>, but do not + allow the computer to reboot. + </p></li><li><p> + On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> -> + <span class="guimenuitem">Network</span> -> <span class="guimenuitem">Client for Microsoft Networks</span> + -> <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to NT Domain</span>. Then, + ensure that the Primary Logon is <span class="guilabel">Client for Microsoft Networks</span>. Press + <span class="guibutton">OK</span>, and this time allow the computer to reboot. + </p></li></ol></div><p> +<a class="indexterm" name="id426577"></a> +<a class="indexterm" name="id426584"></a> +<a class="indexterm" name="id426590"></a> +<a class="indexterm" name="id426597"></a> +Under Windows 9x/Me, profiles are downloaded from the Primary Logon. If you have the Primary Logon +as “<span class="quote">Client for Novell Networks</span>”, then the profiles and logon script will be downloaded from +your Novell server. If you have the Primary Logon as “<span class="quote">Windows Logon</span>”, then the profiles will +be loaded from the local machine a bit against the concept of roaming profiles, it would seem! +</p><p> +<a class="indexterm" name="id426620"></a> +You will now find that the Microsoft Networks Login box contains <code class="constant">[user, password, domain]</code> instead +of just <code class="constant">[user, password]</code>. Type in the Samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this domain and profiles downloaded from it +if that domain logon server supports it), user name and user's password. +</p><p> +Once the user has been successfully validated, the Windows 9x/Me machine informs you that +<code class="computeroutput">The user has not logged on before</code> and asks <code class="computeroutput">Do you +wish to save the user's preferences?</code> Select <span class="guibutton">Yes</span>. +</p><p> +Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the +contents of the directory specified in the <a class="indexterm" name="id426664"></a>logon path on +the Samba server and verify that the <code class="filename">Desktop</code>, <code class="filename">Start Menu</code>, +<code class="filename">Programs</code>, and <code class="filename">Nethood</code> folders have been created. +</p><p> +<a class="indexterm" name="id426698"></a> +<a class="indexterm" name="id426704"></a> +<a class="indexterm" name="id426711"></a> +These folders will be cached locally on the client and updated when the user logs off (if +you haven't made them read-only by then). You will find that if the user creates further folders or +shortcuts, the client will merge the profile contents downloaded with the contents of the profile +directory already on the local client, taking the newest folders and shortcut from each set. +</p><p> +<a class="indexterm" name="id426725"></a> +<a class="indexterm" name="id426731"></a> +<a class="indexterm" name="id426738"></a> +<a class="indexterm" name="id426745"></a> +If you have made the folders/files read-only on the Samba server, then you will get errors from +the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile. +Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions +and ownership rights on the profile directory contents, on the Samba server. +</p><p> +<a class="indexterm" name="id426758"></a> +<a class="indexterm" name="id426765"></a> +<a class="indexterm" name="id426772"></a> +<a class="indexterm" name="id426779"></a> +<a class="indexterm" name="id426786"></a> +If you have problems creating user profiles, you can reset the user's local desktop cache, as shown below. +When this user next logs in, the user will be told that he/she is logging in “<span class="quote">for the first +time</span>”. +</p><div class="orderedlist"><ol type="1"><li><p> + Instead of logging in under the [user, password, domain] dialog, press <span class="guibutton">escape</span>. + </p></li><li><p> + Run the <code class="literal">regedit.exe</code> program, and look in: + </p><p> + <code class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</code> + </p><p> + You will find an entry for each user of ProfilePath. Note the contents of this key + (likely to be <code class="filename">c:\windows\profiles\username</code>), then delete the key + <em class="parameter"><code>ProfilePath</code></em> for the required user. + </p></li><li><p> + Exit the registry editor. + </p></li><li><p> + Search for the user's .PWL password-caching file in the <code class="filename">c:\windows</code> directory, and delete it. + </p></li><li><p> + Log off the Windows 9x/Me client. + </p></li><li><p> + Check the contents of the profile path (see <a class="indexterm" name="id426880"></a>logon path + described above) and delete the <code class="filename">user.DAT</code> or <code class="filename">user.MAN</code> + file for the user, making a backup if required. + </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +<a class="indexterm" name="id426905"></a> +Before deleting the contents of the directory listed in the <em class="parameter"><code>ProfilePath</code></em> +(this is likely to be <code class="filename">c:\windows\profiles\username)</code>, ask whether the owner has +any important files stored on his or her desktop or start menu. Delete the contents of the +directory <em class="parameter"><code>ProfilePath</code></em> (making a backup if any of the files are needed). +</p><p> +This will have the effect of removing the local (read-only hidden system file) <code class="filename">user.DAT</code> +in their profile directory, as well as the local “<span class="quote">desktop,</span>” “<span class="quote">nethood,</span>” +“<span class="quote">start menu,</span>” and “<span class="quote">programs</span>” folders. +</p></div><p> +<a class="indexterm" name="id426960"></a> +<a class="indexterm" name="id426967"></a> +<a class="indexterm" name="id426974"></a> +<a class="indexterm" name="id426980"></a> +If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet +sniffer program such as ethereal or <code class="literal">netmon.exe</code>, and look for error messages. +</p><p> +<a class="indexterm" name="id426998"></a> +<a class="indexterm" name="id427004"></a> +If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or +netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces +provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id427016"></a>Windows NT4 Workstation</h4></div></div></div><p> +When a user first logs in to a Windows NT workstation, the profile NTuser.DAT is created. The profile +location can be now specified through the <a class="indexterm" name="id427025"></a>logon path parameter. +</p><p> +There is a parameter that is now available for use with NT Profiles: <a class="indexterm" name="id427036"></a>logon drive. +This should be set to <code class="filename">H:</code> or any other drive, and should be used in conjunction with +the new <a class="indexterm" name="id427049"></a>logon home parameter. +</p><p> +<a class="indexterm" name="id427060"></a> +<a class="indexterm" name="id427066"></a> +The entry for the NT4 profile is a directory, not a file. The NT help on profiles mentions that a +directory is also created with a .PDS extension. The user, while logging in, must have write permission +to create the full profile path (and the folder with the .PDS extension for those situations where it +might be created). +</p><p> +<a class="indexterm" name="id427079"></a> +In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates +<code class="filename">Application Data</code> and others, as well as <code class="filename">Desktop</code>, +<code class="filename">Nethood</code>, <code class="filename">Start Menu,</code> and <code class="filename">Programs</code>. +The profile itself is stored in a file <code class="filename">NTuser.DAT</code>. Nothing appears to be stored +in the .PDS directory, and its purpose is currently unknown. +</p><p> +<a class="indexterm" name="id427127"></a> +<a class="indexterm" name="id427134"></a> +You can use the <span class="application">System Control Panel</span> to copy a local profile onto +a Samba server (see NT help on profiles; it is also capable of firing up the correct location in the +<span class="application">System Control Panel</span> for you). The NT help file also mentions that renaming +<code class="filename">NTuser.DAT</code> to <code class="filename">NTuser.MAN</code> turns a profile into a mandatory one. +</p><p> +The case of the profile is significant. The file must be called <code class="filename">NTuser.DAT</code> +or, for a mandatory profile, <code class="filename">NTuser.MAN</code>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id427184"></a>Windows 2000/XP Professional</h4></div></div></div><p> +You must first convert the profile from a local profile to a domain profile on the MS Windows +workstation as follows: </p><div class="procedure"><ol type="1"><li><p> Log on as the <span class="emphasis"><em>local</em></span> workstation administrator. </p></li><li><p> Right-click on the <span class="guiicon">My Computer</span> icon, and select + <span class="guimenuitem">Properties</span>.</p></li><li><p> Click on the <span class="guilabel">User Profiles</span> tab.</p></li><li><p> Select the profile you wish to convert (click it once).</p></li><li><p> Click on the <span class="guibutton">Copy To</span> button.</p></li><li><p> In the <span class="guilabel">Permitted to use</span> box, click on the + <span class="guibutton">Change</span> button. </p></li><li><p> Click on the <span class="guilabel">Look in</span> area that lists the machine name. When you click here, it will + open up a selection box. Click on the domain to which the profile must be accessible. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. + For example, connect as <em class="replaceable"><code>DOMAIN</code></em>\root, password: + <em class="replaceable"><code>mypassword</code></em>.</p></div></li><li><p> To make the profile capable of being used by anyone, select “<span class="quote">Everyone</span>”. </p></li><li><p> Click on <span class="guibutton">OK</span> and the Selection box will close. </p></li><li><p> Now click on <span class="guibutton">OK</span> to create the profile in the path + you nominated. </p></li></ol></div><p> +Done. You now have a profile that can be edited using the Samba <code class="literal">profiles</code> tool. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail +data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable. +</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id427357"></a>Windows XP Service Pack 1</h5></div></div></div><p> + There is a security check new to Windows XP (or maybe only Windows XP service pack 1). + It can be disabled via a group policy in the Active Directory. The policy is called: +</p><pre class="screen"> +Computer Configuration\Administrative Templates\System\User Profiles\ + Do not check for user ownership of Roaming Profile Folders +</pre><p> + </p><p> + This should be set to <code class="constant">Enabled</code>. + </p><p> + Does the new version of Samba have an Active Directory analogue? If so, then you may be able to set the policy through this. + </p><p>If you cannot set group policies in Samba, then you may be able to set the policy locally on + each machine. If you want to try this, then do the following: + </p><div class="procedure"><ol type="1"><li><p>On the XP workstation, log in with an administrative account.</p></li><li><p>Click on <span class="guimenu">Start</span> -> <span class="guimenuitem">Run</span>.</p></li><li><p>Type <code class="literal">mmc</code>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click on <span class="guimenu">File</span> -> <span class="guimenuitem">Add/Remove Snap-in</span> -> <span class="guimenuitem">Add</span>.</p></li><li><p>Double-click on <span class="guiicon">Group Policy</span>.</p></li><li><p>Click on <span class="guibutton">Finish</span> -> <span class="guibutton">Close</span>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>In the “<span class="quote">Console Root</span>” window expand <span class="guiicon">Local Computer Policy</span> -> + <span class="guiicon">Computer Configuration</span> -> <span class="guiicon">Administrative Templates</span> -> + <span class="guiicon">System</span> -> <span class="guiicon">User Profiles</span>.</p></li><li><p>Double-click on <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span>.</p></li><li><p>Select <span class="guilabel">Enabled</span>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>Close the whole console. You do not need to save the settings (this refers to the + console settings rather than the policies you have changed).</p></li><li><p>Reboot.</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id427615"></a>User Profile Hive Cleanup Service</h3></div></div></div><p> +There are certain situations that cause a cached local copy of roaming profile not to be deleted on exit, even if +the policy to force such deletion is set. To deal with that situation, a special service was created. The application +<code class="literal">UPHClean</code> (User Profile Hive Cleanup) can be installed as a service on Windows NT4/2000/XP Professional +and Windows 2003. +</p><p> +The UPHClean software package can be downloaded from the User Profile Hive Cleanup +Service<sup>[<a name="id427636" href="#ftn.id427636">7</a>]</sup> +web site. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id427643"></a>Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</h3></div></div></div><p> +<a class="indexterm" name="id427651"></a> +<a class="indexterm" name="id427658"></a> +Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an +evolving phenomenon, and profiles for later versions of MS Windows clients add features that may interfere +with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is +that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite +information that belongs to the newer version, resulting in loss of profile information content when that +user logs on again with the newer version of MS Windows. +</p><p> +If you then want to share the same Start Menu and Desktop with Windows 9x/Me, you must specify a common +location for the profiles. The <code class="filename">smb.conf</code> parameters that need to be common are +<a class="indexterm" name="id427680"></a>logon path and <a class="indexterm" name="id427688"></a>logon home. +</p><p> +<a class="indexterm" name="id427698"></a> +<a class="indexterm" name="id427705"></a> +If you have this set up correctly, you will find separate <code class="filename">user.DAT</code> and +<code class="filename">NTuser.DAT</code> files in the same profile directory. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id427726"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div></div><p> +<a class="indexterm" name="id427734"></a> +There is nothing to stop you from specifying any path that you like for the location of users' profiles. +Therefore, you could specify that the profile be stored on a Samba server or any other SMB server, +as long as that SMB server supports encrypted passwords. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="profilemigrn"></a>Windows NT4 Profile Management Tools</h4></div></div></div><p> +<a class="indexterm" name="id427756"></a> +Unfortunately, the resource kit information is specific to the version of MS Windows NT4/200x. The +correct resource kit is required for each platform. +</p><p>Here is a quick guide:</p><div class="procedure"><a name="id427768"></a><p class="title"><b>Procedure 27.1. Profile Migration Procedure</b></p><ol type="1"><li><p> On your NT4 domain controller, right-click on <span class="guiicon">My Computer</span>, then select + <span class="guilabel">Properties</span>, then the tab labeled <span class="guilabel">User Profiles</span>. </p></li><li><p> Select a user profile you want to migrate and click on it. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term “<span class="quote">migrate</span>” loosely. You can copy a profile to create a group + profile. You can give the user <em class="parameter"><code>Everyone</code></em> rights to the profile you copy this to. That + is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4 + PDC.</p></div></li><li><p>Click on the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labeled <span class="guilabel">Copy Profile to</span> add your new path, such as, + <code class="filename">c:\temp\foobar</code></p></li><li><p>Click on <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group “<span class="quote">Everyone</span>”, click on <span class="guibutton">OK</span>. This + closes the “<span class="quote">choose user</span>” box.</p></li><li><p>Now click on <span class="guibutton">OK</span>.</p></li></ol></div><p> +Follow these steps for every profile you need to migrate. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id427910"></a>Side Bar Notes</h4></div></div></div><p> +<a class="indexterm" name="id427917"></a> +<a class="indexterm" name="id427924"></a> +You should obtain the SID of your NT4 domain. You can use the <code class="literal">net rpc info</code> to do this. +See <a href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">The Net Command Chapter</a>, <a href="NetCommand.html#netmisc1" title="Other Miscellaneous Operations">Other Miscellaneous Operations</a> for more information. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id427959"></a>moveuser.exe</h4></div></div></div><p> +<a class="indexterm" name="id427966"></a> +The Windows 200x professional resource kit has <code class="literal">moveuser.exe</code>. +<code class="literal">moveuser.exe</code> changes the security of a profile from one user to another. This allows the +account domain to change and/or the username to change. +</p><p> +This command is like the Samba <code class="literal">profiles</code> tool. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id427998"></a>Get SID</h4></div></div></div><p> +<a class="indexterm" name="id428006"></a> +<a class="indexterm" name="id428012"></a> +You can identify the SID by using <code class="literal">GetSID.exe</code> from the Windows NT Server 4.0 Resource Kit. +</p><p> +Windows NT 4.0 stores the local profile information in the registry under the following key: +<code class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</code> +</p><p> +Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged +on to this computer. (To find the profile information for the user whose locally cached profile you want +to move, find the SID for the user with the <code class="literal">GetSID.exe</code> utility.) Inside the appropriate user's subkey, +you will see a string value named <em class="parameter"><code>ProfileImagePath</code></em>. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id428058"></a>Mandatory Profiles</h2></div></div></div><p> +<a class="indexterm" name="id428066"></a> +A mandatory profile is a profile that the user does not have the ability to overwrite. During the +user's session, it may be possible to change the desktop environment; however, as the user logs out, all changes +made will be lost. If it is desired to not allow the user any ability to change the desktop environment, +then this must be done through policy settings. See <a href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account +Policies</a>. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id428087"></a> +<a class="indexterm" name="id428094"></a> +<a class="indexterm" name="id428101"></a> +Under NO circumstances should the profile directory (or its contents) be made read-only because this may +render the profile unusable. Where it is essential to make a profile read-only within the UNIX file system, +this can be done, but then you absolutely must use the <code class="literal">fake-permissions</code> VFS module to +instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user. See <a href="VFS.html#fakeperms" title="fake_perms">fake_perms VFS module</a>. +</p></div><p> +<a class="indexterm" name="id428127"></a> +<a class="indexterm" name="id428134"></a> +For MS Windows NT4/200x/XP, the procedure shown in <a href="ProfileMgmt.html#profilemigrn" title="Windows NT4 Profile Management Tools">Profile Migration from Windows +NT4/200x Server to Samba</a> can also be used to create mandatory profiles. To convert a group profile into +a mandatory profile, simply locate the <code class="filename">NTUser.DAT</code> file in the copied profile and rename +it to <code class="filename">NTUser.MAN</code>. +</p><p> +<a class="indexterm" name="id428165"></a> +For MS Windows 9x/Me, it is the <code class="filename">User.DAT</code> file that must be renamed to +<code class="filename">User.MAN</code> to effect a mandatory profile. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id428186"></a>Creating and Managing Group Profiles</h2></div></div></div><p> +<a class="indexterm" name="id428194"></a> +<a class="indexterm" name="id428201"></a> +<a class="indexterm" name="id428208"></a> +<a class="indexterm" name="id428215"></a> +Most organizations are arranged into departments. There is a nice benefit in this fact, since usually +most users in a department require the same desktop applications and the same desktop layout. MS +Windows NT4/200x/XP will allow the use of group profiles. A group profile is a profile that is created +first using a template (example) user. Then using the profile migration tool (see above), the profile is +assigned access rights for the user group that needs to be given access to the group profile. +</p><p> +<a class="indexterm" name="id428229"></a> +The next step is rather important. Instead of assigning a group profile to users (Using User Manager) +on a “<span class="quote">per-user</span>” basis, the group itself is assigned the now modified profile. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Be careful with group profiles. If the user who is a member of a group also has a personal +profile, then the result will be a fusion (merge) of the two. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id428249"></a>Default Profile for Windows Users</h2></div></div></div><p> +<a class="indexterm" name="id428257"></a> +<a class="indexterm" name="id428264"></a> +MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile +does not already exist. Armed with a knowledge of where the default profile is located on the Windows +workstation, and knowing which registry keys affect the path from which the default profile is created, +it is possible to modify the default profile to one that has been optimized for the site. This has +significant administrative advantages. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id428275"></a>MS Windows 9x/Me</h3></div></div></div><p> +<a class="indexterm" name="id428283"></a> +<a class="indexterm" name="id428290"></a> +To enable default per-use profiles in Windows 9x/Me, you can either use the <span class="application">Windows +98 System Policy Editor</span> or change the registry directly. +</p><p> +To enable default per-user profiles in Windows 9x/Me, launch the <span class="application">System Policy +Editor</span>, then select <span class="guimenu">File</span> -> <span class="guimenuitem">Open Registry</span>. +Next click on the <span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>, +select <span class="guilabel">User Profiles</span>, and click on the enable box. Remember to save the registry +changes. +</p><p> +<a class="indexterm" name="id428347"></a> +To modify the registry directly, launch the <span class="application">Registry Editor</span> +(<code class="literal">regedit.exe</code>) and select the hive <code class="filename">HKEY_LOCAL_MACHINE\Network\Logon</code>. +Now add a DWORD type key with the name “<span class="quote">User Profiles.</span>” To enable user profiles to set the value +to 1; to disable user profiles set it to 0. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id428378"></a>User Profile Handling with Windows 9x/Me</h4></div></div></div><p> +When a user logs on to a Windows 9x/Me machine, the local profile path, +<code class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</code>, is checked +for an existing entry for that user. +</p><p> +If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached +version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified +directory if the location has been modified) on the server for the user profile. If a profile exists +in both locations, the newer of the two is used. If the user profile exists on the server but does not +exist on the local machine, the profile on the server is downloaded and used. If the user profile only +exists on the local machine, that copy is used. +</p><p> +If a user profile is not found in either location, the default user profile from the Windows +9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming profile, +the changes are written to the user's profile on the server. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id428411"></a>MS Windows NT4 Workstation</h3></div></div></div><p> +On MS Windows NT4, the default user profile is obtained from the location +<code class="filename">%SystemRoot%\Profiles</code>, which in a default installation will translate to +<code class="filename">C:\Windows NT\Profiles</code>. Under this directory on a clean install, there will be three +directories: <code class="filename">Administrator</code>, <code class="filename">All +Users,</code> and <code class="filename">Default +User</code>. +</p><p> +The <code class="filename">All Users</code> directory contains menu settings that are common across all +system users. The <code class="filename">Default User</code> directory contains menu entries that are customizable +per user depending on the profile settings chosen/created. +</p><p> +When a new user first logs onto an MS Windows NT4 machine, a new profile is created from: +</p><div class="itemizedlist"><ul type="disc"><li><p>All Users settings.</p></li><li><p>Default User settings (contains the default <code class="filename">NTUser.DAT</code> file).</p></li></ul></div><p> +<a class="indexterm" name="id428492"></a> +When a user logs on to an MS Windows NT4 machine that is a member of a Microsoft security domain, +the following steps are followed for profile handling: +</p><div class="procedure"><ol type="1"><li><p> The user's account information that is obtained during the logon process + contains the location of the user's desktop profile. The profile path may be local to + the machine or it may be located on a network share. If there exists a profile at the + location of the path from the user account, then this profile is copied to the location + <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code>. This profile then inherits the settings + in the <code class="filename">All Users</code> profile in the <code class="filename">%SystemRoot%\Profiles</code> + location. </p></li><li><p> If the user account has a profile path, but at its location a profile does not + exist, then a new profile is created in the <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code> + directory from reading the <code class="filename">Default User</code> profile. </p></li><li><p> +<a class="indexterm" name="id428562"></a> +<a class="indexterm" name="id428569"></a> +<a class="indexterm" name="id428576"></a> +<a class="indexterm" name="id428583"></a> +<a class="indexterm" name="id428590"></a> + If the NETLOGON share on the authenticating server (logon server) contains + a policy file (<code class="filename">NTConfig.POL</code>), then its contents are applied to the + <code class="filename">NTUser.DAT</code>, which is applied to the <code class="filename">HKEY_CURRENT_USER</code> + part of the registry. + </p></li><li><p> When the user logs out, if the profile is set to be a roaming profile, it will be + written out to the location of the profile. The <code class="filename">NTuser.DAT</code> file is then + re-created from the contents of the <code class="filename">HKEY_CURRENT_USER</code> contents. Thus, + should there not exist in the NETLOGON share an <code class="filename">NTConfig.POL</code> at the next + logon, the effect of the previous <code class="filename">NTConfig.POL</code> will still be held in the + profile. The effect of this is known as tattooing. + </p></li></ol></div><p> +MS Windows NT4 profiles may be <span class="emphasis"><em>local</em></span> or <span class="emphasis"><em>roaming</em></span>. A local +profile is stored in the <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code> location. A roaming +profile will also remain stored in the same way, unless the following registry key is created: +</p><pre class="screen"> +HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ +winlogon\"DeleteRoamingCache"=dword:0000000 +</pre><p> +In this case, the local copy (in <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code>) will be deleted +on logout. +</p><p> +<a class="indexterm" name="id428688"></a> +Under MS Windows NT4, default locations for common resources like <code class="filename">My Documents</code> +may be redirected to a network share by modifying the following registry keys. These changes may be +made via use of the System Policy Editor. To do so may require that you create your own template +extension for the Policy Editor to allow this to be done through the GUI. Another way to do this is by +first creating a default user profile, then while logged in as that user, running <code class="literal">regedt32</code> to edit +the key settings. +</p><p> +The Registry Hive key that affects the behavior of folders that are part of the default user +profile are controlled by entries on Windows NT4 is: +</p><pre class="screen"> +HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders +</pre><p> +<a class="indexterm" name="id428722"></a> +</p><p> The above hive key contains a list of automatically managed +folders. The default entries are shown in <a href="ProfileMgmt.html#ProfileLocs" title="Table 27.1. User Shell Folder Registry Keys Default Values">the next table</a>. +</p><div class="table"><a name="ProfileLocs"></a><p class="title"><b>Table 27.1. User Shell Folder Registry Keys Default Values</b></p><div class="table-contents"><table summary="User Shell Folder Registry Keys Default Values" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu </td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div></div><br class="table-break"><p> The registry key that contains the location of the default profile settings is: +</p><pre class="screen"> +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ +User Shell Folders +</pre><p> +</p><p> +The default entries are shown in <a href="ProfileMgmt.html#regkeys" title="Table 27.2. Defaults of Profile Settings Registry Keys">Defaults of Profile Settings Registry Keys</a>. +</p><div class="table"><a name="regkeys"></a><p class="title"><b>Table 27.2. Defaults of Profile Settings Registry Keys</b></p><div class="table-contents"><table summary="Defaults of Profile Settings Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><tbody><tr><td align="left">Common Desktop</td><td align="left">%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td align="left">Common Programs</td><td align="left">%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td align="left">Common Start Menu</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td align="left">Common Startup</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id428936"></a>MS Windows 200x/XP</h3></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id428945"></a> +<a class="indexterm" name="id428952"></a> +<a class="indexterm" name="id428959"></a> +<a class="indexterm" name="id428965"></a> +MS Windows XP Home Edition does use default per-user profiles, but cannot participate +in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only +from itself. While there are benefits in doing this, the beauty of those MS Windows clients that +can participate in domain logon processes is that they allow the administrator to create a global default +profile and enforce it through the use of Group Policy Objects (GPOs). +</p></div><p> +<a class="indexterm" name="id428979"></a> +When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from +<code class="filename">C:\Documents and Settings\Default User</code>. The administrator can modify or change the +contents of this location, and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement, +since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. +</p><p> +<a class="indexterm" name="id428998"></a> +When MS Windows 200x/XP participates in a domain security context, and if the default user profile is not +found, then the client will search for a default profile in the NETLOGON share of the authenticating server. +In MS Windows parlance, it is <code class="filename">%LOGONSERVER%\NETLOGON\Default User,</code> +and if one exists there, it will copy this to the workstation in the <code class="filename">C:\Documents and +Settings\</code> under the Windows login name of the use. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> This path translates, in Samba parlance, to the <code class="filename">smb.conf</code> +<em class="parameter"><code>[NETLOGON]</code></em> share. The directory should be created at the root +of this share and must be called <code class="filename">Default User</code>. +</p></div><p> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local +default profile. </p><p> On logging out, the user's desktop profile is stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created or passed to the client +during the login process (as Samba does automatically), then the user's profile is written to the +local machine only under the path <code class="filename">C:\Documents and Settings\%USERNAME%</code>. </p><p> Those wishing to modify the default behavior can do so through these three methods: </p><div class="itemizedlist"><ul type="disc"><li><p> Modify the registry keys on the local machine manually and place the new + default profile in the NETLOGON share root. This is not recommended because it is maintenance intensive. + </p></li><li><p> Create an NT4-style NTConfig.POL file that specifies this behavior and locate + this file in the root of the NETLOGON share along with the new default profile. </p></li><li><p> Create a GPO that enforces this through Active Directory, and place the new + default profile in the NETLOGON share. </p></li></ul></div><p>The registry hive key that affects the behavior of folders that are part of the default user +profile are controlled by entries on Windows 200x/XP is: </p><p> <code class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell +Folders\</code> </p><p> +This hive key contains a list of automatically managed folders. The default entries are shown +in <a href="ProfileMgmt.html#defregpthkeys" title="Table 27.3. Defaults of Default User Profile Paths Registry Keys">the next table</a> +<a class="indexterm" name="id429118"></a> +</p><div class="table"><a name="defregpthkeys"></a><p class="title"><b>Table 27.3. Defaults of Default User Profile Paths Registry Keys</b></p><div class="table-contents"><table summary="Defaults of Default User Profile Paths Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Cache</td><td align="left">%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td align="left">Cookies</td><td align="left">%USERPROFILE%\Cookies</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">History</td><td align="left">%USERPROFILE%\Local Settings\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td align="left">Local Settings</td><td align="left">%USERPROFILE%\Local Settings</td></tr><tr><td align="left">My Pictures</td><td align="left">%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">Personal</td><td align="left">%USERPROFILE%\My Documents</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu</td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td align="left">Templates</td><td align="left">%USERPROFILE%\Templates</td></tr></tbody></table></div></div><br class="table-break"><p> There is also an entry called “<span class="quote">Default</span>” that has no value set. The default entry is +of type <code class="constant">REG_SZ</code>; all the others are of type <code class="constant">REG_EXPAND_SZ</code>. </p><p> It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will not be necessary to write +the Outlook PST file over the network for every login and logout. </p><p> +To set this to a network location, you could use the following examples: +</p><pre class="screen"> +%LOGONSERVER%\%USERNAME%\Default Folders +</pre><p> +This stores the folders in the user's home directory under a directory called <code class="filename">Default +Folders</code>. You could also use: +</p><pre class="screen"> +\\<em class="replaceable"><code>SambaServer</code></em>\<em class="replaceable"><code>FolderShare</code></em>\%USERNAME% +</pre><p> +</p><p> +in which case the default folders are stored in the server named <em class="replaceable"><code>SambaServer</code></em> +in the share called <em class="replaceable"><code>FolderShare</code></em> under a directory that has the name of the +MS Windows user as seen by the Linux/UNIX file system. </p><p> Please note that once you have created a default profile share, you <span class="emphasis"><em>must</em></span> migrate a user's profile +(default or custom) to it. </p><p> MS Windows 200x/XP profiles may be <span class="emphasis"><em>local</em></span> or <span class="emphasis"><em>roaming</em></span>. + A roaming profile is cached locally unless the following registry key is created: + +<a class="indexterm" name="id429375"></a> +</p><p> </p><pre class="programlisting"> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ + winlogon\"DeleteRoamingCache"=dword:00000001</pre><p> +In this case, the local cache copy is deleted on logout. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id429398"></a>Common Errors</h2></div></div></div><p> +The following are some typical errors, problems, and questions that have been asked on the Samba mailing lists. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id429408"></a>Configuring Roaming Profiles for a Few Users or Groups</h3></div></div></div><p> +With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a +global-only setting. The default is to have roaming profiles, and the default path will locate them in +the user's home directory. +</p><p> +If disabled globally, then no one will have roaming profile ability. If enabled and you want it +to apply only to certain machines, then on those machines on which roaming profile support is not wanted, +it is necessary to disable roaming profile handling in the registry of each such machine. +</p><p> +With Samba-3, you can have a global profile setting in <code class="filename">smb.conf</code>, and you can override this by +per-user settings using the Domain User Manager (as with MS Windows NT4/200x). </p><p> In any case, you can configure only one profile per user. That profile can be either: </p><div class="itemizedlist"><ul type="disc"><li><p>A profile unique to that user.</p></li><li><p>A mandatory profile (one the user cannot change).</p></li><li><p>A group profile (really should be mandatory that is, unchangable).</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id429461"></a>Cannot Use Roaming Profiles</h3></div></div></div><p> A user requested the following: “<span class="quote"> I do not want roaming profiles to be implemented. I want +to give users a local profile alone. I am totally lost with this error. For the past +two days I tried everything, I googled around but found no useful pointers. Please help me. </span>”</p><p> The choices are: </p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p> I know of no registry keys that will allow + autodeletion of LOCAL profiles on log out.</p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p> As a user logs onto the network, a centrally + stored profile is copied to the workstation to form a local profile. This local profile + will persist (remain on the workstation disk) unless a registry key is changed that will + cause this profile to be automatically deleted on logout. </p></dd></dl></div><p>The roaming profile choices are: </p><div class="variablelist"><dl><dt><span class="term">Personal roaming profiles</span></dt><dd><p> These are typically stored in + a profile share on a central (or conveniently located local) server. </p><p> Workstations cache (store) a local copy of the profile. This cached + copy is used when the profile cannot be downloaded at next logon. </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>These are loaded from a central profile + server.</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p> Mandatory profiles can be created for + a user as well as for any group that a user is a member of. Mandatory profiles cannot be + changed by ordinary users. Only the administrator can change or reconfigure a mandatory + profile. </p></dd></dl></div><p> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are +most often part of the profile and can be many gigabytes in size. On average (in a well controlled environment), +roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined +environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a +workstation, but they harvest the fruits of folly (and ignorance). </p><p> The point of this discussion is to show that roaming profiles and good controls of how they can be +changed as well as good discipline make for a problem-free site. </p><p> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This +removes the need for a PST file. </p><p>Local profiles mean: </p><div class="itemizedlist"><ul type="disc"><li><p>If each machine is used by many users, then much local disk storage is needed + for local profiles.</p></li><li><p>Every workstation the user logs into has + its own profile; these can be very different from machine to machine.</p></li></ul></div><p> On the other hand, use of roaming profiles means: </p><div class="itemizedlist"><ul type="disc"><li><p>The network administrator can control the desktop environment of all users.</p></li><li><p>Use of mandatory profiles drastically reduces network management overheads.</p></li><li><p>In the long run, users will experience fewer problems.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id429610"></a>Changing the Default Profile</h3></div></div></div><p>“<span class="quote">When the client logs onto the domain controller, it searches +for a profile to download. Where do I put this default profile?</span>”</p><p> +<a class="indexterm" name="id429624"></a> +First, the Samba server needs to be configured as a domain controller. This can be done by +setting in <code class="filename">smb.conf</code>: </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id429644"></a><em class="parameter"><code>security = user</code></em></td></tr><tr><td><a class="indexterm" name="id429656"></a><em class="parameter"><code>os level = 32 (or more)</code></em></td></tr><tr><td><a class="indexterm" name="id429669"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr></table><p> There must be a <em class="parameter"><code>[netlogon]</code></em> share that is world readable. It is +a good idea to add a logon script to preset printer and drive connections. There is also a facility +for automatically synchronizing the workstation time clock with that of the logon server (another good +thing to do). </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> To invoke autodeletion of roaming profiles from the local workstation cache (disk storage), use +the <span class="application">Group Policy Editor</span> to create a file called <code class="filename">NTConfig.POL</code> +with the appropriate entries. This file needs to be located in the <em class="parameter"><code>netlogon</code></em> +share root directory.</p></div><p> Windows clients need to be members of the domain. Workgroup machines do not use network logons, +so they do not interoperate with domain profiles. </p><p> For roaming profiles, add to <code class="filename">smb.conf</code>: </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id429736"></a><em class="parameter"><code>logon path = \\%N\profiles\%U</code></em></td></tr><tr><td># Default logon drive is Z:</td></tr><tr><td><a class="indexterm" name="id429752"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td># This requires a PROFILES share that is world writable.</td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id429770"></a>Debugging Roaming Profiles and NT4-style Domain Policies</h3></div></div></div><p> +Roaming profiles and domain policies are implemented via <code class="literal">USERENV.DLL</code>. +Microsoft Knowledge Base articles <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;221833" target="_top">221833</a> and +<a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;154120" target="_top">154120</a> + describe how to instruct that DLL to debug the login process. +</p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 26. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 28. PAM-Based Distributed Authentication</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/SWAT.html b/docs/htmldocs/Samba3-HOWTO/SWAT.html new file mode 100644 index 0000000000..b91f3765e1 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/SWAT.html @@ -0,0 +1,399 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. SWAT: The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="NT4Migration.html" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. SWAT: The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 37. SWAT: The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="SWAT.html#id444620">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SWAT.html#id444732">Guidelines and Technical Tips</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id444749">Validate SWAT Installation</a></span></dt><dt><span class="sect2"><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445330">Securing SWAT through SSL</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="SWAT.html#id445656">Overview and Quick Tour</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id445667">The SWAT Home Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445720">Global Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445817">Share Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445869">Printers Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445921">The SWAT Wizard</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445978">The Status Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id446016">The View Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id446034">The Password Change Page</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id444588"></a> +<a class="indexterm" name="id444595"></a> +<a class="indexterm" name="id444602"></a> +There are many and varied opinions regarding the usefulness of SWAT. No matter how hard one tries to produce +the perfect configuration tool, it remains an object of personal taste. SWAT is a tool that allows Web-based +configuration of Samba. It has a wizard that may help to get Samba configured quickly, it has +context-sensitive help on each <code class="filename">smb.conf</code> parameter, it provides for monitoring of current state of connection +information, and it allows networkwide MS Windows network password management. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id444620"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id444627"></a> +SWAT is a facility that is part of the Samba suite. The main executable is called +<code class="literal">swat</code> and is invoked by the internetworking super daemon. +See <a href="SWAT.html#xinetd" title="Enabling SWAT for Use">appropriate section</a> for details. +</p><p> +<a class="indexterm" name="id444653"></a> +SWAT uses integral Samba components to locate parameters supported by the particular +version of Samba. Unlike tools and utilities that are external to Samba, SWAT is always +up to date as known Samba parameters change. SWAT provides context-sensitive help for each +configuration parameter, directly from <code class="literal">man</code> page entries. +</p><p> +<a class="indexterm" name="id444671"></a> +<a class="indexterm" name="id444678"></a> +<a class="indexterm" name="id444685"></a> +Some network administrators believe that it is a good idea to write systems +documentation inside configuration files, and for them SWAT will always be a nasty tool. SWAT +does not store the configuration file in any intermediate form; rather, it stores only the +parameter settings, so when SWAT writes the <code class="filename">smb.conf</code> file to disk, it writes only +those parameters that are at other than the default settings. The result is that all comments, +as well as parameters that are no longer supported, will be lost from the <code class="filename">smb.conf</code> file. +Additionally, the parameters will be written back in internal ordering. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id444712"></a> +Before using SWAT, please be warned SWAT will completely replace your <code class="filename">smb.conf</code> with +a fully optimized file that has been stripped of all comments you might have placed there +and only nondefault settings will be written to the file. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id444732"></a>Guidelines and Technical Tips</h2></div></div></div><p> +<a class="indexterm" name="id444740"></a> +This section aims to unlock the dark secrets behind how SWAT may be made to work, +how it can be made more secure, and how to solve internationalization support problems. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id444749"></a>Validate SWAT Installation</h3></div></div></div><p> +<a class="indexterm" name="id444757"></a> +The very first step that should be taken before attempting to configure a host +system for SWAT operation is to check that it is installed. This may seem a trivial +point to some, but several Linux distributions do not install SWAT by default, +even though they do ship an installable binary support package containing SWAT +on the distribution media. +</p><p> +<a class="indexterm" name="id444770"></a> +When you have confirmed that SWAT is installed, it is necessary to validate +that the installation includes the binary <code class="literal">swat</code> file as well +as all the supporting text and Web files. A number of operating system distributions +in the past have failed to include the necessary support files, even though the +<code class="literal">swat</code> binary executable file was installed. +</p><p> +<a class="indexterm" name="id444795"></a> +<a class="indexterm" name="id444802"></a> +Finally, when you are sure that SWAT has been fully installed, please check that SWAT +is enabled in the control file for the internetworking super-daemon (inetd or xinetd) +that is used on your operating system platform. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id444812"></a>Locating the <code class="literal">SWAT</code> File</h4></div></div></div><p> +<a class="indexterm" name="id444825"></a> +<a class="indexterm" name="id444832"></a> +<a class="indexterm" name="id444839"></a> +To validate that SWAT is installed, first locate the <code class="literal">swat</code> binary +file on the system. It may be found under the following directories:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><code class="filename">/usr/local/samba/bin</code> the default Samba location</td></tr><tr><td><code class="filename">/usr/sbin</code> the default location on most Linux systems</td></tr><tr><td><code class="filename">/opt/samba/bin</code></td></tr></table><p> +</p><p> +The actual location is much dependent on the choice of the operating system vendor or as determined +by the administrator who compiled and installed Samba. +</p><p> +There are a number of methods that may be used to locate the <code class="literal">swat</code> binary file. +The following methods may be helpful. +</p><p> +<a class="indexterm" name="id444907"></a> +<a class="indexterm" name="id444914"></a> +<a class="indexterm" name="id444920"></a> +If <code class="literal">swat</code> is in your current operating system search path, it will be easy to +find it. You can ask what are the command-line options for <code class="literal">swat</code> as shown here: +</p><pre class="screen"> +frodo:~ # swat -? +Usage: swat [OPTION...] + -a, --disable-authentication Disable authentication (demo mode) + +Help options: + -?, --help Show this help message + --usage Display brief usage message + +Common samba options: + -d, --debuglevel=DEBUGLEVEL Set debug level + -s, --configfile=CONFIGFILE Use alternative configuration file + -l, --log-basename=LOGFILEBASE Basename for log/debug files + -V, --version Print version +</pre><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id444953"></a>Locating the SWAT Support Files</h4></div></div></div><p> +Now that you have found that <code class="literal">swat</code> is in the search path, it is easy +to identify where the file is located. Here is another simple way this may be done: +</p><pre class="screen"> +frodo:~ # whereis swat +swat: /usr/sbin/swat /usr/share/man/man8/swat.8.gz +</pre><p> +</p><p> +If the above measures fail to locate the <code class="literal">swat</code> binary, another approach +is needed. The following may be used: +</p><pre class="screen"> +frodo:/ # find / -name swat -print +/etc/xinetd.d/swat +/usr/sbin/swat +/usr/share/samba/swat +frodo:/ # +</pre><p> +</p><p> +This list shows that there is a control file for <code class="literal">xinetd</code>, the internetwork +super-daemon that is installed on this server. The location of the SWAT binary file is +<code class="filename">/usr/sbin/swat</code>, and the support files for it are located under the +directory <code class="filename">/usr/share/samba/swat</code>. +</p><p> +We must now check where <code class="literal">swat</code> expects to find its support files. This can +be done as follows: +</p><pre class="screen"> +frodo:/ # strings /usr/sbin/swat | grep "/swat" +/swat/ +... +/usr/share/samba/swat +frodo:/ # +</pre><p> +</p><p> +The <code class="filename">/usr/share/samba/swat/</code> entry shown in this listing is the location of the +support files. You should verify that the support files exist under this directory. A sample +list is as shown: +</p><pre class="screen"> +jht@frodo:/> find /usr/share/samba/swat -print +/usr/share/samba/swat +/usr/share/samba/swat/help +/usr/share/samba/swat/lang +/usr/share/samba/swat/lang/ja +/usr/share/samba/swat/lang/ja/help +/usr/share/samba/swat/lang/ja/help/welcome.html +/usr/share/samba/swat/lang/ja/images +/usr/share/samba/swat/lang/ja/images/home.gif +... +/usr/share/samba/swat/lang/ja/include +/usr/share/samba/swat/lang/ja/include/header.nocss.html +... +/usr/share/samba/swat/lang/tr +/usr/share/samba/swat/lang/tr/help +/usr/share/samba/swat/lang/tr/help/welcome.html +/usr/share/samba/swat/lang/tr/images +/usr/share/samba/swat/lang/tr/images/home.gif +... +/usr/share/samba/swat/lang/tr/include +/usr/share/samba/swat/lang/tr/include/header.html +/usr/share/samba/swat/using_samba +... +/usr/share/samba/swat/images +/usr/share/samba/swat/images/home.gif +... +/usr/share/samba/swat/include +/usr/share/samba/swat/include/footer.html +/usr/share/samba/swat/include/header.html +jht@frodo:/> +</pre><p> +</p><p> +If the files needed are not available, it is necessary to obtain and install them +before SWAT can be used. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="xinetd"></a>Enabling SWAT for Use</h3></div></div></div><p> +SWAT should be installed to run via the network super-daemon. Depending on which system +your UNIX/Linux system has, you will have either an <code class="literal">inetd</code>- or +<code class="literal">xinetd</code>-based system. +</p><p> +The nature and location of the network super-daemon varies with the operating system +implementation. The control file (or files) can be located in the file +<code class="filename">/etc/inetd.conf</code> or in the directory <code class="filename">/etc/[x]inet[d].d</code> +or in a similar location. +</p><p> +The control entry for the older style file might be: +<a class="indexterm" name="id445122"></a> +</p><pre class="programlisting"> + # swat is the Samba Web Administration Tool + swat stream tcp nowait.400 root /usr/sbin/swat swat +</pre><p> +A control file for the newer style xinetd could be: +</p><p> +</p><pre class="programlisting"> +# default: off +# description: SWAT is the Samba Web Admin Tool. Use swat \ +# to configure your Samba server. To use SWAT, \ +# connect to port 901 with your favorite web browser. +service swat +{ + port = 901 + socket_type = stream + wait = no + only_from = localhost + user = root + server = /usr/sbin/swat + log_on_failure += USERID + disable = no +} +</pre><p> +In the above, the default setting for <em class="parameter"><code>disable</code></em> is <code class="constant">yes</code>. +This means that SWAT is disabled. To enable use of SWAT, set this parameter to <code class="constant">no</code> +as shown. +</p><p> +<a class="indexterm" name="id445171"></a> +<a class="indexterm" name="id445178"></a> +<a class="indexterm" name="id445185"></a> +<a class="indexterm" name="id445191"></a> +Both of the previous examples assume that the <code class="literal">swat</code> binary has been +located in the <code class="filename">/usr/sbin</code> directory. In addition to the above, +SWAT will use a directory access point from which it will load its Help files +as well as other control information. The default location for this on most Linux +systems is in the directory <code class="filename">/usr/share/samba/swat</code>. The default +location using Samba defaults will be <code class="filename">/usr/local/samba/swat</code>. +</p><p> +<a class="indexterm" name="id445228"></a> +<a class="indexterm" name="id445235"></a> +Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user, +the only permission allowed is to view certain aspects of configuration as well as +access to the password change facility. The buttons that will be exposed to the non-root +user are <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, and +<span class="guibutton">PASSWORD</span>. The only page that allows +change capability in this case is <span class="guibutton">PASSWORD</span>. +</p><p> +As long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span>, you should obtain +full change and commit ability. The buttons that will be exposed include +<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>, +<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, and <span class="guibutton">PASSWORD</span>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445330"></a>Securing SWAT through SSL</h3></div></div></div><p> +<a class="indexterm" name="id445338"></a> +<a class="indexterm" name="id445344"></a> +Many people have asked about how to set up SWAT with SSL to allow for secure remote +administration of Samba. Here is a method that works, courtesy of Markus Krieger. +</p><p> +Modifications to the SWAT setup are as follows: +</p><div class="procedure"><ol type="1"><li><p> +<a class="indexterm" name="id445367"></a> + Install OpenSSL. + </p></li><li><p> +<a class="indexterm" name="id445381"></a> +<a class="indexterm" name="id445388"></a> + Generate certificate and private key. +<a class="indexterm" name="id445395"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \ + /usr/share/doc/packages/stunnel/stunnel.cnf \ + -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</code></strong> +</pre></li><li><p> + Remove SWAT entry from [x]inetd. + </p></li><li><p> +<a class="indexterm" name="id445432"></a> + Start <code class="literal">stunnel</code>. + +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>stunnel -p /etc/stunnel/stunnel.pem -d 901 \ + -l /usr/local/samba/bin/swat swat </code></strong> +</pre></li></ol></div><p> +Afterward, simply connect to SWAT by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate, and the SSL connection is up. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445475"></a>Enabling SWAT Internationalization Support</h3></div></div></div><p> +SWAT can be configured to display its messages to match the settings of +the language configurations of your Web browser. It will be passed to SWAT +in the Accept-Language header of the HTTP request. +</p><p> +To enable this feature: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Install the proper <code class="literal">msg</code> files from the Samba + <code class="filename">source/po</code> directory into $LIBDIR. + </p></li><li><p> + Set your browsers language setting. + </p></li></ul></div><p> +<a class="indexterm" name="id445516"></a> +<a class="indexterm" name="id445523"></a> +<a class="indexterm" name="id445530"></a> +<a class="indexterm" name="id445536"></a> +The name of the <code class="literal">msg</code> file is the same as the language ID sent by the browser. For +example, <span class="emphasis"><em>en</em></span> means English, <span class="emphasis"><em>ja</em></span> means Japanese, <span class="emphasis"><em>fr</em></span> means French. +</p><p> +<a class="indexterm" name="id445563"></a> +If you do not like some of messages, or there are no <code class="literal">msg</code> files for +your locale, you can create them simply by copying the <code class="literal">en.msg</code> files +to the directory for “<span class="quote">your language ID.msg</span>” and filling in proper strings +to each “<span class="quote">msgstr</span>”. For example, in <code class="filename">it.msg</code>, the +<code class="literal">msg</code> file for the Italian locale, just set: +</p><pre class="screen"> +msgid "Set Default" +msgstr "Imposta Default" +</pre><p> +<a class="indexterm" name="id445609"></a> +and so on. If you find a mistake or create a new <code class="literal">msg</code> file, please email it +to us so we will consider it in the next release of Samba. The <code class="literal">msg</code> file should be encoded in UTF-8. +</p><p> +<a class="indexterm" name="id445631"></a> +Note that if you enable this feature and the <a class="indexterm" name="id445638"></a>display charset is not +matched to your browser's setting, the SWAT display may be corrupted. In a future version of +Samba, SWAT will always display messages with UTF-8 encoding. You will then not need to set +this <code class="filename">smb.conf</code> file parameter. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id445656"></a>Overview and Quick Tour</h2></div></div></div><p> +SWAT is a tool that may be used to configure Samba or just to obtain useful links +to important reference materials such as the contents of this book as well as other +documents that have been found useful for solving Windows networking problems. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445667"></a>The SWAT Home Page</h3></div></div></div><p> +The SWAT title page provides access to the latest Samba documentation. The manual page for +each Samba component is accessible from this page, as are the Samba3-HOWTO (this +document) as well as the O'Reilly book “<span class="quote">Using Samba.</span>” +</p><p> +Administrators who wish to validate their Samba configuration may obtain useful information +from the man pages for the diagnostic utilities. These are available from the SWAT home page +also. One diagnostic tool that is not mentioned on this page but that is particularly +useful is <a href="http://www.ethereal.com/" target="_top"><code class="literal">ethereal</code></a>. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is not recommended +because it runs SWAT without authentication and with full administrative ability. It allows +changes to <code class="filename">smb.conf</code> as well as general operation with root privileges. The option that +creates this ability is the <code class="option">-a</code> flag to SWAT. <span class="emphasis"><em>Do not use this in a +production environment.</em></span> +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445720"></a>Global Settings</h3></div></div></div><p> +The <span class="guibutton">GLOBALS</span> button exposes a page that allows configuration of the global parameters +in <code class="filename">smb.conf</code>. There are two levels of exposure of the parameters: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <span class="guibutton">Basic</span> exposes common configuration options. + </p></li><li><p> + <span class="guibutton">Advanced</span> exposes configuration options needed in more + complex environments. + </p></li></ul></div><p> +To switch to other than <span class="guibutton">Basic</span> editing ability, click on <span class="guibutton">Advanced</span>. +You may also do this by clicking on the radio button, then click on the <span class="guibutton">Commit Changes</span> button. +</p><p> +After making any changes to configuration parameters, make sure that +you click on the +<span class="guibutton">Commit Changes</span> button before moving to another area; otherwise, +your changes will be lost. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +SWAT has context-sensitive help. To find out what each parameter is +for, simply click on the +<span class="guibutton">Help</span> link to the left of the configuration parameter. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445817"></a>Share Settings</h3></div></div></div><p> +To affect a currently configured share, simply click on the pull-down button between the +<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons and +select the share you wish to operate on. To edit the settings, +click on the +<span class="guibutton">Choose Share</span> button. To delete the share, simply press the +<span class="guibutton">Delete Share</span> button. +</p><p> +To create a new share, next to the button labeled <span class="guibutton">Create Share</span>, enter +into the text field the name of the share to be created, then click on the +<span class="guibutton">Create Share</span> button. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445869"></a>Printers Settings</h3></div></div></div><p> +To affect a currently configured printer, simply click on the pull-down button between the +<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons and +select the printer you wish to operate on. To edit the settings, +click on the +<span class="guibutton">Choose Printer</span> button. To delete the share, simply press the +<span class="guibutton">Delete Printer</span> button. +</p><p> +To create a new printer, next to the button labeled <span class="guibutton">Create Printer</span>, enter +into the text field the name of the share to be created, then click on the +<span class="guibutton">Create Printer</span> button. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445921"></a>The SWAT Wizard</h3></div></div></div><p> +The purpose of the SWAT Wizard is to help the Microsoft-knowledgeable network administrator +to configure Samba with a minimum of effort. +</p><p> +The Wizard page provides a tool for rewriting the <code class="filename">smb.conf</code> file in fully optimized format. +This will also happen if you press the <span class="guibutton">Commit</span> button. The two differ +because the <span class="guibutton">Rewrite</span> button ignores any changes that may have been made, +while the <span class="guibutton">Commit</span> button causes all changes to be affected. +</p><p> +The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of +options that may be necessary to create a working Samba server. +</p><p> +Finally, there are a limited set of options that determine what type of server Samba +will be configured for, whether it will be a WINS server, participate as a WINS client, or +operate with no WINS support. By clicking one button, you can elect to expose (or not) user +home directories. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id445978"></a>The Status Page</h3></div></div></div><p> +The status page serves a limited purpose. First, it allows control of the Samba daemons. +The key daemons that create the Samba server environment are <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span>. +</p><p> +The daemons may be controlled individually or as a total group. Additionally, you may set +an automatic screen refresh timing. As MS Windows clients interact with Samba, new smbd processes +are continually spawned. The auto-refresh facility allows you to track the changing +conditions with minimal effort. +</p><p> +Finally, the status page may be used to terminate specific smbd client connections in order to +free files that may be locked. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id446016"></a>The View Page</h3></div></div></div><p> +The view page allows you to view the optimized <code class="filename">smb.conf</code> file and, if you are +particularly masochistic, permits you also to see all possible global configuration +parameters and their settings. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id446034"></a>The Password Change Page</h3></div></div></div><p> +The password change page is a popular tool that allows the creation, deletion, deactivation, +and reactivation of MS Windows networking users on the local machine. You can also use +this tool to change a local password for a user account. +</p><p> +When logged in as a non-root account, the user must provide the old password as well as +the new password (twice). When logged in as <span class="emphasis"><em>root</em></span>, only the new password is +required. +</p><p> +One popular use for this tool is to change user passwords across a range of remote MS Windows +servers. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/SambaHA.html b/docs/htmldocs/Samba3-HOWTO/SambaHA.html new file mode 100644 index 0000000000..e33194f756 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/SambaHA.html @@ -0,0 +1,271 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. High Availability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="Backup.html" title="Chapter 31. Backup Techniques"><link rel="next" href="largefile.html" title="Chapter 33. Handling Large Directories"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. High Availability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="largefile.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 32. High Availability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="SambaHA.html#id436084">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SambaHA.html#id436191">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="SambaHA.html#id436222">The Ultimate Goal</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id436345">Why Is This So Hard?</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437009">A Simple Solution</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437081">High-Availability Server Products</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437210">MS-DFS: The Poor Man's Cluster</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437243">Conclusions</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id436084"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id436092"></a> +<a class="indexterm" name="id436098"></a> +<a class="indexterm" name="id436105"></a> +Network administrators are often concerned about the availability of file and print +services. Network users are inclined toward intolerance of the services they depend +on to perform vital task responsibilities. +</p><p> +A sign in a computer room served to remind staff of their responsibilities. It read: +</p><div class="blockquote"><blockquote class="blockquote"><p> +<a class="indexterm" name="id436123"></a> +<a class="indexterm" name="id436130"></a> +<a class="indexterm" name="id436137"></a> +<a class="indexterm" name="id436144"></a> +All humans fail, in both great and small ways we fail continually. Machines fail too. +Computers are machines that are managed by humans, the fallout from failure +can be spectacular. Your responsibility is to deal with failure, to anticipate it +and to eliminate it as far as is humanly and economically wise to achieve. +Are your actions part of the problem or part of the solution? +</p></blockquote></div><p> +If we are to deal with failure in a planned and productive manner, then first we must +understand the problem. That is the purpose of this chapter. +</p><p> +<a class="indexterm" name="id436162"></a> +<a class="indexterm" name="id436169"></a> +<a class="indexterm" name="id436176"></a> +Parenthetically, in the following discussion there are seeds of information on how to +provision a network infrastructure against failure. Our purpose here is not to provide +a lengthy dissertation on the subject of high availability. Additionally, we have made +a conscious decision to not provide detailed working examples of high availability +solutions; instead we present an overview of the issues in the hope that someone will +rise to the challenge of providing a detailed document that is focused purely on +presentation of the current state of knowledge and practice in high availability as it +applies to the deployment of Samba and other CIFS/SMB technologies. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id436191"></a>Technical Discussion</h2></div></div></div><p> +<a class="indexterm" name="id436198"></a> +<a class="indexterm" name="id436205"></a> +<a class="indexterm" name="id436212"></a> +The following summary was part of a presentation by Jeremy Allison at the SambaXP 2003 +conference that was held at Goettingen, Germany, in April 2003. Material has been added +from other sources, but it was Jeremy who inspired the structure that follows. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id436222"></a>The Ultimate Goal</h3></div></div></div><p> +<a class="indexterm" name="id436230"></a> +<a class="indexterm" name="id436237"></a> +<a class="indexterm" name="id436244"></a> + All clustering technologies aim to achieve one or more of the following: + </p><div class="itemizedlist"><ul type="disc"><li><p>Obtain the maximum affordable computational power.</p></li><li><p>Obtain faster program execution.</p></li><li><p>Deliver unstoppable services.</p></li><li><p>Avert points of failure.</p></li><li><p>Exact most effective utilization of resources.</p></li></ul></div><p> + A clustered file server ideally has the following properties: +<a class="indexterm" name="id436282"></a> +<a class="indexterm" name="id436289"></a> +<a class="indexterm" name="id436295"></a> +<a class="indexterm" name="id436302"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>All clients can connect transparently to any server.</p></li><li><p>A server can fail and clients are transparently reconnected to another server.</p></li><li><p>All servers serve out the same set of files.</p></li><li><p>All file changes are immediately seen on all servers.</p><div class="itemizedlist"><ul type="circle"><li><p>Requires a distributed file system.</p></li></ul></div></li><li><p>Infinite ability to scale by adding more servers or disks.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id436345"></a>Why Is This So Hard?</h3></div></div></div><p> + In short, the problem is one of <span class="emphasis"><em>state</em></span>. + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id436364"></a> + All TCP/IP connections are dependent on state information. + </p><p> +<a class="indexterm" name="id436374"></a> + The TCP connection involves a packet sequence number. This + sequence number would need to be dynamically updated on all + machines in the cluster to effect seamless TCP failover. + </p></li><li><p> +<a class="indexterm" name="id436389"></a> +<a class="indexterm" name="id436396"></a> + CIFS/SMB (the Windows networking protocols) uses TCP connections. + </p><p> + This means that from a basic design perspective, failover is not + seriously considered. + </p><div class="itemizedlist"><ul type="circle"><li><p> + All current SMB clusters are failover solutions + they rely on the clients to reconnect. They provide server + failover, but clients can lose information due to a server failure. +<a class="indexterm" name="id436418"></a> + </p></li></ul></div><p> + </p></li><li><p> + Servers keep state information about client connections. + </p><div class="itemizedlist"><a class="indexterm" name="id436435"></a><ul type="circle"><li><p>CIFS/SMB involves a lot of state.</p></li><li><p>Every file open must be compared with other open files + to check share modes.</p></li></ul></div><p> + </p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id436456"></a>The Front-End Challenge</h4></div></div></div><p> +<a class="indexterm" name="id436464"></a> +<a class="indexterm" name="id436471"></a> +<a class="indexterm" name="id436477"></a> +<a class="indexterm" name="id436484"></a> +<a class="indexterm" name="id436491"></a> +<a class="indexterm" name="id436498"></a> +<a class="indexterm" name="id436505"></a> + To make it possible for a cluster of file servers to appear as a single server that has one + name and one IP address, the incoming TCP data streams from clients must be processed by the + front-end virtual server. This server must de-multiplex the incoming packets at the SMB protocol + layer level and then feed the SMB packet to different servers in the cluster. + </p><p> +<a class="indexterm" name="id436518"></a> +<a class="indexterm" name="id436524"></a> + One could split all IPC$ connections and RPC calls to one server to handle printing and user + lookup requirements. RPC printing handles are shared between different IPC4 sessions it is + hard to split this across clustered servers! + </p><p> + Conceptually speaking, all other servers would then provide only file services. This is a simpler + problem to concentrate on. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id436543"></a>Demultiplexing SMB Requests</h4></div></div></div><p> +<a class="indexterm" name="id436551"></a> +<a class="indexterm" name="id436557"></a> +<a class="indexterm" name="id436564"></a> +<a class="indexterm" name="id436571"></a> + De-multiplexing of SMB requests requires knowledge of SMB state information, + all of which must be held by the front-end <span class="emphasis"><em>virtual</em></span> server. + This is a perplexing and complicated problem to solve. + </p><p> +<a class="indexterm" name="id436586"></a> +<a class="indexterm" name="id436593"></a> +<a class="indexterm" name="id436600"></a> + Windows XP and later have changed semantics so state information (vuid, tid, fid) + must match for a successful operation. This makes things simpler than before and is a + positive step forward. + </p><p> +<a class="indexterm" name="id436612"></a> +<a class="indexterm" name="id436618"></a> + SMB requests are sent by vuid to their associated server. No code exists today to + effect this solution. This problem is conceptually similar to the problem of + correctly handling requests from multiple requests from Windows 2000 + Terminal Server in Samba. + </p><p> +<a class="indexterm" name="id436631"></a> + One possibility is to start by exposing the server pool to clients directly. + This could eliminate the de-multiplexing step. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id436641"></a>The Distributed File System Challenge</h4></div></div></div><p> +<a class="indexterm" name="id436649"></a> + There exists many distributed file systems for UNIX and Linux. + </p><p> +<a class="indexterm" name="id436660"></a> +<a class="indexterm" name="id436666"></a> +<a class="indexterm" name="id436673"></a> +<a class="indexterm" name="id436680"></a> +<a class="indexterm" name="id436687"></a> +<a class="indexterm" name="id436694"></a> + Many could be adopted to backend our cluster, so long as awareness of SMB + semantics is kept in mind (share modes, locking, and oplock issues in particular). + Common free distributed file systems include: +<a class="indexterm" name="id436702"></a> +<a class="indexterm" name="id436709"></a> +<a class="indexterm" name="id436716"></a> +<a class="indexterm" name="id436723"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>NFS</p></li><li><p>AFS</p></li><li><p>OpenGFS</p></li><li><p>Lustre</p></li></ul></div><p> +<a class="indexterm" name="id436753"></a> + The server pool (cluster) can use any distributed file system backend if all SMB + semantics are performed within this pool. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id436764"></a>Restrictive Constraints on Distributed File Systems</h4></div></div></div><p> +<a class="indexterm" name="id436772"></a> +<a class="indexterm" name="id436778"></a> +<a class="indexterm" name="id436785"></a> +<a class="indexterm" name="id436792"></a> + Where a clustered server provides purely SMB services, oplock handling + may be done within the server pool without imposing a need for this to + be passed to the backend file system pool. + </p><p> +<a class="indexterm" name="id436804"></a> +<a class="indexterm" name="id436810"></a> + On the other hand, where the server pool also provides NFS or other file services, + it will be essential that the implementation be oplock-aware so it can + interoperate with SMB services. This is a significant challenge today. A failure + to provide this interoperability will result in a significant loss of performance that will be + sorely noted by users of Microsoft Windows clients. + </p><p> + Last, all state information must be shared across the server pool. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id436827"></a>Server Pool Communications</h4></div></div></div><p> +<a class="indexterm" name="id436835"></a> +<a class="indexterm" name="id436841"></a> +<a class="indexterm" name="id436848"></a> +<a class="indexterm" name="id436855"></a> + Most backend file systems support POSIX file semantics. This makes it difficult + to push SMB semantics back into the file system. POSIX locks have different properties + and semantics from SMB locks. + </p><p> +<a class="indexterm" name="id436867"></a> +<a class="indexterm" name="id436873"></a> +<a class="indexterm" name="id436880"></a> + All <code class="literal">smbd</code> processes in the server pool must of necessity communicate + very quickly. For this, the current <em class="parameter"><code>tdb</code></em> file structure that Samba + uses is not suitable for use across a network. Clustered <code class="literal">smbd</code>s must use something else. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id436908"></a>Server Pool Communications Demands</h4></div></div></div><p> + High-speed interserver communications in the server pool is a design prerequisite + for a fully functional system. Possibilities for this include: + </p><div class="itemizedlist"><a class="indexterm" name="id436921"></a><a class="indexterm" name="id436928"></a><ul type="disc"><li><p> + Proprietary shared memory bus (example: Myrinet or SCI [scalable coherent interface]). + These are high-cost items. + </p></li><li><p> + Gigabit Ethernet (now quite affordable). + </p></li><li><p> + Raw Ethernet framing (to bypass TCP and UDP overheads). + </p></li></ul></div><p> + We have yet to identify metrics for performance demands to enable this to happen + effectively. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id436958"></a>Required Modifications to Samba</h4></div></div></div><p> + Samba needs to be significantly modified to work with a high-speed server interconnect + system to permit transparent failover clustering. + </p><p> + Particular functions inside Samba that will be affected include: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The locking database, oplock notifications, + and the share mode database. + </p></li><li><p> +<a class="indexterm" name="id436983"></a> +<a class="indexterm" name="id436989"></a> + Failure semantics need to be defined. Samba behaves the same way as Windows. + When oplock messages fail, a file open request is allowed, but this is + potentially dangerous in a clustered environment. So how should interserver + pool failure semantics function, and how should such functionality be implemented? + </p></li><li><p> + Should this be implemented using a point-to-point lock manager, or can this + be done using multicast techniques? + </p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id437009"></a>A Simple Solution</h3></div></div></div><p> +<a class="indexterm" name="id437016"></a> +<a class="indexterm" name="id437023"></a> +<a class="indexterm" name="id437030"></a> + Allowing failover servers to handle different functions within the exported file system + removes the problem of requiring a distributed locking protocol. + </p><p> +<a class="indexterm" name="id437042"></a> +<a class="indexterm" name="id437049"></a> + If only one server is active in a pair, the need for high-speed server interconnect is avoided. + This allows the use of existing high-availability solutions, instead of inventing a new one. + This simpler solution comes at a price the cost of which is the need to manage a more + complex file name space. Since there is now not a single file system, administrators + must remember where all services are located a complexity not easily dealt with. + </p><p> +<a class="indexterm" name="id437068"></a> + The <span class="emphasis"><em>virtual server</em></span> is still needed to redirect requests to backend + servers. Backend file space integrity is the responsibility of the administrator. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id437081"></a>High-Availability Server Products</h3></div></div></div><p> +<a class="indexterm" name="id437089"></a> +<a class="indexterm" name="id437096"></a> +<a class="indexterm" name="id437103"></a> +<a class="indexterm" name="id437110"></a> +<a class="indexterm" name="id437116"></a> + Failover servers must communicate in order to handle resource failover. This is essential + for high-availability services. The use of a dedicated heartbeat is a common technique to + introduce some intelligence into the failover process. This is often done over a dedicated + link (LAN or serial). + </p><p> +<a class="indexterm" name="id437129"></a> +<a class="indexterm" name="id437136"></a> +<a class="indexterm" name="id437143"></a> +<a class="indexterm" name="id437149"></a> +<a class="indexterm" name="id437156"></a> + Many failover solutions (like Red Hat Cluster Manager and Microsoft Wolfpack) + can use a shared SCSI of Fiber Channel disk storage array for failover communication. + Information regarding Red Hat high availability solutions for Samba may be obtained from + <a href="http://www.redhat.com/docs/manuals/enterprise/RHEL-AS-2.1-Manual/cluster-manager/s1-service-samba.html" target="_top">www.redhat.com</a>. + </p><p> +<a class="indexterm" name="id437175"></a> + The Linux High Availability project is a resource worthy of consultation if your desire is + to build a highly available Samba file server solution. Please consult the home page at + <a href="http://www.linux-ha.org/" target="_top">www.linux-ha.org/</a>. + </p><p> +<a class="indexterm" name="id437192"></a> +<a class="indexterm" name="id437199"></a> + Front-end server complexity remains a challenge for high availability because it must deal + gracefully with backend failures, while at the same time providing continuity of service + to all network clients. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id437210"></a>MS-DFS: The Poor Man's Cluster</h3></div></div></div><p> +<a class="indexterm" name="id437218"></a> +<a class="indexterm" name="id437225"></a> + MS-DFS links can be used to redirect clients to disparate backend servers. This pushes + complexity back to the network client, something already included by Microsoft. + MS-DFS creates the illusion of a simple, continuous file system name space that works even + at the file level. + </p><p> + Above all, at the cost of complexity of management, a distributed system (pseudo-cluster) can + be created using existing Samba functionality. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id437243"></a>Conclusions</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Transparent SMB clustering is hard to do!</p></li><li><p>Client failover is the best we can do today.</p></li><li><p>Much more work is needed before a practical and manageable high-availability transparent cluster solution will be possible.</p></li><li><p>MS-DFS can be used to create the illusion of a single transparent cluster.</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="largefile.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Backup Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. Handling Large Directories</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/ServerType.html b/docs/htmldocs/Samba3-HOWTO/ServerType.html new file mode 100644 index 0000000000..fe82c2aa9e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ServerType.html @@ -0,0 +1,471 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Server Types and Security Modes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 4. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 3. Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ServerType.html#id332909">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id333060">Server Types</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id333211">Samba Security Modes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id333359">User Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id333519">Share-Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334182">ADS Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334332">Server Security (User Level Security)</a></span></dt></dl></dd><dt><span class="sect1"><a href="ServerType.html#id334587">Password Checking</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id334759">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id334776">What Makes Samba a Server?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334805">What Makes Samba a Domain Controller?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334843">What Makes Samba a Domain Member?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334868">Constantly Losing Connections to Password Server</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334909">Stand-alone Server is converted to Domain Controller Now User accounts don't work</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id332876"></a> +<a class="indexterm" name="id332883"></a> +This chapter provides information regarding the types of server that Samba may be configured to be. A +Microsoft network administrator who wishes to migrate to or use Samba will want to know the meaning, within a +Samba context, of terms familiar to the MS Windows administrator. This means that it is essential also to +define how critical security modes function before we get into the details of how to configure the server +itself. +</p><p> +This chapter provides an overview of the security modes of which Samba is capable and how they relate to MS +Windows servers and clients. +</p><p> +A question often asked is, “<span class="quote">Why would I want to use Samba?</span>” Most chapters contain a section that +highlights features and benefits. We hope that the information provided will help to answer this question. Be +warned though, we want to be fair and reasonable, so not all features are positive toward Samba. The benefit +may be on the side of our competition. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332909"></a>Features and Benefits</h2></div></div></div><p> +Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It +hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion +and fury befitting his anguish. The other looked at the stone and said, “<span class="quote">This is a garnet. +I can turn that into a precious gem and some day it will make a princess very happy!</span>” +</p><p> +The moral of this tale: Two men, two very different perspectives regarding the same stone. +Like it or not, Samba is like that stone. Treat it the right way and it can bring great +pleasure, but if you are forced to use it and have no time for its secrets, then it can be +a source of discomfort. +</p><p> +<a class="indexterm" name="id332932"></a> +<a class="indexterm" name="id332941"></a> +Samba started out as a project that sought to provide interoperability for MS Windows 3.x +clients with a UNIX server. It has grown up a lot since its humble beginnings and now provides +features and functionality fit for large-scale deployment. It also has some warts. In sections +like this one, we tell of both. +</p><p> +So, what are the benefits of the features mentioned in this chapter? +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id332961"></a> + Samba-3 can replace an MS Windows NT4 domain controller. + </p></li><li><p> + <a class="indexterm" name="id332975"></a> + Samba-3 offers excellent interoperability with MS Windows NT4-style + domains as well as natively with Microsoft Active Directory domains. + </p></li><li><p> + <a class="indexterm" name="id332988"></a> + Samba-3 permits full NT4-style interdomain trusts. + </p></li><li><p> + <a class="indexterm" name="id333002"></a> + <a class="indexterm" name="id333008"></a> + Samba has security modes that permit more flexible authentication + than is possible with MS Windows NT4 domain controllers. + </p></li><li><p> + <a class="indexterm" name="id333023"></a> + <a class="indexterm" name="id333035"></a> + Samba-3 permits use of multiple concurrent account database backends. + (Encrypted passwords that are stored in the account database are in + formats that are unique to Windows networking). + </p></li><li><p> + <a class="indexterm" name="id333048"></a> + The account database backends can be distributed + and replicated using multiple methods. This gives Samba-3 + greater flexibility than MS Windows NT4 and in many cases a + significantly higher utility than Active Directory domains + with MS Windows 200x. + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333060"></a>Server Types</h2></div></div></div><p> +<a class="indexterm" name="id333068"></a> +Administrators of Microsoft networks often refer to three different types of servers: +</p><div class="itemizedlist"><ul type="disc"><li><p>Domain Controller</p><div class="itemizedlist"><ul type="circle"><li><p>Primary Domain Controller (PDC)</p></li><li><p>Backup Domain Controller (BDC)</p></li><li><p>ADS Domain Controller</p></li></ul></div></li><li><p>Domain Member Server</p><div class="itemizedlist"><ul type="circle"><li><p>Active Directory Domain Server</p></li><li><p>NT4 Style Domain Domain Server</p></li></ul></div></li><li><p>Standalone Server</p></li></ul></div><p> +<a class="indexterm" name="id333127"></a> +<a class="indexterm" name="id333136"></a> +<a class="indexterm" name="id333145"></a> +<a class="indexterm" name="id333154"></a> +The chapters covering domain control (<a href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>), +backup domain control (<a href="samba-bdc.html" title="Chapter 5. Backup Domain Control">Backup Domain Control</a>), and +domain membership (<a href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>) provide +pertinent information regarding Samba configuration for each of these server roles. +You are strongly encouraged to become intimately familiar with these chapters because +they lay the foundation for deployment of Samba domain security. +</p><p> +<a class="indexterm" name="id333190"></a> +A Standalone server is autonomous in respect of the source of its account backend. +Refer to <a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">Standalone Servers</a> to gain a wider appreciation +of what is meant by a server being configured as a <span class="emphasis"><em>standalone</em></span> server. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333211"></a>Samba Security Modes</h2></div></div></div><p> +<a class="indexterm" name="id333219"></a> +<a class="indexterm" name="id333226"></a> +In this section, the function and purpose of Samba's security modes are described. An accurate understanding of +how Samba implements each security mode as well as how to configure MS Windows clients for each mode will +significantly reduce user complaints and administrator heartache. +</p><p> +<a class="indexterm" name="id333238"></a> +<a class="indexterm" name="id333247"></a> +Microsoft Windows networking uses a protocol that was originally called the Server Message Block (SMB) +protocol. Since some time around 1996 the protocol has been better known as the Common Internet Filesystem +(CIFS) protocol. +</p><p> +<a class="indexterm" name="id333262"></a> +<a class="indexterm" name="id333269"></a> +<a class="indexterm" name="id333275"></a> +<a class="indexterm" name="id333282"></a> +In the SMB/CIFS networking world, there are only two types of security: <span class="emphasis"><em>user-level</em></span> and +<span class="emphasis"><em>share level</em></span>. We refer to these collectively as <span class="emphasis"><em>security levels</em></span>. In +implementing these two security levels, Samba provides flexibilities that are not available with MS Windows +NT4/200x servers. In fact, Samba implements <span class="emphasis"><em>share-level</em></span> security only one way, but has +four ways of implementing <span class="emphasis"><em>user-level</em></span> security. Collectively, we call the Samba +implementations of the security levels <span class="emphasis"><em>security modes</em></span>. They are known as +<span class="emphasis"><em>share</em></span>, <span class="emphasis"><em>user</em></span>, <span class="emphasis"><em>domain</em></span>, <span class="emphasis"><em>ADS</em></span>, +and <span class="emphasis"><em>server</em></span> modes. They are documented in this chapter. +</p><p> +An SMB server informs the client, at the time of a session setup, the security level the server is running. +There are two options: share-level and user-level. Which of these two the client receives affects the way the +client then tries to authenticate itself. It does not directly affect (to any great extent) the way the Samba +server does security. This may sound strange, but it fits in with the client/server approach of SMB. In SMB +everything is initiated and controlled by the client, and the server can only tell the client what is +available and whether an action is allowed. +</p><p> +The term <code class="literal">client</code> refers to all agents whether it is a Windows workstation, a Windows server, +another Samba server, or any vanilla SMB or CIFS client application (e.g., <code class="literal">smbclient</code>) that +make use of services provided by an SMB/CIFS server. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333359"></a>User Level Security</h3></div></div></div><p> +<a class="indexterm" name="id333366"></a> +We describe user-level security first because its simpler. In user-level security, the client sends a session +setup request directly following protocol negotiation. This request provides a username and password. The +server can either accept or reject that username/password combination. At this stage the server has no idea +what share the client will eventually try to connect to, so it can't base the +<span class="emphasis"><em>accept/reject</em></span> on anything other than: +</p><div class="orderedlist"><ol type="1"><li><p>the username/password.</p></li><li><p>the name of the client machine.</p></li></ol></div><p> +<a class="indexterm" name="id333401"></a> +If the server accepts the username/password credentials, the client expects to be able to mount shares (using +a <span class="emphasis"><em>tree connection</em></span>) without further specifying a password. It expects that all access +rights will be as the username/password credentials set that was specified in the initial <span class="emphasis"><em>session +setup</em></span>. +</p><p> +<a class="indexterm" name="id333420"></a> +It is also possible for a client to send multiple <span class="emphasis"><em>session setup</em></span> +requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use +as an authentication tag for that username/password. The client can maintain multiple +authentication contexts in this way (WinDD is an example of an application that does this). +</p><p> +<a class="indexterm" name="id333440"></a> +<a class="indexterm" name="id333447"></a> +<a class="indexterm" name="id333454"></a> +<a class="indexterm" name="id333460"></a> +<a class="indexterm" name="id333467"></a> +Windows networking user account names are case-insensitive, meaning that upper-case and lower-case characters +in the account name are considered equivalent. They are said to be case-preserving, but not case significant. +Windows and LanManager systems previous to Windows NT version 3.10 have case-insensitive passwords that were +not necessarilty case-preserving. All Windows NT family systems treat passwords as case-preserving and +case-sensitive. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id333479"></a>Example Configuration</h4></div></div></div><p> +The <code class="filename">smb.conf</code> parameter that sets user-level security is: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id333501"></a><em class="parameter"><code>security = user</code></em></td></tr></table><p> +This is the default setting since Samba-2.2.x. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333519"></a>Share-Level Security</h3></div></div></div><p> +<a class="indexterm" name="id333527"></a> +<a class="indexterm" name="id333534"></a> +In share-level security, the client authenticates itself separately for each share. It sends a password along +with each tree connection request (share mount), but it does not explicitly send a username with this +operation. The client expects a password to be associated with each share, independent of the user. This means +that Samba has to work out what username the client probably wants to use, the SMB server is not explicitly +sent the username. Some commercial SMB servers such as NT actually associate passwords directly with shares +in share-level security, but Samba always uses the UNIX authentication scheme where it is a username/password +pair that is authenticated, not a share/password pair. +</p><p> +To understand the MS Windows networking parallels, think in terms of MS Windows 9x/Me where you can create a +shared folder that provides read-only or full access, with or without a password. +</p><p> +Many clients send a session setup request even if the server is in share-level security. They normally send a valid +username but no password. Samba records this username in a list of possible usernames. When the client then +issues a tree connection request, it also adds to this list the name of the share they try to connect to (useful for +home directories) and any users listed in the <a class="indexterm" name="id333558"></a>user parameter in the <code class="filename">smb.conf</code> file. +The password is then checked in turn against these possible usernames. If a match is found, then the client is +authenticated as that user. +</p><p> +<a class="indexterm" name="id333575"></a> +<a class="indexterm" name="id333584"></a> +<a class="indexterm" name="id333591"></a> +Where the list of possible user names is not provided, Samba makes a UNIX system call to find the user +account that has a password that matches the one provided from the standard account database. On a system that +has no name service switch (NSS) facility, such lookups will be from the <code class="filename">/etc/passwd</code> +database. On NSS enabled systems, the lookup will go to the libraries that have been specified in the +<code class="filename">nsswitch.conf</code> file. The entries in that file in which the libraries are specified are: +</p><pre class="screen"> +passwd: files nis ldap +shadow: files nis ldap +group: files nis ldap +</pre><p> +<a class="indexterm" name="id333620"></a> +<a class="indexterm" name="id333627"></a> +<a class="indexterm" name="id333633"></a> +In the example shown here (not likely to be used in practice) the lookup will check +<code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>, if not found it will check NIS, then +LDAP. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id333654"></a>Example Configuration</h4></div></div></div><p> +The <code class="filename">smb.conf</code> parameter that sets share-level security is: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id333676"></a><em class="parameter"><code>security = share</code></em></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id333691"></a>Domain Security Mode (User-Level Security)</h3></div></div></div><p> +<a class="indexterm" name="id333699"></a> +<a class="indexterm" name="id333708"></a> +<a class="indexterm" name="id333717"></a> +<a class="indexterm" name="id333724"></a> +<a class="indexterm" name="id333730"></a> +<a class="indexterm" name="id333737"></a> +Domain security provides a mechanism for storing all user and group accounts in a central, shared, account +repository. The centralized account repository is shared between domain (security) controllers. Servers that +act as domain controllers provide authentication and validation services to all machines that participate in +the security context for the domain. A primary domain controller (PDC) is a server that is responsible for +maintaining the integrity of the security account database. Backup domain controllers (BDCs) provide only domain +logon and authentication services. Usually, BDCs will answer network logon requests more responsively than +will a PDC. +</p><p> +<a class="indexterm" name="id333753"></a> +<a class="indexterm" name="id333760"></a> +<a class="indexterm" name="id333766"></a> +<a class="indexterm" name="id333776"></a> +<a class="indexterm" name="id333785"></a> +When Samba is operating in <a class="indexterm" name="id333794"></a>security = domain mode, the Samba server has a +domain security trust account (a machine account) and causes all authentication requests to be passed through +to the domain controllers. In other words, this configuration makes the Samba server a domain member server, +even when it is in fact acting as a domain controller. All machines that participate in domain security must +have a machine account in the security database. +</p><p> +<a class="indexterm" name="id333812"></a> +<a class="indexterm" name="id333821"></a> +<a class="indexterm" name="id333830"></a> +<a class="indexterm" name="id333839"></a> +Within the domain security environment, the underlying security architecture uses user-level security. Even +machines that are domain members must authenticate on startup. The machine account consists of an account +entry in the accounts database, the name of which is the NetBIOS name of the machine and of which the password +is randomly generated and known to both the domain controllers and the member machine. If the machine account +cannot be validated during startup, users will not be able to log on to the domain using this machine because +it cannot be trusted. The machine account is referred to as a machine trust account. +</p><p> +There are three possible domain member configurations: +</p><div class="orderedlist"><ol type="1"><li><p>Primary domain controller (PDC) - of which there is one per domain.</p></li><li><p>Backup domain controller (BDC) - of which there can be any number per domain.</p></li><li><p>Domain member server (DMS) - of which there can be any number per domain.</p></li></ol></div><p> +<a class="indexterm" name="id333881"></a> +We will discuss each of these in separate chapters. For now, we are most interested in basic DMS +configuration. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id333890"></a>Example Configuration</h4></div></div></div><p><span class="emphasis"><em> +Samba as a Domain Member Server +</em></span></p><p> +<a class="indexterm" name="id333902"></a> +This method involves addition of the following parameters in the <code class="filename">smb.conf</code> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id333924"></a><em class="parameter"><code>security = domain</code></em></td></tr><tr><td><a class="indexterm" name="id333936"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr></table><p> +</p><p> +In order for this method to work, the Samba server needs to join the MS Windows NT +security domain. This is done as follows: +<a class="indexterm" name="id333953"></a> +<a class="indexterm" name="id333962"></a> +</p><div class="procedure"><ol type="1"><li><p>On the MS Windows NT domain controller, using + the Server Manager, add a machine account for the Samba server. + </p></li><li><p>On the UNIX/Linux system execute:</p><pre class="screen"><code class="prompt">root# </code><strong class="userinput"><code>net rpc join -U administrator%password</code></strong></pre></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id334009"></a> +Samba-2.2.4 and later Samba 2.2.x series releases can autojoin a Windows NT4-style domain just by executing: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -j <em class="replaceable"><code>DOMAIN_NAME</code></em> -r <em class="replaceable"><code>PDC_NAME</code></em> \ + -U Administrator%<em class="replaceable"><code>password</code></em></code></strong> +</pre><p> +<a class="indexterm" name="id334043"></a> +Samba-3 can do the same by executing: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -U Administrator%<em class="replaceable"><code>password</code></em></code></strong> +</pre><p> +It is not necessary with Samba-3 to specify the <em class="replaceable"><code>DOMAIN_NAME</code></em> or the +<em class="replaceable"><code>PDC_NAME</code></em>, as it figures this out from the <code class="filename">smb.conf</code> file settings. +</p></div><p> +<a class="indexterm" name="id334090"></a> +<a class="indexterm" name="id334097"></a> +<a class="indexterm" name="id334104"></a> +Use of this mode of authentication requires there to be a standard UNIX account for each user in order to +assign a UID once the account has been authenticated by the Windows domain controller. This account can be +blocked to prevent logons by clients other than MS Windows through means such as setting an invalid shell in +the <code class="filename">/etc/passwd</code> entry. The best way to allocate an invalid shell to a user account is to +set the shell to the file <code class="filename">/bin/false</code>. +</p><p> +<a class="indexterm" name="id334129"></a> +<a class="indexterm" name="id334136"></a> +Domain controllers can be located anywhere that is convenient. The best advice is to have a BDC on every +physical network segment, and if the PDC is on a remote network segment the use of WINS (see <a href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a> for more information) is almost essential. +</p><p> +An alternative to assigning UIDs to Windows users on a Samba member server is presented in <a href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind</a>, <a href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>. +</p><p> +For more information regarding domain membership, <a href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id334182"></a>ADS Security Mode (User-Level Security)</h3></div></div></div><p> +<a class="indexterm" name="id334190"></a> +<a class="indexterm" name="id334197"></a> +Both Samba-2.2, and Samba-3 can join an Active Directory domain using NT4 style RPC based security. This is +possible if the domain is run in native mode. Active Directory in native mode perfectly allows NT4-style +domain members. This is contrary to popular belief. +</p><p> +If you are using Active Directory, starting with Samba-3 you can join as a native AD member. Why would you +want to do that? Your security policy might prohibit the use of NT-compatible authentication protocols. All +your machines are running Windows 2000 and above and all use Kerberos. In this case, Samba, as an NT4-style +domain, would still require NT-compatible authentication data. Samba in AD-member mode can accept Kerberos +tickets. +</p><p> +<a class="indexterm" name="id334216"></a> +<a class="indexterm" name="id334223"></a> +Sites that use Microsoft Windows active directory services (ADS) should be aware of the significance of the +terms: <code class="literal">native mode</code> and <code class="literal">mixed mode</code> ADS operation. The term +<code class="literal">realm</code> is used to describe a Kerberos-based security architecture (such as is used by +Microsoft ADS). +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id334251"></a>Example Configuration</h4></div></div></div><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id334263"></a><em class="parameter"><code>realm = your.kerberos.REALM</code></em></td></tr><tr><td><a class="indexterm" name="id334275"></a><em class="parameter"><code>security = ADS</code></em></td></tr></table><p> +The following parameter may be required: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id334298"></a><em class="parameter"><code>password server = your.kerberos.server</code></em></td></tr></table><p> +Please refer to <a href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>, and <a href="domain-member.html#ads-member" title="Samba ADS Domain Membership">Samba +ADS Domain Membership</a> for more information regarding this configuration option. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id334332"></a>Server Security (User Level Security)</h3></div></div></div><p> +Server security mode is left over from the time when Samba was not capable of acting +as a domain member server. It is highly recommended not to use this feature. Server +security mode has many drawbacks that include: +</p><div class="itemizedlist"><ul type="disc"><li><p>Potential account lockout on MS Windows NT4/200x password servers.</p></li><li><p>Lack of assurance that the password server is the one specified.</p></li><li><p>Does not work with Winbind, which is particularly needed when storing profiles remotely.</p></li><li><p>This mode may open connections to the password server and keep them open for extended periods.</p></li><li><p>Security on the Samba server breaks badly when the remote password server suddenly shuts down.</p></li><li><p>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</p></li></ul></div><p> +<a class="indexterm" name="id334380"></a> +<a class="indexterm" name="id334386"></a> +In server security mode the Samba server reports to the client that it is in user-level security. The client +then does a session setup as described earlier. The Samba server takes the username/password that the client +sends and attempts to log into the <a class="indexterm" name="id334395"></a>password server by sending exactly the same +username/password that it got from the client. If that server is in user-level security and accepts the +password, then Samba accepts the client's connection. This parameter allows the Samba server to use another +SMB server as the <a class="indexterm" name="id334404"></a>password server. +</p><p> +<a class="indexterm" name="id334414"></a> +<a class="indexterm" name="id334421"></a> +You should also note that at the start of all this, when the server tells the client +what security level it is in, it also tells the client if it supports encryption. If it +does, it supplies the client with a random cryptkey. The client will then send all +passwords in encrypted form. Samba supports this type of encryption by default. +</p><p> +The parameter <a class="indexterm" name="id334434"></a>security = server means that Samba reports to clients that +it is running in <span class="emphasis"><em>user mode</em></span> but actually passes off all authentication requests to another +user mode server. This requires an additional parameter <a class="indexterm" name="id334447"></a>password server that points to +the real authentication server. The real authentication server can be another Samba server, or it can be a +Windows NT server, the latter being natively capable of encrypted password support. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id334460"></a> +<a class="indexterm" name="id334466"></a> +When Samba is running in <span class="emphasis"><em>server security mode</em></span>, it is essential that the parameter +<span class="emphasis"><em>password server</em></span> is set to the precise NetBIOS machine name of the target authentication +server. Samba cannot determine this from NetBIOS name lookups because the choice of the target authentication +server is arbitrary and cannot be determined from a domain name. In essence, a Samba server that is in +<span class="emphasis"><em>server security mode</em></span> is operating in what used to be known as workgroup mode. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id334489"></a>Example Configuration</h4></div></div></div><p><span class="emphasis"><em> +Using MS Windows NT as an Authentication Server +</em></span></p><p> +This method involves the additions of the following parameters in the <code class="filename">smb.conf</code> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id334516"></a><em class="parameter"><code>encrypt passwords = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334528"></a><em class="parameter"><code>security = server</code></em></td></tr><tr><td><a class="indexterm" name="id334541"></a><em class="parameter"><code>password server = "NetBIOS_name_of_a_DC"</code></em></td></tr></table><p> +There are two ways of identifying whether or not a username and password pair is valid. +One uses the reply information provided as part of the authentication messaging +process, the other uses just an error code. +</p><p> +<a class="indexterm" name="id334561"></a> +<a class="indexterm" name="id334567"></a> +The downside of this mode of configuration is that for security reasons Samba +will send the password server a bogus username and a bogus password, and if the remote +server fails to reject the bogus username and password pair, then an alternative mode of +identification or validation is used. Where a site uses password lockout, after a +certain number of failed authentication attempts, this will result in user lockouts. +</p><p> +Use of this mode of authentication requires a standard UNIX account for the user. +This account can be blocked to prevent logons by non-SMB/CIFS clients. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334587"></a>Password Checking</h2></div></div></div><p> +MS Windows clients may use encrypted passwords as part of a challenge/response +authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear-text strings for simple +password-based authentication. It should be realized that with the SMB protocol, +the password is passed over the network either in plaintext or encrypted, but +not both in the same authentication request. +</p><p> +<a class="indexterm" name="id334601"></a> +<a class="indexterm" name="id334608"></a> +When encrypted passwords are used, a password that has been entered by the user +is encrypted in two ways: +</p><div class="itemizedlist"><ul type="disc"><li><p>An MD4 hash of the unicode of the password + string. This is known as the NT hash. + </p></li><li><p>The password is converted to uppercase, + and then padded or truncated to 14 bytes. This string is + then appended with 5 bytes of NULL characters and split to + form two 56-bit DES keys to encrypt a "magic" 8-byte value. + The resulting 16 bytes form the LanMan hash. + </p></li></ul></div><p> +<a class="indexterm" name="id334634"></a> +MS Windows 95 pre-service pack 1 and MS Windows NT versions 3.x and version 4.0 pre-service pack 3 will use +either mode of password authentication. All versions of MS Windows that follow these versions no longer +support plain-text passwords by default. +</p><p> +<a class="indexterm" name="id334649"></a> +MS Windows clients have a habit of dropping network mappings that have been idle +for 10 minutes or longer. When the user attempts to use the mapped drive +connection that has been dropped, the client re-establishes the connection using +a cached copy of the password. +</p><p> +When Microsoft changed the default password mode, support was dropped for caching +of the plaintext password. This means that when the registry parameter is changed +to re-enable use of plaintext passwords, it appears to work, but when a dropped +service connection mapping attempts to revalidate, this will fail if the remote +authentication server does not support encrypted passwords. It is definitely not +a good idea to re-enable plaintext password support in such clients. +</p><p> +The following parameters can be used to work around the issue of Windows 9x/Me clients +uppercasing usernames and passwords before transmitting them to the SMB server +when using clear-text authentication: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id334682"></a><em class="parameter"><code>password level</code></em></td></tr><tr><td><a class="indexterm" name="id334694"></a><em class="parameter"><code>username level</code></em></td></tr></table><p> +By default Samba will convert to lowercase the username before attempting to lookup the user +in the database of local system accounts. Because UNIX usernames conventionally +only contain lowercase characters, the <a class="indexterm" name="id334711"></a>username-level parameter +is rarely needed. +</p><p> +<a class="indexterm" name="id334721"></a> +However, passwords on UNIX systems often make use of mixed-case characters. This means that in order for a +user on a Windows 9x/Me client to connect to a Samba server using clear-text authentication, the +<a class="indexterm" name="id334730"></a>password level must be set to the maximum number of uppercase letters that +<span class="emphasis"><em>could</em></span> appear in a password. Note that if the Server OS uses the traditional DES version +of crypt(), a <a class="indexterm" name="id334742"></a>password level of 8 will result in case-insensitive passwords as seen +from Windows users. This will also result in longer login times because Samba has to compute the permutations +of the password string and try them one by one until a match is located (or all combinations fail). +</p><p> +The best option to adopt is to enable support for encrypted passwords wherever +Samba is used. Most attempts to apply the registry change to re-enable plaintext +passwords will eventually lead to user complaints and unhappiness. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334759"></a>Common Errors</h2></div></div></div><p> +We all make mistakes. It is okay to make mistakes, as long as they are made in the right places +and at the right time. A mistake that causes lost productivity is seldom tolerated; however, a mistake +made in a developmental test lab is expected. +</p><p> +Here we look at common mistakes and misapprehensions that have been the subject of discussions +on the Samba mailing lists. Many of these are avoidable by doing your homework before attempting +a Samba implementation. Some are the result of a misunderstanding of the English language, +which has many phrases that are potentially vague and may be highly confusing +to those for whom English is not their native tongue. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id334776"></a>What Makes Samba a Server?</h3></div></div></div><p> +To some, the nature of the Samba security mode is obvious, but entirely +wrong all the same. It is assumed that <a class="indexterm" name="id334785"></a>security = server means that Samba +will act as a server. Not so! This setting means that Samba will <span class="emphasis"><em>try</em></span> +to use another SMB server as its source for user authentication alone. +</p><p> +Samba is a server regardless of which security mode is chosen. When Samba is used outside of a domain security +context, it is best to leave the security mode at the default setting. By default Samba-3 uses user-mode +security. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id334805"></a>What Makes Samba a Domain Controller?</h3></div></div></div><p> +<a class="indexterm" name="id334812"></a> +The <code class="filename">smb.conf</code> parameter <a class="indexterm" name="id334826"></a>security = domain does not really make Samba behave +as a domain controller. This setting means we want Samba to be a domain member. See <a href="samba-pdc.html" title="Chapter 4. Domain Control">Samba as a PDC</a> for more information. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id334843"></a>What Makes Samba a Domain Member?</h3></div></div></div><p> +Guess! So many others do. But whatever you do, do not think that <a class="indexterm" name="id334851"></a>security = user +makes Samba act as a domain member. Read the manufacturer's manual before the warranty expires. See +<a href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>, for more information. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id334868"></a>Constantly Losing Connections to Password Server</h3></div></div></div><p>“<span class="quote"> +Why does server_validate() simply give up rather than re-establish its connection to the +password server? Though I am not fluent in the SMB protocol, perhaps the cluster server +process passes along to its client workstation the session key it receives from the password +server, which means the password hashes submitted by the client would not work on a subsequent +connection whose session key would be different. So server_validate() must give up. +</span>”</p><p> +Indeed. That's why <a class="indexterm" name="id334885"></a>security = server +is at best a nasty hack. Please use <a class="indexterm" name="id334892"></a>security = domain; +<a class="indexterm" name="id334899"></a>security = server mode is also known as pass-through authentication. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id334909"></a>Stand-alone Server is converted to Domain Controller Now User accounts don't work</h3></div></div></div><p>“<span class="quote"> +When I try to log in to the DOMAIN, the eventlog shows <span class="emphasis"><em>tried credentials DOMAIN/username; effective +credentials SERVER/username</em></span> +</span>”</p><p> +Usually this is due to a user or machine account being created before the Samba server is configured to be a +domain controller. Accounts created before the server becomes a domain controller will be +<span class="emphasis"><em>local</em></span> accounts and authenticated as what looks like a member in the SERVER domain, much +like local user accounts in Windows 2000 and later. Accounts created after the Samba server becomes a domain +controller will be <span class="emphasis"><em>domain</em></span> accounts and will be authenticated as a member of the DOMAIN +domain. +</p><p> +This can be verified by issuing the command <code class="literal">pdbedit -L -v username</code>. If this reports DOMAIN +then the account is a domain account, if it reports SERVER then the account is a local account. +</p><p> +The easiest way to resolve this is to remove and recreate the account; however this may cause problems with +established user profiles. You can also use <code class="literal">pdbedit -u username -I DOMAIN</code>. You may also +need to change the User SID and Primary Group SID to match the domain. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Server Configuration Basics </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. Domain Control</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/StandAloneServer.html b/docs/htmldocs/Samba3-HOWTO/StandAloneServer.html new file mode 100644 index 0000000000..89cac2c37e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/StandAloneServer.html @@ -0,0 +1,201 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Standalone Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="domain-member.html" title="Chapter 6. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 8. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Standalone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 7. Standalone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="StandAloneServer.html#id347049">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id347134">Background</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id347312">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></span></dt><dt><span class="sect2"><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></span></dt></dl></dd><dt><span class="sect1"><a href="StandAloneServer.html#id348271">Common Errors</a></span></dt></dl></div><p> +<a class="indexterm" name="id347024"></a> +<a class="indexterm" name="id347031"></a> +<a class="indexterm" name="id347038"></a> +Standalone servers are independent of domain controllers on the network. +They are not domain members and function more like workgroup servers. In many +cases a standalone server is configured with a minimum of security control +with the intent that all data served will be readily accessible to all users. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347049"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id347056"></a> +<a class="indexterm" name="id347063"></a> +Standalone servers can be as secure or as insecure as needs dictate. They can +have simple or complex configurations. Above all, despite the hoopla about +domain security, they remain a common installation. +</p><p> +<a class="indexterm" name="id347075"></a> +<a class="indexterm" name="id347082"></a> +<a class="indexterm" name="id347089"></a> +<a class="indexterm" name="id347096"></a> +If all that is needed is a server for read-only files, or for +printers alone, it may not make sense to effect a complex installation. +For example, a drafting office needs to store old drawings and reference +standards. Noone can write files to the server because it is legislatively +important that all documents remain unaltered. A share-mode read-only standalone +server is an ideal solution. +</p><p> +<a class="indexterm" name="id347109"></a> +<a class="indexterm" name="id347116"></a> +<a class="indexterm" name="id347123"></a> +Another situation that warrants simplicity is an office that has many printers +that are queued off a single central server. Everyone needs to be able to print +to the printers, there is no need to effect any access controls, and no files will +be served from the print server. Again, a share-mode standalone server makes +a great solution. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347134"></a>Background</h2></div></div></div><p> +<a class="indexterm" name="id347142"></a> +<a class="indexterm" name="id347149"></a> +<a class="indexterm" name="id347156"></a> +The term <span class="emphasis"><em>standalone server</em></span> means that it will provide local authentication and access +control for all resources that are available from it. In general this means that there will be a local user +database. In more technical terms, it means resources on the machine will be made available in either +<span class="emphasis"><em>share</em></span> mode or in <span class="emphasis"><em>user</em></span> mode. +</p><p> +<a class="indexterm" name="id347179"></a> +<a class="indexterm" name="id347186"></a> +<a class="indexterm" name="id347193"></a> +No special action is needed other than to create user accounts. Standalone +servers do not provide network logon services. This means that machines that +use this server do not perform a domain logon to it. Whatever logon facility +the workstations are subject to is independent of this machine. It is, however, +necessary to accommodate any network user so the logon name he or she uses will +be translated (mapped) locally on the standalone server to a locally known +user name. There are several ways this can be done. +</p><p> +<a class="indexterm" name="id347208"></a> +<a class="indexterm" name="id347214"></a> +<a class="indexterm" name="id347221"></a> +Samba tends to blur the distinction a little in defining +a standalone server. This is because the authentication database may be +local or on a remote server, even if from the SMB protocol perspective +the Samba server is not a member of a domain security context. +</p><p> +<a class="indexterm" name="id347233"></a> +<a class="indexterm" name="id347240"></a> +<a class="indexterm" name="id347246"></a> +<a class="indexterm" name="id347253"></a> +<a class="indexterm" name="id347260"></a> +<a class="indexterm" name="id347267"></a> +<a class="indexterm" name="id347274"></a> +<a class="indexterm" name="id347280"></a> +Through the use of Pluggable Authentication Modules (PAM) (see <a href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication">the chapter on PAM</a>) +and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may +reside on another server. We would be inclined to call this the authentication server. This means that the +Samba server may use the local UNIX/Linux system password database (<code class="filename">/etc/passwd</code> or +<code class="filename">/etc/shadow</code>), may use a local smbpasswd file, or may use an LDAP backend, or even via PAM +and Winbind another CIFS/SMB server for authentication. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347312"></a>Example Configuration</h2></div></div></div><p> +<a class="indexterm" name="id347320"></a> +<a class="indexterm" name="id347326"></a> +<a href="StandAloneServer.html#simplynice" title="Example 7.1. smb.conf for Reference Documentation Server">The example Reference Documentation Server</a> and <a href="StandAloneServer.html#SimplePrintServer" title="Central Print Serving">Central Print Serving</a> are designed to inspire simplicity. It is too easy to +attempt a high level of creativity and to introduce too much complexity in server and network design. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="RefDocServer"></a>Reference Documentation Server</h3></div></div></div><p> +<a class="indexterm" name="id347362"></a> +<a class="indexterm" name="id347368"></a> +<a class="indexterm" name="id347375"></a> +<a class="indexterm" name="id347382"></a> +Configuration of a read-only data server that everyone can access is very simple. By default, all shares are +read-only, unless set otherwise in the <code class="filename">smb.conf</code> file. <a href="StandAloneServer.html#simplynice" title="Example 7.1. smb.conf for Reference Documentation Server">The example - Reference +Documentation Server</a> is the <code class="filename">smb.conf</code> file that will do this. Assume that all the reference documents +are stored in the directory <code class="filename">/export</code>, and the documents are owned by a user other than +nobody. No home directories are shared, and there are no users in the <code class="filename">/etc/passwd</code> UNIX +system database. This is a simple system to administer. +</p><div class="example"><a name="simplynice"></a><p class="title"><b>Example 7.1. smb.conf for Reference Documentation Server</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id347451"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id347464"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id347476"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td><a class="indexterm" name="id347489"></a><em class="parameter"><code>passdb backend = guest</code></em></td></tr><tr><td><a class="indexterm" name="id347501"></a><em class="parameter"><code>wins server = 192.168.1.1</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id347523"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id347535"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id347548"></a><em class="parameter"><code>guest only = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> +I would have spoken more briefly, if I'd had more time to prepare. +</p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Mark Twain</span></td></tr></table></div><p> +<a class="indexterm" name="id347574"></a> +<a class="indexterm" name="id347581"></a> +<a class="indexterm" name="id347588"></a> +<a class="indexterm" name="id347595"></a> +In <a href="StandAloneServer.html#simplynice" title="Example 7.1. smb.conf for Reference Documentation Server">this example</a>, the machine name is set to GANDALF, and the +workgroup is set to the name of the local workgroup (MIDEARTH) so the machine will appear together +with systems with which users are familiar. The only password backend required is the “<span class="quote">guest</span>” +backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we +of course make use of it. +</p><p> +A US Air Force Colonel was renowned for saying: “<span class="quote">Better is the enemy of good enough!</span>” There are often +sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately, +many network administrators still need to learn the art of doing just enough to keep out of trouble. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="SimplePrintServer"></a>Central Print Serving</h3></div></div></div><p> +<a class="indexterm" name="id347637"></a> +<a class="indexterm" name="id347644"></a> +Configuration of a simple print server is easy if you have all the right tools on your system. +</p><div class="orderedlist"><p class="title"><b> Assumptions</b></p><ol type="1"><li><p> + The print server must require no administration. + </p></li><li><p> + The print spooling and processing system on our print server will be CUPS. + (Please refer to <a href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>, for more information). + </p></li><li><p> + The print server will service only network printers. The network administrator + will correctly configure the CUPS environment to support the printers. + </p></li><li><p> + All workstations will use only PostScript drivers. The printer driver + of choice is the one shipped with the Windows OS for the Apple Color LaserWriter. + </p></li></ol></div><p> +<a class="indexterm" name="id347695"></a> +<a class="indexterm" name="id347702"></a> +<a class="indexterm" name="id347708"></a> +In this example our print server will spool all incoming print jobs to +<code class="filename">/var/spool/samba</code> until the job is ready to be submitted by +Samba to the CUPS print processor. Since all incoming connections will be as +the anonymous (guest) user, two things will be required to enable anonymous printing. +</p><div class="itemizedlist"><p class="title"><b>Enabling Anonymous Printing</b></p><ul type="disc"><li><p> +<a class="indexterm" name="id347734"></a> +<a class="indexterm" name="id347740"></a> +<a class="indexterm" name="id347747"></a> + The UNIX/Linux system must have a <code class="literal">guest</code> account. + The default for this is usually the account <code class="literal">nobody</code>. + To find the correct name to use for your version of Samba, do the + following: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>testparm -s -v | grep "guest account"</code></strong> +</pre><p> +<a class="indexterm" name="id347783"></a> + Make sure that this account exists in your system password + database (<code class="filename">/etc/passwd</code>). + </p><p> +<a class="indexterm" name="id347800"></a> +<a class="indexterm" name="id347807"></a> +<a class="indexterm" name="id347813"></a> + It is a good idea either to set a password on this account, or else to lock it + from UNIX use. Assuming that the guest account is called <code class="literal">pcguest</code>, + it can be locked by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> passwd -l pcguest +</pre><p> + The exact command may vary depending on your UNIX/Linux distribution. + </p></li><li><p> +<a class="indexterm" name="id347844"></a> +<a class="indexterm" name="id347851"></a> +<a class="indexterm" name="id347858"></a> +<a class="indexterm" name="id347865"></a> +<a class="indexterm" name="id347871"></a> +<a class="indexterm" name="id347878"></a> + The directory into which Samba will spool the file must have write + access for the guest account. The following commands will ensure that + this directory is available for use: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>mkdir /var/spool/samba</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chown nobody.nobody /var/spool/samba</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chmod a+rwt /var/spool/samba</code></strong> +</pre><p> + </p></li></ul></div><p> +The contents of the <code class="filename">smb.conf</code> file is shown in <a href="StandAloneServer.html#AnonPtrSvr" title="Example 7.2. smb.conf for Anonymous Printing">the Anonymous Printing example</a>. +</p><div class="example"><a name="AnonPtrSvr"></a><p class="title"><b>Example 7.2. <code class="filename">smb.conf</code> for Anonymous Printing</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id347974"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id347986"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id347999"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td><a class="indexterm" name="id348011"></a><em class="parameter"><code>passdb backend = guest</code></em></td></tr><tr><td><a class="indexterm" name="id348024"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id348036"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id348058"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id348070"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id348083"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id348095"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348108"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348120"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348133"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id348150"></a> +<a class="indexterm" name="id348159"></a> +<a class="indexterm" name="id348166"></a> +<a class="indexterm" name="id348172"></a> +<a class="indexterm" name="id348179"></a> +On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate +processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to +configure a raw printing device. It is also necessary to enable the raw mime handler in the +<code class="filename">/etc/mime.conv</code> and <code class="filename">/etc/mime.types</code> files. Refer to <a href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>, <a href="CUPS-printing.html#cups-raw" title="Explicitly Enable “raw” Printing for application/octet-stream">Explicitly Enable raw Printing +for application/octet-stream</a>. +</p></div><p> +<a class="indexterm" name="id348218"></a> +<a class="indexterm" name="id348224"></a> +<a class="indexterm" name="id348231"></a> +<a class="indexterm" name="id348238"></a> +The example in <a href="StandAloneServer.html#AnonPtrSvr" title="Example 7.2. smb.conf for Anonymous Printing">the Anonymous Printing example</a> uses CUPS for direct printing +via the CUPS libarary API. This means that all printers will be exposed to Windows users without need to +configure a printcap file. If there is necessity to expose only a sub-set of printers, or to define a special +type of printer (for example, a PDF filter) the <em class="parameter"><code>printcap name = cups</code></em> can be replaced +with the entry <em class="parameter"><code>printcap name = /etc/samba/myprintcap</code></em>. In this case the file specified +should contain a list of the printer names that should be exposed to Windows network users. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id348271"></a>Common Errors</h2></div></div></div><p> +<a class="indexterm" name="id348278"></a> +<a class="indexterm" name="id348285"></a> +The greatest mistake so often made is to make a network configuration too complex. +It pays to use the simplest solution that will meet the needs of the moment. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 6. Domain Membership </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. MS Windows Network Configuration Guide</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/TOSHpreface.html b/docs/htmldocs/Samba3-HOWTO/TOSHpreface.html new file mode 100644 index 0000000000..1b91d37a7c --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/TOSHpreface.html @@ -0,0 +1,50 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Preface</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="pr03.html" title="Foreword"><link rel="next" href="IntroSMB.html" title="Introduction"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Preface</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="TOSHpreface"></a>Preface</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="TOSHpreface.html#id325110">Conventions Used</a></span></dt></dl></div><p> +The editors wish to thank you for your decision to purchase this book. +The Official Samba-3 HOWTO and Reference Guide is the result of many years +of accumulation of information, feedback, tips, hints, and happy solutions. +</p><p> +Please note that this book is a living document, the contents of which are +constantly being updated. We encourage you to contribute your tips, techniques, +helpful hints, and your special insight into the Windows networking world to +help make the next generation of this book even more valuable to Samba users. +</p><p> +We have made a concerted effort to document more comprehensively than has been +done previously the information that may help you to better deploy Samba and to +gain more contented network users. +</p><p> +This book provides example configurations, it documents key aspects of Microsoft +Windows networking, provides in-depth insight into the important configuration of +Samba-3, and helps to put all of these into a useful framework. +</p><p> +The most recent electronic versions of this document can be found at +<a href="http://www.samba.org/" target="_top">http://www.samba.org/</a> +on the “<span class="quote">Documentation</span>” page. +</p><p> +Updates, patches and corrections are most welcome. Please email your contributions +to any one of the following: +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="mailto:jelmer@samba.org" target="_top">Jelmer Vernooij (jelmer@samba.org)</a></td></tr><tr><td><a href="mailto:jht@samba.org" target="_top">John H. Terpstra (jht@samba.org)</a></td></tr><tr><td><a href="mailto:jerry@samba.org" target="_top">Gerald (Jerry) Carter (jerry@samba.org)</a></td></tr></table><p> +</p><p> +We wish to advise that only original and unencumbered material can be published. Please do not submit +content that is not your own work unless proof of consent from the copyright holder accompanies your +submission. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325110"></a>Conventions Used</h2></div></div></div><p> + The following notation conventions are used throughout this book: + </p><div class="itemizedlist"><ul type="disc"><li><p> + TOSHARG2 is used as an abbreviation for the book, “<span class="quote">The Official Samba-3 + HOWTO and Reference Guide, Second Edition</span>” Editors: John H. Terpstra and Jelmer R. Vernooij, + Publisher: Prentice Hall, ISBN: 0131882228. + </p></li><li><p> + S3bE2 is used as an abbreviation for the book, “<span class="quote">Samba-3 by Example, Second Edition</span>” + Editors: John H. Terpstra, Publisher: Prentice Hall, ISBN: 013188221X. + </p></li><li><p> + Directories and filenames appear in mono-font. For example, + <code class="filename">/etc/pam.conf</code>. + </p></li><li><p> + Executable names are bolded. For example, <code class="literal">smbd</code>. + </p></li><li><p> + Menu items and buttons appear in bold. For example, click <span class="guibutton">Next</span>. + </p></li><li><p> + Selecting a menu item is indicated as: + <span class="guimenu">Start</span> → <span class="guimenuitem">Control Panel</span> → <span class="guimenuitem">Administrative Tools</span> → <span class="guimenuitem">Active Directory Users and Computers</span> + </p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Foreword </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Introduction</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/VFS.html b/docs/htmldocs/Samba3-HOWTO/VFS.html new file mode 100644 index 0000000000..dc5b263949 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/VFS.html @@ -0,0 +1,531 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. Stackable VFS modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support"><link rel="next" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 23. Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tpot@samba.org">tpot@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Ed</span> <span class="surname">Riddle</span></h3><span class="contrib">original shadow_copy docs</span> </div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="VFS.html#id416378">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="VFS.html#id416413">Discussion</a></span></dt><dt><span class="sect1"><a href="VFS.html#id416800">Included Modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id416806">audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416845">default_quota</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417038">extd_audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#fakeperms">fake_perms</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417334">recycle</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417705">netatalk</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417753">shadow_copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="VFS.html#id418589">VFS Modules Available Elsewhere</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id418611">DatabaseFS</a></span></dt><dt><span class="sect2"><a href="VFS.html#id418663">vscan</a></span></dt><dt><span class="sect2"><a href="VFS.html#id418700">vscan-clamav</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id416378"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id416385"></a> +<a class="indexterm" name="id416394"></a> +<a class="indexterm" name="id416401"></a> +Stackable VFS (Virtual File System) modules support was new to Samba-3 and has proven quite popular. Samba +passes each request to access the UNIX file system through the loaded VFS modules. This chapter covers the +modules that come with the Samba source and provides references to some external modules. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id416413"></a>Discussion</h2></div></div></div><p> +<a class="indexterm" name="id416420"></a> +<a class="indexterm" name="id416427"></a> +If not supplied with your platform distribution binary Samba package, you may have problems compiling these +modules, as shared libraries are compiled and linked in different ways on different systems. They currently +have been tested against GNU/Linux and IRIX. +</p><p> +<a class="indexterm" name="id416440"></a> +<a class="indexterm" name="id416446"></a> +<a class="indexterm" name="id416453"></a> +To use the VFS modules, create a share similar to the one below. The important parameter is the <a class="indexterm" name="id416461"></a>vfs objects parameter where you can list one or more VFS modules by name. For example, to log all +access to files and put deleted files in a recycle bin, see <a href="VFS.html#vfsrecyc" title="Example 23.1. smb.conf with VFS modules">the smb.conf with VFS +modules example</a>: +</p><div class="example"><a name="vfsrecyc"></a><p class="title"><b>Example 23.1. smb.conf with VFS modules</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[audit]</code></em></td></tr><tr><td><a class="indexterm" name="id416502"></a><em class="parameter"><code>comment = Audited /data directory</code></em></td></tr><tr><td><a class="indexterm" name="id416515"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id416527"></a><em class="parameter"><code>vfs objects = audit recycle</code></em></td></tr><tr><td><a class="indexterm" name="id416540"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id416552"></a><em class="parameter"><code>browseable = yes</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id416568"></a> +<a class="indexterm" name="id416575"></a> +<a class="indexterm" name="id416582"></a> +The modules are used in the order in which they are specified. Let's say that you want to both have a virus +scanner module and a recycle bin module. It is wise to put the virus scanner module as the first one so that +it is the first to get run and may detect a virus immediately, before any action is performed on that file. +<a class="indexterm" name="id416591"></a>vfs objects = vscan-clamav recycle +</p><p> +<a class="indexterm" name="id416602"></a> +<a class="indexterm" name="id416609"></a> +Samba will attempt to load modules from the <code class="filename">/lib</code> directory in the root directory of the +Samba installation (usually <code class="filename">/usr/lib/samba/vfs</code> or +<code class="filename">/usr/local/samba/lib/vfs</code>). +</p><p> +<a class="indexterm" name="id416638"></a> +<a class="indexterm" name="id416644"></a> +<a class="indexterm" name="id416651"></a> +<a class="indexterm" name="id416658"></a> +Some modules can be used twice for the same share. This can be done using a configuration similar to the one +shown in <a href="VFS.html#multimodule" title="Example 23.2. smb.conf with multiple VFS modules">the smb.conf with multiple VFS modules</a>. + +</p><div class="example"><a name="multimodule"></a><p class="title"><b>Example 23.2. smb.conf with multiple VFS modules</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[test]</code></em></td></tr><tr><td><a class="indexterm" name="id416696"></a><em class="parameter"><code>comment = VFS TEST</code></em></td></tr><tr><td><a class="indexterm" name="id416709"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id416722"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id416734"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id416747"></a><em class="parameter"><code>vfs objects = example:example1 example example:test</code></em></td></tr><tr><td><a class="indexterm" name="id416759"></a><em class="parameter"><code>example1: parameter = 1</code></em></td></tr><tr><td><a class="indexterm" name="id416772"></a><em class="parameter"><code>example: parameter = 5</code></em></td></tr><tr><td><a class="indexterm" name="id416784"></a><em class="parameter"><code>test: parameter = 7</code></em></td></tr></table></div></div><p><br class="example-break"> +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id416800"></a>Included Modules</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id416806"></a>audit</h3></div></div></div><p> +<a class="indexterm" name="id416814"></a> + A simple module to audit file access to the syslog facility. The following operations are logged: + </p><div class="itemizedlist"><ul type="disc"><li><p>share</p></li><li><p>connect/disconnect</p></li><li><p>directory opens/create/remove</p></li><li><p>file open/close/rename/unlink/chmod</p></li></ul></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id416845"></a>default_quota</h3></div></div></div><p> + This module allows the default quota values, in the windows explorer GUI, to be stored on a Samba-3 server. + The challenge is that linux filesystems only store quotas for users and groups, but no default quotas. + </p><p> + Samba returns NO_LIMIT as the default quotas by default and refuses to update them. With this module you + can store the default quotas that are reported to a windows client, in the quota record of a user. By + default the root user is taken because quota limits for root are typically not enforced. + </p><p> + This module takes 2 parametric entries in the <code class="filename">smb.conf</code> file. The default prefix for each is the + “<span class="quote">default_quota</span>”. This can be overwrittem when you load the module in the <span class="emphasis"><em>vfs + modules</em></span> parameter like this: +</p><pre class="screen"> +vfs objects = default_quota:myprefix +</pre><p> + </p><p> + The parametric entries that may be specified for the default_quotas module are: + </p><div class="variablelist"><dl><dt><span class="term">myprefix:uid</span></dt><dd><p> + This parameter takes a integer argument that specifies the uid of the quota record that will be + used for storing the default user quotas. + </p><p> + The default value is 0 (for root user). An example of use is: +</p><pre class="screen"> +vfs objects = default_quota +default_quota: uid = 65534 +</pre><p> + The above demonstrates the case where the <code class="constant">myprefix</code> was omitted, thus the + default prefix is the name of the module. When a <code class="constant">myprefix</code> parameter is + specified the above can be re-written like this: +</p><pre class="screen"> +vfs objects = default_quota:myprefix +myprefix: uid = 65534 +</pre><p> + </p></dd><dt><span class="term">myprefix:uid nolimit</span></dt><dd><p> + This parameter takes a boolean argument that specifies if the stored default quota values also be + reported for the user record, or if the value <code class="constant">NO_LIMIT</code> should be reported to + the windows client for the user specified by the <em class="parameter"><code>prefix:uid</code></em> parameter. + </p><p> + The default value is <code class="constant">yes</code> (which means to report NO_LIMIT). An example of use + is shown here: +</p><pre class="screen"> +vfs objects = default_quota:myprefix +myprefix: uid nolimit = no +</pre><p> + </p></dd><dt><span class="term">myprefix:gid</span></dt><dd><p> + This parameter takes an integer argument, it's just like the <em class="parameter"><code>prefix>:uid</code></em> but + for group quotas. NOTE: group quotas are not supported from the windows explorer. + </p><p> + The default value is 0 (for root group). An example of use is shown here: +</p><pre class="screen"> +vfs objects = default_quota +default_quota: gid = 65534 +</pre><p> + </p></dd><dt><span class="term">myprefix:gid nolimit</span></dt><dd><p> + This parameter takes a boolean argument, just like the <em class="parameter"><code>prefix>:uid nolimit</code></em> + but for group quotas. NOTE: group quotas are not supported from the windows explorer. + </p><p> + The default value is <code class="constant">yes</code> (which means to report NO_LIMIT). An example of use + is shown here: +</p><pre class="screen"> +vfs objects = default_quota +default_quota: uid nolimit = no +</pre><p> + </p></dd></dl></div><p> + An example of use of multiple parametric specifications is shown here: +</p><pre class="screen"> +... +vfs objects = default_quota:quotasettings +quotasettings: uid nolimit = no +quotasettings: gid = 65534 +quotasettings: gid nolimit = no +... +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id417038"></a>extd_audit</h3></div></div></div><p> +<a class="indexterm" name="id417046"></a> +<a class="indexterm" name="id417053"></a> +<a class="indexterm" name="id417060"></a> + This module is identical with the <code class="literal">audit</code> module above except + that it sends audit logs to both syslog as well as the <code class="literal">smbd</code> log files. The + <a class="indexterm" name="id417079"></a>log level for this module is set in the <code class="filename">smb.conf</code> file. + </p><p> + Valid settings and the information that will be recorded are shown in <a href="VFS.html#xtdaudit" title="Table 23.1. Extended Auditing Log Information">the next table</a>. + </p><div class="table"><a name="xtdaudit"></a><p class="title"><b>Table 23.1. Extended Auditing Log Information</b></p><div class="table-contents"><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Make Directory, Remove Directory, Unlink</td></tr><tr><td align="center">1</td><td align="left">Open Directory, Rename File, Change Permissions/ACLs</td></tr><tr><td align="center">2</td><td align="left">Open & Close File</td></tr><tr><td align="center">10</td><td align="left">Maximum Debug Level</td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id417186"></a>Configuration of Auditing</h4></div></div></div><p> +<a class="indexterm" name="id417194"></a> + This auditing tool is more felxible than most people readily will recognize. There are a number of ways + by which useful logging information can be recorded. + </p><div class="itemizedlist"><ul type="disc"><li><p>Syslog can be used to record all transaction. This can be disabled by setting + in the <code class="filename">smb.conf</code> file <em class="parameter"><code>syslog = 0</code></em>.</p></li><li><p>Logging can take place to the default log file (<code class="filename">log.smbd</code>) + for all loaded VFS modules just by setting in the <code class="filename">smb.conf</code> file + <em class="parameter"><code>log level = 0 vfs:x</code></em>, where x is the log level. + This will disable general logging while activating all logging of VFS + module activity at the log level specified.</p></li><li><p>Detailed logging can be obtained per user, per client machine, etc. + This requires the above together with the creative use of the + <em class="parameter"><code>log file</code></em> settings.</p><p>An example of detailed per-user and per-machine logging can + be obtained by setting + <a class="indexterm" name="id417262"></a>log file = /var/log/samba/%U.%m.log. + </p></li></ul></div><p> + Auditing information often must be preserved for a long time. So that the log files do not get rotated + it is essential that the <a class="indexterm" name="id417274"></a>max log size = 0 be set + in the <code class="filename">smb.conf</code> file. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="fakeperms"></a>fake_perms</h3></div></div></div><p> +<a class="indexterm" name="id417302"></a> +<a class="indexterm" name="id417309"></a> +<a class="indexterm" name="id417315"></a> +<a class="indexterm" name="id417322"></a> + This module was created to allow Roaming Profile files and directories to be set (on the Samba server + under UNIX) as read only. This module will, if installed on the Profiles share, report to the client + that the Profile files and directories are writeable. This satisfies the client even though the files + will never be overwritten as the client logs out or shuts down. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id417334"></a>recycle</h3></div></div></div><p> +<a class="indexterm" name="id417342"></a> +<a class="indexterm" name="id417349"></a> +<a class="indexterm" name="id417356"></a> + A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved + to the recycle directory instead of being deleted. This gives the same effect as the + <span class="guiicon">Recycle Bin</span> on Windows computers. + </p><p> +<a class="indexterm" name="id417374"></a> +<a class="indexterm" name="id417380"></a> +<a class="indexterm" name="id417387"></a> +<a class="indexterm" name="id417394"></a> + The <span class="guiicon">Recycle Bin</span> will not appear in + <span class="application">Windows Explorer</span> views of the network + file system (share) nor on any mapped drive. Instead, a directory + called <code class="filename">.recycle</code> will be automatically created + when the first file is deleted and <em class="parameter"><code>recycle:repository</code></em> + is not configured. + If <em class="parameter"><code>recycle:repository</code></em> is configured, the name + of the created directory depends on <em class="parameter"><code>recycle:repository</code></em>. + Users can recover files from the recycle bin. If the + <em class="parameter"><code>recycle:keeptree</code></em> has been specified, deleted + files will be found in a path identical with that from which the + file was deleted. + </p><p>Supported options for the <code class="literal">recycle</code> module are as follow: + </p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p> +<a class="indexterm" name="id417466"></a> + Path of the directory where deleted files should be moved. + </p></dd><dt><span class="term">recycle:directory_mode</span></dt><dd><p> +<a class="indexterm" name="id417485"></a> + Set it to the octal mode you want for the recycle directory. With + this mode the recycle directory will be created if it not + exists and the first file is deleted. + If <em class="parameter"><code>recycle:subdir_mode</code></em> is not set, these + mode also apply to sub directories. + If <em class="parameter"><code>directory_mode</code></em> not exists, the default + mode 0700 is used. + </p></dd><dt><span class="term">recycle:subdir_mode</span></dt><dd><p> +<a class="indexterm" name="id417517"></a> + Set it to the octal mode you want for the sub directories of + the recycle directory. With this mode the sub directories will + be created. + If <em class="parameter"><code>recycle:subdir_mode</code></em> is not set, the + sub directories will be created with the mode from + <em class="parameter"><code>directory_mode</code></em>. + </p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p> +<a class="indexterm" name="id417549"></a> + Specifies whether the directory structure should be kept or if the files in the directory that is being + deleted should be kept separately in the recycle bin. + </p></dd><dt><span class="term">recycle:versions</span></dt><dd><p> +<a class="indexterm" name="id417568"></a> + If this option is set, two files + with the same name that are deleted will both + be kept in the recycle bin. Newer deleted versions + of a file will be called “<span class="quote">Copy #x of <em class="replaceable"><code>filename</code></em></span>”. + </p></dd><dt><span class="term">recycle:touch</span></dt><dd><p> +<a class="indexterm" name="id417594"></a> + Specifies whether a file's access date should be touched when the file is moved to the recycle bin. + </p></dd><dt><span class="term">recycle:touch_mtime</span></dt><dd><p> +<a class="indexterm" name="id417612"></a> + Specifies whether a file's last modify date date should be touched when the file is moved to the recycle bin. + </p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p> +<a class="indexterm" name="id417631"></a> + Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin. + </p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p> +<a class="indexterm" name="id417650"></a> + List of files that should not be put into the recycle bin when deleted, but deleted in the regular way. + </p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p> +<a class="indexterm" name="id417669"></a> + Contains a list of directories. When files from these directories are + deleted, they are not put into the + recycle bin but are deleted in the + regular way. + </p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p> +<a class="indexterm" name="id417688"></a> + Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning + should be used. Only useful when <span class="emphasis"><em>recycle:versions</em></span> is enabled. + </p></dd></dl></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id417705"></a>netatalk</h3></div></div></div><p> +<a class="indexterm" name="id417713"></a> + A netatalk module will ease co-existence of Samba and netatalk file sharing services. + </p><p>Advantages compared to the old netatalk module: + </p><div class="itemizedlist"><a class="indexterm" name="id417727"></a><ul type="disc"><li><p>Does not care about creating .AppleDouble forks, just keeps them in sync.</p></li><li><p>If a share in <code class="filename">smb.conf</code> does not contain .AppleDouble item in hide or veto list, it will be added automatically.</p></li></ul></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id417753"></a>shadow_copy</h3></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +<a class="indexterm" name="id417762"></a> + <span class="emphasis"><em>THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL SOLUTION!</em></span> + </p><p> +<a class="indexterm" name="id417776"></a> + With Samba or Windows servers, shadow_copy is designed to be an end-user tool only. It does not replace or + enhance your backup and archival solutions and should in no way be considered as such. Additionally, if you + need version control, implement a version control system. You have been warned. + </p></div><p> + The shadow_copy module allows you to setup functionality that is similar to MS shadow copy services. When + setup properly, this module allows Microsoft shadow copy clients to browse "shadow copies" on Samba shares. + You will need to install the shadow copy client. You can get the MS shadow copy client <a href="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx" target="_top">here.</a>. Note the + additional requirements for pre-Windows XP clients. I did not test this functionality with any pre-Windows XP + clients. You should be able to get more information about MS Shadow Copy <a href="http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx" target="_top">from the Microsoft's site</a>. + </p><p> +<a class="indexterm" name="id417812"></a> +<a class="indexterm" name="id417819"></a> +<a class="indexterm" name="id417826"></a> +<a class="indexterm" name="id417833"></a> +<a class="indexterm" name="id417839"></a> +<a class="indexterm" name="id417846"></a> + The shadow_copy VFS module requires some underlying file system setup with some sort of Logical Volume Manager + (LVM) such as LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of this document; however, we will + outline the steps we took to test this functionality for <span class="emphasis"><em>example purposes only.</em></span> You need + to make sure the LVM implementation you choose to deploy is ready for production. Make sure you do plenty of + tests. + </p><p> + Here are some common resources for LVM and EVMS: + </p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://www.sistina.com/products_lvm_download.htm" target="_top">Sistina's + LVM1 and LVM2</a></p></li><li><p><a href="http://evms.sourceforge.net/" target="_top">Enterprise Volume Management System (EVMS)</a></p></li><li><p><a href="http://tldp.org/HOWTO/LVM-HOWTO/" target="_top">The LVM HOWTO</a></p></li><li><p> + See <a href="http://www-106.ibm.com/developerworks/linux/library/l-lvm/" target="_top">Learning + Linux LVM, Part 1</a> and <a href="http://www-106.ibm.com/developerworks/library/l-lvm2.html" target="_top">Learning + Linux LWM, Part 2</a> for Daniel Robbins' well-written, two part tutorial on Linux and LVM using LVM + source code and reiserfs.</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id417924"></a>Shadow Copy Setup</h4></div></div></div><p> +<a class="indexterm" name="id417931"></a> +<a class="indexterm" name="id417938"></a> + At the time of this writing, not much testing has been done. I tested the shadow copy VFS module with a + specific scenario which was not deployed in a production environment, but more as a proof of concept. The + scenario involved a Samba-3 file server on Debian Sarge with an XFS file system and LVM1. I do NOT recommend + you use this as a solution without doing your own due diligence with regard to all the components presented + here. That said, following is an basic outline of how I got things going. + </p><div class="orderedlist"><ol type="1"><li><p><b>Installed Operating System . </b> + In my tests, I used <a href="http://www.debian.org/devel/debian-installer/" target="_top">Debian + Sarge</a> (i.e., testing) on an XFS file system. Setting up the OS is a bit beyond the scope of this + document. It is assumed that you have a working OS capable of running Samba. + </p></li><li><p><b>Install & Configure Samba. </b> + See the <a href="introduction.html" title="Part I. General Installation">installation section</a> of this HOWTO for more detail on this. + It doesn't matter if it is a Domain Controller or Member File Server, but it is assumed that you have a + working Samba 3.0.3 or later server running. + </p></li><li><p><b>Install & Configure LVM. </b> +<a class="indexterm" name="id418006"></a> +<a class="indexterm" name="id418013"></a> + Before you can make shadow copies available to the client, you have to create the shadow copies. This is + done by taking some sort of file system snapshot. Snapshots are a typical feature of Logical Volume + Managers such as LVM, so we first need to have that setup. + </p><div class="itemizedlist"><p> + The following is provided as an example and will be most helpful for Debian users. Again, this was tested + using the "testing" or "Sarge" distribution. + </p><ul type="disc"><li><p> +<a class="indexterm" name="id418034"></a> +<a class="indexterm" name="id418041"></a> +<a class="indexterm" name="id418048"></a> +<a class="indexterm" name="id418055"></a> +<a class="indexterm" name="id418062"></a> + Install lvm10 and devfsd packages if you have not done so already. On Debian systems, you are warned of the + interaction of devfs and lvm1 which requires the use of devfs filenames. Running <code class="literal">apt-get update + && apt-get install lvm10 devfsd xfsprogs</code> should do the trick for this example. + </p></li><li><p> +<a class="indexterm" name="id418082"></a> +<a class="indexterm" name="id418089"></a> +<a class="indexterm" name="id418096"></a> +<a class="indexterm" name="id418102"></a> +<a class="indexterm" name="id418109"></a> + Now you need to create a volume. You will need to create a partition (or partitions) to add to your volume. + Use your favorite partitioning tool (e.g., Linux fdisk, cfdisk, etc.). The partition type should be set to + 0x8e for "Linux LVM." In this example, we will use /dev/hdb1. + </p><p> +<a class="indexterm" name="id418122"></a> +<a class="indexterm" name="id418128"></a> +<a class="indexterm" name="id418135"></a> + Once you have the Linux LVM partition (type 0x8e), you can run a series of commands to create the LVM volume. + You can use several disks and/or partitions, but we will use only one in this example. You may also need to + load the kernel module with something like <code class="literal">modprobe lvm-mod</code> and set your system up to load + it on reboot by adding it to (<code class="filename">/etc/modules</code>). + </p></li><li><p> +<a class="indexterm" name="id418161"></a> + Create the physical volume with <code class="literal">pvcreate /dev/hdb1</code> + </p></li><li><p> +<a class="indexterm" name="id418178"></a> +<a class="indexterm" name="id418185"></a> + Create the volume group and add /dev/hda1 to it with <code class="literal">vgcreate shadowvol /dev/hdb1</code> + </p><p> +<a class="indexterm" name="id418202"></a> + You can use <code class="literal">vgdisplay</code> to review information about the volume group. + </p></li><li><p> +<a class="indexterm" name="id418219"></a> + Now you can create the logical volume with something like <code class="literal">lvcreate -L400M -nsh_test shadowvol</code> + </p><p> +<a class="indexterm" name="id418236"></a> + This creates the logical volume of 400 MBs named "sh_test" in the volume group we created called shadowvol. + If everything is working so far, you should see them in <code class="filename">/dev/shadowvol</code>. + </p></li><li><p> +<a class="indexterm" name="id418254"></a> + Now we should be ready to format the logical volume we named sh_test with <code class="literal">mkfs.xfs + /dev/shadowvol/sh_test</code> + </p><p> +<a class="indexterm" name="id418271"></a> +<a class="indexterm" name="id418278"></a> +<a class="indexterm" name="id418284"></a> +<a class="indexterm" name="id418291"></a> +<a class="indexterm" name="id418298"></a> + You can format the logical volume with any file system you choose, but make sure to use one that allows you to + take advantage of the additional features of LVM such as freezing, resizing, and growing your file systems. + </p><p> +<a class="indexterm" name="id418310"></a> +<a class="indexterm" name="id418317"></a> +<a class="indexterm" name="id418324"></a> + Now we have an LVM volume where we can play with the shadow_copy VFS module. + </p></li><li><p> +<a class="indexterm" name="id418336"></a> +<a class="indexterm" name="id418342"></a> +<a class="indexterm" name="id418349"></a> + Now we need to prepare the directory with something like +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data/shadow_share +</pre><p> + or whatever you want to name your shadow copy-enabled Samba share. Make sure you set the permissions so that + you can use it. If in doubt, use <code class="literal">chmod 777 /data/shadow_share</code> and tighten the permissions + once you get things working. + </p></li><li><p> +<a class="indexterm" name="id418380"></a> + Mount the LVM volume using something like <code class="literal">mount /dev/shadowvol/sh_test /data/shadow_share</code> + </p><p> +<a class="indexterm" name="id418397"></a> + You may also want to edit your <code class="filename">/etc/fstab</code> so that this partition mounts during the system boot. + </p></li></ul></div></li><li><p><b>Install & Configure the shadow_copy VFS Module. </b> + Finally we get to the actual shadow_copy VFS module. The shadow_copy VFS module should be available in Samba + 3.0.3 and higher. The smb.conf configuration is pretty standard. Here is our example of a share configured + with the shadow_copy VFS module: + </p><div class="example"><a name="vfsshadow"></a><p class="title"><b>Example 23.3. Share With shadow_copy VFS</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[shadow_share]</code></em></td></tr><tr><td><a class="indexterm" name="id418450"></a><em class="parameter"><code>comment = Shadow Copy Enabled Share</code></em></td></tr><tr><td><a class="indexterm" name="id418463"></a><em class="parameter"><code>path = /data/shadow_share</code></em></td></tr><tr><td><a class="indexterm" name="id418475"></a><em class="parameter"><code>vfs objects = shadow_copy</code></em></td></tr><tr><td><a class="indexterm" name="id418488"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id418501"></a><em class="parameter"><code>browseable = yes</code></em></td></tr></table></div></div><br class="example-break"></li><li><p><b>Create Snapshots and Make Them Available to shadow_copy.so. </b> +<a class="indexterm" name="id418524"></a> +<a class="indexterm" name="id418531"></a> +<a class="indexterm" name="id418538"></a> + Before you can browse the shadow copies, you must create them and mount them. This will most likely be done + with a script that runs as a cron job. With this particular solution, the shadow_copy VFS module is used to + browse LVM snapshots. Those snapshots are not created by the module. They are not made available by the + module either. This module allows the shadow copy-enabled client to browse the snapshots you take and make + available. + </p><p> + Here is a simple script used to create and mount the snapshots: +</p><pre class="screen"> +#!/bin/bash +# This is a test, this is only a test +SNAPNAME=`date +%Y.%m.%d-%H.%M.%S` +xfs_freeze -f /data/shadow_share/ +lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test +xfs_freeze -u /data/shadow_share/ +mkdir /data/shadow_share/@GMT-$SNAPNAME +mount /dev/shadowvol/$SNAPNAME \ + /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro +</pre><p> + Note that the script does not handle other things like remounting snapshots on reboot. + </p></li><li><p><b>Test From Client. </b> + To test, you will need to install the shadow copy client which you can obtain from the <a href="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx" target="_top">Microsoft web site.</a> I + only tested this with an XP client so your results may vary with other pre-XP clients. Once installed, with + your XP client you can right-click on specific files or in the empty space of the shadow_share and view the + "properties." If anything has changed, then you will see it on the "Previous Versions" tab of the properties + window. + </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id418589"></a>VFS Modules Available Elsewhere</h2></div></div></div><p> +<a class="indexterm" name="id418596"></a> +This section contains a listing of various other VFS modules that have been posted but do not currently reside +in the Samba CVS tree for one reason or another (e.g., it is easy for the maintainer to have his or her own +CVS tree). +</p><p> +No statements about the stability or functionality of any module should be implied due to its presence here. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id418611"></a>DatabaseFS</h3></div></div></div><p> +<a class="indexterm" name="id418618"></a> +URL: <a href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top"> +Taylors University DatabaeFS</a> +</p><p>By <a href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer.</a></p><p> +I have created a VFS module that implements a fairly complete read-only filesystem. It presents information +from a database as a filesystem in a modular and generic way to allow different databases to be used. +(Originally designed for organizing MP3s under directories such as “<span class="quote">Artists,</span>” “<span class="quote">Song +Keywords,</span>” and so on. I have since easily applied it to a student roster database.) The directory +structure is stored in the database itself and the module makes no assumptions about the database structure +beyond the table it requires to run. +</p><p> +Any feedback would be appreciated: comments, suggestions, patches, and so on. If nothing else, it +might prove useful for someone else who wishes to create a virtual filesystem. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id418663"></a>vscan</h3></div></div></div><a class="indexterm" name="id418669"></a><p>URL: <a href="http://www.openantivirus.org/projects.php#samba-vscan" target="_top"> +Open Anti-Virus vscan</a> +</p><p> +<a class="indexterm" name="id418689"></a> +samba-vscan is a proof-of-concept module for Samba, which provides on-access anti-virus support for files +shared using Samba. samba-vscan supports various virus scanners and is maintained by Rainer Link. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id418700"></a>vscan-clamav</h3></div></div></div><p> +Samba users have been using the RPMS from SerNet without a problem. +OpenSUSE Linux users have also used the vscan scanner for quite some time +with excellent results. It does impact overall write performance though. +</p><p> +The following share stanza is a good guide for those wanting to configure vscan-clamav: +</p><pre class="screen"> +[share] +vfs objects = vscan-clamav +vscan-clamav: config-file = /etc/samba/vscan-clamav.conf +</pre><p> +The following example of the <code class="filename">vscan-clamav.conf</code> file may help to get this +fully operational: +</p><pre class="screen"> +<font color="red"><title>VFS: Vscan ClamAV Control File</title></font> +# +# /etc/samba/vscan-clamav.conf +# + +[samba-vscan] +; run-time configuration for vscan-samba using +; clamd +; all options are set to default values + +; do not scan files larger than X bytes. If set to 0 (default), +; this feature is disable (i.e. all files are scanned) +max file size = 10485760 + +; log all file access (yes/no). If set to yes, every access will +; be logged. If set to no (default), only access to infected files +; will be logged +verbose file logging = no + +; if set to yes (default), a file will be scanned while opening +scan on open = yes +; if set to yes, a file will be scanned while closing (default is yes) +scan on close = yes + +; if communication to clamd fails, should access to file denied? +; (default: yes) +deny access on error = no + +; if daemon failes with a minor error (corruption, etc.), +; should access to file denied? +; (default: yes) +deny access on minor error = no + +; send a warning message via Windows Messenger service +; when virus is found? +; (default: yes) +send warning message = yes + +; what to do with an infected file +; quarantine: try to move to quantine directory +; delete: delete infected file +; nothing: do nothing (default) +infected file action = quarantine + +; where to put infected files - you really want to change this! +quarantine directory = /opt/clamav/quarantine +; prefix for files in quarantine +quarantine prefix = vir- + +; as Windows tries to open a file multiple time in a (very) short time +; of period, samba-vscan use a last recently used file mechanism to avoid +; multiple scans of a file. This setting specified the maximum number of +; elements of the last recently used file list. (default: 100) +max lru files entries = 100 + +; an entry is invalidad after lru file entry lifetime (in seconds). +; (Default: 5) +lru file entry lifetime = 5 + +; exclude files from being scanned based on the MIME-type! Semi-colon +; seperated list (default: empty list). Use this with care! +exclude file types = + +; socket name of clamd (default: /var/run/clamd). Setting will be ignored if +; libclamav is used +clamd socket name = /tmp/clamd + +; limits, if vscan-clamav was build for using the clamav library (libclamav) +; instead of clamd + +; maximum number of files in archive (default: 1000) +libclamav max files in archive = 1000 + +; maximum archived file size, in bytes (default: 10 MB) +libclamav max archived file size = 5242880 + +; maximum recursion level (default: 5) +libclamav max recursion level = 5 +</pre><p> +Obviously, a running clam daemon is necessary for this to work. This is a working example for me using ClamAV. +The ClamAV documentation should provide additional configuration examples. On your system these may be located +under the <code class="filename">/usr/share/doc/</code> directory. Some examples may also target other virus scanners, +any of which can be used. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. CUPS Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Winbind: Use of Domain Accounts</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/apa.html b/docs/htmldocs/Samba3-HOWTO/apa.html new file mode 100644 index 0000000000..88f5aecee3 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/apa.html @@ -0,0 +1,719 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Appendix A. GNU General Public License version 3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="DNSDHCP.html" title="Chapter 47. DNS and DHCP Configuration Guide"><link rel="next" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr></table><hr></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id455338"></a>Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="bridgehead"><a href="apa.html#id455364">A. + Preamble + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455473">A. + TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455477">A. + 0. Definitions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455541">A. + 1. Source Code. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455603">A. + 2. Basic Permissions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455630">A. + 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455654">A. + 4. Conveying Verbatim Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455674">A. + 5. Conveying Modified Source Versions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455746">A. + 6. Conveying Non-Source Forms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455878">A. + 7. Additional Terms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455983">A. + 8. Termination. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456015">A. + 9. Acceptance Not Required for Having Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456029">A. + 10. Automatic Licensing of Downstream Recipients. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456062">A. + 11. Patents. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456151">A. + 12. No Surrender of Others’ Freedom. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456167">A. + 13. Use with the ???TITLE??? Affero General Public License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456190">A. + 14. Revised Versions of this License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456238">A. + 15. Disclaimer of Warranty. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456255">A. + 16. Limitation of Liability. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456270">A. + 17. Interpretation of Sections 15 and 16. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456282">A. + END OF TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456286">A. + How to Apply These Terms to Your New Programs + </a></span></dt></dl></div><p> + Version 3, 29 June 2007 + </p><p> + Copyright © 2007 Free Software Foundation, Inc. + <a href="http://fsf.org/" target="_top">http://fsf.org/</a> + </p><p> + Everyone is permitted to copy and distribute verbatim copies of this license + document, but changing it is not allowed. + </p><h2><a name="id455364"></a> + Preamble + </h2><p> + The <acronym class="acronym">GNU</acronym> General Public License is a free, copyleft + license for software and other kinds of works. + </p><p> + The licenses for most software and other practical works are designed to + take away your freedom to share and change the works. By contrast, the + <acronym class="acronym">GNU</acronym> General Public License is intended to guarantee your + freedom to share and change all versions of a program—to make sure it + remains free software for all its users. We, the Free Software Foundation, + use the <acronym class="acronym">GNU</acronym> General Public License for most of our + software; it applies also to any other work released this way by its + authors. You can apply it to your programs, too. + </p><p> + When we speak of free software, we are referring to freedom, not price. Our + General Public Licenses are designed to make sure that you have the freedom + to distribute copies of free software (and charge for them if you wish), + that you receive source code or can get it if you want it, that you can + change the software or use pieces of it in new free programs, and that you + know you can do these things. + </p><p> + To protect your rights, we need to prevent others from denying you these + rights or asking you to surrender the rights. Therefore, you have certain + responsibilities if you distribute copies of the software, or if you modify + it: responsibilities to respect the freedom of others. + </p><p> + For example, if you distribute copies of such a program, whether gratis or + for a fee, you must pass on to the recipients the same freedoms that you + received. You must make sure that they, too, receive or can get the source + code. And you must show them these terms so they know their rights. + </p><p> + Developers that use the <acronym class="acronym">GNU</acronym> <acronym class="acronym">GPL</acronym> + protect your rights with two steps: (1) assert copyright on the software, + and (2) offer you this License giving you legal permission to copy, + distribute and/or modify it. + </p><p> + For the developers’ and authors’ protection, the + <acronym class="acronym">GPL</acronym> clearly explains that there is no warranty for this + free software. For both users’ and authors’ sake, the + <acronym class="acronym">GPL</acronym> requires that modified versions be marked as changed, + so that their problems will not be attributed erroneously to authors of + previous versions. + </p><p> + Some devices are designed to deny users access to install or run modified + versions of the software inside them, although the manufacturer can do so. + This is fundamentally incompatible with the aim of protecting users’ + freedom to change the software. The systematic pattern of such abuse occurs + in the area of products for individuals to use, which is precisely where it + is most unacceptable. Therefore, we have designed this version of the + <acronym class="acronym">GPL</acronym> to prohibit the practice for those products. If such + problems arise substantially in other domains, we stand ready to extend this + provision to those domains in future versions of the <acronym class="acronym">GPL</acronym>, + as needed to protect the freedom of users. + </p><p> + Finally, every program is threatened constantly by software patents. States + should not allow patents to restrict development and use of software on + general-purpose computers, but in those that do, we wish to avoid the + special danger that patents applied to a free program could make it + effectively proprietary. To prevent this, the <acronym class="acronym">GPL</acronym> + assures that patents cannot be used to render the program non-free. + </p><p> + The precise terms and conditions for copying, distribution and modification + follow. + </p><h2><a name="id455473"></a> + TERMS AND CONDITIONS + </h2><h2><a name="id455477"></a> + 0. Definitions. + </h2><p> + “This License” refers to version 3 of the <acronym class="acronym">GNU</acronym> + General Public License. + </p><p> + “Copyright” also means copyright-like laws that apply to other + kinds of works, such as semiconductor masks. + </p><p> + “The Program” refers to any copyrightable work licensed under + this License. Each licensee is addressed as “you”. + “Licensees” and “recipients” may be individuals or + organizations. + </p><p> + To “modify” a work means to copy from or adapt all or part of + the work in a fashion requiring copyright permission, other than the making + of an exact copy. The resulting work is called a “modified + version” of the earlier work or a work “based on” the + earlier work. + </p><p> + A “covered work” means either the unmodified Program or a work + based on the Program. + </p><p> + To “propagate” a work means to do anything with it that, without + permission, would make you directly or secondarily liable for infringement + under applicable copyright law, except executing it on a computer or + modifying a private copy. Propagation includes copying, distribution (with + or without modification), making available to the public, and in some + countries other activities as well. + </p><p> + To “convey” a work means any kind of propagation that enables + other parties to make or receive copies. Mere interaction with a user + through a computer network, with no transfer of a copy, is not conveying. + </p><p> + An interactive user interface displays “Appropriate Legal + Notices” to the extent that it includes a convenient and prominently + visible feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to the extent + that warranties are provided), that licensees may convey the work under this + License, and how to view a copy of this License. If the interface presents + a list of user commands or options, such as a menu, a prominent item in the + list meets this criterion. + </p><h2><a name="id455541"></a> + 1. Source Code. + </h2><p> + The “source code” for a work means the preferred form of the + work for making modifications to it. “Object code” means any + non-source form of a work. + </p><p> + A “Standard Interface” means an interface that either is an + official standard defined by a recognized standards body, or, in the case of + interfaces specified for a particular programming language, one that is + widely used among developers working in that language. + </p><p> + The “System Libraries” of an executable work include anything, + other than the work as a whole, that (a) is included in the normal form of + packaging a Major Component, but which is not part of that Major Component, + and (b) serves only to enable use of the work with that Major Component, or + to implement a Standard Interface for which an implementation is available + to the public in source code form. A “Major Component”, in this + context, means a major essential component (kernel, window system, and so + on) of the specific operating system (if any) on which the executable work + runs, or a compiler used to produce the work, or an object code interpreter + used to run it. + </p><p> + The “Corresponding Source” for a work in object code form means + all the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts to + control those activities. However, it does not include the work’s + System Libraries, or general-purpose tools or generally available free + programs which are used unmodified in performing those activities but which + are not part of the work. For example, Corresponding Source includes + interface definition files associated with source files for the work, and + the source code for shared libraries and dynamically linked subprograms that + the work is specifically designed to require, such as by intimate data + communication or control flow between those subprograms and other parts of + the work. + </p><p> + The Corresponding Source need not include anything that users can regenerate + automatically from other parts of the Corresponding Source. + </p><p> + The Corresponding Source for a work in source code form is that same work. + </p><h2><a name="id455603"></a> + 2. Basic Permissions. + </h2><p> + All rights granted under this License are granted for the term of copyright + on the Program, and are irrevocable provided the stated conditions are met. + This License explicitly affirms your unlimited permission to run the + unmodified Program. The output from running a covered work is covered by + this License only if the output, given its content, constitutes a covered + work. This License acknowledges your rights of fair use or other + equivalent, as provided by copyright law. + </p><p> + You may make, run and propagate covered works that you do not convey, + without conditions so long as your license otherwise remains in force. You + may convey covered works to others for the sole purpose of having them make + modifications exclusively for you, or provide you with facilities for + running those works, provided that you comply with the terms of this License + in conveying all material for which you do not control copyright. Those + thus making or running the covered works for you must do so exclusively on + your behalf, under your direction and control, on terms that prohibit them + from making any copies of your copyrighted material outside their + relationship with you. + </p><p> + Conveying under any other circumstances is permitted solely under the + conditions stated below. Sublicensing is not allowed; section 10 makes it + unnecessary. + </p><h2><a name="id455630"></a> + 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. + </h2><p> + No covered work shall be deemed part of an effective technological measure + under any applicable law fulfilling obligations under article 11 of the WIPO + copyright treaty adopted on 20 December 1996, or similar laws prohibiting or + restricting circumvention of such measures. + </p><p> + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such circumvention is + effected by exercising rights under this License with respect to the covered + work, and you disclaim any intention to limit operation or modification of + the work as a means of enforcing, against the work’s users, your or + third parties’ legal rights to forbid circumvention of technological + measures. + </p><h2><a name="id455654"></a> + 4. Conveying Verbatim Copies. + </h2><p> + You may convey verbatim copies of the Program’s source code as you + receive it, in any medium, provided that you conspicuously and appropriately + publish on each copy an appropriate copyright notice; keep intact all + notices stating that this License and any non-permissive terms added in + accord with section 7 apply to the code; keep intact all notices of the + absence of any warranty; and give all recipients a copy of this License + along with the Program. + </p><p> + You may charge any price or no price for each copy that you convey, and you + may offer support or warranty protection for a fee. + </p><h2><a name="id455674"></a> + 5. Conveying Modified Source Versions. + </h2><p> + You may convey a work based on the Program, or the modifications to produce + it from the Program, in the form of source code under the terms of section + 4, provided that you also meet all of these conditions: + </p><div class="orderedlist"><ol type="a"><li><p> + The work must carry prominent notices stating that you modified it, and + giving a relevant date. + </p></li><li><p> + The work must carry prominent notices stating that it is released under + this License and any conditions added under section 7. This requirement + modifies the requirement in section 4 to “keep intact all + notices”. + </p></li><li><p> + You must license the entire work, as a whole, under this License to + anyone who comes into possession of a copy. This License will therefore + apply, along with any applicable section 7 additional terms, to the + whole of the work, and all its parts, regardless of how they are + packaged. This License gives no permission to license the work in any + other way, but it does not invalidate such permission if you have + separately received it. + </p></li><li><p> + If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your work need + not make them do so. + </p></li></ol></div><p> + A compilation of a covered work with other separate and independent works, + which are not by their nature extensions of the covered work, and which are + not combined with it such as to form a larger program, in or on a volume of + a storage or distribution medium, is called an “aggregate” if + the compilation and its resulting copyright are not used to limit the access + or legal rights of the compilation’s users beyond what the individual works + permit. Inclusion of a covered work in an aggregate does not cause + this License to apply to the other parts of the aggregate. + </p><h2><a name="id455746"></a> + 6. Conveying Non-Source Forms. + </h2><p> + You may convey a covered work in object code form under the terms of + sections 4 and 5, provided that you also convey the machine-readable + Corresponding Source under the terms of this License, in one of these ways: + </p><div class="orderedlist"><ol type="a"><li><p> + Convey the object code in, or embodied in, a physical product (including + a physical distribution medium), accompanied by the Corresponding Source + fixed on a durable physical medium customarily used for software + interchange. + </p></li><li><p> + Convey the object code in, or embodied in, a physical product (including + a physical distribution medium), accompanied by a written offer, valid + for at least three years and valid for as long as you offer spare parts + or customer support for that product model, to give anyone who possesses + the object code either (1) a copy of the Corresponding Source for all + the software in the product that is covered by this License, on a + durable physical medium customarily used for software interchange, for a + price no more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the Corresponding Source from + a network server at no charge. + </p></li><li><p> + Convey individual copies of the object code with a copy of the written + offer to provide the Corresponding Source. This alternative is allowed + only occasionally and noncommercially, and only if you received the + object code with such an offer, in accord with subsection 6b. + </p></li><li><p> + Convey the object code by offering access from a designated place + (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to copy + the object code is a network server, the Corresponding Source may be on + a different server (operated by you or a third party) that supports + equivalent copying facilities, provided you maintain clear directions + next to the object code saying where to find the Corresponding Source. + Regardless of what server hosts the Corresponding Source, you remain + obligated to ensure that it is available for as long as needed to + satisfy these requirements. + </p></li><li><p> + Convey the object code using peer-to-peer transmission, provided you + inform other peers where the object code and Corresponding Source of the + work are being offered to the general public at no charge under + subsection 6d. + </p></li></ol></div><p> + A separable portion of the object code, whose source code is excluded from + the Corresponding Source as a System Library, need not be included in + conveying the object code work. + </p><p> + A “User Product” is either (1) a “consumer product”, + which means any tangible personal property which is normally used for + personal, family, or household purposes, or (2) anything designed or sold + for incorporation into a dwelling. In determining whether a product is a + consumer product, doubtful cases shall be resolved in favor of coverage. + For a particular product received by a particular user, “normally + used” refers to a typical or common use of that class of product, + regardless of the status of the particular user or of the way in which the + particular user actually uses, or expects or is expected to use, the + product. A product is a consumer product regardless of whether the product + has substantial commercial, industrial or non-consumer uses, unless such + uses represent the only significant mode of use of the product. + </p><p> + “Installation Information” for a User Product means any methods, + procedures, authorization keys, or other information required to install and + execute modified versions of a covered work in that User Product from a + modified version of its Corresponding Source. The information must suffice + to ensure that the continued functioning of the modified object code is in + no case prevented or interfered with solely because modification has been + made. + </p><p> + If you convey an object code work under this section in, or with, or + specifically for use in, a User Product, and the conveying occurs as part of + a transaction in which the right of possession and use of the User Product + is transferred to the recipient in perpetuity or for a fixed term + (regardless of how the transaction is characterized), the Corresponding + Source conveyed under this section must be accompanied by the Installation + Information. But this requirement does not apply if neither you nor any + third party retains the ability to install modified object code on the User + Product (for example, the work has been installed in + <acronym class="acronym">ROM</acronym>). + </p><p> + The requirement to provide Installation Information does not include a + requirement to continue to provide support service, warranty, or updates for + a work that has been modified or installed by the recipient, or for the User + Product in which it has been modified or installed. Access to a network may + be denied when the modification itself materially and adversely affects the + operation of the network or violates the rules and protocols for + communication across the network. + </p><p> + Corresponding Source conveyed, and Installation Information provided, in + accord with this section must be in a format that is publicly documented + (and with an implementation available to the public in source code form), + and must require no special password or key for unpacking, reading or + copying. + </p><h2><a name="id455878"></a> + 7. Additional Terms. + </h2><p> + “Additional permissions” are terms that supplement the terms of + this License by making exceptions from one or more of its conditions. + Additional permissions that are applicable to the entire Program shall be + treated as though they were included in this License, to the extent that + they are valid under applicable law. If additional permissions apply only + to part of the Program, that part may be used separately under those + permissions, but the entire Program remains governed by this License + without regard to the additional permissions. + </p><p> + When you convey a copy of a covered work, you may at your option remove any + additional permissions from that copy, or from any part of it. (Additional + permissions may be written to require their own removal in certain cases + when you modify the work.) You may place additional permissions on + material, added by you to a covered work, for which you have or can give + appropriate copyright permission. + </p><p> + Notwithstanding any other provision of this License, for material you add + to a covered work, you may (if authorized by the copyright holders of that + material) supplement the terms of this License with terms: + </p><div class="orderedlist"><ol type="a"><li><p> + Disclaiming warranty or limiting liability differently from the terms + of sections 15 and 16 of this License; or + </p></li><li><p> + Requiring preservation of specified reasonable legal notices or author + attributions in that material or in the Appropriate Legal Notices + displayed by works containing it; or + </p></li><li><p> + Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + </p></li><li><p> + Limiting the use for publicity purposes of names of licensors or + authors of the material; or + </p></li><li><p> + Declining to grant rights under trademark law for use of some trade + names, trademarks, or service marks; or + </p></li><li><p> + Requiring indemnification of licensors and authors of that material by + anyone who conveys the material (or modified versions of it) with + contractual assumptions of liability to the recipient, for any + liability that these contractual assumptions directly impose on those + licensors and authors. + </p></li></ol></div><p> + All other non-permissive additional terms are considered “further + restrictions” within the meaning of section 10. If the Program as + you received it, or any part of it, contains a notice stating that it is + governed by this License along with a term that is a further restriction, + you may remove that term. If a license document contains a further + restriction but permits relicensing or conveying under this License, you + may add to a covered work material governed by the terms of that license + document, provided that the further restriction does not survive such + relicensing or conveying. + </p><p> + If you add terms to a covered work in accord with this section, you must + place, in the relevant source files, a statement of the additional terms + that apply to those files, or a notice indicating where to find the + applicable terms. + </p><p> + Additional terms, permissive or non-permissive, may be stated in the form + of a separately written license, or stated as exceptions; the above + requirements apply either way. + </p><h2><a name="id455983"></a> + 8. Termination. + </h2><p> + You may not propagate or modify a covered work except as expressly provided + under this License. Any attempt otherwise to propagate or modify it is + void, and will automatically terminate your rights under this License + (including any patent licenses granted under the third paragraph of section + 11). + </p><p> + However, if you cease all violation of this License, then your license from + a particular copyright holder is reinstated (a) provisionally, unless and + until the copyright holder explicitly and finally terminates your license, + and (b) permanently, if the copyright holder fails to notify you of the + violation by some reasonable means prior to 60 days after the cessation. + </p><p> + Moreover, your license from a particular copyright holder is reinstated + permanently if the copyright holder notifies you of the violation by some + reasonable means, this is the first time you have received notice of + violation of this License (for any work) from that copyright holder, and + you cure the violation prior to 30 days after your receipt of the notice. + </p><p> + Termination of your rights under this section does not terminate the + licenses of parties who have received copies or rights from you under this + License. If your rights have been terminated and not permanently + reinstated, you do not qualify to receive new licenses for the same + material under section 10. + </p><h2><a name="id456015"></a> + 9. Acceptance Not Required for Having Copies. + </h2><p> + You are not required to accept this License in order to receive or run a + copy of the Program. Ancillary propagation of a covered work occurring + solely as a consequence of using peer-to-peer transmission to receive a + copy likewise does not require acceptance. However, nothing other than + this License grants you permission to propagate or modify any covered work. + These actions infringe copyright if you do not accept this License. + Therefore, by modifying or propagating a covered work, you indicate your + acceptance of this License to do so. + </p><h2><a name="id456029"></a> + 10. Automatic Licensing of Downstream Recipients. + </h2><p> + Each time you convey a covered work, the recipient automatically receives a + license from the original licensors, to run, modify and propagate that + work, subject to this License. You are not responsible for enforcing + compliance by third parties with this License. + </p><p> + An “entity transaction” is a transaction transferring control + of an organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a covered work + results from an entity transaction, each party to that transaction who + receives a copy of the work also receives whatever licenses to the work the + party’s predecessor in interest had or could give under the previous + paragraph, plus a right to possession of the Corresponding Source of the + work from the predecessor in interest, if the predecessor has it or can get + it with reasonable efforts. + </p><p> + You may not impose any further restrictions on the exercise of the rights + granted or affirmed under this License. For example, you may not impose a + license fee, royalty, or other charge for exercise of rights granted under + this License, and you may not initiate litigation (including a cross-claim + or counterclaim in a lawsuit) alleging that any patent claim is infringed + by making, using, selling, offering for sale, or importing the Program or + any portion of it. + </p><h2><a name="id456062"></a> + 11. Patents. + </h2><p> + A “contributor” is a copyright holder who authorizes use under + this License of the Program or a work on which the Program is based. The + work thus licensed is called the contributor’s “contributor + version”. + </p><p> + A contributor’s “essential patent claims” are all patent + claims owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, permitted by + this License, of making, using, or selling its contributor version, but do + not include claims that would be infringed only as a consequence of further + modification of the contributor version. For purposes of this definition, + “control” includes the right to grant patent sublicenses in a + manner consistent with the requirements of this License. + </p><p> + Each contributor grants you a non-exclusive, worldwide, royalty-free patent + license under the contributor’s essential patent claims, to make, use, + sell, offer for sale, import and otherwise run, modify and propagate the + contents of its contributor version. + </p><p> + In the following three paragraphs, a “patent license” is any + express agreement or commitment, however denominated, not to enforce a + patent (such as an express permission to practice a patent or covenant not + to sue for patent infringement). To “grant” such a patent + license to a party means to make such an agreement or commitment not to + enforce a patent against the party. + </p><p> + If you convey a covered work, knowingly relying on a patent license, and the + Corresponding Source of the work is not available for anyone to copy, free + of charge and under the terms of this License, through a publicly available + network server or other readily accessible means, then you must either (1) + cause the Corresponding Source to be so available, or (2) arrange to deprive + yourself of the benefit of the patent license for this particular work, or + (3) arrange, in a manner consistent with the requirements of this License, + to extend the patent license to downstream recipients. “Knowingly + relying” means you have actual knowledge that, but for the patent + license, your conveying the covered work in a country, or your + recipient’s use of the covered work in a country, would infringe one + or more identifiable patents in that country that you have reason to believe + are valid. + </p><p> + If, pursuant to or in connection with a single transaction or arrangement, + you convey, or propagate by procuring conveyance of, a covered work, and + grant a patent license to some of the parties receiving the covered work + authorizing them to use, propagate, modify or convey a specific copy of the + covered work, then the patent license you grant is automatically extended to + all recipients of the covered work and works based on it. + </p><p> + A patent license is “discriminatory” if it does not include + within the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that are + specifically granted under this License. You may not convey a covered work + if you are a party to an arrangement with a third party that is in the + business of distributing software, under which you make payment to the third + party based on the extent of your activity of conveying the work, and under + which the third party grants, to any of the parties who would receive the + covered work from you, a discriminatory patent license (a) in connection + with copies of the covered work conveyed by you (or copies made from those + copies), or (b) primarily for and in connection with specific products or + compilations that contain the covered work, unless you entered into that + arrangement, or that patent license was granted, prior to 28 March 2007. + </p><p> + Nothing in this License shall be construed as excluding or limiting any + implied license or other defenses to infringement that may otherwise be + available to you under applicable patent law. + </p><h2><a name="id456151"></a> + 12. No Surrender of Others’ Freedom. + </h2><p> + If conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot convey a + covered work so as to satisfy simultaneously your obligations under this + License and any other pertinent obligations, then as a consequence you may + not convey it at all. For example, if you agree to terms that obligate you + to collect a royalty for further conveying from those to whom you convey the + Program, the only way you could satisfy both those terms and this License + would be to refrain entirely from conveying the Program. + </p><h2><a name="id456167"></a> + 13. Use with the <acronym class="acronym">GNU</acronym> Affero General Public License. + </h2><p> + Notwithstanding any other provision of this License, you have permission to + link or combine any covered work with a work licensed under version 3 of the + <acronym class="acronym">GNU</acronym> Affero General Public License into a single combined + work, and to convey the resulting work. The terms of this License will + continue to apply to the part which is the covered work, but the special + requirements of the <acronym class="acronym">GNU</acronym> Affero General Public License, + section 13, concerning interaction through a network will apply to the + combination as such. + </p><h2><a name="id456190"></a> + 14. Revised Versions of this License. + </h2><p> + The Free Software Foundation may publish revised and/or new versions of the + <acronym class="acronym">GNU</acronym> General Public License from time to time. Such new + versions will be similar in spirit to the present version, but may differ in + detail to address new problems or concerns. + </p><p> + Each version is given a distinguishing version number. If the Program + specifies that a certain numbered version of the <acronym class="acronym">GNU</acronym> + General Public License “or any later version” applies to it, you + have the option of following the terms and conditions either of that + numbered version or of any later version published by the Free Software + Foundation. If the Program does not specify a version number of the + <acronym class="acronym">GNU</acronym> General Public License, you may choose any version + ever published by the Free Software Foundation. + </p><p> + If the Program specifies that a proxy can decide which future versions of + the <acronym class="acronym">GNU</acronym> General Public License can be used, that + proxy’s public statement of acceptance of a version permanently + authorizes you to choose that version for the Program. + </p><p> + Later license versions may give you additional or different permissions. + However, no additional obligations are imposed on any author or copyright + holder as a result of your choosing to follow a later version. + </p><h2><a name="id456238"></a> + 15. Disclaimer of Warranty. + </h2><p> + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE + LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR + OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF + ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH + YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL + NECESSARY SERVICING, REPAIR OR CORRECTION. + </p><h2><a name="id456255"></a> + 16. Limitation of Liability. + </h2><p> + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL + ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE + PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY + GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE + OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA + OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), + EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGES. + </p><h2><a name="id456270"></a> + 17. Interpretation of Sections 15 and 16. + </h2><p> + If the disclaimer of warranty and limitation of liability provided above + cannot be given local legal effect according to their terms, reviewing + courts shall apply local law that most closely approximates an absolute + waiver of all civil liability in connection with the Program, unless a + warranty or assumption of liability accompanies a copy of the Program in + return for a fee. + </p><h2><a name="id456282"></a> + END OF TERMS AND CONDITIONS + </h2><h2><a name="id456286"></a> + How to Apply These Terms to Your New Programs + </h2><p> + If you develop a new program, and you want it to be of the greatest possible + use to the public, the best way to achieve this is to make it free software + which everyone can redistribute and change under these terms. + </p><p> + To do so, attach the following notices to the program. It is safest to + attach them to the start of each source file to most effectively state the + exclusion of warranty; and each file should have at least the + “copyright” line and a pointer to where the full notice is + found. + </p><pre class="screen"> +<em class="replaceable"><code>one line to give the program’s name and a brief idea of what it does.</code></em> +Copyright (C) <em class="replaceable"><code>year</code></em> <em class="replaceable"><code>name of author</code></em> + +This program is free software: you can redistribute it and/or modify +it under the terms of the <acronym class="acronym">GNU</acronym> General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +<acronym class="acronym">GNU</acronym> General Public License for more details. + +You should have received a copy of the <acronym class="acronym">GNU</acronym> General Public License +along with this program. If not, see <a href="http://www.gnu.org/licenses/" target="_top">http://www.gnu.org/licenses/</a>. + </pre><p> + Also add information on how to contact you by electronic and paper mail. + </p><p> + If the program does terminal interaction, make it output a short notice like + this when it starts in an interactive mode: + </p><pre class="screen"> +<em class="replaceable"><code>program</code></em> Copyright (C) <em class="replaceable"><code>year</code></em> <em class="replaceable"><code>name of author</code></em> +This program comes with ABSOLUTELY NO WARRANTY; for details type ‘<code class="literal">show w</code>’. +This is free software, and you are welcome to redistribute it +under certain conditions; type ‘<code class="literal">show c</code>’ for details. + </pre><p> + The hypothetical commands ‘<code class="literal">show w</code>’ and + ‘<code class="literal">show c</code>’ should show the appropriate parts of + the General Public License. Of course, your program’s commands might be + different; for a GUI interface, you would use an “about box”. + </p><p> + You should also get your employer (if you work as a programmer) or school, + if any, to sign a “copyright disclaimer” for the program, if + necessary. For more information on this, and how to apply and follow the + <acronym class="acronym">GNU</acronym> <acronym class="acronym">GPL</acronym>, see <a href="http://www.gnu.org/licenses/" target="_top">http://www.gnu.org/licenses/</a>. + </p><p> + The <acronym class="acronym">GNU</acronym> General Public License does not permit + incorporating your program into proprietary programs. If your program is a + subroutine library, you may consider it more useful to permit linking + proprietary applications with the library. If this is what you want to do, + use the <acronym class="acronym">GNU</acronym> Lesser General Public License instead of this + License. But first, please read <a href="http://www.gnu.org/philosophy/why-not-lgpl.html" target="_top">http://www.gnu.org/philosophy/why-not-lgpl.html</a>. + </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 47. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Glossary</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/bugreport.html b/docs/htmldocs/Samba3-HOWTO/bugreport.html new file mode 100644 index 0000000000..ae55cbe3c9 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/bugreport.html @@ -0,0 +1,159 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. Reporting Bugs</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="prev" href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems"><link rel="next" href="Appendix.html" title="Part VI. Reference Section"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. Reporting Bugs</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="Appendix.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="bugreport"></a>Chapter 40. Reporting Bugs</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate"> 27 June 1997 </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="bugreport.html#id449187">Introduction</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449267">General Information</a></span></dt><dt><span class="sect1"><a href="bugreport.html#dbglvl">Debug Levels</a></span></dt><dd><dl><dt><span class="sect2"><a href="bugreport.html#id449471">Debugging-Specific Operations</a></span></dt></dl></dd><dt><span class="sect1"><a href="bugreport.html#id449670">Internal Errors</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449791">Attaching to a Running Process</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449906">Patches</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449187"></a>Introduction</h2></div></div></div><p> +<a class="indexterm" name="id449195"></a> +<a class="indexterm" name="id449202"></a> +Please report bugs using Samba's <a href="https://bugzilla.samba.org/" target="_top">Bugzilla</a> facilities and take +the time to read this file before you submit a bug report. Also, check to see if it has changed between +releases, as we may be changing the bug reporting mechanism at some point. +</p><p> +Please do as much as you can yourself to help track down the +bug. Samba is maintained by a dedicated group of people who volunteer +their time, skills, and efforts. We receive far more mail than +we can possibly answer, so you have a much higher chance of a response +and a fix if you send us a “<span class="quote">developer-friendly</span>” bug report that lets +us fix it fast. +</p><p> +<a class="indexterm" name="id449230"></a> +<a class="indexterm" name="id449236"></a> +<a class="indexterm" name="id449243"></a> +If you post the bug to the comp.protocols.smb +newsgroup or the mailing list, do not assume that we will read it. If you suspect that your +problem is not a bug but a configuration problem, it is better to send +it to the Samba mailing list, as there are thousands of other users on +that list who may be able to help you. +</p><p> +You may also like to look though the recent mailing list archives, +which are conveniently accessible on the Samba Web pages +at <a href="http://samba.org/samba/" target="_top">http://samba.org/samba/</a>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449267"></a>General Information</h2></div></div></div><p> +Before submitting a bug report, check your config for silly +errors. Look in your log files for obvious messages that tell +you've misconfigured something. Run testparm to check your config +file for correct syntax. +</p><p> +Have you looked through <a href="diagnosis.html" title="Chapter 38. The Samba Checklist">The Samba Checklist</a>? This is extremely important. +</p><p> +If you include part of a log file with your bug report, then be sure to +annotate it with exactly what you were doing on the client at the +time and exactly what the results were. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="dbglvl"></a>Debug Levels</h2></div></div></div><p> +If the bug has anything to do with Samba behaving incorrectly as a +server (like refusing to open a file), then the log files will probably +be quite useful. Depending on the problem, a log level of between 3 and +10 showing the problem may be appropriate. A higher level gives more +detail but may use too much disk space. +</p><p> +<a class="indexterm" name="id449312"></a> +<a class="indexterm" name="id449318"></a> +To set the debug level, use the <a class="indexterm" name="id449326"></a>log level in your +<code class="filename">smb.conf</code>. You may also find it useful to set the log +level higher for just one machine and keep separate logs for each machine. +To do this, add the following lines to your main <code class="filename">smb.conf</code> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id449353"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id449365"></a><em class="parameter"><code>log file = /usr/local/samba/lib/log.%m</code></em></td></tr><tr><td><a class="indexterm" name="id449378"></a><em class="parameter"><code>include = /usr/local/samba/lib/smb.conf.%m</code></em></td></tr></table><p> +and create a file <code class="filename">/usr/local/samba/lib/smb.conf.<em class="replaceable"><code>machine</code></em></code> where +<em class="replaceable"><code>machine</code></em> is the name of the client you wish to debug. In that file put any +<code class="filename">smb.conf</code> commands you want; for example, <a class="indexterm" name="id449412"></a>log level may be useful. This also allows +you to experiment with different security systems, protocol levels, and so on, on just one machine. +</p><p> +The <code class="filename">smb.conf</code> entry <a class="indexterm" name="id449429"></a>log level is synonymous with the parameter <a class="indexterm" name="id449437"></a>debuglevel that has been used in older versions of Samba and is being retained for backward +compatibility of <code class="filename">smb.conf</code> files. +</p><p> +As the <a class="indexterm" name="id449454"></a>log level value is increased, you will record a significantly greater level of +debugging information. For most debugging operations, you may not need a setting higher than +<code class="constant">3</code>. Nearly all bugs can be tracked at a setting of <code class="constant">10</code>, but be +prepared for a large volume of log data. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id449471"></a>Debugging-Specific Operations</h3></div></div></div><p> +<a class="indexterm" name="id449479"></a> +<a class="indexterm" name="id449486"></a> +<a class="indexterm" name="id449492"></a> +<a class="indexterm" name="id449499"></a> + Samba-3.x permits debugging (logging) of specific functional components without unnecessarily + cluttering the log files with detailed logs for all operations. An example configuration to + achieve this is shown in: + </p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id449517"></a><em class="parameter"><code>log level = 0 tdb:3 passdb:5 auth:4 vfs:2</code></em></td></tr><tr><td><a class="indexterm" name="id449530"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id449542"></a><em class="parameter"><code>log file = /var/log/samba/%U.%m.log</code></em></td></tr></table><p> +</p><p> + This will cause the level of detail to be expanded to the debug class (log level) passed to + each functional area per the value shown above. The first value passed to the <em class="parameter"><code>log level</code></em> + of <code class="constant">0</code> means turn off all unnecessary debugging except the debug classes set for + the functional areas as specified. The table shown in <a href="bugreport.html#dbgclass" title="Table 40.1. Debuggable Functions">Debuggable Functions</a> + may be used to attain very precise analysis of each SMB operation Samba is conducting. + </p><div class="table"><a name="dbgclass"></a><p class="title"><b>Table 40.1. Debuggable Functions</b></p><div class="table-contents"><table summary="Debuggable Functions" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Function Name</th><th align="center">Function Name</th></tr></thead><tbody><tr><td align="center">all</td><td align="center">passdb</td></tr><tr><td align="center">tdb</td><td align="center">sam</td></tr><tr><td align="center">printdrivers</td><td align="center">auth</td></tr><tr><td align="center">lanman</td><td align="center">winbind</td></tr><tr><td align="center">smb</td><td align="center">vfs</td></tr><tr><td align="center">rpc_parse</td><td align="center">idmap</td></tr><tr><td align="center">rpc_srv</td><td align="center">quota</td></tr><tr><td align="center">rpc_cli</td><td align="center">acls</td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449670"></a>Internal Errors</h2></div></div></div><p> +If you get the message “<span class="quote"><span class="errorname">INTERNAL ERROR</span></span>” in your log files, +it means that Samba got an unexpected signal while running. It is probably a +segmentation fault and almost certainly means a bug in Samba (unless +you have faulty hardware or system software). +</p><p> +If the message came from smbd, it will probably be accompanied by +a message that details the last SMB message received by smbd. This +information is often useful in tracking down the problem, so please +include it in your bug report. +</p><p> +You should also detail how to reproduce the problem, if +possible. Please make this reasonably detailed. +</p><p> +<a class="indexterm" name="id449697"></a> +You may also find that a core file appeared in a <code class="filename">corefiles</code> +subdirectory of the directory where you keep your Samba log +files. This file is the most useful tool for tracking down the bug. To +use it, you do this: +<a class="indexterm" name="id449711"></a> +<a class="indexterm" name="id449718"></a> +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>gdb smbd core</code></strong> +</pre><p> +</p><p> +<a class="indexterm" name="id449744"></a> +<a class="indexterm" name="id449750"></a> +adding appropriate paths to smbd and core so gdb can find them. If you +do not have gdb, try <strong class="userinput"><code>dbx</code></strong>. Then within the debugger, +use the command <code class="literal">where</code> to give a stack trace of where the +problem occurred. Include this in your report. +</p><p> +<a class="indexterm" name="id449774"></a> +If you know any assembly language, do a <code class="literal">disass</code> of the routine +where the problem occurred (if it's in a library routine, then +disassemble the routine that called it) and try to work out exactly +where the problem is by looking at the surrounding code. Even if you +do not know assembly, including this information in the bug report can be +useful. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449791"></a>Attaching to a Running Process</h2></div></div></div><p> +<a class="indexterm" name="id449799"></a> +<a class="indexterm" name="id449806"></a> +<a class="indexterm" name="id449812"></a> +Unfortunately, some UNIXes (in particular some recent Linux kernels) +refuse to dump a core file if the task has changed UID (which smbd +does often). To debug with this sort of system, you could try to attach +to the running process using +<strong class="userinput"><code>gdb smbd <em class="replaceable"><code>PID</code></em></code></strong>, where you get +<em class="replaceable"><code>PID</code></em> from <span class="application">smbstatus</span>. +Then use <code class="literal">c</code> to continue and try to cause the core dump +using the client. The debugger should catch the fault and tell you +where it occurred. +</p><p> +Sometimes it is necessary to build Samba binary files that have debugging +symbols so as to make it possible to capture enough information from a crashed +operation to permit the Samba Team to fix the problem. +</p><p> +Compile with <code class="constant">-g</code> to ensure you have symbols in place. +Add the following line to the <code class="filename">smb.conf</code> file global section: +</p><pre class="screen"> +panic action = "/bin/sleep 90000" +</pre><p> +to catch any panics. If <code class="literal">smbd</code> seems to be frozen, look for any sleep +processes. If it is not, and appears to be spinning, find the PID +of the spinning process and type: +</p><pre class="screen"> +<code class="prompt">root# </code> gdb /usr/local/samba/sbin/smbd +</pre><p> +<a class="indexterm" name="id449889"></a> +then “<span class="quote">attach `pid'</span>” (of the spinning process), then type “<span class="quote">bt</span>” to +get a backtrace to see where the smbd is in the call path. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449906"></a>Patches</h2></div></div></div><p> +<a class="indexterm" name="id449914"></a> +<a class="indexterm" name="id449921"></a> +The best sort of bug report is one that includes a fix! If you send us +patches, please use <strong class="userinput"><code>diff -u</code></strong> format if your version of +diff supports it; otherwise, use <strong class="userinput"><code>diff -c4</code></strong>. Make sure +you do the diff against a clean version of the source and let me know +exactly what version you used. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Appendix.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Analyzing and Solving Samba Problems </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part VI. Reference Section</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html b/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html new file mode 100644 index 0000000000..e7c7b06741 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html @@ -0,0 +1,180 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 34. Advanced Configuration Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="largefile.html" title="Chapter 33. Handling Large Directories"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 34. Advanced Configuration Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="largefile.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="cfgsmarts"></a>Chapter 34. Advanced Configuration Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">June 30, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="cfgsmarts.html#id437826">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id437692"></a> +<a class="indexterm" name="id437699"></a> +Since the release of the first edition of this book there have been repeated requests to better document +configuration techniques that may help a network administrator to get more out of Samba. Some users have asked +for documentation regarding the use of the <a class="indexterm" name="id437708"></a>include = file-name parameter. +</p><p> +<a class="indexterm" name="id437718"></a> +<a class="indexterm" name="id437725"></a> +Commencing around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on +one machine. There has also been an interest in the hosting of multiple Samba server personalities on one +server. +</p><p> +<a class="indexterm" name="id437737"></a> +<a class="indexterm" name="id437744"></a> +Feedback from technical reviewers made the inclusion of this chapter a necessity. So, here is an +answer the questions that have to date not been adequately addressed. Additional user input is welcome as +it will help this chapter to mature. What is presented here is just a small beginning. +</p><p> +<a class="indexterm" name="id437757"></a> +<a class="indexterm" name="id437764"></a> +<a class="indexterm" name="id437770"></a> +There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server +hosting makes it possible to host multiple domain controllers on one machine. Each such machine is +independent, and each can be stopped or started without affecting another. +</p><p> +<a class="indexterm" name="id437783"></a> +<a class="indexterm" name="id437790"></a> +<a class="indexterm" name="id437796"></a> +Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single +UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case, +only domain member machines and domain users can access the DMS, but even guest users can access the generic +print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server +is to host a CDROM server. +</p><p> +<a class="indexterm" name="id437810"></a> +<a class="indexterm" name="id437817"></a> +Some environments dictate the need to have separate servers, each with their own resources, each of which are +accessible only by certain users or groups. This is one of the simple, but highly effective, ways that Samba +can replace many physical Windows servers in one Samba installation. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id437826"></a>Implementation</h2></div></div></div><p> +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id437835"></a>Multiple Server Hosting</h3></div></div></div><p> +<a class="indexterm" name="id437843"></a> +<a class="indexterm" name="id437849"></a> +<a class="indexterm" name="id437856"></a> +<a class="indexterm" name="id437863"></a> +<a class="indexterm" name="id437870"></a> +<a class="indexterm" name="id437877"></a> +<a class="indexterm" name="id437883"></a> +The use of multiple server hosting involves running multiple separate instances of Samba, each with it's own +configuration file. This method is complicated by the fact that each instance of <span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span> +must have write access to entirely separate TDB files. The ability to keep separate the TDB files used by +<span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span> can be enabled either by recompiling Samba for each server hosted so each has its +own default TDB directories, or by configuring these in the <code class="filename">smb.conf</code> file, in which case each instance of +<span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span> must be told to start up with its own <code class="filename">smb.conf</code> configuration file. +</p><p> +<a class="indexterm" name="id437962"></a> +<a class="indexterm" name="id437969"></a> +<a class="indexterm" name="id437976"></a> +<a class="indexterm" name="id437983"></a> +Each instance should operate on its own IP address (that independent IP address can be an IP Alias). +Each instance of <span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span> should listen only on its own IP socket. This can be secured +using the <a class="indexterm" name="id438008"></a>socket address parameter. Each instance of the Samba server will have its +own SID also, this means that the servers are discrete and independent of each other. +</p><p> +<a class="indexterm" name="id438020"></a> +<a class="indexterm" name="id438027"></a> +<a class="indexterm" name="id438034"></a> +<a class="indexterm" name="id438040"></a> +<a class="indexterm" name="id438047"></a> +<a class="indexterm" name="id438054"></a> +<a class="indexterm" name="id438061"></a> +<a class="indexterm" name="id438068"></a> +<a class="indexterm" name="id438074"></a> +The user of multiple server hosting is non-trivial, and requires careful configuration of each aspect of +process management and start up. The <code class="filename">smb.conf</code> parameters that must be carefully configured includes: +<a class="indexterm" name="id438089"></a>private dir, <a class="indexterm" name="id438096"></a>pid directory,<a class="indexterm" name="id438103"></a>lock directory, <a class="indexterm" name="id438110"></a>interfaces, <a class="indexterm" name="id438117"></a>bind interfaces only, <a class="indexterm" name="id438124"></a>netbios name, <a class="indexterm" name="id438131"></a>workgroup, <a class="indexterm" name="id438138"></a>socket address. +</p><p> +<a class="indexterm" name="id438149"></a> +<a class="indexterm" name="id438155"></a> +<a class="indexterm" name="id438162"></a> +Those who elect to create multiple Samba servers should have the ability to read and follow +the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of +this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and +if it is suitable extend this section of this chapter. Until such documentation becomes available the hosting +of multiple samba servers on a single host is considered not supported for Samba-3 by the Samba Team. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id438180"></a>Multiple Virtual Server Personalities</h3></div></div></div><p> +<a class="indexterm" name="id438188"></a> +<a class="indexterm" name="id438195"></a> +<a class="indexterm" name="id438202"></a> +Samba has the ability to host multiple virtual servers, each of which have their own personality. This is +achieved by configuring an <code class="filename">smb.conf</code> file that is common to all personalities hosted. Each server +personality is hosted using its own <a class="indexterm" name="id438216"></a>netbios alias name, and each has its own distinct +<a class="indexterm" name="id438224"></a>[global] section. Each server may have its own stanzas for services and meta-services. +</p><p> +<a class="indexterm" name="id438235"></a> +<a class="indexterm" name="id438241"></a> +<a class="indexterm" name="id438248"></a> +When hosting multiple virtual servers, each with their own personality, each can be in a different workgroup. +Only the primary server can be a domain member or a domain controller. The personality is defined by the +combination of the <a class="indexterm" name="id438257"></a>security mode it is operating in, the <a class="indexterm" name="id438264"></a>netbios aliases it has, and the <a class="indexterm" name="id438272"></a>workgroup that is defined for it. +</p><p> +<a class="indexterm" name="id438282"></a> +<a class="indexterm" name="id438289"></a> +<a class="indexterm" name="id438296"></a> +<a class="indexterm" name="id438302"></a> +<a class="indexterm" name="id438309"></a> +<a class="indexterm" name="id438316"></a> +This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services. +If run using NetBIOS mode (the most common method) it is important that the parameter <a class="indexterm" name="id438324"></a>smb ports = 139 should be specified in the primary <code class="filename">smb.conf</code> file. Failure to do this will result +in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain +the functionality that is specified in the primary <code class="filename">smb.conf</code> file. The use of NetBIOS over TCP/IP using only +TCP port 139 means that the use of the <code class="literal">%L</code> macro is fully enabled. If the <a class="indexterm" name="id438352"></a>smb ports = 139 is not specified (the default is <em class="parameter"><code>445 139</code></em>, or if +the value of this parameter is set at <em class="parameter"><code>139 445</code></em> then the <code class="literal">%L</code> macro +is not serviceable. +</p><p> +<a class="indexterm" name="id438380"></a> +<a class="indexterm" name="id438387"></a> +<a class="indexterm" name="id438394"></a> +<a class="indexterm" name="id438401"></a> +It is possible to host multiple servers, each with their own personality, using port 445 (the NetBIOS-less SMB +port), in which case the <code class="literal">%i</code> macro can be used to provide separate server identities (by +IP Address). Each can have its own <a class="indexterm" name="id438415"></a>security mode. It will be necessary to use the +<a class="indexterm" name="id438423"></a>interfaces, <a class="indexterm" name="id438430"></a>bind interfaces only and IP aliases in addition to +the <a class="indexterm" name="id438437"></a>netbios name parameters to create the virtual servers. This method is considerably +more complex than that using NetBIOS names only using TCP port 139. +</p><p> +<a class="indexterm" name="id438448"></a> +Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only +Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it +is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here +are some parameters: +</p><p> +The Samba server is called <code class="literal">ELASTIC</code>, its workgroup name is <code class="literal">ROBINSNEST</code>. +The CDROM server is called <code class="literal">CDSERVER</code> and its workgroup is <code class="literal">ARTSDEPT</code>. A +possible implementation is shown here: +</p><p> +<a class="indexterm" name="id438490"></a> +<a class="indexterm" name="id438496"></a> +<a class="indexterm" name="id438503"></a> +<a class="indexterm" name="id438510"></a> +The <code class="filename">smb.conf</code> file for the master server is shown in <a href="cfgsmarts.html#elastic" title="Example 34.1. Elastic smb.conf File">Elastic smb.conf File</a>. +This file is placed in the <code class="filename">/etc/samba</code> directory. Only the <span class="application">nmbd</span> and the <span class="application">smbd</span> daemons +are needed. When started the server will appear in Windows Network Neighborhood as the machine +<code class="literal">ELASTIC</code> under the workgroup <code class="literal">ROBINSNEST</code>. It is helpful if the Windows +clients that must access this server are also in the workgroup <code class="literal">ROBINSNEST</code> as this will make +browsing much more reliable. +</p><div class="example"><a name="elastic"></a><p class="title"><b>Example 34.1. Elastic smb.conf File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id438596"></a><em class="parameter"><code>workgroup = ROBINSNEST</code></em></td></tr><tr><td><a class="indexterm" name="id438609"></a><em class="parameter"><code>netbios name = ELASTIC</code></em></td></tr><tr><td><a class="indexterm" name="id438622"></a><em class="parameter"><code>netbios aliases = CDSERVER</code></em></td></tr><tr><td><a class="indexterm" name="id438634"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id438647"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id438659"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id438672"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id438684"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id438697"></a><em class="parameter"><code>include = /etc/samba/smb-%L.conf</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id438719"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id438731"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id438744"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id438756"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id438778"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id438790"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id438803"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id438824"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id438837"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id438849"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id438862"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id438874"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id438887"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id438900"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id438915"></a> +The configuration file for the CDROM server is listed in <a href="cfgsmarts.html#cdserver" title="Example 34.2. CDROM Server smb-cdserver.conf file">CDROM Server +smb-cdserver.conf file</a>. This file is called <code class="filename">smb-cdserver.conf</code> and it should be +located in the <code class="filename">/etc/samba</code> directory. Machines that are in the workgroup +<code class="literal">ARTSDEPT</code> will be able to browse this server freely. +</p><div class="example"><a name="cdserver"></a><p class="title"><b>Example 34.2. CDROM Server smb-cdserver.conf file</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id438978"></a><em class="parameter"><code>workgroup = ARTSDEPT</code></em></td></tr><tr><td><a class="indexterm" name="id438991"></a><em class="parameter"><code>netbios name = CDSERVER</code></em></td></tr><tr><td><a class="indexterm" name="id439003"></a><em class="parameter"><code>map to guest = Bad User</code></em></td></tr><tr><td><a class="indexterm" name="id439016"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[carousel]</code></em></td></tr><tr><td><a class="indexterm" name="id439037"></a><em class="parameter"><code>comment = CDROM Share</code></em></td></tr><tr><td><a class="indexterm" name="id439050"></a><em class="parameter"><code>path = /export/cddata</code></em></td></tr><tr><td><a class="indexterm" name="id439062"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id439075"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id439090"></a> +<a class="indexterm" name="id439097"></a> +<a class="indexterm" name="id439104"></a> +<a class="indexterm" name="id439111"></a> +The two servers have different resources and are in separate workgroups. The server <code class="literal">ELASTIC</code> +can only be accessed by uses who have an appropriate account on the host server. All users will be able to +access the CDROM data that is stored in the <code class="filename">/export/cddata</code> directory. File system +permissions should set so that the <code class="literal">others</code> user has read-only access to the directory and its +contents. The files can be owned by root (any user other than the nobody account). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id439141"></a>Multiple Virtual Server Hosting</h3></div></div></div><p> +<a class="indexterm" name="id439149"></a> +<a class="indexterm" name="id439156"></a> +<a class="indexterm" name="id439163"></a> +In this example, the requirement is for a primary domain controller for the domain called +<code class="literal">MIDEARTH</code>. The PDC will be called <code class="literal">MERLIN</code>. An extra machine called +<code class="literal">SAURON</code> is required. Each machine will have only its own shares. Both machines belong to the +same domain/workgroup. +</p><p> +<a class="indexterm" name="id439193"></a> +<a class="indexterm" name="id439200"></a> +<a class="indexterm" name="id439206"></a> +The master <code class="filename">smb.conf</code> file is shown in <a href="cfgsmarts.html#mastersmbc" title="Example 34.3. Master smb.conf File Global Section">the Master smb.conf File Global Section</a>. +The two files that specify the share information for each server are shown in <a href="cfgsmarts.html#merlinsmbc" title="Example 34.4. MERLIN smb-merlin.conf File Share Section">the +smb-merlin.conf File Share Section</a>, and <a href="cfgsmarts.html#sauronsmbc" title="Example 34.5. SAURON smb-sauron.conf File Share Section">the smb-sauron.conf File Share +Section</a>. All three files are locate in the <code class="filename">/etc/samba</code> directory. +</p><div class="example"><a name="mastersmbc"></a><p class="title"><b>Example 34.3. Master smb.conf File Global Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id439277"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id439290"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id439302"></a><em class="parameter"><code>netbios aliases = SAURON</code></em></td></tr><tr><td><a class="indexterm" name="id439315"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id439327"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id439340"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id439352"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id439365"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id439378"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id439390"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id439403"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id439416"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id439429"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id439442"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id439455"></a><em class="parameter"><code>logon script = scripts\login.bat</code></em></td></tr><tr><td><a class="indexterm" name="id439468"></a><em class="parameter"><code>logon path = </code></em></td></tr><tr><td><a class="indexterm" name="id439480"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id439493"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id439505"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id439518"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id439530"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id439543"></a><em class="parameter"><code>include = /etc/samba/smb-%L.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="merlinsmbc"></a><p class="title"><b>Example 34.4. MERLIN smb-merlin.conf File Share Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id439584"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id439596"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id439618"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id439631"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id439643"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id439656"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id439677"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id439690"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id439702"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id439724"></a><em class="parameter"><code>comment = NETLOGON</code></em></td></tr><tr><td><a class="indexterm" name="id439736"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id439749"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id439761"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id439783"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id439795"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id439808"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id439820"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id439833"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sauronsmbc"></a><p class="title"><b>Example 34.5. SAURON smb-sauron.conf File Share Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id439874"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id439886"></a><em class="parameter"><code>netbios name = SAURON</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[www]</code></em></td></tr><tr><td><a class="indexterm" name="id439908"></a><em class="parameter"><code>comment = Web Pages</code></em></td></tr><tr><td><a class="indexterm" name="id439920"></a><em class="parameter"><code>path = /srv/www/htdocs</code></em></td></tr><tr><td><a class="indexterm" name="id439933"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="largefile.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 33. Handling Large Directories </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Migration and Updating</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html b/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html new file mode 100644 index 0000000000..99419a254c --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html @@ -0,0 +1,287 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 45. LDAP and Transport Layer Security</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="speed.html" title="Chapter 44. Samba Performance Tuning"><link rel="next" href="ch46.html" title="Chapter 46. Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 45. LDAP and Transport Layer Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="ch46.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch-ldap-tls"></a>Chapter 45. LDAP and Transport Layer Security</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gavin</span> <span class="surname">Henry</span></h3><div class="affiliation"><span class="orgname">Suretec Systems Limited, UK<br></span><div class="address"><p><code class="email"><<a href="mailto:ghenry@suretecsystems.com">ghenry@suretecsystems.com</a>></code></p></div></div></div></div><div><p class="pubdate">July 8, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-intro-ldap-tls"></a>Introduction</h2></div></div></div><p> + <a class="indexterm" name="id453565"></a> +<a class="indexterm" name="id453574"></a> + Up until now, we have discussed the straightforward configuration of <span class="trademark">OpenLDAP</span>™, + with some advanced features such as ACLs. This does not however, deal with the fact that the network + transmissions are still in plain text. This is where <em class="firstterm">Transport Layer Security (TLS)</em> + comes in. + </p><p> +<a class="indexterm" name="id453596"></a> + <span class="trademark">OpenLDAP</span>™ clients and servers are capable of using the Transport Layer Security (TLS) + framework to provide integrity and confidentiality protections in accordance with <a href="http://rfc.net/rfc2830.html" target="_top">RFC 2830</a>; <span class="emphasis"><em>Lightweight Directory Access Protocol (v3): + Extension for Transport Layer Security.</em></span> + </p><p> +<a class="indexterm" name="id453623"></a> + TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates + are optional. We will only be discussing server certificates. + </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +<a class="indexterm" name="id453635"></a> +<a class="indexterm" name="id453642"></a> +<a class="indexterm" name="id453648"></a> + The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the + server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the + <code class="option">subjectAltName</code> certificate extension. More details on server certificate names are in <a href="http://rfc.net/rfc2830.html" target="_top">RFC2830</a>. + </p></div><p> + We will discuss this more in the next sections. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-config-ldap-tls"></a>Configuring</h2></div></div></div><p> + <a class="indexterm" name="id453685"></a> + Now on to the good bit. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-certs"></a>Generating the Certificate Authority</h3></div></div></div><p> +<a class="indexterm" name="id453708"></a> + In order to create the relevant certificates, we need to become our own Certificate Authority (CA). + <sup>[<a name="id453717" href="#ftn.id453717">8</a>]</sup> This is necessary, so we can sign the server certificate. + </p><p> +<a class="indexterm" name="id453744"></a> + We will be using the <a href="http://www.openssl.org" target="_top">OpenSSL</a> <sup>[<a name="id453757" href="#ftn.id453757">9</a>]</sup> software for this, which is included with every great <span class="trademark">Linux</span>® distribution. + </p><p> + TLS is used for many types of servers, but the instructions<sup>[<a name="id453773" href="#ftn.id453773">10</a>]</sup> presented here, are tailored for <span class="application">OpenLDAP</span>. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The <span class="emphasis"><em>Common Name (CN)</em></span>, in the following example, <span class="emphasis"><em>MUST</em></span> be + the fully qualified domain name (FQDN) of your ldap server. + </p></div><p> + First we need to generate the CA: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> mkdir myCA +</code> +</pre><p> + Move into that directory: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> cd myCA +</code> +</pre><p> + Now generate the CA:<sup>[<a name="id453845" href="#ftn.id453845">11</a>]</sup> +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -newca +CA certificate filename (or enter to create) + +Making CA certificate ... +Generating a 1024 bit RSA private key +.......................++++++ +.............................++++++ +writing new private key to './demoCA/private/cakey.pem' +Enter PEM pass phrase: +Verifying - Enter PEM pass phrase: +----- +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]:AU +State or Province Name (full name) [Some-State]:NSW +Locality Name (eg, city) []:Sydney +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas +Organizational Unit Name (eg, section) []:IT +Common Name (eg, YOUR name) []:ldap.abmas.biz +Email Address []:support@abmas.biz +</code> +</pre><p> + </p><p> + There are some things to note here. + </p><div class="orderedlist"><ol type="1"><li><p> + You <span class="emphasis"><em>MUST</em></span> remember the password, as we will need + it to sign the server certificate.. + </p></li><li><p> + The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be the + fully qualified domain name (FQDN) of your ldap server. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-server"></a>Generating the Server Certificate</h3></div></div></div><p> + Now we need to generate the server certificate: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> openssl req -new -nodes -keyout newreq.pem -out newreq.pem +Generating a 1024 bit RSA private key +.............++++++ +........................................................++++++ +writing new private key to 'newreq.pem' +----- +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]:AU +State or Province Name (full name) [Some-State]:NSW +Locality Name (eg, city) []:Sydney +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas +Organizational Unit Name (eg, section) []:IT +Common Name (eg, YOUR name) []:ldap.abmas.biz +Email Address []:support@abmas.biz + +Please enter the following 'extra' attributes +to be sent with your certificate request +A challenge password []: +An optional company name []: +</code> +</pre><p> + </p><p> + Again, there are some things to note here. + </p><div class="orderedlist"><ol type="1"><li><p> + You should <span class="emphasis"><em>NOT</em></span> enter a password. + </p></li><li><p> + The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be + the fully qualified domain name (FQDN) of your ldap server. + </p></li></ol></div><p> + Now we sign the certificate with the new CA: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -sign +Using configuration from /etc/ssl/openssl.cnf +Enter pass phrase for ./demoCA/private/cakey.pem: +Check that the request matches the signature +Signature ok +Certificate Details: +Serial Number: 1 (0x1) +Validity + Not Before: Mar 6 18:22:26 2005 EDT + Not After : Mar 6 18:22:26 2006 EDT +Subject: + countryName = AU + stateOrProvinceName = NSW + localityName = Sydney + organizationName = Abmas + organizationalUnitName = IT + commonName = ldap.abmas.biz + emailAddress = support@abmas.biz +X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE + X509v3 Authority Key Identifier: + keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC + DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/ + CN=ldap.abmas.biz/emailAddress=support@abmas.biz + serial:00 + +Certificate is to be certified until Mar 6 18:22:26 2006 EDT (365 days) +Sign the certificate? [y/n]:y + + +1 out of 1 certificate requests certified, commit? [y/n]y +Write out database with 1 new entries +Data Base Updated +Signed certificate is in newcert.pem +</code> +</pre><p> + </p><p> + That completes the server certificate generation. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-install"></a>Installing the Certificates</h3></div></div></div><p> + Now we need to copy the certificates to the right configuration directories, + rename them at the same time (for convenience), change the ownership and + finally the permissions: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> cp demoCA/cacert.pem /etc/openldap/ +<code class="prompt">root# </code> cp newcert.pem /etc/openldap/servercrt.pem +<code class="prompt">root# </code> cp newreq.pem /etc/openldap/serverkey.pem +<code class="prompt">root# </code> chown ldap.ldap /etc/openldap/*.pem +<code class="prompt">root# </code> chmod 640 /etc/openldap/cacert.pem; +<code class="prompt">root# </code> chmod 600 /etc/openldap/serverkey.pem +</code> +</pre><p> + </p><p> + Now we just need to add these locations to <code class="filename">slapd.conf</code>, + anywhere before the <code class="option">database</code> declaration as shown here: +</p><pre class="screen"> +<code class="computeroutput"> +TLSCertificateFile /etc/openldap/servercrt.pem +TLSCertificateKeyFile /etc/openldap/serverkey.pem +TLSCACertificateFile /etc/openldap/cacert.pem +</code> +</pre><p> + </p><p> + Here is the declaration and <code class="filename">ldap.conf</code>: +<code class="filename">ldap.conf</code> +</p><pre class="screen"> +<code class="computeroutput"> +TLS_CACERT /etc/openldap/cacert.pem +</code> +</pre><p> + </p><p> + That's all there is to it. Now on to <a href="ch-ldap-tls.html#s1-test-ldap-tls" title="Testing">the section called “Testing”</a> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-test-ldap-tls"></a>Testing</h2></div></div></div><p> +<a class="indexterm" name="id454217"></a> +This is the easy part. Restart the server: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> /etc/init.d/ldap restart +Stopping slapd: [ OK ] +Checking configuration files for slapd: config file testing succeeded +Starting slapd: [ OK ] +</code> +</pre><p> + Then, using <code class="literal">ldapsearch</code>, test an anonymous search with the + <code class="option">-ZZ</code><sup>[<a name="id454256" href="#ftn.id454256">12</a>]</sup> option: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \ + -H 'ldap://ldap.abmas.biz:389' -ZZ +</code> +</pre><p> + Your results should be the same as before you restarted the server, for example: +</p><pre class="screen"> +<code class="computeroutput"> +<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \ + -H 'ldap://ldap.abmas.biz:389' -ZZ + +# extended LDIF +# +# LDAPv3 +# base <> with scope sub +# filter: (objectclass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=ldap,dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +o: Abmas +dc: abmas + +# Manager, ldap.abmas.biz +dn: cn=Manager,dc=ldap,dc=abmas,dc=biz +objectClass: organizationalRole +cn: Manager + +# ABMAS, abmas.biz +dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz +sambaDomainName: ABMAS +sambaSID: S-1-5-21-238355452-1056757430-1592208922 +sambaAlgorithmicRidBase: 1000 +objectClass: sambaDomain +sambaNextUserRid: 67109862 +sambaNextGroupRid: 67109863 +</code> +</pre><p> + If you have any problems, please read <a href="ch-ldap-tls.html#s1-int-ldap-tls" title="Troubleshooting">the section called “Troubleshooting”</a> +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-int-ldap-tls"></a>Troubleshooting</h2></div></div></div><p> +<a class="indexterm" name="id454338"></a> +The most common error when configuring TLS, as I have already mentioned numerous times, is that the +<span class="emphasis"><em>Common Name (CN)</em></span> you entered in <a href="ch-ldap-tls.html#s1-config-ldap-tls-server" title="Generating the Server Certificate">the section called “Generating the Server Certificate”</a> is +<span class="emphasis"><em>NOT</em></span> the Fully Qualified Domain Name (FQDN) of your ldap server. +</p><p> +Other errors could be that you have a typo somewhere in your <code class="literal">ldapsearch</code> command, or that +your have the wrong permissions on the <code class="filename">servercrt.pem</code> and <code class="filename">cacert.pem</code> +files. They should be set with <code class="literal">chmod 640</code>, as per <a href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called “Installing the Certificates”</a>. +</p><p> +For anything else, it's best to read through your ldap logfile or join the <span class="application">OpenLDAP</span> mailing list. +</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id453717" href="#id453717">8</a>] </sup>We could however, get our generated server certificate signed by proper CAs, like <a href="http://www.thawte.com/" target="_top">Thawte</a> and <a href="http://www.verisign.com/" target="_top">VeriSign</a>, which + you pay for, or the free ones, via <a href="http://www.cacert.org/" target="_top">CAcert</a> + </p></div><div class="footnote"><p><sup>[<a name="ftn.id453757" href="#id453757">9</a>] </sup>The downside to + making our own CA, is that the certificate is not automatically recognized by clients, like the commercial + ones are.</p></div><div class="footnote"><p><sup>[<a name="ftn.id453773" href="#id453773">10</a>] </sup>For information straight from the + horse's mouth, please visit <a href="http://www.openssl.org/docs/HOWTO/" target="_top">http://www.openssl.org/docs/HOWTO/</a>; the main OpenSSL + site.</p></div><div class="footnote"><p><sup>[<a name="ftn.id453845" href="#id453845">11</a>] </sup>Your <code class="filename">CA.pl</code> or <code class="filename">CA.sh</code> might not be + in the same location as mine is, you can find it by using the <code class="literal">locate</code> command, i.e., + <code class="literal">locate CA.pl</code>. If the command complains about the database being too old, run + <code class="literal">updatedb</code> as <span class="emphasis"><em>root</em></span> to update it.</p></div><div class="footnote"><p><sup>[<a name="ftn.id454256" href="#id454256">12</a>] </sup>See <code class="literal">man ldapsearch</code></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch46.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 44. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 46. Samba Support</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/ch46.html b/docs/htmldocs/Samba3-HOWTO/ch46.html new file mode 100644 index 0000000000..a358726885 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ch46.html @@ -0,0 +1,106 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 46. Samba Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="ch-ldap-tls.html" title="Chapter 45. LDAP and Transport Layer Security"><link rel="next" href="DNSDHCP.html" title="Chapter 47. DNS and DHCP Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 46. Samba Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch-ldap-tls.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id454414"></a>Chapter 46. Samba Support</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch46.html#id454529">Free Support</a></span></dt><dt><span class="sect1"><a href="ch46.html#id454727">Commercial Support</a></span></dt></dl></div><p> +<a class="indexterm" name="id454423"></a> +One of the most difficult to answer questions in the information technology industry is, “<span class="quote">What is +support?</span>”. That question irritates some folks, as much as common answers may annoy others. +</p><p> +<a class="indexterm" name="id454438"></a> +The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to +an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: +“<span class="quote">Oh, Linux? We do not support Linux!</span>”. It has happened to me, and similar situations happen +through-out the IT industry. Answers like that are designed to inform us that there are some customers +that a business just does not want to deal with, and well may we feel the anguish of the rejection that +is dished out. +</p><p> +One way to consider support is to view it as consisting of the right answer, in the right place, +at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, +inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk. +</p><p> +<a class="indexterm" name="id454462"></a> +<a class="indexterm" name="id454468"></a> +<a class="indexterm" name="id454475"></a> +One of the forces that has become a driving force for the adoption of open source software is the fact that +many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or +that have been found wanting for other reasons. +</p><p> +<a class="indexterm" name="id454488"></a> +<a class="indexterm" name="id454494"></a> +In recognition of the need for needs satisfaction as the primary experience an information technology user or +consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience +in respect of problem resolution. +</p><p> +<a class="indexterm" name="id454507"></a> +<a class="indexterm" name="id454513"></a> +<a class="indexterm" name="id454520"></a> +In the open source software arena there are two support options: free support and paid-for (commercial) +support. +</p><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id454529"></a>Free Support</h2></div></div></div><p> +<a class="indexterm" name="id454537"></a> +<a class="indexterm" name="id454544"></a> +<a class="indexterm" name="id454550"></a> +<a class="indexterm" name="id454557"></a> +<a class="indexterm" name="id454564"></a> +<a class="indexterm" name="id454571"></a> + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help + facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user + supported mutual assistance. + </p><p> +<a class="indexterm" name="id454583"></a> +<a class="indexterm" name="id454590"></a> +<a class="indexterm" name="id454597"></a> +<a class="indexterm" name="id454603"></a> +<a class="indexterm" name="id454610"></a> + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. + Information regarding subscription to the Samba mailing list can be found on the Samba <a href="https://lists.samba.org/mailman/" target="_top">web</a> site. The public mailing list that can be used to obtain + free, user contributed, support is called the <code class="literal">samba</code> list. The email address for this list + is at <code class="literal">mail:samba@samba.org</code>. Information regarding the Samba IRC channels may be found on + the Samba <a href="http://www.samba.org/samba.irc.html" target="_top">IRC</a> web page. + </p><p> +<a class="indexterm" name="id454647"></a> +<a class="indexterm" name="id454654"></a> +<a class="indexterm" name="id454661"></a> +<a class="indexterm" name="id454667"></a> + As a general rule, it is considered poor net behavior to contact a Samba Team member directly + for free support. Most active members of the Samba Team work exceptionally long hours to assist + users who have demonstrated a qualified problem. Some team members may respond to direct email + or telephone contact, with requests for assistance, by requesting payment. A few of the Samba + Team members actually provide professional paid-for Samba support and it is therefore wise + to show appropriate discretion and reservation in all direct contact. + </p><p> +<a class="indexterm" name="id454682"></a> +<a class="indexterm" name="id454689"></a> +<a class="indexterm" name="id454696"></a> + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting + a bug <a href="https://bugzilla.samba.org/" target="_top">report</a>. All such reports are mailed to + the responsible code maintainer for action. The better the report, and the more serious it is, + the sooner it will be dealt with. On the other hand, if the responsible person can not duplicate + the reported bug it is likely to be rejected. It is up to you to provide sufficient information + that will permit the problem to be reproduced. + </p><p> +<a class="indexterm" name="id454716"></a> + We all recognize that sometimes free support does not provide the answer that is sought within + the time-frame required. At other times the problem is elusive and you may lack the experience + necessary to isolate the problem and thus to resolve it. This is a situation where is may be + prudent to purchase paid-for support. + </p></div><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id454727"></a>Commercial Support</h2></div></div></div><p> + There are six basic support oriented services that are most commonly sought by Samba sites: + </p><div class="itemizedlist"><ul type="disc"><li><p>Assistance with network design</p></li><li><p>Staff Training</p></li><li><p>Assistance with Samba network deployment and installation</p></li><li><p>Priority telephone or email Samba configuration assistance</p></li><li><p>Trouble-shooting and diagnostic assistance</p></li><li><p>Provision of quality assured ready-to-install Samba binary packages</p></li></ul></div><p> +<a class="indexterm" name="id454771"></a> +<a class="indexterm" name="id454778"></a> + Information regarding companies that provide professional Samba support can be obtained by performing a Google + search, as well as by reference to the Samba <a href="http://www.samba.org/samba/support.html" target="_top">Support</a> web page. Companies who notify the Samba Team + that they provide commercial support are given a free listing that is sorted by the country of origin. + Multiple listings are permitted, however no guarantee is offered. It is left to you to qualify a support + provider and to satisfy yourself that both the company and its staff are able to deliver what is required of + them. + </p><p> +<a class="indexterm" name="id454799"></a> + The policy within the Samba Team is to treat all commercial support providers equally and to show no + preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. + You are encouraged to obtain the services needed from a company in your local area. The open source movement + is pro-community; so do what you can to help a local business to prosper. + </p><p> +<a class="indexterm" name="id454812"></a> + Open source software support can be found in any quality, at any price and in any place you can + to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for + suffering in the mistaken belief that Samba is unsupported software it is supported. + </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch-ldap-tls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 45. LDAP and Transport Layer Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 47. DNS and DHCP Configuration Guide</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/classicalprinting.html b/docs/htmldocs/Samba3-HOWTO/classicalprinting.html new file mode 100644 index 0000000000..d5c7974166 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/classicalprinting.html @@ -0,0 +1,2049 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Classical Printing Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"><link rel="next" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Classical Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="classicalprinting"></a>Chapter 21. Classical Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname">Danka Deutschland GmbH<br></span><div class="address"><p><code class="email"><<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="classicalprinting.html#id390934">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id391142">Technical Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id391282">Client to Samba Print Job Processing</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id391335">Printing-Related Configuration Parameters</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id391430">Simple Print Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id391698">Verifying Configuration with <code class="literal">testparm</code></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id392225">Extended Printing Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id392691">Detailed Explanation Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395308">Creating the [print$] Share</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395788">The [print$] Share Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id395912">Installing Drivers into [print$]</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id396001">Add Printer Wizard Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#inst-rpc">Installing Print Drivers Using <code class="literal">rpcclient</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id397714">Client Driver Installation Procedure</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id397729">First Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398228">Additional Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398340">Always Make First Client Connection as root or “<span class="quote">printer admin</span>”</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id398491">Other Gotchas</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398507">Setting Default Print Options for Client Drivers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398839">Supporting Large Numbers of Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399282">Error Message: “<span class="quote">Cannot connect under a different Name</span>”</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399380">Take Care When Assembling Driver Files</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399581">Samba and Printer Ports</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399675">Avoiding Common Client Driver Misconfiguration</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id399708">The Imprints Toolset</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id399746">What Is Imprints?</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399776">Creating Printer Driver Packages</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399789">The Imprints Server</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399802">The Installation Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id399919">Adding Network Printers without User Interaction</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400158">The <code class="literal">addprinter</code> Command</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400192">Migration of Classical Printing to Samba</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400323">Publishing Printer Information in Active Directory or LDAP</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400350">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id400355">I Give My Root Password but I Do Not Get Access</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id400392">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id390934"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id390942"></a> +Printing is often a mission-critical service for the users. Samba can provide this service reliably and +seamlessly for a client network consisting of Windows workstations. +</p><p> +<a class="indexterm" name="id390954"></a> +<a class="indexterm" name="id390960"></a> +<a class="indexterm" name="id390967"></a> +<a class="indexterm" name="id390974"></a> +<a class="indexterm" name="id390981"></a> +<a class="indexterm" name="id390988"></a> +<a class="indexterm" name="id390994"></a> +<a class="indexterm" name="id391001"></a> +<a class="indexterm" name="id391008"></a> +<a class="indexterm" name="id391015"></a> +<a class="indexterm" name="id391022"></a> +<a class="indexterm" name="id391028"></a> +<a class="indexterm" name="id391035"></a> +<a class="indexterm" name="id391042"></a> +A Samba print service may be run on a standalone or domain member server, side by side with file serving +functions, or on a dedicated print server. It can be made as tightly or as loosely secured as needs dictate. +Configurations may be simple or complex. Available authentication schemes are essentially the same as +described for file services in previous chapters. Overall, Samba's printing support is now able to replace an +NT or Windows 2000 print server full-square, with additional benefits in many cases. Clients may download and +install drivers and printers through their familiar <code class="literal">Point'n'Print</code> mechanism. Printer +installations executed by <code class="literal">Logon Scripts</code> are no problem. Administrators can upload and manage +drivers to be used by clients through the familiar <code class="literal">Add Printer Wizard</code>. As an additional +benefit, driver and printer management may be run from the command line or through scripts, making it more +efficient in case of large numbers of printers. If a central accounting of print jobs (tracking every single +page and supplying the raw data for all sorts of statistical reports) is required, this function is best +supported by the newer Common UNIX Printing System (CUPS) as the print subsystem underneath the Samba hood. +</p><p> +<a class="indexterm" name="id391087"></a> +<a class="indexterm" name="id391094"></a> +This chapter outlines the fundamentals of Samba printing as implemented by the more traditional UNIX +BSD- and System V-style printing systems. Much of the information in this chapter applies also to CUPS. If +you use CUPS, you may be tempted to jump to the next chapter, but you will certainly miss a few things if you +do. For further information refer to <a href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id391116"></a> +<a class="indexterm" name="id391122"></a> +<a class="indexterm" name="id391129"></a> +Most of the following examples have been verified on Windows XP Professional clients. Where this document +describes the responses to commands given, bear in mind that Windows 200x/XP clients are quite similar but may +differ in minor details. Windows NT4 is somewhat different again. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id391142"></a>Technical Introduction</h2></div></div></div><p> +<a class="indexterm" name="id391150"></a> +<a class="indexterm" name="id391156"></a> +<a class="indexterm" name="id391163"></a> +Samba's printing support always relies on the installed print subsystem of the UNIX OS it runs on. Samba is a +<code class="literal">middleman.</code> It takes print files from Windows (or other SMB) clients and passes them to the real +printing system for further processing; therefore, it needs to communicate with both sides: the Windows print +clients and the UNIX printing system. Hence, we must differentiate between the various client OS types, each +of which behave differently, as well as the various UNIX print subsystems, which themselves have different +features and are accessed differently. +</p><p> +<a class="indexterm" name="id391184"></a> +<a class="indexterm" name="id391191"></a> +This chapter deals with the traditional way of UNIX printing. The next chapter covers in great detail the more +modern CUPS. +</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> +<a class="indexterm" name="id391203"></a> +CUPS users, be warned: do not just jump on to the next chapter. You might miss important information only found here! +</p></div><p> +<a class="indexterm" name="id391214"></a> +<a class="indexterm" name="id391221"></a> +<a class="indexterm" name="id391228"></a> +<a class="indexterm" name="id391234"></a> +It is apparent from postings on the Samba mailing list that print configuration is one of the most problematic +aspects of Samba administration today. Many new Samba administrators have the impression that Samba performs +some sort of print processing. Rest assured, Samba does not perform any type of print processing. It does not +do any form of print filtering. +</p><p> +<a class="indexterm" name="id391250"></a> +<a class="indexterm" name="id391257"></a> +<a class="indexterm" name="id391264"></a> +<a class="indexterm" name="id391271"></a> +Samba obtains from its clients a data stream (print job) that it spools to a local spool area. When the entire +print job has been received, Samba invokes a local UNIX/Linux print command and passes the spooled file to it. +It is up to the local system printing subsystems to correctly process the print job and to submit it to the +printer. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391282"></a>Client to Samba Print Job Processing</h3></div></div></div><p> +Successful printing from a Windows client via a Samba print server to a UNIX +printer involves six (potentially seven) stages: +</p><div class="orderedlist"><ol type="1"><li><p>Windows opens a connection to the printer share.</p></li><li><p>Samba must authenticate the user.</p></li><li><p>Windows sends a copy of the print file over the network + into Samba's spooling area.</p></li><li><p>Windows closes the connection.</p></li><li><p>Samba invokes the print command to hand the file over + to the UNIX print subsystem's spooling area.</p></li><li><p>The UNIX print subsystem processes the print job.</p></li><li><p>The print file may need to be explicitly deleted + from the Samba spooling area. This item depends on your print spooler + configuration settings.</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391335"></a>Printing-Related Configuration Parameters</h3></div></div></div><p> +<a class="indexterm" name="id391343"></a> +<a class="indexterm" name="id391350"></a> +<a class="indexterm" name="id391357"></a> +There are a number of configuration parameters to control Samba's printing behavior. Please refer to the man +page for <code class="filename">smb.conf</code> for an overview of these. As with other parameters, there are global-level (tagged with a +<span class="emphasis"><em>G</em></span> in the listings) and service-level (<span class="emphasis"><em>S</em></span>) parameters. +</p><div class="variablelist"><dl><dt><span class="term">Global Parameters</span></dt><dd><p> These <span class="emphasis"><em>may not</em></span> go into + individual share definitions. If they go in by error, + the <code class="literal">testparm</code> utility can discover this + (if you run it) and tell you so. + </p></dd><dt><span class="term">Service-Level Parameters</span></dt><dd><p> These may be specified in the + <em class="parameter"><code>[global]</code></em> section of <code class="filename">smb.conf</code>. + In this case they define the default behavior of all individual + or service-level shares (provided they do not have a different + setting defined for the same parameter, thus overriding the + global default). + </p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id391430"></a>Simple Print Configuration</h2></div></div></div><p> +<a class="indexterm" name="id391438"></a> +<a class="indexterm" name="id391444"></a> +<a class="indexterm" name="id391451"></a> +<a class="indexterm" name="id391458"></a> +<a href="classicalprinting.html#simpleprc" title="Example 21.1. Simple Configuration with BSD Printing">Simple Configuration with BSD Printing</a> shows a simple printing configuration. +If you compare this with your own, you may find additional parameters that have been preconfigured by your OS +vendor. Following is a discussion and explanation of the parameters. This example does not use many +parameters. However, in many environments these are enough to provide a valid <code class="filename">smb.conf</code> file that enables +all clients to print. +</p><div class="example"><a name="simpleprc"></a><p class="title"><b>Example 21.1. Simple Configuration with BSD Printing</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id391508"></a><em class="parameter"><code>printing = bsd</code></em></td></tr><tr><td><a class="indexterm" name="id391521"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id391542"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id391555"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id391568"></a><em class="parameter"><code>public = yes</code></em></td></tr><tr><td><a class="indexterm" name="id391580"></a><em class="parameter"><code>writable = no</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id391596"></a> +<a class="indexterm" name="id391603"></a> +<a class="indexterm" name="id391609"></a> +This is only an example configuration. Samba assigns default values to all configuration parameters. The +defaults are conservative and sensible. When a parameter is specified in the <code class="filename">smb.conf</code> file, this overwrites +the default value. The <code class="literal">testparm</code> utility when run as root is capable of reporting all +settings, both default as well as <code class="filename">smb.conf</code> file settings. <code class="literal">Testparm</code> gives warnings for all +misconfigured settings. The complete output is easily 360 lines and more, so you may want to pipe it through a +pager program. +</p><p> +<a class="indexterm" name="id391647"></a> +<a class="indexterm" name="id391654"></a> +<a class="indexterm" name="id391661"></a> +The syntax for the configuration file is easy to grasp. You should know that is not very picky about its +syntax. As has been explained elsewhere in this book, Samba tolerates some spelling errors (such as +<a class="indexterm" name="id391669"></a>browseable instead of <a class="indexterm" name="id391676"></a>browsable), and spelling is +case-insensitive. It is permissible to use <em class="parameter"><code>Yes/No</code></em> or <em class="parameter"><code>True/False</code></em> +for Boolean settings. Lists of names may be separated by commas, spaces, or tabs. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391698"></a>Verifying Configuration with <code class="literal">testparm</code></h3></div></div></div><p> +<a class="indexterm" name="id391710"></a> +<a class="indexterm" name="id391717"></a> +<a class="indexterm" name="id391724"></a> +<a class="indexterm" name="id391731"></a> +<a class="indexterm" name="id391737"></a> +<a class="indexterm" name="id391744"></a> +<a class="indexterm" name="id391751"></a> +<a class="indexterm" name="id391758"></a> +<a class="indexterm" name="id391765"></a> +<a class="indexterm" name="id391771"></a> +<a class="indexterm" name="id391778"></a> +To see all (or at least most) printing-related settings in Samba, including the implicitly used ones, try the +command outlined below. This command greps for all occurrences of <code class="constant">lp</code>, +<code class="constant">print</code>, <code class="constant">spool</code>, <code class="constant">driver</code>, +<code class="constant">ports</code>, and <code class="constant">[</code> in <code class="literal">testparm</code>'s output. This provides +a convenient overview of the running <code class="literal">smbd</code> print configuration. This command does not show +individually created printer shares or the spooling paths they may use. Here is the output of my Samba setup, +with settings shown in <a href="classicalprinting.html#simpleprc" title="Example 21.1. Simple Configuration with BSD Printing">the example above</a>: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>testparm -s -v | egrep "(lp|print|spool|driver|ports|\[)"</code></strong> + Load smb config files from /etc/samba/smb.conf + Processing section "[homes]" + Processing section "[printers]" + + [global] + smb ports = 139 445 + lpq cache time = 10 + load printers = Yes + printcap name = /etc/printcap + disable spoolss = No + enumports command = + addprinter command = + deleteprinter command = + show add printer wizard = Yes + os2 driver map = + printer admin = + min print space = 0 + max print jobs = 1000 + printable = No + printing = bsd + print command = lpr -r -P'%p' %s + lpq command = lpq -P'%p' + lprm command = lprm -P'%p' %j + lppause command = + lpresume command = + printer name = + use client driver = No + + [homes] + + [printers] + path = /var/spool/samba + printable = Yes +</pre><p> +</p><p> +You can easily verify which settings were implicitly added by Samba's default behavior. <span class="emphasis"><em>Remember: it +may be important in your future dealings with Samba.</em></span> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The <code class="literal">testparm</code> in Samba-3 behaves differently from that in 2.2.x: used without the +“<span class="quote">-v</span>” switch, it only shows you the settings actually written into! To see the complete +configuration used, add the “<span class="quote">-v</span>” parameter to testparm. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id391880"></a>Rapid Configuration Validation</h3></div></div></div><p> +<a class="indexterm" name="id391888"></a> +<a class="indexterm" name="id391895"></a> +<a class="indexterm" name="id391902"></a> +<a class="indexterm" name="id391908"></a> +Should you need to troubleshoot at any stage, please always come back to this point first and verify if +<code class="literal">testparm</code> shows the parameters you expect. To give you a warning from personal experience, +try to just comment out the <a class="indexterm" name="id391923"></a>load printers parameter. If your 2.2.x system behaves like +mine, you'll see this: +</p><pre class="screen"> +<code class="prompt">root# </code>grep "load printers" /etc/samba/smb.conf + # load printers = Yes + # This setting is commented out!! + +<code class="prompt">root# </code>testparm -v /etc/samba/smb.conf | egrep "(load printers)" + load printers = Yes +</pre><p> +<a class="indexterm" name="id391954"></a> +<a class="indexterm" name="id391961"></a> +I assumed that commenting out of this setting should prevent Samba from +publishing my printers, but it still did. It took some time to figure out +the reason. But I am no longer fooled ... at least not by this. +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>grep -A1 "load printers" /etc/samba/smb.conf</code></strong> + load printers = No + # The above setting is what I want! + # load printers = Yes + # This setting is commented out! + +<code class="prompt">root# </code><strong class="userinput"><code>testparm -s -v smb.conf.simpleprinting | egrep "(load printers)"</code></strong> + load printers = No +</pre><p> +<a class="indexterm" name="id392000"></a> +Only when the parameter is explicitly set to <a class="indexterm" name="id392007"></a>load printers = No would +Samba conform with my intentions. So, my strong advice is: +</p><div class="itemizedlist"><ul type="disc"><li><p>Never rely on commented-out parameters.</p></li><li><p>Always set parameters explicitly as you intend them to + behave.</p></li><li><p>Use <code class="literal">testparm</code> to uncover hidden + settings that might not reflect your intentions.</p></li></ul></div><p> +The following is the most minimal configuration file: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cat /etc/samba/smb.conf-minimal</code></strong> + [printers] +</pre><p> +<a class="indexterm" name="id392061"></a> +<a class="indexterm" name="id392068"></a> +This example should show that you can use <code class="literal">testparm</code> to test any Samba configuration file. +Actually, we encourage you <span class="emphasis"><em>not</em></span> to change your working system (unless you know exactly +what you are doing). Don't rely on the assumption that changes will only take effect after you restart smbd! +This is not the case. Samba rereads it every 60 seconds and on each new client connection. You might have to +face changes for your production clients that you didn't intend to apply. You will now note a few more +interesting things; <code class="literal">testparm</code> is useful to identify what the Samba print configuration would +be if you used this minimalistic configuration. Here is what you can expect to find: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>testparm -v smb.conf-minimal | egrep "(print|lpq|spool|driver|ports|[)"</code></strong> + Processing section "[printers]" + WARNING: [printers] service MUST be printable! + No path in service printers - using /tmp + + lpq cache time = 10 + load printers = Yes + printcap name = /etc/printcap + disable spoolss = No + enumports command = + addprinter command = + deleteprinter command = + show add printer wizard = Yes + os2 driver map = + printer admin = + min print space = 0 + max print jobs = 1000 + printable = No + printing = bsd + print command = lpr -r -P%p %s + lpq command = lpq -P%p + printer name = + use client driver = No + + [printers] + printable = Yes +</pre><p> +<code class="literal">testparm</code> issued two warnings: +</p><div class="itemizedlist"><ul type="disc"><li><p>We did not specify the <em class="parameter"><code>[printers]</code></em> section as printable.</p></li><li><p>We did not tell Samba which spool directory to use.</p></li></ul></div><p> +<a class="indexterm" name="id392147"></a> +<a class="indexterm" name="id392154"></a> +<a class="indexterm" name="id392159"></a> +<a class="indexterm" name="id392165"></a> +However, this was not fatal, and Samba will default to values that will work. Please, do not rely on this and +do not use this example. This was included to encourage you to be careful to design and specify your setup to +do precisely what you require. The outcome on your system may vary for some parameters given, since Samba may +have been built with different compile-time options. <span class="emphasis"><em>Warning:</em></span> do not put a comment sign +<span class="emphasis"><em>at the end</em></span> of a valid line. It will cause the parameter to be ignored (just as if you had +put the comment sign at the front). At first I regarded this as a bug in my Samba versions. But the man page +clearly says: <code class="literal">Internal whitespace in a parameter value is retained verbatim.</code> This means +that a line consisting of, for example, +</p><table class="simplelist" border="0" summary="Simple list"><tr><td># This defines LPRng as the printing system</td></tr><tr><td><a class="indexterm" name="id392199"></a><em class="parameter"><code>printing = lprng</code></em></td></tr></table><p> +</p><p> +will regard the whole of the string after the <code class="literal">=</code> sign as the value you want to define. This +is an invalid value that will be ignored, and a default value will be used in its place. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id392225"></a>Extended Printing Configuration</h2></div></div></div><p> +<a class="indexterm" name="id392233"></a> +<a class="indexterm" name="id392240"></a> +<a class="indexterm" name="id392246"></a> +<a class="indexterm" name="id392253"></a> +<a href="classicalprinting.html#extbsdpr" title="Example 21.2. Extended BSD Printing Configuration">Extended BSD Printing Configuration</a> shows a more verbose configuration for +print-related settings in a BSD-style printing environment. What follows is a discussion and explanation of +the various parameters. We chose to use BSD-style printing here because it is still the most commonly used +system on legacy UNIX/Linux installations. New installations predominantly use CUPS, which is discussed in a +separate chapter. The example explicitly names many parameters that do not need to be specified because they +are set by default. You could use a much leaner <code class="filename">smb.conf</code> file, or you can use <code class="literal">testparm</code> or +<code class="literal">SWAT</code> to optimize the <code class="filename">smb.conf</code> file to remove all parameters that are set at default. +</p><div class="example"><a name="extbsdpr"></a><p class="title"><b>Example 21.2. Extended BSD Printing Configuration</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id392321"></a><em class="parameter"><code>printing = bsd</code></em></td></tr><tr><td><a class="indexterm" name="id392333"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392346"></a><em class="parameter"><code>show add printer wizard = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392358"></a><em class="parameter"><code>printcap name = /etc/printcap</code></em></td></tr><tr><td><a class="indexterm" name="id392371"></a><em class="parameter"><code>printer admin = @ntadmin, root</code></em></td></tr><tr><td><a class="indexterm" name="id392384"></a><em class="parameter"><code>max print jobs = 100</code></em></td></tr><tr><td><a class="indexterm" name="id392396"></a><em class="parameter"><code>lpq cache time = 20</code></em></td></tr><tr><td><a class="indexterm" name="id392409"></a><em class="parameter"><code>use client driver = no</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id392430"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id392443"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392455"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id392468"></a><em class="parameter"><code>browseable = no</code></em></td></tr><tr><td><a class="indexterm" name="id392480"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392493"></a><em class="parameter"><code>public = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392506"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392518"></a><em class="parameter"><code>writable = no </code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[my_printer_name]</code></em></td></tr><tr><td><a class="indexterm" name="id392540"></a><em class="parameter"><code>comment = Printer with Restricted Access</code></em></td></tr><tr><td><a class="indexterm" name="id392552"></a><em class="parameter"><code>path = /var/spool/samba_my_printer</code></em></td></tr><tr><td><a class="indexterm" name="id392565"></a><em class="parameter"><code>printer admin = kurt</code></em></td></tr><tr><td><a class="indexterm" name="id392578"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392590"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id392603"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id392615"></a><em class="parameter"><code>hosts allow = 0.0.0.0</code></em></td></tr><tr><td><a class="indexterm" name="id392628"></a><em class="parameter"><code>hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60</code></em></td></tr><tr><td><a class="indexterm" name="id392640"></a><em class="parameter"><code>guest ok = no</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id392655"></a> +<a class="indexterm" name="id392661"></a> +<a class="indexterm" name="id392666"></a> +This is an example configuration. You may not find all the settings that are in the configuration file that +was provided by the OS vendor. Samba configuration parameters, if not explicitly set, default to a sensible +value. To see all settings, as <code class="constant">root</code> use the <code class="literal">testparm</code> utility. +<code class="literal">testparm</code> gives warnings for misconfigured settings. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id392691"></a>Detailed Explanation Settings</h3></div></div></div><p> +The following is a discussion of the settings from <a href="classicalprinting.html#extbsdpr" title="Example 21.2. Extended BSD Printing Configuration">Extended BSD Printing +Configuration</a> <a href="classicalprinting.html#extbsdpr" title="Example 21.2. Extended BSD Printing Configuration">Extended BSD Printing Configuration</a>. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id392714"></a>The [global] Section</h4></div></div></div><p> +<a class="indexterm" name="id392722"></a> +<a class="indexterm" name="id392728"></a> +<a class="indexterm" name="id392735"></a> +<a class="indexterm" name="id392742"></a> +The <em class="parameter"><code>[global]</code></em> section is one of four special sections (along with <em class="parameter"><code>[homes]</code></em>, <em class="parameter"><code>[printers]</code></em>, and <em class="parameter"><code>[print$]</code></em>). The +<em class="parameter"><code>[global]</code></em> contains all parameters that apply to the server as a whole. It is the place +for parameters that have only a global meaning. It may also contain service-level parameters that define +default settings for all other sections and shares. This way you can simplify the configuration and avoid +setting the same value repeatedly. (Within each individual section or share, you may, however, override these +globally set share settings and specify other values). +</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id392788"></a>printing = bsd </span></dt><dd><p> +<a class="indexterm" name="id392799"></a> +<a class="indexterm" name="id392806"></a> +<a class="indexterm" name="id392813"></a> +<a class="indexterm" name="id392820"></a> +<a class="indexterm" name="id392827"></a> +<a class="indexterm" name="id392833"></a> +<a class="indexterm" name="id392840"></a> +<a class="indexterm" name="id392847"></a> +<a class="indexterm" name="id392854"></a> +<a class="indexterm" name="id392860"></a> +<a class="indexterm" name="id392867"></a> +<a class="indexterm" name="id392874"></a> + Causes Samba to use default print commands applicable for the BSD (also known as RFC 1179 style or LPR/LPD) + printing system. In general, the <em class="parameter"><code>printing</code></em> parameter informs Samba about the print + subsystem it should expect. Samba supports CUPS, LPD, LPRNG, SYSV, HPUX, AIX, QNX, and PLP. Each of these + systems defaults to a different <a class="indexterm" name="id392889"></a>print command (and other queue control commands). + </p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p> +<a class="indexterm" name="id392901"></a> +<a class="indexterm" name="id392908"></a> + The <a class="indexterm" name="id392915"></a>printing parameter is normally a service-level parameter. Since it is included + here in the <em class="parameter"><code>[global]</code></em> section, it will take effect for all printer shares that are not + defined differently. Samba-3 no longer supports the SOFTQ printing system. + </p></div></dd><dt><span class="term"><a class="indexterm" name="id392934"></a>load printers = yes </span></dt><dd><p> +<a class="indexterm" name="id392945"></a> +<a class="indexterm" name="id392952"></a> +<a class="indexterm" name="id392959"></a> +<a class="indexterm" name="id392965"></a> + Tells Samba to create automatically all available printer shares. Available printer shares are discovered by + scanning the printcap file. All created printer shares are also loaded for browsing. If you use this + parameter, you do not need to specify separate shares for each printer. Each automatically created printer + share will clone the configuration options found in the <em class="parameter"><code>[printers]</code></em> section. (The + <em class="parameter"><code>load printers = no</code></em> setting will allow you to specify each UNIX printer you want to + share separately, leaving out some you do not want to be publicly visible and available). + </p></dd><dt><span class="term"><a class="indexterm" name="id392993"></a>show add printer wizard = yes </span></dt><dd><p> +<a class="indexterm" name="id393004"></a> +<a class="indexterm" name="id393011"></a> +<a class="indexterm" name="id393018"></a> +<a class="indexterm" name="id393025"></a> +<a class="indexterm" name="id393032"></a> + Setting is normally enabled by default (even if the parameter is not specified in <code class="filename">smb.conf</code>). It causes the + <span class="guiicon">Add Printer Wizard</span> icon to appear in the <span class="guiicon">Printers</span> folder of the Samba + host's share listing (as shown in <span class="guiicon">Network Neighborhood</span> or by the <code class="literal">net + view</code> command). To disable it, you need to explicitly set it to <code class="constant">no</code> (commenting + it out will not suffice). The <em class="parameter"><code>Add Printer Wizard</code></em> lets you upload a printer driver to + the <em class="parameter"><code>[print$]</code></em> share and associate it with a printer (if the respective queue exists + before the action), or exchange a printer's driver for any other previously uploaded driver. + </p></dd><dt><span class="term"><a class="indexterm" name="id393092"></a>max print jobs = 100 </span></dt><dd><p> +<a class="indexterm" name="id393103"></a> + Sets the upper limit to 100 print jobs being active on the Samba server at any one time. Should a client + submit a job that exceeds this number, a "no more space available on server" type of error message will be + returned by Samba to the client. A setting of zero (the default) means there is <span class="emphasis"><em>no</em></span> limit + at all. + </p></dd><dt><span class="term"><a class="indexterm" name="id393120"></a>printcap name = /etc/printcap </span></dt><dd><p> +<a class="indexterm" name="id393132"></a> +<a class="indexterm" name="id393138"></a> +<a class="indexterm" name="id393145"></a> + Tells Samba where to look for a list of available printer names. Where CUPS is used, make sure that a printcap + file is written. This is controlled by the <code class="constant">Printcap</code> directive in the + <code class="filename">cupsd.conf</code> file. + </p></dd><dt><span class="term"><a class="indexterm" name="id393166"></a>printer admin = @ntadmin </span></dt><dd><p> +<a class="indexterm" name="id393178"></a> +<a class="indexterm" name="id393185"></a> +<a class="indexterm" name="id393192"></a> +<a class="indexterm" name="id393198"></a> + Members of the ntadmin group should be able to add drivers and set printer properties + (<code class="constant">ntadmin</code> is only an example name; it needs to be a valid UNIX group name); root is + implicitly always a <a class="indexterm" name="id393210"></a>printer admin. The <code class="literal">@</code> sign precedes group names + in the <code class="filename">/etc/group</code>. A printer admin can do anything to printers via the remote + administration interfaces offered by MS-RPC (see <a href="classicalprinting.html#cups-msrpc" title="Printing Developments Since Samba-2.2">Printing Developments Since + Samba-2.2</a>). In larger installations, the <a class="indexterm" name="id393239"></a>printer admin parameter is normally a + per-share parameter. This permits different groups to administer each printer share. + </p></dd><dt><span class="term"><a class="indexterm" name="id393250"></a>lpq cache time = 20 </span></dt><dd><p> +<a class="indexterm" name="id393261"></a> +<a class="indexterm" name="id393268"></a> + Controls the cache time for the results of the lpq command. It prevents the lpq command being called too often + and reduces the load on a heavily used print server. + </p></dd><dt><span class="term"><a class="indexterm" name="id393280"></a>use client driver = no </span></dt><dd><p> +<a class="indexterm" name="id393291"></a> + If set to <code class="constant">yes</code>, only takes effect for Windows NT/200x/XP clients (and not for Win + 95/98/ME). Its default value is <code class="constant">No</code> (or <code class="constant">False</code>). It must + <span class="emphasis"><em>not</em></span> be enabled on print shares (with a <code class="constant">yes</code> or + <code class="constant">true</code> setting) that have valid drivers installed on the Samba server. For more detailed + explanations, see the <code class="filename">smb.conf</code> man page. + </p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ptrsect"></a>The [printers] Section</h4></div></div></div><p> +<a class="indexterm" name="id393341"></a> +<a class="indexterm" name="id393348"></a> +The printers section is the second special section. If a section with this name appears in the <code class="filename">smb.conf</code>, +users are able to connect to any printer specified in the Samba host's printcap file, because Samba on startup +then creates a printer share for every printer name it finds in the printcap file. You could regard this +section as a convenient shortcut to share all printers with minimal configuration. It is also a container for +settings that should apply as default to all printers. (For more details, see the <code class="filename">smb.conf</code> man page.) +Settings inside this container must be share-level parameters. +</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id393377"></a>comment = All printers </span></dt><dd><p> + The <a class="indexterm" name="id393389"></a>comment is shown next to the share if + a client queries the server, either via <span class="guiicon">Network Neighborhood</span> or with + the <code class="literal">net view</code> command, to list available shares. + </p></dd><dt><span class="term"><a class="indexterm" name="id393413"></a>printable = yes </span></dt><dd><p> + The <em class="parameter"><code>[printers]</code></em> service <span class="emphasis"><em>must</em></span> + be declared as printable. If you specify otherwise, smbd will refuse to load at + startup. This parameter allows connected clients to open, write to, and submit spool files + into the directory specified with the <a class="indexterm" name="id393436"></a>path + parameter for this service. It is used by Samba to differentiate printer shares from + file shares. + </p></dd><dt><span class="term"><a class="indexterm" name="id393448"></a>path = /var/spool/samba </span></dt><dd><p> + Must point to a directory used by Samba to spool incoming print files. <span class="emphasis"><em>It + must not be the same as the spool directory specified in the configuration of your UNIX + print subsystem!</em></span> The path typically points to a directory that is world + writable, with the <span class="emphasis"><em>sticky</em></span> bit set to it. + </p></dd><dt><span class="term"><a class="indexterm" name="id393473"></a>browseable = no </span></dt><dd><p> + Is always set to <code class="constant">no</code> if + <a class="indexterm" name="id393488"></a>printable = yes. It makes + the <em class="parameter"><code>[printer]</code></em> share itself invisible in the list of + available shares in a <code class="literal">net view</code> command or in the Explorer browse + list. (You will of course see the individual printers.) + </p></dd><dt><span class="term"><a class="indexterm" name="id393513"></a>guest ok = yes </span></dt><dd><p> + If this parameter is set to <code class="constant">yes</code>, no password is required to + connect to the printer's service. Access will be granted with the privileges of the + <a class="indexterm" name="id393529"></a>guest account. On many systems the guest + account will map to a user named "nobody." This user will usually be found + in the UNIX passwd file with an empty password, but with no valid UNIX login. On some + systems the guest account might not have the privilege to be able to print. Test this + by logging in as your guest user using <code class="literal">su - guest</code> and run a system + print command like: + </p><p> + <strong class="userinput"><code>lpr -P printername /etc/motd</code></strong> + </p></dd><dt><span class="term"><a class="indexterm" name="id393558"></a>public = yes </span></dt><dd><p> + Is a synonym for <a class="indexterm" name="id393570"></a>guest ok = yes. + Since we have <a class="indexterm" name="id393577"></a>guest ok = yes, it + really does not need to be here. (This leads to the interesting question, “<span class="quote">What if I + by accident have two contradictory settings for the same share?</span>” The answer is that the + last one encountered by Samba wins. <code class="literal">testparm</code> does not complain about different settings + of the same parameter for the same share. You can test this by setting up multiple + lines for the <em class="parameter"><code>guest account</code></em> parameter with different usernames, + and then run testparm to see which one is actually used by Samba.) + </p></dd><dt><span class="term"><a class="indexterm" name="id393607"></a>read only = yes </span></dt><dd><p> + Normally (for other types of shares) prevents users from creating or modifying files + in the service's directory. However, in a <span class="emphasis"><em>printable</em></span> service, it is + <span class="emphasis"><em>always</em></span> allowed to write to the directory (if user privileges allow the + connection), but only via print spooling operations. Normal write operations are not permitted. + </p></dd><dt><span class="term"><a class="indexterm" name="id393633"></a>writable = no </span></dt><dd><p> + Is a synonym for <a class="indexterm" name="id393644"></a>read only = yes. + </p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id393656"></a>Any [my_printer_name] Section</h4></div></div></div><p> +<a class="indexterm" name="id393664"></a> +<a class="indexterm" name="id393670"></a> +If a <em class="parameter"><code>[my_printer_name]</code></em> section appears in the <code class="filename">smb.conf</code> file, which includes the +parameter <a class="indexterm" name="id393690"></a>printable = yes Samba will configure it as a printer share. +Windows 9x/Me clients may have problems with connecting or loading printer drivers if the share name has more +than eight characters. Do not name a printer share with a name that may conflict with an existing user or file +share name. On client connection requests, Samba always tries to find file shares with that name first. If it +finds one, it will connect to this and will not connect to a printer with the same name! +</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id393709"></a>comment = Printer with Restricted Access </span></dt><dd><p> + The comment says it all. + </p></dd><dt><span class="term"><a class="indexterm" name="id393725"></a>path = /var/spool/samba_my_printer </span></dt><dd><p> + Sets the spooling area for this printer to a directory other than the default. It is not + necessary to set it differently, but the option is available. + </p></dd><dt><span class="term"><a class="indexterm" name="id393742"></a>printer admin = kurt </span></dt><dd><p> + The printer admin definition is different for this explicitly defined printer share from the general + <em class="parameter"><code>[printers]</code></em> share. It is not a requirement; we did it to show that it is possible. + </p></dd><dt><span class="term"><a class="indexterm" name="id393765"></a>browseable = yes </span></dt><dd><p> + This makes the printer browseable so the clients may conveniently find it when browsing the + <span class="guiicon">Network Neighborhood</span>. + </p></dd><dt><span class="term"><a class="indexterm" name="id393788"></a>printable = yes </span></dt><dd><p> + See <a href="classicalprinting.html#ptrsect" title="The [printers] Section">Section 20.4.1.2</a>. + </p></dd><dt><span class="term"><a class="indexterm" name="id393811"></a>writable = no </span></dt><dd><p> + See <a href="classicalprinting.html#ptrsect" title="The [printers] Section">Section 20.4.1.2</a>. + </p></dd><dt><span class="term"><a class="indexterm" name="id393834"></a>hosts allow = 10.160.50.,10.160.51. </span></dt><dd><p> + Here we exercise a certain degree of access control by using the <a class="indexterm" name="id393846"></a>hosts allow + and <a class="indexterm" name="id393853"></a>hosts deny parameters. This is not by any means a safe bet. It is not a + way to secure your printers. This line accepts all clients from a certain subnet in a first evaluation of + access control. + </p></dd><dt><span class="term"><a class="indexterm" name="id393866"></a>hosts deny = turbo_xp,10.160.50.23,10.160.51.60 </span></dt><dd><p> + All listed hosts are not allowed here (even if they belong to the allowed subnets). As + you can see, you could name IP addresses as well as NetBIOS hostnames here. + </p></dd><dt><span class="term"><a class="indexterm" name="id393883"></a>guest ok = no </span></dt><dd><p> + This printer is not open for the guest account. + </p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id393900"></a>Print Commands</h4></div></div></div><p> +<a class="indexterm" name="id393907"></a> +<a class="indexterm" name="id393914"></a> +<a class="indexterm" name="id393921"></a> +<a class="indexterm" name="id393928"></a> +In each section defining a printer (or in the <em class="parameter"><code>[printers]</code></em> section), +a <em class="parameter"><code>print command</code></em> parameter may be defined. It sets a command to process the files +that have been placed into the Samba print spool directory for that printer. (That spool directory was, +if you remember, set up with the <a class="indexterm" name="id393949"></a>path parameter). Typically, +this command will submit the spool file to the Samba host's print subsystem, using the suitable system +print command. But there is no requirement that this needs to be the case. For debugging or +some other reason, you may want to do something completely different than print the file. An example is a +command that just copies the print file to a temporary location for further investigation when you need +to debug printing. If you craft your own print commands (or even develop print command shell scripts), +make sure you pay attention to the need to remove the files from the Samba spool directory. Otherwise, +your hard disk may soon suffer from shortage of free space. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id393964"></a>Default UNIX System Printing Commands</h4></div></div></div><p> +<a class="indexterm" name="id393971"></a> +You learned earlier that Samba, in most cases, uses its built-in settings for many parameters if it cannot +find an explicitly stated one in its configuration file. The same is true for the <a class="indexterm" name="id393980"></a>print command. The default print command varies depending on the <a class="indexterm" name="id393987"></a>printing parameter +setting. In the commands listed in <a href="classicalprinting.html#printOptions" title="Table 21.1. Default Printing Settings">Default Printing Settings</a> , you will +notice some parameters of the form <span class="emphasis"><em>%X</em></span> where <span class="emphasis"><em>X</em></span> is <span class="emphasis"><em>p, s, +J</em></span>, and so on. These letters stand for printer name, spool file, and job ID, respectively. They are +explained in more detail in <a href="classicalprinting.html#printOptions" title="Table 21.1. Default Printing Settings">Default Printing Settings</a> presents an overview +of key printing options but excludes the special case of CUPS, is discussed in <a href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>. +</p><div class="table"><a name="printOptions"></a><p class="title"><b>Table 21.1. Default Printing Settings</b></p><div class="table-contents"><table summary="Default Printing Settings" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Setting</th><th align="left">Default Printing Commands</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id394079"></a>printing = bsd|aix|lprng|plp</td><td align="left">print command is <code class="literal">lpr -r -P%p %s</code></td></tr><tr><td align="left"><a class="indexterm" name="id394099"></a>printing = sysv|hpux</td><td align="left">print command is <code class="literal">lp -c -P%p %s; rm %s</code></td></tr><tr><td align="left"> <a class="indexterm" name="id394121"></a>printing = qnx</td><td align="left">print command is <code class="literal">lp -r -P%p -s %s</code></td></tr><tr><td align="left"><a class="indexterm" name="id394142"></a>printing = bsd|aix|lprng|plp</td><td align="left">lpq command is <code class="literal">lpq -P%p</code></td></tr><tr><td align="left"><a class="indexterm" name="id394162"></a>printing = sysv|hpux</td><td align="left">lpq command is <code class="literal">lpstat -o%p</code></td></tr><tr><td align="left"><a class="indexterm" name="id394183"></a>printing = qnx</td><td align="left">lpq command is <code class="literal">lpq -P%p</code></td></tr><tr><td align="left"><a class="indexterm" name="id394203"></a>printing = bsd|aix|lprng|plp</td><td align="left">lprm command is <code class="literal">lprm -P%p %j</code></td></tr><tr><td align="left"><a class="indexterm" name="id394224"></a>printing = sysv|hpux</td><td align="left">lprm command is <code class="literal">cancel %p-%j</code></td></tr><tr><td align="left"><a class="indexterm" name="id394244"></a>printing = qnx</td><td align="left">lprm command is <code class="literal">cancel %p-%j</code></td></tr><tr><td align="left"><a class="indexterm" name="id394265"></a>printing = bsd|aix|lprng|plp</td><td align="left">lppause command is <code class="literal">lp -i %p-%j -H hold</code></td></tr><tr><td align="left"><a class="indexterm" name="id394286"></a>printing = sysv|hpux</td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id394302"></a>printing = qnx</td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id394318"></a>printing = bsd|aix|lprng|plp</td><td align="left">lpresume command is <code class="literal">lp -i %p-%j -H resume</code></td></tr><tr><td align="left"><a class="indexterm" name="id394338"></a>printing = sysv|hpux</td><td align="left">lpresume command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id394354"></a>printing = qnx</td><td align="left">lpresume command (...is empty)</td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="id394372"></a> +<a class="indexterm" name="id394379"></a> +<a class="indexterm" name="id394386"></a> +<a class="indexterm" name="id394393"></a> +For <em class="parameter"><code>printing = CUPS</code></em>, if Samba is compiled against libcups, it uses the CUPS API to +submit jobs. (It is a good idea also to set <a class="indexterm" name="id394407"></a>printcap = cups in case your +<code class="filename">cupsd.conf</code> is set to write its autogenerated printcap file to an unusual place). +Otherwise, Samba maps to the System V printing commands with the -oraw option for printing; that is, it uses +<code class="literal">lp -c -d%p -oraw; rm %s</code>. With <em class="parameter"><code>printing = cups</code></em>, and if Samba is +compiled against libcups, any manually set print command will be ignored! +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id394436"></a>Custom Print Commands</h4></div></div></div><p> +<a class="indexterm" name="id394444"></a> +<a class="indexterm" name="id394451"></a> +After a print job has finished spooling to a service, the <a class="indexterm" name="id394458"></a>print command will be used +by Samba via a system() call to process the spool file. Usually the command specified will submit the spool +file to the host's printing subsystem. But there is no requirement at all that this must be the case. The +print subsystem may not remove the spool file on its own, so whatever command you specify, you should ensure +that the spool file is deleted after it has been processed. +</p><p> +<a class="indexterm" name="id394472"></a> +<a class="indexterm" name="id394478"></a> +<a class="indexterm" name="id394485"></a> +<a class="indexterm" name="id394492"></a> +There is no difficulty with using your own customized print commands with the traditional printing systems. +However, if you do not wish to roll your own, you should be well informed about the default built-in commands +that Samba uses for each printing subsystem (see <a href="classicalprinting.html#printOptions" title="Table 21.1. Default Printing Settings">Default Printing +Settings</a>). In all the commands listed in the last paragraphs, you see parameters of the form +<span class="emphasis"><em>%X</em></span>. These are <span class="emphasis"><em>macros</em></span>, or shortcuts, used as placeholders for the +names of real objects. At the time of running a command with such a placeholder, Samba will insert the +appropriate value automatically. Print commands can handle all Samba macro substitutions. In regard to +printing, the following ones do have special relevance: +</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%s, %f</code></em> the path to the spool file name.</p></li><li><p><em class="parameter"><code>%p</code></em> the appropriate printer name.</p></li><li><p><em class="parameter"><code>%J</code></em> the job name as transmitted by the client.</p></li><li><p><em class="parameter"><code>%c</code></em> the number of printed pages of the spooled job (if known).</p></li><li><p><em class="parameter"><code>%z</code></em> the size of the spooled print job (in bytes).</p></li></ul></div><p> +<a class="indexterm" name="id394584"></a> +The print command must contain at least one occurrence of <em class="parameter"><code>%s</code></em> or +<em class="parameter"><code>%f</code></em>. The <em class="parameter"><code>%p</code></em> is optional. If no printer name is supplied, +the <em class="parameter"><code>%p</code></em> will be silently removed from the print command. In this case, the job is +sent to the default printer. +</p><p> +<a class="indexterm" name="id394618"></a> +<a class="indexterm" name="id394625"></a> +If specified in the <em class="parameter"><code>[global]</code></em> section, the print command given will be +used for any printable service that does not have its own print command specified. If there is neither a +specified print command for a printable service nor a global print command, spool files will be created +but not processed! Most importantly, print files will not be removed, so they will consume disk space. +</p><p> +<a class="indexterm" name="id394644"></a> +<a class="indexterm" name="id394651"></a> +Printing may fail on some UNIX systems when using the <span class="emphasis"><em>nobody</em></span> account. If this happens, create an +alternative guest account and give it the privilege to print. Set up this guest account in the +<em class="parameter"><code>[global]</code></em> section with the <em class="parameter"><code>guest account</code></em> parameter. +</p><p> +<a class="indexterm" name="id394678"></a> +<a class="indexterm" name="id394685"></a> +<a class="indexterm" name="id394692"></a> +You can form quite complex print commands. You need to realize that print commands are just +passed to a UNIX shell. The shell is able to expand the included environment variables as +usual. (The syntax to include a UNIX environment variable <em class="parameter"><code>$variable</code></em> +in the Samba print command is <em class="parameter"><code>%$variable</code></em>.) To give you a working +<a class="indexterm" name="id394713"></a>print command example, the following will log a print job +to <code class="filename">/tmp/print.log</code>, print the file, then remove it. The semicolon (“<span class="quote">;</span>” +is the usual separator for commands in shell scripts: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id394738"></a><em class="parameter"><code>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s</code></em></td></tr></table><p> +You may have to vary your own command considerably from this example depending on how you normally print +files on your system. The default for the <a class="indexterm" name="id394755"></a>print command +parameter varies depending on the setting of the <a class="indexterm" name="id394763"></a>printing +parameter. Another example is: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id394778"></a><em class="parameter"><code>print command = /usr/local/samba/bin/myprintscript %p %s</code></em></td></tr></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="cups-msrpc"></a>Printing Developments Since Samba-2.2</h2></div></div></div><p> +<a class="indexterm" name="id394806"></a> +<a class="indexterm" name="id394812"></a> +<a class="indexterm" name="id394819"></a> +Prior to Samba-2.2.x, print server support for Windows clients was limited to <span class="emphasis"><em>LanMan</em></span> +printing calls. This is the same protocol level as Windows 9x/Me PCs offer when they share printers. +Beginning with the 2.2.0 release, Samba started to support the native Windows NT printing mechanisms. These +are implemented via <span class="emphasis"><em>MS-RPC</em></span> (Remote Procedure Calls). +MS-RPCs use the <span class="emphasis"><em>SPOOLSS</em></span> named pipe for all printing. +</p><p> +The additional functionality provided by the new SPOOLSS support includes: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id394850"></a> + Support for downloading printer driver files to Windows 95/98/NT/2000 clients upon + demand (<span class="emphasis"><em>Point'n'Print</em></span>). + </p></li><li><p> +<a class="indexterm" name="id394866"></a> + Uploading of printer drivers via the Windows NT <span class="emphasis"><em>Add Printer Wizard</em></span> (APW) + or the <a href="http://imprints.sourceforge.net/" target="_top">Imprints</a> tool set. + </p></li><li><p> +<a class="indexterm" name="id394888"></a> +<a class="indexterm" name="id394894"></a> +<a class="indexterm" name="id394901"></a> +<a class="indexterm" name="id394908"></a> +<a class="indexterm" name="id394915"></a> + Support for the native MS-RPC printing calls such as StartDocPrinter, EnumJobs(), and so on. (See the + <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a> for more information on the + Win32 printing API). + </p></li><li><p> +<a class="indexterm" name="id394933"></a> +<a class="indexterm" name="id394940"></a> + Support for NT Access Control Lists (ACL) on printer objects. + </p></li><li><p> +<a class="indexterm" name="id394952"></a> + Improved support for printer queue manipulation through the use of internal databases for spooled + job information (implemented by various <code class="filename">*.tdb</code> files). + </p></li></ul></div><p> +<a class="indexterm" name="id394970"></a> +<a class="indexterm" name="id394976"></a> +A benefit of updating is that Samba-3 is able to publish its printers to Active Directory (or LDAP). +</p><p> +<a class="indexterm" name="id394987"></a> +A fundamental difference exists between MS Windows NT print servers and Samba operation. Windows NT +permits the installation of local printers that are not shared. This is an artifact of the fact that +any Windows NT machine (server or client) may be used by a user as a workstation. Samba will publish all +printers that are made available, either by default or by specific declaration via printer-specific shares. +</p><p> +<a class="indexterm" name="id395001"></a> +<a class="indexterm" name="id395008"></a> +<a class="indexterm" name="id395014"></a> +<a class="indexterm" name="id395021"></a> +<a class="indexterm" name="id395028"></a> +Windows NT/200x/XP Professional clients do not have to use the standard SMB printer share; they can +print directly to any printer on another Windows NT host using MS-RPC. This, of course, assumes that +the client has the necessary privileges on the remote host that serves the printer resource. The +default permissions assigned by Windows NT to a printer gives the print permissions to the well-known +<span class="emphasis"><em>Everyone</em></span> group. (The older clients of type Windows 9x/Me can only print to shared +printers.) +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395044"></a>Point'n'Print Client Drivers on Samba Servers</h3></div></div></div><p> +<a class="indexterm" name="id395052"></a> +There is much confusion about what all this means. The question is often asked, “<span class="quote">Is it or is +it not necessary for printer drivers to be installed on a Samba host in order to support printing from +Windows clients?</span>” The answer to this is no, it is not necessary. +</p><p> +<a class="indexterm" name="id395067"></a> +<a class="indexterm" name="id395074"></a> +Windows NT/2000 clients can, of course, also run their APW to install drivers <span class="emphasis"><em>locally</em></span> +(which then connect to a Samba-served print queue). This is the same method used by Windows 9x/Me +clients. (However, a bug existed in Samba 2.2.0 that made Windows NT/2000 clients +require that the Samba server possess a valid driver for the printer. This was fixed in Samba 2.2.1). +</p><p> +<a class="indexterm" name="id395091"></a> +<a class="indexterm" name="id395098"></a> +But it is a new capability to install the printer drivers into the <em class="parameter"><code>[print$]</code></em> +share of the Samba server, and a big convenience, too. Then <span class="emphasis"><em>all</em></span> clients +(including 95/98/ME) get the driver installed when they first connect to this printer share. The +<span class="emphasis"><em>uploading</em></span> or <span class="emphasis"><em>depositing</em></span> of the driver into this +<em class="parameter"><code>[print$]</code></em> share and the following binding of this driver to an existing +Samba printer share can be achieved by different means: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Running the <span class="emphasis"><em>APW</em></span> on an NT/200x/XP Professional client (this does not work from 95/98/ME clients). + </p></li><li><p> + Using the <span class="emphasis"><em>Imprints</em></span> toolset. + </p></li><li><p> + Using the <span class="emphasis"><em>smbclient</em></span> and <span class="emphasis"><em>rpcclient</em></span> command-line tools. + </p></li><li><p> + Using <span class="emphasis"><em>cupsaddsmb</em></span> (only works for the CUPS printing system, not for LPR/LPD, LPRng, and so on). + </p></li></ul></div><p> +<a class="indexterm" name="id395175"></a> +<a class="indexterm" name="id395181"></a> +Samba does not use these uploaded drivers in any way to process spooled files. These drivers are utilized +entirely by the clients who download and install them via the “<span class="quote">Point'n'Print</span>” mechanism +supported by Samba. The clients use these drivers to generate print files in the format the printer +(or the UNIX print system) requires. Print files received by Samba are handed over to the UNIX printing +system, which is responsible for all further processing, as needed. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395198"></a>The Obsoleted [printer$] Section</h3></div></div></div><p> +<a class="indexterm" name="id395206"></a> +<a class="indexterm" name="id395213"></a> + Versions of Samba prior to 2.2 made it possible to use a share named <em class="parameter"><code>[printer$]</code></em>. This + name was taken from the same named service created by Windows 9x/Me clients when a printer was shared by them. + Windows 9x/Me printer servers always have a <em class="parameter"><code>[printer$]</code></em> service that provides + read-only access (with no password required) to support printer driver downloads. However, Samba's initial + implementation allowed for a parameter named <em class="parameter"><code>printer driver location</code></em> to be used on a + per-share basis. This specified the location of the driver files associated with that printer. Another + parameter named <em class="parameter"><code>printer driver</code></em> provided a means of defining the printer driver name to + be sent to the client. + </p><p> +<a class="indexterm" name="id395251"></a> +<a class="indexterm" name="id395258"></a> +<a class="indexterm" name="id395265"></a> + These parameters, including the <em class="parameter"><code>printer driver file</code></em> parameter, + are now removed and cannot be used in installations of Samba-3. The share name + <em class="parameter"><code>[print$]</code></em> is now used for the location of downloadable printer + drivers. It is taken from the <em class="parameter"><code>[print$]</code></em> service created + by Windows NT PCs when a printer is shared by them. Windows NT print servers always have a + <em class="parameter"><code>[print$]</code></em> service that provides read-write access (in the context + of its ACLs) to support printer driver downloads and uploads. This does not mean Windows + 9x/Me clients are now thrown aside. They can use Samba's <em class="parameter"><code>[print$]</code></em> + share support just fine. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395308"></a>Creating the [print$] Share</h3></div></div></div><p> +<a class="indexterm" name="id395316"></a> +In order to support the uploading and downloading of printer driver files, you must first configure a +file share named <em class="parameter"><code>[print$]</code></em>. The public name of this share is hard coded +in the MS Windows clients. It cannot be renamed, since Windows clients are programmed to search for a +service of exactly this name if they want to retrieve printer driver files. +</p><p> +You should modify the server's file to add the global parameters and create the +<em class="parameter"><code>[print$]</code></em> file share (of course, some of the parameter values, such +as <a class="indexterm" name="id395342"></a>path, are arbitrary and should be replaced with appropriate values for your +site). See <a href="classicalprinting.html#prtdollar" title="Example 21.3. [print$] Example">[print\$] Example</a>. +</p><div class="example"><a name="prtdollar"></a><p class="title"><b>Example 21.3. [print$] Example</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td># members of the ntadmin group should be able to add drivers and set</td></tr><tr><td># printer properties. root is implicitly always a 'printer admin'.</td></tr><tr><td><a class="indexterm" name="id395389"></a><em class="parameter"><code>printer admin = @ntadmin</code></em></td></tr><tr><td># ...</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td># ...</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id395426"></a><em class="parameter"><code>comment = Printer Driver Download Area</code></em></td></tr><tr><td><a class="indexterm" name="id395439"></a><em class="parameter"><code>path = /etc/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id395452"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id395464"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id395477"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id395489"></a><em class="parameter"><code>write list = @ntadmin, root</code></em></td></tr></table></div></div><br class="example-break"><p> +Of course, you also need to ensure that the directory named by the +<a class="indexterm" name="id395506"></a>path parameter exists on the UNIX file system. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395515"></a>[print$] Stanza Parameters</h3></div></div></div><p> +<a class="indexterm" name="id395523"></a> +<a class="indexterm" name="id395530"></a> +<a class="indexterm" name="id395537"></a> +<a class="indexterm" name="id395544"></a> +<a class="indexterm" name="id395550"></a> +The <em class="parameter"><code>[print$]</code></em> is a special section in <code class="filename">smb.conf</code>. It contains settings relevant to +potential printer driver download and is used by Windows clients for local print driver installation. +The following parameters are frequently needed in this share section: +</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id395577"></a>comment = Printer Driver Download Area </span></dt><dd><p> + The comment appears next to the share name if it is listed in a share list (usually Windows + clients will not see it, but it will also appear up in a <code class="literal">smbclient -L sambaserver + </code> output). + </p></dd><dt><span class="term"><a class="indexterm" name="id395600"></a>path = /etc/samba/printers </span></dt><dd><p> + The path to the location of the Windows driver file deposit from the UNIX point of view. + </p></dd><dt><span class="term"><a class="indexterm" name="id395617"></a>browseable = no </span></dt><dd><p> + Makes the <em class="parameter"><code>[print$]</code></em> share invisible to clients from the + <span class="guimenu">Network Neighborhood</span>. By excuting from a <code class="literal">cmd</code> shell: +</p><pre class="screen"> +<code class="prompt">C:\> </code> <code class="literal">net use g:\\sambaserver\print$</code> +</pre><p> + you can still mount it from any client. This can also be done from the + <span class="guimenu">Connect network drive menu></span> from Windows Explorer. + </p></dd><dt><span class="term"><a class="indexterm" name="id395675"></a>guest ok = yes </span></dt><dd><p> + Gives read-only access to this share for all guest users. Access may be granted to + download and install printer drivers on clients. The requirement for <em class="parameter"><code>guest ok + = yes</code></em> depends on how your site is configured. If users will be guaranteed + to have an account on the Samba host, then this is a non-issue. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + If all your Windows NT users are guaranteed to be authenticated by the Samba server + (for example, if Samba authenticates via an NT domain server and the user has already been + validated by the domain controller in order to log on to the Windows NT session), then guest + access is not necessary. Of course, in a workgroup environment where you just want + to print without worrying about silly accounts and security, then configure the share for + guest access. You should consider adding <a class="indexterm" name="id395703"></a>map to guest = Bad User + in the <em class="parameter"><code>[global]</code></em> section as well. Make sure you understand what this + parameter does before using it. + </p></div></dd><dt><span class="term"><a class="indexterm" name="id395722"></a>read only = yes </span></dt><dd><p> + Because we do not want everybody to upload driver files (or even change driver settings), + we tagged this share as not writable. + </p></dd><dt><span class="term"><a class="indexterm" name="id395739"></a>write list = @ntadmin, root </span></dt><dd><p> + The <em class="parameter"><code>[print$]</code></em> was made read-only by the previous + setting so we should create a <em class="parameter"><code>write list</code></em> entry also. UNIX + groups are denoted with a leading “<span class="quote">@</span>” character. Users listed here are allowed + write-access (as an exception to the general public's read-only access), which they need to + update files on the share. Normally, you will want to name only administrative-level user + account in this setting. Check the file system permissions to make sure these accounts + can copy files to the share. If this is a non-root account, then the account should also + be mentioned in the global <a class="indexterm" name="id395770"></a>printer admin + parameter. See the <code class="filename">smb.conf</code> man page for more information on configuring file shares. + </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395788"></a>The [print$] Share Directory</h3></div></div></div><p> +In order for a Windows NT print server to support the downloading of driver files by multiple client +architectures, you must create several subdirectories within the <em class="parameter"><code>[print$]</code></em> +service (i.e., the UNIX directory named by the <a class="indexterm" name="id395804"></a>path +parameter). These correspond to each of the supported client architectures. Samba follows this model as +well. Just like the name of the <em class="parameter"><code>[print$]</code></em> share itself, the subdirectories +must be exactly the names listed below (you may leave out the subdirectories of architectures you do +not need to support). +</p><p> +Therefore, create a directory tree below the +<em class="parameter"><code>[print$]</code></em> share for each architecture you wish +to support like this: +</p><pre class="programlisting"> +[print$]--+ + |--W32X86 # serves drivers to Windows NT x86 + |--WIN40 # serves drivers to Windows 95/98 + |--W32ALPHA # serves drivers to Windows NT Alpha_AXP + |--W32MIPS # serves drivers to Windows NT R4000 + |--W32PPC # serves drivers to Windows NT PowerPC +</pre><p> +</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Required Permissions</h3><p> + In order to add a new driver to your Samba host, one of two conditions must hold true: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The account used to connect to the Samba host must have a UID of 0 (i.e., a root account). + </p></li><li><p> + The account used to connect to the Samba host must be named in the <span class="emphasis"><em>printer admin</em></span> list. + </p></li></ul></div><p> + Of course, the connected account must still have write access to add files to the subdirectories beneath + <em class="parameter"><code>[print$]</code></em>. Remember that all file shares are set to “<span class="quote">read-only</span>” by default. + </p></div><p> +Once you have created the required <em class="parameter"><code>[print$]</code></em> service and +associated subdirectories, go to a Windows NT 4.0/200x/XP client workstation. Open <span class="guiicon">Network +Neighborhood</span> or <span class="guiicon">My Network Places</span> and browse for the Samba host. Once you +have located the server, navigate to its <span class="guiicon">Printers and Faxes</span> folder. You should see +an initial listing of printers that matches the printer shares defined on your Samba host. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id395912"></a>Installing Drivers into [print$]</h2></div></div></div><p> +Have you successfully created the <em class="parameter"><code>[print$]</code></em> share in <code class="filename">smb.conf</code>, and have you forced +Samba to reread its <code class="filename">smb.conf</code> file? Good. But you are not yet ready to use the new facility. The client +driver files need to be installed into this share. So far, it is still an empty share. Unfortunately, it is +not enough to just copy the driver files over. They need to be correctly installed so that appropriate records +for each driver will exist in the Samba internal databases so it can provide the correct drivers as they are +requested from MS Windows clients. And that is a bit tricky, to say the least. We now discuss two alternative +ways to install the drivers into <em class="parameter"><code>[print$]</code></em>: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Using the Samba command-line utility <code class="literal">rpcclient</code> with its various subcommands (here, + <code class="literal">adddriver</code> and <code class="literal">setdriver</code>) from any UNIX workstation. + </p></li><li><p> + Running a GUI (<span class="guiicon">Printer Properties</span> and <span class="guiicon">Add Printer Wizard</span>) + from any Windows NT/200x/XP client workstation. + </p></li></ul></div><p> +The latter option is probably the easier one (even if the process may seem a little bit weird at first). +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id396001"></a>Add Printer Wizard Driver Installation</h3></div></div></div><p> +The printers initially listed in the Samba host's <span class="guiicon">Printers</span> folder accessed from a +client's Explorer will have no real printer driver assigned to them. By default this driver name is set +to a null string. This must be changed now. The local <span class="guiicon">Add Printer Wizard</span> (APW), run from +NT/2000/XP clients, will help us in this task. +</p><p> +Installation of a valid printer driver is not straightforward. You must attempt to view the printer properties +for the printer to which you want the driver assigned. Open Windows Explorer, open <span class="guiicon">Network +Neighborhood</span>, browse to the Samba host, open Samba's <span class="guiicon">Printers</span> folder, right-click +on the printer icon, and select <span class="guimenu">Properties...</span>. You are now trying to view printer and +driver properties for a queue that has this default <code class="constant">NULL</code> driver assigned. This will +result in the following error message: “<span class="quote"> Device settings cannot be displayed. The driver for the +specified printer is not installed, only spooler properties will be displayed. Do you want to install the +driver now?</span>” +</p><p> +Do <span class="emphasis"><em>not</em></span> click on <span class="guibutton">Yes</span>! Instead, click on <span class="guibutton">No</span> +in the error dialog. Now you will be presented with the printer properties window. From here, the way to +assign a driver to a printer is open. You now have the choice of: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Select a driver from the pop-up list of installed drivers. Initially this list will be empty. + </p></li><li><p> + Click on <span class="guibutton">New Driver</span> to install a new printer driver (which will + start up the APW). + </p></li></ul></div><p> +Once the APW is started, the procedure is exactly the same as the one you are familiar with in Windows (we +assume here that you are familiar with the printer driver installations procedure on Windows NT). Make sure +your connection is, in fact, set up as a user with <a class="indexterm" name="id396101"></a>printer admin +privileges (if in doubt, use <code class="literal">smbstatus</code> to check for this). If you wish to install +printer drivers for client operating systems other than <span class="application">Windows NT x86</span>, +you will need to use the <span class="guilabel">Sharing</span> tab of the printer properties dialog. +</p><p> +Assuming you have connected with an administrative (or root) account (as named by the +<a class="indexterm" name="id396131"></a>printer admin parameter), you will also be able to modify +other printer properties such as ACLs and default device settings using this dialog. For the default +device settings, please consider the advice given further in <a href="classicalprinting.html#inst-rpc" title="Installing Print Drivers Using rpcclient">Installing +Print Drivers Using <code class="literal">rpcclient</code></a>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="inst-rpc"></a>Installing Print Drivers Using <code class="literal">rpcclient</code></h3></div></div></div><p> +The second way to install printer drivers into <em class="parameter"><code>[print$]</code></em> and set them +up in a valid way is to do it from the UNIX command line. This involves four distinct steps: +</p><div class="orderedlist"><ol type="1"><li><p> + Gather information about required driver files and collect the files. + </p></li><li><p> + Deposit the driver files into the <em class="parameter"><code>[print$]</code></em> share's correct subdirectories + (possibly by using <code class="literal">smbclient</code>). + </p></li><li><p> + Run the <code class="literal">rpcclient</code> command-line utility once with the <code class="literal">adddriver</code> + subcommand. + </p></li><li><p> + Run <code class="literal">rpcclient</code> a second time with the <code class="literal">setdriver</code> subcommand. + </p></li></ol></div><p> +We provide detailed hints for each of these steps in the paragraphs that follow. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id396246"></a>Identifying Driver Files</h4></div></div></div><p> +<a class="indexterm" name="id396253"></a> +<a class="indexterm" name="id396260"></a> +<a class="indexterm" name="id396267"></a> +To find out about the driver files, you have two options. You can check the contents of the driver +CDROM that came with your printer. Study the <code class="filename">*.inf</code> files located on the CD-ROM. This +may not be possible, since the <code class="filename">*.inf</code> file might be missing. Unfortunately, vendors have now started +to use their own installation programs. These installations packages are often in some Windows platform +archive format. Additionally, the files may be re-named during the installation process. This makes it +extremely difficult to identify the driver files required. +</p><p> +<a class="indexterm" name="id396293"></a> +Then you have the second option. Install the driver locally on a Windows client and +investigate which filenames and paths it uses after they are installed. (You need to repeat +this procedure for every client platform you want to support. We show it here for the +<span class="application">W32X86</span> platform only, a name used by Microsoft for all Windows NT/200x/XP +clients.) +</p><p> +<a class="indexterm" name="id396312"></a> +A good method to recognize the driver files is to print the test page from the driver's +<span class="guilabel">Properties</span> dialog (<span class="guilabel">General</span> tab). Then look at the list of +driver files named on the printout. You'll need to recognize what Windows (and Samba) are calling the +<span class="guilabel">Driver File</span>, <span class="guilabel">Data File</span>, <span class="guilabel">Config File</span>, +<span class="guilabel">Help File</span>, and (optionally) <span class="guilabel">Dependent Driver Files</span> +(this may vary slightly for Windows NT). You need to note all filenames for the next steps. +</p><p> +<a class="indexterm" name="id396366"></a> +<a class="indexterm" name="id396373"></a> +<a class="indexterm" name="id396380"></a> +Another method to quickly test the driver filenames and related paths is provided by the +<code class="literal">rpcclient</code> utility. Run it with <code class="literal">enumdrivers</code> or with the +<code class="literal">getdriver</code> subcommand, each at the <code class="filename">3</code> info level. In the following example, +<span class="emphasis"><em>TURBO_XP</em></span> is the name of the Windows PC (in this case it was a Windows XP Professional +laptop). I installed the driver locally to TURBO_XP from a Samba server called <code class="constant">KDE-BITSHOP</code>. +We could run an interactive <code class="literal">rpcclient</code> session; then we would get an +<code class="literal">rpcclient /></code> prompt and would type the subcommands at this prompt. This is left as +a good exercise for you. For now, we use <code class="literal">rpcclient</code> with the <code class="option">-c</code> +parameter to execute a single subcommand line and exit again. This is the method you use if you +want to create scripts to automate the procedure for a large number of printers and drivers. Note the +different quotation marks used to overcome the different spaces between words: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'Danka%xxxx' -c \ + 'getdriver "Heidelberg Digimaster 9110 (PS)" 3' TURBO_XP</code></strong> +cmd = getdriver "Heidelberg Digimaster 9110 (PS)" 3 + +[Windows NT x86] +Printer Driver Info 3: + Version: [2] + Driver Name: [Heidelberg Digimaster 9110 (PS)] + Architecture: [Windows NT x86] + Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.DLL] + Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.ppd] + Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.DLL] + Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.HLP] + + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.DLL] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.INI] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.dat] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.cat] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.def] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hre] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.vnd] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hlp] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01Aux.dll] + Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.NTF] + + Monitorname: [] + Defaultdatatype: [] +</pre><p> +<a class="indexterm" name="id396476"></a> +<a class="indexterm" name="id396483"></a> +<a class="indexterm" name="id396490"></a> +<a class="indexterm" name="id396497"></a> +You may notice that this driver has quite a large number of <span class="guilabel">Dependent files</span> +(there are worse cases, however). Also, strangely, the +<span class="guilabel">Driver File</span> is tagged here +<span class="guilabel">Driver Path</span>. We do not yet have support for the so-called +<span class="application">WIN40</span> architecture installed. This name is used by Microsoft for the Windows +9x/Me platforms. If we want to support these, we need to install the Windows 9x/Me driver files in +addition to those for <span class="application">W32X86</span> (i.e., the Windows NT 2000/XP clients) onto a +Windows PC. This PC can also host the Windows 9x/Me drivers, even if it runs on Windows NT, 2000, or XP. +</p><p> +<a class="indexterm" name="id396541"></a> +<a class="indexterm" name="id396548"></a> +<a class="indexterm" name="id396554"></a> +Since the <em class="parameter"><code>[print$]</code></em> share is usually accessible through the <span class="guiicon">Network +Neighborhood</span>, you can also use the UNC notation from Windows Explorer to poke at it. The Windows +9x/Me driver files will end up in subdirectory <code class="filename">0</code> of the <code class="filename">WIN40</code> +directory. The full path to access them is <code class="filename">\\WINDOWSHOST\print$\WIN40\0\</code>. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +More recent drivers on Windows 2000 and Windows XP are installed into the “<span class="quote">3</span>” subdirectory +instead of the “<span class="quote">2</span>”. The version 2 of drivers, as used in Windows NT, were running in kernel +mode. Windows 2000 changed this. While it still can use the kernel mode drivers (if this is enabled by +the Admin), its native mode for printer drivers is user mode execution. This requires drivers designed +for this purpose. These types of drivers install into the “<span class="quote">3</span>” subdirectory. +</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id396612"></a>Obtaining Driver Files from Windows Client [print$] Shares</h4></div></div></div><p> +Now we need to collect all the driver files we identified in our previous step. Where do we get them +from? Well, why not retrieve them from the very PC and the same <em class="parameter"><code>[print$]</code></em> +share that we investigated in our last step to identify the files? We can use <code class="literal">smbclient</code> +to do this. We will use the paths and names that were leaked to us by <code class="literal">getdriver</code>. The +listing is edited to include line breaks for readability: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbclient //TURBO_XP/print\$ -U'Danka%xxxx' \ + -c 'cd W32X86/2;mget HD*_de.* hd*ppd Hd*_de.* Hddm*dll HDN*Aux.DLL'</code></strong> + +added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0 +Got a positive name query response from 10.160.50.8 ( 10.160.50.8 ) +Domain=[DEVELOPMENT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager] +<code class="prompt">Get file Hddm91c1_de.ABD? </code><strong class="userinput"><code>n</code></strong> +<code class="prompt">Get file Hddm91c1_de.def? </code><strong class="userinput"><code>y</code></strong> +getting file \W32X86\2\Hddm91c1_de.def of size 428 as Hddm91c1_de.def +<code class="prompt">Get file Hddm91c1_de.DLL? </code><strong class="userinput"><code>y</code></strong> +getting file \W32X86\2\Hddm91c1_de.DLL of size 876544 as Hddm91c1_de.DLL +[...] +</pre><p> +After this command is complete, the files are in our current local directory. You probably have noticed +that this time we passed several commands to the <code class="option">-c</code> parameter, separated by semicolons. +This ensures that all commands are executed in sequence on the remote Windows server before +<code class="literal">smbclient</code> exits again. +</p><p> +<a class="indexterm" name="id396708"></a> +Remember to repeat the procedure for the <span class="application">WIN40</span> architecture should you need to +support Windows 9x/Me/XP clients. Remember too, the files for these architectures are in the +<code class="filename">WIN40/0/</code> subdirectory. Once this is complete, we can run <code class="literal">smbclient. . +.put</code> to store the collected files on the Samba server's <em class="parameter"><code>[print$]</code></em> share. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id396743"></a>Installing Driver Files into [print$]</h4></div></div></div><p> +We are now going to locate the driver files into the <em class="parameter"><code>[print$]</code></em> share. Remember, the +UNIX path to this share has been defined previously in your <code class="filename">smb.conf</code> file. You also have created +subdirectories for the different Windows client types you want to support. If, for example, your +<em class="parameter"><code>[print$]</code></em> share maps to the UNIX path <code class="filename">/etc/samba/drivers/</code>, your +driver files should now go here: +</p><div class="itemizedlist"><ul type="disc"><li><p> + For all Windows NT, 2000, and XP clients, <code class="filename">/etc/samba/drivers/W32X86/</code> but + not (yet) into the <code class="filename">2</code> subdirectory. + </p></li><li><p> + For all Windows 95, 98, and Me clients, <code class="filename">/etc/samba/drivers/WIN40/</code> but not + (yet) into the <code class="filename">0</code> subdirectory. + </p></li></ul></div><p> +<a class="indexterm" name="id396818"></a> +<a class="indexterm" name="id396824"></a> +We again use smbclient to transfer the driver files across the network. We specify the same files +and paths as were leaked to us by running <code class="literal">getdriver</code> against the original +<span class="emphasis"><em>Windows</em></span> install. However, now we are going to store the files into a +<span class="emphasis"><em>Samba/UNIX</em></span> print server's <em class="parameter"><code>[print$]</code></em> share. +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbclient //SAMBA-CUPS/print\$ -U'root%xxxx' -c \ + 'cd W32X86; put HDNIS01_de.DLL; \ + put Hddm91c1_de.ppd; put HDNIS01U_de.DLL; \ + put HDNIS01U_de.HLP; put Hddm91c1_de.DLL; \ + put Hddm91c1_de.INI; put Hddm91c1KMMin.DLL; \ + put Hddm91c1_de.dat; put Hddm91c1_de.dat; \ + put Hddm91c1_de.def; put Hddm91c1_de.hre; \ + put Hddm91c1_de.vnd; put Hddm91c1_de.hlp; \ + put Hddm91c1_de_reg.HLP; put HDNIS01Aux.dll; \ + put HDNIS01_de.NTF'</code></strong> + +added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0 +Got a positive name query response from 10.160.51.162 ( 10.160.51.162 ) +Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a] +putting file HDNIS01_de.DLL as \W32X86\HDNIS01_de.DLL +putting file Hddm91c1_de.ppd as \W32X86\Hddm91c1_de.ppd +putting file HDNIS01U_de.DLL as \W32X86\HDNIS01U_de.DLL +putting file HDNIS01U_de.HLP as \W32X86\HDNIS01U_de.HLP +putting file Hddm91c1_de.DLL as \W32X86\Hddm91c1_de.DLL +putting file Hddm91c1_de.INI as \W32X86\Hddm91c1_de.INI +putting file Hddm91c1KMMin.DLL as \W32X86\Hddm91c1KMMin.DLL +putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat +putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat +putting file Hddm91c1_de.def as \W32X86\Hddm91c1_de.def +putting file Hddm91c1_de.hre as \W32X86\Hddm91c1_de.hre +putting file Hddm91c1_de.vnd as \W32X86\Hddm91c1_de.vnd +putting file Hddm91c1_de.hlp as \W32X86\Hddm91c1_de.hlp +putting file Hddm91c1_de_reg.HLP as \W32X86\Hddm91c1_de_reg.HLP +putting file HDNIS01Aux.dll as \W32X86\HDNIS01Aux.dll +putting file HDNIS01_de.NTF as \W32X86\HDNIS01_de.NTF +</pre><p> +<a class="indexterm" name="id396882"></a> +<a class="indexterm" name="id396888"></a> +<a class="indexterm" name="id396895"></a> +Whew that was a lot of typing! Most drivers are a lot smaller many have only three generic +PostScript driver files plus one PPD. While we did retrieve the files from the <code class="filename">2</code> +subdirectory of the <code class="filename">W32X86</code> directory from the Windows box, we do not put them +(for now) in this same subdirectory of the Samba box. This relocation will automatically be done by the +<code class="literal">adddriver</code> command, which we will run shortly (and do not forget to also put the files +for the Windows 9x/Me architecture into the <code class="filename">WIN40/</code> subdirectory should you need them). +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id396937"></a><code class="literal">smbclient</code> to Confirm Driver Installation</h4></div></div></div><p> +<a class="indexterm" name="id396949"></a> +<a class="indexterm" name="id396956"></a> +For now we verify that our files are there. This can be done with <code class="literal">smbclient</code>, too +(but, of course, you can log in via SSH also and do this through a standard UNIX shell access): +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbclient //SAMBA-CUPS/print\$ -U 'root%xxxx' \ + -c 'cd W32X86; pwd; dir; cd 2; pwd; dir'</code></strong> + added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0 +Got a positive name query response from 10.160.51.162 ( 10.160.51.162 ) +Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.8a] + +Current directory is \\SAMBA-CUPS\print$\W32X86\ +. D 0 Sun May 4 03:56:35 2003 +.. D 0 Thu Apr 10 23:47:40 2003 +2 D 0 Sun May 4 03:56:18 2003 +HDNIS01Aux.dll A 15356 Sun May 4 03:58:59 2003 +Hddm91c1KMMin.DLL A 46966 Sun May 4 03:58:59 2003 +HDNIS01_de.DLL A 434400 Sun May 4 03:58:59 2003 +HDNIS01_de.NTF A 790404 Sun May 4 03:56:35 2003 +Hddm91c1_de.DLL A 876544 Sun May 4 03:58:59 2003 +Hddm91c1_de.INI A 101 Sun May 4 03:58:59 2003 +Hddm91c1_de.dat A 5044 Sun May 4 03:58:59 2003 +Hddm91c1_de.def A 428 Sun May 4 03:58:59 2003 +Hddm91c1_de.hlp A 37699 Sun May 4 03:58:59 2003 +Hddm91c1_de.hre A 323584 Sun May 4 03:58:59 2003 +Hddm91c1_de.ppd A 26373 Sun May 4 03:58:59 2003 +Hddm91c1_de.vnd A 45056 Sun May 4 03:58:59 2003 +HDNIS01U_de.DLL A 165888 Sun May 4 03:58:59 2003 +HDNIS01U_de.HLP A 19770 Sun May 4 03:58:59 2003 +Hddm91c1_de_reg.HLP A 228417 Sun May 4 03:58:59 2003 + 40976 blocks of size 262144. 709 blocks available + +Current directory is \\SAMBA-CUPS\print$\W32X86\2\ +. D 0 Sun May 4 03:56:18 2003 +.. D 0 Sun May 4 03:56:35 2003 +ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003 +laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003 +ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003 +ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003 +PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003 + 40976 blocks of size 262144. 709 blocks available +</pre><p> +<a class="indexterm" name="id397028"></a> +<a class="indexterm" name="id397035"></a> +<a class="indexterm" name="id397042"></a> +Notice that there are already driver files present in the <code class="filename">2</code> subdirectory (probably from a +previous installation). Once the files for the new driver are there too, you are still a few steps away from +being able to use them on the clients. The only thing you could do now is retrieve them from a client just +like you retrieve ordinary files from a file share, by opening print$ in Windows Explorer. But that wouldn't +install them per Point'n'Print. The reason is that Samba does not yet know that these files are something +special, namely <span class="emphasis"><em>printer driver files</em></span>, and it does not know to which print queue(s) these +driver files belong. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id397066"></a>Running <code class="literal">rpcclient</code> with <code class="literal">adddriver</code></h4></div></div></div><p> +<a class="indexterm" name="id397084"></a> +<a class="indexterm" name="id397091"></a> +<a class="indexterm" name="id397098"></a> +Next, you must tell Samba about the special category of the files you just uploaded into the +<em class="parameter"><code>[print$]</code></em> share. This is done by the <code class="literal">adddriver</code> +command. It will prompt Samba to register the driver files into its internal TDB database files. The +following command and its output has been edited for readability: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \ + "dm9110:HDNIS01_de.DLL: \ + Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \ + NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \ + Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \ + Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \ + HDNIS01Aux.dll,HDNIS01_de.NTF, \ + Hddm91c1_de_reg.HLP' SAMBA-CUPS</code></strong> + +cmd = adddriver "Windows NT x86" \ + "dm9110:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL: \ + HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \ + Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \ + Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \ + HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP" + +Printer Driver dm9110 successfully installed. +</pre><p> +<a class="indexterm" name="id397143"></a> +<a class="indexterm" name="id397150"></a> +<a class="indexterm" name="id397157"></a> +After this step, the driver should be recognized by Samba on the print server. You need to be very +careful when typing the command. Don't exchange the order of the fields. Some changes would lead to +an <code class="computeroutput">NT_STATUS_UNSUCCESSFUL</code> error message. These become obvious. Other +changes might install the driver files successfully but render the driver unworkable. So take care! +Hints about the syntax of the adddriver command are in the man page. +provides a more detailed description, should you need it. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id397176"></a>Checking <code class="literal">adddriver</code> Completion</h4></div></div></div><p> +One indication for Samba's recognition of the files as driver files is the <code class="computeroutput">successfully +installed</code> message. Another one is the fact that our files have been moved by the +<code class="literal">adddriver</code> command into the <code class="filename">2</code> subdirectory. You can check this +again with <code class="literal">smbclient</code>: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbclient //SAMBA-CUPS/print\$ -Uroot%xx \ + -c 'cd W32X86;dir;pwd;cd 2;dir;pwd'</code></strong> + added interface ip=10.160.51.162 bcast=10.160.51.255 nmask=255.255.252.0 + Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a] + + Current directory is \\SAMBA-CUPS\print$\W32X86\ + . D 0 Sun May 4 04:32:48 2003 + .. D 0 Thu Apr 10 23:47:40 2003 + 2 D 0 Sun May 4 04:32:48 2003 + 40976 blocks of size 262144. 731 blocks available + + Current directory is \\SAMBA-CUPS\print$\W32X86\2\ + . D 0 Sun May 4 04:32:48 2003 + .. D 0 Sun May 4 04:32:48 2003 + DigiMaster.PPD A 148336 Thu Apr 24 01:07:00 2003 + ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003 + laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003 + ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003 + ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003 + PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003 + HDNIS01Aux.dll A 15356 Sun May 4 04:32:18 2003 + Hddm91c1KMMin.DLL A 46966 Sun May 4 04:32:18 2003 + HDNIS01_de.DLL A 434400 Sun May 4 04:32:18 2003 + HDNIS01_de.NTF A 790404 Sun May 4 04:32:18 2003 + Hddm91c1_de.DLL A 876544 Sun May 4 04:32:18 2003 + Hddm91c1_de.INI A 101 Sun May 4 04:32:18 2003 + Hddm91c1_de.dat A 5044 Sun May 4 04:32:18 2003 + Hddm91c1_de.def A 428 Sun May 4 04:32:18 2003 + Hddm91c1_de.hlp A 37699 Sun May 4 04:32:18 2003 + Hddm91c1_de.hre A 323584 Sun May 4 04:32:18 2003 + Hddm91c1_de.ppd A 26373 Sun May 4 04:32:18 2003 + Hddm91c1_de.vnd A 45056 Sun May 4 04:32:18 2003 + HDNIS01U_de.DLL A 165888 Sun May 4 04:32:18 2003 + HDNIS01U_de.HLP A 19770 Sun May 4 04:32:18 2003 + Hddm91c1_de_reg.HLP A 228417 Sun May 4 04:32:18 2003 + 40976 blocks of size 262144. 731 blocks available +</pre><p> +Another verification is that the timestamp of the printing TDB files is now updated +(and possibly their file size has increased). +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id397275"></a>Check Samba for Driver Recognition</h4></div></div></div><p> +<a class="indexterm" name="id397283"></a> +Now the driver should be registered with Samba. We can easily verify this and will do so in a +moment. However, this driver is not yet associated with a particular printer. We may check the driver +status of the files by at least three methods: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id397298"></a> +<a class="indexterm" name="id397305"></a> +<a class="indexterm" name="id397312"></a> +<a class="indexterm" name="id397319"></a> +<a class="indexterm" name="id397325"></a> + From any Windows client browse Network Neighborhood, find the Samba host, and open the Samba + <span class="guiicon">Printers and Faxes</span> folder. Select any printer icon, right-click and select + the printer <span class="guimenuitem">Properties</span>. Click the <span class="guilabel">Advanced</span> + tab. Here is a field indicating the driver for that printer. A drop-down menu allows you to + change that driver (be careful not to do this unwittingly). You can use this list to view + all drivers known to Samba. Your new one should be among them. (Each type of client will + see only its own architecture's list. If you do not have every driver installed for each platform, + the list will differ if you look at it from Windows95/98/ME or Windows NT/2000/XP.) + </p></li><li><p> +<a class="indexterm" name="id397360"></a> + From a Windows 200x/XP client (not Windows NT) browse <span class="guiicon">Network Neighborhood</span>, + search for the Samba server, open the server's <span class="guiicon">Printers</span> folder, + and right-click on the white background (with no printer highlighted). Select <span class="guimenuitem">Server + Properties</span>. On the <span class="guilabel">Drivers</span> tab you will see the new driver + listed. This view enables you to also inspect the list of files belonging to that driver + (this does not work on Windows NT, but only on Windows 2000 and Windows XP; Windows NT does not + provide the <span class="guimenuitem">Drivers</span> tab). An alternative and much quicker method for + Windows 2000/XP to start this dialog is by typing into a DOS box (you must of course adapt the + name to your Samba server instead of <em class="replaceable"><code>SAMBA-CUPS</code></em>): + </p><pre class="screen"> + <strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /s /t2 /n\\<em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong> + </pre><p> + </p></li><li><p> + From a UNIX prompt, run this command (or a variant thereof), where + <em class="replaceable"><code>SAMBA-CUPS</code></em> is the name of the Samba host and xxxx represents the + actual Samba password assigned to root: + </p><pre class="screen"> + <strong class="userinput"><code>rpcclient -U'root%xxxx' -c 'enumdrivers' <em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong> + </pre><p> + </p><p> + You will see a listing of all drivers Samba knows about. Your new one should be among + them. But it is only listed under the <em class="parameter"><code>[Windows NT x86]</code></em> heading, not under + <em class="parameter"><code>[Windows 4.0]</code></em>, since you didn't install that part. Or did you? + In our example it is named <code class="constant">dm9110</code>. Note that the third column shows the other + installed drivers twice, one time for each supported architecture. Our new driver only shows up + for <span class="application">Windows NT 4.0 or 2000</span>. To have it present for <span class="application">Windows + 95, 98, and Me</span>, you'll have to repeat the whole procedure with the WIN40 architecture + and subdirectory. + </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id397481"></a>Specific Driver Name Flexibility</h4></div></div></div><p> +<a class="indexterm" name="id397489"></a> +You can name the driver as you like. If you repeat the <code class="literal">adddriver</code> step with the same +files as before but with a different driver name, it will work the same: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx \ + -c 'adddriver "Windows NT x86" \ + "mydrivername:HDNIS01_de.DLL: \ + Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \ + NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \ + Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \ + Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \ + HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP' SAMBA-CUPS + </code></strong> + +cmd = adddriver "Windows NT x86" \ + "mydrivername:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL:\ + HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \ + Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \ + Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \ + HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP" + +Printer Driver mydrivername successfully installed. +</pre><p> +<a class="indexterm" name="id397528"></a> +<a class="indexterm" name="id397535"></a> +<a class="indexterm" name="id397541"></a> +You will be able to bind that driver to any print queue (however, you are responsible that +you associate drivers to queues that make sense with respect to target printers). You cannot run the +<code class="literal">rpcclient</code> <code class="literal">adddriver</code> command repeatedly. Each run consumes the +files you had put into the <em class="parameter"><code>[print$]</code></em> share by moving them into the +respective subdirectories, so you must execute an <code class="literal">smbclient ... put</code> command before +each <code class="literal">rpcclient ... adddriver</code> command. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id397583"></a>Running <code class="literal">rpcclient</code> with <code class="literal">setdriver</code></h4></div></div></div><p> +<a class="indexterm" name="id397601"></a> +<a class="indexterm" name="id397608"></a> +Samba needs to know which printer owns which driver. Create a mapping of the driver to a printer, and +store this information in Samba's memory, the TDB files. The <code class="literal">rpcclient setdriver</code> command +achieves exactly this: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'root%xxxx' -c 'setdriver dm9110 mydrivername' <em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong> + cmd = setdriver dm9110 mydrivername + +Successfully set dm9110 to driver mydrivername. +</pre><p> +Ah, no, I did not want to do that. Repeat, this time with the name I intended: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'root%xxxx' -c 'setdriver dm9110 dm9110' <em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong> + cmd = setdriver dm9110 dm9110 +Successfully set dm9110 to driver dm9110. +</pre><p> +The syntax of the command is: +</p><pre class="screen"> +<strong class="userinput"><code>rpcclient -U'root%<em class="replaceable"><code>sambapassword</code></em>' -c 'setdriver <em class="replaceable"><code>printername</code></em> \ + <em class="replaceable"><code>drivername</code></em>' <em class="replaceable"><code>SAMBA-Hostname</code></em></code></strong>. +</pre><p> +Now we have done most of the work, but not all of it. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The <code class="literal">setdriver</code> command will only succeed if the printer is already known to Samba. A +bug in 2.2.x prevented Samba from recognizing freshly installed printers. You had to restart Samba, +or at least send an HUP signal to all running smbd processes to work around this: <strong class="userinput"><code>kill -HUP +`pidof smbd`</code></strong>. +</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id397714"></a>Client Driver Installation Procedure</h2></div></div></div><p> +As Don Quixote said, “<span class="quote">The proof of the pudding is in the eating.</span>” The proof +for our setup lies in the printing. So let's install the printer driver onto the client PCs. This is +not as straightforward as it may seem. Read on. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id397729"></a>First Client Driver Installation</h3></div></div></div><p> +Especially important is the installation onto the first client PC (for each architectural platform +separately). Once this is done correctly, all further clients are easy to set up and shouldn't need further +attention. What follows is a description for the recommended first procedure. You now work from a client +workstation. You should check that your connection is not unwittingly mapped to <span class="emphasis"><em>bad +user</em></span> nobody. In a DOS box type: +</p><p><strong class="userinput"><code>net use \\<em class="replaceable"><code>SAMBA-SERVER</code></em>\print$ /user:root</code></strong></p><p> +Replace root, if needed, by another valid <a class="indexterm" name="id397758"></a>printer admin user as given in +the definition. Should you already be connected as a different user, you will get an error message. There +is no easy way to get rid of that connection, because Windows does not seem to know a concept of logging +off from a share connection (do not confuse this with logging off from the local workstation; that is +a different matter). On Windows NT/200x, you can force a logoff from all smb/cifs connections by restarting the +<span class="emphasis"><em>workstation</em></span> service. You can try to close all Windows file explorers and Internet Explorer for +Windows. As a last resort, you may have to reboot. Make sure there is no automatic reconnection set up. It may be +easier to go to a different workstation and try from there. After you have made sure you are connected +as a printer admin user (you can check this with the <code class="literal">smbstatus</code> command on Samba), +do this from the Windows workstation: +</p><div class="procedure"><ol type="1"><li><p> + Open <span class="guiicon">Network Neighborhood</span>. + </p></li><li><p> + Browse to Samba server. + </p></li><li><p> + Open its <span class="guiicon">Printers and Faxes</span> folder. + </p></li><li><p> + Highlight and right-click on the printer. + </p></li><li><p> + Select <span class="guimenuitem">Connect</span> (for Windows NT4/200x + it is possibly <span class="guimenuitem">Install</span>). + </p></li></ol></div><p> +A new printer (named <em class="replaceable"><code>printername</code></em> on Samba server) should now have +appeared in your <span class="emphasis"><em>local</em></span> Printer folder (check <span class="guimenu">Start</span> -> +<span class="guimenuitem">Settings</span> -> <span class="guimenuitem">Control Panel</span> -> <span class="guiicon">Printers +and Faxes</span>). +</p><p> +<a class="indexterm" name="id397881"></a> +Most likely you are tempted to try to print a test page. After all, you now can open the printer +properties, and on the <span class="guimenu">General</span> tab there is a button offering to do just that. But +chances are that you get an error message saying "<code class="literal">Unable to print Test Page</code>." The +reason might be that there is not yet a valid device mode set for the driver or that the “<span class="quote">printer +driver data</span>” set is still incomplete. +</p><p> +You must make sure that a valid <em class="parameter"><code>device mode</code></em> is set for the +driver. We now explain what that means. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="prt-modeset"></a>Setting Device Modes on New Printers</h3></div></div></div><p> +For a printer to be truly usable by a Windows NT/200x/XP client, it must possess: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id397938"></a> + A valid <span class="emphasis"><em>device mode</em></span> generated by the driver for the printer (defining things + like paper size, orientation and duplex settings). + </p></li><li><p> +<a class="indexterm" name="id397954"></a> + A complete set of <span class="emphasis"><em>printer driver data</em></span> generated by the driver. + </p></li></ul></div><p> +<a class="indexterm" name="id397969"></a> +<a class="indexterm" name="id397976"></a> +<a class="indexterm" name="id397982"></a> +<a class="indexterm" name="id397989"></a> +<a class="indexterm" name="id397996"></a> +If either of these is incomplete, the clients can produce less than optimal output at best. In the +worst cases, unreadable garbage or nothing at all comes from the printer, or it produces a harvest of +error messages when attempting to print. Samba stores the named values and all printing-related information in +its internal TDB database files <code class="filename">(ntprinters.tdb</code>, <code class="filename">ntdrivers.tdb</code>, +<code class="filename">printing.tdb</code>, and <code class="filename">ntforms.tdb</code>). +</p><p> +The device mode and the set of printer driver data are basically collections +of settings for all print queue properties, initialized in a sensible way. Device modes and +printer driver data should initially be set on the print server (the Samba host) to healthy +values so the clients can start to use them immediately. How do we set these initial healthy values? +This can be achieved by accessing the drivers remotely from an NT (or 200x/XP) client, as discussed +in the following paragraphs. +</p><p> +Be aware that a valid device mode can only be initiated by a <a class="indexterm" name="id398040"></a>printer admin or root +(the reason should be obvious). Device modes can be correctly set only by executing the printer driver program +itself. Since Samba cannot execute this Win32 platform driver code, it sets this field initially to NULL +(which is not a valid setting for clients to use). Fortunately, most drivers automatically generate the +printer driver data that is needed when they are uploaded to the <em class="parameter"><code>[print$]</code></em> share with +the help of the APW or rpcclient. +</p><p> +The generation and setting of a first valid device mode, however, requires some tickling from a client +to set it on the Samba server. The easiest means of doing so is to simply change the page orientation on +the server's printer. This executes enough of the printer driver program on the client for the desired +effect to happen and feeds back the new device mode to our Samba server. You can use the native Windows +NT/200x/XP printer properties page from a Window client for this: +</p><div class="procedure"><a name="id398065"></a><p class="title"><b>Procedure 21.1. Procedure to Initialize the Printer Driver Settings</b></p><ol type="1"><li><p> + Browse the <span class="guiicon">Network Neighborhood</span>. + </p></li><li><p> + Find the Samba server. + </p></li><li><p> + Open the Samba server's <span class="guiicon">Printers and Faxes</span> folder. + </p></li><li><p> + Highlight the shared printer in question. + </p></li><li><p> + Right-click on the printer (you may already be here if you followed the last section's description). + </p></li><li><p> + At the bottom of the context menu select <span class="guimenu">Properties</span> (if the menu still offers the + <span class="guimenuitem">Connect</span> entry further above, you + need to click on that one first to achieve the driver + installation, as shown in the last section). + </p></li><li><p> + Go to the <span class="guilabel">Advanced</span> tab; click on <span class="guibutton">Printing Defaults</span>. + </p></li><li><p> + Change the <span class="guimenuitem">Portrait</span> page setting to <span class="guimenuitem">Landscape</span> (and back). + </p></li><li><p> + Make sure to apply changes between swapping the page orientation to cause the change to actually take effect. + </p></li><li><p> + While you are at it, you may also want to set the desired printing defaults here, which then apply to all future + client driver installations. + </p></li></ol></div><p> +This procedure executes the printer driver program on the client platform and feeds back the correct +device mode to Samba, which now stores it in its TDB files. Once the driver is installed on the client, +you can follow the analogous steps by accessing the <span class="emphasis"><em>local</em></span> <span class="guiicon">Printers</span> +folder, too, if you are a Samba printer admin user. From now on, printing should work as expected. +</p><p> +<a class="indexterm" name="id398210"></a> +Samba includes a service-level parameter name <em class="parameter"><code>default devmode</code></em> for generating a default +device mode for a printer. Some drivers function well with Samba's default set of properties. Others +may crash the client's spooler service. So use this parameter with caution. It is always better to have +the client generate a valid device mode for the printer and store it on the server for you. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id398228"></a>Additional Client Driver Installation</h3></div></div></div><p> +<a class="indexterm" name="id398236"></a> +Every additional driver may be installed in the same way as just described. Browse <code class="literal">Network +Neighborhood</code>, open the <span class="guiicon">Printers</span> folder on Samba server, right-click on +<span class="guiicon">Printer</span>, and choose <span class="guimenuitem">Connect...</span>. Once this completes (should be +not more than a few seconds, but could also take a minute, depending on network conditions), you should find +the new printer in your client workstation local <span class="guiicon">Printers and Faxes</span> folder. +</p><p> +You can also open your local <span class="guiicon">Printers and Faxes</span> folder by +using this command on Windows 200x/XP Professional workstations: +</p><pre class="screen"> +<strong class="userinput"><code>rundll32 shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder</code></strong> +</pre><p> +or this command on Windows NT 4.0 workstations: +<a class="indexterm" name="id398298"></a> +</p><pre class="screen"> +<strong class="userinput"><code>rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2</code></strong> +</pre><p> +</p><p> +You can enter the commands either inside a <span class="guilabel">DOS box</span> window or in the <span class="guimenuitem">Run +command...</span> field from the <span class="guimenu">Start</span> menu. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id398340"></a>Always Make First Client Connection as root or “<span class="quote">printer admin</span>”</h3></div></div></div><p> +After you installed the driver on the Samba server (in its <em class="parameter"><code>[print$]</code></em> share), you +should always make sure that your first client installation completes correctly. Make it a habit for yourself +to build the very first connection from a client as <a class="indexterm" name="id398358"></a>printer admin. This is to make +sure that: +</p><div class="itemizedlist"><ul type="disc"><li><p> + A first valid <span class="emphasis"><em>device mode</em></span> is really initialized (see above <a href="classicalprinting.html#prt-modeset" title="Setting Device Modes on New Printers">Setting Device Modes on New Printers</a>) for more explanation details). + </p></li><li><p> + The default print settings of your printer for all further client installations are as you want them. + </p></li></ul></div><p> +Do this by changing the orientation to landscape, click on <span class="guiicon">Apply</span>, and then change it +back again. Next, modify the other settings (for example, you do not want the default media size set to +<span class="guiicon">Letter</span> when you are all using <span class="guiicon">A4</span>, right? You may want to set the +printer for <span class="guiicon">duplex</span> as the default, and so on). +</p><p> +<a class="indexterm" name="id398423"></a> +To connect as root to a Samba printer, try this command from a Windows 200x/XP DOS box command prompt: +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /p /t3 /n + \\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printername</code></em>"</code></strong> +</pre><p> +</p><p> +You will be prompted for <code class="constant">root</code>'s Samba password; type it, wait a few seconds, click on +<span class="guibutton">Printing Defaults</span>, and proceed to set the job options that should be used as defaults +by all clients. Alternatively, instead of root you can name one other member of the <a class="indexterm" name="id398469"></a>printer admin from the setting. +</p><p> +Now all the other users downloading and installing the driver the same way (using +<code class="literal">Point'n'Print</code>) will have the same defaults set for them. If you miss this step, you'll get a +lot of help desk calls from your users, but maybe you like to talk to people. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398491"></a>Other Gotchas</h2></div></div></div><p> +Your driver is installed. It is now ready for Point'n'Print installation by the clients. You may have tried to +download and use it on your first client machine, but wait. Let's make sure you are acquainted first with a +few tips and tricks you may find useful. For example, suppose you did not set the defaults on the printer, as +advised in the preceding paragraphs. Your users complain about various issues (such as, “<span class="quote">We need to set +the paper size for each job from Letter to A4 and it will not store it</span>”). +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id398507"></a>Setting Default Print Options for Client Drivers</h3></div></div></div><p> +The last sentence might be viewed with mixed feelings by some users and Admins. They have struggled for hours +and could not arrive at a point where their settings seemed to be saved. It is not their fault. The confusing +thing is that in the multitabbed dialog that pops up when you right-click on the printer name and select +<span class="guimenuitem">Properties</span>, you can arrive at two dialogs that appear identical, each claiming that +they help you to set printer options in three different ways. Here is the definitive answer to the Samba +default driver setting FAQ: +</p><p><b>“<span class="quote">I can not set and save default print options +for all users on Windows 200x/XP. Why not?</span>”. </b> +How are you doing it? I bet the wrong way. (It is not easy to find out, though.) There are three different +ways to bring you to a dialog that seems to set everything. All three dialogs look the same, but only one of +them does what you intend. You need to be Administrator or Print Administrator to do this for all users. Here +is how I reproduce it in an XP Professional: +</p><div class="orderedlist"><ol type="A"><li><p>The first “<span class="quote">wrong</span>” way: + </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guiicon">Printers</span> folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and + select in context menu <span class="guimenu">Printing Preferences...</span>.</p></li><li><p>Look at this dialog closely and remember what it looks like.</p></li></ol></div></li><li><p>The second “<span class="quote">wrong</span>” way: + </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guimenu">Printers</span> folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on + cupshost</em></span>) and select in the context menu + <span class="guimenuitem">Properties</span></p></li><li><p>Click on the <span class="guilabel">General</span> + tab.</p></li><li><p>Click on the <span class="guibutton">Printing + Preferences...</span> button.</p></li><li><p>A new dialog opens. Keep this dialog open and go back + to the parent dialog.</p></li></ol></div><p> + </p></li><li><p> + The third and correct way (should you do this from the beginning, just carry out steps 1 + and 2 from the second method above): + </p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="guilabel">Advanced</span> + tab. (If everything is “<span class="quote">grayed out,</span>” then you are not logged + in as a user with enough privileges.)</p></li><li><p>Click on the <span class="guibutton">Printing + Defaults</span> button.</p></li><li><p>On any of the two new tabs, + click on the + <span class="guilabel">Advanced</span> button.</p></li><li><p>A new dialog opens. Compare + this one to the other. Are they + identical when you compare one from + “<span class="quote">B.5</span>” and one from A.3?</p></li></ol></div></li></ol></div><p> +Do you see any difference in the two settings dialogs? I do not either. However, only the last one, which you +arrived at with steps C.1 through C.6 will permanently save any settings which will then become the defaults +for new users. If you want all clients to have the same defaults, you need to conduct these steps as +administrator (<a class="indexterm" name="id398731"></a>printer admin) before a client downloads the driver (the clients can +later set their own per-user defaults by following procedures A or B above). Windows 200x/XP allow per-user +default settings and the ones the administrator gives them before they set up their own. The parents of the +identical-looking dialogs have a slight difference in their window names; one is called +<code class="computeroutput">Default Print Values for Printer Foo on Server Bar</code> (which is the one you +need) and the other is called “<span class="quote"><code class="computeroutput">Print Settings for Printer Foo on Server +Bar</code></span>”. The last one is the one you arrive at when you right-click on the printer and +select <span class="guimenuitem">Print Settings...</span>. This is the one that you were taught to use back in the +days of Windows NT, so it is only natural to try the same way with Windows 200x/XP. You would not dream that +there is now a different path to arrive at an identical-looking, but functionally different, dialog to set +defaults for all users. +</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Try (on Windows 200x/XP) to run this command (as a user with the right privileges): +<a class="indexterm" name="id398769"></a> +</p><p><strong class="userinput"><code> +rundll32 printui.dll,PrintUIEntry /p /t3 /n\\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printersharename</code></em> +</code></strong></p><p> +To see the tab with the <span class="guilabel">Printing Defaults</span> button (the one you need), also run this command: +</p><p><strong class="userinput"><code> +rundll32 printui.dll,PrintUIEntry /p /t0 /n\\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printersharename</code></em> +</code></strong></p><p> +To see the tab with the <span class="guilabel">Printing Preferences</span> +button (the one that does not set systemwide defaults), you can +start the commands from inside a DOS box or from <span class="guimenu">Start</span> -> <span class="guimenuitem">Run</span>. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id398839"></a>Supporting Large Numbers of Printers</h3></div></div></div><p> +One issue that has arisen during the recent development phase of Samba is the need to support driver +downloads for hundreds of printers. Using Windows NT APW for this task is somewhat awkward (to say the least). If +you do not want to acquire RSS pains from the printer installation clicking orgy alone, you need +to think about a non-interactive script. +</p><p> +If more than one printer is using the same driver, the <code class="literal">rpcclient setdriver</code> +command can be used to set the driver associated with an installed queue. If the driver is uploaded to +<em class="parameter"><code>[print$]</code></em> once and registered with the printing TDBs, it can be used by +multiple print queues. In this case, you just need to repeat the <code class="literal">setprinter</code> subcommand of +<code class="literal">rpcclient</code> for every queue (without the need to conduct the <code class="literal">adddriver</code> +repeatedly). The following is an example of how this can be accomplished: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumdrivers'</code></strong> + cmd = enumdrivers + + [Windows NT x86] + Printer Driver Info 1: + Driver Name: [infotec IS 2075 PCL 6] + + Printer Driver Info 1: + Driver Name: [DANKA InfoStream] + + Printer Driver Info 1: + Driver Name: [Heidelberg Digimaster 9110 (PS)] + + Printer Driver Info 1: + Driver Name: [dm9110] + + Printer Driver Info 1: + Driver Name: [mydrivername] + + [....] +</pre><p> + +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumprinters'</code></strong> + cmd = enumprinters + flags:[0x800000] + name:[\\SAMBA-CUPS\dm9110] + description:[\\SAMBA-CUPS\dm9110,,110ppm HiVolume DANKA Stuttgart] + comment:[110 ppm HiVolume DANKA Stuttgart] + [....] +</pre><p> + +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c \ + 'setdriver <em class="replaceable"><code>dm9110</code></em> "<em class="replaceable"><code>Heidelberg Digimaster 9110 (PS)</code></em>"'</code></strong> + cmd = setdriver dm9110 Heidelberg Digimaster 9110 (PPD) + Successfully set dm9110 to driver Heidelberg Digimaster 9110 (PS). +</pre><p> + +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumprinters'</code></strong> + cmd = enumprinters + flags:[0x800000] + name:[\\SAMBA-CUPS\dm9110] + description:[\\SAMBA-CUPS\dm9110,Heidelberg Digimaster 9110 (PS),\ + 110ppm HiVolume DANKA Stuttgart] + comment:[110ppm HiVolume DANKA Stuttgart] + [....] +</pre><p> + +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'setdriver <em class="replaceable"><code>dm9110</code></em> <em class="replaceable"><code>mydrivername</code></em>'</code></strong> + cmd = setdriver dm9110 mydrivername + Successfully set dm9110 to mydrivername. +</pre><p> + +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumprinters'</code></strong> + cmd = enumprinters + flags:[0x800000] + name:[\\SAMBA-CUPS\dm9110] + description:[\\SAMBA-CUPS\dm9110,mydrivername,\ + 110ppm HiVolume DANKA Stuttgart] + comment:[110ppm HiVolume DANKA Stuttgart] + [....] +</pre><p> +It may not be easy to recognize that the first call to <code class="literal">enumprinters</code> showed the +“<span class="quote">dm9110</span>” printer with an empty string where the driver should have been listed (between +the two commas in the description field). After the <code class="literal">setdriver</code> command +succeeds, all is well. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399075"></a>Adding New Printers with the Windows NT APW</h3></div></div></div><p> +By default, Samba exhibits all printer shares defined in <code class="filename">smb.conf</code> in the <span class="guiicon">Printers</span> +folder. Also located in this folder is the Windows NT Add Printer Wizard icon. The APW will be shown only if: +</p><div class="itemizedlist"><ul type="disc"><li><p> + The connected user is able to successfully execute an <code class="literal">OpenPrinterEx(\\server)</code> with + administrative privileges (i.e., root or <a class="indexterm" name="id399110"></a>printer admin). + </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Try this from a Windows 200x/XP DOS box command prompt: + </p><p><strong class="userinput"><code> + runas /netonly /user:root rundll32 printui.dll,PrintUIEntry /p /t0 /n \\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printersharename</code></em> + </code></strong></p><p> + Click on <span class="guibutton">Printing Preferences</span>. + </p></div></li><li><p>... contains the setting + <a class="indexterm" name="id399150"></a>show add printer wizard = yes (the + default).</p></li></ul></div><p> +The APW can do various things: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Upload a new driver to the Samba <em class="parameter"><code>[print$]</code></em> share. + </p></li><li><p> + Associate an uploaded driver with an existing (but still driverless) print queue. + </p></li><li><p> + Exchange the currently used driver for an existing print queue with one that has been uploaded before. + </p></li><li><p> + Add an entirely new printer to the Samba host (only in conjunction with a working + <a class="indexterm" name="id399190"></a>add printer command. A corresponding + <a class="indexterm" name="id399197"></a>delete printer command for removing entries from the + <span class="guiicon">Printers</span> folder may also be provided). + </p></li></ul></div><p> +The last one (add a new printer) requires more effort than the previous ones. To use the APW to successfully +add a printer to a Samba server, the <a class="indexterm" name="id399216"></a>add printer command must have a defined value. +The program hook must successfully add the printer to the UNIX print system (i.e., to +<code class="filename">/etc/printcap</code>, <code class="filename">/etc/cups/printers.conf</code> or other appropriate files) +and to <code class="filename">smb.conf</code> if necessary. +</p><p> +When using the APW from a client, if the named printer share does not exist, smbd will execute the +<a class="indexterm" name="id399246"></a>add printer command and reparse to attempt to locate the new printer share. If the +share is still not defined, an error of "<span class="errorname">Access Denied"</span> is returned to the client. The +<a class="indexterm" name="id399258"></a>add printer command is executed under the context of the connected user, not +necessarily a root account. A <a class="indexterm" name="id399266"></a>map to guest = bad user may have connected +you unwittingly under the wrong privilege. You should check it by using the <code class="literal">smbstatus</code> +command. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399282"></a>Error Message: “<span class="quote">Cannot connect under a different Name</span>”</h3></div></div></div><p> +Once you are connected with the wrong credentials, there is no means to reverse the situation other than +to close all Explorer windows, and perhaps reboot. +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id399300"></a> + The <code class="literal">net use \\SAMBA-SERVER\sharename /user:root</code> gives you an error message: + “<span class="quote">Multiple connections to a server or a shared resource by the same user utilizing + several user names are not allowed. Disconnect all previous connections to the server, + esp. the shared resource, and try again.</span>” + </p></li><li><p> + Every attempt to “<span class="quote">connect a network drive</span>” to <code class="filename">\\SAMBASERVER\\print$</code> + to <code class="constant">z:</code> is countered by the pertinacious message: “<span class="quote">This + network folder is currently connected under different credentials (username and password). + Disconnect first any existing connection to this network share in order to connect again under + a different username and password</span>”. + </p></li></ul></div><p> +So you close all connections. You try again. You get the same message. You check from the Samba side, using +<code class="literal">smbstatus</code>. Yes, there are more connections. You kill them all. The client still gives you +the same error message. You watch the smbd.log file on a high debug level and try reconnect. Same error +message, but not a single line in the log. You start to wonder if there was a connection attempt at all. You +run ethereal and tcpdump while you try to connect. Result: not a single byte goes on the wire. Windows still +gives the error message. You close all Explorer windows and start it again. You try to connect and +this times it works! Windows seems to cache connection information somewhere and does not keep it up to date +(if you are unlucky, you might need to reboot to get rid of the error message). +</p><p> +The easiest way to forcefully terminate all connections from your client to a server is by executing: +</p><pre class="screen"> +<code class="prompt">C:\> </code> net use * /delete +</pre><p> +This will also disconnect all mapped drives and will allow you create fresh connection as required. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399380"></a>Take Care When Assembling Driver Files</h3></div></div></div><p> +You need to be extremely careful when you take notes about the files belonging to a particular +driver. Don't confuse the files for driver version “<span class="quote">0</span>” (for Windows 9x/Me, going into +<code class="filename">[print$]/WIN/0/</code>), driver version <code class="filename">2</code> (kernel mode driver for Windows NT, +going into <code class="filename">[print$]/W32X86/2/</code>; may be used on Windows 200x/XP also), and +driver version “<span class="quote">3</span>” (non-kernel mode driver going into <code class="filename">[print$]/W32X86/3/</code>; +cannot be used on Windows NT). Quite often these different driver versions contain +files that have the same name but actually are very different. If you look at them from +the Windows Explorer (they reside in <code class="filename">%WINDOWS%\system32\spool\drivers\W32X86\</code>), +you will probably see names in capital letters, while an <code class="literal">enumdrivers</code> command from Samba +would show mixed or lowercase letters, so it is easy to confuse them. If you install them manually using +<code class="literal">rpcclient</code> and subcommands, you may even succeed without an error message. Only later, +when you try install on a client, you will encounter error messages like <code class="computeroutput">This server +has no appropriate driver for the printer</code>. +</p><p> +Here is an example. You are invited to look closely at the various files, compare their names and +their spelling, and discover the differences in the composition of the version 2 and 3 sets. Note: the +version 0 set contained 40 <em class="parameter"><code>Dependentfiles</code></em>, so I left it out for space reasons: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U 'Administrator%<em class="replaceable"><code>secret</code></em>' -c 'enumdrivers 3' 10.160.50.8 </code></strong> + + Printer Driver Info 3: + Version: [3] + Driver Name: [Canon iR8500 PS3] + Architecture: [Windows NT x86] + Driver Path: [\\10.160.50.8\print$\W32X86\3\cns3g.dll] + Datafile: [\\10.160.50.8\print$\W32X86\3\iR8500sg.xpd] + Configfile: [\\10.160.50.8\print$\W32X86\3\cns3gui.dll] + Helpfile: [\\10.160.50.8\print$\W32X86\3\cns3g.hlp] + + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aucplmNT.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\ucs32p.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\tnl32.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussdrv.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cnspdc.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussapi.dat] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3407.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\CnS3G.cnt] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBAPI.DLL] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBIPC.DLL] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcview.exe] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcdspl.exe] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcedit.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm.exe] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcspl.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cfine32.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcr407.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\Cpcqm407.hlp] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm407.cnt] + Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3ggr.dll] + + Monitorname: [] + Defaultdatatype: [] + + Printer Driver Info 3: + Version: [2] + Driver Name: [Canon iR5000-6000 PS3] + Architecture: [Windows NT x86] + Driver Path: [\\10.160.50.8\print$\W32X86\2\cns3g.dll] + Datafile: [\\10.160.50.8\print$\W32X86\2\IR5000sg.xpd] + Configfile: [\\10.160.50.8\print$\W32X86\2\cns3gui.dll] + Helpfile: [\\10.160.50.8\print$\W32X86\2\cns3g.hlp] + + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\AUCPLMNT.DLL] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussdrv.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cnspdc.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussapi.dat] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3407.dll] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\CnS3G.cnt] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBAPI.DLL] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBIPC.DLL] + Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3gum.dll] + + Monitorname: [CPCA Language Monitor2] + Defaultdatatype: [] + +</pre><p> +If we write the “<span class="quote">version 2</span>” files and the “<span class="quote">version 3</span>” files +into different text files and compare the result, we see this +picture: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>sdiff 2-files 3-files</code></strong> + + + cns3g.dll cns3g.dll + iR8500sg.xpd iR8500sg.xpd + cns3gui.dll cns3gui.dll + cns3g.hlp cns3g.hlp + AUCPLMNT.DLL | aucplmNT.dll + > ucs32p.dll + > tnl32.dll + aussdrv.dll aussdrv.dll + cnspdc.dll cnspdc.dll + aussapi.dat aussapi.dat + cns3407.dll cns3407.dll + CnS3G.cnt CnS3G.cnt + NBAPI.DLL NBAPI.DLL + NBIPC.DLL NBIPC.DLL + cns3gum.dll | cpcview.exe + > cpcdspl.exe + > cpcqm.exe + > cpcspl.dll + > cfine32.dll + > cpcr407.dll + > Cpcqm407.hlp + > cpcqm407.cnt + > cns3ggr.dll + +</pre><p> + +Do not be fooled! Driver files for each version with identical +names may be different in their content, as you can see from this size +comparison: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>for i in cns3g.hlp cns3gui.dll cns3g.dll; do \ + smbclient //10.160.50.8/print\$ -U 'Administrator%xxxx' \ + -c "cd W32X86/3; dir $i; cd .. ; cd 2; dir $i"; \ + done</code></strong> + + CNS3G.HLP A 122981 Thu May 30 02:31:00 2002 + CNS3G.HLP A 99948 Thu May 30 02:31:00 2002 + + CNS3GUI.DLL A 1805824 Thu May 30 02:31:00 2002 + CNS3GUI.DLL A 1785344 Thu May 30 02:31:00 2002 + + CNS3G.DLL A 1145088 Thu May 30 02:31:00 2002 + CNS3G.DLL A 15872 Thu May 30 02:31:00 2002 +</pre><p> +In my example were even more differences than shown here. Conclusion: you must be careful to select the +correct driver files for each driver version. Don't rely on the names alone, and don't interchange files +belonging to different driver versions. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399581"></a>Samba and Printer Ports</h3></div></div></div><p> +<a class="indexterm" name="id399589"></a> +<a class="indexterm" name="id399595"></a> +<a class="indexterm" name="id399602"></a> +<a class="indexterm" name="id399609"></a> +Windows NT/2000 print servers associate a port with each printer. These normally take the form of +<code class="filename">LPT1:</code>, <code class="filename">COM1:</code>, <code class="filename">FILE:</code>, and so on. Samba must also +support the concept of ports associated with a printer. By default, only one printer port, named “<span class="quote">Samba +Printer Port</span>”, exists on a system. Samba does not really need such a “<span class="quote">port</span>” in order to +print; rather it is a requirement of Windows clients. They insist on being told about an available port when +they request this information; otherwise, they throw an error message at you. So Samba fakes the port +information to keep the Windows clients happy. +</p><p> +<a class="indexterm" name="id399648"></a> +Samba does not support the concept of <code class="constant">Printer Pooling</code> internally either. Printer +pooling assigns a logical printer to multiple ports as a form of load balancing or failover. +</p><p> +If you require multiple ports to be defined for some reason or another (my users and my boss should not know +that they are working with Samba), configure the <a class="indexterm" name="id399665"></a>enumports command, +which can be used to define an external program that generates a listing of ports on a system. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399675"></a>Avoiding Common Client Driver Misconfiguration</h3></div></div></div><p> +So now the printing works, but there are still problems. Most jobs print well, some do not print at +all. Some jobs have problems with fonts, which do not look good. Some jobs print fast and some +are dead-slow. We cannot cover it all, but we want to encourage you to read the brief paragraph about +“<span class="quote">Avoiding the Wrong PostScript Driver Settings</span>” in <a href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing +Chapter</a>, <a href="CUPS-printing.html#cups-avoidps1" title="Avoiding Critical PostScript Driver Settings on the Client">Avoiding Critical PostScript Driver Settings on the +Client</a>. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id399708"></a>The Imprints Toolset</h2></div></div></div><p> +<a class="indexterm" name="id399715"></a> +The Imprints tool set provides a UNIX equivalent of the Windows NT APW. For complete information, please +refer to the <a href="http://imprints.sourceforge.net/" target="_top">Imprints</a> Web site as well as the +documentation included with the Imprints source distribution. This section provides only a brief introduction +to the features of Imprints. +</p><p> +Unfortunately, the Imprints toolset is no longer maintained. As of December 2000, the project is in +need of a new maintainer. The most important skill to have is Perl coding and an interest in MS-RPC-based +printing used in Samba. If you wish to volunteer, please coordinate your efforts on the Samba technical +mailing list. The toolset is still in usable form, but only for a series of older printer models where +there are prepared packages to use. Packages for more up-to-date print devices are needed if Imprints +should have a future. Information regarding the Imprints toolset can be obtained from the <a href="http://imprints.sourceforge.net/" target="_top">Imprints</a> home page. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399746"></a>What Is Imprints?</h3></div></div></div><p> +Imprints is a collection of tools for supporting these goals: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Providing a central repository of information regarding Windows NT and 95/98 printer driver packages. + </p></li><li><p> + Providing the tools necessary for creating the Imprints printer driver packages. + </p></li><li><p> + Providing an installation client that will obtain printer drivers from a central Internet (or intranet) Imprints Server + repository and install them on remote Samba and Windows NT4 print servers. + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399776"></a>Creating Printer Driver Packages</h3></div></div></div><p> +The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt, +included with the Samba distribution for more information). In short, an Imprints driver package +is a gzipped tarball containing the driver files, related INF files, and a control file needed by the +installation client. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399789"></a>The Imprints Server</h3></div></div></div><p> +The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each +printer entry in the database has an associated URL for the actual downloading of the package. Each +package is digitally signed via GnuPG, which can be used to verify that +the package downloaded is actually +the one referred in the Imprints database. It is strongly recommended that this security check +not be disabled. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399802"></a>The Installation Client</h3></div></div></div><p> +More information regarding the Imprints installation client is available from the documentation file +<code class="filename">Imprints-Client-HOWTO.ps</code> that is included with the Imprints source package. The Imprints +installation client comes in two forms: +</p><div class="itemizedlist"><ul type="disc"><li><p>A set of command-line Perl scripts.</p></li><li><p>A GTK+-based graphical interface to the command-line Perl scripts.</p></li></ul></div><p> +The installation client (in both forms) provides a means of querying the Imprints database server for +a matching list of known printer model names as well as a means to download and install the drivers on +remote Samba and Windows NT print servers. +</p><p> +The basic installation process is in four steps, and Perl code is wrapped around smbclient and rpcclient. +</p><div class="itemizedlist"><ul type="disc"><li><p> + For each supported architecture for a given driver: + </p><div class="orderedlist"><ol type="1"><li><p>rpcclient: Get the appropriate upload directory on the remote server.</p></li><li><p>smbclient: Upload the driver files.</p></li><li><p>rpcclient: Issues an AddPrinterDriver() MS-RPC.</p></li></ol></div><p> + </p></li><li><p>rpcclient: Issues an AddPrinterEx() MS-RPC to actually create the printer.</p></li></ul></div><p> +One of the problems encountered when implementing the Imprints tool set was the namespace issues between +various supported client architectures. For example, Windows NT includes a driver named “<span class="quote">Apple LaserWriter +II NTX v51.8</span>”, and Windows 95 calls its version of this driver “<span class="quote">Apple LaserWriter II NTX</span>”. +</p><p> +The problem is how to know what client drivers have been uploaded for a printer. An astute reader will +remember that the Windows NT Printer Properties dialog only includes space for one printer driver name. A +quick look in the Windows NT 4.0 system registry at: +</p><p><code class="filename"> + HKLM\System\CurrentControlSet\Control\Print\Environment +</code></p><p> +will reveal that Windows NT always uses the NT driver name. This is okay because Windows NT always requires +that at least the Windows NT version of the printer driver is present. Samba does not have the +requirement internally; therefore, “<span class="quote">How can you use the NT driver name if it has not already been installed?</span>” +</p><p> +The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and +95/98 printer drivers and that the NT driver is installed first. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id399919"></a>Adding Network Printers without User Interaction</h2></div></div></div><p> +The following MS Knowledge Base article may be of some help if you need to handle Windows 2000 clients: +<span class="emphasis"><em>How to Add Printers with No User Interaction in Windows 2000,</em></span> (<a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;189105" target="_top">Microsoft KB 189105</a>). It also +applies to Windows XP Professional clients. The ideas sketched out in this section are inspired by this +article, which describes a command-line method that can be applied to install network and local printers and +their drivers. This is most useful if integrated in Logon Scripts. You can see what options are available by +typing in the command prompt (<code class="literal">DOS box</code>): +</p><p><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /?</code></strong></p><p> +A window pops up that shows you all of the command-line switches available. An extensive list of examples +is also provided. This is only for Windows 200x/XP; it does not work on Windows NT. Windows NT probably has +some other tools in the respective Resource Kit. Here is a suggestion about what a client logon script +might contain, with a short explanation of what the lines actually do (it works if 200x/XP Windows +clients access printers via Samba, and works for Windows-based print servers too): +</p><pre class="screen"> +<strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /dn /n "\\cupsserver\infotec2105-IPDS" /q</code></strong> +<strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /in /n "\\cupsserver\infotec2105-PS"</code></strong> +<strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /y /n "\\cupsserver\infotec2105-PS"</code></strong> +</pre><p> +Here is a list of the used command-line parameters: +</p><div class="variablelist"><dl><dt><span class="term">/dn</span></dt><dd><p>deletes a network printer.</p></dd><dt><span class="term">/q</span></dt><dd><p>quiet modus.</p></dd><dt><span class="term">/n</span></dt><dd><p>names a printer.</p></dd><dt><span class="term">/in</span></dt><dd><p>adds a network printer connection.</p></dd><dt><span class="term">/y</span></dt><dd><p>sets printer as default printer.</p></dd></dl></div><div class="itemizedlist"><ul type="disc"><li><p> + Line 1 deletes a possibly existing previous network printer <span class="emphasis"><em>infotec2105-IPDS</em></span> + (which had used native Windows drivers with LPRng that were removed from the server that was + converted to CUPS). The <code class="literal">/q</code> at the end prevents confirm + or error dialog boxes from popping up. They should not be presented to the user logging on. + </p></li><li><p> + Line 2 adds the new printer + <span class="emphasis"><em>infotec2105-PS</em></span> (which actually is the same + physical device but is now run by the new CUPS printing system and associated with the + CUPS/Adobe PS drivers). The printer and its driver must have been added to Samba prior to + the user logging in (e.g., by a procedure as discussed earlier in this chapter or by running + <code class="literal">cupsaddsmb</code>). The driver is now autodownloaded to the client PC where the + user is about to log in. + </p></li><li><p> + Line 3 sets the default printer to this new network printer (there might be several other + printers installed with this same method, and some may be local as well, so we decide for a + default printer). The default printer selection may, of course, be different for different users. + </p></li></ul></div><p> +The second line only works if the printer <span class="emphasis"><em>infotec2105-PS</em></span> has an already working +print queue on the <code class="constant">cupsserver</code> and if the +printer drivers have been successfully uploaded +(via the <code class="literal">APW</code>, <code class="literal">smbclient/rpcclient</code>, or <code class="literal">cupsaddsmb</code>) +into the <em class="parameter"><code>[print$]</code></em> driver repository of Samba. Some Samba versions +prior to version 3.0 required a restart of smbd after the printer install and the driver upload; +otherwise the script (or any other client driver download) would fail. +</p><p> +Since there is no easy way to test for the existence of an installed network printer from the logon script, +do not bother checking. Just allow the de-installation/re-installation to occur every time a user logs in; +it's really quick anyway (1 to 2 seconds). +</p><p> +The additional benefits for this are: +</p><div class="itemizedlist"><ul type="disc"><li><p> + It puts in place any printer default setup changes automatically at every user logon. + </p></li><li><p> + It allows for “<span class="quote">roaming</span>” users' login to the domain from different workstations. + </p></li></ul></div><p> +Since network printers are installed per user, this much simplifies the process of keeping the installation +up to date. The few extra seconds at logon time will not really be noticeable. Printers can be centrally +added, changed, and deleted at will on the server with no user intervention required from the clients +(you just need to keep the logon scripts up to date). +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400158"></a>The <code class="literal">addprinter</code> Command</h2></div></div></div><p> +The <code class="literal">addprinter</code> command can be configured to be a shell script or program executed by +Samba. It is triggered by running the APW from a client against the Samba print server. The APW asks +the user to fill in several fields (such as printer name, driver to be used, comment, port monitor, +and so on). These parameters are passed on to Samba by the APW. If the addprinter command is designed in a +way that it can create a new printer (through writing correct printcap entries on legacy systems or +by executing the <code class="literal">lpadmin</code> command on more modern systems) and create the associated share, +then the APW will in effect really create a new printer on Samba and the UNIX print subsystem! +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400192"></a>Migration of Classical Printing to Samba</h2></div></div></div><p> +The basic NT-style printer driver management has not changed considerably in 3.0 over the 2.2.x releases +(apart from many small improvements). Here migration should be quite easy, especially if you followed +previous advice to stop using deprecated parameters in your setup. For migrations from an existing 2.0.x +setup, or if you continued Windows 9x/Me-style printing in your Samba 2.2 installations, it is more of +an effort. Please read the appropriate release notes and the HOWTO Collection for Samba-2.2.x. You can +follow several paths. Here are possible scenarios for migration: +</p><div class="itemizedlist"><ul type="disc"><li><p> + You need to study and apply the new Windows NT printer and driver support. Previously used + parameters <em class="parameter"><code>printer driver file</code></em>, <em class="parameter"><code>printer driver</code></em>, + and <em class="parameter"><code>printer driver location</code></em> are no longer supported. + </p></li><li><p> + If you want to take advantage of Windows NT printer driver support, you also need to migrate the + Windows 9x/Me drivers to the new setup. + </p></li><li><p> + An existing <code class="filename">printers.def</code> file (the one specified in the now removed parameter + <em class="parameter"><code>printer driver file</code></em>) will no longer work with Samba-3. In 3.0, smbd attempts + to locate Windows 9x/Me driver files for the printer in <em class="parameter"><code>[print$]</code></em> + and additional settings in the TDB and only there; if it fails, it will <span class="emphasis"><em>not</em></span> + (as 2.2.x used to do) drop down to using a <code class="filename">printers.def</code> (and all associated + parameters). The make_printerdef tool is removed and there is no backward compatibility for this. + </p></li><li><p>You need to install a Windows 9x/Me driver into the + <em class="parameter"><code>[print$]</code></em> share for a printer on your Samba + host. The driver files will be stored in the “<span class="quote">WIN40/0</span>” subdirectory of + <em class="parameter"><code>[print$]</code></em>, and some other settings and information go + into the printing-related TDBs.</p></li><li><p> + If you want to migrate an existing <code class="filename">printers.def</code> file into the new setup, the only current + solution is to use the Windows NT APW to install the NT drivers and the 9x/Me drivers. This can be scripted + using smbclient and rpcclient. See the Imprints installation client on the <a href="http://imprints.sourceforge.net/" target="_top">Imprints</a> web site for example. See also the discussion of + rpcclient usage in <a href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing</a>. + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400323"></a>Publishing Printer Information in Active Directory or LDAP</h2></div></div></div><p> +This topic has also been addressed in <a href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">Remote and Local Management The +Net Command</a>. If you wish to volunteer your services to help document this further, please contact +<a href="mail://jht@samba.org" target="_top">John H. Terpstra</a>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400350"></a>Common Errors</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400355"></a>I Give My Root Password but I Do Not Get Access</h3></div></div></div><p> +Do not confuse the root password, which is valid for the UNIX system (and in most cases stored in the +form of a one-way hash in a file named <code class="filename">/etc/shadow</code>), with the password used to +authenticate against Samba. Samba does not know the UNIX password. Root access to Samba resources +requires that a Samba account for root must first be created. This is done with the <code class="literal">smbpasswd</code> +command as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -a root +New SMB password: secret +Retype new SMB password: secret +</pre><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400392"></a>My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</h3></div></div></div><p> +Do not use the existing UNIX print system spool directory for the Samba spool directory. It may seem +convenient and a savings of space, but it only leads to problems. The two must be separate. The UNIX/Linux +system print spool directory (e.g., <code class="filename">/var/spool/cups</code>) is typically owned by a +non-privileged user such as <code class="literal">cups</code> or <code class="literal">lp</code>. Additionally. the permissions on +the spool directory are typically restrictive to the owner and/or group. On the other hand, the Samba +spool directory must be world writable, and should have the 't' bit set to ensure that only a temporary +spool file owner can change or delete the file. +</p><p> +Depending on the type of print spooling system in use on the UNIX/Linux host, files that the spool +management application finds and that are not currently part of job queue that it is managing can be deleted. +This may explain the observation that jobs are spooled (by Samba) into this directory and just disappear. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 20. Hosting a Microsoft Distributed File System Tree </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 22. CUPS Printing Support</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/compiling.html b/docs/htmldocs/Samba3-HOWTO/compiling.html new file mode 100644 index 0000000000..1fe7d9a2c3 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/compiling.html @@ -0,0 +1,330 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. How to Compile Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="Appendix.html" title="Part VI. Reference Section"><link rel="next" href="Portability.html" title="Chapter 42. Portability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. How to Compile Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Appendix.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="compiling"></a>Chapter 41. How to Compile Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate"> 22 May 2001 </p></div><div><p class="pubdate"> 18 March 2003 </p></div><div><p class="pubdate"> June 2005 </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="compiling.html#id450070">Access Samba Source Code via Subversion</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450076">Introduction</a></span></dt><dt><span class="sect2"><a href="compiling.html#id450114">Subversion Access to samba.org</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#id450289">Accessing the Samba Sources via rsync and ftp</a></span></dt><dt><span class="sect1"><a href="compiling.html#id450357">Verifying Samba's PGP Signature</a></span></dt><dt><span class="sect1"><a href="compiling.html#id450486">Building the Binaries</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450708">Compiling Samba with Active Directory Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#startingSamba">Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450957">Starting from inetd.conf</a></span></dt><dt><span class="sect2"><a href="compiling.html#id451161">Alternative: Starting <span class="application">smbd</span> as a Daemon</a></span></dt></dl></dd></dl></div><p> +You can obtain the Samba source file from the +<a href="http://samba.org/" target="_top">Samba Web site</a>. To obtain a development version, +you can download Samba from Subversion or using <code class="literal">rsync</code>. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id450070"></a>Access Samba Source Code via Subversion</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id450076"></a>Introduction</h3></div></div></div><p> +<a class="indexterm" name="id450084"></a> +Samba is developed in an open environment. Developers use a +Subversion to “<span class="quote">checkin</span>” (also known as +“<span class="quote">commit</span>”) new source code. Samba's various Subversion branches can +be accessed via anonymous Subversion using the instructions +detailed in this chapter. +</p><p> +This chapter is a modified version of the instructions found at the +<a href="http://samba.org/samba/subversion.html" target="_top">Samba</a> Web site. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id450114"></a>Subversion Access to samba.org</h3></div></div></div><p> +The machine samba.org runs a publicly accessible Subversion +repository for access to the source code of several packages, +including Samba, rsync, distcc, ccache, and jitterbug. There are two main ways +of accessing the Subversion server on this host. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id450125"></a>Access via ViewCVS</h4></div></div></div><p> +<a class="indexterm" name="id450133"></a> +You can access the source code via your favorite WWW browser. This allows you to access +the contents of individual files in the repository and also to look at the revision +history and commit logs of individual files. You can also ask for a diff +listing between any two versions on the repository. +</p><p> +Use the URL +<a href="http://viewcvs.samba.org/" target="_top">http://viewcvs.samba.org/</a>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id450158"></a>Access via Subversion</h4></div></div></div><p> +<a class="indexterm" name="id450166"></a> +You can also access the source code via a normal Subversion client. This gives you much more control over what +you can do with the repository and allows you to check out whole source trees and keep them up to date via +normal Subversion commands. This is the preferred method of access if you are a developer and not just a +casual browser. +</p><p>In order to be able to download the Samba sources off Subversion, you need +a Subversion client. Your distribution might include one, or you can download the +sources from <a href="http://subversion.tigris.org/" target="_top">http://subversion.tigris.org/</a>. +</p><p> +To gain access via anonymous Subversion, use the following steps. +</p><div class="procedure"><a name="id450196"></a><p class="title"><b>Procedure 41.1. Retrieving Samba using Subversion</b></p><ol type="1"><li><p> + Install a recent copy of Subversion. All you really need is a + copy of the Subversion client binary. + </p></li><li><p> + Run the command + </p><pre class="screen"> + <strong class="userinput"><code>svn co svn://svnanon.samba.org/samba/trunk samba</code></strong>. + </pre><p> + </p><p> + This will create a directory called <code class="filename">samba</code> containing the + latest Samba source code (usually the branch that is going to be the next major release). This + currently corresponds to the 3.1 development tree. + </p><p> + Subversion branches other then trunk can be obtained by adding branches/BRANCH_NAME to the URL you check + out. A list of branch names can be found on the “<span class="quote">Development</span>” page of the Samba Web site. A + common request is to obtain the latest 3.0 release code. This could be done by using the following command: + </p><pre class="screen"> + <strong class="userinput"><code>svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0 samba_3</code></strong>. + </pre><p> + </p></li><li><p> + Whenever you want to merge in the latest code changes, use the following command from within the Samba + directory: + </p><pre class="screen"> + <strong class="userinput"><code>svn update</code></strong> + </pre><p> + </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id450289"></a>Accessing the Samba Sources via rsync and ftp</h2></div></div></div><p> + <a class="indexterm" name="id450297"></a> + <a class="indexterm" name="id450304"></a> + <em class="parameter"><code>pserver.samba.org</code></em> also exports unpacked copies of most parts of the Subversion tree + at the Samba <a href="ftp://pserver.samba.org/pub/unpacked" target="_top">pserver</a> location and also + via anonymous rsync at the Samba <a href="rsync://pserver.samba.org/ftp/unpacked/" target="_top">rsync</a> server location. I recommend using rsync rather + than ftp, because rsync is capable of compressing data streams, but it is also more useful than FTP because + during a partial update it will transfer only the data that is missing plus a small overhead. See <a href="http://rsync.samba.org/" target="_top">the rsync home page</a> for more info on rsync. + </p><p> + The disadvantage of the unpacked trees is that they do not support automatic + merging of local changes as Subversion does. <code class="literal">rsync</code> access is most convenient + for an initial install. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id450357"></a>Verifying Samba's PGP Signature</h2></div></div></div><p> +<a class="indexterm" name="id450365"></a> +<a class="indexterm" name="id450371"></a> +It is strongly recommended that you verify the PGP signature for any source file before +installing it. Even if you're not downloading from a mirror site, verifying PGP signatures +should be a standard reflex. Many people today use the GNU GPG tool set in place of PGP. +GPG can substitute for PGP. +</p><p> +With that said, go ahead and download the following files: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>wget http://us1.samba.org/samba/ftp/samba-3.0.20.tar.asc</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>wget http://us1.samba.org/samba/ftp/samba-pubkey.asc</code></strong> +</pre><p> +<a class="indexterm" name="id450415"></a> +The first file is the PGP signature for the Samba source file; the other is the Samba public +PGP key itself. Import the public PGP key with: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>gpg --import samba-pubkey.asc</code></strong> +</pre><p> +and verify the Samba source code integrity with: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>gzip -d samba-3.0.20.tar.gz</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>gpg --verify samba-3.0.20.tar.asc</code></strong> +</pre><p> +</p><p> +If you receive a message like, “<span class="quote">Good signature from Samba Distribution Verification Key...,</span>” +then all is well. The warnings about trust relationships can be ignored. An +example of what you would not want to see would be: +</p><pre class="screen"> +gpg: BAD signature from “<span class="quote">Samba Distribution Verification Key</span>” +</pre><p> +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id450486"></a>Building the Binaries</h2></div></div></div><p> + <a class="indexterm" name="id450493"></a> +<a class="indexterm" name="id450500"></a> + After the source tarball has been unpacked, the next step involves + configuration to match Samba to your operating system platform. + If your source directory does not contain the <code class="literal">configure</code> script, + it is necessary to build it before you can continue. Building of + the configure script requires the correct version of the autoconf + tool kit. Where the necessary version of autoconf is present, + the configure script can be generated by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> cd samba-3.0.20/source +<code class="prompt">root# </code> ./autogen.sh +</pre><p> + </p><p> + <a class="indexterm" name="id450538"></a> + To build the binaries, run the program <strong class="userinput"><code>./configure + </code></strong> in the source directory. This should automatically + configure Samba for your operating system. If you have unusual + needs, then you may wish to first run: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>./configure --help</code></strong> +</pre><p> +</p><p> + This will help you to see what special options can be enabled. Now execute + <strong class="userinput"><code>./configure</code></strong> with any arguments it might need: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>./configure <em class="replaceable"><code>[... arguments ...]</code></em></code></strong> +</pre><p> + </p><p> + <a class="indexterm" name="id450600"></a> + Execute the following create the binaries: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>make</code></strong> +</pre><p> + Once it is successfully compiled, you can execute the command shown here to + install the binaries and manual pages: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>make install</code></strong> +</pre><p> + </p><p> + Some people prefer to install binary files and man pages separately. If this is + your wish, the binary files can be installed by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>make installbin</code></strong> +</pre><p> + The man pages can be installed using this command: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>make installman</code></strong> +</pre><p> + </p><p> + Note that if you are upgrading from a previous version of Samba the old + versions of the binaries will be renamed with an “<span class="quote">.old</span>” extension. + You can go back to the previous version by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>make revert</code></strong> +</pre><p> + As you can see from this, building and installing Samba does not need to + result in disaster! + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id450708"></a>Compiling Samba with Active Directory Support</h3></div></div></div><p> + In order to compile Samba with ADS support, you need to have installed + on your system: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The MIT or Heimdal Kerberos development libraries + (either install from the sources or use a package). + </p></li><li><p> + The OpenLDAP development libraries. + </p></li></ul></div><p> + If your Kerberos libraries are in a nonstandard location, then + remember to add the configure option + <code class="option">--with-krb5=<em class="replaceable"><code>DIR</code></em></code>. + </p><p> + After you run configure, make sure that the + <code class="filename">include/config.h</code> it generates contain lines like this: +</p><pre class="programlisting"> +#define HAVE_KRB5 1 +#define HAVE_LDAP 1 +</pre><p> + </p><p> + If it does not, configure did not find your KRB5 libraries or + your LDAP libraries. Look in <code class="filename">config.log</code> to figure + out why and fix it. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id450768"></a>Installing the Required Packages for Debian</h4></div></div></div><p>On Debian, you need to install the following packages:</p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>libkrb5-dev</p></li><li><p>krb5-user</p></li></ul></div><p> + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id450794"></a>Installing the Required Packages for Red Hat Linux</h4></div></div></div><p>On Red Hat Linux, this means you should have at least: </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>krb5-workstation (for kinit)</p></li><li><p>krb5-libs (for linking with)</p></li><li><p>krb5-devel (because you are compiling from source)</p></li></ul></div><p> + </p><p>in addition to the standard development environment.</p><p>If these files are not installed on your system, you should check the installation + CDs to find which has them and install the files using your tool of choice. If in doubt + about what tool to use, refer to the Red Hat Linux documentation.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id450834"></a>SuSE Linux Package Requirements</h4></div></div></div><p> + SuSE Linux installs Heimdal packages that may be required to allow you to build + binary packages. You should verify that the development libraries have been installed on + your system. + </p><p> + SuSE Linux Samba RPMs support Kerberos. Please refer to the documentation for + your SuSE Linux system for information regarding SuSE Linux specific configuration. + Additionally, SuSE is very active in the maintenance of Samba packages that provide + the maximum capabilities that are available. You should consider using SuSE-provided + packages where they are available. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="startingSamba"></a>Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></h2></div></div></div><p> + <a class="indexterm" name="id450882"></a> + You must choose to start <span class="application">smbd</span>, <span class="application">winbindd</span> and <span class="application">nmbd</span> either as daemons or from + <span class="application">inetd</span>. Don't try to do both! Either you can put + them in <code class="filename"> inetd.conf</code> and have them started on demand by + <span class="application">inetd</span> or <span class="application">xinetd</span>, or you + can start them as daemons either from the command-line or in + <code class="filename">/etc/rc.local</code>. See the man pages for details on the + command line options. Take particular care to read the bit about what user + you need to have to start Samba. In many cases, you must be root. + </p><p> + The main advantage of starting <span class="application">smbd</span> and <span class="application">nmbd</span> using the recommended daemon method + is that they will respond slightly more quickly to an initial connection request. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id450957"></a>Starting from inetd.conf</h3></div></div></div><a class="indexterm" name="id450963"></a><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The following will be different if + you use NIS, NIS+, or LDAP to distribute services maps.</p></div><p>Look at your <code class="filename">/etc/services</code>. + What is defined at port 139/tcp? If nothing is defined, + then add a line like this:</p><pre class="programlisting">netbios-ssn 139/tcp</pre><p>Similarly for 137/udp, you should have an entry like:</p><pre class="programlisting">netbios-ns 137/udp</pre><p> + Next, edit your <code class="filename">/etc/inetd.conf</code> and add two lines like this: +</p><pre class="programlisting"> +netbios-ssn stream tcp nowait root /usr/local/samba/sbin/smbd smbd +netbios-ns dgram udp wait root /usr/local/samba/sbin/nmbd nmbd +</pre><p> + </p><a class="indexterm" name="id451021"></a><p> + The exact syntax of <code class="filename">/etc/inetd.conf</code> + varies between UNIXes. Look at the other entries in inetd.conf + for a guide. + </p><p> + <a class="indexterm" name="id451040"></a> + Some distributions use xinetd instead of inetd. Consult the + xinetd manual for configuration information. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Some UNIXes already have entries like netbios_ns + (note the underscore) in <code class="filename">/etc/services</code>. + You must edit <code class="filename">/etc/services</code> or + <code class="filename">/etc/inetd.conf</code> to make them consistent. + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id451075"></a> + On many systems you may need to use the + <a class="indexterm" name="id451083"></a>interfaces option in <code class="filename">smb.conf</code> to specify + the IP address and netmask of your interfaces. Run + <span class="application">ifconfig</span> as root if you do + not know what the broadcast is for your net. <span class="application">nmbd</span> tries + to determine it at runtime, but fails on some UNIXes. + </p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Many UNIXes only accept around five parameters on the command + line in <code class="filename">inetd.conf</code>. This means you shouldn't + use spaces between the options and arguments, or you should use + a script and start the script from <code class="literal">inetd</code>. + </p></div><p> + Restart <span class="application">inetd</span>, perhaps just send it a HUP, + like this: +<a class="indexterm" name="id451136"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>killall -HUP inetd</code></strong> +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id451161"></a>Alternative: Starting <span class="application">smbd</span> as a Daemon</h3></div></div></div><p> + <a class="indexterm" name="id451175"></a> +<a class="indexterm" name="id451182"></a> + To start the server as a daemon, you should create a script something + like this one, perhaps calling it <code class="filename">startsmb</code>. + </p><pre class="programlisting"> +#!/bin/sh +/usr/local/samba/sbin/smbd -D +/usr/local/samba/sbin/winbindd -B +/usr/local/samba/sbin/nmbd -D +</pre><p> + Make it executable with <code class="literal">chmod +x startsmb</code>. + </p><p> + You can then run <code class="literal">startsmb</code> by hand or execute + it from <code class="filename">/etc/rc.local</code>. + </p><p> + To kill it, send a kill signal to the processes <span class="application">nmbd</span> and <span class="application">smbd</span>. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + If you use the SVR4-style init system, you may like to look at the + <code class="filename">examples/svr4-startup</code> script to make Samba fit + into that system. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id451255"></a>Starting Samba for Red Hat Linux</h4></div></div></div><p> + Red Hat Linux has not always included all Samba components in the standard installation. + So versions of Red Hat Linux do not install the winbind utility, even though it is present + on the installation CDROM media. Check to see if the <code class="literal">winbindd</code> is present + on the system: +</p><pre class="screen"> +<code class="prompt">root# </code> ls /usr/sbin/winbindd +/usr/sbin/winbindd +</pre><p> + This means that the appropriate RPM package was installed. The following response means + that it is not installed: +</p><pre class="screen"> +/bin/ls: /usr/sbin/winbind: No such file or directory +</pre><p> + In this case, it should be installed if you intend to use <code class="literal">winbindd</code>. Search + the CDROM installation media for the samba-winbind RPM and install it following Red Hat + guidelines. + </p><p> + The process for starting Samba will now be outlined. Be sure to configure Samba's <code class="filename">smb.conf</code> + file before starting Samba. When configured, start Samba by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> service smb start +<code class="prompt">root# </code> service winbind start +</pre><p> + These steps will start <span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span>. + </p><p> + To ensure that these services will be automatically restarted when the system is rebooted + execute: +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig winbind on +</pre><p> + Samba will be started automatically at every system reboot. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id451368"></a>Starting Samba for Novell SUSE Linux</h4></div></div></div><p> + Novell SUSE Linux products automatically install all essential Samba components in a default installation. + Configure your <code class="filename">smb.conf</code> file, then execute the following to start Samba: +</p><pre class="screen"> +<code class="prompt">root# </code> rcnmb start +<code class="prompt">root# </code> rcsmb start +<code class="prompt">root# </code> rcwinbind start +</pre><p> + Now execute these commands so that Samba will be started automatically following a system + reboot: +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig nmb on +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig winbind on +</pre><p> + The Samba services will now be started automatically following a system reboot. + </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Appendix.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part VI. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 42. Portability</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/diagnosis.html b/docs/htmldocs/Samba3-HOWTO/diagnosis.html new file mode 100644 index 0000000000..7f7736a93b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/diagnosis.html @@ -0,0 +1,352 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. The Samba Checklist</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="prev" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="next" href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. The Samba Checklist</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="diagnosis"></a>Chapter 38. The Samba Checklist</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">Wed Jan 15</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="diagnosis.html#id446161">Introduction</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id446194">Assumptions</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id446476">The Tests</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id446161"></a>Introduction</h2></div></div></div><p> +<a class="indexterm" name="id446169"></a> +This file contains a list of tests you can perform to validate your +Samba server. It also tells you what the likely cause of the problem +is if it fails any one of these steps. If it passes all these tests, +then it is probably working fine. +</p><p> +You should do all the tests in the order shown. We have tried to +carefully choose them so later tests only use capabilities verified in +the earlier tests. However, do not stop at the first error: there +have been some instances when continuing with the tests has helped +to solve a problem. +</p><p> +If you send one of the Samba mailing lists an email saying, “<span class="quote">It does not work,</span>” +and you have not followed this test procedure, you should not be surprised +if your email is ignored. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id446194"></a>Assumptions</h2></div></div></div><p> +In all of the tests, it is assumed you have a Samba server called +BIGSERVER and a PC called ACLIENT, both in workgroup TESTGROUP. +</p><p> +The procedure is similar for other types of clients. +</p><p> +It is also assumed you know the name of an available share in your +<code class="filename">smb.conf</code>. I for our examples this share is called <em class="parameter"><code>tmp</code></em>. +You can add a <em class="parameter"><code>tmp</code></em> share like this by adding the +lines shown in <a href="diagnosis.html#tmpshare" title="Example 38.1. smb.conf with [tmp] Share">the next example</a>. +</p><div class="example"><a name="tmpshare"></a><p class="title"><b>Example 38.1. smb.conf with [tmp] Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[tmp]</code></em></td></tr><tr><td><a class="indexterm" name="id446262"></a><em class="parameter"><code>comment = temporary files </code></em></td></tr><tr><td><a class="indexterm" name="id446274"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td><a class="indexterm" name="id446287"></a><em class="parameter"><code>read only = yes</code></em></td></tr></table></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +These tests assume version 3.0.0 or later of the Samba suite. +Some commands shown did not exist in earlier versions. +</p></div><p> +<a class="indexterm" name="id446308"></a> +<a class="indexterm" name="id446315"></a> +<a class="indexterm" name="id446321"></a> +Please pay attention to the error messages you receive. If any error message +reports that your server is being unfriendly, you should first check that your +IP name resolution is correctly set up. Make sure your <code class="filename">/etc/resolv.conf</code> +file points to name servers that really do exist. +</p><p> +<a class="indexterm" name="id446340"></a> +<a class="indexterm" name="id446346"></a> +<a class="indexterm" name="id446353"></a> +<a class="indexterm" name="id446360"></a> +Also, if you do not have DNS server access for name resolution, please check +that the settings for your <code class="filename">smb.conf</code> file results in <em class="parameter"><code>dns proxy = no</code></em>. The +best way to check this is with <code class="literal">testparm smb.conf</code>. +</p><p> +<a class="indexterm" name="id446389"></a> +<a class="indexterm" name="id446396"></a> +<a class="indexterm" name="id446402"></a> +<a class="indexterm" name="id446409"></a> +<a class="indexterm" name="id446416"></a> +It is helpful to monitor the log files during testing by using the +<code class="literal">tail -F log_file_name</code> in a separate +terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). +Relevant log files can be found (for default installations) in +<code class="filename">/usr/local/samba/var</code>. Also, connection logs from +machines can be found here or possibly in <code class="filename">/var/log/samba</code>, +depending on how or if you specified logging in your <code class="filename">smb.conf</code> file. +</p><p> +If you make changes to your <code class="filename">smb.conf</code> file while going through these test, +remember to restart <span class="application">smbd</span> and <span class="application">nmbd</span>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id446476"></a>The Tests</h2></div></div></div><div class="procedure"><a name="id446481"></a><p class="title"><b>Procedure 38.1. Diagnosing Your Samba Server</b></p><ol type="1"><li><p> +<a class="indexterm" name="id446494"></a> +In the directory in which you store your <code class="filename">smb.conf</code> file, run the command +<code class="literal">testparm smb.conf</code>. If it reports any errors, then your <code class="filename">smb.conf</code> +configuration file is faulty. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id446523"></a> +<a class="indexterm" name="id446530"></a> +Your <code class="filename">smb.conf</code> file may be located in <code class="filename">/etc/samba</code> +or in <code class="filename">/usr/local/samba/lib</code>. +</p></div></li><li><p> +<a class="indexterm" name="id446564"></a> +Run the command <code class="literal">ping BIGSERVER</code> from the PC and +<code class="literal">ping ACLIENT</code> from the UNIX box. If you do not get a valid response, +then your TCP/IP software is not correctly installed. +</p><p> +You will need to start a “<span class="quote">DOS prompt</span>” window on the PC to run ping. +</p><p> +<a class="indexterm" name="id446594"></a> +<a class="indexterm" name="id446601"></a> +<a class="indexterm" name="id446608"></a> +If you get a message saying “<span class="quote"><span class="errorname">host not found</span></span>” or a similar message, then +your DNS software or <code class="filename">/etc/hosts</code> file is not correctly set up. If using DNS, check that +the <code class="filename">/etc/resolv.conf</code> has correct, current, entries in it. It is possible to run +Samba without DNS entries for the server and client, but it is assumed you do have correct entries for the +remainder of these tests. +</p><p> +<a class="indexterm" name="id446637"></a> +<a class="indexterm" name="id446644"></a> +<a class="indexterm" name="id446651"></a> +Another reason why ping might fail is if your host is running firewall +software. You will need to relax the rules to let in the workstation +in question, perhaps by allowing access from another subnet (on Linux +this is done via the appropriate firewall maintenance commands <code class="literal">ipchains</code> +or <code class="literal">iptables</code>). +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Modern Linux distributions install ipchains/iptables by default. +This is a common problem that is often overlooked. +</p></div><p> +<a class="indexterm" name="id446682"></a> +<a class="indexterm" name="id446689"></a> +If you wish to check what firewall rules may be present in a system under test, simply run +<code class="literal">iptables -L -v</code>, or if <em class="parameter"><code>ipchains</code></em>-based firewall rules are in use, +<code class="literal">ipchains -L -v</code>. +</p><p> +Here is a sample listing from a system that has an external Ethernet interface (eth1) on which Samba +is not active and an internal (private network) interface (eth0) on which Samba is active: +</p><pre class="screen"> +frodo:~ # iptables -L -v +Chain INPUT (policy DROP 98496 packets, 12M bytes) + pkts bytes target prot opt in out source destination + 187K 109M ACCEPT all -- lo any anywhere anywhere + 892K 125M ACCEPT all -- eth0 any anywhere anywhere +1399K 1380M ACCEPT all -- eth1 any anywhere anywhere \ + state RELATED,ESTABLISHED + +Chain FORWARD (policy DROP 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 978K 1177M ACCEPT all -- eth1 eth0 anywhere anywhere \ + state RELATED,ESTABLISHED + 658K 40M ACCEPT all -- eth0 eth1 anywhere anywhere + 0 0 LOG all -- any any anywhere anywhere \ + LOG level warning + +Chain OUTPUT (policy ACCEPT 2875K packets, 1508M bytes) + pkts bytes target prot opt in out source destination + +Chain reject_func (0 references) + pkts bytes target prot opt in out source destination +</pre><p> +</p></li><li><p> +Run the command <code class="literal">smbclient -L BIGSERVER</code> +on the UNIX box. You should get back a list of available shares. +</p><p> +<a class="indexterm" name="id446752"></a> +<a class="indexterm" name="id446759"></a> +<a class="indexterm" name="id446766"></a> +<a class="indexterm" name="id446772"></a> +<a class="indexterm" name="id446779"></a> +<a class="indexterm" name="id446786"></a> +If you get an error message containing the string “<span class="quote">bad password</span>”, then +you probably have either an incorrect <em class="parameter"><code>hosts allow</code></em>, +<em class="parameter"><code>hosts deny</code></em>, or <em class="parameter"><code>valid users</code></em> line in your +<code class="filename">smb.conf</code>, or your guest account is not valid. Check what your guest account is using <span class="application">testparm</span> and +temporarily remove any <em class="parameter"><code>hosts allow</code></em>, <em class="parameter"><code>hosts deny</code></em>, +<em class="parameter"><code>valid users</code></em>, or <em class="parameter"><code>invalid users</code></em> lines. +</p><p> +<a class="indexterm" name="id446854"></a> +If you get a message <code class="literal">connection refused</code> response, then the <code class="literal">smbd</code> server may +not be running. If you installed it in <code class="filename">inetd.conf</code>, then you probably edited +that file incorrectly. If you installed it as a daemon, then check that +it is running and check that the netbios-ssn port is in a LISTEN +state using <code class="literal">netstat -a</code>. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id446891"></a> +<a class="indexterm" name="id446898"></a> +Some UNIX/Linux systems use <code class="literal">xinetd</code> in place of +<code class="literal">inetd</code>. Check your system documentation for the location +of the control files for your particular system implementation of +the network super daemon. +</p></div><p> +If you get a message saying <code class="literal">session request failed,</code> the server refused the +connection. If it says “<span class="quote">Your server software is being unfriendly,</span>” then +it's probably because you have invalid command line parameters to <span class="application">smbd</span>, +or a similar fatal problem with the initial startup of <span class="application">smbd</span>. Also +check your config file (<code class="filename">smb.conf</code>) for syntax errors with <span class="application">testparm</span> +and that the various directories where Samba keeps its log and lock +files exist. +</p><p> +There are a number of reasons for which smbd may refuse or decline +a session request. The most common of these involve one or more of +the <code class="filename">smb.conf</code> file entries as shown in <a href="diagnosis.html#modif1" title="Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet">the next example</a>. +</p><div class="example"><a name="modif1"></a><p class="title"><b>Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[globals]</code></em></td></tr><tr><td><a class="indexterm" name="id447004"></a><em class="parameter"><code>hosts deny = ALL</code></em></td></tr><tr><td><a class="indexterm" name="id447016"></a><em class="parameter"><code>hosts allow = xxx.xxx.xxx.xxx/yy</code></em></td></tr><tr><td><a class="indexterm" name="id447029"></a><em class="parameter"><code>interfaces = eth0</code></em></td></tr><tr><td><a class="indexterm" name="id447042"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id447057"></a> +In <a href="diagnosis.html#modif1" title="Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet">Configuration for Allowing Connections Only from a Certain Subnet</a>, no +allowance has been made for any session requests that will automatically translate to the loopback adapter +address 127.0.0.1. To solve this problem, change these lines as shown in <a href="diagnosis.html#modif2" title="Example 38.3. Configuration for Allowing Connections from a Certain Subnet and localhost">the following +example</a>. +</p><div class="example"><a name="modif2"></a><p class="title"><b>Example 38.3. Configuration for Allowing Connections from a Certain Subnet and localhost</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[globals]</code></em></td></tr><tr><td><a class="indexterm" name="id447106"></a><em class="parameter"><code>hosts deny = ALL</code></em></td></tr><tr><td><a class="indexterm" name="id447119"></a><em class="parameter"><code>hosts allow = xxx.xxx.xxx.xxx/yy 127.</code></em></td></tr><tr><td><a class="indexterm" name="id447131"></a><em class="parameter"><code>interfaces = eth0 lo</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id447147"></a> +<a class="indexterm" name="id447154"></a> +Another common cause of these two errors is having something already running on port <code class="constant">139</code>, +such as Samba (<span class="application">smbd</span> is running from <span class="application">inetd</span> already) or Digital's Pathworks. Check +your <code class="filename">inetd.conf</code> file before trying to start <span class="application">smbd</span> as a daemon it can avoid a +lot of frustration! +</p><p> +<a class="indexterm" name="id447196"></a> +<a class="indexterm" name="id447202"></a> +<a class="indexterm" name="id447209"></a> +<a class="indexterm" name="id447216"></a> +<a class="indexterm" name="id447223"></a> +And yet another possible cause for failure of this test is when the subnet mask and/or broadcast address +settings are incorrect. Please check that the network interface IP address/broadcast address/subnet mask +settings are correct and that Samba has correctly noted these in the <code class="filename">log.nmbd</code> file. +</p></li><li><p> +<a class="indexterm" name="id447247"></a> +Run the command <code class="literal">nmblookup -B BIGSERVER __SAMBA__</code>. +You should get back the IP address of your Samba server. +</p><p> +<a class="indexterm" name="id447263"></a> +<a class="indexterm" name="id447270"></a> +<a class="indexterm" name="id447277"></a> +If you do not, then <span class="application">nmbd</span> is incorrectly installed. Check your <code class="filename">inetd.conf</code> +if you run it from there, or that the daemon is running and listening to UDP port 137. +</p><p> +One common problem is that many inetd implementations can't take many +parameters on the command line. If this is the case, then create a +one-line script that contains the right parameters and run that from +inetd. +</p></li><li><p> +<a class="indexterm" name="id447311"></a> +Run the command <code class="literal">nmblookup -B ACLIENT `*'</code>. +</p><p> +You should get the PC's IP address back. If you do not, then the client +software on the PC isn't installed correctly, or isn't started, or you +got the name of the PC wrong. +</p><p> +If ACLIENT does not resolve via DNS, then use the IP address of the +client in the above test. +</p></li><li><p> +Run the command <code class="literal">nmblookup -d 2 `*'</code>. +</p><p> +This time we are trying the same as the previous test but are trying +it via a broadcast to the default broadcast address. A number of +NetBIOS/TCP/IP hosts on the network should respond, although Samba may +not catch all of the responses in the short time it listens. You +should see the <code class="literal">got a positive name query response</code> +messages from several hosts. +</p><p> +<a class="indexterm" name="id447362"></a> +If this does not give a result similar to the previous test, then nmblookup isn't correctly getting your +broadcast address through its automatic mechanism. In this case you should experiment with the <a class="indexterm" name="id447371"></a>interfaces option in <code class="filename">smb.conf</code> to manually configure your IP address, broadcast, and netmask. +</p><p> +If your PC and server aren't on the same subnet, then you will need to use the +<code class="option">-B</code> option to set the broadcast address to that of the PC's subnet. +</p><p> +This test will probably fail if your subnet mask and broadcast address are +not correct. (Refer to test 3 notes above). +</p></li><li><p> +<a class="indexterm" name="id447405"></a> +Run the command <code class="literal">smbclient //BIGSERVER/TMP</code>. You should +then be prompted for a password. You should use the password of the account +with which you are logged into the UNIX box. If you want to test with +another account, then add the <code class="option">-U accountname</code> option to the end of +the command line for example, <code class="literal">smbclient //bigserver/tmp -Ujohndoe</code>. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +It is possible to specify the password along with the username as follows: +<code class="literal">smbclient //bigserver/tmp -Ujohndoe%secret</code>. +</p></div><p> +Once you enter the password, you should get the <code class="prompt">smb></code> prompt. If you +do not, then look at the error message. If it says “<span class="quote"><span class="errorname">invalid network +name,</span></span>” then the service <em class="parameter"><code>tmp</code></em> is not correctly set up in your <code class="filename">smb.conf</code>. +</p><p> +If it says “<span class="quote"><span class="errorname">bad password,</span></span>” then the likely causes are: +</p><div class="orderedlist"><ol type="1"><li><p> + You have shadow passwords (or some other password system) but didn't + compile in support for them in <span class="application">smbd</span>. + </p></li><li><p> + Your <a class="indexterm" name="id447504"></a>valid users configuration is incorrect. + </p></li><li><p> + You have a mixed-case password and you haven't enabled the <a class="indexterm" name="id447518"></a>password level option at a high enough level. + </p></li><li><p> + The <a class="indexterm" name="id447532"></a>path line in <code class="filename">smb.conf</code> is incorrect. Check it with <span class="application">testparm</span>. + </p></li><li><p> + You enabled password encryption but didn't map UNIX to Samba users. Run + <code class="literal">smbpasswd -a username</code> + </p></li></ol></div><p> +<a class="indexterm" name="id447569"></a> +<a class="indexterm" name="id447576"></a> +<a class="indexterm" name="id447583"></a> +<a class="indexterm" name="id447589"></a> +Once connected, you should be able to use the commands <code class="literal">dir</code>, <code class="literal">get</code>, +<code class="literal">put</code>, and so on. Type <code class="literal">help command</code> for instructions. You should +especially check that the amount of free disk space shown is correct when you type <code class="literal">dir</code>. +</p></li><li><p> +<a class="indexterm" name="id447634"></a> +On the PC, type the command <code class="literal">net view \\BIGSERVER</code>. You will +need to do this from within a DOS prompt window. You should get back a +list of shares available on the server. +</p><p> +<a class="indexterm" name="id447652"></a> +If you get a message <code class="literal">network name not found</code> or similar error, then NetBIOS +name resolution is not working. This is usually caused by a problem in <code class="literal">nmbd</code>. +To overcome it, you could do one of the following (you only need to choose one of them): +</p><div class="orderedlist"><ol type="1"><li><p> + Fix the <span class="application">nmbd</span> installation. +</p></li><li><p> + Add the IP address of BIGSERVER to the <code class="literal">wins server</code> box in the + advanced TCP/IP setup on the PC. +</p></li><li><p> + Enable Windows name resolution via DNS in the advanced section of the TCP/IP setup. +</p></li><li><p> + Add BIGSERVER to your lmhosts file on the PC. +</p></li></ol></div><p> +If you get a message “<span class="quote"><span class="errorname">invalid network name</span></span>” or +“<span class="quote"><span class="errorname">bad password error,</span></span>” then apply the +same fixes as for the <code class="literal">smbclient -L</code> test. In +particular, make sure your <code class="literal">hosts allow</code> line is correct (see the man pages). +</p><p> +Also, do not overlook that fact that when the workstation requests the +connection to the Samba server, it will attempt to connect using the +name with which you logged onto your Windows machine. You need to make +sure that an account exists on your Samba server with that exact same +name and password. +</p><p> +If you get a message “<span class="quote"><span class="errorname">specified computer is not receiving requests</span></span>” or similar error, +it probably means that the host is not contactable via TCP services. +Check to see if the host is running TCP wrappers, and if so, add an entry in +the <code class="filename">hosts.allow</code> file for your client (or subnet, and so on.) +</p></li><li><p> +Run the command <code class="literal">net use x: \\BIGSERVER\TMP</code>. You should +be prompted for a password, then you should get a <code class="computeroutput">command completed +successfully</code> message. If not, then your PC software is incorrectly +installed or your <code class="filename">smb.conf</code> is incorrect. Make sure your <em class="parameter"><code>hosts allow</code></em> +and other config lines in <code class="filename">smb.conf</code> are correct. +</p><p> +It's also possible that the server can't work out what username to connect you as. +To see if this is the problem, add the line +<a class="indexterm" name="id447804"></a>user = username to the +<em class="parameter"><code>[tmp]</code></em> section of +<code class="filename">smb.conf</code> where <em class="parameter"><code>username</code></em> is the +username corresponding to the password you typed. If you find this +fixes things, you may need the username mapping option. +</p><p> +It might also be the case that your client only sends encrypted passwords +and you have <a class="indexterm" name="id447834"></a>encrypt passwords = no in <code class="filename">smb.conf</code>. +Change this setting to `yes' to fix this. +</p></li><li><p> +Run the command <code class="literal">nmblookup -M <em class="parameter"><code>testgroup</code></em></code> where +<em class="parameter"><code>testgroup</code></em> is the name of the workgroup that your Samba server and +Windows PCs belong to. You should get back the IP address of the +master browser for that workgroup. +</p><p> +If you do not, then the election process has failed. Wait a minute to +see if it is just being slow, then try again. If it still fails after +that, then look at the browsing options you have set in <code class="filename">smb.conf</code>. Make +sure you have <a class="indexterm" name="id447885"></a>preferred master = yes to ensure that +an election is held at startup. +</p></li><li><p> +From file manager, try to browse the server. Your Samba server should +appear in the browse list of your local workgroup (or the one you +specified in <code class="filename">smb.conf</code>). You should be able to double-click on the name +of the server and get a list of shares. If you get the error message “<span class="quote">invalid password,</span>” + you are probably running Windows NT and it +is refusing to browse a server that has no encrypted password +capability and is in user-level security mode. In this case, either set +<a class="indexterm" name="id447914"></a>security = server and +<a class="indexterm" name="id447921"></a>password server = Windows_NT_Machine in your +<code class="filename">smb.conf</code> file or make sure <a class="indexterm" name="id447935"></a>encrypt passwords is +set to “<span class="quote">yes</span>”. +</p></li></ol></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part V. Troubleshooting </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Analyzing and Solving Samba Problems</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/domain-member.html b/docs/htmldocs/Samba3-HOWTO/domain-member.html new file mode 100644 index 0000000000..1910053bfe --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/domain-member.html @@ -0,0 +1,964 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Domain Membership</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 6. Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="domain-member.html#id342376">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343788">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344900">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id345150">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id345329">Configure <code class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346362">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id346622">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id346656">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id342331"></a> +<a class="indexterm" name="id342337"></a> +<a class="indexterm" name="id342344"></a> +Domain membership is a subject of vital concern. Samba must be able to +participate as a member server in a Microsoft domain security context, and +Samba must be capable of providing domain machine member trust accounts; +otherwise it would not be able to offer a viable option for many users. +</p><p> +<a class="indexterm" name="id342357"></a> +<a class="indexterm" name="id342364"></a> +This chapter covers background information pertaining to domain membership, +the Samba configuration for it, and MS Windows client procedures for joining a +domain. Why is this necessary? Because both are areas in which there exists +within the current MS Windows networking world, and particularly in the +UNIX/Linux networking and administration world, a considerable level of +misinformation, incorrect understanding, and lack of knowledge. Hopefully +this chapter will fill the voids. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id342376"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id342383"></a> +<a class="indexterm" name="id342390"></a> +<a class="indexterm" name="id342397"></a> +MS Windows workstations and servers that want to participate in domain security need to +be made domain members. Participating in domain security is often called +<span class="emphasis"><em>single sign-on</em></span>, or <acronym class="acronym">SSO</acronym> for short. This +chapter describes the process that must be followed to make a workstation +(or another server be it an <span class="application">MS Windows NT4/200x</span> +server) or a Samba server a member of an MS Windows domain security context. +</p><p> +<a class="indexterm" name="id342425"></a> +<a class="indexterm" name="id342432"></a> +<a class="indexterm" name="id342439"></a> +<a class="indexterm" name="id342446"></a> +Samba-3 can join an MS Windows NT4-style domain as a native member server, an +MS Windows Active Directory domain as a native member server, or a Samba domain +control network. Domain membership has many advantages: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id342463"></a> + MS Windows workstation users get the benefit of SSO. + </p></li><li><p> + <a class="indexterm" name="id342475"></a> + <a class="indexterm" name="id342481"></a> + <a class="indexterm" name="id342488"></a> + <a class="indexterm" name="id342495"></a> + Domain user access rights and file ownership/access controls can be set + from the single Domain Security Account Manager (SAM) database + (works with domain member servers as well as with MS Windows workstations + that are domain members). + </p></li><li><p> + <a class="indexterm" name="id342508"></a> + <a class="indexterm" name="id342515"></a> + Only <span class="application">MS Windows NT4/200x/XP Professional</span> + workstations that are domain members can use network logon facilities. + </p></li><li><p> + <a class="indexterm" name="id342533"></a> + <a class="indexterm" name="id342540"></a> + <a class="indexterm" name="id342546"></a> + <a class="indexterm" name="id342553"></a> + Domain member workstations can be better controlled through the use of + policy files (<code class="filename">NTConfig.POL</code>) and desktop profiles. + </p></li><li><p> + <a class="indexterm" name="id342571"></a> + <a class="indexterm" name="id342578"></a> + <a class="indexterm" name="id342585"></a> + Through the use of logon scripts, users can be given transparent access to network + applications that run off application servers. + </p></li><li><p> + <a class="indexterm" name="id342597"></a> + <a class="indexterm" name="id342604"></a> + <a class="indexterm" name="id342610"></a> + <a class="indexterm" name="id342617"></a> + Network administrators gain better application and user access management + abilities because there is no need to maintain user accounts on any network + client or server other than the central domain database + (either NT4/Samba SAM-style domain, NT4 domain that is backend-ed with an + LDAP directory, or via an Active Directory infrastructure). + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="machine-trust-accounts"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div></div><p> +<a class="indexterm" name="id342641"></a> +<a class="indexterm" name="id342648"></a> +<a class="indexterm" name="id342655"></a> +<a class="indexterm" name="id342662"></a> +A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to +the domain controller server. In Windows terminology, this is known as a “<span class="quote">computer account.</span>” The +purpose of the machine trust account is to prevent a rogue user and domain controller from colluding to gain +access to a domain member workstation. +</p><p> +<a class="indexterm" name="id342678"></a> +<a class="indexterm" name="id342687"></a> +<a class="indexterm" name="id342694"></a> +<a class="indexterm" name="id342701"></a> +<a class="indexterm" name="id342708"></a> +The password of a Machine Trust Account acts as the shared secret for secure communication with the domain +controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from +joining the domain, participating in domain security operations, and gaining access to domain user/group +accounts. Windows NT/200x/XP Professional clients use machine trust accounts, but Windows 9x/Me/XP Home +clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a domain because it does not +possess a Machine Trust Account, and, thus, has no shared secret with the domain controller. +</p><p> +<a class="indexterm" name="id342723"></a> +<a class="indexterm" name="id342730"></a> +<a class="indexterm" name="id342736"></a> +<a class="indexterm" name="id342743"></a> +A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. +The introduction of MS Windows 2000 saw the introduction of Active Directory, +the new repository for Machine Trust Accounts. A Samba PDC, however, stores +each Machine Trust Account in two parts, +as follows: + +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id342758"></a> + <a class="indexterm" name="id342764"></a> + <a class="indexterm" name="id342771"></a> + A domain security account (stored in the <a class="indexterm" name="id342779"></a>passdb backend) that has been configured in + the <code class="filename">smb.conf</code> file. The precise nature of the account information that is stored depends on the type of + backend database that has been chosen. + </p><p> + <a class="indexterm" name="id342796"></a> + <a class="indexterm" name="id342803"></a> + <a class="indexterm" name="id342810"></a> + <a class="indexterm" name="id342816"></a> + <a class="indexterm" name="id342823"></a> + <a class="indexterm" name="id342830"></a> + The older format of this data is the <code class="filename">smbpasswd</code> database + that contains the UNIX login ID, the UNIX user identifier (UID), and the + LanMan and NT-encrypted passwords. There is also some other information in + this file that we do not need to concern ourselves with here. + </p><p> + <a class="indexterm" name="id342850"></a> + <a class="indexterm" name="id342857"></a> + <a class="indexterm" name="id342864"></a> + <a class="indexterm" name="id342870"></a> + The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older + <code class="filename">smbpasswd</code> file did. The extra information enables new user account controls to be + implemented. + </p></li><li><p> + <a class="indexterm" name="id342889"></a> + <a class="indexterm" name="id342896"></a> + A corresponding UNIX account, typically stored in <code class="filename">/etc/passwd</code>. Work is in progress to + allow a simplified mode of operation that does not require UNIX user accounts, but this has not been a feature + of the early releases of Samba-3, and is not currently planned for release either. + </p></li></ul></div><p> +</p><p> +<a class="indexterm" name="id342920"></a> +There are three ways to create Machine Trust Accounts: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id342935"></a> + Manual creation from the UNIX/Linux command line. Here, both the Samba and + corresponding UNIX account are created by hand. + </p></li><li><p> + <a class="indexterm" name="id342948"></a> + <a class="indexterm" name="id342954"></a> + Using the MS Windows NT4 Server Manager, either from an NT4 domain member + server or using the Nexus toolkit available from the Microsoft Web site. + This tool can be run from any MS Windows machine as long as the user is + logged on as the administrator account. + </p></li><li><p> + <a class="indexterm" name="id342968"></a> + <a class="indexterm" name="id342975"></a> + “<span class="quote">On-the-fly</span>” creation. The Samba Machine Trust Account is automatically + created by Samba at the time the client is joined to the domain. + (For security, this is the recommended method.) The corresponding UNIX + account may be created automatically or manually. + </p></li></ul></div><p> +<a class="indexterm" name="id342991"></a> +<a class="indexterm" name="id342998"></a> +Neither MS Windows NT4/200x/XP Professional, nor Samba, provide any method for enforcing the method of machine +trust account creation. This is a matter of the administrator's choice. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id343010"></a>Manual Creation of Machine Trust Accounts</h3></div></div></div><p> +<a class="indexterm" name="id343018"></a> +<a class="indexterm" name="id343025"></a> +<a class="indexterm" name="id343030"></a> +<a class="indexterm" name="id343037"></a> +The first step in manually creating a Machine Trust Account is to manually +create the corresponding UNIX account in <code class="filename">/etc/passwd</code>. +This can be done using <code class="literal">vipw</code> or another “<span class="quote">adduser</span>” command +that is normally used to create new UNIX accounts. The following is an example for +a Linux-based Samba server: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/usr/sbin/useradd -g machines -d /var/lib/nobody \ + -c <em class="replaceable"><code>"machine nickname"</code></em> \ + -s /bin/false <em class="replaceable"><code>machine_name</code></em>$ </code></strong> + +<code class="prompt">root# </code><strong class="userinput"><code>passwd -l <em class="replaceable"><code>machine_name</code></em>$</code></strong> +</pre><p> +</p><p> +<a class="indexterm" name="id343102"></a> +<a class="indexterm" name="id343109"></a> +<a class="indexterm" name="id343116"></a> +In the example above there is an existing system group “<span class="quote">machines</span>” which is used +as the primary group for all machine accounts. In the following examples the “<span class="quote">machines</span>” group +numeric GID is 100. +</p><p> +<a class="indexterm" name="id343135"></a> +<a class="indexterm" name="id343142"></a> +On *BSD systems, this can be done using the <code class="literal">chpass</code> utility: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>chpass -a \ +'<em class="replaceable"><code>machine_name</code></em>$:*:101:100::0:0:Windows <em class="replaceable"><code>machine_name</code></em>:/dev/null:/sbin/nologin'</code></strong> +</pre><p> +</p><p> +<a class="indexterm" name="id343181"></a> +<a class="indexterm" name="id343188"></a> +<a class="indexterm" name="id343195"></a> +<a class="indexterm" name="id343202"></a> +The <code class="filename">/etc/passwd</code> entry will list the machine name +with a “<span class="quote">$</span>” appended, and will not have a password, will have a null shell and no +home directory. For example, a machine named “<span class="quote">doppy</span>” would have an +<code class="filename">/etc/passwd</code> entry like this: +</p><pre class="programlisting"> +doppy$:x:505:100:<em class="replaceable"><code>machine_nickname</code></em>:/dev/null:/bin/false +</pre><p> +</p><p> +<a class="indexterm" name="id343242"></a> +<a class="indexterm" name="id343248"></a> +<a class="indexterm" name="id343255"></a> +in which <em class="replaceable"><code>machine_nickname</code></em> can be any +descriptive name for the client, such as BasementComputer. +<em class="replaceable"><code>machine_name</code></em> absolutely must be the NetBIOS +name of the client to be joined to the domain. The “<span class="quote">$</span>” must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a Machine Trust Account. +</p><p> +<a class="indexterm" name="id343278"></a> +<a class="indexterm" name="id343285"></a> +<a class="indexterm" name="id343292"></a> +Now that the corresponding UNIX account has been created, the next step is to create +the Samba account for the client containing the well-known initial +Machine Trust Account password. This can be done using the +<code class="literal">smbpasswd</code> command +as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a -m <em class="replaceable"><code>machine_name</code></em></code></strong> +</pre><p> +</p><p> +<a class="indexterm" name="id343330"></a> +<a class="indexterm" name="id343337"></a> +<a class="indexterm" name="id343344"></a> +<a class="indexterm" name="id343350"></a> +where <em class="replaceable"><code>machine_name</code></em> is the machine's NetBIOS +name. The RID of the new machine account is generated from the UID of +the corresponding UNIX account. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Join the client to the domain immediately</h3><p> +<a class="indexterm" name="id343371"></a> +<a class="indexterm" name="id343378"></a> +<a class="indexterm" name="id343384"></a> +<a class="indexterm" name="id343391"></a> +<a class="indexterm" name="id343398"></a> +Manually creating a Machine Trust Account using this method is the +equivalent of creating a Machine Trust Account on a Windows NT PDC using +<a class="indexterm" name="id343406"></a> +the <span class="application">Server Manager</span>. From the time at which the +account is created to the time the client joins the domain and +changes the password, your domain is vulnerable to an intruder joining +your domain using a machine with the same NetBIOS name. A PDC inherently +trusts members of the domain and will serve out a large degree of user +information to such clients. You have been warned! +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id343425"></a>Managing Domain Machine Accounts using NT4 Server Manager</h3></div></div></div><p> +<a class="indexterm" name="id343433"></a> +<a class="indexterm" name="id343440"></a> +<a class="indexterm" name="id343447"></a> +A working <a class="indexterm" name="id343454"></a>add machine script is essential +for machine trust accounts to be automatically created. This applies no matter whether +you use automatic account creation or the NT4 Domain Server Manager. +</p><p> +<a class="indexterm" name="id343466"></a> +<a class="indexterm" name="id343473"></a> +<a class="indexterm" name="id343480"></a> +<a class="indexterm" name="id343486"></a> +If the machine from which you are trying to manage the domain is an +<span class="application">MS Windows NT4 workstation or MS Windows 200x/XP Professional</span>, +the tool of choice is the package called <code class="literal">SRVTOOLS.EXE</code>. +When executed in the target directory it will unpack <code class="literal">SrvMgr.exe</code> +and <code class="literal">UsrMgr.exe</code> (both are domain management tools for MS Windows NT4 workstation). +</p><p> +<a class="indexterm" name="id343522"></a> +<a class="indexterm" name="id343529"></a> +If your workstation is a <span class="application">Microsoft Windows 9x/Me</span> family product, + you should download the <code class="literal">Nexus.exe</code> package from the Microsoft Web site. +When executed from the target directory, it will unpack the same tools but for use on +this platform. +</p><p> +Further information about these tools may be obtained from Knowledge Base articles +<a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673" target="_top">173673</a>, and +<a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540" target="_top">172540</a> +</p><p> +<a class="indexterm" name="id343570"></a> +<a class="indexterm" name="id343576"></a> +Launch the <code class="literal">srvmgr.exe</code> (Server Manager for Domains) and follow these steps: +</p><div class="procedure"><a name="id343591"></a><p class="title"><b>Procedure 6.1. Server Manager Account Machine Account Management</b></p><ol type="1"><li><p> + From the menu select <span class="guimenu">Computer</span>. + </p></li><li><p> + Click <span class="guimenuitem">Select Domain</span>. + </p></li><li><p> + Click the name of the domain you wish to administer in the + <span class="guilabel">Select Domain</span> panel and then click + <span class="guibutton">OK</span>. + </p></li><li><p> + Again from the menu select <span class="guimenu">Computer</span>. + </p></li><li><p> + Select <span class="guimenuitem">Add to Domain</span>. + </p></li><li><p> + In the dialog box, click the radio button to + <span class="guilabel">Add NT Workstation of Server</span>, then + enter the machine name in the field provided, and click the + <span class="guibutton">Add</span> button. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id343687"></a>On-the-Fly Creation of Machine Trust Accounts</h3></div></div></div><p> +<a class="indexterm" name="id343695"></a> +The third (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to +create them as needed when the client is joined to the domain. +</p><p> +<a class="indexterm" name="id343709"></a> +<a class="indexterm" name="id343718"></a> +<a class="indexterm" name="id343725"></a> +Since each Samba Machine Trust Account requires a corresponding UNIX account, a method +for automatically creating the UNIX account is usually supplied; this requires configuration of the +add machine script option in <code class="filename">smb.conf</code>. This method is not required; however, corresponding UNIX +accounts may also be created manually. +</p><p> +<a class="indexterm" name="id343744"></a> +<a class="indexterm" name="id343751"></a> +Here is an example for a Red Hat Linux system: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id343772"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</code></em></td></tr></table><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id343788"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div></div><p> +The procedure for making an MS Windows workstation or server a member of the domain varies +with the version of Windows. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id343797"></a>Windows 200x/XP Professional Client</h4></div></div></div><p> +<a class="indexterm" name="id343805"></a> +<a class="indexterm" name="id343812"></a> +<a class="indexterm" name="id343821"></a> +<a class="indexterm" name="id343828"></a> + When the user elects to make the client a domain member, Windows 200x prompts for + an account and password that has privileges to create machine accounts in the domain. + A Samba administrator account (i.e., a Samba account that has <code class="constant">root</code> privileges on the + Samba server) must be entered here; the operation will fail if an ordinary user + account is given. + </p><p> +<a class="indexterm" name="id343844"></a> +<a class="indexterm" name="id343851"></a> + For security reasons, the password for this administrator account should be set + to a password that is other than that used for the root user in <code class="filename">/etc/passwd</code>. + </p><p> +<a class="indexterm" name="id343868"></a> +<a class="indexterm" name="id343875"></a> +<a class="indexterm" name="id343882"></a> +<a class="indexterm" name="id343889"></a> + The name of the account that is used to create domain member machine trust accounts can be + anything the network administrator may choose. If it is other than <code class="constant">root</code>, + then this is easily mapped to <code class="constant">root</code> in the file named in the <code class="filename">smb.conf</code> parameter + <a class="indexterm" name="id343910"></a>username map = /etc/samba/smbusers. + </p><p> +<a class="indexterm" name="id343921"></a> +<a class="indexterm" name="id343928"></a> +<a class="indexterm" name="id343934"></a> + The session key of the Samba administrator account acts as an encryption key for setting the password of the machine trust + account. The Machine Trust Account will be created on-the-fly, or updated if it already exists. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id343945"></a>Windows NT4 Client</h4></div></div></div><p> +<a class="indexterm" name="id343953"></a> +<a class="indexterm" name="id343960"></a> +<a class="indexterm" name="id343967"></a> + If the Machine Trust Account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box <span class="guilabel">Create a Computer Account in the Domain</span>. + In this case, the existing Machine Trust Account is used to join the machine + to the domain. + </p><p> +<a class="indexterm" name="id343985"></a> +<a class="indexterm" name="id343992"></a> +<a class="indexterm" name="id343999"></a> +<a class="indexterm" name="id344005"></a> + If the Machine Trust Account is to be created on the fly, on the Identification Changes menu enter the domain + name and check the box <span class="guilabel">Create a Computer Account in the Domain</span>. In this case, joining + the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrator account when + prompted). + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id344023"></a>Samba Client</h4></div></div></div><p> +<a class="indexterm" name="id344031"></a> + Joining a Samba client to a domain is documented in <a href="domain-member.html#domain-member-server" title="Domain Member Server">the next section</a>. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domain-member-server"></a>Domain Member Server</h2></div></div></div><p> +<a class="indexterm" name="id344059"></a> +<a class="indexterm" name="id344066"></a> +<a class="indexterm" name="id344073"></a> +<a class="indexterm" name="id344080"></a> +This mode of server operation involves the Samba machine being made a member +of a domain security context. This means by definition that all user +authentication will be done from a centrally defined authentication regime. +The authentication regime may come from an NT3/4-style (old domain technology) +server, or it may be provided from an Active Directory server (ADS) running on +MS Windows 2000 or later. +</p><p> +<span class="emphasis"><em> +<a class="indexterm" name="id344095"></a> +<a class="indexterm" name="id344104"></a> +<a class="indexterm" name="id344111"></a> +<a class="indexterm" name="id344118"></a> +<a class="indexterm" name="id344125"></a> +<a class="indexterm" name="id344131"></a> +<a class="indexterm" name="id344138"></a> +<a class="indexterm" name="id344145"></a> +Of course it should be clear that the authentication backend itself could be +from any distributed directory architecture server that is supported by Samba. +This can be LDAP (from OpenLDAP), or Sun's iPlanet, or Novell e-Directory +Server, and so on. +</em></span> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id344159"></a> +<a class="indexterm" name="id344166"></a> +<a class="indexterm" name="id344173"></a> +When Samba is configured to use an LDAP or other identity management and/or +directory service, it is Samba that continues to perform user and machine +authentication. It should be noted that the LDAP server does not perform +authentication handling in place of what Samba is designed to do. +</p></div><p> +<a class="indexterm" name="id344185"></a> +<a class="indexterm" name="id344192"></a> +<a class="indexterm" name="id344199"></a> +Please refer to <a href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>, for more information regarding +how to create a domain machine account for a domain member server as well as for +information on how to enable the Samba domain member machine to join the domain +and be fully trusted by it. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id344216"></a>Joining an NT4-type Domain with Samba-3</h3></div></div></div><p><a href="domain-member.html#assumptions" title="Table 6.1. Assumptions">Assumptions</a> lists names that are used in the remainder of this chapter.</p><div class="table"><a name="assumptions"></a><p class="title"><b>Table 6.1. Assumptions</b></p><div class="table-contents"><table summary="Assumptions" border="1"><colgroup><col align="right"><col align="left"></colgroup><tbody><tr><td align="right">Samba DMS NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="right">Windows 200x/NT domain name:</td><td align="left">MIDEARTH</td></tr><tr><td align="right">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="right">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="id344298"></a> +First, you must edit your <code class="filename">smb.conf</code> file to tell Samba it should now use domain security. +</p><p> +<a class="indexterm" name="id344314"></a> +<a class="indexterm" name="id344321"></a> +<a class="indexterm" name="id344327"></a> +<a class="indexterm" name="id344334"></a> +Change (or add) your <a class="indexterm" name="id344341"></a>security line in the [global] section +of your <code class="filename">smb.conf</code> to read: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id344360"></a><em class="parameter"><code>security = domain</code></em></td></tr></table><p> +Note that if the parameter <em class="parameter"><code>security = user</code></em> is used, this machine would function as a +standalone server and not as a domain member server. Domain security mode causes Samba to work within the +domain security context. +</p><p> +Next change the <a class="indexterm" name="id344384"></a>workgroup line in the <em class="parameter"><code>[global]</code></em> +section to read: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id344402"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr></table><p> +This is the name of the domain we are joining. +</p><p> +<a class="indexterm" name="id344419"></a> +<a class="indexterm" name="id344425"></a> +You must also have the parameter <a class="indexterm" name="id344432"></a>encrypt passwords +set to <code class="constant">yes</code> in order for your users to authenticate to the NT PDC. +This is the default setting if this parameter is not specified. There is no need to specify this +parameter, but if it is specified in the <code class="filename">smb.conf</code> file, it must be set to <code class="constant">Yes</code>. +</p><p> +<a class="indexterm" name="id344457"></a> +<a class="indexterm" name="id344464"></a> +<a class="indexterm" name="id344470"></a> +<a class="indexterm" name="id344477"></a> +Finally, add (or modify) a <a class="indexterm" name="id344484"></a>password server line in the [global] +section to read: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id344497"></a><em class="parameter"><code>password server = DOMPDC DOMBDC1 DOMBDC2</code></em></td></tr></table><p> +These are the PDC and BDCs Samba +will attempt to contact in order to authenticate users. Samba will +try to contact each of these servers in order, so you may want to +rearrange this list in order to spread out the authentication load +among Domain Controllers. +</p><p> +<a class="indexterm" name="id344515"></a> +<a class="indexterm" name="id344522"></a> +<a class="indexterm" name="id344529"></a> +<a class="indexterm" name="id344536"></a> +Alternatively, if you want smbd to determine automatically the list of domain controllers to use for +authentication, you may set this line to be: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id344550"></a><em class="parameter"><code>password server = *</code></em></td></tr></table><p> +<a class="indexterm" name="id344562"></a> +This method allows Samba to use exactly the same mechanism that NT does. The +method either uses broadcast-based name resolution, performs a WINS database +lookup in order to find a domain controller against which to authenticate, +or locates the domain controller using DNS name resolution. +</p><p> +To join the domain, run this command: +<a class="indexterm" name="id344575"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -S DOMPDC -U<em class="replaceable"><code>Administrator%password</code></em></code></strong> +</pre><p> +</p><p> +<a class="indexterm" name="id344608"></a> +<a class="indexterm" name="id344614"></a> +<a class="indexterm" name="id344621"></a> +<a class="indexterm" name="id344628"></a> +If the <code class="option">-S DOMPDC</code> argument is not given, the domain name will be obtained from <code class="filename">smb.conf</code> and +the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name +look up. +</p><p> +<a class="indexterm" name="id344649"></a> +<a class="indexterm" name="id344656"></a> +<a class="indexterm" name="id344662"></a> +<a class="indexterm" name="id344669"></a> +The machine is joining the domain DOM, and the PDC for that domain (the only machine +that has write access to the domain SAM database) is DOMPDC; therefore, use the <code class="option">-S</code> +option. The <em class="replaceable"><code>Administrator%password</code></em> is the login name and +password for an account that has the necessary privilege to add machines to the +domain. If this is successful, you will see the following message in your terminal window. +Where the older NT4-style domain architecture is used: +</p><pre class="screen"> +<code class="computeroutput">Joined domain DOM.</code> +</pre><p> +</p><p> +<a class="indexterm" name="id344701"></a> +<a class="indexterm" name="id344712"></a> +<a class="indexterm" name="id344719"></a> +Where Active Directory is used, the command used to join the ADS domain is: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads join -U<em class="replaceable"><code>Administrator%password</code></em> +</pre><p> +And the following output is indicative of a successful outcome: +</p><pre class="screen"> +<code class="computeroutput">Joined SERV1 to realm MYREALM.</code> +</pre><p> +</p><p> +Refer to the <code class="literal">net</code> man page and to <a href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">the chapter on remote +administration</a> for further information. +</p><p> +<a class="indexterm" name="id344773"></a> +<a class="indexterm" name="id344780"></a> +<a class="indexterm" name="id344787"></a> +This process joins the server to the domain without separately having to create the machine +trust account on the PDC beforehand. +</p><p> +<a class="indexterm" name="id344798"></a> +<a class="indexterm" name="id344807"></a> +<a class="indexterm" name="id344814"></a> +<a class="indexterm" name="id344821"></a> +This command goes through the machine account password change protocol, then writes the new (random) machine +account password for this Samba server into a file in the same directory in which a smbpasswd file would be +normally stored. The trust account information that is needed by the DMS is written into the file +<code class="filename">/usr/local/samba/private/secrets.tdb</code> or <code class="filename">/etc/samba/secrets.tdb</code>. +</p><p> +<a class="indexterm" name="id344845"></a> +<a class="indexterm" name="id344852"></a> +This file is created and owned by root and is not readable by any other user. It is +the key to the domain-level security for your system and should be treated as carefully +as a shadow password file. +</p><p> +<a class="indexterm" name="id344864"></a> +<a class="indexterm" name="id344871"></a> +<a class="indexterm" name="id344878"></a> +Finally, restart your Samba daemons and get ready for clients to begin using domain +security. The way you can restart your Samba daemons depends on your distribution, +but in most cases the following will suffice: +</p><pre class="screen"> +<code class="prompt">root# </code>/etc/init.d/samba restart +</pre><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id344900"></a>Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</h3></div></div></div><p> +<a class="indexterm" name="id344914"></a> +<a class="indexterm" name="id344920"></a> +<a class="indexterm" name="id344927"></a> +Currently, domain security in Samba does not free you from having to create local UNIX users to represent the +users attaching to your server. This means that if domain user <code class="constant">DOM\fred</code> attaches to your +domain security Samba server, there needs to be a local UNIX user fred to represent that user in the UNIX file +system. This is similar to the older Samba security mode <a class="indexterm" name="id344941"></a>security = server, where Samba would pass through the authentication request to a Windows +NT server in the same way as a Windows 95 or Windows 98 server would. +</p><p> +<a class="indexterm" name="id344952"></a> +<a class="indexterm" name="id344959"></a> +<a class="indexterm" name="id344966"></a> +Please refer to <a href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>, for information on a system +to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups. +</p><p> +<a class="indexterm" name="id344984"></a> +<a class="indexterm" name="id344990"></a> +<a class="indexterm" name="id344997"></a> +The advantage of domain-level security is that the authentication in domain-level security is passed down the +authenticated RPC channel in exactly the same way that an NT server would do it. This means Samba servers now +participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba +servers into a resource domain and have the authentication passed on from a resource domain PDC to an account +domain PDC). +</p><p> +<a class="indexterm" name="id345011"></a> +<a class="indexterm" name="id345018"></a> +<a class="indexterm" name="id345024"></a> +In addition, with <a class="indexterm" name="id345031"></a>security = server, every Samba daemon on a server has to +keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the +connection resources on a Microsoft NT server and cause it to run out of available connections. With +<a class="indexterm" name="id345040"></a>security = domain, however, the Samba daemons connect to the PDC or BDC +only for as long as is necessary to authenticate the user and then drop the connection, thus conserving PDC +connection resources. +</p><p> +<a class="indexterm" name="id345052"></a> +<a class="indexterm" name="id345059"></a> +<a class="indexterm" name="id345065"></a> +<a class="indexterm" name="id345072"></a> +Finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the +authentication reply, the Samba server gets the user identification information such as the user SID, the list +of NT groups the user belongs to, and so on. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Much of the text of this document was first published in the Web magazine +<a href="http://www.linuxworld.com" target="_top"><span class="emphasis"><em>LinuxWorld</em></span></a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" target="_top">http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html</a> +<span class="emphasis"><em>Doing the NIS/NT Samba</em></span>. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ads-member"></a>Samba ADS Domain Membership</h2></div></div></div><p> +<a class="indexterm" name="id345119"></a> +<a class="indexterm" name="id345125"></a> +<a class="indexterm" name="id345134"></a> +<a class="indexterm" name="id345141"></a> +This is a rough guide to setting up Samba-3 with Kerberos authentication against a +Windows 200x KDC. A familiarity with Kerberos is assumed. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345150"></a>Configure <code class="filename">smb.conf</code></h3></div></div></div><p> +You must use at least the following three options in <code class="filename">smb.conf</code>: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id345175"></a><em class="parameter"><code>realm = your.kerberos.REALM</code></em></td></tr><tr><td><a class="indexterm" name="id345188"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td># The following parameter need only be specified if present.</td></tr><tr><td># The default setting if not present is Yes.</td></tr><tr><td><a class="indexterm" name="id345208"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr></table><p> +<a class="indexterm" name="id345223"></a> +<a class="indexterm" name="id345229"></a> +<a class="indexterm" name="id345236"></a> +<a class="indexterm" name="id345243"></a> +<a class="indexterm" name="id345249"></a> +In case samba cannot correctly identify the appropriate ADS server using the realm name, use the +<a class="indexterm" name="id345257"></a>password server option in <code class="filename">smb.conf</code>: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id345276"></a><em class="parameter"><code>password server = your.kerberos.server</code></em></td></tr></table><p> +The most common reason for which Samba may not be able to locate the ADS domain controller is a consequence of +sites maintaining some DNS servers on UNIX systems without regard for the DNS requirements of the ADS +infrastructure. There is no harm in specifying a preferred ADS domain controller using the <em class="parameter"><code>password +server</code></em>. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id345301"></a> +<a class="indexterm" name="id345308"></a> +You do <span class="emphasis"><em>not</em></span> need an smbpasswd file, and older clients will be authenticated as +if <a class="indexterm" name="id345319"></a>security = domain, although it will not do any harm and +allows you to have local users not in the domain. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345329"></a>Configure <code class="filename">/etc/krb5.conf</code></h3></div></div></div><p> +<a class="indexterm" name="id345341"></a> +<a class="indexterm" name="id345348"></a> +<a class="indexterm" name="id345357"></a> +<a class="indexterm" name="id345364"></a> +With both MIT and Heimdal Kerberos, it is unnecessary to configure the <code class="filename">/etc/krb5.conf</code>, +and it may be detrimental. +</p><p> +<a class="indexterm" name="id345381"></a> +<a class="indexterm" name="id345388"></a> +<a class="indexterm" name="id345394"></a> +<a class="indexterm" name="id345401"></a> +<a class="indexterm" name="id345408"></a> +Microsoft ADS automatically create SRV records in the DNS zone +<em class="parameter"><code>_kerberos._tcp.REALM.NAME</code></em> for each KDC in the realm. This is part +of the installation and configuration process used to create an Active Directory domain. +A KDC is a Kerberos Key Distribution Center and forms an integral part of the Microsoft +active directory infrastructure. +</p><p> +<a class="indexterm" name="id345427"></a> +<a class="indexterm" name="id345433"></a> +<a class="indexterm" name="id345440"></a> +<a class="indexterm" name="id345447"></a> +<a class="indexterm" name="id345454"></a> +<a class="indexterm" name="id345461"></a> +UNIX systems can use kinit and the DES-CBC-MD5 or DES-CBC-CRC encryption types to authenticate to the Windows +2000 KDC. For further information regarding Windows 2000 ADS kerberos interoperability please refer to the +Microsoft Windows 2000 Kerberos <a href="http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp" target="_top">Interoperability</a> +guide. Another very useful document that may be referred to for general information regarding Kerberos +interoperability is <a href="http://www.ietf.org/rfc/rfc1510.txt?number=1510" target="_top">RFC1510</a>. This RFC +explains much of the magic behind the operation of Kerberos. +</p><p> +<a class="indexterm" name="id345487"></a> +<a class="indexterm" name="id345494"></a> +<a class="indexterm" name="id345500"></a> +<a class="indexterm" name="id345507"></a> +<a class="indexterm" name="id345514"></a> +<a class="indexterm" name="id345521"></a> +MIT's, as well as Heimdal's, recent KRB5 libraries default to checking for SRV records, so they will +automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> only allows specifying +a single KDC, even there if there may be more than one. Using the DNS lookup allows the KRB5 +libraries to use whichever KDCs are available. +</p><p> +<a class="indexterm" name="id345539"></a> +When manually configuring <code class="filename">krb5.conf</code>, the minimal configuration is: +</p><pre class="screen"> +[libdefaults] + default_realm = YOUR.KERBEROS.REALM + +[realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } + +[domain_realms] + .kerberos.server = YOUR.KERBEROS.REALM +</pre><p> +</p><p> +<a class="indexterm" name="id345563"></a> +When using Heimdal versions before 0.6, use the following configuration settings: +</p><pre class="screen"> +[libdefaults] + default_realm = YOUR.KERBEROS.REALM + default_etypes = des-cbc-crc des-cbc-md5 + default_etypes_des = des-cbc-crc des-cbc-md5 + +[realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } + +[domain_realms] + .kerberos.server = YOUR.KERBEROS.REALM +</pre><p> +</p><p> +<a class="indexterm" name="id345582"></a> +<a class="indexterm" name="id345588"></a> +Test your config by doing a <strong class="userinput"><code>kinit +<em class="replaceable"><code>USERNAME</code></em>@<em class="replaceable"><code>REALM</code></em></code></strong> and +making sure that your password is accepted by the Win2000 KDC. +</p><p> +<a class="indexterm" name="id345611"></a> +<a class="indexterm" name="id345618"></a> +<a class="indexterm" name="id345624"></a> +<a class="indexterm" name="id345631"></a> +With Heimdal versions earlier than 0.6.x you can use only newly created accounts +in ADS or accounts that have had the password changed once after migration, or +in case of <code class="constant">Administrator</code> after installation. At the +moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6 +(and no default etypes in krb5.conf). Unfortunately, this whole area is still +in a state of flux. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id345649"></a> +<a class="indexterm" name="id345656"></a> +<a class="indexterm" name="id345662"></a> +The realm must be in uppercase or you will get a “<span class="quote"><span class="errorname">Cannot find KDC for +requested realm while getting initial credentials</span></span>” error (Kerberos +is case-sensitive!). +</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id345679"></a> +<a class="indexterm" name="id345686"></a> +<a class="indexterm" name="id345693"></a> +<a class="indexterm" name="id345700"></a> +Time between the two servers must be synchronized. You will get a “<span class="quote"><span class="errorname">kinit(v5): Clock skew too +great while getting initial credentials</span></span>” if the time difference (clock skew) is more than five minutes. +</p></div><p> +<a class="indexterm" name="id345716"></a> +<a class="indexterm" name="id345723"></a> +Clock skew limits are configurable in the Kerberos protocols. The default setting is five minutes. +</p><p> +<a class="indexterm" name="id345734"></a> +<a class="indexterm" name="id345740"></a> +<a class="indexterm" name="id345747"></a> +<a class="indexterm" name="id345753"></a> +You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that +this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain +attached) or it can be the NetBIOS name followed by the realm. +</p><p> +<a class="indexterm" name="id345766"></a> +<a class="indexterm" name="id345773"></a> +<a class="indexterm" name="id345779"></a> +The easiest way to ensure you get this right is to add a <code class="filename">/etc/hosts</code> entry mapping the IP +address of your KDC to its NetBIOS name. If you do not get this correct, then you will get a <span class="errorname">local +error</span> when you try to join the realm. +</p><p> +<a class="indexterm" name="id345800"></a> +<a class="indexterm" name="id345807"></a> +<a class="indexterm" name="id345814"></a> +<a class="indexterm" name="id345821"></a> +If all you want is Kerberos support in <span class="application">smbclient</span>, then you can skip directly to <a href="domain-member.html#ads-test-smbclient" title="Testing with smbclient">Testing with <span class="application">smbclient</span></a> now. <a href="domain-member.html#ads-create-machine-account" title="Create the Computer Account">Create the Computer Account</a> and <a href="domain-member.html#ads-test-server" title="Testing Server Setup">Testing Server Setup</a> are needed only if you want Kerberos support for <span class="application">smbd</span> +and <span class="application">winbindd</span>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-create-machine-account"></a>Create the Computer Account</h3></div></div></div><p> +<a class="indexterm" name="id345887"></a> +<a class="indexterm" name="id345894"></a> +<a class="indexterm" name="id345900"></a> +<a class="indexterm" name="id345907"></a> +As a user who has write permission on the Samba private directory (usually root), run: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>net ads join -U Administrator%password</code></strong> +</pre><p> +The Administrator account can be any account that has been designated in the ADS domain security settings with +permission to add machines to the ADS domain. It is, of course, a good idea to use an account other than Administrator. +On the UNIX/Linux system, this command must be executed by an account that has UID=0 (root). +</p><p> +<a class="indexterm" name="id345938"></a> +<a class="indexterm" name="id345944"></a> +<a class="indexterm" name="id345951"></a> +<a class="indexterm" name="id345958"></a> +<a class="indexterm" name="id345965"></a> +<a class="indexterm" name="id345971"></a> +When making a Windows client a member of an ADS domain within a complex organization, you +may want to create the machine trust account within a particular organizational unit. Samba-3 permits +this to be done using the following syntax: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>kinit Administrator@your.kerberos.REALM</code></strong> +<code class="prompt">root# </code> <strong class="userinput"><code>net ads join createcomputer="organizational_unit"</code></strong> +</pre><p> +Your ADS manager will be able to advise what should be specified for the "organizational_unit" parameter. +</p><p> +<a class="indexterm" name="id346018"></a> +<a class="indexterm" name="id346025"></a> +<a class="indexterm" name="id346031"></a> +<a class="indexterm" name="id346038"></a> +For example, you may want to create the machine trust account in a container called “<span class="quote">Servers</span>” +under the organizational directory “<span class="quote">Computers/BusinessUnit/Department,</span>” like this: +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>net ads join "Computers/BusinessUnit/Department/Servers"</code></strong> +</pre><p> +This command will place the Samba server machine trust account in the container +<code class="literal">Computers/BusinessUnit/Department/Servers</code>. The container should exist in the ADS directory +before executing this command. Please note that forward slashes must be used, because backslashes are both +valid characters in an OU name and used as escapes for other characters. If you need a backslash in an OU +name, it may need to be quadrupled to pass through the shell escape and ldap escape. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id346082"></a>Possible Errors</h4></div></div></div><p> +</p><div class="variablelist"><dl><dt><span class="term"><span class="errorname">ADS support not compiled in</span></span></dt><dd><p> + <a class="indexterm" name="id346100"></a> + <a class="indexterm" name="id346107"></a> + <a class="indexterm" name="id346114"></a> + Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the + Kerberos libraries and headers files are installed. + </p></dd><dt><span class="term"><span class="errorname">net ads join prompts for user name</span></span></dt><dd><p> + <a class="indexterm" name="id346132"></a> + <a class="indexterm" name="id346139"></a> + You need to log in to the domain using <strong class="userinput"><code>kinit + <em class="replaceable"><code>USERNAME</code></em>@<em class="replaceable"><code>REALM</code></em></code></strong>. + <em class="replaceable"><code>USERNAME</code></em> must be a user who has rights to add a machine to the domain. + </p></dd><dt><span class="term">Unsupported encryption/or checksum types</span></dt><dd><p> + <a class="indexterm" name="id346171"></a> + <a class="indexterm" name="id346178"></a> + <a class="indexterm" name="id346185"></a> + Make sure that the <code class="filename">/etc/krb5.conf</code> is correctly configured + for the type and version of Kerberos installed on the system. + </p></dd></dl></div><p> +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-server"></a>Testing Server Setup</h3></div></div></div><p> +<a class="indexterm" name="id346215"></a> +<a class="indexterm" name="id346221"></a> +<a class="indexterm" name="id346228"></a> +If the join was successful, you will see a new computer account with the +NetBIOS name of your Samba server in Active Directory (in the “<span class="quote">Computers</span>” +folder under Users and Computers. +</p><p> +<a class="indexterm" name="id346243"></a> +<a class="indexterm" name="id346250"></a> +<a class="indexterm" name="id346259"></a> +On a Windows 2000 client, try <strong class="userinput"><code>net use * \\server\share</code></strong>. You should +be logged in with Kerberos without needing to know a password. If this fails, then run +<strong class="userinput"><code>klist tickets</code></strong>. Did you get a ticket for the server? Does it have +an encryption type of DES-CBC-MD5? +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id346284"></a> +<a class="indexterm" name="id346291"></a> +<a class="indexterm" name="id346297"></a> +Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-smbclient"></a>Testing with <span class="application">smbclient</span></h3></div></div></div><p> +<a class="indexterm" name="id346323"></a> +<a class="indexterm" name="id346329"></a> +<a class="indexterm" name="id346336"></a> +On your Samba server try to log in to a Windows 2000 server or your Samba +server using <span class="application">smbclient</span> and Kerberos. Use <span class="application">smbclient</span> as usual, but +specify the <code class="option">-k</code> option to choose Kerberos authentication. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346362"></a>Notes</h3></div></div></div><p> +<a class="indexterm" name="id346370"></a> +<a class="indexterm" name="id346376"></a> +<a class="indexterm" name="id346383"></a> +You must change the administrator password at least once after installing a domain controller, +to create the right encryption types. +</p><p> +<a class="indexterm" name="id346394"></a> +<a class="indexterm" name="id346401"></a> +<a class="indexterm" name="id346408"></a> +Windows 200x does not seem to create the <em class="parameter"><code>_kerberos._udp</code></em> and +<em class="parameter"><code>_ldap._tcp</code></em> in the default DNS setup. Perhaps this will be fixed later in service packs. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id346431"></a>Sharing User ID Mappings between Samba Domain Members</h2></div></div></div><p> +<a class="indexterm" name="id346439"></a> +<a class="indexterm" name="id346446"></a> +<a class="indexterm" name="id346453"></a> +<a class="indexterm" name="id346459"></a> +Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs). +These mappings are done by the <em class="parameter"><code>idmap</code></em> subsystem of Samba. +</p><p> +<a class="indexterm" name="id346476"></a> +<a class="indexterm" name="id346483"></a> +<a class="indexterm" name="id346490"></a> +In some cases it is useful to share these mappings between Samba domain members, +so <span class="emphasis"><em>name->id</em></span> mapping is identical on all machines. +This may be needed in particular when sharing files over both CIFS and NFS. +</p><p> +<a class="indexterm" name="id346505"></a> +<a class="indexterm" name="id346512"></a> +To use the <span class="emphasis"><em>LDAP</em></span> <em class="parameter"><code>ldap idmap suffix</code></em>, set: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id346535"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr></table><p> +See the <code class="filename">smb.conf</code> man page entry for the <a class="indexterm" name="id346556"></a>ldap idmap suffix +parameter for further information. +</p><p> +<a class="indexterm" name="id346567"></a> +<a class="indexterm" name="id346574"></a> +<a class="indexterm" name="id346580"></a> +Do not forget to specify also the <a class="indexterm" name="id346588"></a>ldap admin dn +and to make certain to set the LDAP administrative password into the <code class="filename">secrets.tdb</code> using: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w ldap-admin-password +</pre><p> +In place of <code class="literal">ldap-admin-password</code>, substitute the LDAP administration password for your +system. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id346622"></a>Common Errors</h2></div></div></div><p> +<a class="indexterm" name="id346629"></a> +<a class="indexterm" name="id346636"></a> +In the process of adding/deleting/re-adding domain member machine trust accounts, there are +many traps for the unwary player and many “<span class="quote">little</span>” things that can go wrong. +It is particularly interesting how often subscribers on the Samba mailing list have concluded +after repeated failed attempts to add a machine account that it is necessary to “<span class="quote">reinstall</span>” +MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type +of problem. The real solution is often quite simple, and with an understanding of how MS Windows +networking functions, it is easy to overcome. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346656"></a>Cannot Add Machine Back to Domain</h3></div></div></div><p> +<a class="indexterm" name="id346664"></a> +<a class="indexterm" name="id346671"></a> +“<span class="quote">A Windows workstation was reinstalled. The original domain machine trust +account was deleted and added immediately. The workstation will not join the domain if I use +the same machine name. Attempts to add the machine fail with a message that the machine already +exists on the network I know it does not. Why is this failing?</span>” +</p><p> +<a class="indexterm" name="id346690"></a> +<a class="indexterm" name="id346696"></a> +The original name is still in the NetBIOS name cache and must expire after machine account +deletion before adding that same name as a domain member again. The best advice is to delete +the old account and then add the machine with a new name. Alternately, the name cache can be flushed and +reloaded with current data using the <code class="literal">nbtstat</code> command on the Windows client: +</p><pre class="screen"> +<code class="prompt">C:\> </code> nbtstat -R +</pre><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346726"></a>Adding Machine to Domain Fails</h3></div></div></div><p> +<a class="indexterm" name="id346734"></a> +<a class="indexterm" name="id346740"></a> +“<span class="quote">Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a +message that says, <span class="errorname">"The machine could not be added at this time, there is a network problem. +Please try again later."</span> Why?</span>” +</p><p> +<a class="indexterm" name="id346759"></a> +You should check that there is an <a class="indexterm" name="id346766"></a>add machine script in your <code class="filename">smb.conf</code> +file. If there is not, please add one that is appropriate for your OS platform. If a script +has been defined, you will need to debug its operation. Increase the <a class="indexterm" name="id346780"></a>log level +in the <code class="filename">smb.conf</code> file to level 10, then try to rejoin the domain. Check the logs to see which +operation is failing. +</p><p> +Possible causes include: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id346804"></a> +<a class="indexterm" name="id346811"></a> + The script does not actually exist, or could not be located in the path specified. + </p><p> +<a class="indexterm" name="id346822"></a> +<a class="indexterm" name="id346829"></a> + <span class="emphasis"><em>Corrective action:</em></span> Fix it. Make sure when run manually + that the script will add both the UNIX system account and the Samba SAM account. + </p></li><li><p> +<a class="indexterm" name="id346844"></a> +<a class="indexterm" name="id346851"></a> + The machine could not be added to the UNIX system accounts file <code class="filename">/etc/passwd</code>. + </p><p> +<a class="indexterm" name="id346868"></a> +<a class="indexterm" name="id346874"></a> + <span class="emphasis"><em>Corrective action:</em></span> Check that the machine name is a legal UNIX + system account name. If the UNIX utility <code class="literal">useradd</code> is called, + then make sure that the machine name you are trying to add can be added using this + tool. <code class="literal">Useradd</code> on some systems will not allow any uppercase characters + nor will it allow spaces in the name. + </p></li></ul></div><p> +<a class="indexterm" name="id346903"></a> +<a class="indexterm" name="id346910"></a> +<a class="indexterm" name="id346917"></a> +The <a class="indexterm" name="id346924"></a>add machine script does not create the +machine account in the Samba backend database; it is there only to create a UNIX system +account to which the Samba backend database account can be mapped. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346934"></a>I Can't Join a Windows 2003 PDC</h3></div></div></div><p> +<a class="indexterm" name="id346942"></a> +<a class="indexterm" name="id346949"></a> +<a class="indexterm" name="id346956"></a> +<a class="indexterm" name="id346962"></a> + Windows 2003 requires SMB signing. Client-side SMB signing has been implemented in Samba-3.0. + Set <a class="indexterm" name="id346970"></a>client use spnego = yes when communicating + with a Windows 2003 server. This will not interfere with other Windows clients that do not + support the more advanced security features of Windows 2003 because the client will simply + negotiate a protocol tha both it and the server suppport. This is a well-known fall-back facility + that is built into the SMB/CIFS protocols. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Backup Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Standalone Servers</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/go01.html b/docs/htmldocs/Samba3-HOWTO/go01.html new file mode 100644 index 0000000000..4a9626e1fe --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/go01.html @@ -0,0 +1,100 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Glossary</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="apa.html" title="Appendix A. GNU General Public License version 3"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Glossary</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="apa.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="glossary"><div class="titlepage"><div><div><h2 class="title"><a name="id456447"></a>Glossary</h2></div></div></div><dl><dt>Access Control List</dt><dd><p> + A detailed list of permissions granted to users or groups with respect to file and network resource access. + See <a href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">???</a>, + for details.</p></dd><dt>Active Directory Service</dt><dd><p> + A service unique to Microsoft Windows 200x servers that provides a centrally managed + directory for management of user identities and computer objects, as well as the permissions + each user or computer may be granted to access + distributed network resources. ADS uses Kerberos-based + authentication and LDAP over Kerberos for directory access. + </p></dd><dt>Common Internet File System</dt><dd><p>The new name for SMB. Microsoft renamed the + SMB protocol to CIFS during the Internet hype in the nineties. + At about the time that the SMB protocol was renamed to CIFS, an + additional dialect of the SMB protocol was in development. + The need for the deployment of the NetBIOS layer was also + removed, thus paving the way for use of the SMB protocol natively + over TCP/IP (known as NetBIOS-less SMB or “<span class="quote">naked</span>” TCP transport). + </p></dd><dt>Common UNIX Printing System</dt><dd><p> + A recent implementation of a high capability printing system for UNIX developed by + <a href="http://www.easysw.com/" target="_top">http://www.easysw.com/</a>. The design objective of CUPS was to provide + a rich print processing system that has built-in intelligence capable of correctly rendering (processing) + a file that is submitted for printing even if it was formatted for an entirely different printer. + </p></dd><dt>Domain Master Browser</dt><dd><p>The domain master browser maintains a list of all the servers that + have announced their services within a given workgroup or NT domain. See <a href="NetworkBrowsing.html#DMB" title="Configuring Workgroup Browsing">???</a> for details. + </p></dd><dt>Domain Name Service</dt><dd><p> + A protocol by which computer hostnames may be resolved to the matching IP address/es. DNS is implemented + by the Berkeley Internet Name Daemon. There exists a recent version of DNS that allows dynamic name registration + by network clients or by a DHCP server. This recent protocol is known as dynamic DNS (DDNS). + </p></dd><dt>Dynamic Host Configuration Protocol</dt><dd><p> + A protocol that was based on the BOOTP protocol that may be used to dynamically assign an IP address, + from a reserved pool of addresses, to a network client or device. Additionally, DHCP may assign all + network configuration settings and may be used to register a computer name and its address with a + dynamic DNS server. + </p></dd><dt>Extended Meta-file Format</dt><dd><p> + An intermediate file format used by Microsoft Windows-based servers and clients. EMF files may be + rendered into a page description language by a print processor. + </p></dd><dt>Graphical Device Interface</dt><dd><p> + Device-independent format for printing used by Microsoft Windows. + It is quite similar to what PostScript is for UNIX. Printing jobs are first generated in GDI and + then converted to a device-specific format. See <a href="CUPS-printing.html#gdipost" title="GDI on Windows, PostScript on UNIX">???</a> for details. + </p></dd><dt>Group IDentifier</dt><dd><p> + The UNIX system group identifier; on older systems, a 32-bit unsigned integer, and on newer systems + an unsigned 64-bit integer. The GID is used in UNIX-like operating systems for all group-level access + control. + </p></dd><dt>Internet Print Protocol</dt><dd><p>An IETF standard for network printing. CUPS + implements IPP.</p></dd><dt>Key Distribution Center</dt><dd><p>The Kerberos authentication protocol makes use of security keys (also called a ticket) + by which access to network resources is controlled. The issuing of Kerberos tickets is effected by + a KDC.</p></dd><dt>NetBIOS Extended User Interface</dt><dd><p> + Very simple network protocol invented by IBM and Microsoft. It is used + to do NetBIOS over Ethernet with low overhead. NetBEUI is a nonroutable + protocol. + </p></dd><dt>Network Basic Input/Output System</dt><dd><p> + NetBIOS is a simple application programming interface (API) invented in the 1980s + that allows programs to send data to certain network names. + NetBIOS is always run over another network protocol such + as IPX/SPX, TCP/IP, or Logical Link Control (LLC). NetBIOS run over LLC + is best known as NetBEUI (NetBIOS Extended User Interface a complete misnomer!). + </p></dd><dt>NetBT</dt><dd><p>Protocol for transporting NetBIOS frames over TCP/IP. Uses ports 137, 138, and 139. + NetBT is a fully routable protocol. + </p></dd><dt>Local Master Browser</dt><dd><p>The local master browser maintains a list + of all servers that have announced themselves within a given workgroup or NT domain on a particular + broadcast-isolated subnet. See <a href="NetworkBrowsing.html#DMB" title="Configuring Workgroup Browsing">???</a> for details. + </p></dd><dt>Printer Command Language</dt><dd><p> + A printer page description language that was developed by Hewlett-Packard + and is in common use today. + </p></dd><dt>Portable Document Format</dt><dd><p> + A highly compressed document format, based on PostScript, used as a document distribution format + that is supported by Web browsers as well as many applications. Adobe also distributes an application + called “<span class="quote">Acrobat,</span>” which is a PDF reader. + </p></dd><dt>Page Description Language</dt><dd><p>A language for describing the layout and contents of a printed page. + The best-known PDLs are Adobe PostScript and Hewlett-Packard PCL (Printer Control Language), + both of which are used to control laser printers.</p></dd><dt>PostScript Printer Description</dt><dd><p> + PPDs specify and control options supported by PostScript printers, such as duplexing, stapling, + and DPI. See also <a href="CUPS-printing.html#post-and-ghost" title="PostScript and Ghostscript">???</a>. PPD files can be read by printing applications + to enable correct PostScript page layout for a particular PostScript printer. + </p></dd><dt>Remote Procedure Call</dt><dd><p> + RPCs are a means for executing network operations. The RPC protocol is independent of transport protocols. RPC + does not try to implement any kind of reliability and the application that uses RPCs must be aware of the type + of transport protocol underneath RPC. An RPC is like a programmatic jump subroutine over a network. RPCs used + in the UNIX environment are specified in RFC 1050. RPC is a powerful technique for constructing distributed, + client-server based applications. It is based on extending the notion of conventional, or local procedure + calling, so that the called procedure need not exist in the same address space as the calling procedure. The + two processes may be on the same system, or they may be on different systems with a network connecting them. + By using RPC, programmers of distributed applications avoid the details of the interface with the network. The + transport independence of RPC isolates the application from the physical and logical elements of the data + communications mechanism and allows the application to use a variety of transports. + </p></dd><dt>Server Message Block</dt><dd><p> + SMB was the original name of the protocol `spoken' by + Samba. It was invented in the 1980s by IBM and adopted + and extended further by Microsoft. Microsoft + renamed the protocol to CIFS during the Internet hype in the + 1990s. + </p></dd><dt>User IDentifier</dt><dd><p> + The UNIX system user identifier; on older systems a 32-bit unsigned integer, and on newer systems, + an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user-level access + control. + </p></dd><dt>Universal Naming Convention</dt><dd><p>A syntax for specifying the location of network resources (such as file shares). + The UNC syntax was developed in the early days of MS DOS 3.x and is used internally by the SMB protocol. + </p></dd></dl></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="apa.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Appendix A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/groupmapping.html b/docs/htmldocs/Samba3-HOWTO/groupmapping.html new file mode 100644 index 0000000000..e0d03dc16b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/groupmapping.html @@ -0,0 +1,505 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Group Mapping: MS Windows and UNIX</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Group Mapping: MS Windows and UNIX</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="NetCommand.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. Group Mapping: MS Windows and UNIX</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="groupmapping.html#id367144">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="groupmapping.html#id367529">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367843">Warning: User Private Group Problems</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id368424">Important Administrative Information</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369250">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id369322">Configuration Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id369332">Sample <code class="filename">smb.conf</code> Add Group Script</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369493">Script to Configure Group Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id369607">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id369618">Adding Groups Fails</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369692">Adding Domain Users to the Workstation Power Users Group</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id367026"></a> +<a class="indexterm" name="id367035"></a> +<a class="indexterm" name="id367042"></a> +<a class="indexterm" name="id367048"></a> +<a class="indexterm" name="id367055"></a> +<a class="indexterm" name="id367062"></a> + Starting with Samba-3, new group mapping functionality is available to create associations + between Windows group SIDs and UNIX group GIDs. The <code class="literal">groupmap</code> subcommand + included with the <span class="application">net</span> tool can be used to manage these associations. + </p><p> +<a class="indexterm" name="id367085"></a> +<a class="indexterm" name="id367092"></a> + The new facility for mapping NT groups to UNIX system groups allows the administrator to decide + which NT domain groups are to be exposed to MS Windows clients. Only those NT groups that map + to a UNIX group that has a value other than the default (<code class="constant">-1</code>) will be exposed + in group selection lists in tools that access domain users and groups. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + <a class="indexterm" name="id367110"></a> +<a class="indexterm" name="id367117"></a> + The <em class="parameter"><code>domain admin group</code></em> parameter has been removed in Samba-3 and should no longer + be specified in <code class="filename">smb.conf</code>. In Samba-2.2.x, this parameter was used to give the listed users membership in the + <code class="constant">Domain Admins</code> Windows group, which gave local admin rights on their workstations + (in default configurations). + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367144"></a>Features and Benefits</h2></div></div></div><p> + Samba allows the administrator to create MS Windows NT4/200x group accounts and to + arbitrarily associate them with UNIX/Linux group accounts. + </p><p> + <a class="indexterm" name="id367156"></a> + <a class="indexterm" name="id367163"></a> + <a class="indexterm" name="id367169"></a> +<a class="indexterm" name="id367176"></a> +<a class="indexterm" name="id367183"></a> +<a class="indexterm" name="id367189"></a> +<a class="indexterm" name="id367196"></a> + Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools. + Appropriate interface scripts should be provided in <code class="filename">smb.conf</code> if it is desired that UNIX/Linux system + accounts should be automatically created when these tools are used. In the absence of these scripts, and + so long as <code class="literal">winbindd</code> is running, Samba group accounts that are created using these + tools will be allocated UNIX UIDs and GIDs from the ID range specified by the + <a class="indexterm" name="id367219"></a>idmap uid/<a class="indexterm" name="id367226"></a>idmap gid + parameters in the <code class="filename">smb.conf</code> file. + </p><div class="figure"><a name="idmap-sid2gid"></a><p class="title"><b>Figure 12.1. IDMAP: Group SID-to-GID Resolution.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-sid2gid.png" width="270" alt="IDMAP: Group SID-to-GID Resolution."></div></div></div><br class="figure-break"><div class="figure"><a name="idmap-gid2sid"></a><p class="title"><b>Figure 12.2. IDMAP: GID Resolution to Matching SID.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-gid2sid.png" width="270" alt="IDMAP: GID Resolution to Matching SID."></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id367324"></a> +<a class="indexterm" name="id367330"></a> +<a class="indexterm" name="id367337"></a> +<a class="indexterm" name="id367346"></a> + In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to + <a href="groupmapping.html#idmap-sid2gid" title="Figure 12.1. IDMAP: Group SID-to-GID Resolution.">IDMAP: Group SID-to-GID Resolution</a> and <a href="groupmapping.html#idmap-gid2sid" title="Figure 12.2. IDMAP: GID Resolution to Matching SID.">IDMAP: GID Resolution to Matching SID</a>. The <code class="literal">net groupmap</code> is + used to establish UNIX group to NT SID mappings as shown in <a href="groupmapping.html#idmap-store-gid2sid" title="Figure 12.3. IDMAP Storing Group Mappings.">IDMAP: storing + group mappings</a>. + </p><div class="figure"><a name="idmap-store-gid2sid"></a><p class="title"><b>Figure 12.3. IDMAP Storing Group Mappings.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-store-gid2sid.png" width="270" alt="IDMAP Storing Group Mappings."></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id367427"></a> + <a class="indexterm" name="id367434"></a> +<a class="indexterm" name="id367440"></a> +<a class="indexterm" name="id367447"></a> + Administrators should be aware that where <code class="filename">smb.conf</code> group interface scripts make + direct calls to the UNIX/Linux system tools (the shadow utilities, <code class="literal">groupadd</code>, + <code class="literal">groupdel</code>, and <code class="literal">groupmod</code>), the resulting UNIX/Linux group names will be subject + to any limits imposed by these tools. If the tool does not allow uppercase characters + or space characters, then the creation of an MS Windows NT4/200x-style group of + <code class="literal">Engineering Managers</code> will attempt to create an identically named + UNIX/Linux group, an attempt that will of course fail. + </p><p> + <a class="indexterm" name="id367490"></a> + <a class="indexterm" name="id367497"></a> + There are several possible workarounds for the operating system tools limitation. One + method is to use a script that generates a name for the UNIX/Linux system group that + fits the operating system limits and that then just passes the UNIX/Linux group ID (GID) + back to the calling Samba interface. This will provide a dynamic workaround solution. + </p><p> +<a class="indexterm" name="id367510"></a> + Another workaround is to manually create a UNIX/Linux group, then manually create the + MS Windows NT4/200x group on the Samba server, and then use the <code class="literal">net groupmap</code> + tool to connect the two to each other. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367529"></a>Discussion</h2></div></div></div><p> +<a class="indexterm" name="id367536"></a> +<a class="indexterm" name="id367543"></a> + When you install <span class="application">MS Windows NT4/200x</span> on a computer, the installation + program creates default users and groups, notably the <code class="constant">Administrators</code> group, + and gives that group privileges necessary to perform essential system tasks, + such as the ability to change the date and time or to kill (or close) any process running on the + local machine. + </p><p> + <a class="indexterm" name="id367565"></a> + The <code class="constant">Administrator</code> user is a member of the <code class="constant">Administrators</code> group, and thus inherits + <code class="constant">Administrators</code> group privileges. If a <code class="constant">joe</code> user is created to be a member of the + <code class="constant">Administrators</code> group, <code class="constant">joe</code> has exactly the same rights as the user + <code class="constant">Administrator</code>. + </p><p> +<a class="indexterm" name="id367602"></a> +<a class="indexterm" name="id367609"></a> +<a class="indexterm" name="id367616"></a> +<a class="indexterm" name="id367622"></a> + When an MS Windows NT4/200x/XP machine is made a domain member, the “<span class="quote">Domain Admins</span>” group of the + PDC is added to the local <code class="constant">Administrators</code> group of the workstation. Every member of the + <code class="constant">Domain Admins</code> group inherits the rights of the local <code class="constant">Administrators</code> group when + logging on the workstation. + </p><p> +<a class="indexterm" name="id367649"></a> +<a class="indexterm" name="id367656"></a> + The following steps describe how to make Samba PDC users members of the <code class="constant">Domain Admins</code> group. + </p><div class="orderedlist"><ol type="1"><li><p> + Create a UNIX group (usually in <code class="filename">/etc/group</code>); let's call it <code class="constant">domadm</code>. + </p></li><li><p> +<a class="indexterm" name="id367692"></a> + Add to this group the users that must be “<span class="quote">Administrators</span>”. For example, + if you want <code class="constant">joe, john</code>, and <code class="constant">mary</code> to be administrators, + your entry in <code class="filename">/etc/group</code> will look like this: + </p><pre class="programlisting"> + domadm:x:502:joe,john,mary + </pre><p> + </p></li><li><p> + Map this domadm group to the “<span class="quote">Domain Admins</span>” group by executing the command: + </p><p> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d</code></strong> +</pre><p> + </p><p> + <a class="indexterm" name="id367756"></a> + The quotes around “<span class="quote">Domain Admins</span>” are necessary due to the space in the group name. + Also make sure to leave no white space surrounding the equal character (=). + </p></li></ol></div><p> + Now <code class="constant">joe, john</code>, and <code class="constant">mary</code> are domain administrators. + </p><p> + <a class="indexterm" name="id367783"></a> + It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as + to make any UNIX group a Windows domain group. For example, if you wanted to include a + UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, + you would flag that group as a domain group by running the following on the Samba PDC: + </p><p> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d</code></strong> +</pre><p> + The <code class="literal">ntgroup</code> value must be in quotes if it contains space characters to prevent + the space from being interpreted as a command delimiter. + </p><p> +<a class="indexterm" name="id367825"></a> +<a class="indexterm" name="id367832"></a> + Be aware that the RID parameter is an unsigned 32-bit integer that should + normally start at 1000. However, this RID must not overlap with any RID assigned + to a user. Verification for this is done differently depending on the passdb backend + you are using. Future versions of the tools may perform the verification automatically, + but for now the burden is on you. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367843"></a>Warning: User Private Group Problems</h3></div></div></div><p> +<a class="indexterm" name="id367851"></a> +<a class="indexterm" name="id367858"></a> +<a class="indexterm" name="id367864"></a> + Windows does not permit user and group accounts to have the same name. + This has serious implications for all sites that use private group accounts. + A private group account is an administrative practice whereby users are each + given their own group account. Red Hat Linux, as well as several free distributions + of Linux, by default create private groups. + </p><p> +<a class="indexterm" name="id367878"></a> +<a class="indexterm" name="id367884"></a> + When mapping a UNIX/Linux group to a Windows group account, all conflict can + be avoided by assuring that the Windows domain group name does not overlap + with any user account name. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367895"></a>Nested Groups: Adding Windows Domain Groups to Windows Local Groups</h3></div></div></div><a class="indexterm" name="id367901"></a><p> +<a class="indexterm" name="id367912"></a> + This functionality is known as <code class="constant">nested groups</code> and was first added to + Samba-3.0.3. + </p><p> +<a class="indexterm" name="id367927"></a> + All MS Windows products since the release of Windows NT 3.10 support the use of nested groups. + Many Windows network administrators depend on this capability because it greatly simplifies security + administration. + </p><p> +<a class="indexterm" name="id367939"></a> +<a class="indexterm" name="id367946"></a> +<a class="indexterm" name="id367952"></a> +<a class="indexterm" name="id367959"></a> +<a class="indexterm" name="id367966"></a> +<a class="indexterm" name="id367973"></a> +<a class="indexterm" name="id367980"></a> + The nested group architecture was designed with the premise that day-to-day user and group membership + management should be performed on the domain security database. The application of group security + should be implemented on domain member servers using only local groups. On the domain member server, + all file system security controls are then limited to use of the local groups, which will contain + domain global groups and domain global users. + </p><p> +<a class="indexterm" name="id367993"></a> +<a class="indexterm" name="id368000"></a> +<a class="indexterm" name="id368007"></a> + You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed + the dark depths of Windows networking architecture. Consider for a moment a server on which are stored + 200,000 files, each with individual domain user and domain group settings. The company that owns the + file server is bought by another company, resulting in the server being moved to another location, and then + it is made a member of a different domain. Who would you think now owns all the files and directories? + Answer: Account Unknown. + </p><p> +<a class="indexterm" name="id368022"></a> +<a class="indexterm" name="id368029"></a> +<a class="indexterm" name="id368036"></a> +<a class="indexterm" name="id368042"></a> + Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply + by using local groups to control all file and directory access control. In this case, only the members + of the local groups will have been lost. The files and directories in the storage subsystem will still + be owned by the local groups. The same goes for all ACLs on them. It is administratively much simpler + to delete the <code class="constant">Account Unknown</code> membership entries inside local groups with appropriate + entries for domain global groups in the new domain that the server has been made a member of. + </p><p> +<a class="indexterm" name="id368061"></a> +<a class="indexterm" name="id368068"></a> +<a class="indexterm" name="id368074"></a> +<a class="indexterm" name="id368081"></a> +<a class="indexterm" name="id368088"></a> +<a class="indexterm" name="id368095"></a> +<a class="indexterm" name="id368102"></a> +<a class="indexterm" name="id368109"></a> + Another prominent example of the use of nested groups involves implementation of administrative privileges + on domain member workstations and servers. Administrative privileges are given to all members of the + built-in local group <code class="constant">Administrators</code> on each domain member machine. To ensure that all domain + administrators have full rights on the member server or workstation, on joining the domain, the + <code class="constant">Domain Admins</code> group is added to the local Administrators group. Thus everyone who is + logged into the domain as a member of the Domain Admins group is also granted local administrative + privileges on each domain member. + </p><p> +<a class="indexterm" name="id368131"></a> +<a class="indexterm" name="id368138"></a> +<a class="indexterm" name="id368145"></a> +<a class="indexterm" name="id368152"></a> + UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported + them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in + <code class="filename">/etc/group</code>. This does not work because it was not a design requirement at the time + the UNIX file system security model was implemented. Since Samba-2.2, the winbind daemon can provide + <code class="filename">/etc/group</code> entries on demand by obtaining user and group information from the domain + controller that the Samba server is a member of. + </p><p> +<a class="indexterm" name="id368178"></a> +<a class="indexterm" name="id368184"></a> +<a class="indexterm" name="id368191"></a> +<a class="indexterm" name="id368198"></a> +<a class="indexterm" name="id368205"></a> + In effect, Samba supplements the <code class="filename">/etc/group</code> data via the dynamic + <code class="literal">libnss_winbind</code> mechanism. Beginning with Samba-3.0.3, this facility is used to provide + local groups in the same manner as Windows. It works by expanding the local groups on the + fly as they are accessed. For example, the <code class="constant">Domain Users</code> group of the domain is made + a member of the local group <code class="constant">demo</code>. Whenever Samba needs to resolve membership of the + <code class="constant">demo</code> local (alias) group, winbind asks the domain controller for demo members of the Domain Users + group. By definition, it can only contain user objects, which can then be faked to be member of the + UNIX/Linux group <code class="constant">demo</code>. + </p><p> +<a class="indexterm" name="id368246"></a> +<a class="indexterm" name="id368253"></a> +<a class="indexterm" name="id368259"></a> +<a class="indexterm" name="id368266"></a> +<a class="indexterm" name="id368273"></a> +<a class="indexterm" name="id368280"></a> +<a class="indexterm" name="id368286"></a> + To enable the use of nested groups, <code class="literal">winbindd</code> must be used with NSS winbind. + Creation and administration of the local groups is done best via the Windows Domain User Manager or its + Samba equivalent, the utility <code class="literal">net rpc group</code>. Creating the local group + <code class="constant">demo</code> is achieved by executing: + </p><pre class="screen"> + <code class="prompt">root# </code> net rpc group add demo -L -Uroot%not24get + </pre><p> +<a class="indexterm" name="id368327"></a> +<a class="indexterm" name="id368334"></a> + Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U + switches for accessing the correct host with appropriate user or root privileges. Adding and removing + group members can be done via the <code class="constant">addmem</code> and <code class="constant">delmem</code> subcommands of + <code class="literal">net rpc group</code> command. For example, addition of “<span class="quote">DOM\Domain Users</span>” to the + local group <code class="constant">demo</code> is done by executing: + </p><pre class="screen"> + net rpc group addmem demo "DOM\Domain Users" + </pre><p> +<a class="indexterm" name="id368370"></a> +<a class="indexterm" name="id368377"></a> +<a class="indexterm" name="id368383"></a> +<a class="indexterm" name="id368390"></a> + Having completed these two steps, the execution of <code class="literal">getent group demo</code> will show demo + members of the global <code class="constant">Domain Users</code> group as members of the group + <code class="constant">demo</code>. This also works with any local or domain user. In case the domain DOM trusts + another domain, it is also possible to add global users and groups of the trusted domain as members of + <code class="constant">demo</code>. The users from the foreign domain who are members of the group that has been + added to the <code class="constant">demo</code> group now have the same local access permissions as local domain + users have. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id368424"></a>Important Administrative Information</h3></div></div></div><p> + Administrative rights are necessary in two specific forms: + </p><div class="orderedlist"><ol type="1"><li><p>For Samba-3 domain controllers and domain member servers/clients.</p></li><li><p>To manage domain member Windows workstations.</p></li></ol></div><p> +<a class="indexterm" name="id368453"></a> +<a class="indexterm" name="id368460"></a> +<a class="indexterm" name="id368466"></a> + Versions of Samba up to and including 3.0.10 do not provide a means for assigning rights and privileges + that are necessary for system administration tasks from a Windows domain member client machine, so + domain administration tasks such as adding, deleting, and changing user and group account information, and + managing workstation domain membership accounts, can be handled by any account other than root. + </p><p> +<a class="indexterm" name="id368480"></a> +<a class="indexterm" name="id368487"></a> +<a class="indexterm" name="id368494"></a> + Samba-3.0.11 introduced a new privilege management interface (see <a href="rights.html" title="Chapter 15. User Rights and Privileges">User Rights and Privileges</a>) + that permits these tasks to be delegated to non-root (i.e., accounts other than the equivalent of the + MS Windows Administrator) accounts. + </p><p> +<a class="indexterm" name="id368513"></a> +<a class="indexterm" name="id368519"></a> + Administrative tasks on a Windows domain member workstation can be done by anyone who is a member of the + <code class="constant">Domain Admins</code> group. This group can be mapped to any convenient UNIX group. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id368532"></a>Applicable Only to Versions Earlier than 3.0.11</h4></div></div></div><p> +<a class="indexterm" name="id368540"></a> + Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires + <code class="constant">root</code>-level privilege. The addition of a Windows client to a Samba domain involves the + addition of a user account for the Windows client. + </p><p> +<a class="indexterm" name="id368556"></a> +<a class="indexterm" name="id368563"></a> + Many UNIX administrators continue to request that the Samba Team make it possible to add Windows workstations, or + the ability to add, delete, or modify user accounts, without requiring <code class="constant">root</code> privileges. + Such a request violates every understanding of basic UNIX system security. + </p><p> +<a class="indexterm" name="id368579"></a> +<a class="indexterm" name="id368586"></a> +<a class="indexterm" name="id368592"></a> +<a class="indexterm" name="id368599"></a> +<a class="indexterm" name="id368606"></a> +<a class="indexterm" name="id368613"></a> + There is no safe way to provide access on a UNIX/Linux system without providing + <code class="constant">root</code>-level privileges. Provision of <code class="constant">root</code> privileges can be done + either by logging on to the Domain as the user <code class="constant">root</code> or by permitting particular users to + use a UNIX account that has a UID=0 in the <code class="filename">/etc/passwd</code> database. Users of such accounts + can use tools like the NT4 Domain User Manager and the NT4 Domain Server Manager to manage user and group + accounts as well as domain member server and client accounts. This level of privilege is also needed to manage + share-level ACLs. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id368644"></a>Default Users, Groups, and Relative Identifiers</h3></div></div></div><p> + <a class="indexterm" name="id368652"></a> + <a class="indexterm" name="id368661"></a> +<a class="indexterm" name="id368668"></a> +<a class="indexterm" name="id368674"></a> +<a class="indexterm" name="id368681"></a> +<a class="indexterm" name="id368688"></a> +<a class="indexterm" name="id368695"></a> +<a class="indexterm" name="id368702"></a> + When first installed, Windows NT4/200x/XP are preconfigured with certain user, group, and + alias entities. Each has a well-known RID. These must be preserved for continued + integrity of operation. Samba must be provisioned with certain essential domain groups that require + the appropriate RID value. When Samba-3 is configured to use <code class="constant">tdbsam</code>, the essential + domain groups are automatically created. It is the LDAP administrator's responsibility to create + (provision) the default NT groups. + </p><p> +<a class="indexterm" name="id368719"></a> +<a class="indexterm" name="id368726"></a> +<a class="indexterm" name="id368733"></a> +<a class="indexterm" name="id368740"></a> + Each essential domain group must be assigned its respective well-known RID. The default users, groups, + aliases, and RIDs are shown in <a href="groupmapping.html#WKURIDS" title="Table 12.1. Well-Known User Default RIDs">Well-Known User Default RIDs</a>. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id368760"></a> +<a class="indexterm" name="id368766"></a> +<a class="indexterm" name="id368773"></a> +<a class="indexterm" name="id368780"></a> +<a class="indexterm" name="id368787"></a> + It is the administrator's responsibility to create the essential domain groups and to assign each + its default RID. + </p></div><p> +<a class="indexterm" name="id368798"></a> +<a class="indexterm" name="id368804"></a> + It is permissible to create any domain group that may be necessary; just make certain that the essential + domain groups (well known) have been created and assigned their default RIDs. Other groups you create may + be assigned any arbitrary RID you care to use. + </p><p> + Be sure to map each domain group to a UNIX system group. That is the only way to ensure that the group + will be available for use as an NT domain group. + </p><p> + </p><div class="table"><a name="WKURIDS"></a><p class="title"><b>Table 12.1. Well-Known User Default RIDs</b></p><div class="table-contents"><table summary="Well-Known User Default RIDs" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Well-Known Entity</th><th align="left">RID</th><th align="left">Type</th><th align="center">Essential</th></tr></thead><tbody><tr><td align="left">Domain Administrator</td><td align="left">500</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Guest</td><td align="left">501</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain KRBTGT</td><td align="left">502</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Admins</td><td align="left">512</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Users</td><td align="left">513</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Guests</td><td align="left">514</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Computers</td><td align="left">515</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Controllers</td><td align="left">516</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Certificate Admins</td><td align="left">517</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Schema Admins</td><td align="left">518</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Enterprise Admins</td><td align="left">519</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Policy Admins</td><td align="left">520</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Builtin Admins</td><td align="left">544</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin users</td><td align="left">545</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Guests</td><td align="left">546</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Power Users</td><td align="left">547</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Account Operators</td><td align="left">548</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin System Operators</td><td align="left">549</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Print Operators</td><td align="left">550</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Backup Operators</td><td align="left">551</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Replicator</td><td align="left">552</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin RAS Servers</td><td align="left">553</td><td align="left">Alias</td><td align="center">No</td></tr></tbody></table></div></div><p><br class="table-break"> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id369250"></a>Example Configuration</h3></div></div></div><p> +<a class="indexterm" name="id369258"></a> + You can list the various groups in the mapping database by executing + <code class="literal">net groupmap list</code>. Here is an example: + </p><p> +<a class="indexterm" name="id369279"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> <strong class="userinput"><code>net groupmap list</code></strong> +Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin +Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser +Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest +</pre><p> + </p><p> + For complete details on <code class="literal">net groupmap</code>, refer to the net(8) man page. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id369322"></a>Configuration Scripts</h2></div></div></div><p> + Everyone needs tools. Some of us like to create our own, others prefer to use canned tools + (i.e., prepared by someone else for general use). + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id369332"></a>Sample <code class="filename">smb.conf</code> Add Group Script</h3></div></div></div><p> + <a class="indexterm" name="id369345"></a> + <a class="indexterm" name="id369352"></a> + <a class="indexterm" name="id369359"></a> +<a class="indexterm" name="id369366"></a> +<a class="indexterm" name="id369373"></a> + A script to create complying group names for use by the Samba group interfaces + is provided in <a href="groupmapping.html#smbgrpadd.sh" title="Example 12.1. smbgrpadd.sh">smbgrpadd.sh</a>. This script + adds a temporary entry in the <code class="filename">/etc/group</code> file and then renames + it to the desired name. This is an example of a method to get around operating + system maintenance tool limitations such as those present in some version of the + <code class="literal">groupadd</code> tool. +</p><div class="example"><a name="smbgrpadd.sh"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><div class="example-contents"><pre class="programlisting"> +#!/bin/bash + +# Add the group using normal system groupadd tool. +groupadd smbtmpgrp00 + +thegid=`cat /etc/group | grep ^smbtmpgrp00 | cut -d ":" -f3` + +# Now change the name to what we want for the MS Windows networking end +cp /etc/group /etc/group.bak +cat /etc/group.bak | sed "s/^smbtmpgrp00/$1/g" > /etc/group +rm /etc/group.bak + +# Now return the GID as would normally happen. +echo $thegid +exit 0 +</pre></div></div><p><br class="example-break"> +</p><p> + The <code class="filename">smb.conf</code> entry for the above script shown in <a href="groupmapping.html#smbgrpadd" title="Example 12.2. Configuration of smb.conf for the add group Script">the configuration of + <code class="filename">smb.conf</code> for the add group Script</a> demonstrates how it may be used. + +</p><div class="example"><a name="smbgrpadd"></a><p class="title"><b>Example 12.2. Configuration of <code class="filename">smb.conf</code> for the add group Script</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id369477"></a><em class="parameter"><code>add group script = /path_to_tool/smbgrpadd.sh "%g"</code></em></td></tr></table></div></div><p><br class="example-break"> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id369493"></a>Script to Configure Group Mapping</h3></div></div></div><p> +<a class="indexterm" name="id369501"></a> + In our example we have created a UNIX/Linux group called <code class="literal">ntadmin</code>. + Our script will create the additional groups <code class="literal">Orks</code>, <code class="literal">Elves</code>, and <code class="literal">Gnomes</code>. + It is a good idea to save this shell script for later use just in case you ever need to rebuild your mapping database. + For the sake of convenience we elect to save this script as a file called <code class="filename">initGroups.sh</code>. + This script is given in <a href="groupmapping.html#set-group-map" title="Example 12.3. Script to Set Group Mapping">intGroups.sh</a>. +<a class="indexterm" name="id369547"></a> +</p><div class="example"><a name="set-group-map"></a><p class="title"><b>Example 12.3. Script to Set Group Mapping</b></p><div class="example-contents"><pre class="programlisting"> +#!/bin/bash + +net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d +net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d + +groupadd Orks +groupadd Elves +groupadd Gnomes + +net groupmap add ntgroup="Orks" unixgroup=Orks type=d +net groupmap add ntgroup="Elves" unixgroup=Elves type=d +net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d +</pre></div></div><p><br class="example-break"> + </p><p> + Of course it is expected that the administrator will modify this to suit local needs. + For information regarding the use of the <code class="literal">net groupmap</code> tool please + refer to the man page. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Versions of Samba-3 prior to 3.0.23 automatically create default group mapping for the + <code class="literal">Domain Admins, Domain Users</code> and <code class="literal">Domain Guests</code> Windows + groups, but do not map them to UNIX GIDs. This was a cause of administrative confusion and + trouble. Commencing with Samba-3.0.23 this annomaly has been fixed - thus all Windows groups + must now be manually and explicitly created and mapped to a valid UNIX GID by the Samba + administrator. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id369607"></a>Common Errors</h2></div></div></div><p> +At this time there are many little surprises for the unwary administrator. In a real sense +it is imperative that every step of automated control scripts be carefully tested +manually before putting it into active service. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id369618"></a>Adding Groups Fails</h3></div></div></div><p> +<a class="indexterm" name="id369625"></a> + This is a common problem when the <code class="literal">groupadd</code> is called directly + by the Samba interface script for the <a class="indexterm" name="id369639"></a>add group script in + the <code class="filename">smb.conf</code> file. + </p><p> +<a class="indexterm" name="id369655"></a> +<a class="indexterm" name="id369662"></a> + The most common cause of failure is an attempt to add an MS Windows group account + that has an uppercase character and/or a space character in it. + </p><p> +<a class="indexterm" name="id369674"></a> + There are three possible workarounds. First, use only group names that comply + with the limitations of the UNIX/Linux <code class="literal">groupadd</code> system tool. + Second, it involves the use of the script mentioned earlier in this chapter, and + third is the option is to manually create a UNIX/Linux group account that can substitute + for the MS Windows group name, then use the procedure listed above to map that group + to the MS Windows group. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id369692"></a>Adding Domain Users to the Workstation Power Users Group</h3></div></div></div><p>“<span class="quote"> + What must I do to add domain users to the Power Users group? + </span>”</p><p> +<a class="indexterm" name="id369705"></a> + The Power Users group is a group that is local to each Windows 200x/XP Professional workstation. + You cannot add the Domain Users group to the Power Users group automatically, it must be done on + each workstation by logging in as the local workstation <span class="emphasis"><em>administrator</em></span> and + then using the following procedure: + </p><div class="procedure"><ol type="1"><li><p> + Click <span class="guimenu">Start -> Control Panel -> Users and Passwords</span>. + </p></li><li><p> + Click the <span class="guimenuitem">Advanced</span> tab. + </p></li><li><p> + Click the <span class="guibutton">Advanced</span> button. + </p></li><li><p> + Click <code class="constant">Groups</code>. + </p></li><li><p> + Double-click <code class="constant">Power Users</code>. This will launch the panel to add users or groups + to the local machine <code class="constant">Power Users</code> group. + </p></li><li><p> + Click the <span class="guibutton">Add</span> button. + </p></li><li><p> + Select the domain from which the <code class="constant">Domain Users</code> group is to be added. + </p></li><li><p> + Double-click the <code class="constant">Domain Users</code> group. + </p></li><li><p> + Click the <span class="guibutton">OK</span> button. If a logon box is presented during this process, + please remember to enter the connect as <code class="constant">DOMAIN\UserName</code>, that is, for the + domain <code class="constant">MIDEARTH</code> and the user <code class="constant">root</code> enter + <code class="constant">MIDEARTH\root</code>. + </p></li></ol></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NetCommand.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Remote and Local Management: The Net Command</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/idmapper.html b/docs/htmldocs/Samba3-HOWTO/idmapper.html new file mode 100644 index 0000000000..89b1a92d21 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/idmapper.html @@ -0,0 +1,729 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Identity Mapping (IDMAP)</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"><link rel="next" href="rights.html" title="Chapter 15. User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter 14. Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id374968">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id374992">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375941">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id376159">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id376225">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id376286">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id374715"></a> +<a class="indexterm" name="id374722"></a> +<a class="indexterm" name="id374729"></a> +<a class="indexterm" name="id374735"></a> +<a class="indexterm" name="id374744"></a> +<a class="indexterm" name="id374751"></a> +<a class="indexterm" name="id374758"></a> +The Microsoft Windows operating system has a number of features that impose specific challenges +to interoperability with the operating systems on which Samba is implemented. This chapter deals +explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the +key challenges in the integration of Samba servers into an MS Windows networking environment. +This chapter deals with identity mapping (IDMAP) of Windows security identifiers (SIDs) +to UNIX UIDs and GIDs. +</p><p> +To ensure sufficient coverage, each possible Samba deployment type is discussed. +This is followed by an overview of how the IDMAP facility may be implemented. +</p><p> +<a class="indexterm" name="id374776"></a> +<a class="indexterm" name="id374783"></a> +<a class="indexterm" name="id374790"></a> +<a class="indexterm" name="id374797"></a> +The IDMAP facility is of concern where more than one Samba server (or Samba network client) +is installed in a domain. Where there is a single Samba server, do not be too concerned regarding +the IDMAP infrastructure the default behavior of Samba is nearly always sufficient. +Where mulitple Samba servers are used it is often necessary to move data off one server and onto +another, and that is where the fun begins! +</p><p> +<a class="indexterm" name="id374814"></a> +<a class="indexterm" name="id374819"></a> +<a class="indexterm" name="id374826"></a> +<a class="indexterm" name="id374833"></a> +<a class="indexterm" name="id374839"></a> +<a class="indexterm" name="id374846"></a> +<a class="indexterm" name="id374853"></a> +<a class="indexterm" name="id374860"></a> +Where user and group account information is stored in an LDAP directory every server can have the same +consistent UID and GID for users and groups. This is achieved using NSS and the nss_ldap tool. Samba +can be configured to use only local accounts, in which case the scope of the IDMAP problem is somewhat +reduced. This works reasonably well if the servers belong to a single domain, and interdomain trusts +are not needed. On the other hand, if the Samba servers are NT4 domain members, or ADS domain members, +or if there is a need to keep the security name-space separate (i.e., the user +<code class="literal">DOMINICUS\FJones</code> must not be given access to the account resources of the user +<code class="literal">FRANCISCUS\FJones</code><sup>[<a name="id374883" href="#ftn.id374883">4</a>]</sup> free from inadvertent cross-over, close attention should be given +to the way that the IDMAP facility is configured. +</p><p> +<a class="indexterm" name="id374908"></a> +<a class="indexterm" name="id374915"></a> +<a class="indexterm" name="id374922"></a> +<a class="indexterm" name="id374929"></a> +<a class="indexterm" name="id374935"></a> +<a class="indexterm" name="id374942"></a> +The use of IDMAP is important where the Samba server will be accessed by workstations or servers from +more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping) +of foreign SIDs to local UNIX UIDs and GIDs. +</p><p> +<a class="indexterm" name="id374954"></a> +The use of the IDMAP facility requires the execution of the <code class="literal">winbindd</code> upon Samba startup. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id374968"></a>Samba Server Deployment Types and IDMAP</h2></div></div></div><p> +<a class="indexterm" name="id374976"></a> +There are four basic server deployment types, as documented in <a href="ServerType.html" title="Chapter 3. Server Types and Security Modes">the chapter +on Server Types and Security Modes</a>. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id374992"></a>Standalone Samba Server</h3></div></div></div><p> + <a class="indexterm" name="id375000"></a> + <a class="indexterm" name="id375006"></a> + <a class="indexterm" name="id375013"></a> + A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, + a Windows 200X Active Directory domain, or a Samba domain. + </p><p> + <a class="indexterm" name="id375025"></a> + <a class="indexterm" name="id375031"></a> + <a class="indexterm" name="id375038"></a> + By definition, this means that users and groups will be created and controlled locally, and + the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility + is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility + will not be relevant or of interest. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id375050"></a>Domain Member Server or Domain Member Client</h3></div></div></div><p> + <a class="indexterm" name="id375058"></a> + <a class="indexterm" name="id375064"></a> + <a class="indexterm" name="id375071"></a> + <a class="indexterm" name="id375078"></a> + <a class="indexterm" name="id375084"></a> + Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that + are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with + all versions of MS Windows products. Windows NT4, as with MS Active Directory, + extensively makes use of Windows SIDs. + </p><p> + <a class="indexterm" name="id375097"></a> + <a class="indexterm" name="id375104"></a> + <a class="indexterm" name="id375110"></a> + Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming + Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba + server must provide to MS Windows clients and servers appropriate SIDs. + </p><p> + <a class="indexterm" name="id375122"></a> + <a class="indexterm" name="id375129"></a> + A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle + identity mapping in a variety of ways. The mechanism it uses depends on whether or not + the <code class="literal">winbindd</code> daemon is used and how the winbind functionality is configured. + The configuration options are briefly described here: + </p><div class="variablelist"><dl><dt><span class="term">Winbind is not used; users and groups are local: </span></dt><dd><p> + <a class="indexterm" name="id375156"></a> + <a class="indexterm" name="id375163"></a> + <a class="indexterm" name="id375170"></a> + <a class="indexterm" name="id375177"></a> + <a class="indexterm" name="id375184"></a> + <a class="indexterm" name="id375190"></a> + <a class="indexterm" name="id375197"></a> + <a class="indexterm" name="id375204"></a> + <a class="indexterm" name="id375211"></a> + <a class="indexterm" name="id375217"></a> + <a class="indexterm" name="id375224"></a> + Where <code class="literal">winbindd</code> is not used Samba (<code class="literal">smbd</code>) + uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming + network traffic. This is done using the LoginID (account name) in the + session setup request and passing it to the getpwnam() system function call. + This call is implemented using the name service switch (NSS) mechanism on + modern UNIX/Linux systems. By saying "users and groups are local," + we are implying that they are stored only on the local system, in the + <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> respectively. + </p><p> + <a class="indexterm" name="id375262"></a> + <a class="indexterm" name="id375269"></a> + For example, when the user <code class="literal">BERYLIUM\WambatW</code> tries to open a + connection to a Samba server the incoming SessionSetupAndX request will make a + system call to look up the user <code class="literal">WambatW</code> in the + <code class="filename">/etc/passwd</code> file. + </p><p> + <a class="indexterm" name="id375298"></a> + <a class="indexterm" name="id375305"></a> + <a class="indexterm" name="id375312"></a> + <a class="indexterm" name="id375319"></a> + <a class="indexterm" name="id375325"></a> + <a class="indexterm" name="id375332"></a> + <a class="indexterm" name="id375338"></a> + <a class="indexterm" name="id375345"></a> + This configuration may be used with standalone Samba servers, domain member + servers (NT4 or ADS), and for a PDC that uses either an smbpasswd + or a tdbsam-based Samba passdb backend. + </p></dd><dt><span class="term">Winbind is not used; users and groups resolved via NSS: </span></dt><dd><p> + <a class="indexterm" name="id375366"></a> + <a class="indexterm" name="id375373"></a> + <a class="indexterm" name="id375380"></a> + <a class="indexterm" name="id375387"></a> + <a class="indexterm" name="id375393"></a> + <a class="indexterm" name="id375400"></a> + In this situation user and group accounts are treated as if they are local + accounts. The only way in which this differs from having local accounts is + that the accounts are stored in a repository that can be shared. In practice + this means that they will reside in either an NIS-type database or else in LDAP. + </p><p> + <a class="indexterm" name="id375413"></a> + <a class="indexterm" name="id375420"></a> + <a class="indexterm" name="id375426"></a> + <a class="indexterm" name="id375433"></a> + <a class="indexterm" name="id375440"></a> + <a class="indexterm" name="id375446"></a> + <a class="indexterm" name="id375453"></a> + This configuration may be used with standalone Samba servers, domain member + servers (NT4 or ADS), and for a PDC that uses either an smbpasswd + or a tdbsam-based Samba passdb backend. + </p></dd><dt><span class="term">Winbind/NSS with the default local IDMAP table: </span></dt><dd><p> + <a class="indexterm" name="id375474"></a> + <a class="indexterm" name="id375480"></a> + <a class="indexterm" name="id375487"></a> + <a class="indexterm" name="id375494"></a> + There are many sites that require only a simple Samba server or a single Samba + server that is a member of a Windows NT4 domain or an ADS domain. A typical example + is an appliance like file server on which no local accounts are configured and + winbind is used to obtain account credentials from the domain controllers for the + domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows + Active Directory. + </p><p> + <a class="indexterm" name="id375508"></a> + <a class="indexterm" name="id375515"></a> + <a class="indexterm" name="id375522"></a> + <a class="indexterm" name="id375528"></a> + <a class="indexterm" name="id375535"></a> + Winbind is a great convenience in this situation. All that is needed is a range of + UID numbers and GID numbers that can be defined in the <code class="filename">smb.conf</code> file. The + <code class="filename">/etc/nsswitch.conf</code> file is configured to use <code class="literal">winbind</code>, + which does all the difficult work of mapping incoming SIDs to appropriate UIDs and GIDs. + The SIDs are allocated a UID/GID in the order in which winbind receives them. + </p><p> + <a class="indexterm" name="id375566"></a> + <a class="indexterm" name="id375572"></a> + <a class="indexterm" name="id375579"></a> + <a class="indexterm" name="id375586"></a> + This configuration is not convenient or practical in sites that have more than one + Samba server and that require the same UID or GID for the same user or group across + all servers. One of the hazards of this method is that in the event that the winbind + IDMAP file becomes corrupted or lost, the repaired or rebuilt IDMAP file may allocate + UIDs and GIDs to different users and groups from what was there previously with the + result that MS Windows files that are stored on the Samba server may now not belong to + the rightful owners. + </p></dd><dt><span class="term">Winbind/NSS uses RID based IDMAP: </span></dt><dd><p> + <a class="indexterm" name="id375609"></a> + <a class="indexterm" name="id375616"></a> + <a class="indexterm" name="id375623"></a> + <a class="indexterm" name="id375629"></a> + The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier + for a number of sites that are committed to use of MS ADS, that do not apply + an ADS schema extension, and that do not have an installed an LDAP directory server just for + the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of + domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the + IDMAP table problem, then IDMAP_RID is an obvious choice. + </p><p> + <a class="indexterm" name="id375644"></a> + <a class="indexterm" name="id375651"></a> + <a class="indexterm" name="id375657"></a> + <a class="indexterm" name="id375664"></a> + <a class="indexterm" name="id375671"></a> + <a class="indexterm" name="id375677"></a> + <a class="indexterm" name="id375684"></a> + <a class="indexterm" name="id375691"></a> + This facility requires the allocation of the <em class="parameter"><code>idmap uid</code></em> and the + <em class="parameter"><code>idmap gid</code></em> ranges, and within the <em class="parameter"><code>idmap uid</code></em> + it is possible to allocate a subset of this range for automatic mapping of the relative + identifier (RID) portion of the SID directly to the base of the UID plus the RID value. + For example, if the <em class="parameter"><code>idmap uid</code></em> range is <code class="constant">1000-100000000</code> + and the <em class="parameter"><code>idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000</code></em>, and + a SID is encountered that has the value <code class="constant">S-1-5-21-34567898-12529001-32973135-1234</code>, + the resulting UID will be <code class="constant">1000 + 1234 = 2234</code>. + </p></dd><dt><span class="term">Winbind with an NSS/LDAP backend-based IDMAP facility: </span></dt><dd><p> + <a class="indexterm" name="id375754"></a> + <a class="indexterm" name="id375761"></a> + <a class="indexterm" name="id375768"></a> + <a class="indexterm" name="id375774"></a> + <a class="indexterm" name="id375781"></a> + <a class="indexterm" name="id375787"></a> + <a class="indexterm" name="id375794"></a> + <a class="indexterm" name="id375801"></a> + In this configuration <code class="literal">winbind</code> resolved SIDs to UIDs and GIDs from + the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> ranges specified + in the <code class="filename">smb.conf</code> file, but instead of using a local winbind IDMAP table, it is stored + in an LDAP directory so that all domain member machines (clients and servers) can share + a common IDMAP table. + </p><p> + <a class="indexterm" name="id375837"></a> + <a class="indexterm" name="id375844"></a> + <a class="indexterm" name="id375851"></a> + It is important that all LDAP IDMAP clients use only the master LDAP server because the + <em class="parameter"><code>idmap backend</code></em> facility in the <code class="filename">smb.conf</code> file does not correctly + handle LDAP redirects. + </p></dd><dt><span class="term">Winbind with NSS to resolve UNIX/Linux user and group IDs: </span></dt><dd><p> + The use of LDAP as the passdb backend is a smart solution for PDC, BDC, and + domain member servers. It is a neat method for assuring that UIDs, GIDs, and the matching + SIDs are consistent across all servers. + </p><p> + <a class="indexterm" name="id375888"></a> + <a class="indexterm" name="id375895"></a> + The use of the LDAP-based passdb backend requires use of the PADL nss_ldap utility or + an equivalent. In this situation winbind is used to handle foreign SIDs, that is, SIDs from + standalone Windows clients (i.e., not a member of our domain) as well as SIDs from + another domain. The foreign UID/GID is mapped from allocated ranges (idmap uid and idmap gid) + in precisely the same manner as when using winbind with a local IDMAP table. + </p><p> + <a class="indexterm" name="id375909"></a> + <a class="indexterm" name="id375916"></a> + <a class="indexterm" name="id375923"></a> + The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active + Directory. In order to use Active Directory, it is necessary to modify the ADS schema by + installing either the AD4UNIX schema extension or using the Microsoft Services for UNIX + version 3.5 or later to extend the ADS schema so it maintains UNIX account credentials. + Where the ADS schema is extended, a Microsoft Management Console (MMC) snap-in is also + installed to permit the UNIX credentials to be set and managed from the ADS User and Computer + Management tool. Each account must be separately UNIX-enabled before the UID and GID data can + be used by Samba. + </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id375941"></a>Primary Domain Controller</h3></div></div></div><p> + <a class="indexterm" name="id375948"></a> + <a class="indexterm" name="id375955"></a> + <a class="indexterm" name="id375962"></a> + <a class="indexterm" name="id375968"></a> + Microsoft Windows domain security systems generate the user and group SID as part + of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID; rather, + it has its own type of security descriptor. When Samba is used as a domain controller, it provides a method + of producing a unique SID for each user and group. Samba generates a machine and a domain SID to which it + adds an RID that is calculated algorithmically from a base value that can be specified + in the <code class="filename">smb.conf</code> file, plus twice (2x) the UID or GID. This method is called “<span class="quote">algorithmic mapping</span>”. + </p><p> + <a class="indexterm" name="id375993"></a> + For example, if a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will + be <code class="literal">1000 + (2 x 4321) = 9642</code>. Thus, if the domain SID is + <code class="literal">S-1-5-21-89238497-92787123-12341112</code>, the resulting SID is + <code class="literal">S-1-5-21-89238497-92787123-12341112-9642</code>. + </p><p> + <a class="indexterm" name="id376022"></a> + <a class="indexterm" name="id376029"></a> + <a class="indexterm" name="id376036"></a> + <a class="indexterm" name="id376042"></a> + The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly + (as is the case when using a <em class="parameter"><code>passdb backend = [tdbsam | smbpasswd]</code></em>), or may be stored + as a permanent part of an account in an LDAP-based ldapsam. + </p><p> + <a class="indexterm" name="id376060"></a> + <a class="indexterm" name="id376067"></a> + <a class="indexterm" name="id376074"></a> + <a class="indexterm" name="id376080"></a> + <a class="indexterm" name="id376087"></a> + <a class="indexterm" name="id376094"></a> + <a class="indexterm" name="id376100"></a> + <a class="indexterm" name="id376107"></a> + <a class="indexterm" name="id376114"></a> + ADS uses a directory schema that can be extended to accommodate additional + account attributes such as UIDs and GIDs. The installation of Microsoft Service for UNIX 3.5 will expand + the normal ADS schema to include UNIX account attributes. These must of course be managed separately + through a snap-in module to the normal ADS account management MMC interface. + </p><p> + <a class="indexterm" name="id376127"></a> + <a class="indexterm" name="id376133"></a> + <a class="indexterm" name="id376140"></a> + <a class="indexterm" name="id376147"></a> + Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity. + In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup + domain controllers (BDCs). At this time the only passdb backend for a Samba domain controller that is suitable + for such information is an LDAP backend. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id376159"></a>Backup Domain Controller</h3></div></div></div><p> + <a class="indexterm" name="id376167"></a> + <a class="indexterm" name="id376173"></a> + <a class="indexterm" name="id376180"></a> + <a class="indexterm" name="id376187"></a> + <a class="indexterm" name="id376194"></a> + <a class="indexterm" name="id376200"></a> + <a class="indexterm" name="id376207"></a> + BDCs have read-only access to security credentials that are stored in LDAP. + Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write + changes to the directory. + </p><p> + IDMAP information can be written directly to the LDAP server so long as all domain controllers + have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects + in the IDMAP backend. This means that it is is unsafe to use a slave (replicate) LDAP server with + the IDMAP facility. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id376225"></a>Examples of IDMAP Backend Usage</h2></div></div></div><p> +<a class="indexterm" name="id376233"></a> +<a class="indexterm" name="id376242"></a> +<a class="indexterm" name="id376251"></a> +<a class="indexterm" name="id376257"></a> +<a class="indexterm" name="id376264"></a> +Anyone who wishes to use <code class="literal">winbind</code> will find the following example configurations helpful. +Remember that in the majority of cases <code class="literal">winbind</code> is of primary interest for use with +domain member servers (DMSs) and domain member clients (DMCs). +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id376286"></a>Default Winbind TDB</h3></div></div></div><p> + Two common configurations are used: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Networks that have an NT4 PDC (with or without BDCs) or a Samba PDC (with or without BDCs). + </p></li><li><p> + Networks that use MS Windows 200x ADS. + </p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id376308"></a>NT4-Style Domains (Includes Samba Domains)</h4></div></div></div><p> + <a href="idmapper.html#idmapnt4dms" title="Example 14.1. NT4 Domain Member Server smb.conf">NT4 Domain Member Server smb.con</a> is a simple example of an NT4 DMS + <code class="filename">smb.conf</code> file that shows only the global section. + </p><div class="example"><a name="idmapnt4dms"></a><p class="title"><b>Example 14.1. NT4 Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id376359"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id376372"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id376384"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id376397"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id376409"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id376422"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id376438"></a> + <a class="indexterm" name="id376444"></a> + The use of <code class="literal">winbind</code> requires configuration of NSS. Edit the <code class="filename">/etc/nsswitch.conf</code> + so it includes the following entries: +</p><pre class="screen"> +... +passwd: files winbind +shadow: files winbind +group: files winbind +... +hosts: files [dns] wins +... +</pre><p> + The use of DNS in the hosts entry should be made only if DNS is used on site. + </p><p> + The creation of the DMS requires the following steps: + </p><div class="procedure"><ol type="1"><li><p> + Create or install an <code class="filename">smb.conf</code> file with the above configuration. + </p></li><li><p> + Execute: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -UAdministrator%password +Joined domain MEGANET2. +</pre><p> + <a class="indexterm" name="id376509"></a> + The success of the join can be confirmed with the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc testjoin +Join to 'MIDEARTH' is OK +</pre><p> + A failed join would report an error message like the following: + <a class="indexterm" name="id376529"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc testjoin +[2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66) +Join to domain 'MEGANET2' is not valid +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id376555"></a> + <a class="indexterm" name="id376562"></a> + <a class="indexterm" name="id376568"></a> + Start the <code class="literal">nmbd, winbind,</code> and <code class="literal">smbd</code> daemons in the order shown. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id376591"></a>ADS Domains</h4></div></div></div><p> + <a class="indexterm" name="id376598"></a> + <a class="indexterm" name="id376605"></a> + The procedure for joining an ADS domain is similar to the NT4 domain join, except the <code class="filename">smb.conf</code> file + will have the contents shown in <a href="idmapper.html#idmapadsdms" title="Example 14.2. ADS Domain Member Server smb.conf">ADS Domain Member Server smb.conf</a> + </p><div class="example"><a name="idmapadsdms"></a><p class="title"><b>Example 14.2. ADS Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id376655"></a><em class="parameter"><code>workgroup = BUTTERNET</code></em></td></tr><tr><td><a class="indexterm" name="id376667"></a><em class="parameter"><code>netbios name = GARGOYLE</code></em></td></tr><tr><td><a class="indexterm" name="id376680"></a><em class="parameter"><code>realm = BUTTERNET.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id376692"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id376705"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id376718"></a><em class="parameter"><code>idmap uid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id376730"></a><em class="parameter"><code>idmap gid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id376743"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id376756"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id376768"></a><em class="parameter"><code>printer admin = "BUTTERNET\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id376784"></a> + <a class="indexterm" name="id376791"></a> + <a class="indexterm" name="id376798"></a> + <a class="indexterm" name="id376805"></a> + <a class="indexterm" name="id376811"></a> + <a class="indexterm" name="id376818"></a> + <a class="indexterm" name="id376825"></a> + ADS DMS operation requires use of kerberos (KRB). For this to work, the <code class="filename">krb5.conf</code> + must be configured. The exact requirements depends on which version of MIT or Heimdal Kerberos is being + used. It is sound advice to use only the latest version, which at this time are MIT Kerberos version + 1.3.5 and Heimdal 0.61. + </p><p> + The creation of the DMS requires the following steps: + </p><div class="procedure"><ol type="1"><li><p> + Create or install an <code class="filename">smb.conf</code> file with the above configuration. + </p></li><li><p> + Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above. + </p></li><li><p> + Execute: + <a class="indexterm" name="id376879"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net ads join -UAdministrator%password +Joined domain BUTTERNET. +</pre><p> + The success or failure of the join can be confirmed with the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin +Using short domain name -- BUTTERNET +Joined 'GARGOYLE' to realm 'BUTTERNET.BIZ' +</pre><p> + </p><p> + An invalid or failed join can be detected by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin +GARGOYLE$@'s password: +[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186) + ads_connect: No results returned +Join to domain is not valid +</pre><p> + <a class="indexterm" name="id376932"></a> + <a class="indexterm" name="id376938"></a> + <a class="indexterm" name="id376945"></a> + <a class="indexterm" name="id376952"></a> + The specific error message may differ from the above because it depends on the type of failure that + may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test, + and then examine the log files produced to identify the nature of the failure. + </p></li><li><p> + Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown. + </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id376996"></a>IDMAP_RID with Winbind</h3></div></div></div><p> + <a class="indexterm" name="id377004"></a> + <a class="indexterm" name="id377010"></a> + <a class="indexterm" name="id377017"></a> + <a class="indexterm" name="id377023"></a> + The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a + predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method + of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data + in a central place. The downside is that it can be used only within a single ADS domain and + is not compatible with trusted domain implementations. + </p><p> + <a class="indexterm" name="id377043"></a> + <a class="indexterm" name="id377049"></a> + <a class="indexterm" name="id377056"></a> + <a class="indexterm" name="id377063"></a> + This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid + plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the + RID to a base value specified. This utility requires that the parameter + “<span class="quote">allow trusted domains = No</span>” be specified, as it is not compatible + with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and + <em class="parameter"><code>idmap gid</code></em> ranges must be specified. + </p><p> + <a class="indexterm" name="id377092"></a> + <a class="indexterm" name="id377099"></a> + The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory. + To use this with an NT4 domain, do not include the <em class="parameter"><code>realm</code></em> parameter; additionally, the + method used to join the domain uses the <code class="constant">net rpc join</code> process. + </p><p> + An example <code class="filename">smb.conf</code> file for and ADS domain environment is shown in <a href="idmapper.html#idmapadsridDMS" title="Example 14.3. ADS Domain Member smb.conf using idmap_rid">ADS + Domain Member smb.conf using idmap_rid</a>. + </p><div class="example"><a name="idmapadsridDMS"></a><p class="title"><b>Example 14.3. ADS Domain Member smb.conf using idmap_rid</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id377163"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id377175"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id377188"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id377200"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id377213"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id377226"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id377238"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id377251"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id377264"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id377276"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id377289"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id377302"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id377314"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id377327"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id377340"></a><em class="parameter"><code>printer admin = "Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id377356"></a> + <a class="indexterm" name="id377362"></a> + <a class="indexterm" name="id377369"></a> + <a class="indexterm" name="id377376"></a> + In a large domain with many users it is imperative to disable enumeration of users and groups. + For example, at a site that has 22,000 users in Active Directory the winbind-based user and + group resolution is unavailable for nearly 12 minutes following first startup of + <code class="literal">winbind</code>. Disabling enumeration resulted in instantaneous response. + The disabling of user and group enumeration means that it will not be possible to list users + or groups using the <code class="literal">getent passwd</code> and <code class="literal">getent group</code> + commands. It will be possible to perform the lookup for individual users, as shown in the following procedure. + </p><p> + <a class="indexterm" name="id377409"></a> + <a class="indexterm" name="id377415"></a> + The use of this tool requires configuration of NSS as per the native use of winbind. Edit the + <code class="filename">/etc/nsswitch.conf</code> so it has the following parameters: +</p><pre class="screen"> +... +passwd: files winbind +shadow: files winbind +group: files winbind +... +hosts: files wins +... +</pre><p> + </p><p> + The following procedure can use the idmap_rid facility: + </p><div class="procedure"><ol type="1"><li><p> + Create or install an <code class="filename">smb.conf</code> file with the above configuration. + </p></li><li><p> + Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above. + </p></li><li><p> + Execute: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads join -UAdministrator%password +Using short domain name -- KPAK +Joined 'BIGJOE' to realm 'CORP.KPAK.COM' +</pre><p> + </p><p> + <a class="indexterm" name="id377490"></a> + An invalid or failed join can be detected by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin +BIGJOE$@'s password: +[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186) + ads_connect: No results returned +Join to domain is not valid +</pre><p> + The specific error message may differ from the above because it depends on the type of failure that + may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test, + and then examine the log files produced to identify the nature of the failure. + </p></li><li><p> + Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown. + </p></li><li><p> + Validate the operation of this configuration by executing: + <a class="indexterm" name="id377550"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd administrator +administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash +</pre><p> + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id377571"></a>IDMAP Storage in LDAP Using Winbind</h3></div></div></div><p> + <a class="indexterm" name="id377578"></a> + <a class="indexterm" name="id377585"></a> + The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and + ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any + standards-complying LDAP server can be used. It is therefore possible to deploy this IDMAP + configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, + and so on. + </p><p> + An example is for an ADS domain is shown in <a href="idmapper.html#idmapldapDMS" title="Example 14.4. ADS Domain Member Server using LDAP">ADS Domain Member Server using + LDAP</a>. + </p><div class="example"><a name="idmapldapDMS"></a><p class="title"><b>Example 14.4. ADS Domain Member Server using LDAP</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id377634"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id377647"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id377659"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id377672"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id377684"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id377697"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id377710"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id377723"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id377735"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id377748"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id377761"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id377773"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id377786"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id377799"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id377815"></a> + In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the + command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates + advanced error-reporting techniques that are documented in <a href="bugreport.html#dbglvl" title="Debug Levels">Reporting Bugs</a>. + </p><p> + <a class="indexterm" name="id377846"></a> + <a class="indexterm" name="id377853"></a> + <a class="indexterm" name="id377860"></a> + Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code> + file so it has the following contents: +</p><pre class="screen"> +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + default_realm = SNOWSHOW.COM + dns_lookup_realm = false + dns_lookup_kdc = true + +[appdefaults] + pam = { + debug = false + ticket_lifetime = 36000 + renew_lifetime = 36000 + forwardable = true + krb4_convert = false + } +</pre><p> + </p><p> + Where Heimdal kerberos is installed, edit the <code class="filename">/etc/krb5.conf</code> + file so it is either empty (i.e., no contents) or it has the following contents: +</p><pre class="screen"> +[libdefaults] + default_realm = SNOWSHOW.COM + clockskew = 300 + +[realms] + SNOWSHOW.COM = { + kdc = ADSDC.SHOWSHOW.COM + } + +[domain_realm] + .snowshow.com = SNOWSHOW.COM +</pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file. + So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no + need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically. + </p></div><p> + Edit the NSS control file <code class="filename">/etc/nsswitch.conf</code> so it has the following entries: +</p><pre class="screen"> +... +passwd: files ldap +shadow: files ldap +group: files ldap +... +hosts: files wins +... +</pre><p> + </p><p> + <a class="indexterm" name="id377932"></a> + <a class="indexterm" name="id377939"></a> + You will need the <a href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code> + tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has + the information needed. The following is an example of a working file: +</p><pre class="screen"> +host 192.168.2.1 +base dc=snowshow,dc=com +binddn cn=Manager,dc=snowshow,dc=com +bindpw not24get + +pam_password exop + +nss_base_passwd ou=People,dc=snowshow,dc=com?one +nss_base_shadow ou=People,dc=snowshow,dc=com?one +nss_base_group ou=Groups,dc=snowshow,dc=com?one +ssl no +</pre><p> + </p><p> + The following procedure may be followed to effect a working configuration: + </p><div class="procedure"><ol type="1"><li><p> + Configure the <code class="filename">smb.conf</code> file as shown above. + </p></li><li><p> + Create the <code class="filename">/etc/krb5.conf</code> file as shown above. + </p></li><li><p> + Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above. + </p></li><li><p> + Download, build, and install the PADL nss_ldap tool set. Configure the + <code class="filename">/etc/ldap.conf</code> file as shown above. + </p></li><li><p> + Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP, + shown in the following LDIF file: +</p><pre class="screen"> +dn: dc=snowshow,dc=com +objectClass: dcObject +objectClass: organization +dc: snowshow +o: The Greatest Snow Show in Singapore. +description: Posix and Samba LDAP Identity Database + +dn: cn=Manager,dc=snowshow,dc=com +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +dn: ou=Idmap,dc=snowshow,dc=com +objectClass: organizationalUnit +ou: idmap +</pre><p> + </p></li><li><p> + Execute the command to join the Samba DMS to the ADS domain as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> net ads testjoin +Using short domain name -- SNOWSHOW +Joined 'GOODELF' to realm 'SNOWSHOW.COM' +</pre><p> + </p></li><li><p> + Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +</pre><p> + </p></li><li><p> + Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown. + </p></li></ol></div><p> + <a class="indexterm" name="id378120"></a> + Follow the diagnositic procedures shown earlier in this chapter to identify success or failure of the join. + In many cases a failure is indicated by a silent return to the command prompt with no indication of the + reason for failure. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id378132"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h3></div></div></div><p> + <a class="indexterm" name="id378140"></a> + <a class="indexterm" name="id378146"></a> + The use of this method is messy. The information provided in the following is for guidance only + and is very definitely not complete. This method does work; it is used in a number of large sites + and has an acceptable level of performance. + </p><p> + An example <code class="filename">smb.conf</code> file is shown in <a href="idmapper.html#idmaprfc2307" title="Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS">ADS Domain Member Server using +RFC2307bis Schema Extension Date via NSS</a>. + </p><div class="example"><a name="idmaprfc2307"></a><p class="title"><b>Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id378202"></a><em class="parameter"><code>workgroup = BOBBY</code></em></td></tr><tr><td><a class="indexterm" name="id378214"></a><em class="parameter"><code>realm = BOBBY.COM</code></em></td></tr><tr><td><a class="indexterm" name="id378227"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id378239"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id378252"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id378265"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id378277"></a><em class="parameter"><code>winbind cache time = 5</code></em></td></tr><tr><td><a class="indexterm" name="id378290"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id378303"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id378316"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id378331"></a> + The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary + to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the + following: +</p><pre class="screen"> +./configure --enable-rfc2307bis --enable-schema-mapping +make install +</pre><p> + </p><p> + <a class="indexterm" name="id378349"></a> + The following <code class="filename">/etc/nsswitch.conf</code> file contents are required: +</p><pre class="screen"> +... +passwd: files ldap +shadow: files ldap +group: files ldap +... +hosts: files wins +... +</pre><p> + </p><p> + <a class="indexterm" name="id378372"></a> + <a class="indexterm" name="id378379"></a> + The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation + and source code for nss_ldap to specific instructions. + </p><p> + The next step involves preparation of the ADS schema. This is briefly discussed in the remaining + part of this chapter. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id378398"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h4></div></div></div><p> + <a class="indexterm" name="id378406"></a> + The Microsoft Windows Service for UNIX (SFU) version 3.5 is available for free + <a href="http://www.microsoft.com/windows/sfu/" target="_top">download</a> + from the Microsoft Web site. You will need to download this tool and install it following + Microsoft instructions. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id378423"></a>IDMAP, Active Directory and AD4UNIX</h4></div></div></div><p> + Instructions for obtaining and installing the AD4UNIX tool set can be found from the + <a href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top"> + Geekcomix</a> Web site. + </p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><code class="literal"><sup>[<a name="ftn.id374883" href="#id374883">4</a>] </sup>DOMINICUS\FJones</code><code class="literal">FRANCISCUS\FJones</code><code class="literal">FJones</code></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. Remote and Local Management: The Net Command </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. User Rights and Privileges</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/images/10small.png b/docs/htmldocs/Samba3-HOWTO/images/10small.png Binary files differnew file mode 100644 index 0000000000..56a9b0cd67 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/10small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/11small.png b/docs/htmldocs/Samba3-HOWTO/images/11small.png Binary files differnew file mode 100644 index 0000000000..18f5d9e4dd --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/11small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/12small.png b/docs/htmldocs/Samba3-HOWTO/images/12small.png Binary files differnew file mode 100644 index 0000000000..5bdf809c1b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/12small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/13small.png b/docs/htmldocs/Samba3-HOWTO/images/13small.png Binary files differnew file mode 100644 index 0000000000..536b2fc2c2 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/13small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/14small.png b/docs/htmldocs/Samba3-HOWTO/images/14small.png Binary files differnew file mode 100644 index 0000000000..89054249c0 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/14small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/1small.png b/docs/htmldocs/Samba3-HOWTO/images/1small.png Binary files differnew file mode 100644 index 0000000000..c4905163c9 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/1small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/2small.png b/docs/htmldocs/Samba3-HOWTO/images/2small.png Binary files differnew file mode 100644 index 0000000000..5fd9071349 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/2small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/3small.png b/docs/htmldocs/Samba3-HOWTO/images/3small.png Binary files differnew file mode 100644 index 0000000000..22a39bae52 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/3small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/4small.png b/docs/htmldocs/Samba3-HOWTO/images/4small.png Binary files differnew file mode 100644 index 0000000000..6b7f1b1fd4 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/4small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/5small.png b/docs/htmldocs/Samba3-HOWTO/images/5small.png Binary files differnew file mode 100644 index 0000000000..b23e1fc2c7 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/5small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/6small.png b/docs/htmldocs/Samba3-HOWTO/images/6small.png Binary files differnew file mode 100644 index 0000000000..35a646d826 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/6small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/7small.png b/docs/htmldocs/Samba3-HOWTO/images/7small.png Binary files differnew file mode 100644 index 0000000000..d182677510 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/7small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/8small.png b/docs/htmldocs/Samba3-HOWTO/images/8small.png Binary files differnew file mode 100644 index 0000000000..08aca66386 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/8small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/9small.png b/docs/htmldocs/Samba3-HOWTO/images/9small.png Binary files differnew file mode 100644 index 0000000000..90c2cde327 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/9small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME001.png b/docs/htmldocs/Samba3-HOWTO/images/WME001.png Binary files differnew file mode 100644 index 0000000000..c5db7570bc --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME001.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME002.png b/docs/htmldocs/Samba3-HOWTO/images/WME002.png Binary files differnew file mode 100644 index 0000000000..641f2179a0 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME002.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME003.png b/docs/htmldocs/Samba3-HOWTO/images/WME003.png Binary files differnew file mode 100644 index 0000000000..073c58eddd --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME003.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME005.png b/docs/htmldocs/Samba3-HOWTO/images/WME005.png Binary files differnew file mode 100644 index 0000000000..5e4e72e498 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME005.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME009.png b/docs/htmldocs/Samba3-HOWTO/images/WME009.png Binary files differnew file mode 100644 index 0000000000..f851876cee --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME009.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME010.png b/docs/htmldocs/Samba3-HOWTO/images/WME010.png Binary files differnew file mode 100644 index 0000000000..589be02b22 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME010.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME013.png b/docs/htmldocs/Samba3-HOWTO/images/WME013.png Binary files differnew file mode 100644 index 0000000000..0f0a70d062 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME013.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME014.png b/docs/htmldocs/Samba3-HOWTO/images/WME014.png Binary files differnew file mode 100644 index 0000000000..73f1dde37c --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WME014.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP002.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP002.png Binary files differnew file mode 100644 index 0000000000..b87001bca4 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WXPP002.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP003.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP003.png Binary files differnew file mode 100644 index 0000000000..a60d6c413a --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WXPP003.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP005.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP005.png Binary files differnew file mode 100644 index 0000000000..4aa091767b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WXPP005.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP009.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP009.png Binary files differnew file mode 100644 index 0000000000..b540e238b8 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WXPP009.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP014.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP014.png Binary files differnew file mode 100644 index 0000000000..f1e02d3ce3 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/WXPP014.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/a_small.png b/docs/htmldocs/Samba3-HOWTO/images/a_small.png Binary files differnew file mode 100644 index 0000000000..a6622ef6cf --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/a_small.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/access1.png b/docs/htmldocs/Samba3-HOWTO/images/access1.png Binary files differnew file mode 100644 index 0000000000..c64fb0a14e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/access1.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/browsing1.png b/docs/htmldocs/Samba3-HOWTO/images/browsing1.png Binary files differnew file mode 100644 index 0000000000..6be530c069 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/browsing1.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/cups1.png b/docs/htmldocs/Samba3-HOWTO/images/cups1.png Binary files differnew file mode 100644 index 0000000000..0781260a1b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/cups1.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/cups2.png b/docs/htmldocs/Samba3-HOWTO/images/cups2.png Binary files differnew file mode 100644 index 0000000000..cc5331b084 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/cups2.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/domain.png b/docs/htmldocs/Samba3-HOWTO/images/domain.png Binary files differnew file mode 100644 index 0000000000..51af68e811 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/domain.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/ethereal1.png b/docs/htmldocs/Samba3-HOWTO/images/ethereal1.png Binary files differnew file mode 100644 index 0000000000..c8655389d0 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/ethereal1.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/ethereal2.png b/docs/htmldocs/Samba3-HOWTO/images/ethereal2.png Binary files differnew file mode 100644 index 0000000000..f366772d3b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/ethereal2.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.png Binary files differnew file mode 100644 index 0000000000..66c4d4fae1 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.png Binary files differnew file mode 100644 index 0000000000..1348102e3b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.png Binary files differnew file mode 100644 index 0000000000..f23349c7d7 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.png Binary files differnew file mode 100644 index 0000000000..dc3a99b9c4 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.png Binary files differnew file mode 100644 index 0000000000..1bbf33a6c4 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap_winbind_no_loop.png b/docs/htmldocs/Samba3-HOWTO/images/idmap_winbind_no_loop.png Binary files differnew file mode 100644 index 0000000000..5393f6a192 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/idmap_winbind_no_loop.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.png b/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.png Binary files differnew file mode 100644 index 0000000000..e60f21044b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.png b/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.png Binary files differnew file mode 100644 index 0000000000..bc0e482c39 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/trusts1.png b/docs/htmldocs/Samba3-HOWTO/images/trusts1.png Binary files differnew file mode 100644 index 0000000000..42ac4a3567 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/trusts1.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp001.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp001.png Binary files differnew file mode 100644 index 0000000000..43adf23463 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/w2kp001.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp002.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp002.png Binary files differnew file mode 100644 index 0000000000..13bb029f53 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/w2kp002.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp003.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp003.png Binary files differnew file mode 100644 index 0000000000..c7b779900e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/w2kp003.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp004.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp004.png Binary files differnew file mode 100644 index 0000000000..d0e005a36e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/w2kp004.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp005.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp005.png Binary files differnew file mode 100644 index 0000000000..a729b40cd7 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/w2kp005.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp001.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp001.png Binary files differnew file mode 100644 index 0000000000..2e689a17e2 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/wxpp001.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp004.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp004.png Binary files differnew file mode 100644 index 0000000000..656f67942e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/wxpp004.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp006.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp006.png Binary files differnew file mode 100644 index 0000000000..a20b3ed583 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/wxpp006.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp007.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp007.png Binary files differnew file mode 100644 index 0000000000..cf41352220 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/wxpp007.png diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp008.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp008.png Binary files differnew file mode 100644 index 0000000000..9958c7c873 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/images/wxpp008.png diff --git a/docs/htmldocs/Samba3-HOWTO/index.html b/docs/htmldocs/Samba3-HOWTO/index.html new file mode 100644 index 0000000000..6123285df0 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/index.html @@ -0,0 +1,50 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>The Official Samba 3.2.x HOWTO and Reference Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="next" href="pr01.html" title="About the Cover Artwork"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">The Official Samba 3.2.x HOWTO and Reference Guide</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-HOWTO-Collection"></a>The Official Samba 3.2.x HOWTO and Reference Guide</h1></div><div><div class="authorgroup"><div class="editor"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div><div class="editor"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div><div class="editor"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div></div><div><p class="pubdate"></p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="preface"><a href="pr01.html">About the Cover Artwork</a></span></dt><dt><span class="preface"><a href="pr02.html">Attribution</a></span></dt><dt><span class="preface"><a href="pr03.html">Foreword</a></span></dt><dt><span class="preface"><a href="TOSHpreface.html">Preface</a></span></dt><dd><dl><dt><span class="sect1"><a href="TOSHpreface.html#id325110">Conventions Used</a></span></dt></dl></dd><dt><span class="preface"><a href="IntroSMB.html">Introduction</a></span></dt><dd><dl><dt><span class="sect1"><a href="IntroSMB.html#id325287">What Is Samba?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id325330">Why This Book?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id325410">Book Structure and Layout</a></span></dt></dl></dd><dt><span class="part"><a href="introduction.html">I. General Installation</a></span></dt><dd><dl><dt><span class="chapter"><a href="install.html">1. How to Install and Test SAMBA</a></span></dt><dd><dl><dt><span class="sect1"><a href="install.html#id325669">Obtaining and Installing Samba</a></span></dt><dt><span class="sect1"><a href="install.html#id325710">Configuring Samba (smb.conf)</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id325753">Configuration File Syntax</a></span></dt><dt><span class="sect2"><a href="install.html#tdbdocs">TDB Database File Information</a></span></dt><dt><span class="sect2"><a href="install.html#id326670">Starting Samba</a></span></dt><dt><span class="sect2"><a href="install.html#id326850">Example Configuration</a></span></dt><dt><span class="sect2"><a href="install.html#id327272">SWAT</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id327325">List Shares Available on the Server</a></span></dt><dt><span class="sect1"><a href="install.html#id327375">Connect with a UNIX Client</a></span></dt><dt><span class="sect1"><a href="install.html#id327472">Connect from a Remote SMB Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id327550">What If Things Don't Work?</a></span></dt><dt><span class="sect2"><a href="install.html#id327587">Still Stuck?</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id327616">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id327626">Large Number of smbd Processes</a></span></dt><dt><span class="sect2"><a href="install.html#id327714">Error Message: open_oplock_ipc</a></span></dt><dt><span class="sect2"><a href="install.html#id327744">“<span class="quote"><span class="errorname">The network name cannot be found</span></span>”</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="FastStart.html">2. Fast Start: Cure for Impatience</a></span></dt><dd><dl><dt><span class="sect1"><a href="FastStart.html#id327874">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id327893">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id327959">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id327975">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id329828">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id330741">Domain Controller</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="type.html">II. Server Configuration Basics</a></span></dt><dd><dl><dt><span class="chapter"><a href="ServerType.html">3. Server Types and Security Modes</a></span></dt><dd><dl><dt><span class="sect1"><a href="ServerType.html#id332909">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id333060">Server Types</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id333211">Samba Security Modes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id333359">User Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id333519">Share-Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334182">ADS Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334332">Server Security (User Level Security)</a></span></dt></dl></dd><dt><span class="sect1"><a href="ServerType.html#id334587">Password Checking</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id334759">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id334776">What Makes Samba a Server?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334805">What Makes Samba a Domain Controller?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334843">What Makes Samba a Domain Member?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334868">Constantly Losing Connections to Password Server</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334909">Stand-alone Server is converted to Domain Controller Now User accounts don't work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-pdc.html">4. Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-pdc.html#id335204">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id336284">Basics of Domain Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id336302">Domain Controller Types</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336759">Preparing for Domain Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id337966">Samba ADS Domain Control</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id338009">Domain and Network Logon Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id338026">Domain Network Logon Service</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id338778">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id338784">“<span class="quote">$</span>” Cannot Be Included in Machine Name</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338878">Joining Domain Fails Because of Existing Machine Account</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338937">The System Cannot Log You On (C000019B)</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339004">The Machine Trust Account Is Not Accessible</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339105">Account Disabled</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339131">Domain Controller Unavailable</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339147">Cannot Log onto Domain Member Workstation After Joining Domain</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-bdc.html">5. Backup Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-bdc.html#id339320">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-bdc.html#id339696">Essential Background Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340717">Active Directory Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340853">How Does a Workstation find its Domain Controller?</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id341471">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id341906">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id341947">Machine Accounts Keep Expiring</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id342144">Can I Do This All with LDAP?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="domain-member.html">6. Domain Membership</a></span></dt><dd><dl><dt><span class="sect1"><a href="domain-member.html#id342376">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343788">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344900">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id345150">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id345329">Configure <code class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346362">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id346622">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id346656">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="StandAloneServer.html">7. Standalone Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="StandAloneServer.html#id347049">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id347134">Background</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id347312">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></span></dt><dt><span class="sect2"><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></span></dt></dl></dd><dt><span class="sect1"><a href="StandAloneServer.html#id348271">Common Errors</a></span></dt></dl></dd><dt><span class="chapter"><a href="ClientConfig.html">8. MS Windows Network Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="ClientConfig.html#id348335">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ClientConfig.html#id348389">Technical Details</a></span></dt><dd><dl><dt><span class="sect2"><a href="ClientConfig.html#id348430">TCP/IP Configuration</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></span></dt></dl></dd><dt><span class="sect1"><a href="ClientConfig.html#id351062">Common Errors</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="optional.html">III. Advanced Configuration</a></span></dt><dd><dl><dt><span class="chapter"><a href="ChangeNotes.html">9. Important and Critical Change Notes for the Samba 3.x Series</a></span></dt><dd><dl><dt><span class="sect1"><a href="ChangeNotes.html#id351284">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id351294">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id351342">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351632">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351743">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetworkBrowsing.html">10. Network Browsing</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetworkBrowsing.html#id352162">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355362">Note about Broadcast Addresses</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355550">Use of the Remote Announce Parameter</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355674">Use of the Remote Browse Sync Parameter</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356273">WINS Replication</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356540">Helpful Hints</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356676">Name Resolution Order</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id357120">Problem Resolution</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id358283">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id358308">Flushing the Samba NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358373">Server Resources Cannot Be Listed</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358414">I Get an "<span class="errorname">Unable to browse the network</span>" Error</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358640">Invalid Cached Share References Affects Network Browsing</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="passdb.html">11. Account Information Databases</a></span></dt><dd><dl><dt><span class="sect1"><a href="passdb.html#id359091">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id359295">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359822">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id360825">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id361615">The <code class="literal">smbpasswd</code> Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The <code class="literal">pdbedit</code> Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id363976">Password Backends</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id364023">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364340">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364485">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id366875">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id366881">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id366912">Configuration of <em class="parameter"><code>auth methods</code></em></a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="groupmapping.html">12. Group Mapping: MS Windows and UNIX</a></span></dt><dd><dl><dt><span class="sect1"><a href="groupmapping.html#id367144">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="groupmapping.html#id367529">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367843">Warning: User Private Group Problems</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id368424">Important Administrative Information</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369250">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id369322">Configuration Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id369332">Sample <code class="filename">smb.conf</code> Add Group Script</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369493">Script to Configure Group Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id369607">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id369618">Adding Groups Fails</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369692">Adding Domain Users to the Workstation Power Users Group</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetCommand.html">13. Remote and Local Management: The Net Command</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetCommand.html#id370067">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370344">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id370568">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id371804">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371995">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372040">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372102">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372494">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id372506">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372844">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id373255">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id373453">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id373480">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id374016">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id374226">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374244">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374303">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374407">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374423">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id374462">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id374493">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></dd><dt><span class="chapter"><a href="idmapper.html">14. Identity Mapping (IDMAP)</a></span></dt><dd><dl><dt><span class="sect1"><a href="idmapper.html#id374968">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id374992">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375941">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id376159">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id376225">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id376286">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="rights.html">15. User Rights and Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="rights.html#id378765">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id379021">Using the “<span class="quote">net rpc rights</span>” Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id379339">Description of Privileges</a></span></dt><dt><span class="sect2"><a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id380042">The Administrator Domain SID</a></span></dt><dt><span class="sect1"><a href="rights.html#id380207">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AccessControls.html">16. File, Directory, and Share Access Controls</a></span></dt><dd><dl><dt><span class="sect1"><a href="AccessControls.html#id380678">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id380846">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381159">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381279">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381872">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381903">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382473">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382742">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382878">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id383200">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id383206">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383245">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383310">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383436">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383623">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383760">Interaction with the Standard Samba “<span class="quote">create mask</span>” Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384062">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384126">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id384487">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id384497">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384805">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384841">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="locking.html">17. File and Record Locking</a></span></dt><dd><dl><dt><span class="sect1"><a href="locking.html#id385057">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="locking.html#id385144">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id385372">Opportunistic Locking Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386203">Samba Oplocks Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386275">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386670">MS Windows Oplocks and Caching Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386822">Workstation Service Entries</a></span></dt><dt><span class="sect2"><a href="locking.html#id386841">Server Service Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386898">Persistent Data Corruption</a></span></dt><dt><span class="sect1"><a href="locking.html#id386917">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386968">locking.tdb Error Messages</a></span></dt><dt><span class="sect2"><a href="locking.html#id386996">Problems Saving Files in MS Office on Windows XP</a></span></dt><dt><span class="sect2"><a href="locking.html#id387019">Long Delays Deleting Files over Network with XP SP1</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id387048">Additional Reading</a></span></dt></dl></dd><dt><span class="chapter"><a href="securing-samba.html">18. Securing Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="securing-samba.html#id387214">Introduction</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id387302">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id387436">Technical Discussion of Protective Measures and Issues</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id387449">Using Host-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387586">User-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387645">Using Interface Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#firewallports">Using a Firewall</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id388109">NTLMv2 Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="securing-samba.html#id388158">Upgrading Samba</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id388198">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id388210">Smbclient Works on Localhost, but the Network Is Dead</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="InterdomainTrusts.html">19. Interdomain Trust Relationships</a></span></dt><dd><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id388758">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id389083">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id390117">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id390128">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id390165">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="msdfs.html">20. Hosting a Microsoft Distributed File System Tree</a></span></dt><dd><dl><dt><span class="sect1"><a href="msdfs.html#id390330">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="msdfs.html#id390715">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="msdfs.html#id390744">MSDFS UNIX Path Is Case-Critical</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="classicalprinting.html">21. Classical Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="classicalprinting.html#id390934">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id391142">Technical Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id391282">Client to Samba Print Job Processing</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id391335">Printing-Related Configuration Parameters</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id391430">Simple Print Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id391698">Verifying Configuration with <code class="literal">testparm</code></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id392225">Extended Printing Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id392691">Detailed Explanation Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395308">Creating the [print$] Share</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395788">The [print$] Share Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id395912">Installing Drivers into [print$]</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id396001">Add Printer Wizard Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#inst-rpc">Installing Print Drivers Using <code class="literal">rpcclient</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id397714">Client Driver Installation Procedure</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id397729">First Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398228">Additional Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398340">Always Make First Client Connection as root or “<span class="quote">printer admin</span>”</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id398491">Other Gotchas</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398507">Setting Default Print Options for Client Drivers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398839">Supporting Large Numbers of Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399282">Error Message: “<span class="quote">Cannot connect under a different Name</span>”</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399380">Take Care When Assembling Driver Files</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399581">Samba and Printer Ports</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399675">Avoiding Common Client Driver Misconfiguration</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id399708">The Imprints Toolset</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id399746">What Is Imprints?</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399776">Creating Printer Driver Packages</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399789">The Imprints Server</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399802">The Installation Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id399919">Adding Network Printers without User Interaction</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400158">The <code class="literal">addprinter</code> Command</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400192">Migration of Classical Printing to Samba</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400323">Publishing Printer Information in Active Directory or LDAP</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400350">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id400355">I Give My Root Password but I Do Not Get Access</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id400392">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="CUPS-printing.html">22. CUPS Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="CUPS-printing.html#id400524">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id400530">Features and Benefits</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400581">Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400978">Simple <code class="filename">smb.conf</code> Settings for CUPS</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401226">More Complex CUPS <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id401621">Advanced Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id401636">Central Spooling vs. “<span class="quote">Peer-to-Peer</span>” Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401884">Installation of Windows Client Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-raw">Explicitly Enable “<span class="quote">raw</span>” Printing for <span class="emphasis"><em>application/octet-stream</em></span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402147">Driver Upload Methods</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id402258">Advanced Intelligent Printing with PostScript Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402931">Ghostscript: The Software RIP for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403248">CUPS Also Uses PPDs for Non-PostScript Printers</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404104">Filtering Overview</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404252">Prefilters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404429">pstops</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404588">pstoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404838">imagetops and imagetoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405130">CUPS Backends</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405438">The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405653">The Complete Picture</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405664"><code class="filename">mime.convs</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405726">“<span class="quote">Raw</span>” Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406350"><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>Native CUPS</em></span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407066">Sources of CUPS Drivers/PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407175">Printing with Interface Scripts</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407253">Network Printing (Purely Windows)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407268">From Windows Clients to an NT Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407326">Driver Execution on the Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407391">Driver Execution on the Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407490">Network Printing (Windows Clients and UNIX/Samba Print +Servers)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407671">Samba Receiving Job-Files and Passing Them to CUPS</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407739">Network PostScript RIP</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407819">PPDs for Non-PS Printers on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407856">PPDs for Non-PS Printers on Windows</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407917">Windows Terminal Servers (WTS) as CUPS Clients</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407928">Printer Drivers Running in “<span class="quote">Kernel Mode</span>” Cause Many +Problems</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407959">Workarounds Impose Heavy Limitations</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407973">CUPS: A “<span class="quote">Magical Stone</span>”?</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id408093">Configuring CUPS for Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id408112"><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408200">Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408505">CUPS “<span class="quote">PostScript Driver for Windows NT/200x/XP</span>”</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408727">Recognizing Different Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408838">Acquiring the Adobe Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408858">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409387">Run cupsaddsmb (Quiet Mode)</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409517">Run cupsaddsmb with Verbose Output</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409621">Understanding cupsaddsmb</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409757">How to Recognize If cupsaddsmb Completed Successfully</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409864">cupsaddsmb with a Samba PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409942">cupsaddsmb Flowchart</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-avoidps1">Avoiding Critical PostScript Driver Settings on the Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410555">Understanding the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410647">Producing an Example by Querying a Windows Box</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id411985">The Printing <code class="filename">*.tdb</code> Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412184">Trivial Database Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412246">Binary Format</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412307">Losing <code class="filename">*.tdb</code> Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412353">Using <code class="literal">tdbbackup</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412624">foomatic-rip and Foomatic Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413329">foomatic-rip and Foomatic PPD Download and Installation</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id413751">Page Accounting with CUPS</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id413781">Setting Up Quotas</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413832">Correct and Incorrect Accounting</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413996">The page_log File Syntax</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414132">Possible Shortcomings</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414190">Future Developments</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414225">Other Accounting Tools</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414238">Additional Material</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id414430">Autodeletion or Preservation of CUPS Spool Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id414498">CUPS Configuration Settings Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414575">Preconditions</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414681">Manual Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id414972">More CUPS Filtering Chains</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id415081">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id415086">Windows 9x/Me Client Can't Install Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#root-ask-loop">“<span class="quote">cupsaddsmb</span>” Keeps Asking for Root Password in Never-ending Loop</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415153">“<span class="quote">cupsaddsmb</span>” or “<span class="quote">rpcclient addriver</span>” Emit Error</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415189">“<span class="quote">cupsaddsmb</span>” Errors</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415259">Client Can't Connect to Samba Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415282">New Account Reconnection from Windows 200x/XP Troubles</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415360">Avoid Being Connected to the Samba Server as the Wrong User</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415399">Upgrading to CUPS Drivers from Adobe Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415434">Can't Use “<span class="quote">cupsaddsmb</span>” on Samba Server, Which Is a PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415468">Deleted Windows 200x Printer Driver Is Still Shown</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415499">Windows 200x/XP Local Security Policies</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415530">Administrator Cannot Install Printers for All Local Users</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415567">Print Change, Notify Functions on NT Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415591">Win XP-SP1</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415632">Print Options for All Users Can't Be Set on Windows 200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415896">Most Common Blunders in Driver Settings on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415949"><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415995">Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id416081">Print Queue Called “<span class="quote">lp</span>” Mishandles Print Jobs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id416144">Location of Adobe PostScript Driver Files for “<span class="quote">cupsaddsmb</span>”</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id416195">Overview of the CUPS Printing Processes</a></span></dt></dl></dd><dt><span class="chapter"><a href="VFS.html">23. Stackable VFS modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="VFS.html#id416378">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="VFS.html#id416413">Discussion</a></span></dt><dt><span class="sect1"><a href="VFS.html#id416800">Included Modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id416806">audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416845">default_quota</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417038">extd_audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#fakeperms">fake_perms</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417334">recycle</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417705">netatalk</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417753">shadow_copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="VFS.html#id418589">VFS Modules Available Elsewhere</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id418611">DatabaseFS</a></span></dt><dt><span class="sect2"><a href="VFS.html#id418663">vscan</a></span></dt><dt><span class="sect2"><a href="VFS.html#id418700">vscan-clamav</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="winbind.html">24. Winbind: Use of Domain Accounts</a></span></dt><dd><dl><dt><span class="sect1"><a href="winbind.html#id418954">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id419277">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id419355">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id419494">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419533">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id419645">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419770">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419814">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420026">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420167">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420241">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id420291">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id420297">Introduction</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420404">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420546">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id422791">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id422837">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id422871">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id422905">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AdvancedNetworkManagement.html">25. Advanced Network Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423076">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423235">Remote Desktop Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></span></dt></dl></dd><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423774">Network Logon Script Magic</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423940">Adding Printers without User Intervention</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423980">Limiting Logon Connections</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="PolicyMgmt.html">26. System and Account Policies</a></span></dt><dd><dl><dt><span class="sect1"><a href="PolicyMgmt.html#id424107">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id425313">Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id425324">Samba Editreg Toolset</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id425400">Windows NT4/200x</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id425437">Samba PDC</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id425500">System Startup and Logon Processing Overview</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id425641">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id425652">Policy Does Not Work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ProfileMgmt.html">27. Desktop Profile Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="ProfileMgmt.html#id425731">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id425774">Roaming Profiles</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id425822">Samba Configuration for Profile Handling</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426376">Windows Client Profile Configuration Information</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427615">User Profile Hive Cleanup Service</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427726">Profile Migration from Windows NT4/200x Server to Samba</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id428249">Default Profile for Windows Users</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id428275">MS Windows 9x/Me</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id429398">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id429408">Configuring Roaming Profiles for a Few Users or Groups</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429461">Cannot Use Roaming Profiles</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429610">Changing the Default Profile</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429770">Debugging Roaming Profiles and NT4-style Domain Policies</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="pam.html">28. PAM-Based Distributed Authentication</a></span></dt><dd><dl><dt><span class="sect1"><a href="pam.html#id429934">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id430534">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id430584">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id431487">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id431757"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id431817">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id431902">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id432259">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id432269">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id432358">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="integrate-ms-networks.html">29. Integrating MS Windows Networks with Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="integrate-ms-networks.html#id432559">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id432576">Background Information</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id432695">Name Resolution in a Pure UNIX/Linux World</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id432767"><code class="filename">/etc/hosts</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432923"><code class="filename">/etc/resolv.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432956"><code class="filename">/etc/host.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433004"><code class="filename">/etc/nsswitch.conf</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433586">The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433711">HOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433736">DNS Lookup</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433763">WINS Lookup</a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id433898">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id433909">Pinging Works Only One Way</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433936">Very Slow Network Connections</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433974">Samba Server Name-Change Problem</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="unicode.html">30. Unicode/Charsets</a></span></dt><dd><dl><dt><span class="sect1"><a href="unicode.html#id434160">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434205">What Are Charsets and Unicode?</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434324">Samba and Charsets</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434440">Conversion from Old Names</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434469">Japanese Charsets</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id434585">Basic Parameter Setting</a></span></dt><dt><span class="sect2"><a href="unicode.html#id435148">Individual Implementations</a></span></dt><dt><span class="sect2"><a href="unicode.html#id435264">Migration from Samba-2.2 Series</a></span></dt></dl></dd><dt><span class="sect1"><a href="unicode.html#id435399">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id435405">CP850.so Can't Be Found</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Backup.html">31. Backup Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="Backup.html#id435499">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="Backup.html#id435539">Discussion of Backup Solutions</a></span></dt><dd><dl><dt><span class="sect2"><a href="Backup.html#id435626">BackupPC</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435788">Rsync</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435949">Amanda</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435992">BOBS: Browseable Online Backup System</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SambaHA.html">32. High Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="SambaHA.html#id436084">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SambaHA.html#id436191">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="SambaHA.html#id436222">The Ultimate Goal</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id436345">Why Is This So Hard?</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437009">A Simple Solution</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437081">High-Availability Server Products</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437210">MS-DFS: The Poor Man's Cluster</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437243">Conclusions</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="largefile.html">33. Handling Large Directories</a></span></dt><dt><span class="chapter"><a href="cfgsmarts.html">34. Advanced Configuration Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="cfgsmarts.html#id437826">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="migration.html">IV. Migration and Updating</a></span></dt><dd><dl><dt><span class="chapter"><a href="upgrading-to-3.0.html">35. Updating and Upgrading Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id440059">Key Update Requirements</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440079">Upgrading from Samba-3.0.x to Samba-3.2.0</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id440251">New Featuers in Samba-3.x Series</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440260">New Features in Samba-3.2.x Series</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id441421">New Functionality</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NT4Migration.html">36. Migration from NT4 PDC to Samba-3 PDC</a></span></dt><dd><dl><dt><span class="sect1"><a href="NT4Migration.html#id442739">Planning and Getting Started</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id442769">Objectives</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id443632">Steps in Migration Process</a></span></dt></dl></dd><dt><span class="sect1"><a href="NT4Migration.html#id443855">Migration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id443938">Planning for Success</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SWAT.html">37. SWAT: The Samba Web Administration Tool</a></span></dt><dd><dl><dt><span class="sect1"><a href="SWAT.html#id444620">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SWAT.html#id444732">Guidelines and Technical Tips</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id444749">Validate SWAT Installation</a></span></dt><dt><span class="sect2"><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445330">Securing SWAT through SSL</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="SWAT.html#id445656">Overview and Quick Tour</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id445667">The SWAT Home Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445720">Global Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445817">Share Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445869">Printers Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445921">The SWAT Wizard</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445978">The Status Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id446016">The View Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id446034">The Password Change Page</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="troubleshooting.html">V. Troubleshooting</a></span></dt><dd><dl><dt><span class="chapter"><a href="diagnosis.html">38. The Samba Checklist</a></span></dt><dd><dl><dt><span class="sect1"><a href="diagnosis.html#id446161">Introduction</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id446194">Assumptions</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id446476">The Tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="problems.html">39. Analyzing and Solving Samba Problems</a></span></dt><dd><dl><dt><span class="sect1"><a href="problems.html#id448088">Diagnostics Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="problems.html#id448137">Debugging with Samba Itself</a></span></dt><dt><span class="sect2"><a href="problems.html#id448378">Tcpdump</a></span></dt><dt><span class="sect2"><a href="problems.html#id448426">Ethereal</a></span></dt><dt><span class="sect2"><a href="problems.html#id448565">The Windows Network Monitor</a></span></dt></dl></dd><dt><span class="sect1"><a href="problems.html#id448871">Useful URLs</a></span></dt><dt><span class="sect1"><a href="problems.html#id448906">Getting Mailing List Help</a></span></dt><dt><span class="sect1"><a href="problems.html#id449061">How to Get Off the Mailing Lists</a></span></dt></dl></dd><dt><span class="chapter"><a href="bugreport.html">40. Reporting Bugs</a></span></dt><dd><dl><dt><span class="sect1"><a href="bugreport.html#id449187">Introduction</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449267">General Information</a></span></dt><dt><span class="sect1"><a href="bugreport.html#dbglvl">Debug Levels</a></span></dt><dd><dl><dt><span class="sect2"><a href="bugreport.html#id449471">Debugging-Specific Operations</a></span></dt></dl></dd><dt><span class="sect1"><a href="bugreport.html#id449670">Internal Errors</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449791">Attaching to a Running Process</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449906">Patches</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="Appendix.html">VI. Reference Section</a></span></dt><dd><dl><dt><span class="chapter"><a href="compiling.html">41. How to Compile Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="compiling.html#id450070">Access Samba Source Code via Subversion</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450076">Introduction</a></span></dt><dt><span class="sect2"><a href="compiling.html#id450114">Subversion Access to samba.org</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#id450289">Accessing the Samba Sources via rsync and ftp</a></span></dt><dt><span class="sect1"><a href="compiling.html#id450357">Verifying Samba's PGP Signature</a></span></dt><dt><span class="sect1"><a href="compiling.html#id450486">Building the Binaries</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450708">Compiling Samba with Active Directory Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#startingSamba">Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450957">Starting from inetd.conf</a></span></dt><dt><span class="sect2"><a href="compiling.html#id451161">Alternative: Starting <span class="application">smbd</span> as a Daemon</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Portability.html">42. Portability</a></span></dt><dd><dl><dt><span class="sect1"><a href="Portability.html#id451523">HPUX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451618">SCO UNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451650">DNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451779">Red Hat Linux</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451818">AIX: Sequential Read Ahead</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451872">Solaris</a></span></dt><dd><dl><dt><span class="sect2"><a href="Portability.html#id451878">Locking Improvements</a></span></dt><dt><span class="sect2"><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Other-Clients.html">43. Samba and Other CIFS Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="Other-Clients.html#id452041">Macintosh Clients</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452117">OS2 Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452122">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452233">Configuring Other Versions of OS/2</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452283">Printer Driver Download for OS/2 Clients</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452362">Windows for Workgroups</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452368">Latest TCP/IP Stack from Microsoft</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452446">Delete .pwl Files After Password Change</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452468">Configuring Windows for Workgroups Password Handling</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452517">Password Case Sensitivity</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id452542">Use TCP/IP as Default Protocol</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#speedimpr">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452594">Windows 95/98</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id452657">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452850">Windows NT 3.1</a></span></dt></dl></dd><dt><span class="chapter"><a href="speed.html">44. Samba Performance Tuning</a></span></dt><dd><dl><dt><span class="sect1"><a href="speed.html#id452955">Comparisons</a></span></dt><dt><span class="sect1"><a href="speed.html#id452984">Socket Options</a></span></dt><dt><span class="sect1"><a href="speed.html#id453061">Read Size</a></span></dt><dt><span class="sect1"><a href="speed.html#id453095">Max Xmit</a></span></dt><dt><span class="sect1"><a href="speed.html#id453133">Log Level</a></span></dt><dt><span class="sect1"><a href="speed.html#id453152">Read Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id453197">Write Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id453234">Slow Logins</a></span></dt><dt><span class="sect1"><a href="speed.html#id453252">Client Tuning</a></span></dt><dt><span class="sect1"><a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></span></dt><dt><span class="sect1"><a href="speed.html#id453354">Corrupt tdb Files</a></span></dt><dt><span class="sect1"><a href="speed.html#id453443">Samba Performance is Very Slow</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch-ldap-tls.html">45. LDAP and Transport Layer Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch46.html">46. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch46.html#id454529">Free Support</a></span></dt><dt><span class="sect1"><a href="ch46.html#id454727">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="DNSDHCP.html">47. DNS and DHCP Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="DNSDHCP.html#id454865">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="DNSDHCP.html#id455025">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="DNSDHCP.html#id455101">Dynamic DNS</a></span></dt><dt><span class="sect2"><a href="DNSDHCP.html#DHCP">DHCP Server</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="appendix"><a href="apa.html">A. + <acronym class="acronym">GNU</acronym> General Public License version 3 + </a></span></dt><dd><dl><dt><span class="bridgehead"><a href="apa.html#id455364">A. + Preamble + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455473">A. + TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455477">A. + 0. Definitions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455541">A. + 1. Source Code. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455603">A. + 2. Basic Permissions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455630">A. + 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455654">A. + 4. Conveying Verbatim Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455674">A. + 5. Conveying Modified Source Versions. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455746">A. + 6. Conveying Non-Source Forms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455878">A. + 7. Additional Terms. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455983">A. + 8. Termination. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456015">A. + 9. Acceptance Not Required for Having Copies. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456029">A. + 10. Automatic Licensing of Downstream Recipients. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456062">A. + 11. Patents. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456151">A. + 12. No Surrender of Others’ Freedom. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456167">A. + 13. Use with the ???TITLE??? Affero General Public License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456190">A. + 14. Revised Versions of this License. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456238">A. + 15. Disclaimer of Warranty. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456255">A. + 16. Limitation of Liability. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456270">A. + 17. Interpretation of Sections 15 and 16. + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456282">A. + END OF TERMS AND CONDITIONS + </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id456286">A. + How to Apply These Terms to Your New Programs + </a></span></dt></dl></dd><dt><span class="glossary"><a href="go01.html">Glossary</a></span></dt><dt><span class="index"><a href="ix01.html">Index</a></span></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>4.1. <a href="samba-pdc.html#domain-example">An Example Domain.</a></dt><dt>8.1. <a href="ClientConfig.html#WXPP002">Network Bridge Configuration.</a></dt><dt>8.2. <a href="ClientConfig.html#WXPP003">Internet Protocol (TCP/IP) Properties.</a></dt><dt>8.3. <a href="ClientConfig.html#WXPP005">Advanced Network Settings</a></dt><dt>8.4. <a href="ClientConfig.html#WXPP014">DNS Configuration.</a></dt><dt>8.5. <a href="ClientConfig.html#WXPP009">WINS Configuration</a></dt><dt>8.6. <a href="ClientConfig.html#w2kp001">Local Area Connection Properties.</a></dt><dt>8.7. <a href="ClientConfig.html#w2kp002">Internet Protocol (TCP/IP) Properties.</a></dt><dt>8.8. <a href="ClientConfig.html#w2kp003">Advanced Network Settings.</a></dt><dt>8.9. <a href="ClientConfig.html#w2kp004">DNS Configuration.</a></dt><dt>8.10. <a href="ClientConfig.html#w2kp005">WINS Configuration.</a></dt><dt>8.11. <a href="ClientConfig.html#WME001">The Windows Me Network Configuration Panel.</a></dt><dt>8.12. <a href="ClientConfig.html#WME002">IP Address.</a></dt><dt>8.13. <a href="ClientConfig.html#WME005">DNS Configuration.</a></dt><dt>8.14. <a href="ClientConfig.html#WME003">WINS Configuration.</a></dt><dt>8.15. <a href="ClientConfig.html#wxpp001">The General Panel.</a></dt><dt>8.16. <a href="ClientConfig.html#wxpp004">The Computer Name Panel.</a></dt><dt>8.17. <a href="ClientConfig.html#wxpp006">The Computer Name Changes Panel.</a></dt><dt>8.18. <a href="ClientConfig.html#wxpp007">The Computer Name Changes Panel Domain MIDEARTH.</a></dt><dt>8.19. <a href="ClientConfig.html#wxpp008">Computer Name Changes Username and Password Panel.</a></dt><dt>8.20. <a href="ClientConfig.html#WME009">The Network Panel.</a></dt><dt>8.21. <a href="ClientConfig.html#WME010">Client for Microsoft Networks Properties Panel.</a></dt><dt>8.22. <a href="ClientConfig.html#WME013">Identification Panel.</a></dt><dt>8.23. <a href="ClientConfig.html#WME014">Access Control Panel.</a></dt><dt>10.1. <a href="NetworkBrowsing.html#browsing1">Cross-Subnet Browsing Example.</a></dt><dt>11.1. <a href="passdb.html#idmap-sid2uid">IDMAP: Resolution of SIDs to UIDs.</a></dt><dt>11.2. <a href="passdb.html#idmap-uid2sid">IDMAP: Resolution of UIDs to SIDs.</a></dt><dt>12.1. <a href="groupmapping.html#idmap-sid2gid">IDMAP: Group SID-to-GID Resolution.</a></dt><dt>12.2. <a href="groupmapping.html#idmap-gid2sid">IDMAP: GID Resolution to Matching SID.</a></dt><dt>12.3. <a href="groupmapping.html#idmap-store-gid2sid">IDMAP Storing Group Mappings.</a></dt><dt>16.1. <a href="AccessControls.html#access1">Overview of UNIX permissions field.</a></dt><dt>19.1. <a href="InterdomainTrusts.html#trusts1">Trusts overview.</a></dt><dt>22.1. <a href="CUPS-printing.html#1small">Windows Printing to a Local Printer.</a></dt><dt>22.2. <a href="CUPS-printing.html#2small">Printing to a PostScript Printer.</a></dt><dt>22.3. <a href="CUPS-printing.html#3small">Ghostscript as a RIP for Non-PostScript Printers.</a></dt><dt>22.4. <a href="CUPS-printing.html#4small">Prefiltering in CUPS to Form PostScript.</a></dt><dt>22.5. <a href="CUPS-printing.html#5small">Adding Device-Specific Print Options.</a></dt><dt>22.6. <a href="CUPS-printing.html#cups-raster">PostScript to Intermediate Raster Format.</a></dt><dt>22.7. <a href="CUPS-printing.html#cups-raster2">CUPS-Raster Production Using Ghostscript.</a></dt><dt>22.8. <a href="CUPS-printing.html#small8">Image Format to CUPS-Raster Format Conversion.</a></dt><dt>22.9. <a href="CUPS-printing.html#small9">Raster to Printer-Specific Formats.</a></dt><dt>22.10. <a href="CUPS-printing.html#cupsomatic-dia">cupsomatic/foomatic Processing Versus Native CUPS.</a></dt><dt>22.11. <a href="CUPS-printing.html#pdftosocket">PDF to Socket Chain.</a></dt><dt>22.12. <a href="CUPS-printing.html#pdftoepsonusb">PDF to USB Chain.</a></dt><dt>22.13. <a href="CUPS-printing.html#small11">Print Driver Execution on the Client.</a></dt><dt>22.14. <a href="CUPS-printing.html#small12">Print Driver Execution on the Server.</a></dt><dt>22.15. <a href="CUPS-printing.html#13small">Printing via CUPS/Samba Server.</a></dt><dt>22.16. <a href="CUPS-printing.html#small14">cupsaddsmb Flowchart.</a></dt><dt>22.17. <a href="CUPS-printing.html#cups1">Filtering Chain 1.</a></dt><dt>22.18. <a href="CUPS-printing.html#cups2">Filtering Chain with cupsomatic</a></dt><dt>22.19. <a href="CUPS-printing.html#a_small">CUPS Printing Overview.</a></dt><dt>24.1. <a href="winbind.html#winbind_idmap">Winbind Idmap</a></dt><dt>39.1. <a href="problems.html#ethereal1">Starting a Capture.</a></dt><dt>39.2. <a href="problems.html#ethereal2">Main Ethereal Data Window.</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>1.1. <a href="install.html#tdbpermfiledesc">Persistent TDB File Descriptions</a></dt><dt>1.2. <a href="install.html#tdbtempfiledesc">Temporary TDB File Descriptions</a></dt><dt>5.1. <a href="samba-bdc.html#pdc-bdc-table">Domain Backend Account Distribution Options</a></dt><dt>6.1. <a href="domain-member.html#assumptions">Assumptions</a></dt><dt>9.1. <a href="ChangeNotes.html#TOSH-domgroups">Essential Domain Group Mappings</a></dt><dt>10.1. <a href="NetworkBrowsing.html#browsubnet">Browse Subnet Example 1</a></dt><dt>10.2. <a href="NetworkBrowsing.html#brsbex">Browse Subnet Example 2</a></dt><dt>10.3. <a href="NetworkBrowsing.html#brsex2">Browse Subnet Example 3</a></dt><dt>10.4. <a href="NetworkBrowsing.html#brsex3">Browse Subnet Example 4</a></dt><dt>11.1. <a href="passdb.html#policycontrols">NT4 Domain v's Samba Policy Controls</a></dt><dt>11.2. <a href="passdb.html#accountflags">Samba SAM Account Control Block Flags</a></dt><dt>11.3. <a href="passdb.html#attribobjclPartA">Attributes in the sambaSamAccount ObjectClass (LDAP), Part A</a></dt><dt>11.4. <a href="passdb.html#attribobjclPartB">Attributes in the sambaSamAccount ObjectClass (LDAP), Part B</a></dt><dt>11.5. <a href="passdb.html#ldappwsync">Possible <em class="parameter"><code>ldap passwd sync</code></em> Values</a></dt><dt>12.1. <a href="groupmapping.html#WKURIDS">Well-Known User Default RIDs</a></dt><dt>15.1. <a href="rights.html#rp-privs">Current Privilege Capabilities</a></dt><dt>16.1. <a href="AccessControls.html#TOSH-Accesstbl">Managing Directories with UNIX and Windows</a></dt><dt>16.2. <a href="AccessControls.html#ugbc">User- and Group-Based Controls</a></dt><dt>16.3. <a href="AccessControls.html#fdpbc">File and Directory Permission-Based Controls</a></dt><dt>16.4. <a href="AccessControls.html#mcoc">Other Controls</a></dt><dt>16.5. <a href="AccessControls.html#fdsacls">How Windows File ACLs Map to UNIX POSIX File ACLs</a></dt><dt>21.1. <a href="classicalprinting.html#printOptions">Default Printing Settings</a></dt><dt>22.1. <a href="CUPS-printing.html#cups-ppds">PPDs Shipped with CUPS</a></dt><dt>23.1. <a href="VFS.html#xtdaudit">Extended Auditing Log Information</a></dt><dt>27.1. <a href="ProfileMgmt.html#ProfileLocs">User Shell Folder Registry Keys Default Values</a></dt><dt>27.2. <a href="ProfileMgmt.html#regkeys">Defaults of Profile Settings Registry Keys</a></dt><dt>27.3. <a href="ProfileMgmt.html#defregpthkeys">Defaults of Default User Profile Paths Registry Keys</a></dt><dt>28.1. <a href="pam.html#smbpassoptions">Options recognized by <em class="parameter"><code>pam_smbpass</code></em></a></dt><dt>29.1. <a href="integrate-ms-networks.html#uniqnetbiosnames">Unique NetBIOS Names</a></dt><dt>29.2. <a href="integrate-ms-networks.html#netbiosnamesgrp">Group Names</a></dt><dt>30.1. <a href="unicode.html#japancharsets">Japanese Character Sets in Samba-2.2 and Samba-3</a></dt><dt>35.1. <a href="upgrading-to-3.0.html#oldtdbfiledesc">Samba-2.2.x TDB File Descriptions</a></dt><dt>36.1. <a href="NT4Migration.html#majtypes">The Three Major Site Types</a></dt><dt>36.2. <a href="NT4Migration.html#natconchoices">Nature of the Conversion Choices</a></dt><dt>40.1. <a href="bugreport.html#dbgclass">Debuggable Functions</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>1.1. <a href="install.html#smbconfminimal">A minimal smb.conf</a></dt><dt>1.2. <a href="install.html#simple-example">Another simple smb.conf File</a></dt><dt>2.1. <a href="FastStart.html#anon-example">Anonymous Read-Only Server Configuration</a></dt><dt>2.2. <a href="FastStart.html#anon-rw">Modified Anonymous Read-Write smb.conf</a></dt><dt>2.3. <a href="FastStart.html#anon-print">Anonymous Print Server smb.conf</a></dt><dt>2.4. <a href="FastStart.html#OfficeServer">Secure Office Server smb.conf</a></dt><dt>2.5. <a href="FastStart.html#fast-member-server">Member Server smb.conf (Globals)</a></dt><dt>2.6. <a href="FastStart.html#fast-memberserver-shares">Member Server smb.conf (Shares and Services)</a></dt><dt>2.7. <a href="FastStart.html#fast-engoffice-global">Engineering Office smb.conf (globals)</a></dt><dt>2.8. <a href="FastStart.html#fast-engoffice-shares">Engineering Office smb.conf (shares and services)</a></dt><dt>2.9. <a href="FastStart.html#fast-ldap">LDAP backend smb.conf for PDC</a></dt><dt>2.10. <a href="FastStart.html#fast-bdc">Remote LDAP BDC smb.conf</a></dt><dt>4.1. <a href="samba-pdc.html#pdc-example">smb.conf for being a PDC</a></dt><dt>4.2. <a href="samba-pdc.html#PDC-config">smb.conf for being a PDC</a></dt><dt>5.1. <a href="samba-bdc.html#minimalPDC">Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC</a></dt><dt>5.2. <a href="samba-bdc.html#mulitldapcfg">Multiple LDAP Servers in <code class="filename">smb.conf</code></a></dt><dt>5.3. <a href="samba-bdc.html#minim-bdc">Minimal Setup for Being a BDC</a></dt><dt>7.1. <a href="StandAloneServer.html#simplynice">smb.conf for Reference Documentation Server</a></dt><dt>7.2. <a href="StandAloneServer.html#AnonPtrSvr"><code class="filename">smb.conf</code> for Anonymous Printing</a></dt><dt>10.1. <a href="NetworkBrowsing.html#dmbexample">Domain Master Browser smb.conf</a></dt><dt>10.2. <a href="NetworkBrowsing.html#lmbexample">Local master browser smb.conf</a></dt><dt>10.3. <a href="NetworkBrowsing.html#nombexample">smb.conf for Not Being a Master Browser</a></dt><dt>10.4. <a href="NetworkBrowsing.html#remsmb">Local Master Browser smb.conf</a></dt><dt>10.5. <a href="NetworkBrowsing.html#xremmb"><code class="filename">smb.conf</code> for Not Being a master browser</a></dt><dt>11.1. <a href="passdb.html#idmapbackendexample">Example Configuration with the LDAP idmap Backend</a></dt><dt>11.2. <a href="passdb.html#confldapex">Configuration with LDAP</a></dt><dt>12.1. <a href="groupmapping.html#smbgrpadd.sh">smbgrpadd.sh</a></dt><dt>12.2. <a href="groupmapping.html#smbgrpadd">Configuration of <code class="filename">smb.conf</code> for the add group Script</a></dt><dt>12.3. <a href="groupmapping.html#set-group-map">Script to Set Group Mapping</a></dt><dt>13.1. <a href="NetCommand.html#autopoweruserscript">Script to Auto-add Domain Users to Workstation Power Users Group</a></dt><dt>13.2. <a href="NetCommand.html#magicnetlogon">A Magic Netlogon Share</a></dt><dt>14.1. <a href="idmapper.html#idmapnt4dms">NT4 Domain Member Server smb.conf</a></dt><dt>14.2. <a href="idmapper.html#idmapadsdms">ADS Domain Member Server smb.conf</a></dt><dt>14.3. <a href="idmapper.html#idmapadsridDMS">ADS Domain Member smb.conf using idmap_rid</a></dt><dt>14.4. <a href="idmapper.html#idmapldapDMS">ADS Domain Member Server using LDAP</a></dt><dt>14.5. <a href="idmapper.html#idmaprfc2307">ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</a></dt><dt>16.1. <a href="AccessControls.html#access2">Example File</a></dt><dt>17.1. <a href="locking.html#far1">Share with Some Files Oplocked</a></dt><dt>17.2. <a href="locking.html#far3">Configuration with Oplock Break Contention Limit</a></dt><dt>20.1. <a href="msdfs.html#dfscfg">smb.conf with DFS Configured</a></dt><dt>21.1. <a href="classicalprinting.html#simpleprc">Simple Configuration with BSD Printing</a></dt><dt>21.2. <a href="classicalprinting.html#extbsdpr">Extended BSD Printing Configuration</a></dt><dt>21.3. <a href="classicalprinting.html#prtdollar">[print$] Example</a></dt><dt>22.1. <a href="CUPS-printing.html#cups-exam-simple">Simplest Printing-Related smb.conf</a></dt><dt>22.2. <a href="CUPS-printing.html#overridesettings">Overriding Global CUPS Settings for One Printer</a></dt><dt>22.3. <a href="CUPS-printing.html#cupsadd-ex">smb.conf for cupsaddsmb Usage</a></dt><dt>23.1. <a href="VFS.html#vfsrecyc">smb.conf with VFS modules</a></dt><dt>23.2. <a href="VFS.html#multimodule">smb.conf with multiple VFS modules</a></dt><dt>23.3. <a href="VFS.html#vfsshadow">Share With shadow_copy VFS</a></dt><dt>24.1. <a href="winbind.html#winbindcfg">smb.conf for Winbind Setup</a></dt><dt>25.1. <a href="AdvancedNetworkManagement.html#Tpees">Script to Enforce Single Resource Logon</a></dt><dt>30.1. <a href="unicode.html#vfscap-intl">VFS CAP</a></dt><dt>34.1. <a href="cfgsmarts.html#elastic">Elastic smb.conf File</a></dt><dt>34.2. <a href="cfgsmarts.html#cdserver">CDROM Server smb-cdserver.conf file</a></dt><dt>34.3. <a href="cfgsmarts.html#mastersmbc">Master smb.conf File Global Section</a></dt><dt>34.4. <a href="cfgsmarts.html#merlinsmbc">MERLIN smb-merlin.conf File Share Section</a></dt><dt>34.5. <a href="cfgsmarts.html#sauronsmbc">SAURON smb-sauron.conf File Share Section</a></dt><dt>38.1. <a href="diagnosis.html#tmpshare">smb.conf with [tmp] Share</a></dt><dt>38.2. <a href="diagnosis.html#modif1">Configuration for Allowing Connections Only from a Certain Subnet</a></dt><dt>38.3. <a href="diagnosis.html#modif2">Configuration for Allowing Connections from a Certain Subnet and localhost</a></dt><dt>43.1. <a href="Other-Clients.html#minimalprofile">Minimal Profile Share</a></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> About the Cover Artwork</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/install.html b/docs/htmldocs/Samba3-HOWTO/install.html new file mode 100644 index 0000000000..3c23e152f5 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/install.html @@ -0,0 +1,316 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. How to Install and Test SAMBA</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="prev" href="introduction.html" title="Part I. General Installation"><link rel="next" href="FastStart.html" title="Chapter 2. Fast Start: Cure for Impatience"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. How to Install and Test SAMBA</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="install"></a>Chapter 1. How to Install and Test SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Karl</span> <span class="surname">Auer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:kauer@biplane.com.au">kauer@biplane.com.au</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="install.html#id325669">Obtaining and Installing Samba</a></span></dt><dt><span class="sect1"><a href="install.html#id325710">Configuring Samba (smb.conf)</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id325753">Configuration File Syntax</a></span></dt><dt><span class="sect2"><a href="install.html#tdbdocs">TDB Database File Information</a></span></dt><dt><span class="sect2"><a href="install.html#id326670">Starting Samba</a></span></dt><dt><span class="sect2"><a href="install.html#id326850">Example Configuration</a></span></dt><dt><span class="sect2"><a href="install.html#id327272">SWAT</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id327325">List Shares Available on the Server</a></span></dt><dt><span class="sect1"><a href="install.html#id327375">Connect with a UNIX Client</a></span></dt><dt><span class="sect1"><a href="install.html#id327472">Connect from a Remote SMB Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id327550">What If Things Don't Work?</a></span></dt><dt><span class="sect2"><a href="install.html#id327587">Still Stuck?</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id327616">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id327626">Large Number of smbd Processes</a></span></dt><dt><span class="sect2"><a href="install.html#id327714">Error Message: open_oplock_ipc</a></span></dt><dt><span class="sect2"><a href="install.html#id327744">“<span class="quote"><span class="errorname">The network name cannot be found</span></span>”</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325669"></a>Obtaining and Installing Samba</h2></div></div></div><p> + <a class="indexterm" name="id325677"></a> + Binary packages of Samba are included in almost any Linux or UNIX distribution. There are also some + packages available at <a href="http://samba.org/" target="_top">the Samba home page</a>. Refer to the manual of your + operating system for details on installing packages for your specific operating system. + </p><p> + <a class="indexterm" name="id325695"></a> + If you need to compile Samba from source, check <a href="compiling.html" title="Chapter 41. How to Compile Samba">How to Compile Samba</a>. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325710"></a>Configuring Samba (smb.conf)</h2></div></div></div><p> + <a class="indexterm" name="id325718"></a> + <a class="indexterm" name="id325725"></a> + Samba's configuration is stored in the <code class="filename">smb.conf</code> file, which usually resides in + <code class="filename">/etc/samba/smb.conf</code> or <code class="filename">/usr/local/samba/lib/smb.conf</code>. You can either + edit this file yourself or do it using one of the many graphical tools that are available, such as the + Web-based interface SWAT, that is included with Samba. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id325753"></a>Configuration File Syntax</h3></div></div></div><p> + <a class="indexterm" name="id325761"></a> + The <code class="filename">smb.conf</code> file uses the same syntax as the various old <code class="filename">.ini</code> files in Windows + 3.1: Each file consists of various sections, which are started by putting the section name between brackets + (<code class="literal">[]</code>) on a new line. Each contains zero or more key/value pairs separated by an equality + sign (<code class="literal">=</code>). The file is just a plaintext file, so you can open and edit it with your favorite + editing tool. + </p><p> + <a class="indexterm" name="id325797"></a> + <a class="indexterm" name="id325804"></a> + <a class="indexterm" name="id325813"></a> + <a class="indexterm" name="id325820"></a> + <a class="indexterm" name="id325827"></a> + <a class="indexterm" name="id325836"></a> + Each section in the <code class="filename">smb.conf</code> file represents either a share or a meta-service on the Samba server. The + section <code class="literal">[global]</code> is special, since it contains settings that apply to the whole Samba + server. Samba supports a number of meta-services, each of which serves its own purpose. For example, the + <code class="literal">[homes]</code> share is a meta-service that causes Samba to provide a personal home share for + each user. The <code class="literal">[printers]</code> share is a meta-service that establishes print queue support + and that specifies the location of the intermediate spool directory into which print jobs are received + from Windows clients prior to being dispatched to the UNIX/Linux print spooler. + </p><p> +<a class="indexterm" name="id325877"></a> +<a class="indexterm" name="id325884"></a> +<a class="indexterm" name="id325891"></a> +<a class="indexterm" name="id325898"></a> +<a class="indexterm" name="id325904"></a> +<a class="indexterm" name="id325911"></a> + The <code class="literal">printers</code> meta-service will cause every printer that is either specified in a + <code class="literal">printcap</code> file, via the <code class="literal">lpstat</code>, or via the CUPS API, to be + published as a shared print queue. The <code class="literal">printers</code> stanza in the <code class="filename">smb.conf</code> file can + be set as not browseable. If it is set to be browseable, then it will be visible as if it is a share. + That makes no sense given that this meta-service is responsible only for making UNIX system printers + available as Windows print queues. If a <code class="literal">comment</code> parameter is specified, the value + of it will be displayed as part of the printer name in Windows Explorer browse lists. + </p><p> + <a class="indexterm" name="id325961"></a> + Each section of the <code class="filename">smb.conf</code> file that specifies a share, or a meta-service, is called a stanza. + The <code class="literal">global</code> stanza specifies settings that affect all the other stanzas in the + <code class="filename">smb.conf</code> file. Configuration parameters are documented in the <code class="filename">smb.conf</code> man page. Some parameters + can be used only in the <code class="literal">global</code> stanza, some only in share or meta-service stanzas, + and some can be used globally or just within a share or meta-service stanza. + </p><p> + <a class="indexterm" name="id326004"></a> + <a href="install.html#smbconfminimal" title="Example 1.1. A minimal smb.conf">A minimal smb.conf</a> contains a very minimal <code class="filename">smb.conf</code>. + <a class="indexterm" name="id326027"></a> + </p><div class="example"><a name="smbconfminimal"></a><p class="title"><b>Example 1.1. A minimal smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id326058"></a><em class="parameter"><code>workgroup = WKG</code></em></td></tr><tr><td><a class="indexterm" name="id326071"></a><em class="parameter"><code>netbios name = MYNAME</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share1]</code></em></td></tr><tr><td><a class="indexterm" name="id326092"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share2]</code></em></td></tr><tr><td><a class="indexterm" name="id326114"></a><em class="parameter"><code>path = /my_shared_folder</code></em></td></tr><tr><td><a class="indexterm" name="id326126"></a><em class="parameter"><code>comment = Some random files</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="tdbdocs"></a>TDB Database File Information</h3></div></div></div><p> + This section contains brief descriptions of the databases that are used by Samba-3. + </p><p> +<a class="indexterm" name="id326156"></a> + The directory in which Samba stores the tdb files is determined by compile-time directives. Samba-3 stores + tdb files in two locations. The best way to determine these locations is to execute the following + command: +</p><pre class="screen"> +<code class="prompt">root# </code> smbd -b | grep PRIVATE_DIR + PRIVATE_DIR: /etc/samba/private +</pre><p> + This means that the confidential tdb files are stored in the <code class="filename">/etc/samba/private</code> + directory. Samba-3 also uses a number of tdb files that contain more mundane data. The location of + these files can be found by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> smbd -b | grep LOCKDIR + LOCKDIR: /var/lib/samba +</pre><p> + Therefore the remaining control files will, in the example shown, be stored in the + <code class="filename">/var/lib/samba</code> directory. + </p><p> +<a class="indexterm" name="id326206"></a> + The persistent tdb files are described in <a href="install.html#tdbpermfiledesc" title="Table 1.1. Persistent TDB File Descriptions">the Persistent TDB File + Descriptions table</a>. All persistent tdb files should be regularly backed up. Use the + <code class="literal">tdbbackup</code> utility to backup the tdb files. All persistent tdb files must be + preserved during machine migrations, updates and upgrades. + </p><p> + The temporary tdb files do not need to be backed up, nor do they need to be preseved across machine + migrations, updates or upgrades. The temporary tdb files are described in <a href="install.html#tdbtempfiledesc" title="Table 1.2. Temporary TDB File Descriptions"> + the Temporary TDB File Descriptions</a>. + </p><div class="table"><a name="tdbpermfiledesc"></a><p class="title"><b>Table 1.1. Persistent TDB File Descriptions</b></p><div class="table-contents"><table summary="Persistent TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify"><p>Samba/NT account policy settings, includes password expiration settings.</p></td></tr><tr><td align="left">group_mapping</td><td align="justify"><p>Mapping table from Windows groups/SID to UNIX groups.</p></td></tr><tr><td align="left">ntdrivers</td><td align="justify"><p>Stores per-printer installed driver information.</p></td></tr><tr><td align="left">ntforms</td><td align="justify"><p>Stores per-printer installed forms information.</p></td></tr><tr><td align="left">ntprinters</td><td align="justify"><p>Stores the per-printer devmode configuration settings.</p></td></tr><tr><td align="left">passdb</td><td align="justify"><p> + Exists only when the tdbsam passwd backend is used. This file stores the + SambaSAMAccount information. Note: This file requires that user POSIX account information is + availble from either the /etc/passwd file, or from an alternative system source. + </p></td></tr><tr><td align="left">registry</td><td align="justify"><p> + Read-only Samba database of a Windows registry skeleton that provides support for exporting + various database tables via the winreg RPCs. + </p></td></tr><tr><td align="left">secrets</td><td align="justify"><p> + This file stores the Workgroup/Domain/Machine SID, the LDAP directory update password, and + a further collection of critical environmental data that is necessary for Samba to operate + correctly. This file contains very sensitive information that must be protected. It is stored + in the PRIVATE_DIR directory. + </p></td></tr><tr><td align="left">share_info</td><td align="justify"><p>Stores per-share ACL information.</p></td></tr><tr><td align="left">winbindd_idmap</td><td align="justify"><p>Winbindd's local IDMAP database.</p></td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="tdbtempfiledesc"></a><p class="title"><b>Table 1.2. Temporary TDB File Descriptions</b></p><div class="table-contents"><table summary="Temporary TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup</th></tr></thead><tbody><tr><td align="left">brlock</td><td align="justify"><p>Byte-range locking information.</p></td><td align="left">No</td></tr><tr><td align="left">connections</td><td align="justify"><p>A temporary cache for current connection information used to enforce max connections.</p></td><td align="left">no</td></tr><tr><td align="left">eventlog/*tdb</td><td align="justify"><p>Records of eventlog entries. In most circumstances this is just a cache of system logs.</p></td><td align="left">no</td></tr><tr><td align="left">gencache</td><td align="justify"><p>Generic caching database for dead WINS servers and trusted domain data.</p></td><td align="left">no</td></tr><tr><td align="left">login_cache</td><td align="justify"><p>A temporary cache for login information, in particular bad password attempts.</p></td><td align="left">no</td></tr><tr><td align="left">messages</td><td align="justify"><p>Temporary storage of messages being processed by smbd.</p></td><td align="left">no</td></tr><tr><td align="left">netsamlogon_cache</td><td align="justify"><p>Caches user net_info_3 structure data from net_samlogon requests (as a domain member).</p></td><td align="left">no</td></tr><tr><td align="left">perfmon/*.tdb</td><td align="justify"><p>Performance counter information.</p></td><td align="left">no</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from lpq command created on a per-print-service basis.</p></td><td align="left">no</td></tr><tr><td align="left">schannel_store</td><td align="justify"><p> + A confidential file, stored in the PRIVATE_DIR, containing crytographic connection + information so that clients that have temporarily disconnected can reconnect without + needing to renegotiate the connection setup process. + </p></td><td align="left">no</td></tr><tr><td align="left">sessionid</td><td align="justify"><p>Temporary cache for miscellaneous session information and for utmp handling.</p></td><td align="left">no</td></tr><tr><td align="left">unexpected</td><td align="justify"><p>Stores packets received for which no process is actively listening.</p></td><td align="left">no</td></tr><tr><td align="left">winbindd_cache</td><td align="justify"><p>Cache of Identity information received from an NT4 domain or from ADS. Includes user + lists, etc.</p></td><td align="left">yes</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id326670"></a>Starting Samba</h3></div></div></div><p> + <a class="indexterm" name="id326677"></a> + Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. + An example of a service is the Apache Web server for which the daemon is called <code class="literal">httpd</code>. In the case of Samba there + are three daemons, two of which are needed as a minimum. + </p><p> + The Samba server is made up of the following daemons: + </p><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p> + <a class="indexterm" name="id326708"></a> + <a class="indexterm" name="id326714"></a> + This daemon handles all name registration and resolution requests. It is the primary vehicle involved + in network browsing. It handles all UDP-based protocols. The <code class="literal">nmbd</code> daemon should + be the first command started as part of the Samba startup process. + </p></dd><dt><span class="term">smbd</span></dt><dd><p> + <a class="indexterm" name="id326742"></a> + <a class="indexterm" name="id326748"></a> + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also + manages local authentication. It should be started immediately following the startup of <code class="literal">nmbd</code>. + </p></dd><dt><span class="term">winbindd</span></dt><dd><p> + <a class="indexterm" name="id326775"></a> + <a class="indexterm" name="id326782"></a> + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when + Samba has trust relationships with another domain. The <code class="literal">winbindd</code> daemon will check the + <code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> + parameters. If they are are found, <code class="literal">winbindd</code> will use the values specified for + for UID and GID allocation. If these parameters are not specified, <code class="literal">winbindd</code> + will start but it will not be able to allocate UIDs or GIDs. + </p></dd></dl></div><p> + <a class="indexterm" name="id326836"></a> + When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its + integration into the platform as a whole. Please refer to your operating system platform administration manuals for + specific information pertaining to correct management of Samba startup. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id326850"></a>Example Configuration</h3></div></div></div><p> + <a class="indexterm" name="id326858"></a> + <a class="indexterm" name="id326865"></a> + <a class="indexterm" name="id326871"></a> + <a class="indexterm" name="id326878"></a> + <a class="indexterm" name="id326885"></a> + There are sample configuration files in the examples subdirectory in the source code distribution tarball + package. It is suggested you read them carefully so you can see how the options go together in practice. See + the man page for all the options. It might be worthwhile to start out with the + <code class="filename">smb.conf.default</code> configuration file and adapt it to your needs. It contains plenty of comments. + </p><p> + <a class="indexterm" name="id326904"></a> + The simplest useful configuration file would contain something like that shown in + <a href="install.html#simple-example" title="Example 1.2. Another simple smb.conf File">Another simple smb.conf File</a>. + <a class="indexterm" name="id326922"></a> + </p><div class="example"><a name="simple-example"></a><p class="title"><b>Example 1.2. Another simple smb.conf File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id326953"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id326974"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id326987"></a><em class="parameter"><code>read only = no</code></em></td></tr></table></div></div><br class="example-break"><p> + <a class="indexterm" name="id327003"></a> + <a class="indexterm" name="id327009"></a> + <a class="indexterm" name="id327016"></a> + <a class="indexterm" name="id327023"></a> + This will allow connections by anyone with an account on the server, using either + their login name or <em class="parameter"><code>homes</code></em> as the service name. + (Note: The workgroup that Samba should appear in must also be set. The default + workgroup name is WORKGROUP.) + </p><p> + <a class="indexterm" name="id327041"></a> + Make sure you put the <code class="filename">smb.conf</code> file in the correct place. Note, the correct location of this file + depends on how the binary files were built. You can discover the correct location by executing from + the directory that contains the <code class="literal">smbd</code> command file: +</p><pre class="screen"> +<code class="prompt">root# </code> smbd -b | grep smb.conf +</pre><p> + </p><p> + <a class="indexterm" name="id327077"></a> + For more information about security settings for the <em class="parameter"><code>[homes]</code></em> share, please refer to + <a href="securing-samba.html" title="Chapter 18. Securing Samba">Securing Samba</a>. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id327100"></a>Test Your Config File with <code class="literal">testparm</code></h4></div></div></div><p> + <a class="indexterm" name="id327113"></a> + <a class="indexterm" name="id327120"></a> + <a class="indexterm" name="id327126"></a> + It's important to validate the contents of the <code class="filename">smb.conf</code> file using the <span class="application">testparm</span> program. + If testparm runs correctly, it will list the loaded services. If not, it will give an error message. + Make sure it runs correctly and that the services look reasonable before proceeding. Enter the command: + </p><pre class="screen"> + <code class="prompt">root# </code> testparm /etc/samba/smb.conf + </pre><p> + Testparm will parse your configuration file and report any unknown parameters or incorrect syntax. + It also performs a check for common misconfigurations and will issue a warning if one is found. + </p><p> + Always run testparm again whenever the <code class="filename">smb.conf</code> file is changed! + </p><p> + <a class="indexterm" name="id327174"></a> + <a class="indexterm" name="id327180"></a> + <a class="indexterm" name="id327187"></a> + <a class="indexterm" name="id327194"></a> + The <code class="filename">smb.conf</code> file is constantly checked by the Samba daemons <code class="literal">smbd</code> and every instance of + itself that it spawns, <code class="literal">nmbd</code> and <code class="literal">winbindd</code>. It is good practice to + keep this file as small as possible. Many administrators prefer to document Samba configuration settings + and thus the need to keep this file small goes against good documentation wisdom. One solution that may + be adopted is to do all documentation and configuration in a file that has another name, such as + <code class="filename">smb.conf.master</code>. The <code class="literal">testparm</code> utility can be used to generate a + fully optimized <code class="filename">smb.conf</code> file from this master configuration and documtenation file as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf +</pre><p> + This administrative method makes it possible to maintain detailed configuration change records while at + the same time keeping the working <code class="filename">smb.conf</code> file size to the minimum necessary. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327272"></a>SWAT</h3></div></div></div><p> + <a class="indexterm" name="id327280"></a> + SWAT is a Web-based interface that can be used to facilitate the configuration of Samba. SWAT might not + be available in the Samba package that shipped with your platform, but in a separate package. If it is + necesaary to built SWAT please read the SWAT man page regarding compilation, installation, and + configuration of SWAT from the source code. + </p><p> + To launch SWAT, just run your favorite Web browser and point it to + <a href="http://localhost:901/" target="_top">http://localhost:901/</a>. + Replace <em class="replaceable"><code>localhost</code></em> with the name of the computer on which + Samba is running if that is a different computer than your browser. + </p><p> + SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote + machine leaves your connection open to password sniffing because passwords will be sent over the wire in the clear. + </p><p> + More information about SWAT can be found in <a href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool">The Samba Web Administration Tool</a>. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327325"></a>List Shares Available on the Server</h2></div></div></div><p> + To list shares that are available from the configured Samba server, execute the + following command: + </p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>smbclient -L <em class="replaceable"><code>yourhostname</code></em></code></strong> +</pre><p> + You should see a list of shares available on your server. If you do not, then + something is incorrectly configured. This method can also be used to see what shares + are available on other SMB servers, such as Windows 2000. + </p><p> + If you choose user-level security, you may find that Samba requests a password + before it will list the shares. See the <code class="literal">smbclient</code> man page for details. + You can force it to list the shares without a password by adding the option + <code class="option">-N</code> to the command line. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327375"></a>Connect with a UNIX Client</h2></div></div></div><p> + Enter the following command: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>smbclient <em class="replaceable"><code> //yourhostname/aservice</code></em></code></strong> +</pre><p>Typically <em class="replaceable"><code>yourhostname</code></em> is the name of the host on which <span class="application">smbd</span> + has been installed. The <em class="replaceable"><code>aservice</code></em> is any service that has been defined in the <code class="filename">smb.conf</code> + file. Try your username if you just have a <em class="parameter"><code>[homes]</code></em> section in the <code class="filename">smb.conf</code> file.</p><p>Example: If the UNIX host is called <em class="replaceable"><code>bambi</code></em> and a valid login name + is <em class="replaceable"><code>fred</code></em>, you would type:</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>smbclient //<em class="replaceable"><code>bambi</code></em>/<em class="replaceable"><code>fred</code></em></code></strong> +</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327472"></a>Connect from a Remote SMB Client</h2></div></div></div><p> + Now that Samba is working correctly locally, you can try to access it from other clients. Within a few + minutes, the Samba host should be listed in the Network Neighborhood on all Windows clients of its subnet. + Try browsing the server from another client or "mounting" it. + </p><p> + Mounting disks from a DOS, Windows, or OS/2 client can be done by running a command such as: +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>net use m: \\servername\service</code></strong> +</pre><p> + Where the drive letter m: is any available drive letter. It is important to double-check that the + service (share) name that you used does actually exist. + </p><p> + Try printing, for example, +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>net use lpt1: \\servername\spoolservice</code></strong> +</pre><p> + The <code class="literal">spoolservice</code> is the name of the printer (actually the print queue) on the target + server. This will permit all print jobs that are captured by the lpt1: port on the Windows client to + be sent to the printer that owns the spoolservice that has been specified. + </p><p> +</p><pre class="screen"><code class="prompt">C:\> </code><strong class="userinput"><code>print filename</code></strong> +</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327550"></a>What If Things Don't Work?</h3></div></div></div><p> + You might want to read <a href="diagnosis.html" title="Chapter 38. The Samba Checklist">The Samba Checklist</a>. If you are still + stuck, refer to <a href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems">Analyzing and Solving Samba Problems</a>. Samba has + been successfully installed at thousands of sites worldwide. It is unlikely that your particular problem is + unique, so it might be productive to perform an Internet search to see if someone else has encountered your + problem and has found a way to overcome it. + </p><p> + If you are new to Samba, and particularly if you are new to Windows networking, or to UNIX/Linux, + the book “<span class="quote">Samba-3 by Example</span>” will help you to create a validated network environment. + Simply choose from the first five chapters the network design that most closely matches site needs, + then follow the simple step-by-step procedure to deploy it. Later, when you have a working network + you may well want to refer back to this book for further insight into opportunities for improvement. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327587"></a>Still Stuck?</h3></div></div></div><p> + The best advice under the stress of abject frustration is to cool down! That may be challenging + of itself, but while you are angry or annoyed your ability to seek out a solution is somewhat + undermined. A cool head clears the way to finding the answer you are looking for. Just remember, + every problem has a solution there is a good chance that someone else has found it + even though you can't right now. That will change with time, patience and learning. + </p><p> + Now that you have cooled down a bit, please refer to <a href="diagnosis.html" title="Chapter 38. The Samba Checklist">the Samba Checklist</a> + for a process that can be followed to identify the cause of your problem. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id327616"></a>Common Errors</h2></div></div></div><p> +The following questions and issues are raised repeatedly on the Samba mailing list. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327626"></a>Large Number of smbd Processes</h3></div></div></div><p> + Samba consists of three core programs: <span class="application">nmbd</span>, <span class="application">smbd</span>, and <span class="application">winbindd</span>. <span class="application">nmbd</span> is the name server message daemon, + <span class="application">smbd</span> is the server message daemon, and <span class="application">winbindd</span> is the daemon that handles communication with domain controllers. + </p><p> + If Samba is <span class="emphasis"><em>not</em></span> running as a WINS server, then there will be one single instance of + <span class="application">nmbd</span> running on your system. If it is running as a WINS server, then there will be + two instances one to handle the WINS requests. + </p><p> + <span class="application">smbd</span> handles all connection requests. It spawns a new process for each client + connection made. That is why you may see so many of them, one per client connection. + </p><p> + <span class="application">winbindd</span> will run as one or two daemons, depending on whether or not it is being + run in <span class="emphasis"><em>split mode</em></span> (in which case there will be two instances). + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327714"></a>Error Message: open_oplock_ipc</h3></div></div></div><p> + An error message is observed in the log files when <span class="application">smbd</span> is started: “<span class="quote">open_oplock_ipc: Failed to + get local UDP socket for address 100007f. Error was Cannot assign requested.</span>” + </p><p> + Your loopback device isn't working correctly. Make sure it is configured correctly. The loopback + device is an internal (virtual) network device with the IP address <span class="emphasis"><em>127.0.0.1</em></span>. + Read your OS documentation for details on how to configure the loopback on your system. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id327744"></a>“<span class="quote"><span class="errorname">The network name cannot be found</span></span>”</h3></div></div></div><p> + This error can be caused by one of these misconfigurations: + </p><div class="itemizedlist"><ul type="disc"><li><p>You specified a nonexisting path + for the share in <code class="filename">smb.conf</code>.</p></li><li><p>The user you are trying to access the share with does not + have sufficient permissions to access the path for + the share. Both read (r) and access (x) should be possible.</p></li><li><p>The share you are trying to access does not exist.</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. Fast Start: Cure for Impatience</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html b/docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html new file mode 100644 index 0000000000..1213067060 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html @@ -0,0 +1,461 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. Integrating MS Windows Networks with Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication"><link rel="next" href="unicode.html" title="Chapter 30. Unicode/Charsets"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. Integrating MS Windows Networks with Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="integrate-ms-networks"></a>Chapter 29. Integrating MS Windows Networks with Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate"> (Jan 01 2001) </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="integrate-ms-networks.html#id432559">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id432576">Background Information</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id432695">Name Resolution in a Pure UNIX/Linux World</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id432767"><code class="filename">/etc/hosts</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432923"><code class="filename">/etc/resolv.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432956"><code class="filename">/etc/host.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433004"><code class="filename">/etc/nsswitch.conf</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433586">The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433711">HOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433736">DNS Lookup</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433763">WINS Lookup</a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id433898">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id433909">Pinging Works Only One Way</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433936">Very Slow Network Connections</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433974">Samba Server Name-Change Problem</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id432523"></a> +This chapter deals with NetBIOS over TCP/IP name to IP address resolution. If +your MS Windows clients are not configured to use NetBIOS over TCP/IP, then this +section does not apply to your installation. If your installation involves the use of +NetBIOS over TCP/IP, then this chapter may help you to resolve networking problems. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id432538"></a> +<a class="indexterm" name="id432544"></a> +NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS +over Logical Link Control (LLC). On modern networks it is highly advised +to not run NetBEUI at all. Note also that there is no such thing as +NetBEUI over TCP/IP the existence of such a protocol is a complete +and utter misapprehension. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432559"></a>Features and Benefits</h2></div></div></div><p> +Many MS Windows network administrators have never been exposed to basic TCP/IP +networking as it is implemented in a UNIX/Linux operating system. Likewise, many UNIX and +Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP-based +networking (and may have no desire to be, either). +</p><p> +This chapter gives a short introduction to the basics of how a name can be resolved to +its IP address for each operating system environment. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432576"></a>Background Information</h2></div></div></div><p> +<a class="indexterm" name="id432584"></a> +<a class="indexterm" name="id432590"></a> +<a class="indexterm" name="id432597"></a> +<a class="indexterm" name="id432604"></a> +<a class="indexterm" name="id432611"></a> +Since the introduction of MS Windows 2000, it is possible to run MS Windows networking +without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS +name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over +TCP/IP is disabled on MS Windows 2000 and later clients, then only the TCP port 445 is +used, and the UDP port 137 and TCP port 139 are not. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +When using Windows 2000 or later clients, if NetBIOS over TCP/IP is not disabled, then +the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet +Name Service, or WINS), TCP port 139, and TCP port 445 (for actual file and print traffic). +</p></div><p> +<a class="indexterm" name="id432633"></a> +<a class="indexterm" name="id432640"></a> +<a class="indexterm" name="id432646"></a> +<a class="indexterm" name="id432653"></a> +<a class="indexterm" name="id432660"></a> +<a class="indexterm" name="id432667"></a> +When NetBIOS over TCP/IP is disabled, the use of DNS is essential. Most installations that disable NetBIOS +over TCP/IP today use MS Active Directory Service (ADS). ADS requires +<a class="indexterm" name="id432675"></a> dynamic DNS with Service Resource +Records (SRV RR) and with Incremental Zone Transfers (IXFR). <a class="indexterm" name="id432685"></a> +Use of DHCP with ADS is recommended as a further means of maintaining central control over the client +workstation network configuration. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432695"></a>Name Resolution in a Pure UNIX/Linux World</h2></div></div></div><p> +The key configuration files covered in this section are: +</p><a class="indexterm" name="id432705"></a><a class="indexterm" name="id432712"></a><a class="indexterm" name="id432718"></a><a class="indexterm" name="id432725"></a><div class="itemizedlist"><ul type="disc"><li><p><code class="filename">/etc/hosts</code></p></li><li><p><code class="filename">/etc/resolv.conf</code></p></li><li><p><code class="filename">/etc/host.conf</code></p></li><li><p><code class="filename">/etc/nsswitch.conf</code></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id432767"></a><code class="filename">/etc/hosts</code></h3></div></div></div><p> +This file contains a static list of IP addresses and names. +</p><pre class="programlisting"> +127.0.0.1 localhost localhost.localdomain +192.168.1.1 bigbox.quenya.org bigbox alias4box +</pre><p> +</p><p> +<a class="indexterm" name="id432788"></a> +<a class="indexterm" name="id432795"></a> +The purpose of <code class="filename">/etc/hosts</code> is to provide a +name resolution mechanism so users do not need to remember +IP addresses. +</p><p> +<a class="indexterm" name="id432812"></a> +<a class="indexterm" name="id432819"></a> +<a class="indexterm" name="id432825"></a> +Network packets that are sent over the physical network transport +layer communicate not via IP addresses but rather using the Media +Access Control address, or MAC address. IP addresses are currently +32 bits in length and are typically presented as four decimal +numbers that are separated by a dot (or period) for example, 168.192.1.1. +</p><p> +<a class="indexterm" name="id432842"></a> +MAC addresses use 48 bits (or 6 bytes) and are typically represented +as two-digit hexadecimal numbers separated by colons: 40:8e:0a:12:34:56. +</p><p> +Every network interface must have a MAC address. Associated with a MAC address may be one or more IP +addresses. There is no relationship between an IP address and a MAC address; all such assignments are +arbitrary or discretionary in nature. At the most basic level, all network communications take place using MAC +addressing. Since MAC addresses must be globally unique and generally remain fixed for any particular +interface, the assignment of an IP address makes sense from a network management perspective. More than one IP +address can be assigned per MAC address. One address must be the primary IP address this is the +address that will be returned in the Address Resolution Protocol (ARP) reply. +</p><p> +<a class="indexterm" name="id432864"></a> +When a user or a process wants to communicate with another machine, +the protocol implementation ensures that the “<span class="quote">machine name</span>” or “<span class="quote">host +name</span>” is resolved to an IP address in a manner that is controlled +by the TCP/IP configuration control files. The file +<code class="filename">/etc/hosts</code> is one such file. +</p><p> +<a class="indexterm" name="id432890"></a> +When the IP address of the destination interface has been determined, a protocol called ARP/RARP is used to +identify the MAC address of the target interface. ARP is a broadcast-oriented method that uses User Datagram +Protocol (UDP) to send a request to all interfaces on the local network segment using the all 1s MAC address. +Network interfaces are programmed to respond to two MAC addresses only; their own unique address and the +address ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will contain the MAC address and the primary +IP address for each interface. +</p><p> +<a class="indexterm" name="id432904"></a> +The <code class="filename">/etc/hosts</code> file is foundational to all +UNIX/Linux TCP/IP installations and as a minimum will contain +the localhost and local network interface IP addresses and the +primary names by which they are known within the local machine. +This file helps to prime the pump so a basic level of name +resolution can exist before any other method of name resolution +becomes available. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id432923"></a><code class="filename">/etc/resolv.conf</code></h3></div></div></div><p> +This file tells the name resolution libraries: +</p><div class="itemizedlist"><ul type="disc"><li><p>The name of the domain to which the machine + belongs. + </p></li><li><p>The name(s) of any domains that should be + automatically searched when trying to resolve unqualified + host names to their IP address. + </p></li><li><p>The name or IP address of available domain + name servers that may be asked to perform name-to-address + translation lookups. + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id432956"></a><code class="filename">/etc/host.conf</code></h3></div></div></div><p> +<a class="indexterm" name="id432967"></a> +<code class="filename">/etc/host.conf</code> is the primary means by which the setting in +<code class="filename">/etc/resolv.conf</code> may be effected. It is a critical configuration file. This file controls +the order by which name resolution may proceed. The typical structure is: +</p><pre class="programlisting"> +order hosts,bind +multi on +</pre><p>Both addresses should be returned. Please refer to the +man page for <code class="filename">host.conf</code> for further details. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433004"></a><code class="filename">/etc/nsswitch.conf</code></h3></div></div></div><p> +<a class="indexterm" name="id433015"></a> +This file controls the actual name resolution targets. The +file typically has resolver object specifications as follows: +</p><pre class="programlisting"> +# /etc/nsswitch.conf +# +# Name Service Switch configuration file. +# + +passwd: compat +# Alternative entries for password authentication are: +# passwd: compat files nis ldap winbind +shadow: compat +group: compat + +hosts: files nis dns +# Alternative entries for host name resolution are: +# hosts: files dns nis nis+ hesiod db compat ldap wins +networks: nis files dns + +ethers: nis files +protocols: nis files +rpc: nis files +services: nis files +</pre><p> +Of course, each of these mechanisms requires that the appropriate +facilities and/or services are correctly configured. +</p><p> +It should be noted that unless a network request/message must be +sent, TCP/IP networks are silent. All TCP/IP communications assume a +principal of speaking only when necessary. +</p><p> +<a class="indexterm" name="id433043"></a> +<a class="indexterm" name="id433050"></a> +<a class="indexterm" name="id433057"></a> +<a class="indexterm" name="id433064"></a> +<a class="indexterm" name="id433070"></a> +Starting with version 2.2.0, Samba has Linux support for extensions to +the name service switch infrastructure so Linux clients will +be able to obtain resolution of MS Windows NetBIOS names to IP +addresses. To gain this functionality, Samba needs to be compiled +with appropriate arguments to the make command (i.e., <strong class="userinput"><code>make +nsswitch/libnss_wins.so</code></strong>). The resulting library should +then be installed in the <code class="filename">/lib</code> directory, and +the <em class="parameter"><code>wins</code></em> parameter needs to be added to the “<span class="quote">hosts:</span>” line in +the <code class="filename">/etc/nsswitch.conf</code> file. At this point, it +will be possible to ping any MS Windows machine by its NetBIOS +machine name, as long as that machine is within the workgroup to +which both the Samba machine and the MS Windows machine belong. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id433113"></a>Name Resolution as Used within MS Windows Networking</h2></div></div></div><p> +<a class="indexterm" name="id433121"></a> +<a class="indexterm" name="id433128"></a> +<a class="indexterm" name="id433135"></a> +<a class="indexterm" name="id433142"></a> +MS Windows networking is predicated on the name each machine is given. This name is known variously (and +inconsistently) as the “<span class="quote">computer name,</span>” “<span class="quote">machine name,</span>” “<span class="quote">networking +name,</span>” “<span class="quote">NetBIOS name,</span>” or “<span class="quote">SMB name.</span>” All terms mean the same thing with the +exception of “<span class="quote">NetBIOS name,</span>” which can also apply to the name of the workgroup or the domain +name. The terms “<span class="quote">workgroup</span>” and “<span class="quote">domain</span>” are really just a simple name with which +the machine is associated. All NetBIOS names are exactly 16 characters in length. The +16<sup>th</sup> character is reserved. It is used to store a 1-byte value that indicates +service level information for the NetBIOS name that is registered. A NetBIOS machine name is therefore +registered for each service type that is provided by the client/server. +</p><p> +<a href="integrate-ms-networks.html#uniqnetbiosnames" title="Table 29.1. Unique NetBIOS Names">Unique NetBIOS names</a> and <a href="integrate-ms-networks.html#netbiosnamesgrp" title="Table 29.2. Group Names">group names</a> tables +list typical NetBIOS name/service type registrations. +</p><div class="table"><a name="uniqnetbiosnames"></a><p class="title"><b>Table 29.1. Unique NetBIOS Names</b></p><div class="table-contents"><table summary="Unique NetBIOS Names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">MACHINENAME<00></td><td align="justify">Server Service is running on MACHINENAME</td></tr><tr><td align="left">MACHINENAME<03></td><td align="justify">Generic machine name (NetBIOS name)</td></tr><tr><td align="left">MACHINENAME<20></td><td align="justify">LanMan server service is running on MACHINENAME</td></tr><tr><td align="left">WORKGROUP<1b></td><td align="justify">Domain master browser</td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="netbiosnamesgrp"></a><p class="title"><b>Table 29.2. Group Names</b></p><div class="table-contents"><table summary="Group Names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">WORKGROUP<03></td><td align="justify">Generic name registered by all members of WORKGROUP</td></tr><tr><td align="left">WORKGROUP<1c></td><td align="justify">Domain cntrollers/netlogon servers</td></tr><tr><td align="left">WORKGROUP<1d></td><td align="justify">Local master browsers</td></tr><tr><td align="left">WORKGROUP<1e></td><td align="justify">Browser election service</td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="id433323"></a> +It should be noted that all NetBIOS machines register their own +names as per <a href="integrate-ms-networks.html#uniqnetbiosnames" title="Table 29.1. Unique NetBIOS Names">Unique NetBIOS names</a> and <a href="integrate-ms-networks.html#netbiosnamesgrp" title="Table 29.2. Group Names">group names</a>. This is in vast contrast to TCP/IP +installations where the system administrator traditionally +determines in the <code class="filename">/etc/hosts</code> or in the DNS database what names +are associated with each IP address. +</p><p> +<a class="indexterm" name="id433355"></a> +<a class="indexterm" name="id433362"></a> +<a class="indexterm" name="id433369"></a> +One further point of clarification should be noted. The <code class="filename">/etc/hosts</code> +file and the DNS records do not provide the NetBIOS name information +that MS Windows clients depend on to locate the type of service that may +be needed. An example of this is what happens when an MS Windows client +wants to locate a domain logon server. It finds this service and the IP +address of a server that provides it by performing a lookup (via a +NetBIOS broadcast) for enumeration of all machines that have +registered the name type *<1C>. A logon request is then sent to each +IP address that is returned in the enumerated list of IP addresses. +Whichever machine first replies, it then ends up providing the logon services. +</p><p> +<a class="indexterm" name="id433393"></a> +<a class="indexterm" name="id433399"></a> +The name “<span class="quote">workgroup</span>” or “<span class="quote">domain</span>” really can be confusing, since these +have the added significance of indicating what is the security +architecture of the MS Windows network. The term “<span class="quote">workgroup</span>” indicates +that the primary nature of the network environment is that of a +peer-to-peer design. In a workgroup, all machines are responsible for +their own security, and generally such security is limited to the use of +just a password (known as share-level security). In most situations +with peer-to-peer networking, the users who control their own machines +will simply opt to have no security at all. It is possible to have +user-level security in a workgroup environment, thus requiring the use +of a username and a matching password. +</p><p> +<a class="indexterm" name="id433426"></a> +<a class="indexterm" name="id433433"></a> +<a class="indexterm" name="id433442"></a> +<a class="indexterm" name="id433451"></a> +<a class="indexterm" name="id433461"></a> +<a class="indexterm" name="id433470"></a> +<a class="indexterm" name="id433476"></a> +<a class="indexterm" name="id433483"></a> +MS Windows networking is thus predetermined to use machine names +for all local and remote machine message passing. The protocol used is +called Server Message Block (SMB), and this is implemented using +the NetBIOS protocol (Network Basic Input/Output System). NetBIOS can +be encapsulated using LLC (Logical Link Control) protocol in which case +the resulting protocol is called NetBEUI (Network Basic Extended User +Interface). NetBIOS can also be run over IPX (Internetworking Packet +Exchange) protocol as used by Novell NetWare, and it can be run +over TCP/IP protocols in which case the resulting protocol is called +NBT or NetBT, the NetBIOS over TCP/IP. +</p><p> +MS Windows machines use a complex array of name resolution mechanisms. +Since we are primarily concerned with TCP/IP, this demonstration is +limited to this area. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433506"></a>The NetBIOS Name Cache</h3></div></div></div><p> +<a class="indexterm" name="id433514"></a> +<a class="indexterm" name="id433521"></a> +<a class="indexterm" name="id433528"></a> +All MS Windows machines employ an in-memory buffer in which is +stored the NetBIOS names and IP addresses for all external +machines that machine has communicated with over the +past 10 to 15 minutes. It is more efficient to obtain an IP address +for a machine from the local cache than it is to go through all the +configured name resolution mechanisms. +</p><p> +<a class="indexterm" name="id433539"></a> +If a machine whose name is in the local name cache is shut +down before the name is expired and flushed from the cache, then +an attempt to exchange a message with that machine will be subject +to timeout delays. Its name is in the cache, so a name resolution +lookup will succeed, but the machine cannot respond. This can be +frustrating for users but is a characteristic of the protocol. +</p><p> +<a class="indexterm" name="id433553"></a> +<a class="indexterm" name="id433560"></a> +<a class="indexterm" name="id433566"></a> +The MS Windows utility that allows examination of the NetBIOS +name cache is called “<span class="quote">nbtstat.</span>” The Samba equivalent +is called <code class="literal">nmblookup</code>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433586"></a>The LMHOSTS File</h3></div></div></div><p> +<a class="indexterm" name="id433593"></a> +This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in the directory +<code class="filename">%SystemRoot%\SYSTEM32\DRIVERS\ETC</code> and contains the IP address +and the machine name in matched pairs. The <code class="filename">LMHOSTS</code> file +performs NetBIOS name to IP address mapping. +</p><p> +It typically looks like this: +</p><pre class="programlisting"> +# Copyright (c) 1998 Microsoft Corp. +# +# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS +# over TCP/IP) stack for Windows98 +# +# This file contains the mappings of IP addresses to NT computer names +# (NetBIOS) names. Each entry should be kept on an individual line. +# The IP address should be placed in the first column followed by the +# corresponding computer name. The address and the computer name +# should be separated by at least one space or tab. The "#" character +# is generally used to denote the start of a comment (see the exceptions +# below). +# +# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts +# files and offers the following extensions: +# +# #PRE +# #DOM:<domain> +# #INCLUDE <filename> +# #BEGIN_ALTERNATE +# #END_ALTERNATE +# \0xnn (non-printing character support) +# +# Following any entry in the file with the characters "#PRE" will cause +# the entry to be preloaded into the name cache. By default, entries are +# not preloaded, but are parsed only after dynamic name resolution fails. +# +# Following an entry with the "#DOM:<domain>" tag will associate the +# entry with the domain specified by <domain>. This effects how the +# browser and logon services behave in TCP/IP environments. To preload +# the host name associated with #DOM entry, it is necessary to also add a +# #PRE to the line. The <domain> is always pre-loaded although it will not +# be shown when the name cache is viewed. +# +# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT) +# software to seek the specified <filename> and parse it as if it were +# local. <filename> is generally a UNC-based name, allowing a +# centralized lmhosts file to be maintained on a server. +# It is ALWAYS necessary to provide a mapping for the IP address of the +# server prior to the #INCLUDE. This mapping must use the #PRE directive. +# In addition the share "public" in the example below must be in the +# LanMan Server list of "NullSessionShares" in order for client machines to +# be able to read the lmhosts file successfully. This key is under +# \machine\system\currentcontrolset\services\lanmanserver\ +# parameters\nullsessionshares +# in the registry. Simply add "public" to the list found there. +# +# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE +# statements to be grouped together. Any single successful include +# will cause the group to succeed. +# +# Finally, non-printing characters can be embedded in mappings by +# first surrounding the NetBIOS name in quotations, then using the +# \0xnn notation to specify a hex value for a non-printing character. +# +# The following example illustrates all of these extensions: +# +# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC +# 102.54.94.102 "appname \0x14" #special app server +# 102.54.94.123 popular #PRE #source server +# 102.54.94.117 localsrv #PRE #needed for the include +# +# #BEGIN_ALTERNATE +# #INCLUDE \\localsrv\public\lmhosts +# #INCLUDE \\rhino\public\lmhosts +# #END_ALTERNATE +# +# In the above example, the "appname" server contains a special +# character in its name, the "popular" and "localsrv" server names are +# pre-loaded, and the "rhino" server name is specified so it can be used +# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" +# system is unavailable. +# +# Note that the whole file is parsed including comments on each lookup, +# so keeping the number of comments to a minimum will improve performance. +# Therefore it is not advisable to simply add lmhosts file entries onto the +# end of this file. +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433711"></a>HOSTS File</h3></div></div></div><p> +This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in +the directory <code class="filename">%SystemRoot%\SYSTEM32\DRIVERS\ETC</code> and contains +the IP address and the IP hostname in matched pairs. It can be +used by the name resolution infrastructure in MS Windows, depending +on how the TCP/IP environment is configured. This file is in +every way the equivalent of the UNIX/Linux <code class="filename">/etc/hosts</code> file. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433736"></a>DNS Lookup</h3></div></div></div><p> +<a class="indexterm" name="id433744"></a> +This capability is configured in the TCP/IP setup area in the network +configuration facility. If enabled, an elaborate name resolution sequence +is followed, the precise nature of which is dependent on how the NetBIOS +Node Type parameter is configured. A Node Type of 0 means that +NetBIOS broadcast (over UDP broadcast) is used if the name +that is the subject of a name lookup is not found in the NetBIOS name +cache. If that fails, then DNS, HOSTS, and LMHOSTS are checked. If set to +Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the +WINS server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast +lookup is used. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433763"></a>WINS Lookup</h3></div></div></div><p> +<a class="indexterm" name="id433771"></a> +<a class="indexterm" name="id433778"></a> +<a class="indexterm" name="id433787"></a> +A WINS (Windows Internet Name Server) service is the equivalent of the +rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores +the names and IP addresses that are registered by a Windows client +if the TCP/IP setup has been given at least one WINS server IP address. +</p><p> +To configure Samba to be a WINS server, the following parameter needs +to be added to the <code class="filename">smb.conf</code> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id433817"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr></table><p> +<a class="indexterm" name="id433831"></a> +To configure Samba to use a WINS server, the following parameters are +needed in the <code class="filename">smb.conf</code> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id433853"></a><em class="parameter"><code>wins support = No</code></em></td></tr><tr><td><a class="indexterm" name="id433865"></a><em class="parameter"><code>wins server = xxx.xxx.xxx.xxx</code></em></td></tr></table><p> +where <em class="replaceable"><code>xxx.xxx.xxx.xxx</code></em> is the IP address +of the WINS server. +</p><p>For information about setting up Samba as a WINS server, read +<a href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a>.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id433898"></a>Common Errors</h2></div></div></div><p> +TCP/IP network configuration problems find every network administrator sooner or later. +The cause can be anything from keyboard mishaps to forgetfulness to simple mistakes to +carelessness. Of course, no one is ever deliberately careless! +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433909"></a>Pinging Works Only One Way</h3></div></div></div><p> + “<span class="quote">I can ping my Samba server from Windows, but I cannot ping my Windows + machine from the Samba server.</span>” + </p><p> + The Windows machine was at IP address 192.168.1.2 with netmask 255.255.255.0, the + Samba server (Linux) was at IP address 192.168.1.130 with netmask 255.255.255.128. + The machines were on a local network with no external connections. + </p><p> + Due to inconsistent netmasks, the Windows machine was on network 192.168.1.0/24, while + the Samba server was on network 192.168.1.128/25 logically a different network. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433936"></a>Very Slow Network Connections</h3></div></div></div><p> + A common cause of slow network response includes: + </p><div class="itemizedlist"><ul type="disc"><li><p>Client is configured to use DNS and the DNS server is down.</p></li><li><p>Client is configured to use remote DNS server, but the + remote connection is down.</p></li><li><p>Client is configured to use a WINS server, but there is no WINS server.</p></li><li><p>Client is not configured to use a WINS server, but there is a WINS server.</p></li><li><p>Firewall is filtering out DNS or WINS traffic.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id433974"></a>Samba Server Name-Change Problem</h3></div></div></div><p> + “<span class="quote">The name of the Samba server was changed, Samba was restarted, and now the Samba server cannot be + pinged by its new name from an MS Windows NT4 workstation, but it does still respond to pinging using + the old name. Why?</span>” + </p><p> + From this description, three things are obvious: + </p><div class="itemizedlist"><ul type="disc"><li><p>WINS is not in use; only broadcast-based name resolution is used.</p></li><li><p>The Samba server was renamed and restarted within the last 10 or 15 minutes.</p></li><li><p>The old Samba server name is still in the NetBIOS name cache on the MS Windows NT4 workstation.</p></li></ul></div><p> + To find what names are present in the NetBIOS name cache on the MS Windows NT4 machine, + open a <code class="literal">cmd</code> shell and then: + </p><p> +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>nbtstat -n</code></strong> + + NetBIOS Local Name Table + + Name Type Status +------------------------------------------------ +FRODO <03> UNIQUE Registered +ADMINISTRATOR <03> UNIQUE Registered +FRODO <00> UNIQUE Registered +SARDON <00> GROUP Registered +FRODO <20> UNIQUE Registered +FRODO <1F> UNIQUE Registered + + +<code class="prompt">C:\> </code>nbtstat -c + + NetBIOS Remote Cache Name Table + + Name Type Host Address Life [sec] +-------------------------------------------------------------- +GANDALF <20> UNIQUE 192.168.1.1 240 + +<code class="prompt">C:\> </code> +</pre><p> + </p><p> + In this example, GANDALF is the Samba server and FRODO is the MS Windows NT4 workstation. + The first listing shows the contents of the Local Name Table (i.e., identity information on + the MS Windows workstation), and the second shows the NetBIOS name in the NetBIOS name cache. + The name cache contains the remote machines known to this workstation. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 28. PAM-Based Distributed Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Unicode/Charsets</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/introduction.html b/docs/htmldocs/Samba3-HOWTO/introduction.html new file mode 100644 index 0000000000..6da1ad8e50 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/introduction.html @@ -0,0 +1,5 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. General Installation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="IntroSMB.html" title="Introduction"><link rel="next" href="install.html" title="Chapter 1. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. General Installation</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="introduction"></a>Part I. General Installation</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id325524"></a>Preparing Samba for Configuration</h1></div></div></div><p> +This section of the Samba-HOWTO-Collection contains general info on how to install Samba +and how to configure the parts of Samba you will most likely need. +PLEASE read this. +</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="install.html">1. How to Install and Test SAMBA</a></span></dt><dd><dl><dt><span class="sect1"><a href="install.html#id325669">Obtaining and Installing Samba</a></span></dt><dt><span class="sect1"><a href="install.html#id325710">Configuring Samba (smb.conf)</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id325753">Configuration File Syntax</a></span></dt><dt><span class="sect2"><a href="install.html#tdbdocs">TDB Database File Information</a></span></dt><dt><span class="sect2"><a href="install.html#id326670">Starting Samba</a></span></dt><dt><span class="sect2"><a href="install.html#id326850">Example Configuration</a></span></dt><dt><span class="sect2"><a href="install.html#id327272">SWAT</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id327325">List Shares Available on the Server</a></span></dt><dt><span class="sect1"><a href="install.html#id327375">Connect with a UNIX Client</a></span></dt><dt><span class="sect1"><a href="install.html#id327472">Connect from a Remote SMB Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id327550">What If Things Don't Work?</a></span></dt><dt><span class="sect2"><a href="install.html#id327587">Still Stuck?</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id327616">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id327626">Large Number of smbd Processes</a></span></dt><dt><span class="sect2"><a href="install.html#id327714">Error Message: open_oplock_ipc</a></span></dt><dt><span class="sect2"><a href="install.html#id327744">“<span class="quote"><span class="errorname">The network name cannot be found</span></span>”</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="FastStart.html">2. Fast Start: Cure for Impatience</a></span></dt><dd><dl><dt><span class="sect1"><a href="FastStart.html#id327874">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id327893">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id327959">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id327975">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id329828">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id330741">Domain Controller</a></span></dt></dl></dd></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Introduction </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. How to Install and Test SAMBA</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/ix01.html b/docs/htmldocs/Samba3-HOWTO/ix01.html new file mode 100644 index 0000000000..9cf1304e11 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ix01.html @@ -0,0 +1,9 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id456908"></a>Index</h2></div></div></div><div class="index"><div class="indexdiv"><h3>Symbols</h3><dl><dt>"Printers" folder, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a>, <a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></dt><dt>$, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>%i macro, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>%L, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>%PDF, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>%SystemRoot%\System32\config, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>../source/nsswitch, <a href="winbind.html#id422211">Configure Winbind and PAM</a></dt><dt>.ai, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>.AppleDouble, <a href="VFS.html#id417705">netatalk</a></dt><dt>.eps, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>.pdf, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>.PDS extension, <a href="ProfileMgmt.html#id427016">Windows NT4 Workstation</a></dt><dt>.profiles, <a href="ProfileMgmt.html#id425965">Windows 9x/Me User Profiles</a></dt><dt>.ps, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>.recycle, <a href="VFS.html#id417334">recycle</a></dt><dt>/bin/false, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>/dev/null, <a href="rights.html">User Rights and Privileges</a></dt><dt>/dev/shadowvol, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>/etc/cups/, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>/etc/cups/mime.convs, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a href="CUPS-printing.html#cups-raw">Explicitly Enable “raw” Printing for application/octet-stream</a>, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a>, <a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></dt><dt>/etc/cups/mime.types, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a href="CUPS-printing.html#cups-raw">Explicitly Enable “raw” Printing for application/octet-stream</a>, <a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></dt><dt>/etc/fstab, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>/etc/group, <a href="ServerType.html#id333519">Share-Level Security</a>, <a href="groupmapping.html#id367529">Discussion</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="groupmapping.html#id369332">Sample smb.conf Add Group Script</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="Portability.html#id451523">HPUX</a></dt><dt>/etc/groups, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>/etc/host.conf, <a href="integrate-ms-networks.html#id432695">Name Resolution in a Pure UNIX/Linux World</a>, <a href="integrate-ms-networks.html#id432956">/etc/host.conf</a></dt><dt>/etc/hosts, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="integrate-ms-networks.html#id432695">Name Resolution in a Pure UNIX/Linux World</a>, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>/etc/hosts>, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a></dt><dt>/etc/inetd.conf, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a>, <a href="compiling.html#id450957">Starting from inetd.conf</a></dt><dt>/etc/init.d/samba, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="winbind.html#id421865">Linux</a></dt><dt>/etc/init.d/samba.server, <a href="winbind.html#id422049">Solaris</a></dt><dt>/etc/init.d/smb, <a href="winbind.html#id421865">Linux</a></dt><dt>/etc/krb5.conf, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#id346082">Possible Errors</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>/etc/ldap.conf, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>/etc/logingroup, <a href="Portability.html#id451523">HPUX</a></dt><dt>/etc/mime.conv, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>/etc/mime.types, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>/etc/nsswitch.conf, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="winbind.html#id419814">Name Service Switch</a>, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a href="integrate-ms-networks.html#id432695">Name Resolution in a Pure UNIX/Linux World</a>, <a href="integrate-ms-networks.html#id433004">/etc/nsswitch.conf</a></dt><dt>/etc/openldap/slapd.conf, <a href="FastStart.html#id331703">The Primary Domain Controller</a></dt><dt>/etc/openldap/sldap.conf, <a href="passdb.html#id365886">Accounts and Groups Management</a></dt><dt>/etc/pam.conf, <a href="winbind.html#id422679">Solaris-Specific Configuration</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="pam.html#id430534">Technical Discussion</a>, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>/etc/pam.d, <a href="winbind.html#id420404">Requirements</a>, <a href="winbind.html#id420546">Testing Things Out</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>/etc/pam.d/, <a href="winbind.html#id420026">Pluggable Authentication Modules</a>, <a href="pam.html#id430534">Technical Discussion</a></dt><dt>/etc/pam.d/ftp, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/pam.d/login, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/pam.d/samba, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/passwd, <a href="ServerType.html#id333519">Share-Level Security</a>, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="samba-pdc.html#id338784">“$” Cannot Be Included in Machine Name</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a>, <a href="StandAloneServer.html#id347134">Background</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a>, <a href="passdb.html#id364023">Plaintext</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>/etc/printcap, <a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a></dt><dt>/etc/resolv.conf, <a href="integrate-ms-networks.html#id432695">Name Resolution in a Pure UNIX/Linux World</a>, <a href="diagnosis.html#id446194">Assumptions</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>/etc/samba, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>/etc/samba/scripts, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a></dt><dt>/etc/samba/secrets.tdb, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>/etc/samba/smb.conf, <a href="install.html#id325710">Configuring Samba (smb.conf)</a></dt><dt>/etc/samba/smbpasswd, <a href="passdb.html#id364023">Plaintext</a></dt><dt>/etc/samba/smbusers, <a href="NetCommand.html#id372102">User Mapping</a></dt><dt>/etc/shadow, <a href="StandAloneServer.html#id347134">Background</a>, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></dt><dt>/etc/smbpasswd, <a href="passdb.html#id364023">Plaintext</a></dt><dt>/etc/ssl/certs/slapd.pem, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt><dt>/etc/xinetd.d, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/xinetd.d/telnet, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/export, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>/lib/libnss_example.so, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>/lib/libnss_files.so, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>/lib/security, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="pam.html#id430584">PAM Configuration Syntax</a></dt><dt>/lib/security/, <a href="winbind.html#id420026">Pluggable Authentication Modules</a></dt><dt>/opt/samba/bin, <a href="SWAT.html#id444812">Locating the SWAT File</a></dt><dt>/tmp, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>/usr/bin/openssl, <a href="SWAT.html#id445330">Securing SWAT through SSL</a></dt><dt>/usr/lib/samba/vfs, <a href="VFS.html#id416413">Discussion</a></dt><dt>/usr/lib/security, <a href="winbind.html#id421002">NSS Winbind on AIX</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a></dt><dt>/usr/lib/security/methods.cfg, <a href="winbind.html#id421002">NSS Winbind on AIX</a></dt><dt>/usr/local/lib, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>/usr/local/samba, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>/usr/local/samba/bin, <a href="winbind.html#id421865">Linux</a>, <a href="winbind.html#id422049">Solaris</a>, <a href="SWAT.html#id444812">Locating the SWAT File</a></dt><dt>/usr/local/samba/lib, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>/usr/local/samba/lib/vfs, <a href="VFS.html#id416413">Discussion</a></dt><dt>/usr/local/samba/private/secrets.tdb, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>/usr/local/samba/swat, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>/usr/local/samba/var, <a href="AccessControls.html#id382742">Access Controls on Shares</a>, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>/usr/local/samba/var/locks, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>/usr/sbin, <a href="SWAT.html#id444812">Locating the SWAT File</a>, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>/usr/share/samba/swat, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>/var/locks/*.tdb, <a href="speed.html#id453354">Corrupt tdb Files</a></dt><dt>/var/log/samba, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>/var/run/samba, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>/var/spool/cups/, <a href="CUPS-printing.html#id414430">Autodeletion or Preservation of CUPS Spool Files</a></dt><dt>/var/spool/samba, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="CUPS-printing.html#id414430">Autodeletion or Preservation of CUPS Spool Files</a></dt><dt>250-user limit, <a href="passdb.html#id364340">tdbsam</a></dt><dt>3.0.11, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>4,500 user accounts, <a href="passdb.html#id364340">tdbsam</a></dt><dt>4294967295, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>8.3 file names, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>>Domain User Manager, <a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a></dt><dt>[global], <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>\\%L\%U\.profiles, <a href="ProfileMgmt.html#id425965">Windows 9x/Me User Profiles</a></dt><dt>\\SERVER, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a></dt><dt>_kerberos.REALM.NAME, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>_kerberos._udp, <a href="domain-member.html#id346362">Notes</a></dt><dt>_ldap._tcp, <a href="domain-member.html#id346362">Notes</a></dt><dt>_ldap._tcp.pdc._msdcs.quenya.org, <a href="samba-bdc.html#id340956">NetBIOS Over TCP/IP Disabled</a></dt></dl></div><div class="indexdiv"><h3></h3><dl><dt>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id344023">Samba Client</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="NetCommand.html#id374016">Printer Migration</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a>, <a href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a href="securing-samba.html#id387302">Features and Benefits</a>, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id396246">Identifying Driver Files</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id421865">Linux</a>, <a href="winbind.html#id422679">Solaris-Specific Configuration</a>, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a>, <a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a>, <a href="cfgsmarts.html">Advanced Configuration Techniques</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a> (see SSO)</dt><dd><dl><dt>backend, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>logon</dt><dd><dl><dt>service, <a href="samba-bdc.html#id339696">Essential Background Information</a></dt></dl></dd></dl></dd></dl></div><div class="indexdiv"><h3>A</h3><dl><dt>abbreviated keystrokes, <a href="ClientConfig.html#id348430">TCP/IP Configuration</a></dt><dt>aborting shutdown, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>accept connections, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>access, <a href="ChangeNotes.html#id351342">User and Group Changes</a></dt><dt>Access, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>access authentication, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>access control, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="StandAloneServer.html#id347134">Background</a>, <a href="AccessControls.html#id382742">Access Controls on Shares</a>, <a href="AdvancedNetworkManagement.html">Advanced Network Management</a></dt><dt>Access Control, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Access Control Entries (see ACE)</dt><dt>Access Control List, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>access control needs, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>access controls, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a>, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a>, <a href="AccessControls.html#id380678">Features and Benefits</a>, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>Access Controls, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>access denied, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></dt><dt>access policies, <a href="passdb.html#id363711">Domain Account Policy Managment</a></dt><dt>access rights, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>account, <a href="install.html#id326850">Example Configuration</a>, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dd><dl><dt>backend, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>database, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt><dd><dl><dt>backends, <a href="ServerType.html#id332909">Features and Benefits</a></dt></dl></dd></dl></dd><dt>account access controls, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>account attributes, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>account backends, <a href="passdb.html">Account Information Databases</a></dt><dt>account containers, <a href="passdb.html#id365225">Initialize the LDAP Database</a></dt><dt>account control block (see ACB)</dt><dt>account control flags, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>account controls, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Account Controls, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>account database, <a href="passdb.html#id363976">Password Backends</a></dt><dt>account deleted, <a href="passdb.html#id363042">Deleting Accounts</a></dt><dt>account encode_bits, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>account flag order, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>Account Flags, <a href="passdb.html#id362746">Listing User and Machine Accounts</a></dt><dt>account flags, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>account import/export, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a href="passdb.html#id363855">Account Import/Export</a></dt><dt>account information, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a></dt><dt>account information database, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>account management, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>account name, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="rights.html">User Rights and Privileges</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>account policies, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a></dt><dt>account policy, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>account restrictions, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>account security, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>account storage backends, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a></dt><dt>account storage mechanisms, <a href="passdb.html">Account Information Databases</a></dt><dt>account storage system, <a href="passdb.html">Account Information Databases</a></dt><dt>Account Unknown, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>accountability, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>accounts, <a href="winbind.html#id420297">Introduction</a></dt><dt>ACL, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="passdb.html#id365990">Security and sambaSamAccount</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="rights.html#id379339">Description of Privileges</a>, <a href="securing-samba.html#id387302">Features and Benefits</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>ACLs, <a href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a></dt><dd><dl><dt>File System, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>POSIX, <a href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a href="AccessControls.html#id380678">Features and Benefits</a></dt><dt>share, <a href="AccessControls.html#id380678">Features and Benefits</a></dt><dt>Windows, <a href="AccessControls.html#id380678">Features and Benefits</a></dt></dl></dd><dt>ACLs on share, <a href="AccessControls.html#id382986">Windows 200x/XP</a></dt><dt>ACLs on shares, <a href="AccessControls.html#id380678">Features and Benefits</a></dt><dt>across network segments, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>active directory, <a href="ServerType.html#id332909">Features and Benefits</a>, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id337966">Samba ADS Domain Control</a></dt><dt>Active Directory, <a href="samba-bdc.html#id340717">Active Directory Domain Control</a>, <a href="domain-member.html#ads-member">Samba ADS Domain Membership</a>, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a>, <a href="idmapper.html#id374992">Standalone Samba Server</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>Active Directory Server, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>AD4UNIX, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>ADAM, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>add a user account, <a href="passdb.html#id362965">Adding User Accounts</a></dt><dt>add client machines, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>add domain users and groups to a local group, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>add drivers, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>add group script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="groupmapping.html#id369332">Sample smb.conf Add Group Script</a>, <a href="groupmapping.html#id369618">Adding Groups Fails</a>, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>add machine script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="samba-pdc.html#id339004">The Machine Trust Account Is Not Accessible</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a>, <a href="ClientConfig.html#id351062">Common Errors</a>, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="upgrading-to-3.0.html#id441782">Changes in Behavior</a></dt><dt>add printer command, <a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a></dt><dt>Add Printer Wizard, <a href="classicalprinting.html#id390934">Features and Benefits</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>add printer wizard, <a href="CUPS-printing.html#id402147">Driver Upload Methods</a></dt><dt>add share command, <a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></dt><dt>add user script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="passdb.html#id362637">User Account Management</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="upgrading-to-3.0.html#id441782">Changes in Behavior</a></dt><dt>add user to group script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>add/delete/change share, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>adddriver, <a href="classicalprinting.html#id396743">Installing Driver Files into [print$]</a>, <a href="classicalprinting.html#id397066">Running rpcclient with adddriver</a>, <a href="classicalprinting.html#id397481">Specific Driver Name Flexibility</a>, <a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a>, <a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a></dt><dt>additional driver, <a href="classicalprinting.html#id398228">Additional Client Driver Installation</a></dt><dt>additional privileges, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>addmem, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>AddPrinterDriver(), <a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></dt><dt>admin users, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="AccessControls.html#id384805">File Operations Done as root with force user Set</a></dt><dt>admincfg.exe, <a href="Other-Clients.html#id452468">Configuring Windows for Workgroups Password Handling</a></dt><dt>administrative actions, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>administrative duties, <a href="NetCommand.html#id370067">Overview</a></dt><dt>administrative privileges, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>administrative responsibilities, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>administrative rights, <a href="rights.html#id379339">Description of Privileges</a>, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>administrative rights and privileges, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>Administrative Templates, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></dt><dt>Administrator, <a href="groupmapping.html#id367529">Discussion</a>, <a href="groupmapping.html#id368424">Important Administrative Information</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>administrator account, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="domain-member.html#id343945">Windows NT4 Client</a></dt><dt>Administrator account, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>administrator password, <a href="domain-member.html#id346362">Notes</a></dt><dt>Administrator%password, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>Adobe, <a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a>, <a href="CUPS-printing.html#id412953">The Grand Unification Achieved</a></dt><dt>Adobe driver, <a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>Adobe driver files, <a href="CUPS-printing.html#id408727">Recognizing Different Driver Files</a></dt><dt>Adobe PostScript, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a>, <a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>Adobe PostScript driver, <a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a></dt><dt>Adobe PPD, <a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a></dt><dt>Adobe specifications, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>ADS, <a href="ServerType.html#id334182">ADS Security Mode (User-Level Security)</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#domain-member-server">Domain Member Server</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id345150">Configure smb.conf</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a href="domain-member.html#ads-test-server">Testing Server Setup</a>, <a href="NetworkBrowsing.html">Network Browsing</a>, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a>, <a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a>, <a href="passdb.html#id365886">Accounts and Groups Management</a>, <a href="NetCommand.html#id370344">Administrative Tasks and Methods</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="rights.html">User Rights and Privileges</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="InterdomainTrusts.html#id388758">Features and Benefits</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id420241">Result Caching</a>, <a href="PolicyMgmt.html#id424107">Features and Benefits</a>, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a>, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a>, <a href="PolicyMgmt.html#id425500">System Startup and Logon Processing Overview</a>, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a>, <a href="pam.html">PAM-Based Distributed Authentication</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="integrate-ms-networks.html#id432576">Background Information</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a>, <a href="NT4Migration.html#id442769">Objectives</a>, <a href="DNSDHCP.html#id454865">Features and Benefits</a> (see Active Directory)</dt><dt>ADS DC, <a href="domain-member.html#id345150">Configure smb.conf</a></dt><dt>ADS domain, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376591">ADS Domains</a></dt><dt>ADS domain members, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>ADS manager, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>ADS schema, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>Advanced TCP/IP configuration, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>advantages, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>affect users, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></dt><dt>affordable power, <a href="SambaHA.html#id436222">The Ultimate Goal</a></dt><dt>AFPL, <a href="CUPS-printing.html#id402931">Ghostscript: The Software RIP for Non-PostScript Printers</a></dt><dt>AFPL Ghostscript, <a href="CUPS-printing.html#id404588">pstoraster</a></dt><dt>AFS, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>AIX, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="winbind.html#id421002">NSS Winbind on AIX</a></dt><dt>algorithmic mapping, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>alias group, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>allow access, <a href="securing-samba.html#id387449">Using Host-Based Protection</a></dt><dt>allow trusted domains, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></dt><dt>already exists, <a href="domain-member.html#id346656">Cannot Add Machine Back to Domain</a></dt><dt>alternative solution, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>Amanda, <a href="Backup.html#id435949">Amanda</a></dt><dt>analyzes data, <a href="problems.html#id448088">Diagnostics Tools</a></dt><dt>anonymous, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dd><dl><dt>print server, <a href="FastStart.html#id328648">Anonymous Print Server</a></dt><dt>read-write server, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a></dt></dl></dd><dt>anonymous access, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a></dt><dt>anonymous file server, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>anonymous server, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>ANSI compiler, <a href="Portability.html#id451523">HPUX</a></dt><dt>anticipate failure, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>API, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>Appliances, <a href="winbind.html#id419494">Target Uses</a></dt><dt>application servers, <a href="domain-member.html#id342376">Features and Benefits</a></dt><dt>application/cups.vnd-postscript, <a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>application/octet-stream, <a href="CUPS-printing.html#cups-raw">Explicitly Enable “raw” Printing for application/octet-stream</a>, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a>, <a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></dt><dt>application/pdf, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></dt><dt>application/postscript, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a>, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id404429">pstops</a>, <a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>application/vnd.cups-postscript, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id404429">pstops</a></dt><dt>application/vnd.cups-raster, <a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>application/vnd.cups-raw, <a href="CUPS-printing.html#cups-raw">Explicitly Enable “raw” Printing for application/octet-stream</a></dt><dt>application/x-shell, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></dt><dt>apt-get, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>ARCFOUR-HMAC-MD5, <a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>architecture, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>ARP/RARP, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a></dt><dt>ASCII, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a>, <a href="unicode.html#id434469">Japanese Charsets</a></dt><dt>ASCII text, <a href="CUPS-printing.html#id404252">Prefilters</a></dt><dt>assign rights, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>assigned RID, <a href="groupmapping.html#id367529">Discussion</a></dt><dt>assistance, <a href="ch46.html#id454529">Free Support</a></dt><dt>associations, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>attach gdb, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>attribute, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>attributes, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>audit file access, <a href="VFS.html#id416806">audit</a></dt><dt>audit module, <a href="VFS.html#id417038">extd_audit</a></dt><dt>auth, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>auth methods, <a href="passdb.html#id366912">Configuration of auth methods</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a></dt><dt>authenticate, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>authenticate users, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>authenticated, <a href="domain-member.html#id345150">Configure smb.conf</a></dt><dt>authenticating server, <a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a></dt><dt>authentication, <a href="ServerType.html#id332909">Features and Benefits</a>, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a>, <a href="passdb.html#id363855">Account Import/Export</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dd><dl><dt>backend, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt></dl></dd><dt>authentication agents, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>authentication architecture, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>authentication backend, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>authentication control, <a href="winbind.html#id420297">Introduction</a></dt><dt>authentication database, <a href="InterdomainTrusts.html#id388758">Features and Benefits</a></dt><dt>authentication management, <a href="winbind.html#id420026">Pluggable Authentication Modules</a></dt><dt>authentication mechanisms, <a href="winbind.html#id420297">Introduction</a></dt><dt>authentication methods, <a href="winbind.html#id420026">Pluggable Authentication Modules</a></dt><dt>authentication module API, <a href="winbind.html#id421002">NSS Winbind on AIX</a></dt><dt>authentication regime, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>authentication reply, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a></dt><dt>authentication server, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>authentication service, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>authentication system, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>authenticatior, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>authoritative, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>authoritive, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>authorization, <a href="winbind.html#id420026">Pluggable Authentication Modules</a></dt><dt>auto-reconnect, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>autogen.sh, <a href="compiling.html#id450486">Building the Binaries</a></dt><dt>autogenerated printcap, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a></dt><dt>automatic account creation, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>automatic mapping, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>automatic reconnects, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>automatic redundancy, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>autopoweruser.sh, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a></dt><dt>autotyping, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>AUXILIARY, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>auxiliary members, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>availability, <a href="SambaHA.html#id436084">Features and Benefits</a>, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>available, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>available port, <a href="classicalprinting.html#id399581">Samba and Printer Ports</a></dt><dt>available printerd, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>available rights, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>average print run, <a href="CUPS-printing.html#id402258">Advanced Intelligent Printing with PostScript Driver Download</a></dt></dl></div><div class="indexdiv"><h3>B</h3><dl><dt>b-node, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>back up, <a href="winbind.html#id420404">Requirements</a></dt><dt>backed up, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>backend, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>backend authentication, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>backend database, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>backend failures, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>backend file system pool, <a href="SambaHA.html#id436764">Restrictive Constraints on Distributed File Systems</a></dt><dt>backends, <a href="ChangeNotes.html#id351743">Passdb Changes</a>, <a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></dt><dt>backup, <a href="Backup.html#id435499">Features and Benefits</a>, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>backup domain controller, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>backup solution, <a href="Backup.html#id435539">Discussion of Backup Solutions</a></dt><dt>BackupPC, <a href="Backup.html#id435626">BackupPC</a></dt><dt>bad hardware, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>bad logon attempts, <a href="passdb.html#id363122">Changing User Accounts</a></dt><dt>Bad networking hardware, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>bad password, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>banner pages, <a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a>, <a href="CUPS-printing.html#id409387">Run cupsaddsmb (Quiet Mode)</a></dt><dt>barriers, <a href="securing-samba.html#id387214">Introduction</a></dt><dt>Batch Oplock, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>BDC, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="samba-bdc.html#id340717">Active Directory Domain Control</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id364340">tdbsam</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="idmapper.html#id376159">Backup Domain Controller</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a>, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a>, <a href="NT4Migration.html#id443153">Domain Layout</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a></dt><dt>BDCs, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>behavior approximately same, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></dt><dt>between domains, <a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a></dt><dt>bias, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>binary format TDB, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>BIND, <a href="DNSDHCP.html#id455101">Dynamic DNS</a></dt><dt>bind interfaces only, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a>, <a href="securing-samba.html#id387645">Using Interface Protection</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>BIND9, <a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt><dt>BIND9.NET, <a href="DNSDHCP.html#id454865">Features and Benefits</a></dt><dt>bindery-enabled, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>block device, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>block incoming packets, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>BOBS, <a href="Backup.html#id435992">BOBS: Browseable Online Backup System</a></dt><dt>bogus, <a href="ServerType.html#id334489">Example Configuration</a></dt><dt>boot disk`, <a href="winbind.html#id420404">Requirements</a></dt><dt>bridge, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>bridges networks, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>brlock.tdb, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>broadcast, <a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>broadcast address, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>broadcast isolated subnet, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>broadcast messages, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>broadcast messaging, <a href="samba-bdc.html#id340853">How Does a Workstation find its Domain Controller?</a></dt><dt>Broadcast node, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>broadcast request, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>broadcast traffic, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>broadcast-based, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>broadcast-based name resolution, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>broadcasts, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>browsable, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>browse across subnet, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>browse list, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>browse list handling, <a href="NetworkBrowsing.html">Network Browsing</a></dt><dt>browse list maintainers, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>browse list management, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>browse lists, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>browse resources, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a></dt><dt>browse server resources, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a></dt><dt>browse shares, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></dt><dt>browse.dat, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a></dt><dt>browseable, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="samba-pdc.html#id338061">Example Configuration</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="VFS.html#id416413">Discussion</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>browser election, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>browser elections, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>BrowseShortNames, <a href="CUPS-printing.html#id416081">Print Queue Called “lp” Mishandles Print Jobs</a></dt><dt>browsing, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a></dt><dt>browsing across subnets, <a href="NetworkBrowsing.html">Network Browsing</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>browsing another subnet, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a></dt><dt>browsing intrinsics, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>browsing problems, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a>, <a href="NetworkBrowsing.html#id358283">Common Errors</a>, <a href="NetworkBrowsing.html#id358414">I Get an "Unable to browse the network" Error</a></dt><dt>BSD, <a href="samba-pdc.html#id338784">“$” Cannot Be Included in Machine Name</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>BSD Printing, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>BSD-style printing, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a></dt><dt>bug report, <a href="ch46.html#id454529">Free Support</a></dt><dt>bug reports, <a href="bugreport.html#id449187">Introduction</a></dt><dt>Bugzilla, <a href="bugreport.html#id449187">Introduction</a></dt><dt>built-in commands, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>bypasses privilege, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>byte ranges, <a href="locking.html#id385144">Discussion</a></dt><dt>byte-range lock, <a href="locking.html#id385144">Discussion</a></dt><dt>byte-range locking, <a href="locking.html#id385144">Discussion</a>, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt></dl></div><div class="indexdiv"><h3>C</h3><dl><dt>c:\winnt\inf, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>C:\WinNT\System32\config, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>cached</dt><dd><dl><dt>password, <a href="ServerType.html#id334587">Password Checking</a></dt></dl></dd><dt>cached encrypted password, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>cached in memory, <a href="passdb.html#id360246">Advantages of Non-Encrypted Passwords</a></dt><dt>cached local file, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>cached locally, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>cached references, <a href="NetworkBrowsing.html#id358640">Invalid Cached Share References Affects Network Browsing</a></dt><dt>caching, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>caching reads, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>caching scheme, <a href="winbind.html#id420241">Result Caching</a></dt><dt>caching writes, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>called name, <a href="securing-samba.html#id387449">Using Host-Based Protection</a></dt><dt>cannot join domain, <a href="ClientConfig.html#id351062">Common Errors</a></dt><dt>canonicalize files, <a href="largefile.html">Handling Large Directories</a></dt><dt>CAP, <a href="unicode.html#id434469">Japanese Charsets</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a>, <a href="Other-Clients.html#id452041">Macintosh Clients</a></dt><dt>cap-share, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>capability to delete, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>CAP_LINUX_IMMUTABLE, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>case options, <a href="largefile.html">Handling Large Directories</a></dt><dt>case sensitive, <a href="AccessControls.html#id382473">Miscellaneous Controls</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="largefile.html">Handling Large Directories</a></dt><dt>case sensitivity, <a href="pam.html#id430584">PAM Configuration Syntax</a></dt><dt>case-insensitive, <a href="ServerType.html#id333359">User Level Security</a>, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="largefile.html">Handling Large Directories</a></dt><dt>case-preserving, <a href="ServerType.html#id333359">User Level Security</a></dt><dt>central environment, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>centralized</dt><dd><dl><dt>authentication, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt></dl></dd><dt>centralized identity management, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>centrally managed, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>certificate, <a href="SWAT.html#id445330">Securing SWAT through SSL</a></dt><dt>Certificate Authority (see CA)</dt><dt>cfdisk, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>challenge/response mechanis, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>change capabilities, <a href="passdb.html#id361615">The smbpasswd Tool</a></dt><dt>change motivations, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>change password, <a href="domain-member.html#id346362">Notes</a></dt><dt>change passwords, <a href="passdb.html#id361615">The smbpasswd Tool</a></dt><dt>change share command, <a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></dt><dt>changed parameters, <a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></dt><dt>changes password, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>character device, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>character set, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>character sets, <a href="unicode.html#id434324">Samba and Charsets</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>charset, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>charset conversion, <a href="unicode.html#id434440">Conversion from Old Names</a></dt><dt>chattr, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>check for locks, <a href="locking.html#id385144">Discussion</a></dt><dt>check logs, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>checksum-search, <a href="Backup.html#id435788">Rsync</a></dt><dt>chmod, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>chown, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="AccessControls.html#id383310">Viewing File Ownership</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>chpass, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>CIFS, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>CIFS function calls, <a href="rights.html">User Rights and Privileges</a></dt><dt>CIFS/SMB, <a href="SambaHA.html#id436084">Features and Benefits</a>, <a href="SambaHA.html#id436345">Why Is This So Hard?</a></dt><dt>Citrix, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>classicalprinting, <a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt>clear purpose preferred, <a href="Backup.html#id435539">Discussion of Backup Solutions</a></dt><dt>clear-text, <a href="ServerType.html#id334587">Password Checking</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>clear-text passwords, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>client client instructions, <a href="ClientConfig.html#id348335">Features and Benefits</a></dt><dt>Client for Microsoft Networks, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Client for Novell Networks, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>client use spnego, <a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a></dt><dt>client-server mode, <a href="passdb.html#id361615">The smbpasswd Tool</a></dt><dt>client-side caching, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>client-side data caching, <a href="locking.html#id385372">Opportunistic Locking Overview</a>, <a href="locking.html#id385973">PDM Data Shares</a></dt><dt>clock skew, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>cluster servers, <a href="SambaHA.html#id436456">The Front-End Challenge</a></dt><dt>clustered file server, <a href="SambaHA.html#id436222">The Ultimate Goal</a></dt><dt>Clustered smbds, <a href="SambaHA.html#id436827">Server Pool Communications</a></dt><dt>clustering technologies, <a href="SambaHA.html#id436222">The Ultimate Goal</a></dt><dt>cluttering, <a href="bugreport.html#id449471">Debugging-Specific Operations</a></dt><dt>cmd, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a>, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>cmd shell, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>CN, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>code maintainer, <a href="ch46.html#id454529">Free Support</a></dt><dt>codepages, <a href="unicode.html#id434160">Features and Benefits</a></dt><dt>collating, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></dt><dt>collisions, <a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>color, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>COM1:, <a href="classicalprinting.html#id399581">Samba and Printer Ports</a></dt><dt>command-line, <a href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>command-line utility, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>comment, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="samba-pdc.html#id338061">Example Configuration</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="VFS.html#id416413">Discussion</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>commenting out setting, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></dt><dt>commercial Linux products, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>commercial support, <a href="ch46.html">Samba Support</a>, <a href="ch46.html#id454727">Commercial Support</a></dt><dt>commit the settings, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>Common Internet Filesystem (see CIFS)</dt><dt>Common restrictions, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>Common UNIX Printing System (see CUPS)</dt><dt>common.adm, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>comp.protocols.smb, <a href="bugreport.html#id449187">Introduction</a></dt><dt>compatible, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="Portability.html">Portability</a></dt><dt>compile, <a href="install.html#id325669">Obtaining and Installing Samba</a></dt><dt>compile-time options, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></dt><dt>complex file name space, <a href="SambaHA.html#id437009">A Simple Solution</a></dt><dt>complex organization, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>complexity, <a href="StandAloneServer.html#id347312">Example Configuration</a></dt><dt>compliance, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>complicated, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>complicated problem, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>comprehensive documentation, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>Computer Account, <a href="domain-member.html#id343945">Windows NT4 Client</a></dt><dt>computer account, <a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>computer accounts, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>Computer Management, <a href="AccessControls.html#id382742">Access Controls on Shares</a>, <a href="AccessControls.html#id382986">Windows 200x/XP</a></dt><dt>Computer Name, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>computer name, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></dt><dt>concurrent access, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>Conectiva, <a href="CUPS-printing.html#id413155">Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</a></dt><dt>config.cache, <a href="domain-member.html#id346082">Possible Errors</a></dt><dt>CONFIG.POL, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>Config.POL, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a></dt><dt>configuration</dt><dd><dl><dt>documentation, <a href="install.html#id327100">Test Your Config File with testparm</a></dt></dl></dd><dt>configuration files, <a href="SWAT.html#id444620">Features and Benefits</a></dt><dt>configuration problem, <a href="bugreport.html#id449187">Introduction</a></dt><dt>configuration syntax, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>configuration techniques, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>configuration too complex, <a href="StandAloneServer.html#id348271">Common Errors</a></dt><dt>configuration tool, <a href="SWAT.html">SWAT: The Samba Web Administration Tool</a></dt><dt>configuration wizard, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>configure, <a href="compiling.html#id450486">Building the Binaries</a></dt><dt>configuring a firewall, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>confirm address, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>confirm the password, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></dt><dt>confirm the trust, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>connect transparently, <a href="SambaHA.html#id436222">The Ultimate Goal</a></dt><dt>connection resources, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a></dt><dt>connections, <a href="install.html#id326850">Example Configuration</a></dt><dt>connections.tdb, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>consistent case, <a href="largefile.html">Handling Large Directories</a></dt><dt>console, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>consumer expects, <a href="ch46.html">Samba Support</a></dt><dt>container, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>continuity of service, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>contribute, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>Control Panel, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>convert</dt><dd><dl><dt>domain member server, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt></dl></dd><dt>converted, <a href="passdb.html#passdbtech">Technical Information</a></dt><dt>copy'n'paste, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>core files, <a href="bugreport.html#id449670">Internal Errors</a></dt><dt>core graphic engine, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a></dt><dt>core values, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>corrupted file, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>cosine.schema, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>country of origin, <a href="ch46.html#id454727">Commercial Support</a></dt><dt>CP850, <a href="unicode.html#id434324">Samba and Charsets</a></dt><dt>CP932, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>cracker, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>create, <a href="AccessControls.html#id381159">Managing Directories</a></dt><dt>Create a Computer Account, <a href="domain-member.html#id343945">Windows NT4 Client</a></dt><dt>create a domain machine account, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>create domain member, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a></dt><dt>create machine trust account, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>create mask, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id383760">Interaction with the Standard Samba “create mask” Parameters</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></dt><dt>create partition, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>Create the Computer Account, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>create user accounts, <a href="StandAloneServer.html#id347134">Background</a></dt><dt>create volume, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>credentials, <a href="ServerType.html#id333359">User Level Security</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a>, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>credentials validation, <a href="samba-bdc.html#id340905">NetBIOS Over TCP/IP Enabled</a></dt><dt>critical aspects of configuration, <a href="ClientConfig.html#id348335">Features and Benefits</a></dt><dt>crle, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>cron, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></dt><dt>cross post, <a href="problems.html#id448906">Getting Mailing List Help</a></dt><dt>cross-segment browsing, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>cross-subnet browsing, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>csc policy, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>CUPS, <a href="classicalprinting.html#id390934">Features and Benefits</a>, <a href="classicalprinting.html#id391142">Technical Introduction</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="CUPS-printing.html#id400530">Features and Benefits</a>, <a href="CUPS-printing.html#id400581">Overview</a>, <a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a>, <a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a></dt><dd><dl><dt>Page Accounting, <a href="CUPS-printing.html#id413751">Page Accounting with CUPS</a></dt><dt>quotas, <a href="CUPS-printing.html#id413781">Setting Up Quotas</a></dt></dl></dd><dt>CUPS API, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a></dt><dt>CUPS backends, <a href="CUPS-printing.html#id405130">CUPS Backends</a></dt><dt>CUPS filtering, <a href="CUPS-printing.html#id403248">CUPS Also Uses PPDs for Non-PostScript Printers</a>, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></dt><dt>CUPS filtering chain, <a href="CUPS-printing.html#id405130">CUPS Backends</a></dt><dt>CUPS libarary API, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>CUPS PostScript, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></dt><dt>CUPS PostScript driver, <a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>CUPS print filters, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>CUPS raster, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id404588">pstoraster</a></dt><dt>CUPS-PPD, <a href="CUPS-printing.html#id412815">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>cups.hlp, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></dt><dt>cupsaddsmb, <a href="CUPS-printing.html#id402147">Driver Upload Methods</a>, <a href="CUPS-printing.html#id408112">cupsaddsmb: The Unknown Utility</a>, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a>, <a href="CUPS-printing.html#id409387">Run cupsaddsmb (Quiet Mode)</a>, <a href="CUPS-printing.html#id409517">Run cupsaddsmb with Verbose Output</a>, <a href="CUPS-printing.html#id409621">Understanding cupsaddsmb</a>, <a href="CUPS-printing.html#id409864">cupsaddsmb with a Samba PDC</a>, <a href="CUPS-printing.html#id409942">cupsaddsmb Flowchart</a>, <a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a>, <a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a></dt><dt>cupsd.conf, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a>, <a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a>, <a href="CUPS-printing.html#id405664">mime.convs</a>, <a href="CUPS-printing.html#id414430">Autodeletion or Preservation of CUPS Spool Files</a></dt><dt>cupsomatic, <a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a>, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a>, <a href="CUPS-printing.html#id412815">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>custom scripts, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>customer expected, <a href="ch46.html">Samba Support</a></dt><dt>customers, <a href="ch46.html">Samba Support</a></dt><dt>customized print commands, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt></dl></div><div class="indexdiv"><h3>D</h3><dl><dt>daemon, <a href="install.html#id326670">Starting Samba</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="winbind.html#id420404">Requirements</a>, <a href="compiling.html#id451161">Alternative: Starting smbd as a Daemon</a></dt><dt>daemon running, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>daemons, <a href="winbind.html#id422168">Restarting</a></dt><dt>damaged data, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>data caching, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>data corruption, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a>, <a href="locking.html#id385864">UNIX or NFS Client-Accessed Files</a></dt><dt>data interchange, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>data stream, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>database, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></dt><dt>DatabaseFS, <a href="VFS.html#id418611">DatabaseFS</a></dt><dt>DAVE, <a href="Other-Clients.html#id452041">Macintosh Clients</a></dt><dt>dbx, <a href="bugreport.html#id449670">Internal Errors</a></dt><dt>DCE RPC, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>DDK, <a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a>, <a href="CUPS-printing.html#id408505">CUPS “PostScript Driver for Windows NT/200x/XP”</a></dt><dt>DDNS, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a>, <a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a>, <a href="integrate-ms-networks.html#id432576">Background Information</a></dt><dt>de-multiplex, <a href="SambaHA.html#id436456">The Front-End Challenge</a></dt><dt>de-multiplexing, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>Debian, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>Debian Sarge, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>debug, <a href="bugreport.html#id449670">Internal Errors</a></dt><dt>debug level, <a href="problems.html#id448137">Debugging with Samba Itself</a>, <a href="bugreport.html#dbglvl">Debug Levels</a>, <a href="speed.html#id453133">Log Level</a></dt><dt>debugging, <a href="problems.html#id448137">Debugging with Samba Itself</a>, <a href="bugreport.html#id449471">Debugging-Specific Operations</a></dt><dt>debugging passwords, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>debugging problems, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>debuglevel, <a href="bugreport.html#dbglvl">Debug Levels</a></dt><dt>dedicated heartbeat, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>dedicated print server, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>default accounts, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dt>default aliases, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></dt><dt>default behavior, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>default case, <a href="AccessControls.html#id382473">Miscellaneous Controls</a>, <a href="largefile.html">Handling Large Directories</a></dt><dt>default devmode, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>default DNS setup, <a href="domain-member.html#id346362">Notes</a></dt><dt>default gateways, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>default groups, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></dt><dt>default mapping, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a></dt><dt>default mappings, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>default print command, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a></dt><dt>default print commands, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>default printer, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>default printing, <a href="CUPS-printing.html#id400530">Features and Benefits</a></dt><dt>default profile, <a href="ProfileMgmt.html#id428249">Default Profile for Windows Users</a>, <a href="ProfileMgmt.html#id429610">Changing the Default Profile</a></dt><dt>default settings, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>default shells, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>Default User, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></dt><dt>default users, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></dt><dt>defective hardware, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>deferred open, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>defined shares, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></dt><dt>delegate administrative privileges, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>delegated, <a href="groupmapping.html#id368424">Important Administrative Information</a></dt><dt>delegation, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>delete, <a href="AccessControls.html#id381159">Managing Directories</a></dt><dt>delete a file, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>delete group script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>delete printer command, <a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a></dt><dt>delete roaming profiles, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></dt><dt>delete share command, <a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></dt><dt>delete user from group script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a></dt><dt>delete user script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="passdb.html#id363042">Deleting Accounts</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>deleted files, <a href="VFS.html#id417334">recycle</a></dt><dt>deleted parameters, <a href="upgrading-to-3.0.html#id440578">Removed Parameters</a></dt><dt>delmem, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>demote, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>demoted, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>denial of service, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>deny, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></dt><dt>deny access, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>deny modes, <a href="locking.html#id385144">Discussion</a></dt><dt>deny-none, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>DENY_ALL, <a href="locking.html#id385144">Discussion</a></dt><dt>DENY_DOS, <a href="locking.html#id385144">Discussion</a></dt><dt>DENY_FCB, <a href="locking.html#id385144">Discussion</a></dt><dt>DENY_NONE, <a href="locking.html#id385144">Discussion</a></dt><dt>DENY_READ, <a href="locking.html#id385144">Discussion</a></dt><dt>DENY_WRITE, <a href="locking.html#id385144">Discussion</a></dt><dt>deployment, <a href="ch46.html#id454529">Free Support</a></dt><dt>deployment guidelines, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>DES-CBC-CRC, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>DES-CBC-MD5, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>desirable solution, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>desktop cache, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>desktop profile, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>desktop profiles, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>deterents, <a href="securing-samba.html#id387214">Introduction</a></dt><dt>development libraries, <a href="winbind.html#id420404">Requirements</a></dt><dt>devfsd package, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>device mode, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>device-specific commands, <a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>DFS, <a href="msdfs.html#id390330">Features and Benefits</a> (see MS-DFS, Distributed File Systems)</dt><dt>DFS junction, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>DFS links, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>DFS root, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>DFS server, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>DFS tree, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>DFS-aware, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>DFS-aware clients, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>DHCP, <a href="ClientConfig.html#id348430">TCP/IP Configuration</a>, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a>, <a href="ClientConfig.html#id349640">MS Windows Me</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a>, <a href="integrate-ms-networks.html#id432576">Background Information</a>, <a href="DNSDHCP.html#id454865">Features and Benefits</a></dt><dt>DHCP servers, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>DHCP-enabled, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>DHCP-enabled operation, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>diagnostic, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>diagnostic tools, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>diff, <a href="bugreport.html#id449906">Patches</a></dt><dt>differences, <a href="Backup.html#id435788">Rsync</a></dt><dt>different resources, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>differently encrypted passwords, <a href="passdb.html#passdbtech">Technical Information</a></dt><dt>differing protocol, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></dt><dt>dir, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>direct internet access, <a href="securing-samba.html#id387214">Introduction</a></dt><dt>directory, <a href="samba-bdc.html#id340717">Active Directory Domain Control</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="idmapper.html#id376159">Backup Domain Controller</a></dt><dt>directory access control, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>directory access permissions, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>directory controls, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>Directory Information Tree (see DIT)</dt><dt>directory mask, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></dt><dt>directory permissions, <a href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>directory schema, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>directory security mask, <a href="AccessControls.html#id383760">Interaction with the Standard Samba “create mask” Parameters</a></dt><dt>Directory Separators, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>directory server, <a href="passdb.html#id364485">ldapsam</a></dt><dt>directory_mode, <a href="VFS.html#id417334">recycle</a></dt><dt>disable LMB, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>disable locking, <a href="locking.html#id385057">Features and Benefits</a></dt><dt>disable roaming profiles, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a></dt><dt>disable spoolss, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>disabling oplocks, <a href="locking.html#id385973">PDM Data Shares</a></dt><dt>disass, <a href="bugreport.html#id449670">Internal Errors</a></dt><dt>disaster recovery, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>disconnect a connection, <a href="ProfileMgmt.html#id425832">NT4/200x User Profiles</a></dt><dt>disk, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>disk space, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>disparate information systems, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>display charset, <a href="unicode.html#id434324">Samba and Charsets</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a>, <a href="unicode.html#id435148">Individual Implementations</a>, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt><dt>display PostScript, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>displayName, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>distort, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>distribute authentication systems, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>distributed, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dt>distributed account, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>Distributed Computing Environment (see DCE)</dt><dt>distributed directory, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>distributed file system, <a href="SambaHA.html#id436222">The Ultimate Goal</a> (see DFS)</dt><dt>Distributed File Systems, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>distributed file systems, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>distributed locking protocol, <a href="SambaHA.html#id437009">A Simple Solution</a></dt><dt>distribution, <a href="install.html#id326850">Example Configuration</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>dithering algorithm, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>DMB, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>DMB for a workgroup, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a></dt><dt>DMC, <a href="idmapper.html#id376225">Examples of IDMAP Backend Usage</a></dt><dt>DMS, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="idmapper.html#id376225">Examples of IDMAP Backend Usage</a>, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>DN, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>DNS, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-bdc.html#id340853">How Does a Workstation find its Domain Controller?</a>, <a href="samba-bdc.html#id340956">NetBIOS Over TCP/IP Disabled</a>, <a href="domain-member.html#id345150">Configure smb.conf</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a>, <a href="ClientConfig.html#id349640">MS Windows Me</a>, <a href="NetworkBrowsing.html">Network Browsing</a>, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a>, <a href="passdb.html#id365225">Initialize the LDAP Database</a>, <a href="winbind.html#id419814">Name Service Switch</a>, <a href="integrate-ms-networks.html#id432576">Background Information</a>, <a href="integrate-ms-networks.html#id433736">DNS Lookup</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="DNSDHCP.html#id454865">Features and Benefits</a>, <a href="DNSDHCP.html#id455025">Example Configuration</a></dt><dd><dl><dt>Active Directory, <a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt><dt>Dynamic, <a href="integrate-ms-networks.html#id432576">Background Information</a>, <a href="DNSDHCP.html#id455101">Dynamic DNS</a></dt><dt>SRV records, <a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt></dl></dd><dt>DNS Configuration, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>DNS lookup, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>DNS name resolution, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>dns proxy, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>DNS server, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>DNS server access, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>DNS server settings, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>DNS servers, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>DNS zon, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>DNS/LDAP/ADS, <a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a></dt><dt>document design, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>documentation, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="SWAT.html#id444620">Features and Benefits</a>, <a href="problems.html">Analyzing and Solving Samba Problems</a></dt><dt>domain, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="passdb.html#id362965">Adding User Accounts</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></dt><dd><dl><dt>control, <a href="ServerType.html#id333060">Server Types</a></dt><dd><dl><dt>role, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt></dl></dd><dt>controller, <a href="ServerType.html#id332909">Features and Benefits</a>, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="samba-pdc.html">Domain Control</a>, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dd><dl><dt>convert, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>hierarchy, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt></dl></dd><dt>controllers, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt><dt>groups, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dt>master</dt><dd><dl><dt>browser, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a></dt></dl></dd><dt>member, <a href="ServerType.html#id333060">Server Types</a>, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dd><dl><dt>server, <a href="samba-bdc.html#id339320">Features and Benefits</a></dt></dl></dd><dt>member server, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>security, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt><dd><dl><dt>protocols, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt></dl></dd><dt>trust account, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt></dl></dd><dt>domain access, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>domain account access policies, <a href="passdb.html#id363711">Domain Account Policy Managment</a></dt><dt>domain admin group, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>domain Administrator, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>Domain Admins, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="groupmapping.html#id367529">Discussion</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="groupmapping.html#id368424">Important Administrative Information</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a>, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>Domain Admins group, <a href="groupmapping.html#id367529">Discussion</a></dt><dt>domain authentication, <a href="NetCommand.html#id370067">Overview</a></dt><dt>domain context, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>domain control, <a href="samba-pdc.html#id336284">Basics of Domain Control</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="samba-bdc.html#id341906">Common Errors</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt>backup, <a href="ServerType.html#id333060">Server Types</a></dt><dt>primary, <a href="ServerType.html#id333060">Server Types</a></dt></dl></dd><dt>domain control database (see SAM)</dt><dt>domain controller, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="samba-bdc.html#id339696">Essential Background Information</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="samba-bdc.html#id340717">Active Directory Domain Control</a>, <a href="samba-bdc.html#id340905">NetBIOS Over TCP/IP Enabled</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="rights.html">User Rights and Privileges</a>, <a href="winbind.html#id419355">What Winbind Provides</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a>, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="NT4Migration.html#id443153">Domain Layout</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a></dt><dt>Domain Controller, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></dt><dt>domain controllers, <a href="samba-pdc.html#id337966">Samba ADS Domain Control</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a>, <a href="cfgsmarts.html">Advanced Configuration Techniques</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>domain environment, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>domain global, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>domain global group, <a href="NetCommand.html#id370067">Overview</a>, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>domain global groups, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain global user, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>domain global users, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain group, <a href="winbind.html#id418954">Features and Benefits</a></dt><dt>domain group settings, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain groups, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></dt><dt>Domain Groups, <a href="passdb.html#id365886">Accounts and Groups Management</a></dt><dt>Domain Guests, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>domain information, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>domain join, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>domain joining, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>domain logon, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338009">Domain and Network Logon Configuration</a>, <a href="samba-pdc.html#id338026">Domain Network Logon Service</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>domain logon server, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>domain logons, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338061">Example Configuration</a>, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="ProfileMgmt.html#id429610">Changing the Default Profile</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>domain management tools, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>domain master, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338026">Domain Network Logon Service</a>, <a href="samba-pdc.html#id338061">Example Configuration</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a></dt><dt>domain member, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="domain-member.html">Domain Membership</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="domain-member.html#id346622">Common Errors</a>, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="groupmapping.html#id367529">Discussion</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="winbind.html#id419533">Handling of Foreign SIDs</a>, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>Domain Member, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dd><dl><dt>joining, <a href="ServerType.html#id333890">Example Configuration</a></dt></dl></dd><dt>domain member client, <a href="groupmapping.html#id368424">Important Administrative Information</a></dt><dt>Domain Member Client (see DMC)</dt><dt>domain member server, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#domain-member-server">Domain Member Server</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>Domain Member Server (see DMS)</dt><dt>domain member servers, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>domain member workstations, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain members, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="winbind.html#id420297">Introduction</a></dt><dt>domain membership, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="domain-member.html">Domain Membership</a></dt><dt>domain name, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Domain Name System (see DNS)</dt><dt>domain non-member, <a href="winbind.html#id419533">Handling of Foreign SIDs</a></dt><dt>domain policies, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>domain radio button, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>domain security, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="domain-member.html">Domain Membership</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="domain-member.html#domain-member-server">Domain Member Server</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a>, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></dt><dt>domain security account, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Domain Server Manager, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>domain SID, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>domain trust, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a></dt><dt>domain user, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>domain user accounts, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dt>domain user manager, <a href="passdb.html#id362637">User Account Management</a></dt><dt>Domain User Manager, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a>, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>Domain Users, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>domain users, <a href="winbind.html#id420404">Requirements</a>, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a>, <a href="winbind.html#id422791">Conclusion</a></dt><dt>Domain Users group, <a href="groupmapping.html#id369692">Adding Domain Users to the Workstation Power Users Group</a></dt><dt>domain-level, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a></dt><dt>domain-level security, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>domain-wide browse list, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></dt><dt>DOMAIN<1B>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></dt><dt>DOMAIN<1C>, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></dt><dt>DOMAIN<1D>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></dt><dt>dont descend, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>dos charset, <a href="unicode.html#id434324">Samba and Charsets</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a>, <a href="unicode.html#id435148">Individual Implementations</a>, <a href="unicode.html#id435405">CP850.so Can't Be Found</a></dt><dt>dos filemode, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a></dt><dt>dos filetime resolution, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>dos filetimes, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>draft, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>Drive Identification, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>driver, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a></dt><dt>driver CDROM, <a href="classicalprinting.html#id396246">Identifying Driver Files</a></dt><dt>driver download, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></dt><dt>Driver File, <a href="classicalprinting.html#id396246">Identifying Driver Files</a></dt><dt>driver files, <a href="classicalprinting.html#id396246">Identifying Driver Files</a></dt><dt>Driver Path, <a href="classicalprinting.html#id396246">Identifying Driver Files</a></dt><dt>dual-daemon winbindd, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>due diligence, <a href="Backup.html#id435539">Discussion of Backup Solutions</a></dt><dt>duplex, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>duplex printing, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>duplicate, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt><dt>duplication of information, <a href="winbind.html#id419277">Introduction</a></dt><dt>DVI, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id404252">Prefilters</a></dt><dt>Dynamic DNS (see DDNS)</dt><dt>Dynamic Host Configuration Protocol (see DHCP)</dt><dt>dynamic link loader, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>dynamic registration files, <a href="DNSDHCP.html#id455101">Dynamic DNS</a></dt><dt>Dynamic SMB servers, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>dynamically loadable library modules, <a href="pam.html#id429934">Features and Benefits</a></dt></dl></div><div class="indexdiv"><h3>E</h3><dl><dt>e-Directory, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>EAs, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>economically wise, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>eDirectory, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>editreg, <a href="PolicyMgmt.html#id425324">Samba Editreg Toolset</a></dt><dt>efficient authentication, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>election, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>election criteria, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>election packet, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>election process, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>EMF, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a>, <a href="CUPS-printing.html#id407268">From Windows Clients to an NT Print Server</a>, <a href="CUPS-printing.html#id407391">Driver Execution on the Server</a></dt><dt>enable privileges, <a href="rights.html#id378765">Rights Management Capabilities</a></dt><dt>enables clients to print, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>enables NetBIOS over TCP/IP, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>encapsulating, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>encoding, <a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>encryped password, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dt>encrypt passwords, <a href="ServerType.html#id334489">Example Configuration</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id345150">Configure smb.conf</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="pam.html#id431757">smb.conf PAM Configuration</a>, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>encrypted, <a href="ServerType.html#id332909">Features and Benefits</a>, <a href="ServerType.html#id334587">Password Checking</a>, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>encrypted password, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>encrypted passwords, <a href="ServerType.html#id334587">Password Checking</a>, <a href="passdb.html#id359091">Features and Benefits</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a>, <a href="ProfileMgmt.html#id427726">Profile Migration from Windows NT4/200x Server to Samba</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a></dt><dt>encrypted session, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>encryption, <a href="ServerType.html#id334332">Server Security (User Level Security)</a></dt><dt>encryption key, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a></dt><dt>encryption types, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#id346362">Notes</a></dt><dt>enforcing, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>English, <a href="unicode.html#id434469">Japanese Charsets</a>, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt><dt>enhanced browsing, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>Enhanced MetaFile (see EMF)</dt><dt>enterprise, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>enumdrivers, <a href="classicalprinting.html#id396246">Identifying Driver Files</a>, <a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></dt><dt>enumerate domain groups, <a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></dt><dt>enumerate domain users, <a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></dt><dt>EnumJobs(), <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>enumports command, <a href="classicalprinting.html#id399581">Samba and Printer Ports</a></dt><dt>enumprinters, <a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></dt><dt>environment variables, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>EPM (see ESP meta packager)</dt><dt>Epson Stylus, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>Epson Stylus inkjet, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>equivalence, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>equivalent rights and privileges, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>error message, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="classicalprinting.html#id397066">Running rpcclient with adddriver</a></dt><dt>error messages, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>errors that can afflict, <a href="ClientConfig.html#id351062">Common Errors</a></dt><dt>ESC/P, <a href="CUPS-printing.html#id407391">Driver Execution on the Server</a></dt><dt>ESP, <a href="CUPS-printing.html#id402931">Ghostscript: The Software RIP for Non-PostScript Printers</a></dt><dd><dl><dt>Ghostscript, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>meta packager, <a href="CUPS-printing.html#id408505">CUPS “PostScript Driver for Windows NT/200x/XP”</a></dt><dt>Print Pro, <a href="CUPS-printing.html#id407066">Sources of CUPS Drivers/PPDs</a>, <a href="CUPS-printing.html#id408858">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></dt></dl></dd><dt>ESP Ghostscript, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></dt><dt>established, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>ethereal, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="problems.html#id448378">Tcpdump</a>, <a href="problems.html#id448426">Ethereal</a>, <a href="problems.html#id448565">The Windows Network Monitor</a></dt><dt>Ethernet adapters, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>EUC-JP, <a href="unicode.html#id434469">Japanese Charsets</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>eucJP-ms locale, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>Event Viewer, <a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></dt><dt>Everyone - Full Control, <a href="AccessControls.html#id382742">Access Controls on Shares</a></dt><dt>Everyone group, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>EVMS, <a href="VFS.html#id417753">shadow_copy</a></dt><dt>example1: parameter, <a href="VFS.html#id416413">Discussion</a></dt><dt>example: parameter, <a href="VFS.html#id416413">Discussion</a></dt><dt>examples, <a href="install.html#id326850">Example Configuration</a></dt><dt>examples/LDAP, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>execute, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>existing LDAP DIT, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>expands control abilities, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>expired password, <a href="passdb.html#id363122">Changing User Accounts</a></dt><dt>explicit trust, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>explicitly set, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></dt><dt>exploit opportunities, <a href="PolicyMgmt.html#id424107">Features and Benefits</a></dt><dt>exploitation, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>exported file system, <a href="SambaHA.html#id437009">A Simple Solution</a></dt><dt>exposed, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>extd_audit module, <a href="VFS.html#id417038">extd_audit</a></dt><dt>Extended Attributes, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>extended attributes, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>Extended BSD Printing, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a></dt><dt>extended characters, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>extended protocol, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></dt><dt>extended SAM, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>extra machine, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt></dl></div><div class="indexdiv"><h3>F</h3><dl><dt>fail, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>failed join, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></dt><dt>failed logins, <a href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>failover communication, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>failover process, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>failover servers, <a href="SambaHA.html#id437009">A Simple Solution</a></dt><dt>fails, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>failure, <a href="idmapper.html#id376591">ADS Domains</a></dt><dt>failure semantics, <a href="SambaHA.html#id436958">Required Modifications to Samba</a></dt><dt>fake oplocks, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>fake-permissions module, <a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></dt><dt>fake_permissions, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dt>fake_perms, <a href="VFS.html#fakeperms">fake_perms</a>, <a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></dt><dt>fdisk, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>Federated Identity Management (see FIM)</dt><dt>federated organizations, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>federated-identity, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>Fiber Channel, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>fickle, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a></dt><dt>fid, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>file access permissions, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>File Naming Conventions, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>file ownership, <a href="domain-member.html#id342376">Features and Benefits</a></dt><dt>file serving, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>File System, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dd><dl><dt>case sensitivity, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>feature comparison, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>UNIX, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>Windows, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd><dt>file system capabilities, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>FILE:, <a href="classicalprinting.html#id399581">Samba and Printer Ports</a></dt><dt>filemanager, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a></dt><dt>filename mangling, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>filter, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>Filter Oplock, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>FilterLimit, <a href="CUPS-printing.html#id405664">mime.convs</a></dt><dt>filters, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>FIM, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>firewall, <a href="securing-samba.html#id387214">Introduction</a>, <a href="securing-samba.html#id387645">Using Interface Protection</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>firewall active, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>firewall setups, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>fixed IP address, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>fixed IP addresses, <a href="ClientConfig.html#id348430">TCP/IP Configuration</a></dt><dt>flush local locks, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>flush name cache, <a href="NetworkBrowsing.html#id358308">Flushing the Samba NetBIOS Name Cache</a></dt><dt>foomatic, <a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a>, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a href="CUPS-printing.html#id412624">foomatic-rip and Foomatic Explained</a>, <a href="CUPS-printing.html#id412752">Foomatic's Strange Name</a></dt><dt>Foomatic database, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>Foomatic Printer, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>Foomatic tutorial, <a href="CUPS-printing.html#id412953">The Grand Unification Achieved</a></dt><dt>foomatic-rip, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a>, <a href="CUPS-printing.html#id412624">foomatic-rip and Foomatic Explained</a>, <a href="CUPS-printing.html#id412953">The Grand Unification Achieved</a></dt><dt>Foomatic/cupsomatic, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>force an election, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>force create mode, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id383760">Interaction with the Standard Samba “create mask” Parameters</a>, <a href="AccessControls.html#id384841">MS Word with Samba Changes Owner of File</a></dt><dt>force directory mode, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id383760">Interaction with the Standard Samba “create mask” Parameters</a>, <a href="AccessControls.html#id384841">MS Word with Samba Changes Owner of File</a></dt><dt>force directory security mode, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id383760">Interaction with the Standard Samba “create mask” Parameters</a></dt><dt>force election, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></dt><dt>force group, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="AccessControls.html#id384497">Users Cannot Write to a Public Share</a></dt><dt>force security mode, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id383760">Interaction with the Standard Samba “create mask” Parameters</a></dt><dt>force unknown acl user, <a href="NetCommand.html#id373747">File and Directory Migration</a></dt><dt>force user, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="AccessControls.html#id384805">File Operations Done as root with force user Set</a>, <a href="locking.html#id386022">Beware of Force User</a></dt><dt>forced synchronization, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>foreign domain, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>foreign SID, <a href="winbind.html#id419533">Handling of Foreign SIDs</a></dt><dt>foreign user, <a href="winbind.html#id419533">Handling of Foreign SIDs</a></dt><dt>FQDN, <a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>framing error, <a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>free support, <a href="ch46.html">Samba Support</a>, <a href="ch46.html#id454529">Free Support</a></dt><dt>FreeBSD, <a href="samba-pdc.html#id338784">“$” Cannot Be Included in Machine Name</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>freezing, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>French, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt><dt>front-end virtual server, <a href="SambaHA.html#id436456">The Front-End Challenge</a>, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>frustrating experience, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></dt><dt>FTP, <a href="passdb.html#id360246">Advantages of Non-Encrypted Passwords</a></dt><dt>ftp, <a href="Backup.html#id435788">Rsync</a>, <a href="compiling.html#id450289">Accessing the Samba Sources via rsync and ftp</a></dt><dt>ftp access, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>ftp service, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>ftp services, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>ftpd, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>full rights, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>functional components, <a href="bugreport.html#id449471">Debugging-Specific Operations</a></dt><dt>functionality, <a href="NT4Migration.html#id442769">Objectives</a></dt></dl></div><div class="indexdiv"><h3>G</h3><dl><dt>gateway address, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>gcc, <a href="problems.html#id448137">Debugging with Samba Itself</a>, <a href="Portability.html#id451523">HPUX</a></dt><dt>gdb, <a href="problems.html#id448137">Debugging with Samba Itself</a>, <a href="bugreport.html#id449670">Internal Errors</a>, <a href="bugreport.html#id449791">Attaching to a Running Process</a></dt><dt>GDI, <a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a>, <a href="CUPS-printing.html#id407268">From Windows Clients to an NT Print Server</a>, <a href="CUPS-printing.html#id407391">Driver Execution on the Server</a></dt><dt>general security service application programming interface (see GSSAPI)</dt><dt>generic PostScript, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>generic raster, <a href="CUPS-printing.html#id404588">pstoraster</a></dt><dt>generic raster format, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></dt><dt>genlogon.pl, <a href="AdvancedNetworkManagement.html#id423774">Network Logon Script Magic</a></dt><dt>Gentoo, <a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>Germany, <a href="SambaHA.html#id436191">Technical Discussion</a></dt><dt>get, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>getdriver, <a href="classicalprinting.html#id396246">Identifying Driver Files</a>, <a href="classicalprinting.html#id396743">Installing Driver Files into [print$]</a></dt><dt>getdriverdir, <a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></dt><dt>getent, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>getent group demo, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>gethostbyname() function call, <a href="NetworkBrowsing.html#id356676">Name Resolution Order</a></dt><dt>getpwnam, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>getpwnam() call, <a href="upgrading-to-3.0.html#id441782">Changes in Behavior</a></dt><dt>GetSID.exe, <a href="ProfileMgmt.html#id427998">Get SID</a></dt><dt>GhostScript, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a href="CUPS-printing.html#id402931">Ghostscript: The Software RIP for Non-PostScript Printers</a></dt><dd><dl><dt>(see also PostScript)</dt></dl></dd><dt>Ghostscript, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dd><dl><dt>ESP (see ESP + GhostScript)</dt></dl></dd><dt>GID, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="ChangeNotes.html#id351743">Passdb Changes</a>, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id419533">Handling of Foreign SIDs</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>GID numbers, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>GID range, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>GIF, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>Gimp-Print, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a>, <a href="CUPS-printing.html#id413062">Driver Development Outside</a></dt><dt>global print command, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>global right, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>global section, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>Global support, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>global-level, <a href="classicalprinting.html#id391335">Printing-Related Configuration Parameters</a></dt><dt>GNOME, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>GNU Ghostscript, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id404588">pstoraster</a></dt><dt>GNU GPL, <a href="Backup.html#id435626">BackupPC</a></dt><dt>GNU tar, <a href="Backup.html#id435949">Amanda</a></dt><dt>GNU/Linux, <a href="VFS.html#id416413">Discussion</a></dt><dt>GPG, <a href="compiling.html#id450357">Verifying Samba's PGP Signature</a></dt><dt>GPL, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>gpolmig.exe, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a></dt><dt>GPOs, <a href="PolicyMgmt.html#id424107">Features and Benefits</a>, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a>, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a>, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a>, <a href="PolicyMgmt.html#id425500">System Startup and Logon Processing Overview</a>, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></dt><dt>grace time, <a href="passdb.html#id363122">Changing User Accounts</a></dt><dt>grant rights, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>graphical objects, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>graphically illustrated client configuration, <a href="ClientConfig.html#id348335">Features and Benefits</a></dt><dt>grayscale, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>greater scalability, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>greatest mistake, <a href="StandAloneServer.html#id348271">Common Errors</a></dt><dt>grep, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>group, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dd><dl><dt>account, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dt>mapping, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt></dl></dd><dt>group account, <a href="groupmapping.html#id368424">Important Administrative Information</a>, <a href="idmapper.html#id376159">Backup Domain Controller</a></dt><dt>group accounts, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a>, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="groupmapping.html#id367843">Warning: User Private Group Problems</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>group management, <a href="NetCommand.html#id370067">Overview</a>, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dt>group mapping, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>group mappings, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="groupmapping.html#id367144">Features and Benefits</a></dt><dt>group membership, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>group ownership, <a href="winbind.html#id418954">Features and Benefits</a></dt><dt>group permissions, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>Group Policies, <a href="PolicyMgmt.html#id424107">Features and Benefits</a></dt><dt>group policies, <a href="PolicyMgmt.html#id424107">Features and Benefits</a></dt><dt>group policy, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dt>Group Policy, <a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a></dt><dt>Group Policy Container (see GPC)</dt><dt>Group Policy Editor, <a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a>, <a href="PolicyMgmt.html#id425400">Windows NT4/200x</a>, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>Group Policy Objects, <a href="NT4Migration.html#id442769">Objectives</a> (see GPO)</dt><dt>group policy objects (see GPOs)</dt><dt>Group Policy Template (see GPT)</dt><dt>group privileges, <a href="groupmapping.html#id367529">Discussion</a></dt><dt>group profiles, <a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></dt><dt>group SID, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>groupadd, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="groupmapping.html#id369332">Sample smb.conf Add Group Script</a>, <a href="groupmapping.html#id369618">Adding Groups Fails</a></dt><dt>groupadd limitations, <a href="groupmapping.html#id369332">Sample smb.conf Add Group Script</a></dt><dt>groupdel, <a href="groupmapping.html#id367144">Features and Benefits</a></dt><dt>groupmap, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>groupmod, <a href="groupmapping.html#id367144">Features and Benefits</a></dt><dt>grouppol.inf, <a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a></dt><dt>groups, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a>, <a href="PolicyMgmt.html#id424107">Features and Benefits</a></dt><dd><dl><dt>domain, <a href="groupmapping.html#id367529">Discussion</a></dt><dt>mapping, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>nested, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt></dl></dd><dt>groups of users, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>growing, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>GSSAPI, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>gtklp, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>guest, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>guest account, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="NetworkBrowsing.html#id358373">Server Resources Cannot Be Listed</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id394436">Custom Print Commands</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>guest ok, <a href="install.html#id326850">Example Configuration</a>, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="samba-pdc.html#id338061">Example Configuration</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a>, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>guest only, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>GUI, <a href="CUPS-printing.html#id400581">Overview</a></dt></dl></div><div class="indexdiv"><h3>H</h3><dl><dt>h-node, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>harvesting password hashes, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>hashed password equivalent, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>headers files, <a href="domain-member.html#id346082">Possible Errors</a></dt><dt>Heimdal, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>Heimdal kerberos, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>help, <a href="ch46.html#id454529">Free Support</a></dt><dt>help command, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>heterogeneous computing, <a href="winbind.html#id418954">Features and Benefits</a></dt><dt>HEX, <a href="unicode.html#id434469">Japanese Charsets</a></dt><dt>hi-res photo, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>hide dot files, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>hide files, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>hide unreadable, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a></dt><dt>hide unwriteable files, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a></dt><dt>high availability, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>high order ports, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>high-availability, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>high-availability services, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>high-speed server interconnect, <a href="SambaHA.html#id437009">A Simple Solution</a></dt><dt>higher availability, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>HKEY_CURRENT_USER, <a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a></dt><dt>HKEY_LOCAL_MACHINE, <a href="PolicyMgmt.html#id424667">Registry Spoiling</a></dt><dt>holy grail, <a href="winbind.html#id418954">Features and Benefits</a></dt><dt>home directories, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>home directory, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>home directory template, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>home drive, <a href="samba-bdc.html#id340141">Example PDC Configuration</a></dt><dt>host msdfs, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>host multiple servers, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>host security, <a href="securing-samba.html#id387302">Features and Benefits</a></dt><dt>host-based protection, <a href="securing-samba.html#id387302">Features and Benefits</a></dt><dt>hostname, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>hosts allow, <a href="securing-samba.html#id387449">Using Host-Based Protection</a>, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>hosts deny, <a href="securing-samba.html#id387449">Using Host-Based Protection</a>, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>house-keeping, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>HOWTO documents, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>HP JetDirect, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>HP Photosmart, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>HP-GL, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>HP-GL., <a href="CUPS-printing.html#id404252">Prefilters</a></dt><dt>hpgltops, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></dt><dt>HPIJS, <a href="CUPS-printing.html#id413062">Driver Development Outside</a></dt><dt>HPUX, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>http, <a href="Backup.html#id435788">Rsync</a></dt><dt>hybrid, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>Hybrid node, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt></dl></div><div class="indexdiv"><h3>I</h3><dl><dt>IANA, <a href="CUPS-printing.html#id404588">pstoraster</a></dt><dt>ID mapping, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>ID mapping database, <a href="winbind.html#id420167">User and Group ID Allocation</a></dt><dt>ID range, <a href="groupmapping.html#id367144">Features and Benefits</a></dt><dt>IDEALX, <a href="passdb.html#id364485">ldapsam</a></dt><dt>Identification, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>identify, <a href="idmapper.html#id376591">ADS Domains</a></dt><dt>identity, <a href="idmapper.html#id374992">Standalone Samba Server</a></dt><dt>identity information, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>identity management, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt>centralized, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt></dl></dd><dt>identity resolution, <a href="winbind.html#id418954">Features and Benefits</a></dt><dt>IDMAP, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id374992">Standalone Samba Server</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></dt><dt>idmap, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>idmap backend, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="upgrading-to-3.0.html#id442574">IdMap LDAP Support</a></dt><dt>IDMAP backend, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>idmap gid, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id421104">Configure smb.conf</a>, <a href="winbind.html#id422905">Winbind Is Not Resolving Users and Groups</a>, <a href="pam.html#id432358">Winbind Is Not Resolving Users and Groups</a>, <a href="upgrading-to-3.0.html#id442574">IdMap LDAP Support</a></dt><dt>idmap GID, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>IDMAP infrastructure, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>idmap uid, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id421104">Configure smb.conf</a>, <a href="winbind.html#id422905">Winbind Is Not Resolving Users and Groups</a>, <a href="pam.html#id432358">Winbind Is Not Resolving Users and Groups</a>, <a href="upgrading-to-3.0.html#id442574">IdMap LDAP Support</a></dt><dt>idmap UID, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>idmap_ad, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>idmap_ldap module, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>idmap_rid, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></dt><dt>IETF, <a href="CUPS-printing.html#id400581">Overview</a></dt><dt>ifconfig, <a href="compiling.html#id450957">Starting from inetd.conf</a>, <a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>ignore connection, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>imagetoraster, <a href="CUPS-printing.html#id404838">imagetops and imagetoraster</a></dt><dt>immutible, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>impersonate, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>implementing oplocks, <a href="locking.html#id386096">Advanced Samba Oplocks Parameters</a></dt><dt>Implicit Classes, <a href="CUPS-printing.html#id416081">Print Queue Called “lp” Mishandles Print Jobs</a></dt><dt>important announcements, <a href="securing-samba.html#id388158">Upgrading Samba</a></dt><dt>Imprints, <a href="classicalprinting.html#id399708">The Imprints Toolset</a></dt><dt>imprints, <a href="CUPS-printing.html#id402147">Driver Upload Methods</a></dt><dt>include, <a href="cfgsmarts.html">Advanced Configuration Techniques</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="bugreport.html#dbglvl">Debug Levels</a></dt><dt>independent, <a href="StandAloneServer.html#id347134">Background</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>individual domain user, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>individual section, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>inetd, <a href="SWAT.html#id444749">Validate SWAT Installation</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="compiling.html#startingSamba">Starting the smbd nmbd and winbindd</a>, <a href="compiling.html#id450957">Starting from inetd.conf</a></dt><dt>inetd.conf, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>inetorgperson.schema, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>inf file, <a href="classicalprinting.html#id396246">Identifying Driver Files</a></dt><dt>infrastructure, <a href="passdb.html#id360825">Comments Regarding LDAP</a>, <a href="winbind.html#id419494">Target Uses</a></dt><dt>inheritance, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>inherits rights, <a href="groupmapping.html#id367529">Discussion</a></dt><dt>initdb.ldif, <a href="FastStart.html#id331703">The Primary Domain Controller</a></dt><dt>initGroups.sh, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="groupmapping.html#id369493">Script to Configure Group Mapping</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a></dt><dt>inktype, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>insecure, <a href="StandAloneServer.html#id347049">Features and Benefits</a>, <a href="securing-samba.html#id387449">Using Host-Based Protection</a></dt><dt>inspire simplicity, <a href="StandAloneServer.html#id347312">Example Configuration</a></dt><dt>inspired structure, <a href="SambaHA.html#id436191">Technical Discussion</a></dt><dt>install drivers, <a href="classicalprinting.html#id390934">Features and Benefits</a>, <a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a></dt><dt>interactive help, <a href="ch46.html#id454529">Free Support</a></dt><dt>interdomain</dt><dd><dl><dt>trust</dt><dd><dl><dt>account, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt></dl></dd><dt>trustrs, <a href="ServerType.html#id332909">Features and Benefits</a></dt></dl></dd><dt>interdomain connection, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></dt><dt>interdomain trust, <a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a>, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>interdomain trust accounts, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>interdomain trusts, <a href="NetCommand.html#id370067">Overview</a>, <a href="InterdomainTrusts.html#id388758">Features and Benefits</a></dt><dt>Interdomain Trusts, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dd><dl><dt>Completing, <a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a></dt><dt>creating, <a href="InterdomainTrusts.html#id389083">Native MS Windows NT4 Trusts Configuration</a></dt><dt>Facilities, <a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></dt></dl></dd><dt>interface, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>interface scripts, <a href="passdb.html#id362637">User Account Management</a></dt><dt>interface-based exclusion, <a href="securing-samba.html#id387302">Features and Benefits</a></dt><dt>interfaces, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a>, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="securing-samba.html#id387645">Using Interface Protection</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="compiling.html#id450957">Starting from inetd.conf</a></dt><dt>intermediate information, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>intermediate tools, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>internal ordering, <a href="SWAT.html#id444620">Features and Benefits</a></dt><dt>internationalization support, <a href="SWAT.html#id444732">Guidelines and Technical Tips</a></dt><dt>Internet, <a href="securing-samba.html#id387449">Using Host-Based Protection</a>, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>Internet Engineering Task Force (see IETF)</dt><dt>Internet Printing Protocol (see IPP)</dt><dt>Internet Protocol TCP/IP, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>Internetworking Packet Exchange (see IPX)</dt><dt>internetworking super daemon, <a href="SWAT.html#id444620">Features and Benefits</a></dt><dt>interoperability, <a href="ServerType.html#id332909">Features and Benefits</a>, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="SambaHA.html#id436764">Restrictive Constraints on Distributed File Systems</a></dt><dt>intolerance, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>invalid shell, <a href="ServerType.html#id333890">Example Configuration</a></dt><dt>invalid users, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>IP address, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>IP address automatically, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>IP addresses, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a></dt><dt>IP aliases, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>IPC$, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></dt><dt>IPC$ connections, <a href="SambaHA.html#id436456">The Front-End Challenge</a></dt><dt>ipchains, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>ipconfig, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a></dt><dt>iPlanet, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>IPP, <a href="CUPS-printing.html#id409621">Understanding cupsaddsmb</a></dt><dt>IPP client, <a href="CUPS-printing.html#id415530">Administrator Cannot Install Printers for All Local Users</a></dt><dt>iptables, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>IPX, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></dt><dt>IRC, <a href="ch46.html#id454529">Free Support</a></dt><dt>IRIX, <a href="VFS.html#id416413">Discussion</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>ISC</dt><dd><dl><dt>DHCP, <a href="DNSDHCP.html#id454865">Features and Benefits</a></dt><dt>DNS, <a href="DNSDHCP.html#id454865">Features and Benefits</a></dt></dl></dd><dt>ISC DHCP server, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>isolated workgroup, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>IXFR, <a href="integrate-ms-networks.html#id432576">Background Information</a></dt></dl></div><div class="indexdiv"><h3>J</h3><dl><dt>Japanese, <a href="unicode.html#id434469">Japanese Charsets</a>, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt><dt>Japanese locale, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>Japanese UNIX, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>Java, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>JIS X 0208, <a href="unicode.html#id434469">Japanese Charsets</a></dt><dt>join, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a></dt><dt>join client, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>join domain, <a href="samba-pdc.html#id338878">Joining Domain Fails Because of Existing Machine Account</a></dt><dt>join the ADS domain, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>join the domain, <a href="domain-member.html#domain-member-server">Domain Member Server</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>join the machine, <a href="domain-member.html#id343945">Windows NT4 Client</a></dt><dt>joined client, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Joined domain, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>joining domain, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>joining the domain, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>JPEG, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt></dl></div><div class="indexdiv"><h3>K</h3><dl><dt>KB 129202, <a href="locking.html#id387048">Additional Reading</a></dt><dt>KB 224992, <a href="locking.html#id387048">Additional Reading</a></dt><dt>KB 296264, <a href="locking.html#id387048">Additional Reading</a></dt><dt>KB 811492, <a href="locking.html#id387019">Long Delays Deleting Files over Network with XP SP1</a></dt><dt>KB 812937, <a href="locking.html#id386996">Problems Saving Files in MS Office on Windows XP</a></dt><dt>KDC, <a href="domain-member.html#ads-member">Samba ADS Domain Membership</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>KDE, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>KDE konqueror, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>KDE session, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>KDEPrint, <a href="CUPS-printing.html#id400581">Overview</a></dt><dt>kerberos, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="idmapper.html#id376591">ADS Domains</a></dt><dt>Kerberos, <a href="domain-member.html#ads-member">Samba ADS Domain Membership</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#id346082">Possible Errors</a>, <a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="winbind.html#id419770">Microsoft Active Directory Services</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a></dt><dd><dl><dt>/etc/krb5.conf, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt></dl></dd><dt>Kerberos authentication, <a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt>kernel oplocks, <a href="locking.html#id386378">Disabling Kernel Oplocks</a></dt><dt>killall, <a href="compiling.html#id450957">Starting from inetd.conf</a></dt><dt>kinit, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a href="domain-member.html#id346082">Possible Errors</a></dt><dt>kixstart, <a href="NT4Migration.html#id443491">Logon Scripts</a></dt><dt>kprinter, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>KRB, <a href="idmapper.html#id376591">ADS Domains</a></dt><dt>KRB5, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>krb5.conf, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt></dl></div><div class="indexdiv"><h3>L</h3><dl><dt>LAN, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a>, <a href="SambaHA.html#id437081">High-Availability Server Products</a>, <a href="problems.html#id448088">Diagnostics Tools</a></dt><dt>LanMan, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-bdc.html#id339696">Essential Background Information</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>LanMan logon service, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a></dt><dt>LanMan passwords, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></dt><dt>LanManager, <a href="ServerType.html#id333359">User Level Security</a>, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>LanManager-compatible, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></dt><dt>LanManger password, <a href="passdb.html#id362746">Listing User and Machine Accounts</a></dt><dt>laptops, <a href="Backup.html#id435626">BackupPC</a></dt><dt>large directory, <a href="largefile.html">Handling Large Directories</a></dt><dt>large domain, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></dt><dt>large numbers of files, <a href="largefile.html">Handling Large Directories</a></dt><dt>large organizations, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>last change time, <a href="passdb.html#id362746">Listing User and Machine Accounts</a></dt><dt>latency, <a href="locking.html#id385895">Slow and/or Unreliable Networks</a></dt><dt>laws, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>LCT (see last change time)</dt><dt>LDAP, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a>, <a href="samba-bdc.html#id342144">Can I Do This All with LDAP?</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="domain-member.html#domain-member-server">Domain Member Server</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a>, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#id364485">ldapsam</a>, <a href="passdb.html#id364716">Supported LDAP Servers</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id365225">Initialize the LDAP Database</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376159">Backup Domain Controller</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="InterdomainTrusts.html#id388758">Features and Benefits</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a href="winbind.html#id419770">Microsoft Active Directory Services</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a>, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dd><dl><dt>directories, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>master, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt><dt>server, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt><dt>slave, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt></dl></dd><dt>ldap admin dn, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>LDAP administration password, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></dt><dt>LDAP administrative password, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>LDAP backend, <a href="StandAloneServer.html#id347134">Background</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></dt><dt>LDAP backends, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>LDAP database, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#id365225">Initialize the LDAP Database</a>, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>ldap delete dn, <a href="passdb.html#id365392">Configuring Samba</a></dt><dt>LDAP deployment, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>LDAP directory, <a href="passdb.html#id360825">Comments Regarding LDAP</a>, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a href="passdb.html#id364485">ldapsam</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>ldap filter, <a href="passdb.html#id365392">Configuring Samba</a></dt><dt>ldap group suffix, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a>, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a></dt><dt>LDAP idmap Backend, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>ldap idmap suffix, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a>, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a>, <a href="upgrading-to-3.0.html#id442574">IdMap LDAP Support</a></dt><dt>ldap machine suffix, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a></dt><dt>ldap page size, <a href="passdb.html#id365392">Configuring Samba</a></dt><dt>ldap passwd sync, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="passdb.html#id366686">Password Synchronization</a></dt><dt>LDAP queries, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a></dt><dt>LDAP redirects, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>ldap replication sleep, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="passdb.html#id365392">Configuring Samba</a></dt><dt>LDAP schema, <a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a></dt><dt>LDAP server, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>ldap ssl, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>ldap suffix, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a>, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a></dt><dt>ldap timeout, <a href="passdb.html#id365392">Configuring Samba</a></dt><dt>ldap user suffix, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a></dt><dt>LDAP-based, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>LDAP., <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></dt><dt>LDAP/Kerberos, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>LDAPS, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>ldapsam, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="passdb.html#id364485">ldapsam</a>, <a href="passdb.html#id364716">Supported LDAP Servers</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a>, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>ldapsam_compat, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>ldapsearch, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>LDAPv3, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>ldconfig, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>ldd, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></dt><dt>LDIF, <a href="passdb.html#id365225">Initialize the LDAP Database</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>LDIF file, <a href="passdb.html#id365225">Initialize the LDAP Database</a></dt><dt>legacy systems, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>legal UNIX system account name, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>Level1 Oplock, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>Level1 oplock, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>Level2 Oplock, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>level2 oplocks, <a href="locking.html#id386284">Disabling Oplocks</a></dt><dt>LGPL, <a href="passdb.html#id364485">ldapsam</a></dt><dt>libcups, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a>, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></dt><dt>libcups.so, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></dt><dt>libcups.so.2, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></dt><dt>Liberty Alliance, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>libiconv, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>libnss_winbind, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>libnss_winbind.so, <a href="winbind.html#id419814">Name Service Switch</a>, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>libnss_wins.so, <a href="integrate-ms-networks.html#id433004">/etc/nsswitch.conf</a></dt><dt>libraries, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>licensing, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>limitations, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>linewidth, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>link loader configuration, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>Links</dt><dd><dl><dt>hard, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>soft, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd><dt>Linux, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>Linux High Availability project, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>Linux LVM, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>Linux LVM partition, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>LinuxKongress2002, <a href="CUPS-printing.html#id412953">The Grand Unification Achieved</a></dt><dt>Linuxprinting.org, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a>, <a href="CUPS-printing.html#id413062">Driver Development Outside</a></dt><dt>list of domain controllers, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>listen for connections, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>listen own socket, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>LLC, <a href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a></dt><dt>lm announce, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>lm interval, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>LM/NT password hashes, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>LMB, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id355674">Use of the Remote Browse Sync Parameter</a>, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a> (see Local Master Browser)</dt><dt>LMHOSTS, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="integrate-ms-networks.html#id433586">The LMHOSTS File</a></dt><dt>lmhosts, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></dt><dt>load balancing, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>load printers, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a></dt><dt>loaded modules, <a href="VFS.html#id416378">Features and Benefits</a></dt><dt>loading printer drivers, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a></dt><dt>local</dt><dd><dl><dt>groups, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dt>master</dt><dd><dl><dt>browser, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a></dt></dl></dd></dl></dd><dt>local access permissions, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>local accounts, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>local administrative privileges, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>Local Area Connection, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>Local Area Connection Properties, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>local authentication, <a href="StandAloneServer.html#id347134">Background</a></dt><dt>local authentication database, <a href="StandAloneServer.html#id347134">Background</a></dt><dt>local cache, <a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></dt><dt>local disk, <a href="Backup.html#id435626">BackupPC</a></dt><dt>local domain, <a href="winbind.html#id419533">Handling of Foreign SIDs</a></dt><dt>local group, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>local groups, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>Local Machine Trust Account, <a href="samba-bdc.html#id341947">Machine Accounts Keep Expiring</a></dt><dt>local master, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a></dt><dt>Local Master Browser, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#id355550">Use of the Remote Announce Parameter</a></dt><dt>local master browser (see LMB)</dt><dt>local names, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>local print driver, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></dt><dt>local profile, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>local profiles, <a href="ProfileMgmt.html#id425731">Features and Benefits</a></dt><dt>local registry values, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></dt><dt>Local security policies, <a href="CUPS-printing.html#id415499">Windows 200x/XP Local Security Policies</a></dt><dt>local smbpasswd file, <a href="StandAloneServer.html#id347134">Background</a></dt><dt>local spool area, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>local subnet, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>local system printing, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>local UNIX groups, <a href="NetCommand.html#id370067">Overview</a></dt><dt>local user, <a href="idmapper.html#id374992">Standalone Samba Server</a>, <a href="winbind.html#id422168">Restarting</a></dt><dt>local user account, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>local users, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>locale, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt><dt>localhost, <a href="securing-samba.html#id387449">Using Host-Based Protection</a></dt><dt>locally known UID, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>locate domain controller, <a href="samba-bdc.html#id340853">How Does a Workstation find its Domain Controller?</a></dt><dt>Lock caching, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>lock directory, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>lock password, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>lock the account, <a href="passdb.html#id363122">Changing User Accounts</a></dt><dt>locking, <a href="locking.html">File and Record Locking</a>, <a href="locking.html#id385057">Features and Benefits</a>, <a href="locking.html#id385144">Discussion</a>, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>locking protocol, <a href="locking.html#id385057">Features and Benefits</a></dt><dt>locking semantics, <a href="locking.html#id385057">Features and Benefits</a>, <a href="locking.html#id385144">Discussion</a></dt><dt>locking.tdb, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>lockout, <a href="ServerType.html#id334489">Example Configuration</a></dt><dt>log file, <a href="VFS.html#id417186">Configuration of Auditing</a>, <a href="bugreport.html#dbglvl">Debug Levels</a>, <a href="bugreport.html#id449471">Debugging-Specific Operations</a></dt><dt>log files, <a href="diagnosis.html#id446194">Assumptions</a></dt><dd><dl><dt>monitoring, <a href="diagnosis.html#id446194">Assumptions</a></dt></dl></dd><dt>log level, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a>, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="VFS.html#id417038">extd_audit</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="problems.html#id448137">Debugging with Samba Itself</a>, <a href="bugreport.html#dbglvl">Debug Levels</a>, <a href="bugreport.html#id449471">Debugging-Specific Operations</a></dt><dt>log.nmbd, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>logging, <a href="VFS.html#id417186">Configuration of Auditing</a>, <a href="bugreport.html#id449471">Debugging-Specific Operations</a></dt><dt>logical directories, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>Logical Link Control (see LLC)</dt><dt>logical volume, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>Logical Volume Manager (see LVM)</dt><dt>Login, <a href="passdb.html#id360246">Advantages of Non-Encrypted Passwords</a></dt><dt>login, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>login id, <a href="passdb.html#id362746">Listing User and Machine Accounts</a></dt><dt>login name, <a href="install.html#id326850">Example Configuration</a></dt><dt>login shells, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>LoginID, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>logon, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt><dt>logon authentication, <a href="samba-bdc.html#id340956">NetBIOS Over TCP/IP Disabled</a></dt><dt>logon drive, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="ProfileMgmt.html#id427016">Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id429610">Changing the Default Profile</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>logon home, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a>, <a href="ProfileMgmt.html#id425965">Windows 9x/Me User Profiles</a>, <a href="ProfileMgmt.html#id426108">Mixed Windows Windows 9x/Me and NT4/200x User Profiles</a>, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a>, <a href="ProfileMgmt.html#id427016">Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></dt><dt>logon name, <a href="NetCommand.html#id372102">User Mapping</a></dt><dt>logon path, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a>, <a href="ProfileMgmt.html#id425832">NT4/200x User Profiles</a>, <a href="ProfileMgmt.html#id426108">Mixed Windows Windows 9x/Me and NT4/200x User Profiles</a>, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="ProfileMgmt.html#id427016">Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a>, <a href="ProfileMgmt.html#id429610">Changing the Default Profile</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>logon processing, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dt>logon requests, <a href="samba-bdc.html#id339696">Essential Background Information</a>, <a href="samba-bdc.html#id340905">NetBIOS Over TCP/IP Enabled</a>, <a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></dt><dt>logon script, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>Logon Scripts, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>Logon scripts, <a href="NT4Migration.html#id443491">Logon Scripts</a></dt><dt>logon server, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a></dt><dt>logons, <a href="ProfileMgmt.html#id425832">NT4/200x User Profiles</a></dt><dt>lookups, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>loopback adapter, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>loopback interface, <a href="securing-samba.html#id387645">Using Interface Protection</a>, <a href="Portability.html#id451779">Red Hat Linux</a></dt><dt>lower-case, <a href="ServerType.html#id333359">User Level Security</a></dt><dt>lowercase filenames, <a href="largefile.html">Handling Large Directories</a></dt><dt>lp, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a>, <a href="CUPS-printing.html#id416081">Print Queue Called “lp” Mishandles Print Jobs</a></dt><dt>lpadmin, <a href="CUPS-printing.html#id405726">“Raw” Printing</a>, <a href="CUPS-printing.html#id407175">Printing with Interface Scripts</a>, <a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a>, <a href="CUPS-printing.html#id413781">Setting Up Quotas</a></dt><dt>LPD, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>lpinfo, <a href="CUPS-printing.html#id405130">CUPS Backends</a></dt><dt>lppause command, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="CUPS-printing.html#id414575">Preconditions</a></dt><dt>lpq cache time, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>lpq command, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id414575">Preconditions</a></dt><dt>lpresume command, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id414575">Preconditions</a></dt><dt>lprm command, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id414575">Preconditions</a></dt><dt>LPRNG, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>lpstat, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a></dt><dt>LPT1:, <a href="classicalprinting.html#id399581">Samba and Printer Ports</a></dt><dt>LsaEnumTrustedDomains, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>LTSP, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>Lustre, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>lvcreate, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>LVM, <a href="VFS.html#id417753">shadow_copy</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>LVM snapshots, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>LVM volume, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>lvm10 package, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt></dl></div><div class="indexdiv"><h3>M</h3><dl><dt>m-node, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>MAC address, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a></dt><dt>MAC Addresses, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a></dt><dt>Mac OS X , <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>machine, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></dt><dd><dl><dt>account, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt></dl></dd><dt>machine account, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a href="passdb.html#id364340">tdbsam</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>machine account password</dt><dd><dl><dt>change protocol, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt></dl></dd><dt>machine accounts, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#acctmgmttools">Account Management Tools</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>machine accounts database, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>machine authentication, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>machine name, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></dt><dt>Machine Policy Objects, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>machine SID, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>machine trust account, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="domain-member.html">Domain Membership</a>, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a href="domain-member.html#id346656">Cannot Add Machine Back to Domain</a></dt><dd><dl><dt>create privilege, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a></dt><dt>creation, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>password, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt></dl></dd><dt>Machine Trust Account, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id343945">Windows NT4 Client</a></dt><dd><dl><dt>creation, <a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt>password, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>UNIX account, <a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a></dt></dl></dd><dt>Machine Trust Accounts, <a href="samba-bdc.html#id341947">Machine Accounts Keep Expiring</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt>creating, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt></dl></dd><dt>machine trust accounts, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a>, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="domain-member.html#id346622">Common Errors</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>machine_name, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>machine_nickname, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>Macintosh, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>macros, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>mail, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>mailing list, <a href="ch46.html#id454529">Free Support</a></dt><dt>mailing lists, <a href="ch46.html#id454529">Free Support</a></dt><dt>maintaining ids, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>major changes, <a href="upgrading-to-3.0.html#id441421">New Functionality</a></dt><dt>make, <a href="integrate-ms-networks.html#id433004">/etc/nsswitch.conf</a>, <a href="compiling.html#id450486">Building the Binaries</a></dt><dt>man, <a href="SWAT.html#id444620">Features and Benefits</a></dt><dt>man page, <a href="winbind.html#id421104">Configure smb.conf</a></dt><dt>man pages, <a href="NetCommand.html#id370067">Overview</a></dt><dt>man-in-the-middle, <a href="rights.html">User Rights and Privileges</a></dt><dt>manage accounts, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>manage drivers, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>manage groups, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>manage printers, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>manage privileges, <a href="rights.html#id378765">Rights Management Capabilities</a></dt><dt>manage roaming profiles, <a href="ProfileMgmt.html#id425731">Features and Benefits</a></dt><dt>manage share permissions, <a href="AccessControls.html#id382888">Windows NT4 Workstation/Server</a></dt><dt>manage share-level ACL, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>manage shares, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>manage users, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>manageability, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>Manageability, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>managed by humans, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>management bottleneck, <a href="locking.html#id385935">Multiuser Databases</a></dt><dt>management costs, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>management overheads, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>management procedures, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>management tools, <a href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>managing rights, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>mandatory profiles, <a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></dt><dt>Mandrake, <a href="CUPS-printing.html#id413155">Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</a></dt><dt>Mandriva, <a href="CUPS-printing.html#id413155">Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</a></dt><dt>manual UNIX account creation, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>manual WINS server entries, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>manually configured, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>manually configured DNS settings, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>map, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="NT4Migration.html#id443588">User and Group Accounts</a></dt><dt>map to guest, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a>, <a href="CUPS-printing.html#id415282">New Account Reconnection from Windows 200x/XP Troubles</a>, <a href="CUPS-printing.html#id415360">Avoid Being Connected to the Samba Server as the Wrong User</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>mapped, <a href="groupmapping.html#id368424">Important Administrative Information</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>mapping, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>mapping home directory, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></dt><dt>mapping printer driver, <a href="classicalprinting.html#id397583">Running rpcclient with setdriver</a></dt><dt>mappings, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>maps UNIX users and groups, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>master browser, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>master browsers, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>master server, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>master smb.conf, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>MasterAnnouncement, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>match case, <a href="largefile.html">Handling Large Directories</a></dt><dt>max log size, <a href="VFS.html#id417186">Configuration of Auditing</a>, <a href="bugreport.html#id449471">Debugging-Specific Operations</a></dt><dt>max print jobs, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>max xmit, <a href="speed.html#id453095">Max Xmit</a></dt><dt>maximum value, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>mbd kept spawning, <a href="speed.html#id453354">Corrupt tdb Files</a></dt><dt>Meccano set, <a href="Backup.html#id435539">Discussion of Backup Solutions</a></dt><dt>mechanism, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>media type, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>member, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>member machine, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>memory, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>messages.tdb, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>messaging systems, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>Meta node, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>meta-directory, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>meta-service, <a href="install.html#id325753">Configuration File Syntax</a></dt><dt>meta-services, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>Microsoft Active Directory, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>Microsoft Developer Network CDs, <a href="problems.html#id448565">The Windows Network Monitor</a></dt><dt>Microsoft driver, <a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a></dt><dt>Microsoft management console (see MMC)</dt><dt>Microsoft Remote Procedure Call (see MSRPC)</dt><dt>Microsoft Windows 9x/Me, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>Microsoft Wolfpack, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>middle-ware, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>migrate, <a href="ServerType.html">Server Types and Security Modes</a>, <a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dt>migrate account settings, <a href="NT4Migration.html#id443588">User and Group Accounts</a></dt><dt>migrate group, <a href="NT4Migration.html#id443588">User and Group Accounts</a></dt><dt>migrate user, <a href="NT4Migration.html#id443588">User and Group Accounts</a></dt><dt>migrating, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>migration, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>migration plan, <a href="NT4Migration.html#id442739">Planning and Getting Started</a></dt><dt>migration process, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>MIME, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a>, <a href="CUPS-printing.html#id404104">Filtering Overview</a>, <a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></dt><dd><dl><dt>filters, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>raw, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="CUPS-printing.html#cups-raw">Explicitly Enable “raw” Printing for application/octet-stream</a></dt></dl></dd><dt>MIME conversion rules, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></dt><dt>MIME recognition, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></dt><dt>MIME type, <a href="CUPS-printing.html#cups-raw">Explicitly Enable “raw” Printing for application/octet-stream</a>, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></dt><dt>mime.types, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>minimal</dt><dd><dl><dt>configuration, <a href="install.html#id325753">Configuration File Syntax</a></dt></dl></dd><dt>minimal configuration, <a href="install.html#id325753">Configuration File Syntax</a></dt><dt>minimum security control, <a href="StandAloneServer.html">Standalone Servers</a></dt><dt>misconfigurations, <a href="install.html#id327100">Test Your Config File with testparm</a></dt><dt>misconfigured settings, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>misinformation, <a href="domain-member.html">Domain Membership</a></dt><dt>mission-critical, <a href="locking.html#id385372">Opportunistic Locking Overview</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>MIT, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="idmapper.html#id376591">ADS Domains</a></dt><dt>MIT kerberos, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>MIT Kerberos, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>mixed mode, <a href="ServerType.html#id334182">ADS Security Mode (User-Level Security)</a>, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>mixed profile, <a href="ProfileMgmt.html#id426108">Mixed Windows Windows 9x/Me and NT4/200x User Profiles</a></dt><dt>mkdir, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>mkfs.xfs, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>MMC, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="AccessControls.html#id382742">Access Controls on Shares</a>, <a href="AccessControls.html#id382986">Windows 200x/XP</a>, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id425400">Windows NT4/200x</a>, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a></dt><dt>MMC snap-in, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a></dt><dt>modem/ISDN, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>moderately secure, <a href="securing-samba.html#id387302">Features and Benefits</a></dt><dt>modprobe, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>module, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>modules, <a href="VFS.html#id416378">Features and Benefits</a>, <a href="VFS.html#id416413">Discussion</a></dt><dt>more than one protocol, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></dt><dt>mount, <a href="ServerType.html#id333519">Share-Level Security</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>mouse-over, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>moveuser.exe, <a href="ProfileMgmt.html#id427959">moveuser.exe</a></dt><dt>MS DCE RPC, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>MS Windows 2000, <a href="samba-bdc.html#id340717">Active Directory Domain Control</a></dt><dt>MS Windows NT4/200x, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>MS Windows SID, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>MS WINS, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a></dt><dt>MS-DFS, <a href="SambaHA.html#id437210">MS-DFS: The Poor Man's Cluster</a></dt><dt>MS-RPC, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>MS-WINS replication, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>msdfs links, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>msdfs root, <a href="msdfs.html#id390330">Features and Benefits</a>, <a href="msdfs.html#id390744">MSDFS UNIX Path Is Case-Critical</a></dt><dt>msg, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt><dt>msg file, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt><dt>MSRPC, <a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a>, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>multibyte character sets, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>multibyte charsets, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>multiple backends, <a href="passdb.html#id363976">Password Backends</a></dt><dt>multiple domains, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>multiple hosting, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>multiple modules, <a href="VFS.html#id416413">Discussion</a></dt><dt>multiple network interfaces, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></dt><dt>multiple network segments, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>multiple personality, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>multiple server hosting, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>multiple server personalities, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>multiple servers, <a href="cfgsmarts.html">Advanced Configuration Techniques</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>multiple universal naming convention provider (see MUP)</dt><dt>multiple VFS, <a href="VFS.html#id416413">Discussion</a></dt><dt>multiple virtual servers, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>multiple Windows workgroups or domains, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>multiple WINS servers, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>Multiuser databases, <a href="locking.html#id385935">Multiuser Databases</a></dt><dt>mutual assistance, <a href="ch46.html#id454529">Free Support</a></dt><dt>mutually exclusive options, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>My Network Places, <a href="ClientConfig.html#id349640">MS Windows Me</a>, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a></dt><dt>Myrinet, <a href="SambaHA.html#id436908">Server Pool Communications Demands</a></dt></dl></div><div class="indexdiv"><h3>N</h3><dl><dt>n security context, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>n-memory buffer, <a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></dt><dt>name conflict, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a></dt><dt>name lookup, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></dt><dt>name lookups, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>name registration, <a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a></dt><dt>name resolution, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a>, <a href="NetworkBrowsing.html#id358283">Common Errors</a>, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a>, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>name resolution across routed networks, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>name resolve order, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id356676">Name Resolution Order</a></dt><dt>name service switch (see NSS)</dt><dt>name-to-address, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></dt><dt>nameserv.h, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>name_type, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id356676">Name Resolution Order</a></dt><dt>native ACLs, <a href="AccessControls.html#id380678">Features and Benefits</a></dt><dt>native dump, <a href="Backup.html#id435949">Amanda</a></dt><dt>native member, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="domain-member.html#id342376">Features and Benefits</a></dt><dt>native mode, <a href="ServerType.html#id334182">ADS Security Mode (User-Level Security)</a>, <a href="winbind.html#id419770">Microsoft Active Directory Services</a></dt><dt>NBT, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></dt><dt>nbtstat, <a href="domain-member.html#id346656">Cannot Add Machine Back to Domain</a>, <a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></dt><dt>necessary rights, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>negotiate, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>negotiating the charset, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>nested group, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>Nested Group Support, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>nested groups, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>net, <a href="passdb.html#acctmgmttools">Account Management Tools</a>, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a href="NetCommand.html">Remote and Local Management: The Net Command</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="NetCommand.html#id370344">Administrative Tasks and Methods</a>, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a>, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dd><dl><dt>ads, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dd><dl><dt>join, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a href="NetCommand.html#id372506">Machine Trust Accounts</a>, <a href="idmapper.html#id376591">ADS Domains</a></dt><dt>leave, <a href="NetCommand.html#id372506">Machine Trust Accounts</a></dt><dt>printer info, <a href="NetCommand.html#id374303">Printers and ADS</a></dt><dt>printer publish, <a href="NetCommand.html#id374303">Printers and ADS</a></dt><dt>printer remove, <a href="NetCommand.html#id374303">Printers and ADS</a></dt><dt>printer search, <a href="NetCommand.html#id374303">Printers and ADS</a></dt><dt>status, <a href="NetCommand.html#id372506">Machine Trust Accounts</a></dt><dt>testjoin, <a href="NetCommand.html#id372506">Machine Trust Accounts</a></dt></dl></dd><dt>getlocalsid, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>groupmap, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="groupmapping.html#id369250">Example Configuration</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a></dt><dd><dl><dt>add, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>delete, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>list, <a href="groupmapping.html#id369250">Example Configuration</a>, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a></dt><dt>modify, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt></dl></dd><dt>localgroup, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>rap, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dd><dl><dt>session, <a href="NetCommand.html#id374244">Session and Connection Management</a></dt></dl></dd><dt>rpc, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dd><dl><dt>getsid, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>group, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a></dt><dt>group add, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a></dt><dt>group addmem, <a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a>, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a></dt><dt>group delete, <a href="NetCommand.html#id371060">Deleting a Group Account</a></dt><dt>group delmem, <a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></dt><dt>group list, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a></dt><dt>group members, <a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></dt><dt>group rename, <a href="NetCommand.html#id371098">Rename Group Accounts</a></dt><dt>info, <a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a>, <a href="ProfileMgmt.html#id427910">Side Bar Notes</a></dt><dt>join, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="NetCommand.html#id372506">Machine Trust Accounts</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a></dt><dt>join bdc, <a href="NetCommand.html#id372506">Machine Trust Accounts</a></dt><dt>join member, <a href="NetCommand.html#id372506">Machine Trust Accounts</a></dt><dt>list, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>printer migrate drivers, <a href="NetCommand.html#id374016">Printer Migration</a></dt><dt>printer migrate forms, <a href="NetCommand.html#id374016">Printer Migration</a></dt><dt>printer migrate printers, <a href="NetCommand.html#id374016">Printer Migration</a></dt><dt>printer migrate security, <a href="NetCommand.html#id374016">Printer Migration</a></dt><dt>printer migrate settings, <a href="NetCommand.html#id374016">Printer Migration</a></dt><dt>right list accounts, <a href="NetCommand.html#id373571">Share Migration</a></dt><dt>rights grant, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>rights list, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>rights list accounts, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>share add, <a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></dt><dt>share delete, <a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></dt><dt>share migrate, <a href="NetCommand.html#id373571">Share Migration</a></dt><dt>share migrate all, <a href="NetCommand.html#id373962">Simultaneous Share and File Migration</a></dt><dt>share migrate files, <a href="NetCommand.html#id373747">File and Directory Migration</a></dt><dt>share migrate security, <a href="NetCommand.html#id373924">Share-ACL Migration</a></dt><dt>testjoin, <a href="NetCommand.html#id372506">Machine Trust Accounts</a></dt><dt>trustdom add, <a href="NetCommand.html#id372844">Interdomain Trusts</a></dt><dt>trustdom establish, <a href="NetCommand.html#id372844">Interdomain Trusts</a>, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></dt><dt>trustdom list, <a href="NetCommand.html#id372844">Interdomain Trusts</a></dt><dt>trustdom revoke, <a href="NetCommand.html#id372844">Interdomain Trusts</a></dt><dt>user add, <a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></dt><dt>user delete, <a href="NetCommand.html#id371995">Deletion of User Accounts</a>, <a href="NetCommand.html#id372506">Machine Trust Accounts</a></dt><dt>user info, <a href="NetCommand.html#id372040">Managing User Accounts</a></dt><dt>user password, <a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></dt><dt>user rename, <a href="NetCommand.html#id372040">Managing User Accounts</a></dt><dt>vampire, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="NetCommand.html#id373480">Share, Directory, and File Migration</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a></dt></dl></dd><dt>setlocalsid, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>time, <a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt><dd><dl><dt>set, <a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt><dt>system, <a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt><dt>zone, <a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt></dl></dd><dt>use, <a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt></dl></dd><dt>NET, <a href="PolicyMgmt.html#id425437">Samba PDC</a></dt><dt>net command, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>net getlocalsid, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>net groupmap, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>net rpc user add, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>net tool, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a></dt><dt>net use, <a href="classicalprinting.html#id399282">Error Message: “Cannot connect under a different Name”</a></dt><dt>net use /home, <a href="ProfileMgmt.html#id425965">Windows 9x/Me User Profiles</a></dt><dt>net use lpt1:, <a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a></dt><dt>net view, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>netatalk, <a href="VFS.html#id417705">netatalk</a></dt><dt>NetAtalk, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>Netatalk, <a href="Other-Clients.html#id452041">Macintosh Clients</a></dt><dt>NetBEUI, <a href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a></dt><dt>NetBIOS, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a>, <a href="samba-bdc.html#id340853">How Does a Workstation find its Domain Controller?</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a>, <a href="NetworkBrowsing.html#netdiscuss">Discussion</a>, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a>, <a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a>, <a href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a>, <a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></dt><dd><dl><dt>brooadcast, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a></dt><dt>name, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt></dl></dd><dt>netbios alias, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>netbios aliases, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>NetBIOS broadcast, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>NetBIOS disabled, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a></dt><dt>NetBIOS flags, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>netbios name, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="msdfs.html#id390330">Features and Benefits</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>NetBIOS name, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>NetBIOS name cache, <a href="domain-member.html#id346656">Cannot Add Machine Back to Domain</a>, <a href="NetworkBrowsing.html#id358308">Flushing the Samba NetBIOS Name Cache</a></dt><dt>NetBIOS name length, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></dt><dt>NetBIOS name resolution, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>NetBIOS Name Server (see NBNS)</dt><dt>NetBIOS name type, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>NetBIOS names, <a href="NetworkBrowsing.html#id356676">Name Resolution Order</a>, <a href="integrate-ms-networks.html#id433004">/etc/nsswitch.conf</a></dt><dt>NetBIOS network interface, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></dt><dt>NetBIOS networking, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a></dt><dt>NetBIOS over TCP/IP, <a href="NetworkBrowsing.html">Network Browsing</a>, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a>, <a href="integrate-ms-networks.html#id432576">Background Information</a></dt><dt>NetBIOS over TCP/IP disabled, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>NetBIOS-less, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>NetBIOS-less SMB, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>NetBIOSless SMB over TCP/IP, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>NetBT, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></dt><dt>netlogon, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>NETLOGON, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a>, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a>, <a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></dt><dt>Netlogon, <a href="samba-bdc.html#id339696">Essential Background Information</a></dt><dt>NetLogon service, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></dt><dt>netlogon share, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a></dt><dt>Netmon, <a href="problems.html#id448565">The Windows Network Monitor</a></dt><dt>Netmon., <a href="problems.html#id448620">Installing Network Monitor on an NT Workstation</a></dt><dt>netmon.exe, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>NetSAMLogon, <a href="ProfileMgmt.html#id425774">Roaming Profiles</a></dt><dt>Netscape's Directory Server, <a href="passdb.html#id364716">Supported LDAP Servers</a></dt><dt>NetServerEnum2, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>NetUserGetInfo, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="ProfileMgmt.html#id425774">Roaming Profiles</a></dt><dt>NetWare, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></dt><dt>NetWare Bindery, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>NetWare Core Protocol-based server, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>NetWkstaUserLogon, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>network</dt><dd><dl><dt>browsing, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>logon, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></dt><dd><dl><dt>service, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></dt></dl></dd><dt>performance, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>wide-area, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt></dl></dd><dt>network access controls, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>network access profile, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>network administrator, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>network administrator's toolbox, <a href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>network administrators, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>network analyzer, <a href="problems.html#id448088">Diagnostics Tools</a></dt><dt>network bandwidth, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>Network Basic Extended User Interface (see NetBEUI)</dt><dt>Network Basic Input/Output System (see NetBIOS)</dt><dt>Network Bridge, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>Network Bridge Configuration, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>network browsing problems, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>network client, <a href="ClientConfig.html#id348335">Features and Benefits</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>network clients, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>network configuration problems, <a href="ClientConfig.html#id348430">TCP/IP Configuration</a></dt><dt>network difficulty, <a href="ClientConfig.html#id348335">Features and Benefits</a></dt><dt>network environment, <a href="AdvancedNetworkManagement.html#id423235">Remote Desktop Management</a></dt><dt>Network ID, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>network interface, <a href="securing-samba.html#id387645">Using Interface Protection</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>network logon, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>network logon services, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>network membership, <a href="ClientConfig.html#id348389">Technical Details</a></dt><dt>Network Monitor, <a href="problems.html#id448565">The Windows Network Monitor</a></dt><dt>Network Monitor Tools and Agent, <a href="problems.html#id448620">Installing Network Monitor on an NT Workstation</a></dt><dt>Network Neighborhood, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="classicalprinting.html#id397275">Check Samba for Driver Recognition</a></dt><dt>network neighborhood, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>network policies, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></dt><dt>network security, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>network segment, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>Network settings, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>network sniffer, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>network storage, <a href="Backup.html#id435626">BackupPC</a></dt><dt>network traffic, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>networked workstation, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>networking advocates, <a href="Backup.html#id435539">Discussion of Backup Solutions</a></dt><dt>networking environment, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>networking systems, <a href="ClientConfig.html#id351062">Common Errors</a></dt><dt>networks access, <a href="speed.html#id453443">Samba Performance is Very Slow</a></dt><dt>Networks Properties, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>new account, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>new parameters, <a href="upgrading-to-3.0.html#id440744">New Parameters</a></dt><dt>newsgroup, <a href="bugreport.html#id449187">Introduction</a></dt><dt>Nexus toolkit, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Nexus.exe, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></dt><dt>NFS, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a>, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a>, <a href="SambaHA.html#id436764">Restrictive Constraints on Distributed File Systems</a>, <a href="upgrading-to-3.0.html#id442574">IdMap LDAP Support</a></dt><dt>NFS clients, <a href="locking.html#id385864">UNIX or NFS Client-Accessed Files</a></dt><dt>NIS, <a href="ServerType.html#id333519">Share-Level Security</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>NIS database, <a href="winbind.html#id420026">Pluggable Authentication Modules</a></dt><dt>nmbd, <a href="install.html#id326670">Starting Samba</a>, <a href="install.html#id327100">Test Your Config File with testparm</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="NetworkBrowsing.html#id358308">Flushing the Samba NetBIOS Name Cache</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="winbind.html#id420546">Testing Things Out</a>, <a href="winbind.html#id421865">Linux</a>, <a href="winbind.html#id422049">Solaris</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="problems.html#id448137">Debugging with Samba Itself</a>, <a href="speed.html#id453354">Corrupt tdb Files</a></dt><dt>nmblookup, <a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>No NetBIOS layer, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a></dt><dt>no network logon service, <a href="StandAloneServer.html#id347134">Background</a></dt><dt>no printcap file, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>nobody, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>nobody account, <a href="classicalprinting.html#id394436">Custom Print Commands</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>node-type, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>NoMachine, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>NoMachine.Com, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>non-authentication-based account management, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>non-authoritative, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>non-LDAP</dt><dd><dl><dt>backend, <a href="samba-bdc.html#id339320">Features and Benefits</a></dt></dl></dd><dt>non-member Windows client, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>non-PostScript, <a href="CUPS-printing.html#id403248">CUPS Also Uses PPDs for Non-PostScript Printers</a>, <a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>non-PostScript printers, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>nonhierarchical, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>nontransitive, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>normal color, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>normal user, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>not domain member, <a href="StandAloneServer.html#id347134">Background</a></dt><dt>not domain members, <a href="StandAloneServer.html">Standalone Servers</a></dt><dt>not part of domain, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></dt><dt>not stored anywhere, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>not transitive, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>Novell, <a href="domain-member.html#domain-member-server">Domain Member Server</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>Novell eDirectory server, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>NSS, <a href="StandAloneServer.html#id347134">Background</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#id364485">ldapsam</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id365886">Accounts and Groups Management</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id419355">What Winbind Provides</a>, <a href="winbind.html#id419645">How Winbind Works</a>, <a href="winbind.html#id419814">Name Service Switch</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="winbind.html#id422791">Conclusion</a></dt><dt>nsswitch.conf, <a href="ServerType.html#id333519">Share-Level Security</a></dt><dt>nss_ldap, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>nss_winbind.so.1, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>nt acl support, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id383310">Viewing File Ownership</a>, <a href="AccessControls.html#id383436">Viewing File or Directory Permissions</a>, <a href="AccessControls.html#id383623">Modifying File or Directory Permissions</a>, <a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></dt><dt>NT domain, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>NT groups, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></dt><dt>NT migration scripts, <a href="passdb.html#id364485">ldapsam</a></dt><dt>NT password, <a href="passdb.html#id362746">Listing User and Machine Accounts</a></dt><dt>NT Server Manager, <a href="AccessControls.html#id382888">Windows NT4 Workstation/Server</a></dt><dt>NT-controlled domain, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></dt><dt>NT-encrypted password, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>NT-encrypted passwords, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></dt><dt>NT4, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>NT4 Domain, <a href="idmapper.html#id374992">Standalone Samba Server</a></dt><dt>NT4 domain, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="winbind.html#id418954">Features and Benefits</a></dt><dt>NT4 domain members, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>NT4 style policy updates, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>NT4 User Manager for Domains, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>NT4-style, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>NT4-style domain, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>NT4-style domains, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>Nt4sp6ai.exe, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>NTConfig.POL, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a>, <a href="PolicyMgmt.html#id424667">Registry Spoiling</a>, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a>, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a>, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a>, <a href="PolicyMgmt.html#id425324">Samba Editreg Toolset</a>, <a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a>, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>ntconfig.pol, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>ntdrivers.tdb, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>ntforms.tdb, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>NTFS, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>NTLMv2, <a href="securing-samba.html#id388109">NTLMv2 Security</a></dt><dt>ntlm_auth, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>ntprinters.tdb, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>NTUser.DAT, <a href="PolicyMgmt.html#id425324">Samba Editreg Toolset</a>, <a href="ProfileMgmt.html#id428058">Mandatory Profiles</a>, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>NTuser.DAT, <a href="ProfileMgmt.html#id427016">Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a>, <a href="NT4Migration.html#id443546">Profile Migration/Creation</a></dt><dt>NTuser.MAN, <a href="ProfileMgmt.html#id427016">Windows NT4 Workstation</a></dt><dt>NTUser.MAN, <a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></dt><dt>NT_STATUS_LOGON_FAILURE, <a href="upgrading-to-3.0.html#id441782">Changes in Behavior</a></dt><dt>NT_STATUS_UNSUCCESSFUL, <a href="classicalprinting.html#id397066">Running rpcclient with adddriver</a></dt><dt>null shell, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>NX, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt></dl></div><div class="indexdiv"><h3>O</h3><dl><dt>obey pam restrictions, <a href="pam.html#id431757">smb.conf PAM Configuration</a></dt><dt>object class, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>object class declaration, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>object module dependencies, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>ObjectClass, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>ObjectClasses, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>obtuse complexity, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>office server, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a></dt><dt>OID, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>old sambaAccount, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>Omni, <a href="CUPS-printing.html#id413062">Driver Development Outside</a></dt><dt>on the fly, <a href="domain-member.html#id343945">Windows NT4 Client</a></dt><dt>on-the-fly, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>on-the-fly logon scripts, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>on-the-fly policy files, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>one direction, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>one domain, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>one-way trust, <a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></dt><dt>only one WINS server, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></dt><dt>only user, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></dt><dt>OpenGFS, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>OpenLDAP, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="domain-member.html#domain-member-server">Domain Member Server</a>, <a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#id364716">Supported LDAP Servers</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id364973">OpenLDAP Configuration</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>OpenLDAP backend, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></dt><dt>OpenSSL, <a href="SWAT.html#id445330">Securing SWAT through SSL</a>, <a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></dt><dt>operating costs, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>operating system search path, <a href="SWAT.html#id444812">Locating the SWAT File</a></dt><dt>oplock, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>oplock break, <a href="locking.html#id385372">Opportunistic Locking Overview</a>, <a href="locking.html#id386022">Beware of Force User</a></dt><dt>oplock break contention limit, <a href="locking.html#id386378">Disabling Kernel Oplocks</a></dt><dt>oplock break wait time, <a href="locking.html#id386096">Advanced Samba Oplocks Parameters</a>, <a href="locking.html#id386378">Disabling Kernel Oplocks</a></dt><dt>oplock contention limit, <a href="locking.html#id386096">Advanced Samba Oplocks Parameters</a></dt><dt>oplock handling, <a href="SambaHA.html#id436764">Restrictive Constraints on Distributed File Systems</a></dt><dt>oplock mechanism, <a href="locking.html#id386096">Advanced Samba Oplocks Parameters</a></dt><dt>oplock messages, <a href="SambaHA.html#id436958">Required Modifications to Samba</a></dt><dt>oplock parameters, <a href="locking.html#id386096">Advanced Samba Oplocks Parameters</a></dt><dt>oplocks, <a href="locking.html#id385372">Opportunistic Locking Overview</a>, <a href="locking.html#id386284">Disabling Oplocks</a></dt><dt>oplocks disabled, <a href="locking.html#id385935">Multiuser Databases</a></dt><dt>oplocks management, <a href="locking.html#id385973">PDM Data Shares</a></dt><dt>opportunistic locking, <a href="locking.html#id385057">Features and Benefits</a>, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>Opportunistic locking, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>optional, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>ordinary connection, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></dt><dt>Organization for the Advancement of Structured Information Standards (see OASIS)</dt><dt>organizational directory, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>organizational unit, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a> (see OU)</dt><dt>os level, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="ProfileMgmt.html#id429610">Changing the Default Profile</a></dt><dt>os2 driver map, <a href="Other-Clients.html#id452283">Printer Driver Download for OS/2 Clients</a></dt><dt>OSS/Free Software, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>other, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>output duplexing, <a href="CUPS-printing.html#id404429">pstops</a></dt><dt>outside threat, <a href="securing-samba.html#id387449">Using Host-Based Protection</a></dt><dt>own home directory, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></dt><dt>ownership, <a href="AccessControls.html#id383310">Viewing File Ownership</a></dt><dt>ownership cost, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>ownership rights, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt></dl></div><div class="indexdiv"><h3>P</h3><dl><dt>p-node, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>package, <a href="install.html#id326850">Example Configuration</a></dt><dt>packages, <a href="install.html#id325669">Obtaining and Installing Samba</a></dt><dt>packet sniffer, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>packet trace, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>PADL, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>PADL Software, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>page description languages (see PDL)</dt><dt>pager program, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>page_log, <a href="CUPS-printing.html#id413996">The page_log File Syntax</a></dt><dt>paid-for support, <a href="ch46.html">Samba Support</a></dt><dt>PAM, <a href="StandAloneServer.html#id347134">Background</a>, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id364023">Plaintext</a>, <a href="passdb.html#id364485">ldapsam</a>, <a href="winbind.html#id419645">How Winbind Works</a>, <a href="winbind.html#id420026">Pluggable Authentication Modules</a>, <a href="winbind.html#id420404">Requirements</a>, <a href="winbind.html#id420546">Testing Things Out</a>, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="winbind.html#id422791">Conclusion</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="pam.html#id430534">Technical Discussion</a></dt><dt>PAM authentication module, <a href="pam.html#id430584">PAM Configuration Syntax</a></dt><dt>PAM configuration, <a href="winbind.html#id420404">Requirements</a></dt><dt>PAM management, <a href="pam.html">PAM-Based Distributed Authentication</a></dt><dt>PAM module, <a href="winbind.html#id421002">NSS Winbind on AIX</a></dt><dt>PAM modules, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>PAM-capable, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam-devel, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>PAM-enabled, <a href="winbind.html#id419355">What Winbind Provides</a>, <a href="pam.html">PAM-Based Distributed Authentication</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>PAM-specific tokens, <a href="pam.html#id430584">PAM Configuration Syntax</a></dt><dt>pam_krb5.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_ldap, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>pam_ldap.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_mkhomedir, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>pam_ncp_auth.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_pwdb.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_securetty.so, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>pam_smbpass.so, <a href="pam.html">PAM-Based Distributed Authentication</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_smbpasswd.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_smb_auth.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_unix.so, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_unix2.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_userdb.so, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>pam_winbind.so, <a href="winbind.html#id420026">Pluggable Authentication Modules</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>parameters, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></dt><dt>paranoid, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>passdb, <a href="samba-bdc.html#id341947">Machine Accounts Keep Expiring</a></dt><dt>passdb backend, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="ChangeNotes.html#id351743">Passdb Changes</a>, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a>, <a href="passdb.html#id361615">The smbpasswd Tool</a>, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a href="passdb.html#id363042">Deleting Accounts</a>, <a href="passdb.html#id364340">tdbsam</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="passdb.html#id366881">Users Cannot Logon</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="rights.html#id380042">The Administrator Domain SID</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="pam.html#id431817">Remote CIFS Authentication Using winbindd.so</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a>, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a></dt><dt>passdb backends, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>passed across the network, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>passwd, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#id361615">The smbpasswd Tool</a>, <a href="winbind.html#id419814">Name Service Switch</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>password, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a>, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dd><dl><dt>plaintext, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt></dl></dd><dt>password aging, <a href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>password assigned, <a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a></dt><dt>password backend, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="passdb.html#id362746">Listing User and Machine Accounts</a></dt><dt>password backends, <a href="passdb.html">Account Information Databases</a></dt><dt>password change facility, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>password database, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>password encryption, <a href="passdb.html#id364023">Plaintext</a></dt><dt>password expiration, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>password expired, <a href="passdb.html#id363122">Changing User Accounts</a></dt><dt>password history, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>password level, <a href="ServerType.html#id334587">Password Checking</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="Other-Clients.html#id452517">Password Case Sensitivity</a>, <a href="speed.html#id453234">Slow Logins</a></dt><dt>password management, <a href="winbind.html#id420026">Pluggable Authentication Modules</a></dt><dt>password prompt, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>password scheme, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>password server, <a href="ServerType.html#id334251">Example Configuration</a>, <a href="ServerType.html#id334332">Server Security (User Level Security)</a>, <a href="ServerType.html#id334489">Example Configuration</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id345150">Configure smb.conf</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>password uniqueness, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>passwords, <a href="winbind.html#id419277">Introduction</a></dt><dt>patch, <a href="bugreport.html#id449906">Patches</a></dt><dt>path, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338061">Example Configuration</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a>, <a href="msdfs.html#id390330">Features and Benefits</a>, <a href="msdfs.html#id390744">MSDFS UNIX Path Is Case-Critical</a>, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="classicalprinting.html#id393900">Print Commands</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="classicalprinting.html#id395788">The [print$] Share Directory</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id407671">Samba Receiving Job-Files and Passing Them to CUPS</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="CUPS-printing.html#id414430">Autodeletion or Preservation of CUPS Spool Files</a>, <a href="CUPS-printing.html#id415995">Permissions on /var/spool/samba/ Get Reset After Each Reboot</a>, <a href="VFS.html#id416413">Discussion</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a>, <a href="largefile.html">Handling Large Directories</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="diagnosis.html#id446194">Assumptions</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></dt><dt>path specified, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>pauses, <a href="speed.html#id453443">Samba Performance is Very Slow</a></dt><dt>PBM, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>PCL, <a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a>, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a>, <a href="CUPS-printing.html#id407175">Printing with Interface Scripts</a>, <a href="CUPS-printing.html#id407391">Driver Execution on the Server</a>, <a href="CUPS-printing.html#id407739">Network PostScript RIP</a></dt><dt>pdbedit, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="passdb.html#acctmgmttools">Account Management Tools</a>, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a href="passdb.html#id362637">User Account Management</a>, <a href="passdb.html#id362746">Listing User and Machine Accounts</a>, <a href="passdb.html#id362965">Adding User Accounts</a>, <a href="passdb.html#id363042">Deleting Accounts</a>, <a href="passdb.html#id363122">Changing User Accounts</a>, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a href="passdb.html#id363855">Account Import/Export</a>, <a href="rights.html#id380042">The Administrator Domain SID</a>, <a href="PolicyMgmt.html#id425437">Samba PDC</a>, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a>, <a href="NT4Migration.html#id443632">Steps in Migration Process</a>, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>pdb_ldap, <a href="samba-bdc.html#id342144">Can I Do This All with LDAP?</a></dt><dt>PDC, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a>, <a href="passdb.html#id364340">tdbsam</a>, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a>, <a href="groupmapping.html#id367529">Discussion</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a>, <a href="CUPS-printing.html#id409864">cupsaddsmb with a Samba PDC</a>, <a href="winbind.html#id419533">Handling of Foreign SIDs</a>, <a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a>, <a href="winbind.html#id420026">Pluggable Authentication Modules</a>, <a href="winbind.html#id420241">Result Caching</a>, <a href="winbind.html#id420297">Introduction</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a>, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a>, <a href="NT4Migration.html#id443153">Domain Layout</a>, <a href="problems.html#id448906">Getting Mailing List Help</a>, <a href="speed.html#id453354">Corrupt tdb Files</a></dt><dt>PDF, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a>, <a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a>, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>pdf, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></dt><dt>PDF distilling, <a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a></dt><dt>PDF filter, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>pdftops, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a>, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>pdftosocket, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>PDL, <a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a></dt><dt>PDM, <a href="locking.html#id385973">PDM Data Shares</a></dt><dt>peer domain, <a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a></dt><dt>Peer node, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>per-share access control, <a href="AccessControls.html#id382742">Access Controls on Shares</a></dt><dt>performance, <a href="largefile.html">Handling Large Directories</a>, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>performance advantage, <a href="locking.html#id385057">Features and Benefits</a></dt><dt>performance degradation, <a href="largefile.html">Handling Large Directories</a></dt><dt>performance enhancement, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>performance improvement, <a href="locking.html#id385895">Slow and/or Unreliable Networks</a></dt><dt>performance-based, <a href="passdb.html#id364340">tdbsam</a></dt><dt>performed as root, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>perimeter firewall, <a href="securing-samba.html#id387302">Features and Benefits</a></dt><dt>permanent changes, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>Permanent name, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>permissions, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dd><dl><dt>file/directory ACLs, <a href="AccessControls.html#id383206">Managing UNIX Permissions Using NT Security Dialogs</a></dt><dt>share, <a href="AccessControls.html#id381872">Share Definition Access Controls</a></dt><dt>share ACLs, <a href="AccessControls.html#id382742">Access Controls on Shares</a></dt><dt>UNIX file and directory, <a href="AccessControls.html#id380678">Features and Benefits</a></dt></dl></dd><dt>Permissions, <a href="AccessControls.html#id382986">Windows 200x/XP</a></dt><dt>permissions and controls, <a href="AccessControls.html#id380678">Features and Benefits</a></dt><dt>PGP, <a href="compiling.html#id450357">Verifying Samba's PGP Signature</a></dt><dt>phasing out NetBIOS, <a href="NetworkBrowsing.html#netdiscuss">Discussion</a></dt><dt>Photo-CD, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>physical locations, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>physical network transport layer, <a href="integrate-ms-networks.html#id432767">/etc/hosts</a></dt><dt>PID, <a href="bugreport.html#id449791">Attaching to a Running Process</a></dt><dt>pid directory, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>ping, <a href="NT4Migration.html#id443153">Domain Layout</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>pipe device, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>PJL, <a href="CUPS-printing.html#id407739">Network PostScript RIP</a>, <a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a>, <a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>PJL-header, <a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>plague network users, <a href="ClientConfig.html#id348430">TCP/IP Configuration</a></dt><dt>plain-text</dt><dd><dl><dt>passwords, <a href="ServerType.html#id334587">Password Checking</a></dt></dl></dd><dt>plaintext, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></dt><dt>plaintext authentication, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></dt><dt>plaintext password, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a></dt><dt>plaintext passwords, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>platforms, <a href="Portability.html">Portability</a></dt><dt>PLP, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>Pluggable Authentication Modules (see PAM)</dt><dt>PNG, <a href="CUPS-printing.html#id402931">Ghostscript: The Software RIP for Non-PostScript Printers</a>, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>PNM, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>point 'n' print, <a href="CUPS-printing.html#id401884">Installation of Windows Client Drivers</a>, <a href="CUPS-printing.html#id409387">Run cupsaddsmb (Quiet Mode)</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></dt><dt>Point'n'Print, <a href="classicalprinting.html#id390934">Features and Benefits</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a>, <a href="classicalprinting.html#id396937">smbclient to Confirm Driver Installation</a></dt><dt>point'n'print, <a href="CUPS-printing.html#id402147">Driver Upload Methods</a>, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a></dt><dt>Poledit, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a></dt><dt>poledit.exe, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a>, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a></dt><dt>Policies, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>policies, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>policy editor, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></dt><dt>Policy Editor, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>policy file , <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>policy files, <a href="domain-member.html#id342376">Features and Benefits</a></dt><dt>policy settings, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>port 135, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></dt><dt>Port 135/TCP, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 137, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>Port 137/UDP, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 138, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></dt><dt>Port 138/UDP, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 139, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></dt><dt>Port 139/TCP, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 445, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></dt><dt>Port 445/TCP, <a href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>ports, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a>, <a href="problems.html#id448426">Ethereal</a></dt><dt>POSIX, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#id365886">Accounts and Groups Management</a>, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a></dt><dt>POSIX account, <a href="passdb.html#id362637">User Account Management</a>, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a></dt><dt>POSIX ACLs, <a href="AccessControls.html#id381279">File and Directory Access Control</a>, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>POSIX ACLS, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>POSIX identity, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>POSIX locks, <a href="SambaHA.html#id436827">Server Pool Communications</a></dt><dt>POSIX semantics, <a href="SambaHA.html#id436827">Server Pool Communications</a></dt><dt>POSIX user accounts, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>posixAccount, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>posixGroup, <a href="passdb.html#id364973">OpenLDAP Configuration</a>, <a href="passdb.html#id365886">Accounts and Groups Management</a></dt><dt>PostScript, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id402258">Advanced Intelligent Printing with PostScript Driver Download</a>, <a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a>, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a>, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a>, <a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a>, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id404429">pstops</a>, <a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a>, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a>, <a href="CUPS-printing.html#id407391">Driver Execution on the Server</a>, <a href="CUPS-printing.html#id407739">Network PostScript RIP</a>, <a href="CUPS-printing.html#id407973">CUPS: A “Magical Stone”?</a>, <a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a>, <a href="CUPS-printing.html#id408505">CUPS “PostScript Driver for Windows NT/200x/XP”</a></dt><dd><dl><dt>(see also Ghostscript)</dt><dt>RIP, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt></dl></dd><dt>PostScript driver, <a href="classicalprinting.html#id396743">Installing Driver Files into [print$]</a></dt><dt>PostScript interpreter, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt>PostScript Printer Description (see PPD)</dt><dt>PostScript printers, <a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></dt><dt>potential master browsers, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>potential printer, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></dt><dt>Power Users, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>powerful, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>PPD, <a href="classicalprinting.html#id396743">Installing Driver Files into [print$]</a>, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a>, <a href="CUPS-printing.html#id403248">CUPS Also Uses PPDs for Non-PostScript Printers</a>, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id405726">“Raw” Printing</a>, <a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a>, <a href="CUPS-printing.html#id407819">PPDs for Non-PS Printers on UNIX</a>, <a href="CUPS-printing.html#id407856">PPDs for Non-PS Printers on Windows</a>, <a href="CUPS-printing.html#id407973">CUPS: A “Magical Stone”?</a>, <a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a>, <a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a>, <a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></dt><dd><dl><dt>CUPS (see CUPS-PPD)</dt></dl></dd><dt>PPD-aware, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt>PPDs, <a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a>, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id412953">The Grand Unification Achieved</a></dt><dt>PPP, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>precedence, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>preferred master, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>prefilter, <a href="CUPS-printing.html#id404838">imagetops and imagetoraster</a></dt><dt>prefilters, <a href="CUPS-printing.html#id404252">Prefilters</a></dt><dt>preserve case, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="largefile.html">Handling Large Directories</a></dt><dt>primary domain controller, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>primary group, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>Primary Logon, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>Primary WINS Server, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></dt><dt>print, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a></dt><dd><dl><dt>queue, <a href="install.html#id325753">Configuration File Syntax</a></dt><dt>spooler, <a href="install.html#id325753">Configuration File Syntax</a></dt></dl></dd><dt>print accounting, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>print command, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="classicalprinting.html#id393900">Print Commands</a>, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a>, <a href="classicalprinting.html#id394436">Custom Print Commands</a>, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="CUPS-printing.html#id414575">Preconditions</a>, <a href="CUPS-printing.html#id414681">Manual Configuration</a></dt><dt>print commands, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>print configuration, <a href="classicalprinting.html#id391142">Technical Introduction</a>, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a></dt><dt>print environment, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>print filtering, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>print job, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>print jobs, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>print processing, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>print queue, <a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a>, <a href="classicalprinting.html#id396937">smbclient to Confirm Driver Installation</a>, <a href="classicalprinting.html#id397481">Specific Driver Name Flexibility</a>, <a href="CUPS-printing.html#id405130">CUPS Backends</a></dt><dt>print quota, <a href="CUPS-printing.html#id402258">Advanced Intelligent Printing with PostScript Driver Download</a></dt><dt>print server, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>print service, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>print spooling, <a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></dt><dt>print spooling system, <a href="CUPS-printing.html#id400581">Overview</a></dt><dt>print statistics, <a href="CUPS-printing.html#id402258">Advanced Intelligent Printing with PostScript Driver Download</a></dt><dt>print subsystem, <a href="classicalprinting.html#id391142">Technical Introduction</a>, <a href="classicalprinting.html#id393900">Print Commands</a></dt><dt>print test page, <a href="classicalprinting.html#id397729">First Client Driver Installation</a></dt><dt>printable, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>printcap, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a>, <a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a>, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="CUPS-printing.html#id414575">Preconditions</a></dt><dt>Printcap, <a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a></dt><dt>printcap name, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>PrintcapFormat, <a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a></dt><dt>printer admin, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="rights.html#id379339">Description of Privileges</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="classicalprinting.html#id396001">Add Printer Wizard Driver Installation</a>, <a href="classicalprinting.html#id397729">First Client Driver Installation</a>, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a href="classicalprinting.html#id398340">Always Make First Client Connection as root or “printer admin”</a>, <a href="classicalprinting.html#id398507">Setting Default Print Options for Client Drivers</a>, <a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id415632">Print Options for All Users Can't Be Set on Windows 200x/XP</a></dt><dt>printer attributes publishing, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>printer default permissions, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>printer driver, <a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a></dt><dt>printer driver data, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>printer driver file, <a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a></dt><dt>printer driver files, <a href="classicalprinting.html#id396937">smbclient to Confirm Driver Installation</a></dt><dt>printer drivers, <a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a>, <a href="CUPS-printing.html#id412953">The Grand Unification Achieved</a></dt><dt>printer icon, <a href="classicalprinting.html#id397275">Check Samba for Driver Recognition</a></dt><dt>printer management, <a href="NetCommand.html#id370067">Overview</a></dt><dt>printer management system, <a href="CUPS-printing.html#id400581">Overview</a></dt><dt>printer migration, <a href="NetCommand.html#id370067">Overview</a></dt><dt>printer monitor, <a href="speed.html#id453443">Samba Performance is Very Slow</a></dt><dt>printer objects, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>Printer Pooling, <a href="classicalprinting.html#id399581">Samba and Printer Ports</a></dt><dt>printer queue, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>printer share, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>printer shares , <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a>, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>printer$ share, <a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a></dt><dt>printers, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="StandAloneServer.html#id347049">Features and Benefits</a></dt><dt>Printers, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>printers admin, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>Printers and Faxes, <a href="classicalprinting.html#id397275">Check Samba for Driver Recognition</a></dt><dt>printers available, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>printers section, <a href="classicalprinting.html#ptrsect">The [printers] Section</a></dt><dt>printing, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="classicalprinting.html#id393964">Default UNIX System Printing Commands</a>, <a href="classicalprinting.html#id394436">Custom Print Commands</a>, <a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a>, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="CUPS-printing.html#id414575">Preconditions</a>, <a href="CUPS-printing.html#id414681">Manual Configuration</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>printing behavior, <a href="classicalprinting.html#id391335">Printing-Related Configuration Parameters</a></dt><dt>printing calls, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>printing now, <a href="speed.html#id453443">Samba Performance is Very Slow</a></dt><dt>printing support, <a href="classicalprinting.html#id390934">Features and Benefits</a>, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>printing system, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>printing systems, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>printing-related settings, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a></dt><dt>printing.tdb, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>PrintPro (see ESP Print Pro)</dt><dt>private dir, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>private groups, <a href="groupmapping.html#id367843">Warning: User Private Group Problems</a></dt><dt>private key, <a href="SWAT.html#id445330">Securing SWAT through SSL</a></dt><dt>private network, <a href="securing-samba.html#id387214">Introduction</a></dt><dt>private networks, <a href="securing-samba.html#id387449">Using Host-Based Protection</a></dt><dt>private/MACHINE.SID, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></dt><dt>private/secrets.tdb, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></dt><dt>privilege, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a>, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>privilege management, <a href="groupmapping.html#id368424">Important Administrative Information</a>, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>privilege model, <a href="rights.html#id378765">Rights Management Capabilities</a></dt><dt>privilege-granting applications, <a href="pam.html#id430534">Technical Discussion</a></dt><dt>privileged accounts, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>privileges, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379339">Description of Privileges</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>privileges assigned, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>problem report, <a href="ch46.html#id454529">Free Support</a></dt><dt>problem resolution, <a href="ch46.html">Samba Support</a></dt><dt>problematic print, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>Process data management, <a href="locking.html#id385973">PDM Data Shares</a></dt><dt>professional support, <a href="ch46.html#id454529">Free Support</a></dt><dt>profile, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#passdbtech">Technical Information</a></dt><dt>profile access rights, <a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></dt><dt>profile acls, <a href="FastStart.html#id330805">Example: Engineering Office</a></dt><dt>profile contents, <a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></dt><dt>profile directory, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>profile migration tool, <a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></dt><dt>profile path, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="ProfileMgmt.html#id427016">Windows NT4 Workstation</a></dt><dt>profile sharing, <a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></dt><dt>Profile Type, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a></dt><dt>ProfilePath, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>profiles, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>Profiles, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></dt><dt>project, <a href="ch46.html#id454529">Free Support</a></dt><dt>promiscuous mode, <a href="problems.html#id448565">The Windows Network Monitor</a></dt><dt>promote, <a href="samba-pdc.html#id336302">Domain Controller Types</a></dt><dt>promoted, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>propagate, <a href="samba-bdc.html#id339320">Features and Benefits</a></dt><dt>Properties, <a href="ClientConfig.html#id349640">MS Windows Me</a>, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>protect directories, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>protect files, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>protection against attackers, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></dt><dt>protocol stack settings, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>provided services, <a href="ch46.html">Samba Support</a></dt><dt>provisioned, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>pstops, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id404429">pstops</a>, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a>, <a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>pstoraster, <a href="CUPS-printing.html#id404588">pstoraster</a>, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>public, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a></dt><dt>publish printers, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>publishing printers, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></dt><dt>PulseAudio, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>punching, <a href="CUPS-printing.html#id404429">pstops</a></dt><dt>purchase support, <a href="ch46.html#id454529">Free Support</a></dt><dt>put, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>pvcreate, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt></dl></div><div class="indexdiv"><h3>Q</h3><dl><dt>QNX, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>qualified problem, <a href="ch46.html#id454529">Free Support</a></dt><dt>queue control, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>queue resume command, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></dt><dt>queuepause command, <a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></dt><dt>quota controls, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt></dl></div><div class="indexdiv"><h3>R</h3><dl><dt>RAID, <a href="Backup.html#id435626">BackupPC</a></dt><dt>random machine account password, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>range, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a></dt><dt>range of hosts, <a href="securing-samba.html#id387449">Using Host-Based Protection</a></dt><dt>RAP, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dt>raster, <a href="CUPS-printing.html#id404252">Prefilters</a>, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>raster driver, <a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></dt><dt>raster drivers, <a href="CUPS-printing.html#id404588">pstoraster</a></dt><dt>raster image processor (see RIP)</dt><dt>raster images, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>rasterization, <a href="CUPS-printing.html#id404588">pstoraster</a>, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>rastertoalps, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></dt><dt>rastertobj, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></dt><dt>rastertoepson, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a>, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>rastertoescp, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></dt><dt>rastertohp, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></dt><dt>rastertopcl, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></dt><dt>rastertoprinter, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></dt><dt>rastertosomething, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>rastertoturboprint, <a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></dt><dt>raw mode, <a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></dt><dt>raw print, <a href="CUPS-printing.html#id409942">cupsaddsmb Flowchart</a></dt><dt>raw printers, <a href="CUPS-printing.html#id400581">Overview</a></dt><dt>raw printing, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a href="CUPS-printing.html#cups-raw">Explicitly Enable “raw” Printing for application/octet-stream</a></dt><dt>raw SMB, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>raw SMB over TCP/IP, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a></dt><dt>rawprinter, <a href="CUPS-printing.html#id405726">“Raw” Printing</a></dt><dt>rcp, <a href="Backup.html#id435788">Rsync</a></dt><dt>rdesktop, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>rdesktop/RDP, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>read, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>read directory into memory, <a href="largefile.html">Handling Large Directories</a></dt><dt>read list, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a></dt><dt>read only, <a href="install.html#id326850">Example Configuration</a>, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a>, <a href="AccessControls.html#id382473">Miscellaneous Controls</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a>, <a href="VFS.html#fakeperms">fake_perms</a>, <a href="largefile.html">Handling Large Directories</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="diagnosis.html#id446194">Assumptions</a>, <a href="Other-Clients.html#id452675">Windows 2000 Service Pack 2</a></dt><dd><dl><dt>server, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a></dt></dl></dd><dt>read raw, <a href="speed.html#id453152">Read Raw</a></dt><dt>read size, <a href="speed.html#id453061">Read Size</a></dt><dt>Read-ahead, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>read-only, <a href="StandAloneServer.html#id347049">Features and Benefits</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>read-only access, <a href="idmapper.html#id376159">Backup Domain Controller</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>read-only files, <a href="StandAloneServer.html#id347049">Features and Benefits</a></dt><dt>read-write access, <a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a></dt><dt>realm, <a href="ServerType.html#id334182">ADS Security Mode (User-Level Security)</a>, <a href="ServerType.html#id334251">Example Configuration</a>, <a href="samba-bdc.html#id340956">NetBIOS Over TCP/IP Disabled</a>, <a href="domain-member.html#id345150">Configure smb.conf</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>rebooted, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>rebooting server, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>recompiling, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>reconfiguration, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>record locking, <a href="locking.html#id385144">Discussion</a></dt><dt>recycle, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle bin, <a href="VFS.html#id416413">Discussion</a></dt><dt>recycle directory, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:exclude, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:exclude_dir, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:keeptree, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:maxsize, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:noversions, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:repository, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:subdir_mode, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:touch, <a href="VFS.html#id417334">recycle</a></dt><dt>recycle:versions, <a href="VFS.html#id417334">recycle</a></dt><dt>Red Hat Cluster Manager, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>Red Hat Linux, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a>, <a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a>, <a href="groupmapping.html#id367843">Warning: User Private Group Problems</a></dt><dt>redirect, <a href="samba-bdc.html#id341471">Example Configuration</a></dt><dt>redirection, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>redirector, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>redundancy, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>reference documents, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>refusing connection, <a href="securing-samba.html#id387645">Using Interface Protection</a></dt><dt>regedit.exe, <a href="ProfileMgmt.html#id428275">MS Windows 9x/Me</a></dt><dt>regedt32, <a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a></dt><dt>regedt32.exe, <a href="PolicyMgmt.html#id425400">Windows NT4/200x</a></dt><dt>register driver files, <a href="classicalprinting.html#id397066">Running rpcclient with adddriver</a></dt><dt>register NetBIOS names, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>registered, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="classicalprinting.html#id397275">Check Samba for Driver Recognition</a></dt><dt>registers, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a></dt><dt>registry, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="locking.html#id385057">Features and Benefits</a>, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a>, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a>, <a href="ProfileMgmt.html#id428275">MS Windows 9x/Me</a></dt><dt>registry change, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>registry keys, <a href="ProfileMgmt.html#id428249">Default Profile for Windows Users</a></dt><dt>registry settings, <a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></dt><dt>regulations, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>rejoin, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>relationship password, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>relative identifier, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a> (see RID)</dt><dt>Relative Identifier (see RID)</dt><dt>Relative Identifiers (see RID)</dt><dt>reliability, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>Remote Access Dial-In User Service (see RADIUS)</dt><dt>remote announce, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id355550">Use of the Remote Announce Parameter</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>remote browse sync, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id355674">Use of the Remote Browse Sync Parameter</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>remote desktop capabilities, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>remote desktop management, <a href="AdvancedNetworkManagement.html#id423235">Remote Desktop Management</a></dt><dt>remote domain, <a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a>, <a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>remote login, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>remote management, <a href="NetCommand.html">Remote and Local Management: The Net Command</a>, <a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></dt><dt>Remote Procedure Call (see RPC)</dt><dt>Remote Procedure Call System Service (see RPCSS)</dt><dt>remote profile, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>remote segment, <a href="NetworkBrowsing.html#id355674">Use of the Remote Browse Sync Parameter</a>, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>Remote X, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>Remote X protocol, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>remote-update protocol, <a href="Backup.html#id435788">Rsync</a></dt><dt>rename, <a href="AccessControls.html#id381159">Managing Directories</a></dt><dt>render, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a></dt><dt>rendering, <a href="CUPS-printing.html#id406350">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>repeated intervals, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>replicate, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>replicated, <a href="ServerType.html#id332909">Features and Benefits</a>, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-bdc.html#id340717">Active Directory Domain Control</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></dt><dt>replicated SYSVOL, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></dt><dt>replication, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt><dd><dl><dt>browse lists, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>SAM, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a></dt><dt>WINS, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="NetworkBrowsing.html#id356273">WINS Replication</a></dt></dl></dd><dt>replication protocols, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></dt><dt>repository, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>requesting payment, <a href="ch46.html#id454529">Free Support</a></dt><dt>required, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>requisite, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>research, <a href="Backup.html#id435539">Discussion of Backup Solutions</a></dt><dt>resizing, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>resolution, <a href="CUPS-printing.html#id405438">The Role of cupsomatic/foomatic</a></dt><dt>resolution of NetBIOS names, <a href="NetworkBrowsing.html">Network Browsing</a></dt><dt>resolve NetBIOS names, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></dt><dt>resolver functions, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>resource failover, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>resource kit, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a>, <a href="ProfileMgmt.html#profilemigrn">Windows NT4 Profile Management Tools</a></dt><dt>resource-based exclusion, <a href="securing-samba.html#id387302">Features and Benefits</a></dt><dt>response, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></dt><dt>restrict DNS, <a href="NetworkBrowsing.html#id356676">Name Resolution Order</a></dt><dt>reviewers, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>revoke privileges, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>RFC 1001, <a href="DNSDHCP.html#id455025">Example Configuration</a></dt><dt>RFC 1002, <a href="DNSDHCP.html#id455025">Example Configuration</a></dt><dt>RFC 1179, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>RFC 2307, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>RFC 2307., <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>RFC 2830, <a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>rfc2307bis, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>RFC2830, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt><dt>RFCs, <a href="problems.html">Analyzing and Solving Samba Problems</a></dt><dt>rich database backend, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>rich directory backend, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>RID, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="groupmapping.html#id367529">Discussion</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="rights.html#id380042">The Administrator Domain SID</a>, <a href="winbind.html#id420167">User and Group ID Allocation</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>RID 500, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>RID base, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>right to join domain, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>rights, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="domain-member.html#id346082">Possible Errors</a>, <a href="rights.html#id378765">Rights Management Capabilities</a></dt><dt>rights and privilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></dt><dt>rights and privileges, <a href="groupmapping.html#id368424">Important Administrative Information</a>, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>rights assigned, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>RIP, <a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>rlogind, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>Roaming Profile, <a href="VFS.html#fakeperms">fake_perms</a></dt><dt>roaming profiles, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="ProfileMgmt.html#id425731">Features and Benefits</a>, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>rogue machine, <a href="NetworkBrowsing.html#id358308">Flushing the Samba NetBIOS Name Cache</a></dt><dt>rogue user, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>root, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>root account, <a href="rights.html">User Rights and Privileges</a>, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>root preexec, <a href="NetCommand.html#id371525">Managing Nest Groups on Workstations from the Samba Server</a>, <a href="NT4Migration.html#id443491">Logon Scripts</a></dt><dt>root user, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>rotate, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>RPC, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a>, <a href="ProfileMgmt.html#id425774">Roaming Profiles</a></dt><dt>RPC calls, <a href="winbind.html#id422791">Conclusion</a>, <a href="SambaHA.html#id436456">The Front-End Challenge</a></dt><dt>RPC modules, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>rpc.lockd, <a href="locking.html#id385144">Discussion</a></dt><dt>rpcclient, <a href="NetCommand.html">Remote and Local Management: The Net Command</a>, <a href="classicalprinting.html#id396246">Identifying Driver Files</a>, <a href="classicalprinting.html#id397481">Specific Driver Name Flexibility</a>, <a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a>, <a href="PolicyMgmt.html#id425437">Samba PDC</a></dt><dd><dl><dt>adddriver, <a href="CUPS-printing.html#id409517">Run cupsaddsmb with Verbose Output</a>, <a href="CUPS-printing.html#id409621">Understanding cupsaddsmb</a>, <a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id410555">Understanding the rpcclient man Page</a>, <a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></dt><dt>enumdrivers, <a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></dt><dt>enumports, <a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a></dt><dt>enumprinters, <a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a>, <a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a></dt><dt>getdriver, <a href="CUPS-printing.html#id410647">Producing an Example by Querying a Windows Box</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></dt><dt>getprinter, <a href="CUPS-printing.html#id410647">Producing an Example by Querying a Windows Box</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a>, <a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a></dt><dt>setdriver, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a>, <a href="CUPS-printing.html#id409517">Run cupsaddsmb with Verbose Output</a>, <a href="CUPS-printing.html#id409621">Understanding cupsaddsmb</a>, <a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></dt></dl></dd><dt>rsh, <a href="Backup.html#id435626">BackupPC</a></dt><dt>rsync, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="Backup.html#id435626">BackupPC</a>, <a href="Backup.html#id435788">Rsync</a>, <a href="compiling.html#id450289">Accessing the Samba Sources via rsync and ftp</a></dt><dt>rsyncd, <a href="Backup.html#id435626">BackupPC</a></dt><dt>runas, <a href="classicalprinting.html#id398340">Always Make First Client Connection as root or “printer admin”</a></dt><dt>rundll32, <a href="classicalprinting.html#id398228">Additional Client Driver Installation</a>, <a href="classicalprinting.html#id398507">Setting Default Print Options for Client Drivers</a>, <a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a>, <a href="AdvancedNetworkManagement.html#id423940">Adding Printers without User Intervention</a></dt></dl></div><div class="indexdiv"><h3>S</h3><dl><dt>SAM, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="samba-bdc.html#id341947">Machine Accounts Keep Expiring</a>, <a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a>, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="winbind.html#id420241">Result Caching</a></dt><dd><dl><dt>delta file, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>replication, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt></dl></dd><dt>SAM backend, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dd><dl><dt>LDAP, <a href="samba-bdc.html#id339320">Features and Benefits</a></dt><dt>ldapsam, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id364485">ldapsam</a></dt><dt>ldapsam_compat, <a href="passdb.html#id359091">Features and Benefits</a></dt><dt>non-LDAP, <a href="samba-bdc.html#id339320">Features and Benefits</a></dt><dt>smbpasswd, <a href="passdb.html#id359091">Features and Benefits</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>tdbsam, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="passdb.html#id364340">tdbsam</a></dt></dl></dd><dt>Samba 1.9.17, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></dt><dt>Samba account, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>Samba administrator, <a href="winbind.html#id420297">Introduction</a></dt><dt>Samba backend database, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>Samba daemons, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>Samba differences, <a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></dt><dt>Samba mailing lists, <a href="Backup.html#id435499">Features and Benefits</a></dt><dt>Samba private directory, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>Samba SAM, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>Samba SAM account, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>Samba SAM account flags, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>Samba schema, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>Samba security, <a href="securing-samba.html#id387302">Features and Benefits</a></dt><dt>Samba-2.2.x LDAP schema, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></dt><dt>Samba-3-compatible LDAP backend, <a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></dt><dt>Samba-PDC-LDAP-HOWTO, <a href="passdb.html#id364485">ldapsam</a></dt><dt>samba-to-samba trusts, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>samba-vscan, <a href="VFS.html#id418663">vscan</a></dt><dt>samba.schema, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id364973">OpenLDAP Configuration</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>sambaDomain, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>sambaGroupMapping, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>sambaHomeDrive, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>sambaHomePath, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>sambaIdmapEntry, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>sambaLogonScript, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>SambaNTPassword, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>sambaProfilePath, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>SambaSAMAccount, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="passdb.html#acctmgmttools">Account Management Tools</a>, <a href="passdb.html#id362965">Adding User Accounts</a>, <a href="passdb.html#id363042">Deleting Accounts</a>, <a href="passdb.html#id363122">Changing User Accounts</a>, <a href="passdb.html#id364340">tdbsam</a></dt><dt>sambaSamAccount, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id364973">OpenLDAP Configuration</a>, <a href="passdb.html#id365886">Accounts and Groups Management</a>, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>sambaSAMAccount, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>sambaSID, <a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a></dt><dt>sambaUNIXIdPool, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>SambaXP conference, <a href="SambaHA.html#id436191">Technical Discussion</a></dt><dt>samdb interface, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>same domain/workgroup, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>Sarbanes-Oxley, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>scalability, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-bdc.html#id339320">Features and Benefits</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id364340">tdbsam</a>, <a href="InterdomainTrusts.html#id388758">Features and Benefits</a></dt><dt>scalable, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>scalable backend, <a href="InterdomainTrusts.html#id388758">Features and Benefits</a></dt><dt>scalable coherent interface (see SCI)</dt><dt>scale, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>scanner module, <a href="VFS.html#id416413">Discussion</a></dt><dt>schannel, <a href="samba-pdc.html#id339147">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt><dt>schema, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>schema file, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>scp, <a href="Backup.html#id435788">Rsync</a></dt><dt>script, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>scripted control, <a href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>scripts, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>SCSI, <a href="SambaHA.html#id437081">High-Availability Server Products</a></dt><dt>SeAddUsersPrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>SeAssignPrimaryTokenPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeAuditPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeBackupPrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeChangeNotifyPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>Seclib, <a href="AccessControls.html#id383310">Viewing File Ownership</a></dt><dt>secondary controller, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>SeCreateGlobalPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeCreatePagefilePrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeCreatePermanentPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeCreateTokenPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>secret, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>secrets.tdb, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html#id365225">Initialize the LDAP Database</a>, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>section name, <a href="install.html#id325753">Configuration File Syntax</a></dt><dt>secure, <a href="StandAloneServer.html#id347049">Features and Benefits</a></dt><dt>secure access, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>secure authentication, <a href="rights.html">User Rights and Privileges</a></dt><dt>secure communications, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>secured networks, <a href="securing-samba.html#id387214">Introduction</a></dt><dt>security, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="ServerType.html#id333211">Samba Security Modes</a>, <a href="ServerType.html#id333479">Example Configuration</a>, <a href="ServerType.html#id333654">Example Configuration</a>, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="ServerType.html#id334251">Example Configuration</a>, <a href="ServerType.html#id334332">Server Security (User Level Security)</a>, <a href="ServerType.html#id334489">Example Configuration</a>, <a href="ServerType.html#id334776">What Makes Samba a Server?</a>, <a href="ServerType.html#id334805">What Makes Samba a Domain Controller?</a>, <a href="ServerType.html#id334843">What Makes Samba a Domain Member?</a>, <a href="ServerType.html#id334868">Constantly Losing Connections to Password Server</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="domain-member.html#id345150">Configure smb.conf</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="securing-samba.html#id387214">Introduction</a>, <a href="CUPS-printing.html#id409387">Run cupsaddsmb (Quiet Mode)</a>, <a href="CUPS-printing.html#root-ask-loop">“cupsaddsmb” Keeps Asking for Root Password in Never-ending Loop</a>, <a href="ProfileMgmt.html#id429610">Changing the Default Profile</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="Other-Clients.html#id452468">Configuring Windows for Workgroups Password Handling</a></dt><dd><dl><dt>controllers, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt><dt>modes, <a href="ServerType.html#id332909">Features and Benefits</a></dt><dt>settings, <a href="install.html#id326850">Example Configuration</a></dt></dl></dd><dt>security = user, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>security account, <a href="NetCommand.html#id370067">Overview</a></dt><dt>Security Account Manager (see SAM)</dt><dt>Security Assertion Markup Language (see SAML)</dt><dt>security context, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>security contexts, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>security credentials, <a href="idmapper.html#id376159">Backup Domain Controller</a>, <a href="InterdomainTrusts.html#id389083">Native MS Windows NT4 Trusts Configuration</a></dt><dt>security domain, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>security domains, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>security flaw, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></dt><dt>security hole, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></dt><dt>security identifier, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a> (see SID)</dt><dt>security level, <a href="ServerType.html#id334332">Server Security (User Level Security)</a></dt><dt>security levels, <a href="ServerType.html#id333211">Samba Security Modes</a></dt><dt>security mask, <a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id383760">Interaction with the Standard Samba “create mask” Parameters</a></dt><dt>security mode, <a href="ServerType.html">Server Types and Security Modes</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></dt><dt>Security Mode, <a href="ServerType.html#id333211">Samba Security Modes</a></dt><dt>security modes, <a href="ServerType.html#id333211">Samba Security Modes</a></dt><dt>security name-space, <a href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>security policies, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></dt><dt>security settings, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>security structure, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>security vulnerability, <a href="securing-samba.html#id388158">Upgrading Samba</a></dt><dt>security-aware, <a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></dt><dt>SeDebugPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeDiskOperatorPrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>SeEnableDelegationPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeImpersonatePrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeIncreaseBasePriorityPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeIncreaseQuotaPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeLoadDriverPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeLockMemoryPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeMachineAccountPrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379339">Description of Privileges</a>, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeManageVolumePrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>separate instances, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>separate servers, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>separate shares, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>separate workgroups, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>SePrintOperatorPrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>SeProfileSingleProcessPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeRemoteShutdownPrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379339">Description of Privileges</a>, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeRestorePrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>server failure, <a href="SambaHA.html#id436345">Why Is This So Hard?</a></dt><dt>Server Manager, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></dt><dt>Server Manager for Domains, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>Server Message Block (see SMB)</dt><dt>server pool, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a>, <a href="SambaHA.html#id436764">Restrictive Constraints on Distributed File Systems</a></dt><dt>server string, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></dt><dt>Server Type, <a href="ServerType.html#id333060">Server Types</a></dt><dd><dl><dt>Domain Controller, <a href="FastStart.html#id330741">Domain Controller</a></dt><dt>Domain Member, <a href="FastStart.html#id329828">Domain Member Server</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#id342376">Features and Benefits</a></dt><dt>Stand-alone, <a href="FastStart.html#id327975">Standalone Server</a></dt></dl></dd><dt>server type, <a href="NetCommand.html#id370067">Overview</a></dt><dd><dl><dt>domain member, <a href="ServerType.html#id333890">Example Configuration</a></dt></dl></dd><dt>Server Types, <a href="idmapper.html#id374968">Samba Server Deployment Types and IDMAP</a></dt><dt>server-mode, <a href="ServerType.html#id334805">What Makes Samba a Domain Controller?</a></dt><dt>service name, <a href="install.html#id326850">Example Configuration</a></dt><dt>service-level, <a href="classicalprinting.html#id391335">Printing-Related Configuration Parameters</a>, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>services provided, <a href="ch46.html">Samba Support</a></dt><dt>SeSecurityPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeShutdownPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>session, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>session services, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>session setup, <a href="ServerType.html#id333359">User Level Security</a>, <a href="ServerType.html#id334332">Server Security (User Level Security)</a></dt><dt>sessionid.tdb, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>SessionSetupAndX, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>SeSyncAgentPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeSystemEnvironmentPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeSystemProfilePrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeSystemtimePrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>set a password, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>set group id (see SGID)</dt><dt>set primary group script, <a href="FastStart.html#id331703">The Primary Domain Controller</a></dt><dt>set printer properties, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>set user id (see SUID)</dt><dt>SeTakeOwnershipPrivilege, <a href="NetCommand.html#id372180">Administering User Rights and Privileges</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id379339">Description of Privileges</a>, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>SeTcbPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>setdriver, <a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a>, <a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a></dt><dt>SetPrinter(), <a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></dt><dt>setting up directories, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>SeUndockPrivilege, <a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></dt><dt>severely impaired, <a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a></dt><dt>SFU, <a href="idmapper.html#id378398">IDMAP, Active Directory, and MS Services for UNIX 3.5</a></dt><dt>SFU 3.5, <a href="idmapper.html#id375941">Primary Domain Controller</a></dt><dt>SGI-RGB, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>SGID, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>shadow, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></dt><dt>shadow copies, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>shadow password file, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>shadow utilities, <a href="groupmapping.html#id367144">Features and Benefits</a></dt><dt>shadow_copy, <a href="VFS.html#id417753">shadow_copy</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>shadow_copy module, <a href="VFS.html#id417753">shadow_copy</a></dt><dt>share, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>share access, <a href="AccessControls.html#id382742">Access Controls on Shares</a></dt><dt>share ACLs, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>share management, <a href="NetCommand.html#id370067">Overview</a></dt><dt>share modes, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>share permissions, <a href="AccessControls.html#id382888">Windows NT4 Workstation/Server</a></dt><dt>Share Permissions, <a href="AccessControls.html#id382986">Windows 200x/XP</a></dt><dt>share settings, <a href="AccessControls.html#id380678">Features and Benefits</a></dt><dt>share stanza controls, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>share-level, <a href="ServerType.html#id333211">Samba Security Modes</a>, <a href="ServerType.html#id333519">Share-Level Security</a>, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>share-level ACLs, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>share-mode, <a href="StandAloneServer.html#id347049">Features and Benefits</a></dt><dt>share-mode security, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></dt><dt>share-mode server, <a href="StandAloneServer.html#id347049">Features and Benefits</a></dt><dt>shared secret, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>shares, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>shares and files, <a href="winbind.html#id420404">Requirements</a></dt><dt>share_info.tdb, <a href="AccessControls.html#id382742">Access Controls on Shares</a>, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>Sharing, <a href="AccessControls.html#id382986">Windows 200x/XP</a></dt><dt>shell scripts, <a href="classicalprinting.html#id393900">Print Commands</a></dt><dt>shift, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>Shift_JIS, <a href="unicode.html#id434469">Japanese Charsets</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>short preserve case, <a href="AccessControls.html#id382473">Miscellaneous Controls</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="largefile.html">Handling Large Directories</a></dt><dt>shortcuts, <a href="ClientConfig.html#id348430">TCP/IP Configuration</a>, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>Shortcuts, <a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>show add printer wizard, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>show-stopper-type, <a href="NT4Migration.html#id442739">Planning and Getting Started</a></dt><dt>SID, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id338937">The System Cannot Log You On (C000019B)</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="rights.html#id378765">Rights Management Capabilities</a>, <a href="rights.html#id380042">The Administrator Domain SID</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id419533">Handling of Foreign SIDs</a>, <a href="ProfileMgmt.html#id427910">Side Bar Notes</a>, <a href="ProfileMgmt.html#id427998">Get SID</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a>, <a href="NT4Migration.html#id443546">Profile Migration/Creation</a></dt><dt>SID management, <a href="NetCommand.html#id370067">Overview</a></dt><dt>SID-to-GID, <a href="groupmapping.html#id367144">Features and Benefits</a></dt><dt>SIDs, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>signing, <a href="samba-pdc.html#id339147">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt><dt>simple access controls, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>simple configuration, <a href="install.html#id326850">Example Configuration</a></dt><dt>simple guide, <a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></dt><dt>Simple Object Access Protocol (see SOAP)</dt><dt>simple operation, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>simple print server, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>simple printing, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>simplest</dt><dd><dl><dt>configuration, <a href="install.html#id326850">Example Configuration</a></dt></dl></dd><dt>simplicity, <a href="StandAloneServer.html#id347049">Features and Benefits</a></dt><dt>Simplicity is king, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>single DHCP server, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>single repository, <a href="passdb.html">Account Information Databases</a></dt><dt>single server, <a href="SambaHA.html#id436456">The Front-End Challenge</a></dt><dt>single sign-on, <a href="domain-member.html#id342376">Features and Benefits</a> (see SSO)</dt><dt>Single Sign-On, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></dt><dt>single-byte charsets, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>single-logon, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>single-sign-on, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>single-user mode, <a href="winbind.html#id420404">Requirements</a></dt><dt>slapadd, <a href="passdb.html#id365225">Initialize the LDAP Database</a></dt><dt>slapd, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>slapd.conf, <a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a>, <a href="passdb.html#id364973">OpenLDAP Configuration</a>, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>slapd.pem, <a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></dt><dt>slapindex, <a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a></dt><dt>slappasswd, <a href="passdb.html#id365225">Initialize the LDAP Database</a></dt><dt>slave servers, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>slow browsing, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>slow network, <a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>slow network browsing, <a href="NetworkBrowsing.html#id358640">Invalid Cached Share References Affects Network Browsing</a></dt><dt>slow performance, <a href="speed.html#id453443">Samba Performance is Very Slow</a></dt><dt>smart printers, <a href="CUPS-printing.html#id400581">Overview</a></dt><dt>SMB, <a href="ServerType.html#id334332">Server Security (User Level Security)</a>, <a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a>, <a href="StandAloneServer.html#id347134">Background</a>, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a>, <a href="securing-samba.html#id387645">Using Interface Protection</a>, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a>, <a href="Backup.html#id435626">BackupPC</a>, <a href="SambaHA.html#id436456">The Front-End Challenge</a>, <a href="SambaHA.html#id436827">Server Pool Communications</a>, <a href="problems.html">Analyzing and Solving Samba Problems</a></dt><dt>SMB encryption, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>SMB locks, <a href="SambaHA.html#id436827">Server Pool Communications</a></dt><dt>SMB name, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></dt><dt>SMB networking, <a href="problems.html#id448088">Diagnostics Tools</a></dt><dt>SMB password, <a href="passdb.html#id361615">The smbpasswd Tool</a></dt><dt>SMB Password, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>SMB password encryption, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>smb ports, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>SMB printers, <a href="CUPS-printing.html#id415530">Administrator Cannot Install Printers for All Local Users</a></dt><dt>SMB requests, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>SMB semantics, <a href="SambaHA.html#id436641">The Distributed File System Challenge</a></dt><dt>SMB server, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>SMB Server, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>SMB services, <a href="SambaHA.html#id436764">Restrictive Constraints on Distributed File Systems</a></dt><dt>SMB signing, <a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>SMB state information, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>SMB-based messaging, <a href="NetworkBrowsing.html#netdiscuss">Discussion</a></dt><dt>smb-cdserver.conf, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>smb.conf, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>SMB/CIFS, <a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a>, <a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a>, <a href="passdb.html#id359822">Important Notes About Security</a>, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>SMB/CIFS server, <a href="passdb.html#id363976">Password Backends</a></dt><dt>smbclient, <a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a>, <a href="classicalprinting.html#id396743">Installing Driver Files into [print$]</a>, <a href="classicalprinting.html#id396937">smbclient to Confirm Driver Installation</a>, <a href="Backup.html#id435626">BackupPC</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>smbd, <a href="install.html#id326670">Starting Samba</a>, <a href="install.html#id326850">Example Configuration</a>, <a href="install.html#id327100">Test Your Config File with testparm</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="rights.html#id379339">Description of Privileges</a>, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a>, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a>, <a href="VFS.html#id417038">extd_audit</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id420546">Testing Things Out</a>, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a>, <a href="winbind.html#id421865">Linux</a>, <a href="winbind.html#id422049">Solaris</a>, <a href="SambaHA.html#id436827">Server Pool Communications</a>, <a href="largefile.html">Handling Large Directories</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>smbgroupedit, <a href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>smbgrpadd.sh, <a href="groupmapping.html#id369332">Sample smb.conf Add Group Script</a></dt><dt>smbHome, <a href="passdb.html#id366198">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>smbldap-groupadd, <a href="NetCommand.html#id370603">Adding or Creating a New Group</a></dt><dt>smbldap-tools, <a href="passdb.html#id364485">ldapsam</a></dt><dt>smbpasswd, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id345150">Configure smb.conf</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a>, <a href="passdb.html#acctmgmttools">Account Management Tools</a>, <a href="passdb.html#id361615">The smbpasswd Tool</a>, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a href="passdb.html#id362637">User Account Management</a>, <a href="passdb.html#id363855">Account Import/Export</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="passdb.html#id364485">ldapsam</a>, <a href="passdb.html#id364767">Schema and Relationship to the RFC 2307 posixAccount</a>, <a href="passdb.html#id365225">Initialize the LDAP Database</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a href="PolicyMgmt.html#id425437">Samba PDC</a>, <a href="upgrading-to-3.0.html#id441871">Passdb Backends and Authentication</a>, <a href="upgrading-to-3.0.html#id442043">New Schema</a></dt><dt>smbpasswd format, <a href="passdb.html#id362746">Listing User and Machine Accounts</a></dt><dt>smbpasswd plaintext database, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>SMBsessetupX, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>smbspool, <a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></dt><dt>smbstatus, <a href="CUPS-printing.html#id415360">Avoid Being Connected to the Samba Server as the Wrong User</a>, <a href="bugreport.html#id449791">Attaching to a Running Process</a></dt><dt>SMBtconX, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a></dt><dt>smbusers, <a href="securing-samba.html#id387586">User-Based Protection</a></dt><dt>SMS, <a href="problems.html#id448565">The Windows Network Monitor</a></dt><dt>Snapshots, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>sniffer, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="problems.html#id448088">Diagnostics Tools</a></dt><dt>socket, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>socket address, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>socket options, <a href="speed.html#id452984">Socket Options</a></dt><dt>SOFTQ printing system, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>Solaris, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a>, <a href="pam.html#id429934">Features and Benefits</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>Solaris 9, <a href="winbind.html#id422049">Solaris</a></dt><dt>source code, <a href="install.html#id326850">Example Configuration</a></dt><dt>space character, <a href="groupmapping.html#id369618">Adding Groups Fails</a></dt><dt>special account, <a href="rights.html">User Rights and Privileges</a>, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>special section, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></dt><dt>special sections, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>special stanza, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></dt><dt>specific restrictions, <a href="AccessControls.html#id382742">Access Controls on Shares</a></dt><dt>Specify an IP address, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>spinning process, <a href="bugreport.html#id449791">Attaching to a Running Process</a></dt><dt>spool, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a></dt><dd><dl><dt>directory, <a href="install.html#id325753">Configuration File Syntax</a></dt></dl></dd><dt>spool files, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>spooled file, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>spooler., <a href="install.html#id325753">Configuration File Syntax</a></dt><dt>spooling, <a href="classicalprinting.html#id394436">Custom Print Commands</a>, <a href="CUPS-printing.html#id401636">Central Spooling vs. “Peer-to-Peer” Printing</a></dt><dd><dl><dt>central, <a href="CUPS-printing.html#id401636">Central Spooling vs. “Peer-to-Peer” Printing</a></dt><dt>peer-to-peer, <a href="CUPS-printing.html#id401636">Central Spooling vs. “Peer-to-Peer” Printing</a></dt></dl></dd><dt>spooling path, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a></dt><dt>spooling-only, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a></dt><dt>SPOOLSS, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>SQL, <a href="ChangeNotes.html#id351743">Passdb Changes</a></dt><dt>SQUID, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>SRV records, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt><dt>SRV RR, <a href="integrate-ms-networks.html#id432576">Background Information</a></dt><dt>SrvMgr.exe, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>srvmgr.exe, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>SRVTOOLS.EXE, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></dt><dt>ssh, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="Backup.html#id435626">BackupPC</a></dt><dt>SSH, <a href="classicalprinting.html#id396937">smbclient to Confirm Driver Installation</a>, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>SSL, <a href="SWAT.html#id445330">Securing SWAT through SSL</a></dt><dt>SSO, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="domain-member.html#id342376">Features and Benefits</a>, <a href="passdb.html#id360825">Comments Regarding LDAP</a></dt><dt>stability, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>stack trace, <a href="bugreport.html#id449670">Internal Errors</a></dt><dt>stale network links, <a href="NetworkBrowsing.html#id358640">Invalid Cached Share References Affects Network Browsing</a></dt><dt>stand-alone server, <a href="idmapper.html#id374992">Standalone Samba Server</a></dt><dt>standalone, <a href="ServerType.html#id333060">Server Types</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>standalone filter, <a href="CUPS-printing.html#id404588">pstoraster</a></dt><dt>standalone server, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="StandAloneServer.html">Standalone Servers</a>, <a href="StandAloneServer.html#id347049">Features and Benefits</a>, <a href="StandAloneServer.html#id347134">Background</a>, <a href="passdb.html#id362965">Adding User Accounts</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a>, <a href="NT4Migration.html#id443153">Domain Layout</a></dt><dt>standard confirmation, <a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a></dt><dt>stanza, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="largefile.html">Handling Large Directories</a></dt><dt>stapling, <a href="CUPS-printing.html#id404429">pstops</a></dt><dt>StartDocPrinter, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>starting samba</dt><dd><dl><dt>nmbd, <a href="install.html#id326670">Starting Samba</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a></dt><dt>smbd, <a href="install.html#id326670">Starting Samba</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a></dt><dt>winbindd, <a href="install.html#id326670">Starting Samba</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="winbind.html#id418954">Features and Benefits</a></dt></dl></dd><dt>startsmb, <a href="compiling.html#id451161">Alternative: Starting smbd as a Daemon</a></dt><dt>StartTLS, <a href="passdb.html#id365990">Security and sambaSamAccount</a></dt><dt>startup</dt><dd><dl><dt>process, <a href="install.html#id326670">Starting Samba</a></dt></dl></dd><dt>startup script, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>state, <a href="SambaHA.html#id436345">Why Is This So Hard?</a></dt><dt>state information, <a href="SambaHA.html#id436345">Why Is This So Hard?</a></dt><dt>state of knowledge, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>static WINS entries, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>status32 codes, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>sticky bit, <a href="AccessControls.html#id381279">File and Directory Access Control</a>, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>storage mechanism, <a href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>storage methods, <a href="passdb.html#id361615">The smbpasswd Tool</a></dt><dt>stphoto2.ppd, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>strange delete semantics, <a href="largefile.html">Handling Large Directories</a></dt><dt>strict locking, <a href="locking.html#id385144">Discussion</a></dt><dt>stripped of comments, <a href="SWAT.html#id444620">Features and Benefits</a></dt><dt>strptime, <a href="passdb.html#id363122">Changing User Accounts</a></dt><dt>stunnel, <a href="SWAT.html#id445330">Securing SWAT through SSL</a></dt><dt>su, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>subnet mask, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349640">MS Windows Me</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>subnets, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>subscription, <a href="ch46.html#id454529">Free Support</a></dt><dt>subsuffix parameters, <a href="upgrading-to-3.0.html#id442417">New Suffix for Searching</a></dt><dt>Subversion, <a href="compiling.html#id450076">Introduction</a>, <a href="compiling.html#id450158">Access via Subversion</a></dt><dt>successful join, <a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>successful migration, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>sufficient, <a href="pam.html#id430654">Anatomy of /etc/pam.d Entries</a></dt><dt>suffixes, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>SUID, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>Sun, <a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>Sun ONE iDentity server, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>Sun Solaris, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>SUN-Raster, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>support, <a href="ch46.html">Samba Support</a></dt><dt>support exposure, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>SVN</dt><dd><dl><dt>web, <a href="compiling.html#id450125">Access via ViewCVS</a></dt></dl></dd><dt>SVRTOOLS.EXE, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>SWAT, <a href="install.html#id325710">Configuring Samba (smb.conf)</a>, <a href="SWAT.html">SWAT: The Samba Web Administration Tool</a></dt><dt>swat, <a href="install.html#id327272">SWAT</a>, <a href="SWAT.html#id444749">Validate SWAT Installation</a>, <a href="SWAT.html#id444812">Locating the SWAT File</a>, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dd><dl><dt>enable, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>security, <a href="SWAT.html#id445330">Securing SWAT through SSL</a></dt></dl></dd><dt>SWAT binary support, <a href="SWAT.html#id444749">Validate SWAT Installation</a></dt><dt>swat command-line options, <a href="SWAT.html#id444812">Locating the SWAT File</a></dt><dt>SWAT permission allowed, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>symbolic links, <a href="msdfs.html#id390330">Features and Benefits</a></dt><dt>synchronization, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>synchronization problems, <a href="winbind.html#id419277">Introduction</a></dt><dt>synchronize, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="NetworkBrowsing.html#id355674">Use of the Remote Browse Sync Parameter</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>synchronized, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></dt><dt>syntax tolerates spelling errors, <a href="classicalprinting.html#id391430">Simple Print Configuration</a></dt><dt>syslog, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>system access controls, <a href="passdb.html#id359295">New Account Storage Systems</a></dt><dt>system accounts, <a href="passdb.html#id362637">User Account Management</a></dt><dt>system administrator, <a href="rights.html">User Rights and Privileges</a></dt><dt>system groups, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>system interface scripts, <a href="rights.html">User Rights and Privileges</a></dt><dt>system policies, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></dt><dt>System Policy Editor, <a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id424881">Administration of Windows 200x/XP Policies</a>, <a href="ProfileMgmt.html#id428275">MS Windows 9x/Me</a></dt><dt>system security, <a href="groupmapping.html#id368532">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>system tools, <a href="Backup.html#id435499">Features and Benefits</a></dt><dt>SYSV, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>SYSVOL, <a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></dt></dl></div><div class="indexdiv"><h3>T</h3><dl><dt>tail, <a href="diagnosis.html#id446194">Assumptions</a></dt><dt>take ownership, <a href="rights.html#id379339">Description of Privileges</a></dt><dt>Take Ownership, <a href="AccessControls.html#id383310">Viewing File Ownership</a></dt><dt>tape, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>tar, <a href="Backup.html#id435626">BackupPC</a></dt><dt>tarball, <a href="install.html#id326850">Example Configuration</a></dt><dt>tattoo effect, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>TCP, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a>, <a href="SambaHA.html#id436345">Why Is This So Hard?</a></dt><dt>TCP data streams, <a href="SambaHA.html#id436456">The Front-End Challenge</a></dt><dt>TCP failover, <a href="SambaHA.html#id436345">Why Is This So Hard?</a></dt><dt>TCP port, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>TCP port 139, <a href="integrate-ms-networks.html#id432576">Background Information</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>TCP port 445, <a href="integrate-ms-networks.html#id432576">Background Information</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></dt><dt>tcp ports, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>TCP/IP, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349640">MS Windows Me</a>, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a>, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></dt><dt>TCP/IP configuration, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>TCP/IP configuration panel, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>TCP/IP protocol configuration, <a href="ClientConfig.html#id348389">Technical Details</a></dt><dt>TCP/IP protocol settings, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>TCP/IP protocol stack, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></dt><dt>TCP/IP-only, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></dt><dt>tcpdump, <a href="problems.html#id448378">Tcpdump</a></dt><dt>TDB, <a href="passdb.html#id359295">New Account Storage Systems</a>, <a href="classicalprinting.html#id397583">Running rpcclient with setdriver</a>, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a>, <a href="CUPS-printing.html#id412184">Trivial Database Files</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dd><dl><dt>backing up (see tdbbackup)</dt></dl></dd><dt>tdb, <a href="winbind.html#id420167">User and Group ID Allocation</a>, <a href="SambaHA.html#id436827">Server Pool Communications</a></dt><dt>tdb data files, <a href="upgrading-to-3.0.html#id441445">TDB Data Files</a></dt><dt>TDB database, <a href="classicalprinting.html#id397066">Running rpcclient with adddriver</a></dt><dt>TDB database files, <a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>tdb file backup, <a href="upgrading-to-3.0.html#id441445">TDB Data Files</a></dt><dt>tdb file descriptions, <a href="install.html#tdbdocs">TDB Database File Information</a>, <a href="upgrading-to-3.0.html#id441445">TDB Data Files</a></dt><dt>tdb file locations, <a href="install.html#tdbdocs">TDB Database File Information</a></dt><dt>tdb files, <a href="AccessControls.html#id382742">Access Controls on Shares</a></dt><dt>tdbbackup, <a href="CUPS-printing.html#id412353">Using tdbbackup</a>, <a href="speed.html#id453354">Corrupt tdb Files</a></dt><dt>tdbdump, <a href="AccessControls.html#id382742">Access Controls on Shares</a></dt><dt>tdbsam, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#id362746">Listing User and Machine Accounts</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="passdb.html#id364340">tdbsam</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>tdbsam databases, <a href="passdb.html#id363976">Password Backends</a></dt><dt>technical reviewers, <a href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>Telnet, <a href="passdb.html#id360246">Advantages of Non-Encrypted Passwords</a></dt><dt>telnet logins, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>template, <a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></dt><dt>template homedir, <a href="winbind.html#id421104">Configure smb.conf</a>, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>template primary group, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a></dt><dt>template shell, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="winbind.html#id421104">Configure smb.conf</a></dt><dt>temporary location, <a href="classicalprinting.html#id393900">Print Commands</a></dt><dt>terminal server, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>Terminal Server, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>test: parameter, <a href="VFS.html#id416413">Discussion</a></dt><dt>Testing Server Setup, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>testparm, <a href="install.html#id327100">Test Your Config File with testparm</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id391698">Verifying Configuration with testparm</a>, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="diagnosis.html#id446194">Assumptions</a>, <a href="diagnosis.html#id446476">The Tests</a>, <a href="problems.html#id448137">Debugging with Samba Itself</a></dt><dt>tethereal, <a href="problems.html#id448378">Tcpdump</a></dt><dt>text/plain, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></dt><dt>texttops, <a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></dt><dt>thin client, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>ThinLinc, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>tid, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt><dt>TIFF, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>TightVNC, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a>, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>time difference, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a></dt><dt>time format, <a href="passdb.html#id363122">Changing User Accounts</a></dt><dt>time-to-live (see TTL)</dt><dt>tool, <a href="AccessControls.html#id382986">Windows 200x/XP</a></dt><dt>tools, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a></dt><dt>tools\reskit\netadmin\poledit, <a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a></dt><dt>traditional printing, <a href="classicalprinting.html#id394436">Custom Print Commands</a></dt><dt>training course, <a href="Backup.html#id435539">Discussion of Backup Solutions</a></dt><dt>transfer differences, <a href="Backup.html#id435788">Rsync</a></dt><dt>transformation, <a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></dt><dt>transitive, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>transparent access, <a href="domain-member.html#id342376">Features and Benefits</a></dt><dt>transparently reconnected, <a href="SambaHA.html#id436222">The Ultimate Goal</a></dt><dt>transport connection loss, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>Transport Layer Seccurity, TLS</dt><dd><dl><dt>Configuring, <a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></dt><dt>Introduction, <a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt></dl></dd><dt>transport layer security (see TLS)</dt><dt>Transport Layer Security, TLS</dt><dd><dl><dt>Testing, <a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></dt><dt>Troubleshooting, <a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></dt></dl></dd><dt>trigger, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>trivial database, <a href="passdb.html#id359295">New Account Storage Systems</a> (see TDB)</dt><dt>troubleshoot, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></dt><dt>troubleshooting, <a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></dt><dt>Tru64 UNIX, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>trust, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></dt><dd><dl><dt>account, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></dt></dl></dd><dt>trust account, <a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a>, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></dt><dd><dl><dt>interdomain, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt><dt>machine, <a href="samba-pdc.html#id335204">Features and Benefits</a></dt></dl></dd><dt>trust account password, <a href="samba-bdc.html#id339320">Features and Benefits</a></dt><dt>trust accounts, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="NetCommand.html#id370067">Overview</a></dt><dt>trust established, <a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></dt><dt>trust relationship, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a>, <a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a>, <a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a>, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>trust relationships, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="InterdomainTrusts.html#id388758">Features and Benefits</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>trusted, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>trusted domain, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a>, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a>, <a href="winbind.html#id419814">Name Service Switch</a></dt><dt>trusted domain name, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>trusted party, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>trusting domain, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a></dt><dt>trusting party, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>trusts, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>TTL, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>turn oplocks off, <a href="locking.html#id386096">Advanced Samba Oplocks Parameters</a></dt><dt>turnkey solution, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></dt><dt>two-up, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>two-way</dt><dd><dl><dt>propagation, <a href="samba-bdc.html#id339320">Features and Benefits</a></dt></dl></dd><dt>two-way trust, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a>, <a href="InterdomainTrusts.html#id389083">Native MS Windows NT4 Trusts Configuration</a>, <a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></dt></dl></div><div class="indexdiv"><h3>U</h3><dl><dt>UCS-2, <a href="unicode.html#id434469">Japanese Charsets</a></dt><dt>UDP, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></dt><dt>UDP port 137, <a href="integrate-ms-networks.html#id432576">Background Information</a></dt><dt>udp ports, <a href="winbind.html#id421301">Join the Samba Server to the PDC Domain</a></dt><dt>UDP unicast, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>UID, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#id362746">Listing User and Machine Accounts</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a>, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id375941">Primary Domain Controller</a>, <a href="rights.html">User Rights and Privileges</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id419533">Handling of Foreign SIDs</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>uid, <a href="passdb.html#id364973">OpenLDAP Configuration</a></dt><dt>UID numbers, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></dt><dt>UID range, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>unauthorized, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>unauthorized access, <a href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>UNC notation, <a href="classicalprinting.html#id396246">Identifying Driver Files</a></dt><dt>unexpected.tdb, <a href="CUPS-printing.html#id411985">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>unicast, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></dt><dt>unicode, <a href="unicode.html#id434205">What Are Charsets and Unicode?</a></dt><dt>Unicode, <a href="unicode.html#id434324">Samba and Charsets</a>, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>Unicode UTF-8, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>unified logon, <a href="winbind.html#id419277">Introduction</a></dt><dt>UNIX, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dd><dl><dt>server, <a href="ServerType.html#id332909">Features and Benefits</a></dt></dl></dd><dt>UNIX account, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt>unix charset, <a href="unicode.html#id434324">Samba and Charsets</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a>, <a href="unicode.html#id435148">Individual Implementations</a>, <a href="unicode.html#id435264">Migration from Samba-2.2 Series</a></dt><dt>UNIX Domain Socket, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>UNIX domain socket, <a href="winbind.html#id419645">How Winbind Works</a></dt><dt>UNIX file system access controls, <a href="AccessControls.html#id380678">Features and Benefits</a></dt><dt>UNIX group, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>UNIX groups, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>UNIX home directories, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></dt><dt>UNIX host system, <a href="rights.html">User Rights and Privileges</a></dt><dt>UNIX ID, <a href="winbind.html#id420167">User and Group ID Allocation</a></dt><dt>UNIX locking, <a href="locking.html#id385144">Discussion</a></dt><dt>UNIX login ID, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>UNIX permissions, <a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></dt><dt>UNIX printer, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>UNIX printing, <a href="classicalprinting.html#id391142">Technical Introduction</a></dt><dt>UNIX system account, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></dt><dt>UNIX system accounts, <a href="rights.html">User Rights and Privileges</a></dt><dt>UNIX system files, <a href="Backup.html#id435499">Features and Benefits</a></dt><dt>UNIX user identifier (see UID)</dt><dt>UNIX users, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>UNIX-style encrypted passwords, <a href="passdb.html#passdbtech">Technical Information</a></dt><dt>UNIX-user database, <a href="StandAloneServer.html#id347134">Background</a></dt><dt>UNIX/Linux group, <a href="groupmapping.html#id367843">Warning: User Private Group Problems</a></dt><dt>UNIX/Linux user account, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a></dt><dt>unlink calls, <a href="VFS.html#id417334">recycle</a></dt><dt>unlinked, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>unmapped groups, <a href="ChangeNotes.html#id351342">User and Group Changes</a></dt><dt>unmapped users, <a href="ChangeNotes.html#id351342">User and Group Changes</a></dt><dt>unprivileged account names, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>unsigned drivers, <a href="CUPS-printing.html#id415499">Windows 200x/XP Local Security Policies</a></dt><dt>unstoppable services, <a href="SambaHA.html#id436222">The Ultimate Goal</a></dt><dt>unsupported encryption, <a href="domain-member.html#id346082">Possible Errors</a></dt><dt>unsupported software, <a href="ch46.html#id454727">Commercial Support</a></dt><dt>updates, <a href="securing-samba.html#id388158">Upgrading Samba</a></dt><dt>upload drivers, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>uploaded driver, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>uploaded drivers, <a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a></dt><dt>uploading, <a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a></dt><dt>upper-case, <a href="ServerType.html#id333359">User Level Security</a></dt><dt>uppercase, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#id346726">Adding Machine to Domain Fails</a>, <a href="largefile.html">Handling Large Directories</a></dt><dt>uppercase character, <a href="groupmapping.html#id369618">Adding Groups Fails</a></dt><dt>USB, <a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></dt><dt>use client driver, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#id392714">The [global] Section</a>, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a href="CUPS-printing.html#id409757">How to Recognize If cupsaddsmb Completed Successfully</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>use computer anywhere, <a href="unicode.html#id434160">Features and Benefits</a></dt><dt>user, <a href="ServerType.html#id333519">Share-Level Security</a>, <a href="ChangeNotes.html#id351342">User and Group Changes</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="AccessControls.html#id381279">File and Directory Access Control</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>user access management, <a href="domain-member.html#id342376">Features and Benefits</a></dt><dt>user account, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="passdb.html#id362637">User Account Management</a>, <a href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a>, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a></dt><dd><dl><dt>Adding/Deleting, <a href="passdb.html#id361615">The smbpasswd Tool</a></dt></dl></dd><dt>user account database, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></dt><dt>user accounts, <a href="passdb.html#id361076">Caution Regarding LDAP and Samba</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>User Accounts</dt><dd><dl><dt>Adding/Deleting, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a href="passdb.html#id365886">Accounts and Groups Management</a></dt></dl></dd><dt>user and group, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>user and trust accounts, <a href="passdb.html">Account Information Databases</a></dt><dt>user attributes, <a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></dt><dt>user authentication, <a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></dt><dt>user database, <a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a>, <a href="passdb.html#id364023">Plaintext</a></dt><dt>user encoded, <a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></dt><dt>user groups, <a href="ch46.html#id454529">Free Support</a></dt><dt>user logons, <a href="rights.html">User Rights and Privileges</a></dt><dt>user management, <a href="passdb.html#id361615">The smbpasswd Tool</a>, <a href="NetCommand.html#id370067">Overview</a>, <a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></dt><dt>User Management, <a href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a href="passdb.html#id365886">Accounts and Groups Management</a></dt><dt>User Manager, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a>, <a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a>, <a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></dt><dt>User Manager for Domains, <a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></dt><dt>user or group, <a href="rights.html#id379021">Using the “net rpc rights” Utility</a></dt><dt>user profiles, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>User Rights and Privileges, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>user-level, <a href="ServerType.html#id333211">Samba Security Modes</a>, <a href="ServerType.html#id333359">User Level Security</a></dt><dt>User-level access control, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>user-level security, <a href="passdb.html#id360113">Advantages of Encrypted Passwords</a></dt><dt>user-mode security, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></dt><dt>user.DAT, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a>, <a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></dt><dt>user.MAN, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>User.MAN, <a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></dt><dt>useradd, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a>, <a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt>username, <a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a>, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a></dt><dt>username and password, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>username level, <a href="ServerType.html#id334587">Password Checking</a></dt><dt>username map, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="domain-member.html#id343797">Windows 200x/XP Professional Client</a>, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a>, <a href="NetCommand.html#id372102">User Mapping</a></dt><dt>username-level, <a href="ServerType.html#id334587">Password Checking</a></dt><dt>userPassword, <a href="passdb.html#id365225">Initialize the LDAP Database</a></dt><dt>users, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a>, <a href="PolicyMgmt.html#id424107">Features and Benefits</a></dt><dt>UsrMgr.exe, <a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>UTF-8, <a href="unicode.html#id434324">Samba and Charsets</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>UTF-8 encoding, <a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></dt></dl></div><div class="indexdiv"><h3>V</h3><dl><dt>valid username/password, <a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></dt><dt>valid users, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="securing-samba.html#id387586">User-Based Protection</a>, <a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a>, <a href="diagnosis.html#id446476">The Tests</a></dt><dt>validate, <a href="install.html#id327100">Test Your Config File with testparm</a>, <a href="diagnosis.html#id446161">Introduction</a></dt><dt>validate every backup, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>validation, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a>, <a href="PolicyMgmt.html">System and Account Policies</a></dt><dt>vendor-provided drivers, <a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a></dt><dt>verifiable, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a></dt><dt>verify, <a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></dt><dt>version control, <a href="VFS.html#id417753">shadow_copy</a></dt><dt>veto files, <a href="AccessControls.html#id382473">Miscellaneous Controls</a></dt><dt>veto oplock files, <a href="locking.html#id386284">Disabling Oplocks</a>, <a href="locking.html#id386378">Disabling Kernel Oplocks</a></dt><dt>VFS, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="VFS.html#id416413">Discussion</a></dt><dt>VFS module, <a href="VFS.html#id417753">shadow_copy</a>, <a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></dt><dt>VFS modules, <a href="VFS.html#id416413">Discussion</a>, <a href="VFS.html#id418589">VFS Modules Available Elsewhere</a></dt><dt>vfs objects, <a href="VFS.html#id416413">Discussion</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>vfs option, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>vgcreate, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>vgdisplay, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>vipw, <a href="samba-pdc.html#id338784">“$” Cannot Be Included in Machine Name</a>, <a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></dt><dt>Virtual File System (see VFS)</dt><dt>virtual server, <a href="SambaHA.html#id436456">The Front-End Challenge</a>, <a href="SambaHA.html#id437009">A Simple Solution</a></dt><dt>virus scanner, <a href="VFS.html#id416413">Discussion</a></dt><dt>Visual Studio, <a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a></dt><dt>vital task, <a href="SambaHA.html#id436084">Features and Benefits</a></dt><dt>VNC/RFB, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>volume group, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>volunteers, <a href="problems.html#id448906">Getting Mailing List Help</a></dt><dt>vscan, <a href="VFS.html#id418663">vscan</a></dt><dt>vuid, <a href="SambaHA.html#id436543">Demultiplexing SMB Requests</a></dt></dl></div><div class="indexdiv"><h3>W</h3><dl><dt>W32X86, <a href="classicalprinting.html#id396246">Identifying Driver Files</a>, <a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a>, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></dt><dt>W32X86/2, <a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a></dt><dt>WAN, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="locking.html#id385895">Slow and/or Unreliable Networks</a></dt><dt>wbinfo, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>Web-based configuration, <a href="SWAT.html">SWAT: The Samba Web Administration Tool</a></dt><dt>WebClient, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>Welcome, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>well known RID, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>well-controlled network, <a href="NT4Migration.html#id443343">Server Share and Directory Layout</a></dt><dt>well-known RID, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></dt><dt>wide-area network bandwidth, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>win election, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></dt><dt>Win32 printing API, <a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>WIN40, <a href="classicalprinting.html#id396246">Identifying Driver Files</a>, <a href="classicalprinting.html#id396612">Obtaining Driver Files from Windows Client [print$] Shares</a>, <a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></dt><dt>winbind, <a href="domain-member.html#id344900">Why Is This Better Than security = server?</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="idmapper.html#id376225">Examples of IDMAP Backend Usage</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id421104">Configure smb.conf</a></dt><dt>Winbind, <a href="StandAloneServer.html#id347134">Background</a>, <a href="winbind.html#id419494">Target Uses</a>, <a href="winbind.html#id419770">Microsoft Active Directory Services</a>, <a href="winbind.html#id420026">Pluggable Authentication Modules</a>, <a href="winbind.html#id420167">User and Group ID Allocation</a>, <a href="winbind.html#id420241">Result Caching</a>, <a href="winbind.html#id420297">Introduction</a>, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a href="winbind.html#id421002">NSS Winbind on AIX</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a>, <a href="winbind.html#id422370">Linux/FreeBSD-Specific PAM Configuration</a>, <a href="winbind.html#id422791">Conclusion</a>, <a href="pam.html">PAM-Based Distributed Authentication</a>, <a href="pam.html#id429934">Features and Benefits</a></dt><dt>Winbind architecture, <a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></dt><dt>winbind cache time, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>winbind enum groups, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="winbind.html#id421104">Configure smb.conf</a></dt><dt>winbind enum users, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="winbind.html#id421104">Configure smb.conf</a></dt><dt>Winbind hooks, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>winbind nested groups, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>winbind separator, <a href="winbind.html#id421104">Configure smb.conf</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>Winbind services, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a></dt><dt>winbind trusted domains only, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>winbind use default domain, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>Winbind-based authentication, <a href="pam.html">PAM-Based Distributed Authentication</a></dt><dt>winbind.so, <a href="winbind.html#id422679">Solaris-Specific Configuration</a></dt><dt>winbindd, <a href="install.html#id326670">Starting Samba</a>, <a href="install.html#id327100">Test Your Config File with testparm</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a>, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a>, <a href="groupmapping.html#id367144">Features and Benefits</a>, <a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a>, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a>, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a href="winbind.html#id418954">Features and Benefits</a>, <a href="winbind.html#id419645">How Winbind Works</a>, <a href="winbind.html#id420404">Requirements</a>, <a href="winbind.html#id420546">Testing Things Out</a>, <a href="winbind.html#id420628">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a href="winbind.html#id421104">Configure smb.conf</a>, <a href="winbind.html#id421528">Starting and Testing the winbindd Daemon</a>, <a href="winbind.html#id422049">Solaris</a>, <a href="winbind.html#id422211">Configure Winbind and PAM</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></dt><dt>winbindd daemon, <a href="winbind.html#id421865">Linux</a></dt><dt>Windows, <a href="idmapper.html">Identity Mapping (IDMAP)</a>, <a href="unicode.html#id434585">Basic Parameter Setting</a></dt><dt>Windows 2000, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#ads-test-server">Testing Server Setup</a>, <a href="NetworkBrowsing.html">Network Browsing</a>, <a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></dt><dt>Windows 2000 Professional TCP/IP, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>Windows 2000 server, <a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>Windows 2003, <a href="domain-member.html#id345329">Configure /etc/krb5.conf</a>, <a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a></dt><dt>Windows 200x/XP, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>Windows 9x/Me, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a>, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a>, <a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></dt><dt>Windows 9x/Me/XP Home, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Windows account management, <a href="winbind.html#id419355">What Winbind Provides</a></dt><dt>Windows client, <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>Windows client failover, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>Windows domain, <a href="upgrading-to-3.0.html#id441782">Changes in Behavior</a></dt><dt>Windows Explorer, <a href="NetworkBrowsing.html#id357120">Problem Resolution</a>, <a href="classicalprinting.html#id396246">Identifying Driver Files</a></dt><dt>Windows group, <a href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a href="groupmapping.html#id367843">Warning: User Private Group Problems</a>, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a>, <a href="rights.html">User Rights and Privileges</a></dt><dt>Windows group account, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>Windows groups, <a href="NetCommand.html#id370780">Mapping Windows Groups to UNIX Groups</a></dt><dt>Windows Internet Name Server (see WINS)</dt><dt>Windows Logon, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>Windows Me TCP/IP, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>Windows Millennium, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>Windows Millennium edition (Me) TCP/IP, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>Windows network clients, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a></dt><dt>Windows NT domain name, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Windows NT PostScript driver, <a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></dt><dt>Windows NT Server, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>Windows NT/2000/XP, <a href="classicalprinting.html#id397275">Check Samba for Driver Recognition</a></dt><dt>Windows NT/200x, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="winbind.html#id420297">Introduction</a></dt><dt>Windows NT/200x/XP, <a href="classicalprinting.html#id392714">The [global] Section</a></dt><dt>Windows NT/200x/XP Professional, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a>, <a href="ClientConfig.html#id351062">Common Errors</a></dt><dt>Windows NT3.10, <a href="samba-bdc.html#id339696">Essential Background Information</a></dt><dt>Windows NT4, <a href="AccessControls.html#id382888">Windows NT4 Workstation/Server</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>Windows NT4 domains, <a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></dt><dt>Windows NT4 Server, <a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a></dt><dt>Windows NT4/200X, <a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></dt><dt>Windows NT4/200x, <a href="groupmapping.html#id367529">Discussion</a></dt><dt>Windows NT4/200x/XP, <a href="samba-bdc.html#id340905">NetBIOS Over TCP/IP Enabled</a>, <a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a>, <a href="AccessControls.html#id382986">Windows 200x/XP</a></dt><dt>Windows NT4/2kX/XPPro, <a href="rights.html">User Rights and Privileges</a></dt><dt>Windows PPD, <a href="CUPS-printing.html#id412685">690 “Perfect” Printers</a></dt><dt>Windows privilege model, <a href="rights.html#id378765">Rights Management Capabilities</a></dt><dt>Windows Registry, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>windows registry settings, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dd><dl><dt>default profile locations, <a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></dt><dt>profile path, <a href="ProfileMgmt.html#id426382">Windows 9x/Me Profile Setup</a></dt><dt>roaming profiles, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a></dt></dl></dd><dt>Windows Resource Kit, <a href="ProfileMgmt.html#id426176">Disabling Roaming Profile Support</a></dt><dt>Windows Security Identifiers (see SID)</dt><dt>Windows Terminal server, <a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></dt><dt>Windows Terminal Server, <a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></dt><dt>Windows user, <a href="rights.html">User Rights and Privileges</a></dt><dt>Windows user accounts, <a href="NetCommand.html#id371804">UNIX and Windows User Management</a></dt><dt>Windows workstation., <a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>Windows XP Home, <a href="passdb.html#id359822">Important Notes About Security</a></dt><dt>Windows XP Home edition, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id338177">The Special Case of MS Windows XP Home Edition</a>, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Windows XP Home Edition, <a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></dt><dt>Windows XP Professional, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="classicalprinting.html#id390934">Features and Benefits</a></dt><dt>Windows XP Professional TCP/IP, <a href="ClientConfig.html#id349114">MS Windows 2000</a></dt><dt>Windows XP TCP/IP, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a></dt><dt>Windows95/98/ME, <a href="classicalprinting.html#id397275">Check Samba for Driver Recognition</a></dt><dt>winnt.adm, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>WINS, <a href="samba-pdc.html#id335204">Features and Benefits</a>, <a href="samba-pdc.html#id336302">Domain Controller Types</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="ClientConfig.html#id348498">MS Windows XP Professional</a>, <a href="ClientConfig.html#id349114">MS Windows 2000</a>, <a href="ClientConfig.html#id349640">MS Windows Me</a>, <a href="NetworkBrowsing.html">Network Browsing</a>, <a href="NetworkBrowsing.html#id352162">Features and Benefits</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a>, <a href="NetworkBrowsing.html#id357499">Behavior of Cross-Subnet Browsing</a>, <a href="integrate-ms-networks.html#id433763">WINS Lookup</a>, <a href="DNSDHCP.html#id455025">Example Configuration</a></dt><dt>wins, <a href="integrate-ms-networks.html#id433004">/etc/nsswitch.conf</a></dt><dt>WINS Configuration, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>wins hook, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>WINS lookup, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></dt><dt>wins proxy, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>WINS replication, <a href="NetworkBrowsing.html#id356273">WINS Replication</a>, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>wins server, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="integrate-ms-networks.html#id433763">WINS Lookup</a></dt><dt>WINS Server, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>WINS server, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></dt><dt>WINS server address, <a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></dt><dt>WINS server settings, <a href="ClientConfig.html#id349640">MS Windows Me</a></dt><dt>WINS servers, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></dt><dt>WINS service, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></dt><dt>wins support, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a>, <a href="integrate-ms-networks.html#id433763">WINS Lookup</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dt>WINS Support, <a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></dt><dt>wins.dat, <a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></dt><dt>without Administrator account, <a href="rights.html#id380042">The Administrator Domain SID</a></dt><dt>without ADS, <a href="NT4Migration.html#id442769">Objectives</a></dt><dt>work-flow protocol, <a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></dt><dt>workgroup, <a href="install.html#id325753">Configuration File Syntax</a>, <a href="install.html#id326850">Example Configuration</a>, <a href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a href="FastStart.html#id328408">Anonymous Read-Write Document Server</a>, <a href="FastStart.html#id328648">Anonymous Print Server</a>, <a href="FastStart.html#id329032">Secure Read-Write File and Print Server</a>, <a href="FastStart.html#id329884">Example Configuration</a>, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="FastStart.html#id331703">The Primary Domain Controller</a>, <a href="FastStart.html#id332366">Backup Domain Controller</a>, <a href="ServerType.html#id333890">Example Configuration</a>, <a href="ServerType.html#id334332">Server Security (User Level Security)</a>, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="samba-pdc.html#id338208">The Special Case of Windows 9x/Me</a>, <a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a>, <a href="samba-bdc.html#id340141">Example PDC Configuration</a>, <a href="samba-bdc.html#id341471">Example Configuration</a>, <a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a>, <a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a>, <a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a>, <a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a>, <a href="passdb.html#id365392">Configuring Samba</a>, <a href="idmapper.html#id376308">NT4-Style Domains (Includes Samba Domains)</a>, <a href="idmapper.html#id376591">ADS Domains</a>, <a href="idmapper.html#id376996">IDMAP_RID with Winbind</a>, <a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a>, <a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a>, <a href="cfgsmarts.html#id437835">Multiple Server Hosting</a>, <a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a>, <a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></dt><dd><dl><dt>membership, <a href="samba-pdc.html#id336759">Preparing for Domain Control</a></dt></dl></dd><dt>workstations, <a href="passdb.html#passdbtech">Technical Information</a></dt><dt>world-writable, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>writable, <a href="classicalprinting.html#id391430">Simple Print Configuration</a>, <a href="classicalprinting.html#id392225">Extended Printing Configuration</a>, <a href="classicalprinting.html#ptrsect">The [printers] Section</a>, <a href="classicalprinting.html#id393656">Any [my_printer_name] Section</a>, <a href="CUPS-printing.html#id400978">Simple smb.conf Settings for CUPS</a>, <a href="CUPS-printing.html#id401226">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a></dt><dt>write, <a href="AccessControls.html#id381279">File and Directory Access Control</a></dt><dt>write access, <a href="AccessControls.html#id381646">Protecting Directories and Files from Deletion</a></dt><dt>Write caching, <a href="locking.html#id385372">Opportunistic Locking Overview</a></dt><dt>write changes, <a href="idmapper.html#id376159">Backup Domain Controller</a></dt><dt>write list, <a href="FastStart.html#id330805">Example: Engineering Office</a>, <a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a>, <a href="AccessControls.html#id381903">User- and Group-Based Controls</a>, <a href="classicalprinting.html#id395308">Creating the [print$] Share</a>, <a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a>, <a href="CUPS-printing.html#id408200">Prepare Your smb.conf for cupsaddsmb</a></dt><dt>write permission, <a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>write raw, <a href="speed.html#id453197">Write Raw</a></dt><dt>writeable, <a href="VFS.html#id416413">Discussion</a>, <a href="VFS.html#fakeperms">fake_perms</a>, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>WYSIWYG, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a></dt></dl></div><div class="indexdiv"><h3>X</h3><dl><dt>X Window + System, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a>, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>X.509 certificates, <a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>XFS file system, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>xfsprogs, <a href="VFS.html#id417924">Shadow Copy Setup</a></dt><dt>xinetd, <a href="SWAT.html#id444749">Validate SWAT Installation</a>, <a href="compiling.html#id450957">Starting from inetd.conf</a> (see inetd)</dt><dt>XML, <a href="ChangeNotes.html#id351743">Passdb Changes</a></dt><dt>XML-based datasets, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>xpp, <a href="CUPS-printing.html#id413227">Foomatic Database-Generated PPDs</a></dt><dt>Xprint, <a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a>, <a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></dt><dt>xxxxBSD, <a href="pam.html#id429934">Features and Benefits</a></dt></dl></div><div class="indexdiv"><h3>Y</h3><dl><dt>yppasswd, <a href="passdb.html#id361615">The smbpasswd Tool</a></dt></dl></div><div class="indexdiv"><h3>Z</h3><dl><dt>Zero Administration Kit, <a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></dt><dt>zero-based broadcast, <a href="NetworkBrowsing.html#id355362">Note about Broadcast Addresses</a></dt></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Glossary </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/largefile.html b/docs/htmldocs/Samba3-HOWTO/largefile.html new file mode 100644 index 0000000000..26125e0b0d --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/largefile.html @@ -0,0 +1,55 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 33. Handling Large Directories</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="SambaHA.html" title="Chapter 32. High Availability"><link rel="next" href="cfgsmarts.html" title="Chapter 34. Advanced Configuration Techniques"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 33. Handling Large Directories</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="cfgsmarts.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="largefile"></a>Chapter 33. Handling Large Directories</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">March 5, 2005</p></div></div></div><p> +<a class="indexterm" name="id437341"></a> +<a class="indexterm" name="id437348"></a> +<a class="indexterm" name="id437355"></a> +Samba-3.0.12 and later implements a solution for sites that have experienced performance degradation due to the +problem of using Samba-3 with applications that need large numbers of files (100,000 or more) per directory. +</p><p> +<a class="indexterm" name="id437367"></a> +<a class="indexterm" name="id437374"></a> +The key was fixing the directory handling to read only the current list requested instead of the old +(up to samba-3.0.11) behavior of reading the entire directory into memory before doling out names. +Normally this would have broken OS/2 applications, which have very strange delete semantics, but by +stealing logic from Samba4 (thanks, Tridge), the current code in 3.0.12 handles this correctly. +</p><p> +<a class="indexterm" name="id437387"></a> +<a class="indexterm" name="id437394"></a> +To set up an application that needs large numbers of files per directory in a way that does not +damage performance unduly, follow these steps: +</p><p> +<a class="indexterm" name="id437406"></a> +First, you need to canonicalize all the files in the directory to have one case, upper or lower take your +pick (I chose upper because all my files were already uppercase names). Then set up a new custom share for the +application as follows: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[bigshare]</code></em></td></tr><tr><td><a class="indexterm" name="id437431"></a><em class="parameter"><code>path = /data/manyfilesdir</code></em></td></tr><tr><td><a class="indexterm" name="id437444"></a><em class="parameter"><code>read only = no</code></em></td></tr><tr><td><a class="indexterm" name="id437457"></a><em class="parameter"><code>case sensitive = True</code></em></td></tr><tr><td><a class="indexterm" name="id437469"></a><em class="parameter"><code>default case = upper</code></em></td></tr><tr><td><a class="indexterm" name="id437482"></a><em class="parameter"><code>preserve case = no</code></em></td></tr><tr><td><a class="indexterm" name="id437494"></a><em class="parameter"><code>short preserve case = no</code></em></td></tr></table><p> +</p><p> +<a class="indexterm" name="id437510"></a> +<a class="indexterm" name="id437517"></a> +<a class="indexterm" name="id437524"></a> +Of course, use your own path and settings, but set the case options to match the case of all the files in your +directory. The path should point at the large directory needed for the application any new files created in +there and in any paths under it will be forced by smbd into uppercase, but smbd will no longer have to scan +the directory for names: it knows that if a file does not exist in uppercase, then it doesn't exist at all. +</p><p> +<a class="indexterm" name="id437541"></a> +<a class="indexterm" name="id437547"></a> +<a class="indexterm" name="id437554"></a> +The secret to this is really in the <a class="indexterm" name="id437561"></a>case sensitive = True +line. This tells smbd never to scan for case-insensitive versions of names. So if an application asks for a file +called <code class="filename">FOO</code>, and it cannot be found by a simple stat call, then smbd will return file not +found immediately without scanning the containing directory for a version of a different case. The other +<code class="filename">xxx case xxx</code> lines make this work by forcing a consistent case on all files created by +<span class="application">smbd</span>. +</p><p> +<a class="indexterm" name="id437592"></a> +<a class="indexterm" name="id437598"></a> +<a class="indexterm" name="id437605"></a> +Remember, all files and directories under the <em class="parameter"><code>path</code></em> directory must be in uppercase +with this <code class="filename">smb.conf</code> stanza because <span class="application">smbd</span> will not be able to find lowercase filenames with these settings. Also +note that this is done on a per-share basis, allowing this parameter to be set only for a share servicing an application with +this problematic behavior (using large numbers of entries in a directory) the rest of your <span class="application">smbd</span> shares +don't need to be affected. +</p><p> +This makes smbd much faster when dealing with large directories. My test case has over 100,000 files, and +smbd now deals with this very efficiently. +</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="cfgsmarts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. High Availability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 34. Advanced Configuration Techniques</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/locking.html b/docs/htmldocs/Samba3-HOWTO/locking.html new file mode 100644 index 0000000000..825ad3cccc --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/locking.html @@ -0,0 +1,711 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 17. File and Record Locking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 18. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 17. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 17. File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><code class="email"><<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="locking.html#id385057">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="locking.html#id385144">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id385372">Opportunistic Locking Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386203">Samba Oplocks Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386275">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386670">MS Windows Oplocks and Caching Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386822">Workstation Service Entries</a></span></dt><dt><span class="sect2"><a href="locking.html#id386841">Server Service Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386898">Persistent Data Corruption</a></span></dt><dt><span class="sect1"><a href="locking.html#id386917">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386968">locking.tdb Error Messages</a></span></dt><dt><span class="sect2"><a href="locking.html#id386996">Problems Saving Files in MS Office on Windows XP</a></span></dt><dt><span class="sect2"><a href="locking.html#id387019">Long Delays Deleting Files over Network with XP SP1</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id387048">Additional Reading</a></span></dt></dl></div><p> +<a class="indexterm" name="id385048"></a> +One area that causes trouble for many network administrators is locking. +The extent of the problem is readily evident from searches over the Internet. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385057"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id385065"></a> +Samba provides all the same locking semantics that MS Windows clients expect +and that MS Windows NT4/200x servers also provide. +</p><p> +<a class="indexterm" name="id385076"></a> +The term <span class="emphasis"><em>locking</em></span> has exceptionally broad meaning and covers +a range of functions that are all categorized under this one term. +</p><p> +<a class="indexterm" name="id385091"></a> +<a class="indexterm" name="id385097"></a> +<a class="indexterm" name="id385104"></a> +Opportunistic locking is a desirable feature when it can enhance the +perceived performance of applications on a networked client. However, the +opportunistic locking protocol is not robust and therefore can +encounter problems when invoked beyond a simplistic configuration or +on extended slow or faulty networks. In these cases, operating +system management of opportunistic locking and/or recovering from +repetitive errors can offset the perceived performance advantage that +it is intended to provide. +</p><p> +<a class="indexterm" name="id385118"></a> +The MS Windows network administrator needs to be aware that file and record +locking semantics (behavior) can be controlled either in Samba or by way of registry +settings on the MS Windows client. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id385132"></a> +Sometimes it is necessary to disable locking control settings on the Samba +server as well as on each MS Windows client! +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385144"></a>Discussion</h2></div></div></div><p> +<a class="indexterm" name="id385151"></a> +<a class="indexterm" name="id385158"></a> +There are two types of locking that need to be performed by an SMB server. +The first is <span class="emphasis"><em>record locking</em></span> that allows a client to lock +a range of bytes in an open file. The second is the <span class="emphasis"><em>deny modes</em></span> +that are specified when a file is open. +</p><p> +<a class="indexterm" name="id385177"></a> +<a class="indexterm" name="id385184"></a> +<a class="indexterm" name="id385191"></a> +<a class="indexterm" name="id385198"></a> +<a class="indexterm" name="id385204"></a> +Record locking semantics under UNIX are very different from record locking under +Windows. Versions of Samba before 2.2 have tried to use the native fcntl() UNIX +system call to implement proper record locking between different Samba clients. +This cannot be fully correct for several reasons. The simplest is +that a Windows client is allowed to lock a byte range up to 2^32 or 2^64, +depending on the client OS. The UNIX locking only supports byte ranges up to 2^31. +So it is not possible to correctly satisfy a lock request above 2^31. There are +many more differences, too many to be listed here. +</p><p> +<a class="indexterm" name="id385220"></a> +<a class="indexterm" name="id385226"></a> +Samba 2.2 and above implement record locking completely independently of the +underlying UNIX system. If a byte-range lock that the client requests happens +to fall into the range of 0 to 2^31, Samba hands this request down to the UNIX system. +No other locks can be seen by UNIX, anyway. +</p><p> +<a class="indexterm" name="id385239"></a> +<a class="indexterm" name="id385246"></a> +Strictly speaking, an SMB server should check for locks before every read and write call on +a file. Unfortunately, with the way fcntl() works, this can be slow and may overstress +the <code class="literal">rpc.lockd</code>. This is almost always unnecessary because clients are +independently supposed to make locking calls before reads and writes if locking is +important to them. By default, Samba only makes locking calls when explicitly asked +to by a client, but if you set <a class="indexterm" name="id385262"></a>strict locking = yes, it +will make lock checking calls on <span class="emphasis"><em>every</em></span> read and write call. +</p><p> +<a class="indexterm" name="id385277"></a> +You can also disable byte-range locking completely by using +<a class="indexterm" name="id385284"></a>locking = no. +This is useful for those shares that do not support locking or do not need it +(such as CD-ROMs). In this case, Samba fakes the return codes of locking calls to +tell clients that everything is okay. +</p><p> +<a class="indexterm" name="id385296"></a> +<a class="indexterm" name="id385303"></a> +<a class="indexterm" name="id385310"></a> +<a class="indexterm" name="id385316"></a> +<a class="indexterm" name="id385323"></a> +<a class="indexterm" name="id385330"></a> +<a class="indexterm" name="id385337"></a> +The second class of locking is the <span class="emphasis"><em>deny modes</em></span>. These +are set by an application when it opens a file to determine what types of +access should be allowed simultaneously with its open. A client may ask for +<code class="constant">DENY_NONE</code>, <code class="constant">DENY_READ</code>, +<code class="constant">DENY_WRITE</code>, or <code class="constant">DENY_ALL</code>. There are also special compatibility +modes called <code class="constant">DENY_FCB</code> and <code class="constant">DENY_DOS</code>. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385372"></a>Opportunistic Locking Overview</h3></div></div></div><p> +<a class="indexterm" name="id385380"></a> +<a class="indexterm" name="id385386"></a> +<a class="indexterm" name="id385393"></a> +Opportunistic locking (oplocks) is invoked by the Windows file system +(as opposed to an API) via registry entries (on the server and the client) +for the purpose of enhancing network performance when accessing a file +residing on a server. Performance is enhanced by caching the file +locally on the client that allows the following: +</p><div class="variablelist"><dl><dt><span class="term">Read-ahead:</span></dt><dd><p> +<a class="indexterm" name="id385414"></a> + The client reads the local copy of the file, eliminating network latency. + </p></dd><dt><span class="term">Write caching:</span></dt><dd><p> +<a class="indexterm" name="id385431"></a> + The client writes to the local copy of the file, eliminating network latency. + </p></dd><dt><span class="term">Lock caching:</span></dt><dd><p> +<a class="indexterm" name="id385449"></a> + The client caches application locks locally, eliminating network latency. + </p></dd></dl></div><p> +<a class="indexterm" name="id385462"></a> +<a class="indexterm" name="id385469"></a> +<a class="indexterm" name="id385475"></a> +The performance enhancement of oplocks is due to the opportunity of +exclusive access to the file even if it is opened with deny-none +because Windows monitors the file's status for concurrent access from +other processes. +</p><div class="variablelist"><p class="title"><b>Windows Defines Four Kinds of Oplocks:</b></p><dl><dt><span class="term">Level1 Oplock</span></dt><dd><p> +<a class="indexterm" name="id385504"></a> +<a class="indexterm" name="id385511"></a> +<a class="indexterm" name="id385517"></a> +<a class="indexterm" name="id385524"></a> + The redirector sees that the file was opened with deny + none (allowing concurrent access), verifies that no + other process is accessing the file, checks that + oplocks are enabled, then grants deny-all/read-write/exclusive + access to the file. The client now performs + operations on the cached local file. + </p><p> +<a class="indexterm" name="id385537"></a> +<a class="indexterm" name="id385544"></a> +<a class="indexterm" name="id385551"></a> +<a class="indexterm" name="id385557"></a> + If a second process attempts to open the file, the open + is deferred while the redirector "breaks" the original + oplock. The oplock break signals the caching client to + write the local file back to the server, flush the + local locks, and discard read-ahead data. The break is + then complete, the deferred open is granted, and the + multiple processes can enjoy concurrent file access as + dictated by mandatory or byte-range locking options. + However, if the original opening process opened the + file with a share mode other than deny-none, then the + second process is granted limited or no access, despite + the oplock break. + </p></dd><dt><span class="term">Level2 Oplock</span></dt><dd><p> +<a class="indexterm" name="id385580"></a> +<a class="indexterm" name="id385586"></a> +<a class="indexterm" name="id385593"></a> + Performs like a Level1 oplock, except caching is only + operative for reads. All other operations are performed + on the server disk copy of the file. + </p></dd><dt><span class="term">Filter Oplock</span></dt><dd><p> +<a class="indexterm" name="id385612"></a> + Does not allow write or delete file access. + </p></dd><dt><span class="term">Batch Oplock</span></dt><dd><p> +<a class="indexterm" name="id385629"></a> + Manipulates file openings and closings and allows caching + of file attributes. + </p></dd></dl></div><p> +<a class="indexterm" name="id385642"></a> +An important detail is that oplocks are invoked by the file system, not +an application API. Therefore, an application can close an oplocked +file, but the file system does not relinquish the oplock. When the +oplock break is issued, the file system then simply closes the file in +preparation for the subsequent open by the second process. +</p><p> +<a class="indexterm" name="id385655"></a> +<a class="indexterm" name="id385662"></a> +<a class="indexterm" name="id385669"></a> +<a class="indexterm" name="id385676"></a> +<span class="emphasis"><em>Opportunistic locking</em></span> is actually an improper name for this feature. +The true benefit of this feature is client-side data caching, and +oplocks is merely a notification mechanism for writing data back to the +networked storage disk. The limitation of oplocks is the +reliability of the mechanism to process an oplock break (notification) +between the server and the caching client. If this exchange is faulty +(usually due to timing out for any number of reasons), then the +client-side caching benefit is negated. +</p><p> +<a class="indexterm" name="id385694"></a> +The actual decision that a user or administrator should consider is +whether it is sensible to share among multiple users data that will +be cached locally on a client. In many cases the answer is no. +Deciding when to cache or not cache data is the real question, and thus +oplocks should be treated as a toggle for client-side +caching. Turn it “<span class="quote">on</span>” when client-side caching is desirable and +reliable. Turn it “<span class="quote">off</span>” when client-side caching is redundant, +unreliable, or counterproductive. +</p><p> +<a class="indexterm" name="id385714"></a> +Oplocks is by default set to “<span class="quote">on</span>” by Samba on all +configured shares, so careful attention should be given to each case to +determine if the potential benefit is worth the potential for delays. +The following recommendations will help to characterize the environment +where oplocks may be effectively configured. +</p><p> +<a class="indexterm" name="id385730"></a> +<a class="indexterm" name="id385737"></a> +Windows oplocks is a lightweight performance-enhancing +feature. It is not a robust and reliable protocol. Every +implementation of oplocks should be evaluated as a +trade-off between perceived performance and reliability. Reliability +decreases as each successive rule above is not enforced. Consider a +share with oplocks enabled, over a wide-area network, to a client on a +South Pacific atoll, on a high-availability server, serving a +mission-critical multiuser corporate database during a tropical +storm. This configuration will likely encounter problems with oplocks. +</p><p> +<a class="indexterm" name="id385752"></a> +Oplocks can be beneficial to perceived client performance when treated +as a configuration toggle for client-side data caching. If the data +caching is likely to be interrupted, then oplock usage should be +reviewed. Samba enables oplocks by default on all +shares. Careful attention should be given to the client usage of +shared data on the server, the server network reliability, and the +oplocks configuration of each share. +In mission-critical, high-availability environments, data integrity is +often a priority. Complex and expensive configurations are implemented +to ensure that if a client loses connectivity with a file server, a +failover replacement will be available immediately to provide +continuous data availability. +</p><p> +<a class="indexterm" name="id385768"></a> +<a class="indexterm" name="id385775"></a> +Windows client failover behavior is more at risk of application +interruption than other platforms because it is dependent upon an +established TCP transport connection. If the connection is interrupted + as in a file server failover a new session must be established. +It is rare for Windows client applications to be coded to recover +correctly from a transport connection loss; therefore, most applications +will experience some sort of interruption at worst, abort and +require restarting. +</p><p> +<a class="indexterm" name="id385798"></a> +<a class="indexterm" name="id385804"></a> +<a class="indexterm" name="id385811"></a> +If a client session has been caching writes and reads locally due to +oplocks, it is likely that the data will be lost when the +application restarts or recovers from the TCP interrupt. When the TCP +connection drops, the client state is lost. When the file server +recovers, an oplock break is not sent to the client. In this case, the +work from the prior session is lost. Observing this scenario with +oplocks disabled and with the client writing data to the file server +real-time, the failover will provide the data on disk as it +existed at the time of the disconnect. +</p><p> +In mission-critical, high-availability environments, careful attention +should be given to oplocks. Ideally, comprehensive +testing should be done with all affected applications with oplocks +enabled and disabled. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id385829"></a>Exclusively Accessed Shares</h4></div></div></div><p> +Oplocks is most effective when it is confined to shares +that are exclusively accessed by a single user, or by only one user at +a time. Because the true value of oplocks is the local +client caching of data, any operation that interrupts the caching +mechanism will cause a delay. +</p><p> +Home directories are the most obvious examples of where the performance +benefit of oplocks can be safely realized. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id385845"></a>Multiple-Accessed Shares or Files</h4></div></div></div><p> +As each additional user accesses a file in a share with oplocks +enabled, the potential for delays and resulting perceived poor +performance increases. When multiple users are accessing a file on a +share that has oplocks enabled, the management impact of sending and +receiving oplock breaks and the resulting latency while other clients +wait for the caching client to flush data offset the performance gains +of the caching user. +</p><p> +As each additional client attempts to access a file with oplocks set, +the potential performance improvement is negated and eventually results +in a performance bottleneck. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id385864"></a>UNIX or NFS Client-Accessed Files</h4></div></div></div><p> +<a class="indexterm" name="id385872"></a> +<a class="indexterm" name="id385879"></a> +Local UNIX and NFS clients access files without a mandatory +file-locking mechanism. Thus, these client platforms are incapable of +initiating an oplock break request from the server to a Windows client +that has a file cached. Local UNIX or NFS file access can therefore +write to a file that has been cached by a Windows client, which +exposes the file to likely data corruption. +</p><p> +If files are shared between Windows clients and either local UNIX +or NFS users, turn oplocks off. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id385895"></a>Slow and/or Unreliable Networks</h4></div></div></div><p> +<a class="indexterm" name="id385903"></a> +<a class="indexterm" name="id385910"></a> +<a class="indexterm" name="id385916"></a> +The biggest potential performance improvement for oplocks +occurs when the client-side caching of reads and writes delivers the +most differential over sending those reads and writes over the wire. +This is most likely to occur when the network is extremely slow, +congested, or distributed (as in a WAN). However, network latency also +has a high impact on the reliability of the oplock break +mechanism, and thus increases the likelihood of encountering oplock +problems that more than offset the potential perceived performance +gain. Of course, if an oplock break never has to be sent, then this is +the most advantageous scenario in which to utilize oplocks. +</p><p> +If the network is slow, unreliable, or a WAN, then do not configure +oplocks if there is any chance of multiple users +regularly opening the same file. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id385935"></a>Multiuser Databases</h4></div></div></div><p> +<a class="indexterm" name="id385943"></a> +<a class="indexterm" name="id385950"></a> +<a class="indexterm" name="id385957"></a> +Multiuser databases clearly pose a risk due to their very nature they are typically heavily +accessed by numerous users at random intervals. Placing a multiuser database on a share with oplocks enabled +will likely result in a locking management bottleneck on the Samba server. Whether the database application is +developed in-house or a commercially available product, ensure that the share has oplocks disabled. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id385973"></a>PDM Data Shares</h4></div></div></div><p> +<a class="indexterm" name="id385980"></a> +<a class="indexterm" name="id385986"></a> +<a class="indexterm" name="id385993"></a> +<a class="indexterm" name="id386000"></a> +<a class="indexterm" name="id386007"></a> +Process data management (PDM) applications such as IMAN, Enovia, and Clearcase are increasing in usage with +Windows client platforms and therefore with SMB datastores. PDM applications manage multiuser environments for +critical data security and access. The typical PDM environment is usually associated with sophisticated client +design applications that will load data locally as demanded. In addition, the PDM application will usually +monitor the data state of each client. In this case, client-side data caching is best left to the local +application and PDM server to negotiate and maintain. It is appropriate to eliminate the client OS from any +caching tasks, and the server from any oplocks management, by disabling oplocks on the share. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386022"></a>Beware of Force User</h4></div></div></div><p> +<a class="indexterm" name="id386030"></a> +Samba includes an <code class="filename">smb.conf</code> parameter called <a class="indexterm" name="id386043"></a>force user that changes the user +accessing a share from the incoming user to whatever user is defined by the <code class="filename">smb.conf</code> variable. If oplocks is +enabled on a share, the change in user access causes an oplock break to be sent to the client, even if the +user has not explicitly loaded a file. In cases where the network is slow or unreliable, an oplock break can +become lost without the user even accessing a file. This can cause apparent performance degradation as the +client continually reconnects to overcome the lost oplock break. +</p><p> +Avoid the combination of the following: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id386070"></a>force user in the <code class="filename">smb.conf</code> share configuration. + </p></li><li><p> + Slow or unreliable networks. + </p></li><li><p> + Oplocks enabled. + </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386096"></a>Advanced Samba Oplocks Parameters</h4></div></div></div><p> +<a class="indexterm" name="id386103"></a> +<a class="indexterm" name="id386110"></a> +<a class="indexterm" name="id386117"></a> +Samba provides oplock parameters that allow the +administrator to adjust various properties of the oplock mechanism to +account for timing and usage levels. These parameters provide good +versatility for implementing oplocks in environments where they would +likely cause problems. The parameters are +<a class="indexterm" name="id386126"></a>oplock break wait time, and +<a class="indexterm" name="id386134"></a>oplock contention limit. +</p><p> +<a class="indexterm" name="id386144"></a> +For most users, administrators, and environments, if these parameters +are required, then the better option is simply to turn oplocks off. +The Samba SWAT help text for both parameters reads: “<span class="quote">Do not change +this parameter unless you have read and understood the Samba oplock code.</span>” +This is good advice. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386159"></a>Mission-Critical, High-Availability</h4></div></div></div><p> +In mission-critical, high-availability environments, data integrity is +often a priority. Complex and expensive configurations are implemented +to ensure that if a client loses connectivity with a file server, a +failover replacement will be available immediately to provide +continuous data availability. +</p><p> +Windows client failover behavior is more at risk of application +interruption than other platforms because it is dependent upon an +established TCP transport connection. If the connection is interrupted + as in a file server failover a new session must be established. +It is rare for Windows client applications to be coded to recover +correctly from a transport connection loss; therefore, most applications +will experience some sort of interruption at worst, abort and +require restarting. +</p><p> +If a client session has been caching writes and reads locally due to +oplocks, it is likely that the data will be lost when the +application restarts or recovers from the TCP interrupt. When the TCP +connection drops, the client state is lost. When the file server +recovers, an oplock break is not sent to the client. In this case, the +work from the prior session is lost. Observing this scenario with +oplocks disabled, if the client was writing data to the file server +real-time, then the failover will provide the data on disk as it +existed at the time of the disconnect. +</p><p> +In mission-critical, high-availability environments, careful attention +should be given to oplocks. Ideally, comprehensive +testing should be done with all affected applications with oplocks +enabled and disabled. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386203"></a>Samba Oplocks Control</h2></div></div></div><p> +Oplocks is a unique Windows file locking feature. It is +not really file locking, but is included in most discussions of Windows +file locking, so is considered a de facto locking feature. +Oplocks is actually part of the Windows client file +caching mechanism. It is not a particularly robust or reliable feature +when implemented on the variety of customized networks that exist in +enterprise computing. +</p><p> +Like Windows, Samba implements oplocks as a server-side +component of the client caching mechanism. Because of the lightweight +nature of the Windows feature design, effective configuration of +oplocks requires a good understanding of its limitations, +and then applying that understanding when configuring data access for +each particular customized network and client usage state. +</p><p> +Oplocks essentially means that the client is allowed to download and cache +a file on its hard drive while making changes; if a second client wants to access the +file, the first client receives a break and must synchronize the file back to the server. +This can give significant performance gains in some cases; some programs insist on +synchronizing the contents of the entire file back to the server for a single change. +</p><p> +Level1 Oplocks (also known as just plain “<span class="quote">oplocks</span>”) is another term for opportunistic locking. +</p><p> +Level2 Oplocks provides opportunistic locking for a file that will be treated as +<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or +on files that the client has no initial intention to write to at time of opening the file. +</p><p> +Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with +Samba's oplocked files, although this has provided better integration of MS Windows network +file locking with the underlying OS. SGI IRIX and Linux are the only two OSs that are +oplock-aware at this time. +</p><p> +Unless your system supports kernel oplocks, you should disable oplocks if you are +accessing the same files from both UNIX/Linux and SMB clients. Regardless, oplocks should +always be disabled if you are sharing a database file (e.g., Microsoft Access) between +multiple clients, because any break the first client receives will affect synchronization of +the entire file (not just the single record), which will result in a noticeable performance +impairment and, more likely, problems accessing the database in the first place. Notably, +Microsoft Outlook's personal folders (*.pst) react quite badly to oplocks. If in doubt, +disable oplocks and tune your system from that point. +</p><p> +If client-side caching is desirable and reliable on your network, you will benefit from +turning on oplocks. If your network is slow and/or unreliable, or you are sharing your +files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people +will be accessing the same files frequently, you probably will not benefit from the overhead +of your client sending oplock breaks and will instead want to disable oplocks for the share. +</p><p> +Another factor to consider is the perceived performance of file access. If oplocks provide no +measurable speed benefit on your network, it might not be worth the hassle of dealing with them. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386275"></a>Example Configuration</h3></div></div></div><p> +In the following section we examine two distinct aspects of Samba locking controls. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386284"></a>Disabling Oplocks</h4></div></div></div><p> +You can disable oplocks on a per-share basis with the following: +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[acctdata]</code></em></td></tr><tr><td><a class="indexterm" name="id386310"></a><em class="parameter"><code>oplocks = False</code></em></td></tr><tr><td><a class="indexterm" name="id386323"></a><em class="parameter"><code>level2 oplocks = False</code></em></td></tr></table><p> +</p><p> +The default oplock type is Level1. Level2 oplocks are enabled on a per-share basis +in the <code class="filename">smb.conf</code> file. +</p><p> +Alternately, you could disable oplocks on a per-file basis within the share: +</p><p> + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id386358"></a><em class="parameter"><code>veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/</code></em></td></tr></table><p> +</p><p> +If you are experiencing problems with oplocks, as apparent from Samba's log entries, +you may want to play it safe and disable oplocks and Level2 oplocks. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386378"></a>Disabling Kernel Oplocks</h4></div></div></div><p> +Kernel oplocks is an <code class="filename">smb.conf</code> parameter that notifies Samba (if +the UNIX kernel has the capability to send a Windows client an oplock +break) when a UNIX process is attempting to open the file that is +cached. This parameter addresses sharing files between UNIX and +Windows with oplocks enabled on the Samba server: the UNIX process +can open the file that is Oplocked (cached) by the Windows client and +the smbd process will not send an oplock break, which exposes the file +to the risk of data corruption. If the UNIX kernel has the ability to +send an oplock break, then the kernel oplocks parameter enables Samba +to send the oplock break. Kernel oplocks are enabled on a per-server +basis in the <code class="filename">smb.conf</code> file. +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id386418"></a><em class="parameter"><code>kernel oplocks = yes</code></em></td></tr></table><p> +The default is no. +</p><p> +<span class="emphasis"><em>Veto oplocks</em></span> is an <code class="filename">smb.conf</code> parameter that identifies specific files for +which oplocks are disabled. When a Windows client opens a file that +has been configured for veto oplocks, the client will not be granted +the oplock, and all operations will be executed on the original file on +disk instead of a client-cached file copy. By explicitly identifying +files that are shared with UNIX processes and disabling oplocks for +those files, the server-wide oplock configuration can be enabled to +allow Windows clients to utilize the performance benefit of file +caching without the risk of data corruption. Veto oplocks can be +enabled on a per-share basis, or globally for the entire server, in the +<code class="filename">smb.conf</code> file as shown in <a href="locking.html#far1" title="Example 17.1. Share with Some Files Oplocked">???</a>. +</p><p> +</p><div class="example"><a name="far1"></a><p class="title"><b>Example 17.1. Share with Some Files Oplocked</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id386487"></a><em class="parameter"><code>veto oplock files = /filename.htm/*.txt/</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share_name]</code></em></td></tr><tr><td><a class="indexterm" name="id386509"></a><em class="parameter"><code>veto oplock files = /*.exe/filename.ext/</code></em></td></tr></table></div></div><p><br class="example-break"> +</p><p> +<a class="indexterm" name="id386526"></a>oplock break wait time is an <code class="filename">smb.conf</code> parameter +that adjusts the time interval for Samba to reply to an oplock break request. Samba recommends: +“<span class="quote">Do not change this parameter unless you have read and understood the Samba oplock code.</span>” +Oplock break wait time can only be configured globally in the <code class="filename">smb.conf</code> file as shown: +</p><p> + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id386559"></a><em class="parameter"><code>oplock break wait time = 0 (default)</code></em></td></tr></table><p> +</p><p> +<span class="emphasis"><em>Oplock break contention limit</em></span> is an <code class="filename">smb.conf</code> parameter that limits the +response of the Samba server to grant an oplock if the configured +number of contending clients reaches the limit specified by the parameter. Samba recommends +“<span class="quote">Do not change this parameter unless you have read and understood the Samba oplock code.</span>” +Oplock break contention limit can be enabled on a per-share basis, or globally for +the entire server, in the <code class="filename">smb.conf</code> file as shown in <a href="locking.html#far3" title="Example 17.2. Configuration with Oplock Break Contention Limit">???</a>. +</p><p> +</p><div class="example"><a name="far3"></a><p class="title"><b>Example 17.2. Configuration with Oplock Break Contention Limit</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id386630"></a><em class="parameter"><code>oplock break contention limit = 2 (default)</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share_name]</code></em></td></tr><tr><td><a class="indexterm" name="id386652"></a><em class="parameter"><code>oplock break contention limit = 2 (default)</code></em></td></tr></table></div></div><p><br class="example-break"> +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386670"></a>MS Windows Oplocks and Caching Controls</h2></div></div></div><p> +There is a known issue when running applications (like Norton Antivirus) on a Windows 2000/ XP +workstation computer that can affect any application attempting to access shared database files +across a network. This is a result of a default setting configured in the Windows 2000/XP +operating system. When a workstation +attempts to access shared data files located on another Windows 2000/XP computer, +the Windows 2000/XP operating system will attempt to increase performance by locking the +files and caching information locally. When this occurs, the application is unable to +properly function, which results in an “<span class="quote">Access Denied</span>” + error message being displayed during network operations. +</p><p> +All Windows operating systems in the NT family that act as database servers for data files +(meaning that data files are stored there and accessed by other Windows PCs) may need to +have oplocks disabled in order to minimize the risk of data file corruption. +This includes Windows 9x/Me, Windows NT, Windows 200x, and Windows XP. +<sup>[<a name="id386694" href="#ftn.id386694">5</a>]</sup> +</p><p> +If you are using a Windows NT family workstation in place of a server, you must also +disable oplocks on that workstation. For example, if you use a +PC with the Windows NT Workstation operating system instead of Windows NT Server, and you +have data files located on it that are accessed from other Windows PCs, you may need to +disable oplocks on that system. +</p><p> +The major difference is the location in the Windows registry where the values for disabling +oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location +may be used. +</p><p> +You can verify (change or add, if necessary) this registry value using the Windows +Registry Editor. When you change this registry value, you will have to reboot the PC +to ensure that the new setting goes into effect. +</p><p> +The location of the client registry entry for oplocks has changed in +Windows 2000 from the earlier location in Microsoft Windows NT. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks +in earlier versions of Windows. +</p></div><p> +You can also deny the granting of oplocks by changing the following registry entries: +</p><p> +</p><pre class="programlisting"> + HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\MRXSmb\Parameters\ + + OplocksDisabled REG_DWORD 0 or 1 + Default: 0 (not disabled) +</pre><p> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The OplocksDisabled registry value configures Windows clients to either request or not +request oplocks on a remote file. To disable oplocks, the value of + OplocksDisabled must be set to 1. +</p></div><p> +</p><pre class="programlisting"> + HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (Enabled by Default) + + EnableOpLockForceClose REG_DWORD 0 or 1 + Default: 0 (Disabled by Default) +</pre><p> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The EnableOplocks value configures Windows-based servers (including Workstations sharing +files) to allow or deny oplocks on local files. +</p></div><p> +To force closure of open oplocks on close or program exit, EnableOpLockForceClose must be set to 1. +</p><p> +An illustration of how Level2 oplocks work follows: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Station 1 opens the file requesting oplock. + </p></li><li><p> + Since no other station has the file open, the server grants station 1 exclusive oplock. + </p></li><li><p> + Station 2 opens the file requesting oplock. + </p></li><li><p> + Since station 1 has not yet written to the file, the server asks station 1 to break + to Level2 oplock. + </p></li><li><p> + Station 1 complies by flushing locally buffered lock information to the server. + </p></li><li><p> + Station 1 informs the server that it has broken to level2 Oplock (alternately, + station 1 could have closed the file). + </p></li><li><p> + The server responds to station 2's open request, granting it Level2 oplock. + Other stations can likewise open the file and obtain Level2 oplock. + </p></li><li><p> + Station 2 (or any station that has the file open) sends a write request SMB. + The server returns the write response. + </p></li><li><p> + The server asks all stations that have the file open to break to none, meaning no + station holds any oplock on the file. Because the workstations can have no cached + writes or locks at this point, they need not respond to the break-to-none advisory; + all they need do is invalidate locally cashed read-ahead data. + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386822"></a>Workstation Service Entries</h3></div></div></div><pre class="programlisting"> + \HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\LanmanWorkstation\Parameters + + UseOpportunisticLocking REG_DWORD 0 or 1 + Default: 1 (true) +</pre><p> +This indicates whether the redirector should use oplocks performance +enhancement. This parameter should be disabled only to isolate problems. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386841"></a>Server Service Entries</h3></div></div></div><pre class="programlisting"> + \HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (true) +</pre><p> +This specifies whether the server allows clients to use oplocks on files. Oplocks are a +significant performance enhancement, but have the potential to cause lost cached +data on some networks, particularly WANs. +</p><pre class="programlisting"> + MinLinkThroughput REG_DWORD 0 to infinite bytes per second + Default: 0 +</pre><p> +This specifies the minimum link throughput allowed by the server before it disables +raw I/O and oplocks for this connection. +</p><pre class="programlisting"> + MaxLinkDelay REG_DWORD 0 to 100,000 seconds + Default: 60 +</pre><p> +This specifies the maximum time allowed for a link delay. If delays exceed this number, +the server disables raw I/O and oplocks for this connection. +</p><pre class="programlisting"> + OplockBreakWait REG_DWORD 10 to 180 seconds + Default: 35 +</pre><p> +This specifies the time that the server waits for a client to respond to an oplock break +request. Smaller values can allow detection of crashed clients more quickly but can +potentially cause loss of cached data. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386898"></a>Persistent Data Corruption</h2></div></div></div><p> +If you have applied all of the settings discussed in this chapter but data corruption problems +and other symptoms persist, here are some additional things to check out. +</p><p> +We have credible reports from developers that faulty network hardware, such as a single +faulty network card, can cause symptoms similar to read caching and data corruption. +If you see persistent data corruption even after repeated re-indexing, you may have to +rebuild the data files in question. This involves creating a new data file with the +same definition as the file to be rebuilt and transferring the data from the old file +to the new one. There are several known methods for doing this that can be found in +our knowledge base. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386917"></a>Common Errors</h2></div></div></div><p> +In some sites locking problems surface as soon as a server is installed; in other sites +locking problems may not surface for a long time. Almost without exception, when a locking +problem does surface, it will cause embarrassment and potential data corruption. +</p><p> +Over the past few years there have been a number of complaints on the Samba mailing lists +that have claimed that Samba caused data corruption. Three causes have been identified +so far: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Incorrect configuration of oplocks (incompatible with the application + being used). This is a common problem even where MS Windows NT4 or MS Windows + 200x-based servers were in use. It is imperative that the software application vendors' + instructions for configuration of file locking should be followed. If in doubt, + disable oplocks on both the server and the client. Disabling of all forms of file + caching on the MS Windows client may be necessary also. + </p></li><li><p> + Defective network cards, cables, or hubs/switches. This is generally a more + prevalent factor with low-cost networking hardware, although occasionally there + have also been problems with incompatibilities in more up-market hardware. + </p></li><li><p> + There have been some random reports of Samba log files being written over data + files. This has been reported by very few sites (about five in the past 3 years) + and all attempts to reproduce the problem have failed. The Samba Team has been + unable to catch this happening and thus unable to isolate any particular + cause. Considering the millions of systems that use Samba, for the sites that have + been affected by this as well as for the Samba Team, this is a frustrating and + vexing challenge. If you see this type of thing happening, please create a bug + report on Samba <a href="https://bugzilla.samba.org" target="_top">Bugzilla</a> without delay. + Make sure that you give as much information as you possibly can to help isolate the + cause and to allow replication of the problem (an essential step in problem isolation and correction). + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386968"></a>locking.tdb Error Messages</h3></div></div></div><p> + “<span class="quote"> + We are seeing lots of errors in the Samba logs, like: + </span>” +</p><pre class="programlisting"> +tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic + 0x4d6f4b61 at offset=36116 +</pre><p> + + “<span class="quote"> + What do these mean? + </span>” + </p><p> + This error indicates a corrupted tdb. Stop all instances of smbd, delete locking.tdb, and restart smbd. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386996"></a>Problems Saving Files in MS Office on Windows XP</h3></div></div></div><a class="indexterm" name="id387002"></a><p>This is a bug in Windows XP. More information can be + found in <a href="http://support.microsoft.com/?id=812937" target="_top">Microsoft Knowledge Base article 812937</a></p>. + + </div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id387019"></a>Long Delays Deleting Files over Network with XP SP1</h3></div></div></div><p>“<span class="quote">It sometimes takes approximately 35 seconds to delete files over the network after XP SP1 has been applied.</span>”</p><a class="indexterm" name="id387030"></a><p>This is a bug in Windows XP. More information can be found in <a href="http://support.microsoft.com/?id=811492" target="_top"> + Microsoft Knowledge Base article 811492</a></p>. + </div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387048"></a>Additional Reading</h2></div></div></div><p> +You may want to check for an updated documentation regarding file and record locking issues on the Microsoft +<a href="http://support.microsoft.com/" target="_top">Support</a> web site. Additionally, search for the word +<code class="literal">locking</code> on the Samba <a href="http://www.samba.org/" target="_top">web</a> site. +</p><p> +Section of the Microsoft MSDN Library on opportunistic locking: +</p><p> +<a class="indexterm" name="id387082"></a> +Microsoft Knowledge Base, “<span class="quote">Maintaining Transactional Integrity with OPLOCKS</span>”, +Microsoft Corporation, April 1999, <a href="http://support.microsoft.com/?id=224992" target="_top">Microsoft +KB Article 224992</a>. +</p><p> +<a class="indexterm" name="id387105"></a> +Microsoft Knowledge Base, “<span class="quote">Configuring Opportunistic Locking in Windows 2000</span>”, +Microsoft Corporation, April 2001 <a href="http://support.microsoft.com/?id=296264" target="_top">Microsoft KB Article 296264</a>. +</p><p> +<a class="indexterm" name="id387127"></a> +Microsoft Knowledge Base, “<span class="quote">PC Ext: Explanation of Opportunistic Locking on Windows NT</span>”, +Microsoft Corporation, April 1995 <a href="http://support.microsoft.com/?id=129202" target="_top">Microsoft +KB Article 129202</a>. +</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id386694" href="#id386694">5</a>] </sup>Microsoft has documented this in Knowledge Base article 300216.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 16. File, Directory, and Share Access Controls </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 18. Securing Samba</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/migration.html b/docs/htmldocs/Samba3-HOWTO/migration.html new file mode 100644 index 0000000000..61969f5bb3 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/migration.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="cfgsmarts.html" title="Chapter 34. Advanced Configuration Techniques"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="cfgsmarts.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Part IV. Migration and Updating</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="upgrading-to-3.0.html">35. Updating and Upgrading Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id440059">Key Update Requirements</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440079">Upgrading from Samba-3.0.x to Samba-3.2.0</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id440251">New Featuers in Samba-3.x Series</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440260">New Features in Samba-3.2.x Series</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id441421">New Functionality</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NT4Migration.html">36. Migration from NT4 PDC to Samba-3 PDC</a></span></dt><dd><dl><dt><span class="sect1"><a href="NT4Migration.html#id442739">Planning and Getting Started</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id442769">Objectives</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id443632">Steps in Migration Process</a></span></dt></dl></dd><dt><span class="sect1"><a href="NT4Migration.html#id443855">Migration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id443938">Planning for Success</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id444159">Samba-3 Implementation Choices</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SWAT.html">37. SWAT: The Samba Web Administration Tool</a></span></dt><dd><dl><dt><span class="sect1"><a href="SWAT.html#id444620">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SWAT.html#id444732">Guidelines and Technical Tips</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id444749">Validate SWAT Installation</a></span></dt><dt><span class="sect2"><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445330">Securing SWAT through SSL</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445475">Enabling SWAT Internationalization Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="SWAT.html#id445656">Overview and Quick Tour</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id445667">The SWAT Home Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445720">Global Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445817">Share Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445869">Printers Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445921">The SWAT Wizard</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id445978">The Status Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id446016">The View Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id446034">The Password Change Page</a></span></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="cfgsmarts.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 34. Advanced Configuration Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 35. Updating and Upgrading Samba</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/msdfs.html b/docs/htmldocs/Samba3-HOWTO/msdfs.html new file mode 100644 index 0000000000..ec59057001 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/msdfs.html @@ -0,0 +1,94 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Hosting a Microsoft Distributed File System Tree</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="InterdomainTrusts.html" title="Chapter 19. Interdomain Trust Relationships"><link rel="next" href="classicalprinting.html" title="Chapter 21. Classical Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Hosting a Microsoft Distributed File System Tree</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="InterdomainTrusts.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="classicalprinting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="msdfs"></a>Chapter 20. Hosting a Microsoft Distributed File System Tree</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Shirish</span> <span class="surname">Kalele</span></h3><div class="affiliation"><span class="orgname">Samba Team & Veritas Software<br></span><div class="address"><p><br> + <code class="email"><<a href="mailto:samba@samba.org">samba@samba.org</a>></code><br> + </p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">12 Jul 2000</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="msdfs.html#id390330">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="msdfs.html#id390715">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="msdfs.html#id390744">MSDFS UNIX Path Is Case-Critical</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id390330"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id390338"></a> +<a class="indexterm" name="id390347"></a> +<a class="indexterm" name="id390354"></a> +<a class="indexterm" name="id390361"></a> +<a class="indexterm" name="id390368"></a> + The distributed file system (DFS) provides a means of separating the logical + view of files and directories that users see from the actual physical locations + of these resources on the network. It allows for higher availability, smoother + storage expansion, load balancing, and so on. + </p><p> +<a class="indexterm" name="id390380"></a> +<a class="indexterm" name="id390387"></a> +<a class="indexterm" name="id390394"></a> + For information about DFS, refer to the <a href="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" target="_top">Microsoft + documentation</a>. This document explains how to host a DFS tree on a UNIX machine (for DFS-aware clients + to browse) using Samba. + </p><p> +<a class="indexterm" name="id390412"></a> +<a class="indexterm" name="id390418"></a> +<a class="indexterm" name="id390425"></a> +<a class="indexterm" name="id390432"></a> + A Samba server can be made a DFS server by setting the global Boolean <a class="indexterm" name="id390440"></a>host msdfs + parameter in the <code class="filename">smb.conf</code> file. You designate a share as a DFS root using the share-level Boolean + <a class="indexterm" name="id390453"></a>msdfs root parameter. A DFS root directory on Samba hosts DFS links in the form of + symbolic links that point to other servers. For example, a symbolic link + <code class="filename">junction->msdfs:storage1\share1</code> in the share directory acts as the DFS junction. When + DFS-aware clients attempt to access the junction link, they are redirected to the storage location (in this + case, <em class="parameter"><code>\\storage1\share1</code></em>). + </p><p> +<a class="indexterm" name="id390479"></a> +<a class="indexterm" name="id390485"></a> +<a class="indexterm" name="id390492"></a> +<a class="indexterm" name="id390499"></a> + DFS trees on Samba work with all DFS-aware clients ranging from Windows 95 to 200x. + <a href="msdfs.html#dfscfg" title="Example 20.1. smb.conf with DFS Configured">The following sample configuration</a> shows how to setup a DFS tree on a Samba server. + In the <code class="filename">/export/dfsroot</code> directory, you set up your DFS links to + other servers on the network. +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cd /export/dfsroot</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chown root /export/dfsroot</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>chmod 755 /export/dfsroot</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>ln -s msdfs:storageA\\shareA linka</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>ln -s msdfs:serverB\\share,serverC\\share linkb</code></strong> +</pre><p> +</p><div class="example"><a name="dfscfg"></a><p class="title"><b>Example 20.1. smb.conf with DFS Configured</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id390604"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id390617"></a><em class="parameter"><code>host msdfs = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[dfs]</code></em></td></tr><tr><td><a class="indexterm" name="id390638"></a><em class="parameter"><code>path = /export/dfsroot</code></em></td></tr><tr><td><a class="indexterm" name="id390651"></a><em class="parameter"><code>msdfs root = yes</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id390667"></a> +<a class="indexterm" name="id390673"></a> +<a class="indexterm" name="id390680"></a> + You should set up the permissions and ownership of the directory acting as the DFS root so that only + designated users can create, delete, or modify the msdfs links. Also note that symlink names should be all + lowercase. This limitation exists to have Samba avoid trying all the case combinations to get at the link + name. Finally, set up the symbolic links to point to the network shares you want and start Samba. + </p><p> +<a class="indexterm" name="id390694"></a> +<a class="indexterm" name="id390701"></a> + Users on DFS-aware clients can now browse the DFS tree on the Samba server at + <code class="constant">\\samba\dfs</code>. Accessing links linka or linkb (which appear as directories to the client) + takes users directly to the appropriate shares on the network. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id390715"></a>Common Errors</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Windows clients need to be rebooted + if a previously mounted non-DFS share is made a DFS + root, or vice versa. A better way is to introduce a + new share and make it the DFS root.</p></li><li><p>Currently, there's a restriction that msdfs + symlink names should all be lowercase.</p></li><li><p>For security purposes, the directory + acting as the root of the DFS tree should have ownership + and permissions set so only designated users can + modify the symbolic links in the directory.</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id390744"></a>MSDFS UNIX Path Is Case-Critical</h3></div></div></div><p> + A network administrator sent advice to the Samba mailing list + after long sessions trying to determine why DFS was not working. + His advice is worth noting. + </p><p>“<span class="quote"> + I spent some time trying to figure out why my particular + DFS root wasn't working. I noted in the documentation that + the symlink should be in all lowercase. It should be + amended that the entire path to the symlink should all be + in lowercase as well. + </span>”</p><p> + “<span class="quote">For example, I had a share defined as such:</span>” + </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pub]</code></em></td></tr><tr><td><a class="indexterm" name="id390781"></a><em class="parameter"><code>path = /export/home/Shares/public_share</code></em></td></tr><tr><td><a class="indexterm" name="id390794"></a><em class="parameter"><code>msdfs root = yes</code></em></td></tr></table><p> + “<span class="quote">and I could not make my Windows 9x/Me (with the dfs client installed) follow this symlink:</span>” + </p><pre class="screen"> + damage1 -> msdfs:damage\test-share + </pre><p> + </p><p> + “<span class="quote">Running a debug level of 10 reveals:</span>” + </p><pre class="programlisting"> + [2003/08/20 11:40:33, 5] msdfs/msdfs.c:is_msdfs_link(176) + is_msdfs_link: /export/home/shares/public_share/* does not exist. + </pre><p> + “<span class="quote">Curious. So I changed the directory name from <code class="constant">.../Shares/...</code> to + <code class="constant">.../shares/...</code> (along with my service definition) and it worked!</span>” + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="InterdomainTrusts.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="classicalprinting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 19. Interdomain Trust Relationships </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 21. Classical Printing Support</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/optional.html b/docs/htmldocs/Samba3-HOWTO/optional.html new file mode 100644 index 0000000000..b04074e792 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/optional.html @@ -0,0 +1,7 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part III. Advanced Configuration</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="ClientConfig.html" title="Chapter 8. MS Windows Network Configuration Guide"><link rel="next" href="ChangeNotes.html" title="Chapter 9. Important and Critical Change Notes for the Samba 3.x Series"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part III. Advanced Configuration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ClientConfig.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ChangeNotes.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="optional"></a>Part III. Advanced Configuration</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id351197"></a>Valuable Nuts and Bolts Information</h1></div></div></div><p> +Samba has several features that you might want or might not want to use. +The chapters in this part each cover specific Samba features. +</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="ChangeNotes.html">9. Important and Critical Change Notes for the Samba 3.x Series</a></span></dt><dd><dl><dt><span class="sect1"><a href="ChangeNotes.html#id351284">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id351294">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id351342">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351632">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351743">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351795">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id351912">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetworkBrowsing.html">10. Network Browsing</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetworkBrowsing.html#id352162">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#id352327">What Is Browsing?</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id352694">NetBIOS over TCP/IP</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353250">TCP/IP without NetBIOS</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id353751">How Browsing Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354619">Domain Browsing Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355153">Making Samba the Domain Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355362">Note about Broadcast Addresses</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355381">Multiple Interfaces</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355550">Use of the Remote Announce Parameter</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355674">Use of the Remote Browse Sync Parameter</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id355760">WINS: The Windows Internetworking Name Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id355994">WINS Server Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356273">WINS Replication</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356324">Static WINS Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356540">Helpful Hints</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356550">Windows Networking Protocols</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356676">Name Resolution Order</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356873">Technical Overview of Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356946">Browsing Support in Samba</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id357120">Problem Resolution</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id357344">Cross-Subnet Browsing</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id358283">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id358308">Flushing the Samba NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358373">Server Resources Cannot Be Listed</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358414">I Get an "<span class="errorname">Unable to browse the network</span>" Error</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358459">Browsing of Shares and Directories is Very Slow</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id358640">Invalid Cached Share References Affects Network Browsing</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="passdb.html">11. Account Information Databases</a></span></dt><dd><dl><dt><span class="sect1"><a href="passdb.html#id359091">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id359295">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359822">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id360825">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id361615">The <code class="literal">smbpasswd</code> Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The <code class="literal">pdbedit</code> Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id363976">Password Backends</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id364023">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364340">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364485">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id366875">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id366881">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id366912">Configuration of <em class="parameter"><code>auth methods</code></em></a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="groupmapping.html">12. Group Mapping: MS Windows and UNIX</a></span></dt><dd><dl><dt><span class="sect1"><a href="groupmapping.html#id367144">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="groupmapping.html#id367529">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367843">Warning: User Private Group Problems</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367895">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id368424">Important Administrative Information</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id368644">Default Users, Groups, and Relative Identifiers</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369250">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id369322">Configuration Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id369332">Sample <code class="filename">smb.conf</code> Add Group Script</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369493">Script to Configure Group Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id369607">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id369618">Adding Groups Fails</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id369692">Adding Domain Users to the Workstation Power Users Group</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetCommand.html">13. Remote and Local Management: The Net Command</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetCommand.html#id370067">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370344">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370418">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id370568">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id371804">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371995">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372040">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372102">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id372180">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372494">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id372506">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372844">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id373053">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id373255">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id373297">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id373453">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id373480">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id374016">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id374226">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374244">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374303">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374407">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id374423">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id374462">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id374493">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></dd><dt><span class="chapter"><a href="idmapper.html">14. Identity Mapping (IDMAP)</a></span></dt><dd><dl><dt><span class="sect1"><a href="idmapper.html#id374968">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id374992">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375050">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375941">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id376159">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id376225">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id376286">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id376996">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id377571">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id378132">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="rights.html">15. User Rights and Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="rights.html#id378765">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id379021">Using the “<span class="quote">net rpc rights</span>” Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id379339">Description of Privileges</a></span></dt><dt><span class="sect2"><a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id380042">The Administrator Domain SID</a></span></dt><dt><span class="sect1"><a href="rights.html#id380207">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AccessControls.html">16. File, Directory, and Share Access Controls</a></span></dt><dd><dl><dt><span class="sect1"><a href="AccessControls.html#id380678">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id380846">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380858">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381159">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381279">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381872">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381903">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382198">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382473">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382742">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382878">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id383200">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id383206">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383245">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383310">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383436">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383623">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id383760">Interaction with the Standard Samba “<span class="quote">create mask</span>” Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384062">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384126">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id384487">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id384497">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384805">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id384841">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="locking.html">17. File and Record Locking</a></span></dt><dd><dl><dt><span class="sect1"><a href="locking.html#id385057">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="locking.html#id385144">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id385372">Opportunistic Locking Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386203">Samba Oplocks Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386275">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386670">MS Windows Oplocks and Caching Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386822">Workstation Service Entries</a></span></dt><dt><span class="sect2"><a href="locking.html#id386841">Server Service Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id386898">Persistent Data Corruption</a></span></dt><dt><span class="sect1"><a href="locking.html#id386917">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id386968">locking.tdb Error Messages</a></span></dt><dt><span class="sect2"><a href="locking.html#id386996">Problems Saving Files in MS Office on Windows XP</a></span></dt><dt><span class="sect2"><a href="locking.html#id387019">Long Delays Deleting Files over Network with XP SP1</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id387048">Additional Reading</a></span></dt></dl></dd><dt><span class="chapter"><a href="securing-samba.html">18. Securing Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="securing-samba.html#id387214">Introduction</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id387302">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id387436">Technical Discussion of Protective Measures and Issues</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id387449">Using Host-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387586">User-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387645">Using Interface Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#firewallports">Using a Firewall</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id388109">NTLMv2 Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="securing-samba.html#id388158">Upgrading Samba</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id388198">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id388210">Smbclient Works on Localhost, but the Network Is Dead</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="InterdomainTrusts.html">19. Interdomain Trust Relationships</a></span></dt><dd><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id388758">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388824">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id389083">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id389117">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389207">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389287">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id389483">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id389798">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id389981">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id390117">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id390128">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id390165">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="msdfs.html">20. Hosting a Microsoft Distributed File System Tree</a></span></dt><dd><dl><dt><span class="sect1"><a href="msdfs.html#id390330">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="msdfs.html#id390715">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="msdfs.html#id390744">MSDFS UNIX Path Is Case-Critical</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="classicalprinting.html">21. Classical Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="classicalprinting.html#id390934">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id391142">Technical Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id391282">Client to Samba Print Job Processing</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id391335">Printing-Related Configuration Parameters</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id391430">Simple Print Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id391698">Verifying Configuration with <code class="literal">testparm</code></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id391880">Rapid Configuration Validation</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id392225">Extended Printing Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id392691">Detailed Explanation Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id395044">Point'n'Print Client Drivers on Samba Servers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395198">The Obsoleted [printer$] Section</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395308">Creating the [print$] Share</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395515">[print$] Stanza Parameters</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id395788">The [print$] Share Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id395912">Installing Drivers into [print$]</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id396001">Add Printer Wizard Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#inst-rpc">Installing Print Drivers Using <code class="literal">rpcclient</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id397714">Client Driver Installation Procedure</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id397729">First Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398228">Additional Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398340">Always Make First Client Connection as root or “<span class="quote">printer admin</span>”</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id398491">Other Gotchas</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398507">Setting Default Print Options for Client Drivers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398839">Supporting Large Numbers of Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399075">Adding New Printers with the Windows NT APW</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399282">Error Message: “<span class="quote">Cannot connect under a different Name</span>”</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399380">Take Care When Assembling Driver Files</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399581">Samba and Printer Ports</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399675">Avoiding Common Client Driver Misconfiguration</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id399708">The Imprints Toolset</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id399746">What Is Imprints?</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399776">Creating Printer Driver Packages</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399789">The Imprints Server</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id399802">The Installation Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id399919">Adding Network Printers without User Interaction</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400158">The <code class="literal">addprinter</code> Command</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400192">Migration of Classical Printing to Samba</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400323">Publishing Printer Information in Active Directory or LDAP</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id400350">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id400355">I Give My Root Password but I Do Not Get Access</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id400392">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="CUPS-printing.html">22. CUPS Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="CUPS-printing.html#id400524">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id400530">Features and Benefits</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400581">Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id400690">Basic CUPS Support Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id400790">Linking smbd with libcups.so</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400978">Simple <code class="filename">smb.conf</code> Settings for CUPS</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401226">More Complex CUPS <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id401621">Advanced Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id401636">Central Spooling vs. “<span class="quote">Peer-to-Peer</span>” Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401680">Raw Print Serving: Vendor Drivers on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401884">Installation of Windows Client Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-raw">Explicitly Enable “<span class="quote">raw</span>” Printing for <span class="emphasis"><em>application/octet-stream</em></span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402147">Driver Upload Methods</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id402258">Advanced Intelligent Printing with PostScript Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402432">Windows Drivers, GDI, and EMF</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402598">UNIX Printfile Conversion and GUI Basics</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402931">Ghostscript: The Software RIP for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403071">PostScript Printer Description (PPD) Specification</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403139">Using Windows-Formatted Vendor PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403248">CUPS Also Uses PPDs for Non-PostScript Printers</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id403283">The CUPS Filtering Architecture</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id403499">MIME Types and CUPS Filters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403909">MIME Type Conversion Rules</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404104">Filtering Overview</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404252">Prefilters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404429">pstops</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404588">pstoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404838">imagetops and imagetoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404918">rasterto [printers specific]</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405130">CUPS Backends</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405438">The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405653">The Complete Picture</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405664"><code class="filename">mime.convs</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405726">“<span class="quote">Raw</span>” Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405826">application/octet-stream Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406086">PostScript Printer Descriptions for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406350"><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>Native CUPS</em></span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406664">Examples for Filtering Chains</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407066">Sources of CUPS Drivers/PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407175">Printing with Interface Scripts</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407253">Network Printing (Purely Windows)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407268">From Windows Clients to an NT Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407326">Driver Execution on the Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407391">Driver Execution on the Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407490">Network Printing (Windows Clients and UNIX/Samba Print +Servers)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407506">From Windows Clients to a CUPS/Samba Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407671">Samba Receiving Job-Files and Passing Them to CUPS</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407739">Network PostScript RIP</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407819">PPDs for Non-PS Printers on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407856">PPDs for Non-PS Printers on Windows</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id407917">Windows Terminal Servers (WTS) as CUPS Clients</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id407928">Printer Drivers Running in “<span class="quote">Kernel Mode</span>” Cause Many +Problems</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407959">Workarounds Impose Heavy Limitations</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407973">CUPS: A “<span class="quote">Magical Stone</span>”?</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408015">PostScript Drivers with No Major Problems, Even in Kernel +Mode</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id408093">Configuring CUPS for Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id408112"><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408200">Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408505">CUPS “<span class="quote">PostScript Driver for Windows NT/200x/XP</span>”</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408727">Recognizing Different Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408838">Acquiring the Adobe Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408858">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408912">Caveats to Be Considered</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409192">Windows CUPS PostScript Driver Versus Adobe Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409387">Run cupsaddsmb (Quiet Mode)</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409517">Run cupsaddsmb with Verbose Output</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409621">Understanding cupsaddsmb</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409757">How to Recognize If cupsaddsmb Completed Successfully</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409864">cupsaddsmb with a Samba PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409942">cupsaddsmb Flowchart</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410020">Installing the PostScript Driver on a Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-avoidps1">Avoiding Critical PostScript Driver Settings on the Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410229">Installing PostScript Driver Files Manually Using rpcclient</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410395">A Check of the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410555">Understanding the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410647">Producing an Example by Querying a Windows Box</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410767">Requirements for adddriver and setdriver to Succeed</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410975">Manual Driver Installation in 15 Steps</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id411854">Troubleshooting Revisited</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id411985">The Printing <code class="filename">*.tdb</code> Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412184">Trivial Database Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412246">Binary Format</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412307">Losing <code class="filename">*.tdb</code> Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412353">Using <code class="literal">tdbbackup</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412464">CUPS Print Drivers from Linuxprinting.org</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412624">foomatic-rip and Foomatic Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413329">foomatic-rip and Foomatic PPD Download and Installation</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id413751">Page Accounting with CUPS</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id413781">Setting Up Quotas</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413832">Correct and Incorrect Accounting</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413865">Adobe and CUPS PostScript Drivers for Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413996">The page_log File Syntax</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414132">Possible Shortcomings</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414190">Future Developments</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414225">Other Accounting Tools</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414238">Additional Material</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id414430">Autodeletion or Preservation of CUPS Spool Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id414498">CUPS Configuration Settings Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414575">Preconditions</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414681">Manual Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414715">Printing from CUPS to Windows-Attached Printers</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id414972">More CUPS Filtering Chains</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id415081">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id415086">Windows 9x/Me Client Can't Install Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#root-ask-loop">“<span class="quote">cupsaddsmb</span>” Keeps Asking for Root Password in Never-ending Loop</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415153">“<span class="quote">cupsaddsmb</span>” or “<span class="quote">rpcclient addriver</span>” Emit Error</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415189">“<span class="quote">cupsaddsmb</span>” Errors</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415259">Client Can't Connect to Samba Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415282">New Account Reconnection from Windows 200x/XP Troubles</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415360">Avoid Being Connected to the Samba Server as the Wrong User</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415399">Upgrading to CUPS Drivers from Adobe Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415434">Can't Use “<span class="quote">cupsaddsmb</span>” on Samba Server, Which Is a PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415468">Deleted Windows 200x Printer Driver Is Still Shown</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415499">Windows 200x/XP Local Security Policies</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415530">Administrator Cannot Install Printers for All Local Users</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415567">Print Change, Notify Functions on NT Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415591">Win XP-SP1</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415632">Print Options for All Users Can't Be Set on Windows 200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415896">Most Common Blunders in Driver Settings on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415949"><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id415995">Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id416081">Print Queue Called “<span class="quote">lp</span>” Mishandles Print Jobs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id416144">Location of Adobe PostScript Driver Files for “<span class="quote">cupsaddsmb</span>”</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id416195">Overview of the CUPS Printing Processes</a></span></dt></dl></dd><dt><span class="chapter"><a href="VFS.html">23. Stackable VFS modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="VFS.html#id416378">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="VFS.html#id416413">Discussion</a></span></dt><dt><span class="sect1"><a href="VFS.html#id416800">Included Modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id416806">audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416845">default_quota</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417038">extd_audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#fakeperms">fake_perms</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417334">recycle</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417705">netatalk</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417753">shadow_copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="VFS.html#id418589">VFS Modules Available Elsewhere</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id418611">DatabaseFS</a></span></dt><dt><span class="sect2"><a href="VFS.html#id418663">vscan</a></span></dt><dt><span class="sect2"><a href="VFS.html#id418700">vscan-clamav</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="winbind.html">24. Winbind: Use of Domain Accounts</a></span></dt><dd><dl><dt><span class="sect1"><a href="winbind.html#id418954">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id419277">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id419355">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id419494">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419533">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id419645">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419770">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419814">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420026">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420167">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420241">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id420291">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id420297">Introduction</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420404">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420546">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id422791">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id422837">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id422871">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id422905">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AdvancedNetworkManagement.html">25. Advanced Network Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423076">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423098">Remote Server Administration</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423235">Remote Desktop Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423260">Remote Management from NoMachine.Com</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423599">Remote Management with ThinLinc</a></span></dt></dl></dd><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id423774">Network Logon Script Magic</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423940">Adding Printers without User Intervention</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id423980">Limiting Logon Connections</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="PolicyMgmt.html">26. System and Account Policies</a></span></dt><dd><dl><dt><span class="sect1"><a href="PolicyMgmt.html#id424107">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id424202">Creating and Managing System Policies</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id424372">Windows 9x/ME Policies</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id424496">Windows NT4-Style Policy Files</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id424702">MS Windows 200x/XP Professional Policies</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id425108">Managing Account/User Policies</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id425313">Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id425324">Samba Editreg Toolset</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id425400">Windows NT4/200x</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id425437">Samba PDC</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id425500">System Startup and Logon Processing Overview</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id425641">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id425652">Policy Does Not Work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ProfileMgmt.html">27. Desktop Profile Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="ProfileMgmt.html#id425731">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id425774">Roaming Profiles</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id425822">Samba Configuration for Profile Handling</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426376">Windows Client Profile Configuration Information</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427615">User Profile Hive Cleanup Service</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427643">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427726">Profile Migration from Windows NT4/200x Server to Samba</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id428058">Mandatory Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id428186">Creating and Managing Group Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id428249">Default Profile for Windows Users</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id428275">MS Windows 9x/Me</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id428411">MS Windows NT4 Workstation</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id428936">MS Windows 200x/XP</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id429398">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id429408">Configuring Roaming Profiles for a Few Users or Groups</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429461">Cannot Use Roaming Profiles</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429610">Changing the Default Profile</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id429770">Debugging Roaming Profiles and NT4-style Domain Policies</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="pam.html">28. PAM-Based Distributed Authentication</a></span></dt><dd><dl><dt><span class="sect1"><a href="pam.html#id429934">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id430534">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id430584">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id431487">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id431757"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id431817">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id431902">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id432259">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id432269">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id432358">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="integrate-ms-networks.html">29. Integrating MS Windows Networks with Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="integrate-ms-networks.html#id432559">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id432576">Background Information</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id432695">Name Resolution in a Pure UNIX/Linux World</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id432767"><code class="filename">/etc/hosts</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432923"><code class="filename">/etc/resolv.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432956"><code class="filename">/etc/host.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433004"><code class="filename">/etc/nsswitch.conf</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id433113">Name Resolution as Used within MS Windows Networking</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id433506">The NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433586">The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433711">HOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433736">DNS Lookup</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433763">WINS Lookup</a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id433898">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id433909">Pinging Works Only One Way</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433936">Very Slow Network Connections</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id433974">Samba Server Name-Change Problem</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="unicode.html">30. Unicode/Charsets</a></span></dt><dd><dl><dt><span class="sect1"><a href="unicode.html#id434160">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434205">What Are Charsets and Unicode?</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434324">Samba and Charsets</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434440">Conversion from Old Names</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434469">Japanese Charsets</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id434585">Basic Parameter Setting</a></span></dt><dt><span class="sect2"><a href="unicode.html#id435148">Individual Implementations</a></span></dt><dt><span class="sect2"><a href="unicode.html#id435264">Migration from Samba-2.2 Series</a></span></dt></dl></dd><dt><span class="sect1"><a href="unicode.html#id435399">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id435405">CP850.so Can't Be Found</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Backup.html">31. Backup Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="Backup.html#id435499">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="Backup.html#id435539">Discussion of Backup Solutions</a></span></dt><dd><dl><dt><span class="sect2"><a href="Backup.html#id435626">BackupPC</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435788">Rsync</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435949">Amanda</a></span></dt><dt><span class="sect2"><a href="Backup.html#id435992">BOBS: Browseable Online Backup System</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SambaHA.html">32. High Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="SambaHA.html#id436084">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SambaHA.html#id436191">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="SambaHA.html#id436222">The Ultimate Goal</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id436345">Why Is This So Hard?</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437009">A Simple Solution</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437081">High-Availability Server Products</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437210">MS-DFS: The Poor Man's Cluster</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id437243">Conclusions</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="largefile.html">33. Handling Large Directories</a></span></dt><dt><span class="chapter"><a href="cfgsmarts.html">34. Advanced Configuration Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="cfgsmarts.html#id437826">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="cfgsmarts.html#id437835">Multiple Server Hosting</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id438180">Multiple Virtual Server Personalities</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id439141">Multiple Virtual Server Hosting</a></span></dt></dl></dd></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ClientConfig.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ChangeNotes.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. MS Windows Network Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. Important and Critical Change Notes for the Samba 3.x Series</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/pam.html b/docs/htmldocs/Samba3-HOWTO/pam.html new file mode 100644 index 0000000000..a58cb8bdb9 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/pam.html @@ -0,0 +1,650 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. PAM-Based Distributed Authentication</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 28. PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pam.html#id429934">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id430534">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id430584">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id431487">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id431757"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id431817">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id431902">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id432259">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id432269">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id432358">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id429865"></a> +<a class="indexterm" name="id429872"></a> +<a class="indexterm" name="id429878"></a> +<a class="indexterm" name="id429885"></a> +This chapter should help you to deploy Winbind-based authentication on any PAM-enabled +UNIX/Linux system. Winbind can be used to enable user-level application access authentication +from any MS Windows NT domain, MS Windows 200x Active Directory-based +domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access +controls that are appropriate to your Samba configuration. +</p><p> +<a class="indexterm" name="id429899"></a> +<a class="indexterm" name="id429906"></a> +In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management +possibilities and in particular how to deploy tools like <code class="filename">pam_smbpass.so</code> to your advantage. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The use of Winbind requires more than PAM configuration alone. +Please refer to <a href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>, for further information regarding Winbind. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id429934"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id429941"></a> +<a class="indexterm" name="id429948"></a> +<a class="indexterm" name="id429955"></a> +<a class="indexterm" name="id429961"></a> +<a class="indexterm" name="id429970"></a> +<a class="indexterm" name="id429977"></a> +<a class="indexterm" name="id429984"></a> +<a class="indexterm" name="id429991"></a> +A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux, +now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication, +authorization, and resource control services. Prior to the introduction of PAM, a decision +to use an alternative to the system password database (<code class="filename">/etc/passwd</code>) +would require the provision of alternatives for all programs that provide security services. +Such a choice would involve provision of alternatives to programs such as <code class="literal">login</code>, +<code class="literal">passwd</code>, <code class="literal">chown</code>, and so on. +</p><p> +<a class="indexterm" name="id430029"></a> +<a class="indexterm" name="id430035"></a> +<a class="indexterm" name="id430042"></a> +<a class="indexterm" name="id430049"></a> +PAM provides a mechanism that disconnects these security programs from the underlying +authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file, +<code class="filename">/etc/pam.conf</code> (Solaris), or by editing individual control files that are +located in <code class="filename">/etc/pam.d</code>. +</p><p> +<a class="indexterm" name="id430073"></a> +<a class="indexterm" name="id430079"></a> +On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any +authentication backend so long as the appropriate dynamically loadable library modules +are available for it. The backend may be local to the system or may be centralized on a +remote server. +</p><p> +PAM support modules are available for: +</p><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/passwd</code></span></dt><dd><p> +<a class="indexterm" name="id430107"></a> +<a class="indexterm" name="id430114"></a> +<a class="indexterm" name="id430120"></a> +<a class="indexterm" name="id430127"></a> +<a class="indexterm" name="id430134"></a> +<a class="indexterm" name="id430141"></a> + There are several PAM modules that interact with this standard UNIX user database. The most common are called + <code class="filename">pam_unix.so</code>, <code class="filename">pam_unix2.so</code>, <code class="filename">pam_pwdb.so</code> and + <code class="filename">pam_userdb.so</code>. + </p></dd><dt><span class="term">Kerberos</span></dt><dd><p> +<a class="indexterm" name="id430182"></a> +<a class="indexterm" name="id430189"></a> +<a class="indexterm" name="id430196"></a> +<a class="indexterm" name="id430202"></a> +<a class="indexterm" name="id430209"></a> + The <code class="filename">pam_krb5.so</code> module allows the use of any Kerberos-compliant server. + This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially + Microsoft Active Directory (if enabled). + </p></dd><dt><span class="term">LDAP</span></dt><dd><p> +<a class="indexterm" name="id430233"></a> +<a class="indexterm" name="id430240"></a> +<a class="indexterm" name="id430247"></a> +<a class="indexterm" name="id430254"></a> +<a class="indexterm" name="id430260"></a> +<a class="indexterm" name="id430267"></a> + The <code class="filename">pam_ldap.so</code> module allows the use of any LDAP v2- or v3-compatible backend + server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1, + Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory. + </p></dd><dt><span class="term">NetWare Bindery</span></dt><dd><p> +<a class="indexterm" name="id430292"></a> +<a class="indexterm" name="id430299"></a> +<a class="indexterm" name="id430306"></a> +<a class="indexterm" name="id430313"></a> + The <code class="filename">pam_ncp_auth.so</code> module allows authentication off any bindery-enabled + NetWare Core Protocol-based server. + </p></dd><dt><span class="term">SMB Password</span></dt><dd><p> +<a class="indexterm" name="id430336"></a> +<a class="indexterm" name="id430343"></a> +<a class="indexterm" name="id430350"></a> + This module, called <code class="filename">pam_smbpass.so</code>, allows user authentication of + the passdb backend that is configured in the Samba <code class="filename">smb.conf</code> file. + </p></dd><dt><span class="term">SMB Server</span></dt><dd><p> +<a class="indexterm" name="id430379"></a> +<a class="indexterm" name="id430386"></a> + The <code class="filename">pam_smb_auth.so</code> module is the original MS Windows networking authentication + tool. This module has been somewhat outdated by the Winbind module. + </p></dd><dt><span class="term">Winbind</span></dt><dd><p> +<a class="indexterm" name="id430410"></a> +<a class="indexterm" name="id430417"></a> +<a class="indexterm" name="id430424"></a> +<a class="indexterm" name="id430430"></a> + The <code class="filename">pam_winbind.so</code> module allows Samba to obtain authentication from any + MS Windows domain controller. It can just as easily be used to authenticate + users for access to any PAM-enabled application. + </p></dd><dt><span class="term">RADIUS</span></dt><dd><p> +<a class="indexterm" name="id430455"></a> + There is a PAM RADIUS (Remote Access Dial-In User Service) authentication + module. In most cases, administrators need to locate the source code + for this tool and compile and install it themselves. RADIUS protocols are + used by many routers and terminal servers. + </p></dd></dl></div><p> +<a class="indexterm" name="id430472"></a> +<a class="indexterm" name="id430479"></a> +Of the modules listed, Samba provides the <code class="filename">pam_smbpasswd.so</code> and the +<code class="filename">pam_winbind.so</code> modules alone. +</p><p> +<a class="indexterm" name="id430501"></a> +<a class="indexterm" name="id430508"></a> +<a class="indexterm" name="id430515"></a> +<a class="indexterm" name="id430522"></a> +Once configured, these permit a remarkable level of flexibility in the location and use +of distributed Samba domain controllers that can provide wide-area network bandwidth, +efficient authentication services for PAM-capable systems. In effect, this allows the +deployment of centrally managed and maintained distributed authentication from a +single-user account database. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id430534"></a>Technical Discussion</h2></div></div></div><p> +<a class="indexterm" name="id430542"></a> +<a class="indexterm" name="id430548"></a> +<a class="indexterm" name="id430555"></a> +<a class="indexterm" name="id430562"></a> +PAM is designed to provide system administrators with a great deal of flexibility in +configuration of the privilege-granting applications of their system. The local +configuration of system security controlled by PAM is contained in one of two places: +either the single system file <code class="filename">/etc/pam.conf</code> or the +<code class="filename">/etc/pam.d/</code> directory. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id430584"></a>PAM Configuration Syntax</h3></div></div></div><p> +<a class="indexterm" name="id430592"></a> +<a class="indexterm" name="id430599"></a> +In this section we discuss the correct syntax of and generic options respected by entries to these files. +PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case +sensitive, since they indicate a file's name and reflect the case dependence of typical file systems. The +case sensitivity of the arguments to any given module is defined for each module in turn. +</p><p> +In addition to the lines described below, there are two special characters provided for the convenience +of the system administrator: comments are preceded by a “<span class="quote">#</span>” and extend to the next end-of-line; also, +module specification lines may be extended with a “<span class="quote">\</span>”-escaped newline. +</p><p> +<a class="indexterm" name="id430625"></a> +<a class="indexterm" name="id430632"></a> +If the PAM authentication module (loadable link library file) is located in the +default location, then it is not necessary to specify the path. In the case of +Linux, the default location is <code class="filename">/lib/security</code>. If the module +is located outside the default, then the path must be specified as: +</p><pre class="programlisting"> +auth required /other_path/pam_strange_module.so +</pre><p> +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id430654"></a>Anatomy of <code class="filename">/etc/pam.d</code> Entries</h4></div></div></div><p> +The remaining information in this subsection was taken from the documentation of the Linux-PAM +project. For more information on PAM, see +<a href="http://ftp.kernel.org/pub/linux/libs/pam/" target="_top">the Official Linux-PAM home page</a>. +</p><p> +<a class="indexterm" name="id430678"></a> +A general configuration line of the <code class="filename">/etc/pam.conf</code> file has the following form: +</p><pre class="programlisting"> +service-name module-type control-flag module-path args +</pre><p> +</p><p> +We explain the meaning of each of these tokens. The second (and more recently adopted) +way of configuring Linux-PAM is via the contents of the <code class="filename">/etc/pam.d/</code> directory. +Once we have explained the meaning of the tokens, we describe this method. +</p><div class="variablelist"><dl><dt><span class="term">service-name</span></dt><dd><p> +<a class="indexterm" name="id430720"></a> +<a class="indexterm" name="id430727"></a> +<a class="indexterm" name="id430734"></a> + The name of the service associated with this entry. Frequently, the service-name is the conventional + name of the given application for example, <code class="literal">ftpd</code>, <code class="literal">rlogind</code> and + <code class="literal">su</code>, and so on. + </p><p> + There is a special service-name reserved for defining a default authentication mechanism. It has + the name <em class="parameter"><code>OTHER</code></em> and may be specified in either lower- or uppercase characters. + Note, when there is a module specified for a named service, the <em class="parameter"><code>OTHER</code></em> + entries are ignored. + </p></dd><dt><span class="term">module-type</span></dt><dd><p> + One of (currently) four types of module. The four types are as follows: + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id430797"></a> +<a class="indexterm" name="id430804"></a> + <em class="parameter"><code>auth:</code></em> This module type provides two aspects of authenticating the user. + It establishes that the user is who he or she claims to be by instructing the application + to prompt the user for a password or other means of identification. Second, the module can + grant group membership (independently of the <code class="filename">/etc/groups</code> file) + or other privileges through its credential-granting properties. + </p></li><li><p> +<a class="indexterm" name="id430830"></a> +<a class="indexterm" name="id430837"></a> + <em class="parameter"><code>account:</code></em> This module performs non-authentication-based account management. + It is typically used to restrict/permit access to a service based on the time of day, currently + available system resources (maximum number of users), or perhaps the location of the user + login. For example, the “<span class="quote">root</span>” login may be permitted only on the console. + </p></li><li><p> +<a class="indexterm" name="id430861"></a> + <em class="parameter"><code>session:</code></em> Primarily, this module is associated with doing things that need + to be done for the user before and after he or she can be given service. Such things include logging + information concerning the opening and closing of some data exchange with a user, mounting + directories, and so on. + </p></li><li><p> +<a class="indexterm" name="id430880"></a> + <em class="parameter"><code>password:</code></em> This last module type is required for updating the authentication + token associated with the user. Typically, there is one module for each + “<span class="quote">challenge/response</span>” authentication <em class="parameter"><code>(auth)</code></em> module type. + </p></li></ul></div></dd><dt><span class="term">control-flag</span></dt><dd><p> + The control-flag is used to indicate how the PAM library will react to the success or failure of the + module it is associated with. Since modules can be stacked (modules of the same type execute in series, + one after another), the control-flags determine the relative importance of each module. The application + is not made aware of the individual success or failure of modules listed in the + <code class="filename">/etc/pam.conf</code> file. Instead, it receives a summary success or fail response from + the Linux-PAM library. The order of execution of these modules is that of the entries in the + <code class="filename">/etc/pam.conf</code> file; earlier entries are executed before later ones. + As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes. + </p><p> +<a class="indexterm" name="id430936"></a> +<a class="indexterm" name="id430943"></a> +<a class="indexterm" name="id430950"></a> +<a class="indexterm" name="id430957"></a> + The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the + severity of concern associated with the success or failure of a specific module. There are four such + keywords: <em class="parameter"><code>required</code></em>, <em class="parameter"><code>requisite</code></em>, + <em class="parameter"><code>sufficient</code></em>, and <em class="parameter"><code>optional</code></em>. + </p><p> + The Linux-PAM library interprets these keywords in the following manner: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <em class="parameter"><code>required:</code></em> This indicates that the success of the module is required for the + module-type facility to succeed. Failure of this module will not be apparent to the user until all + of the remaining modules (of the same module-type) have been executed. + </p></li><li><p> + <em class="parameter"><code>requisite:</code></em> Like required, except that if such a module returns a + failure, control is directly returned to the application. The return value is that associated with + the first required or requisite module to fail. This flag can be used to protect against the + possibility of a user getting the opportunity to enter a password over an unsafe medium. It is + conceivable that such behavior might inform an attacker of valid accounts on a system. This + possibility should be weighed against the not insignificant concerns of exposing a sensitive + password in a hostile environment. + </p></li><li><p> + <em class="parameter"><code>sufficient:</code></em> The success of this module is deemed <em class="parameter"><code>sufficient</code></em> to satisfy + the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no + previous required module has failed, no more “<span class="quote">stacked</span>” modules of this type are invoked. + (In this case, subsequent required modules are not invoked). A failure of this module is not deemed + as fatal to satisfying the application that this module-type has succeeded. + </p></li><li><p> + <em class="parameter"><code>optional:</code></em> As its name suggests, this control-flag marks the module as not + being critical to the success or failure of the user's application for service. In general, + Linux-PAM ignores such a module when determining if the module stack will succeed or fail. + However, in the absence of any definite successes or failures of previous or subsequent stacked + modules, this module will determine the nature of the response to the application. One example of + this latter case is when the other modules return something like PAM_IGNORE. + </p></li></ul></div><p> + The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control + over how the user is authenticated. This form of the control-flag is delimited with square brackets and + consists of a series of <em class="parameter"><code>value=action</code></em> tokens: + </p><pre class="programlisting"> +[value1=action1 value2=action2 ...] +</pre><p> + Here, <em class="parameter"><code>value1</code></em> is one of the following return values: +</p><pre class="screen"> +<em class="parameter"><code>success; open_err; symbol_err; service_err; system_err; buf_err;</code></em> +<em class="parameter"><code>perm_denied; auth_err; cred_insufficient; authinfo_unavail;</code></em> +<em class="parameter"><code>user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err;</code></em> +<em class="parameter"><code>cred_unavail; cred_expired; cred_err; no_module_data; conv_err;</code></em> +<em class="parameter"><code>authtok_err; authtok_recover_err; authtok_lock_busy;</code></em> +<em class="parameter"><code>authtok_disable_aging; try_again; ignore; abort; authtok_expired;</code></em> +<em class="parameter"><code>module_unknown; bad_item;</code></em> and <em class="parameter"><code>default</code></em>. +</pre><p> +</p><p> + The last of these (<em class="parameter"><code>default</code></em>) can be used to set the action for those return values that are not explicitly defined. + </p><p> + The <em class="parameter"><code>action1</code></em> can be a positive integer or one of the following tokens: + <em class="parameter"><code>ignore</code></em>; <em class="parameter"><code>ok</code></em>; <em class="parameter"><code>done</code></em>; + <em class="parameter"><code>bad</code></em>; <em class="parameter"><code>die</code></em>; and <em class="parameter"><code>reset</code></em>. + A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the + current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated + stack of modules with a number of different paths of execution. Which path is taken can be determined by the + reactions of individual modules. + </p><div class="itemizedlist"><ul type="disc"><li><p> + <em class="parameter"><code>ignore:</code></em> When used with a stack of modules, the module's return status will not + contribute to the return code the application obtains. + </p></li><li><p> + <em class="parameter"><code>bad:</code></em> This action indicates that the return code should be thought of as indicative + of the module failing. If this module is the first in the stack to fail, its status value will be used + for that of the whole stack. + </p></li><li><p> + <em class="parameter"><code>die:</code></em> Equivalent to bad with the side effect of terminating the module stack and + PAM immediately returning to the application. + </p></li><li><p> + <em class="parameter"><code>ok:</code></em> This tells PAM that the administrator thinks this return code should + contribute directly to the return code of the full stack of modules. In other words, if the former + state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override + this value. Note, if the former state of the stack holds some value that is indicative of a module's + failure, this <em class="parameter"><code>ok</code></em> value will not be used to override that value. + </p></li><li><p> + <em class="parameter"><code>done:</code></em> Equivalent to <em class="parameter"><code>ok</code></em> with the side effect of terminating the module stack and + PAM immediately returning to the application. + </p></li><li><p> + <em class="parameter"><code>reset:</code></em> Clears all memory of the state of the module stack and starts again with + the next stacked module. + </p></li></ul></div><p> + Each of the four keywords, <em class="parameter"><code>required</code></em>; <em class="parameter"><code>requisite</code></em>; + <em class="parameter"><code>sufficient</code></em>; and <em class="parameter"><code>optional</code></em>, have an equivalent expression in terms + of the [...] syntax. They are as follows: + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p> + <em class="parameter"><code>required</code></em> is equivalent to <em class="parameter"><code>[success=ok new_authtok_reqd=ok ignore=ignore default=bad]</code></em>. + </p></li><li><p> + <em class="parameter"><code>requisite</code></em> is equivalent to <em class="parameter"><code>[success=ok new_authtok_reqd=ok ignore=ignore default=die]</code></em>. + </p></li><li><p> + <em class="parameter"><code>sufficient</code></em> is equivalent to <em class="parameter"><code>[success=done new_authtok_reqd=done default=ignore]</code></em>. + </p></li><li><p> + <em class="parameter"><code>optional</code></em> is equivalent to <em class="parameter"><code>[success=ok new_authtok_reqd=ok default=ignore]</code></em>. + </p></li></ul></div><p> + </p><p> + Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63, + the notion of client plug-in agents was introduced. This makes it possible for PAM to support + machine-machine authentication using the transport protocol inherent to the client/server application. With the + <em class="parameter"><code>[ ... value=action ... ]</code></em> control syntax, it is possible for an application to be configured + to support binary prompts with compliant clients, but to gracefully fail over into an alternative authentication + mode for legacy applications. + </p></dd><dt><span class="term">module-path</span></dt><dd><p> + The pathname of the dynamically loadable object file; the pluggable module itself. If the first character of the + module path is “<span class="quote">/</span>”, it is assumed to be a complete path. If this is not the case, the given module path is appended + to the default module path: <code class="filename">/lib/security</code> (but see the previous notes). + </p><p> + The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical + Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments + are ignored by a module; however, when encountering an invalid argument, the module is required to write an error + to syslog(3). For a list of generic options, see the next section. + </p><p> + If you wish to include spaces in an argument, you should surround that argument with square brackets. For example: + </p><pre class="programlisting"> +squid auth required pam_mysql.so user=passwd_query passwd=mada \ +db=eminence [query=select user_name from internet_service where \ +user_name=“<span class="quote">%u</span>” and password=PASSWORD(“<span class="quote">%p</span>”) and service=“<span class="quote">web_proxy</span>”] +</pre><p> + When using this convention, you can include “<span class="quote">[</span>” characters inside the string, and if you wish to have a “<span class="quote">]</span>” + character inside the string that will survive the argument parsing, you should use “<span class="quote">\[</span>”. In other words, + </p><pre class="programlisting"> +[..[..\]..] --> ..[..].. +</pre><p> + Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the + side of caution) to make the authentication process fail. A corresponding error is written to the system log files + with a call to syslog(3). + </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id431487"></a>Example System Configurations</h3></div></div></div><p> +The following is an example <code class="filename">/etc/pam.d/login</code> configuration file. +This example had all options uncommented and is probably not usable +because it stacks many conditions before allowing successful completion +of the login process. Essentially, all conditions can be disabled +by commenting them out, except the calls to <code class="filename">pam_pwdb.so</code>. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id431510"></a>PAM: Original Login Config</h4></div></div></div><p> + </p><pre class="programlisting"> +#%PAM-1.0 +# The PAM configuration file for the “<span class="quote">login</span>” service +# +auth required pam_securetty.so +auth required pam_nologin.so +# auth required pam_dialup.so +# auth optional pam_mail.so +auth required pam_pwdb.so shadow md5 +# account requisite pam_time.so +account required pam_pwdb.so +session required pam_pwdb.so +# session optional pam_lastlog.so +# password required pam_cracklib.so retry=3 +password required pam_pwdb.so shadow md5 +</pre><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id431534"></a>PAM: Login Using <code class="filename">pam_smbpass</code></h4></div></div></div><p> +PAM allows use of replaceable modules. Those available on a sample system include: +</p><p><code class="prompt">$</code><strong class="userinput"><code>/bin/ls /lib/security</code></strong> +</p><pre class="programlisting"> +pam_access.so pam_ftp.so pam_limits.so +pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so +pam_cracklib.so pam_group.so pam_listfile.so +pam_nologin.so pam_rootok.so pam_tally.so +pam_deny.so pam_issue.so pam_mail.so +pam_permit.so pam_securetty.so pam_time.so +pam_dialup.so pam_lastlog.so pam_mkhomedir.so +pam_pwdb.so pam_shells.so pam_unix.so +pam_env.so pam_ldap.so pam_motd.so +pam_radius.so pam_smbpass.so pam_unix_acct.so +pam_wheel.so pam_unix_auth.so pam_unix_passwd.so +pam_userdb.so pam_warn.so pam_unix_session.so +</pre><p> +The following example for the login program replaces the use of +the <code class="filename">pam_pwdb.so</code> module that uses the system +password database (<code class="filename">/etc/passwd</code>, +<code class="filename">/etc/shadow</code>, <code class="filename">/etc/group</code>) with +the module <code class="filename">pam_smbpass.so</code>, which uses the Samba +database containing the Microsoft MD4 encrypted password +hashes. This database is stored either in +<code class="filename">/usr/local/samba/private/smbpasswd</code>, +<code class="filename">/etc/samba/smbpasswd</code> or in +<code class="filename">/etc/samba.d/smbpasswd</code>, depending on the +Samba implementation for your UNIX/Linux system. The +<code class="filename">pam_smbpass.so</code> module is provided by +Samba version 2.2.1 or later. It can be compiled by specifying the +<code class="option">--with-pam_smbpass</code> options when running Samba's +<code class="literal">configure</code> script. For more information +on the <code class="filename">pam_smbpass</code> module, see the documentation +in the <code class="filename">source/pam_smbpass</code> directory of the Samba +source distribution. +</p><p> + </p><pre class="programlisting"> +#%PAM-1.0 +# The PAM configuration file for the “<span class="quote">login</span>” service +# +auth required pam_smbpass.so nodelay +account required pam_smbpass.so nodelay +session required pam_smbpass.so nodelay +password required pam_smbpass.so nodelay +</pre><p> +The following is the PAM configuration file for a particular +Linux system. The default condition uses <code class="filename">pam_pwdb.so</code>. +</p><p> + </p><pre class="programlisting"> +#%PAM-1.0 +# The PAM configuration file for the “<span class="quote">samba</span>” service +# +auth required pam_pwdb.so nullok nodelay shadow audit +account required pam_pwdb.so audit nodelay +session required pam_pwdb.so nodelay +password required pam_pwdb.so shadow md5 +</pre><p> +In the following example, the decision has been made to use the +<code class="literal">smbpasswd</code> database even for basic Samba authentication. Such a +decision could also be made for the <code class="literal">passwd</code> program and would +thus allow the <code class="literal">smbpasswd</code> passwords to be changed using the +<code class="literal">passwd</code> program: +</p><p> + </p><pre class="programlisting"> +#%PAM-1.0 +# The PAM configuration file for the “<span class="quote">samba</span>” service +# +auth required pam_smbpass.so nodelay +account required pam_pwdb.so audit nodelay +session required pam_pwdb.so nodelay +password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf +</pre><p> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>PAM allows stacking of authentication mechanisms. It is +also possible to pass information obtained within one PAM module through +to the next module in the PAM stack. Please refer to the documentation for +your particular system implementation for details regarding the specific +capabilities of PAM in this environment. Some Linux implementations also +provide the <code class="filename">pam_stack.so</code> module that allows all +authentication to be configured in a single central file. The +<code class="filename">pam_stack.so</code> method has some devoted followers +on the basis that it allows for easier administration. As with all issues in +life, though, every decision has trade-offs, so you may want to examine the +PAM documentation for further helpful information. +</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id431757"></a><code class="filename">smb.conf</code> PAM Configuration</h3></div></div></div><p> +There is an option in <code class="filename">smb.conf</code> called <a class="indexterm" name="id431775"></a>obey pam restrictions. +The following is from the online help for this option in SWAT: +</p><div class="blockquote"><blockquote class="blockquote"><p> +When Samba is configured to enable PAM support (i.e., <code class="option">--with-pam</code>), this parameter will +control whether or not Samba should obey PAM's account and session management directives. The default behavior +is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always +ignores PAM for authentication in the case of <a class="indexterm" name="id431795"></a>encrypt passwords = yes. +The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB +password encryption. +</p><p>Default: <a class="indexterm" name="id431807"></a>obey pam restrictions = no</p></blockquote></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id431817"></a>Remote CIFS Authentication Using <code class="filename">winbindd.so</code></h3></div></div></div><p> +All operating systems depend on the provision of user credentials acceptable to the platform. +UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID). +These are both simple integer numbers that are obtained from a password backend such +as <code class="filename">/etc/passwd</code>. +</p><p> +Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for +the domain when the user or group is created. To convert the Windows NT user or group into +a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This +is one of the jobs that winbind performs. +</p><p> +As winbind users and groups are resolved from a server, user and group IDs are allocated +from a specified range. This is done on a first come, first served basis, although all +existing users and groups will be mapped as soon as a client performs a user or group +enumeration command. The allocated UNIX IDs are stored in a database file under the Samba +lock directory and will be remembered. +</p><p> +The astute administrator will realize from this that the combination of <code class="filename">pam_smbpass.so</code>, +<code class="literal">winbindd</code>, and a distributed <a class="indexterm" name="id431866"></a>passdb backend +such as <em class="parameter"><code>ldap</code></em> will allow the establishment of a centrally managed, distributed user/password +database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have +particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) insofar as +the reduction of wide-area network authentication traffic. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +The RID to UNIX ID database is the only location where the user and group mappings are +stored by <code class="literal">winbindd</code>. If this file is deleted or corrupted, there is no way for <code class="literal">winbindd</code> +to determine which user and group IDs correspond to Windows NT user and group RIDs. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id431902"></a>Password Synchronization Using <code class="filename">pam_smbpass.so</code></h3></div></div></div><p> +<code class="filename">pam_smbpass</code> is a PAM module that can be used on conforming systems to +keep the <code class="filename">smbpasswd</code> (Samba password) database in sync with the UNIX +password file. PAM is an API supported +under some UNIX operating systems, such as Solaris, HPUX, and Linux, that provides a +generic interface to authentication mechanisms. +</p><p> +This module authenticates a local <code class="filename">smbpasswd</code> user database. If you require +support for authenticating against a remote SMB server, or if you are +concerned about the presence of SUID root binaries on your system, it is +recommended that you use <code class="filename">pam_winbind</code> instead. +</p><p> +Options recognized by this module are shown in <a href="pam.html#smbpassoptions" title="Table 28.1. Options recognized by pam_smbpass">next table</a>. +</p><div class="table"><a name="smbpassoptions"></a><p class="title"><b>Table 28.1. Options recognized by <em class="parameter"><code>pam_smbpass</code></em></b></p><div class="table-contents"><table summary="Options recognized by pam_smbpass" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">debug</td><td align="justify">Log more debugging info.</td></tr><tr><td align="left">audit</td><td align="justify">Like debug, but also logs unknown usernames.</td></tr><tr><td align="left">use_first_pass</td><td align="justify">Do not prompt the user for passwords; take them from PAM_ items instead.</td></tr><tr><td align="left">try_first_pass</td><td align="justify">Try to get the password from a previous PAM module; fall back to prompting the user.</td></tr><tr><td align="left">use_authtok</td><td align="justify">Like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</td></tr><tr><td align="left">not_set_pass</td><td align="justify">Do not make passwords used by this module available to other modules.</td></tr><tr><td align="left">nodelay</td><td align="justify">dDo not insert ~1-second delays on authentication failure.</td></tr><tr><td align="left">nullok</td><td align="justify">Null passwords are allowed.</td></tr><tr><td align="left">nonull</td><td align="justify">Null passwords are not allowed. Used to override the Samba configuration.</td></tr><tr><td align="left">migrate</td><td align="justify">Only meaningful in an “<span class="quote">auth</span>” context; used to update smbpasswd file with a password used for successful authentication.</td></tr><tr><td align="left">smbconf=<em class="replaceable"><code>file</code></em></td><td align="justify">Specify an alternate path to the <code class="filename">smb.conf</code> file.</td></tr></tbody></table></div></div><p><br class="table-break"> +</p><p> +The following are examples of the use of <code class="filename">pam_smbpass.so</code> in the format of the Linux +<code class="filename">/etc/pam.d/</code> files structure. Those wishing to implement this +tool on other platforms will need to adapt this appropriately. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id432107"></a>Password Synchronization Configuration</h4></div></div></div><p> +The following is a sample PAM configuration that shows the use of pam_smbpass to make +sure <code class="filename">private/smbpasswd</code> is kept in sync when <code class="filename">/etc/passwd (/etc/shadow)</code> +is changed. It is useful when an expired password might be changed by an +application (such as <code class="literal">ssh</code>). +</p><p> + </p><pre class="programlisting"> +#%PAM-1.0 +# password-sync +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so +</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id432147"></a>Password Migration Configuration</h4></div></div></div><p> +The following PAM configuration shows the use of <code class="filename">pam_smbpass</code> to migrate +from plaintext to encrypted passwords for Samba. Unlike other methods, +this can be used for users who have never connected to Samba shares: +password migration takes place when users <code class="literal">ftp</code> in, login using <code class="literal">ssh</code>, pop +their mail, and so on. +</p><p> + </p><pre class="programlisting"> +#%PAM-1.0 +# password-migration +# +auth requisite pam_nologin.so +# pam_smbpass is called IF pam_unix succeeds. +auth requisite pam_unix.so +auth optional pam_smbpass.so migrate +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password optional pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so +</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id432188"></a>Mature Password Configuration</h4></div></div></div><p> +The following is a sample PAM configuration for a mature <code class="filename">smbpasswd</code> installation. +<code class="filename">private/smbpasswd</code> is fully populated, and we consider it an error if +the SMB password does not exist or does not match the UNIX password. +</p><p> +</p><pre class="programlisting"> +#%PAM-1.0 +# password-mature +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so use_authtok use_first_pass +session required pam_unix.so +</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id432223"></a>Kerberos Password Integration Configuration</h4></div></div></div><p> +The following is a sample PAM configuration that shows <em class="parameter"><code>pam_smbpass</code></em> used together with +<em class="parameter"><code>pam_krb5</code></em>. This could be useful on a Samba PDC that is also a member of +a Kerberos realm. +</p><p> + </p><pre class="programlisting"> +#%PAM-1.0 +# kdc-pdc +# +auth requisite pam_nologin.so +auth requisite pam_krb5.so +auth optional pam_smbpass.so migrate +account required pam_krb5.so +password requisite pam_cracklib.so retry=3 +password optional pam_smbpass.so nullok use_authtok try_first_pass +password required pam_krb5.so use_authtok try_first_pass +session required pam_krb5.so +</pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432259"></a>Common Errors</h2></div></div></div><p> +PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from +the Samba mailing list. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id432269"></a>pam_winbind Problem</h3></div></div></div><p> + A user reported, <span class="emphasis"><em>I have the following PAM configuration</em></span>: + </p><p> +</p><pre class="programlisting"> +auth required /lib/security/pam_securetty.so +auth sufficient /lib/security/pam_winbind.so +auth sufficient /lib/security/pam_unix.so use_first_pass nullok +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_winbind.so +password required /lib/security/pam_stack.so service=system-auth +</pre><p> +</p><p> + <span class="emphasis"><em>When I open a new console with [ctrl][alt][F1], I can't log in with my user “<span class="quote">pitie.</span>” + I have tried with user “<span class="quote">scienceu\pitie</span>” also.</em></span> + </p><p> + The problem may lie with the inclusion of <em class="parameter"><code>pam_stack.so + service=system-auth</code></em>. That file often contains a lot of stuff that may + duplicate what you are already doing. Try commenting out the <em class="parameter"><code>pam_stack</code></em> lines + for <em class="parameter"><code>auth</code></em> and <em class="parameter"><code>account</code></em> and see if things work. If they do, look at + <code class="filename">/etc/pam.d/system-auth</code> and copy only what you need from it into your + <code class="filename">/etc/pam.d/login</code> file. Alternatively, if you want all services to use + Winbind, you can put the Winbind-specific stuff in <code class="filename">/etc/pam.d/system-auth</code>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id432358"></a>Winbind Is Not Resolving Users and Groups</h3></div></div></div><p> + “<span class="quote"> + My <code class="filename">smb.conf</code> file is correctly configured. I have specified + <a class="indexterm" name="id432374"></a>idmap uid = 12000 + and <a class="indexterm" name="id432382"></a>idmap gid = 3000-3500, + and <code class="literal">winbind</code> is running. When I do the following it all works fine. + </span>” + </p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong> +MIDEARTH\maryo +MIDEARTH\jackb +MIDEARTH\ameds +... +MIDEARTH\root + +<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong> +MIDEARTH\Domain Users +MIDEARTH\Domain Admins +MIDEARTH\Domain Guests +... +MIDEARTH\Accounts + +<code class="prompt">root# </code><strong class="userinput"><code>getent passwd</code></strong> +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +... +maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false +</pre><p> + “<span class="quote"> + But this command fails: + </span>” +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>chown maryo a_file</code></strong> +chown: 'maryo': invalid user +</pre><p> + “<span class="quote">This is driving me nuts! What can be wrong?</span>” + </p><p> + Your system is likely running <code class="literal">nscd</code>, the name service + caching daemon. Shut it down, do not restart it! You will find your problem resolved. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Desktop Profile Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. Integrating MS Windows Networks with Samba</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/passdb.html b/docs/htmldocs/Samba3-HOWTO/passdb.html new file mode 100644 index 0000000000..ea5a725954 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/passdb.html @@ -0,0 +1,1670 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Account Information Databases</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"><link rel="next" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><code class="email"><<a href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="passdb.html#id359091">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359126">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id359295">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359822">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id360306">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id360825">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id361199">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id361615">The <code class="literal">smbpasswd</code> Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The <code class="literal">pdbedit</code> Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id363976">Password Backends</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id364023">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364094">smbpasswd: Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364340">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364485">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id366875">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id366881">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id366912">Configuration of <em class="parameter"><code>auth methods</code></em></a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id358906"></a> +<a class="indexterm" name="id358913"></a> +<a class="indexterm" name="id358920"></a> +<a class="indexterm" name="id358927"></a> +Early releases of Samba-3 implemented new capability to work concurrently with multiple account backends. This +capability was removed beginning with release of Samba 3.0.23. Commencing with Samba 3.0.23 it is possible to +work with only one specified passwd backend. +</p><p> +<a class="indexterm" name="id358939"></a> +<a class="indexterm" name="id358946"></a> +<a class="indexterm" name="id358952"></a> +<a class="indexterm" name="id358959"></a> +<a class="indexterm" name="id358966"></a> +<a class="indexterm" name="id358973"></a> +The three passdb backends that are fully maintained (actively supported) by the Samba Team are: +<code class="literal">smbpasswd</code> (being obsoleted), <code class="literal">tdbsam</code> (a tdb-based binary file format), +and <code class="literal">ldapsam</code> (LDAP directory). Of these, only the <code class="literal">ldapsam</code> backend +stores both POSIX (UNIX) and Samba user and group account information in a single repository. The +<code class="literal">smbpasswd</code> and <code class="literal">tdbsam</code> backends store only Samba user accounts. +</p><p> +In a strict sense, there are three supported account storage and access systems. One of these is considered +obsolete (smbpasswd). It is recommended to use the <code class="literal">tdbsam</code> method for all simple systems. Use +<code class="literal">ldapsam</code> for larger and more complex networks. +</p><p> +<a class="indexterm" name="id359038"></a> +<a class="indexterm" name="id359045"></a> +<a class="indexterm" name="id359052"></a> +<a class="indexterm" name="id359058"></a> +<a class="indexterm" name="id359065"></a> +<a class="indexterm" name="id359072"></a> +<a class="indexterm" name="id359079"></a> +In a strict and literal sense, the passdb backends are account storage mechanisms (or methods) alone. The choice +of terminology can be misleading, however we are stuck with this choice of wording. This chapter documents the +nature of the account storage system with a focus on user and trust accounts. Trust accounts have two forms, +machine trust accounts (computer accounts) and interdomain trust accounts. These are all treated as user-like +entities. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id359091"></a>Features and Benefits</h2></div></div></div><p> +Samba-3 provides for complete backward compatibility with Samba-2.2.x functionality +as follows: +<a class="indexterm" name="id359099"></a> +<a class="indexterm" name="id359109"></a> +<a class="indexterm" name="id359118"></a> +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id359126"></a>Backward Compatibility Account Storage Systems</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">Plaintext</span></dt><dd><p> +<a class="indexterm" name="id359142"></a> +<a class="indexterm" name="id359149"></a> +<a class="indexterm" name="id359156"></a> +<a class="indexterm" name="id359163"></a> +<a class="indexterm" name="id359170"></a> + This isn't really a backend at all, but is listed here for simplicity. Samba can be configured to pass + plaintext authentication requests to the traditional UNIX/Linux <code class="filename">/etc/passwd</code> and + <code class="filename">/etc/shadow</code>-style subsystems. On systems that have Pluggable Authentication Modules + (PAM) support, all PAM modules are supported. The behavior is just as it was with Samba-2.2.x, and the + protocol limitations imposed by MS Windows clients apply likewise. Please refer to <a href="passdb.html#passdbtech" title="Technical Information">Technical Information</a>, for more information regarding the limitations of plaintext + password usage. + </p></dd><dt><span class="term">smbpasswd</span></dt><dd><p> +<a class="indexterm" name="id359213"></a> +<a class="indexterm" name="id359220"></a> +<a class="indexterm" name="id359226"></a> +<a class="indexterm" name="id359233"></a> + This option allows continued use of the <code class="filename">smbpasswd</code> + file that maintains a plain ASCII (text) layout that includes the MS Windows + LanMan and NT-encrypted passwords as well as a field that stores some + account information. This form of password backend does not store any of + the MS Windows NT/200x SAM (Security Account Manager) information required to + provide the extended controls that are needed for more comprehensive + interoperation with MS Windows NT4/200x servers. + </p><p> + This backend should be used only for backward compatibility with older + versions of Samba. It may be deprecated in future releases. + </p></dd><dt><span class="term">ldapsam_compat (Samba-2.2 LDAP Compatibility)</span></dt><dd><p> +<a class="indexterm" name="id359267"></a> +<a class="indexterm" name="id359273"></a> +<a class="indexterm" name="id359280"></a> + There is a password backend option that allows continued operation with + an existing OpenLDAP backend that uses the Samba-2.2.x LDAP schema extension. + This option is provided primarily as a migration tool, although there is + no reason to force migration at this time. This tool will eventually + be deprecated. + </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id359295"></a>New Account Storage Systems</h3></div></div></div><p> +Samba-3 introduces a number of new password backend capabilities. +<a class="indexterm" name="id359304"></a> +<a class="indexterm" name="id359313"></a> +</p><div class="variablelist"><dl><dt><span class="term">tdbsam</span></dt><dd><p> +<a class="indexterm" name="id359334"></a> +<a class="indexterm" name="id359341"></a> +<a class="indexterm" name="id359347"></a> + This backend provides a rich database backend for local servers. This + backend is not suitable for multiple domain controllers (i.e., PDC + one + or more BDC) installations. + </p><p> +<a class="indexterm" name="id359359"></a> +<a class="indexterm" name="id359366"></a> +<a class="indexterm" name="id359372"></a> +<a class="indexterm" name="id359379"></a> +<a class="indexterm" name="id359386"></a> +<a class="indexterm" name="id359393"></a> + The <span class="emphasis"><em>tdbsam</em></span> password backend stores the old <span class="emphasis"><em> + smbpasswd</em></span> information plus the extended MS Windows NT/200x + SAM information into a binary format TDB (trivial database) file. + The inclusion of the extended information makes it possible for Samba-3 + to implement the same account and system access controls that are possible + with MS Windows NT4/200x-based systems. + </p><p> +<a class="indexterm" name="id359413"></a> +<a class="indexterm" name="id359420"></a> +<a class="indexterm" name="id359427"></a> + The inclusion of the <span class="emphasis"><em>tdbsam</em></span> capability is a direct + response to user requests to allow simple site operation without the overhead + of the complexities of running OpenLDAP. It is recommended to use this only + for sites that have fewer than 250 users. For larger sites or implementations, + the use of OpenLDAP or of Active Directory integration is strongly recommended. + </p></dd><dt><span class="term">ldapsam</span></dt><dd><p> +<a class="indexterm" name="id359452"></a> +<a class="indexterm" name="id359459"></a> + This provides a rich directory backend for distributed account installation. + </p><p> +<a class="indexterm" name="id359470"></a> +<a class="indexterm" name="id359476"></a> +<a class="indexterm" name="id359483"></a> +<a class="indexterm" name="id359490"></a> +<a class="indexterm" name="id359497"></a> + Samba-3 has a new and extended LDAP implementation that requires configuration + of OpenLDAP with a new format Samba schema. The new format schema file is + included in the <code class="filename">examples/LDAP</code> directory of the Samba distribution. + </p><p> +<a class="indexterm" name="id359517"></a> +<a class="indexterm" name="id359524"></a> +<a class="indexterm" name="id359531"></a> +<a class="indexterm" name="id359538"></a> +<a class="indexterm" name="id359544"></a> + The new LDAP implementation significantly expands the control abilities that + were possible with prior versions of Samba. It is now possible to specify + “<span class="quote">per-user</span>” profile settings, home directories, account access controls, and + much more. Corporate sites will see that the Samba Team has listened to their + requests both for capability and greater scalability. + </p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="passdbtech"></a>Technical Information</h2></div></div></div><p> +<a class="indexterm" name="id359576"></a> +<a class="indexterm" name="id359582"></a> + Old Windows clients send plaintext passwords over the wire. Samba can check these + passwords by encrypting them and comparing them to the hash stored in the UNIX user database. + </p><p> +<a class="indexterm" name="id359594"></a> +<a class="indexterm" name="id359601"></a> +<a class="indexterm" name="id359608"></a> +<a class="indexterm" name="id359614"></a> + Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over + the wire. The newest clients will send only encrypted passwords and refuse to send plaintext passwords unless + their registry is tweaked. + </p><p> +<a class="indexterm" name="id359627"></a> +<a class="indexterm" name="id359634"></a> + Many people ask why Samba cannot simply use the UNIX password database. Windows requires + passwords that are encrypted in its own format. The UNIX passwords can't be converted to + UNIX-style encrypted passwords. Because of that, you can't use the standard UNIX user + database, and you have to store the LanMan and NT hashes somewhere else. + </p><p> +<a class="indexterm" name="id359647"></a> +<a class="indexterm" name="id359654"></a> +<a class="indexterm" name="id359660"></a> +<a class="indexterm" name="id359667"></a> + In addition to differently encrypted passwords, Windows also stores certain data for each + user that is not stored in a UNIX user database: for example, workstations the user may logon from, + the location where the user's profile is stored, and so on. Samba retrieves and stores this + information using a <a class="indexterm" name="id359677"></a>passdb backend. Commonly available backends are LDAP, + tdbsam, and plain text file. For more information, see the man page for <code class="filename">smb.conf</code> regarding the + <a class="indexterm" name="id359691"></a>passdb backend parameter. + </p><div class="figure"><a name="idmap-sid2uid"></a><p class="title"><b>Figure 11.1. IDMAP: Resolution of SIDs to UIDs.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-sid2uid.png" width="216" alt="IDMAP: Resolution of SIDs to UIDs."></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id359742"></a> +<a class="indexterm" name="id359749"></a> +<a class="indexterm" name="id359755"></a> + The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd + is not running or cannot be contacted, then only local SID/UID resolution is possible. See <a href="passdb.html#idmap-sid2uid" title="Figure 11.1. IDMAP: Resolution of SIDs to UIDs.">resolution of SIDs to UIDs</a> and <a href="passdb.html#idmap-uid2sid" title="Figure 11.2. IDMAP: Resolution of UIDs to SIDs.">resolution of UIDs + to SIDs</a> diagrams. + </p><div class="figure"><a name="idmap-uid2sid"></a><p class="title"><b>Figure 11.2. IDMAP: Resolution of UIDs to SIDs.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-uid2sid.png" width="270" alt="IDMAP: Resolution of UIDs to SIDs."></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id359822"></a>Important Notes About Security</h3></div></div></div><p> +<a class="indexterm" name="id359830"></a> +<a class="indexterm" name="id359836"></a> +<a class="indexterm" name="id359843"></a> +<a class="indexterm" name="id359850"></a> +<a class="indexterm" name="id359857"></a> + The UNIX and SMB password encryption techniques seem similar on the surface. This + similarity is, however, only skin deep. The UNIX scheme typically sends clear-text + passwords over the network when logging in. This is bad. The SMB encryption scheme + never sends the clear-text password over the network, but it does store the 16-byte + hashed values on disk. This is also bad. Why? Because the 16 byte hashed values + are a “<span class="quote">password equivalent.</span>” You cannot derive the user's password from them, but + they could potentially be used in a modified client to gain access to a server. + This would require considerable technical knowledge on behalf of the attacker but + is perfectly possible. You should therefore treat the data stored in whatever passdb + backend you use (smbpasswd file, LDAP) as though it contained the clear-text + passwords of all your users. Its contents must be kept secret, and the file should + be protected accordingly. + </p><p> +<a class="indexterm" name="id359882"></a> +<a class="indexterm" name="id359889"></a> +<a class="indexterm" name="id359896"></a> + Ideally, we would like a password scheme that involves neither plaintext passwords + on the network nor plaintext passwords on disk. Unfortunately, this is not available because Samba is stuck with + having to be compatible with other SMB systems (Windows NT, Windows for Workgroups, Windows 9x/Me). + </p><p> +<a class="indexterm" name="id359908"></a> +<a class="indexterm" name="id359915"></a> + Windows NT 4.0 Service Pack 3 changed the default setting so plaintext passwords + are disabled from being sent over the wire. This mandates either the use of encrypted + password support or editing the Windows NT registry to re-enable plaintext passwords. + </p><p> +<a class="indexterm" name="id359927"></a> +<a class="indexterm" name="id359934"></a> + The following versions of Microsoft Windows do not support full domain security protocols, + although they may log onto a domain environment: + </p><div class="itemizedlist"><ul type="disc"><li><p>MS DOS Network client 3.0 with the basic network redirector installed.</p></li><li><p>Windows 95 with the network redirector update installed.</p></li><li><p>Windows 98 [Second Edition].</p></li><li><p>Windows Me.</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id359970"></a> +<a class="indexterm" name="id359977"></a> +<a class="indexterm" name="id359984"></a> + MS Windows XP Home does not have facilities to become a domain member, and it cannot participate in domain logons. + </p></div><p> + The following versions of MS Windows fully support domain security protocols. + </p><div class="itemizedlist"><ul type="disc"><li><p>Windows NT 3.5x.</p></li><li><p>Windows NT 4.0.</p></li><li><p>Windows 2000 Professional.</p></li><li><p>Windows 200x Server/Advanced Server.</p></li><li><p>Windows XP Professional.</p></li></ul></div><p> +<a class="indexterm" name="id360026"></a> +<a class="indexterm" name="id360033"></a> +<a class="indexterm" name="id360040"></a> +<a class="indexterm" name="id360047"></a> +<a class="indexterm" name="id360053"></a> +<a class="indexterm" name="id360060"></a> + All current releases of Microsoft SMB/CIFS clients support authentication via the + SMB challenge/response mechanism described here. Enabling clear-text authentication + does not disable the ability of the client to participate in encrypted authentication. + Instead, it allows the client to negotiate either plaintext or encrypted password + handling. + </p><p> +<a class="indexterm" name="id360073"></a> +<a class="indexterm" name="id360080"></a> +<a class="indexterm" name="id360087"></a> +<a class="indexterm" name="id360094"></a> +<a class="indexterm" name="id360101"></a> + MS Windows clients will cache the encrypted password alone. Where plaintext passwords + are re-enabled through the appropriate registry change, the plaintext password is never + cached. This means that in the event that a network connections should become disconnected + (broken), only the cached (encrypted) password will be sent to the resource server to + effect an auto-reconnect. If the resource server does not support encrypted passwords, the + auto-reconnect will fail. Use of encrypted passwords is strongly advised. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id360113"></a>Advantages of Encrypted Passwords</h4></div></div></div><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id360124"></a> +<a class="indexterm" name="id360131"></a> +<a class="indexterm" name="id360138"></a> + Plaintext passwords are not passed across the network. Someone using a network sniffer + cannot just record passwords going to the SMB server. + </p></li><li><p> +<a class="indexterm" name="id360150"></a> +<a class="indexterm" name="id360157"></a> +<a class="indexterm" name="id360164"></a> + Plaintext passwords are not stored anywhere in memory or on disk. + </p></li><li><p> +<a class="indexterm" name="id360176"></a> +<a class="indexterm" name="id360183"></a> +<a class="indexterm" name="id360189"></a> +<a class="indexterm" name="id360196"></a> + Windows NT does not like talking to a server that does not support encrypted passwords. It will refuse to + browse the server if the server is also in user-level security mode. It will insist on prompting the user for + the password on each connection, which is very annoying. The only thing you can do to stop this is to use SMB + encryption. + </p></li><li><p> +<a class="indexterm" name="id360210"></a> +<a class="indexterm" name="id360217"></a> + Encrypted password support allows automatic share (resource) reconnects. + </p></li><li><p> +<a class="indexterm" name="id360229"></a> +<a class="indexterm" name="id360236"></a> + Encrypted passwords are essential for PDC/BDC operation. + </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id360246"></a>Advantages of Non-Encrypted Passwords</h4></div></div></div><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id360257"></a> + Plaintext passwords are not kept on disk and are not cached in memory. + </p></li><li><p> +<a class="indexterm" name="id360269"></a> +<a class="indexterm" name="id360276"></a> + Plaintext passwords use the same password file as other UNIX services, such as Login and FTP. + </p></li><li><p> +<a class="indexterm" name="id360287"></a> +<a class="indexterm" name="id360294"></a> + Use of other services (such as Telnet and FTP) that send plaintext passwords over + the network makes sending them for SMB not such a big deal. + </p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id360306"></a>Mapping User Identifiers between MS Windows and UNIX</h3></div></div></div><p> +<a class="indexterm" name="id360314"></a> +<a class="indexterm" name="id360321"></a> +<a class="indexterm" name="id360328"></a> + Every operation in UNIX/Linux requires a user identifier (UID), just as in + MS Windows NT4/200x this requires a security identifier (SID). Samba provides + two means for mapping an MS Windows user to a UNIX/Linux UID. + </p><p> +<a class="indexterm" name="id360340"></a> +<a class="indexterm" name="id360346"></a> +<a class="indexterm" name="id360353"></a> +<a class="indexterm" name="id360359"></a> +<a class="indexterm" name="id360366"></a> + First, all Samba SAM database accounts require a UNIX/Linux UID that the account will map to. As users are + added to the account information database, Samba will call the <a class="indexterm" name="id360375"></a>add user script + interface to add the account to the Samba host OS. In essence all accounts in the local SAM require a local + user account. + </p><p> + <a class="indexterm" name="id360386"></a> + <a class="indexterm" name="id360393"></a> + <a class="indexterm" name="id360400"></a> + <a class="indexterm" name="id360406"></a> + <a class="indexterm" name="id360413"></a> + <a class="indexterm" name="id360420"></a> + <a class="indexterm" name="id360426"></a> + The second way to map Windows SID to UNIX UID is via the <span class="emphasis"><em>idmap uid</em></span> and + <span class="emphasis"><em>idmap gid</em></span> parameters in <code class="filename">smb.conf</code>. Please refer to the man page for information about + these parameters. These parameters are essential when mapping users from a remote (non-member Windows client + or a member of a foreign domain) SAM server. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="idmapbackend"></a>Mapping Common UIDs/GIDs on Distributed Machines</h3></div></div></div><p> +<a class="indexterm" name="id360462"></a> +<a class="indexterm" name="id360469"></a> +<a class="indexterm" name="id360475"></a> +<a class="indexterm" name="id360482"></a> +<a class="indexterm" name="id360489"></a> +<a class="indexterm" name="id360495"></a> + Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs + on all servers in a distributed network. A distributed network is one where there exists + a PDC, one or more BDCs, and/or one or more domain member servers. Why is this important? + This is important if files are being shared over more than one protocol (e.g., NFS) and where + users are copying files across UNIX/Linux systems using tools such as <code class="literal">rsync</code>. + </p><p> +<a class="indexterm" name="id360515"></a> +<a class="indexterm" name="id360521"></a> +<a class="indexterm" name="id360528"></a> +<a class="indexterm" name="id360535"></a> +<a class="indexterm" name="id360541"></a> +<a class="indexterm" name="id360548"></a> +<a class="indexterm" name="id360555"></a> + <a class="indexterm" name="id360562"></a> + The special facility is enabled using a parameter called <em class="parameter"><code>idmap backend</code></em>. + The default setting for this parameter is an empty string. Technically it is possible to use + an LDAP-based idmap backend for UIDs and GIDs, but it makes most sense when this is done for + network configurations that also use LDAP for the SAM backend. + <a href="passdb.html#idmapbackendexample" title="Example 11.1. Example Configuration with the LDAP idmap Backend">Example Configuration with the LDAP idmap Backend</a> + shows that configuration. + </p><a class="indexterm" name="id360587"></a><div class="example"><a name="idmapbackendexample"></a><p class="title"><b>Example 11.1. Example Configuration with the LDAP idmap Backend</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id360619"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap-server.quenya.org:636</code></em></td></tr><tr><td># Alternatively, this could be specified as:</td></tr><tr><td><a class="indexterm" name="id360635"></a><em class="parameter"><code>idmap backend = ldap:ldaps://ldap-server.quenya.org</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id360651"></a> +<a class="indexterm" name="id360658"></a> + A network administrator who wants to make significant use of LDAP backends will sooner or later be + exposed to the excellent work done by PADL Software. PADL <a href="http://www.padl.com" target="_top">http://www.padl.com</a> have + produced and released to open source an array of tools that might be of interest. These tools include: + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id360679"></a> +<a class="indexterm" name="id360686"></a> +<a class="indexterm" name="id360693"></a> +<a class="indexterm" name="id360699"></a> +<a class="indexterm" name="id360706"></a> +<a class="indexterm" name="id360713"></a> +<a class="indexterm" name="id360720"></a> +<a class="indexterm" name="id360726"></a> + <span class="emphasis"><em>nss_ldap:</em></span> An LDAP name service switch (NSS) module to provide native + name service support for AIX, Linux, Solaris, and other operating systems. This tool + can be used for centralized storage and retrieval of UIDs and GIDs. + </p></li><li><p> +<a class="indexterm" name="id360745"></a> +<a class="indexterm" name="id360751"></a> +<a class="indexterm" name="id360758"></a> +<a class="indexterm" name="id360765"></a> + <span class="emphasis"><em>pam_ldap:</em></span> A PAM module that provides LDAP integration for UNIX/Linux + system access authentication. + </p></li><li><p> +<a class="indexterm" name="id360782"></a> +<a class="indexterm" name="id360789"></a> +<a class="indexterm" name="id360796"></a> +<a class="indexterm" name="id360803"></a> + <span class="emphasis"><em>idmap_ad:</em></span> An IDMAP backend that supports the Microsoft Services for + UNIX RFC 2307 schema available from the PADL Web + <a href="http://www.padl.com/download/xad_oss_plugins.tar.gz" target="_top">site</a>. + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id360825"></a>Comments Regarding LDAP</h3></div></div></div><p> +<a class="indexterm" name="id360832"></a> +<a class="indexterm" name="id360842"></a> +<a class="indexterm" name="id360848"></a> +<a class="indexterm" name="id360855"></a> + There is much excitement and interest in LDAP directories in the information technology world + today. The LDAP architecture was designed to be highly scalable. It was also designed for + use across a huge number of potential areas of application encompassing a wide range of operating + systems and platforms. LDAP technologies are at the heart of the current generations of Federated + Identity Management (FIM) solutions that can underlie a corporate Single Sign-On (SSO) environment. + </p><p> +<a class="indexterm" name="id360869"></a> +<a class="indexterm" name="id360876"></a> +<a class="indexterm" name="id360882"></a> +<a class="indexterm" name="id360889"></a> + LDAP implementations have been built across a wide variety of platforms. It lies at the core of Microsoft + Windows Active Directory services (ADS), Novell's eDirectory, as well as many others. Implementation of the + directory services LDAP involves interaction with legacy as well as new generation applications, all of which + depend on some form of authentication services. + </p><p> +<a class="indexterm" name="id360902"></a> +<a class="indexterm" name="id360909"></a> +<a class="indexterm" name="id360916"></a> +<a class="indexterm" name="id360923"></a> +<a class="indexterm" name="id360929"></a> +<a class="indexterm" name="id360936"></a> +<a class="indexterm" name="id360943"></a> +<a class="indexterm" name="id360950"></a> +<a class="indexterm" name="id360957"></a> +<a class="indexterm" name="id360963"></a> +<a class="indexterm" name="id360970"></a> +<a class="indexterm" name="id360977"></a> +<a class="indexterm" name="id360984"></a> +<a class="indexterm" name="id360991"></a> + UNIX services can utilize LDAP directory information for authentication and access controls + through intermediate tools and utilities. The total environment that consists of the LDAP directory + and the middle-ware tools and utilities makes it possible for all user access to the UNIX platform + to be managed from a central environment and yet distributed to wherever the point of need may + be physically located. Applications that benefit from this infrastructure include: UNIX login + shells, mail and messaging systems, quota controls, printing systems, DNS servers, DHCP servers, + and also Samba. + </p><p> +<a class="indexterm" name="id361006"></a> +<a class="indexterm" name="id361013"></a> +<a class="indexterm" name="id361019"></a> +<a class="indexterm" name="id361026"></a> +<a class="indexterm" name="id361033"></a> +<a class="indexterm" name="id361040"></a> + Many sites are installing LDAP for the first time in order to provide a scalable passdb backend + for Samba. Others are faced with the need to adapt an existing LDAP directory to new uses such + as for the Samba SAM backend. Whatever your particular need and attraction to Samba may be, + decisions made in respect of the design of the LDAP directory structure and its implementation + are of a durable nature for the site. These have far-reaching implications that affect long-term + information systems management costs. + </p><p> +<a class="indexterm" name="id361054"></a> +<a class="indexterm" name="id361061"></a> + Do not rush into an LDAP deployment. Take the time to understand how the design of the Directory + Information Tree (DIT) may impact current and future site needs, as well as the ability to meet + them. The way that Samba SAM information should be stored within the DIT varies from site to site + and with each implementation new experience is gained. It is well understood by LDAP veterans that + first implementations create awakening, second implementations of LDAP create fear, and + third-generation deployments bring peace and tranquility. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id361076"></a>Caution Regarding LDAP and Samba</h4></div></div></div><p> +<a class="indexterm" name="id361084"></a> +<a class="indexterm" name="id361091"></a> +<a class="indexterm" name="id361097"></a> +<a class="indexterm" name="id361104"></a> +<a class="indexterm" name="id361111"></a> +<a class="indexterm" name="id361118"></a> +<a class="indexterm" name="id361125"></a> + Samba requires UNIX POSIX identity information as well as a place to store information that is + specific to Samba and the Windows networking environment. The most used information that must + be dealt with includes: user accounts, group accounts, machine trust accounts, interdomain + trust accounts, and intermediate information specific to Samba internals. + </p><p> +<a class="indexterm" name="id361138"></a> +<a class="indexterm" name="id361145"></a> +<a class="indexterm" name="id361152"></a> + The example deployment guidelines in this book, as well as other books and HOWTO documents + available from the internet may not fit with established directory designs and implementations. + The existing DIT may not be able to accommodate the simple information layout proposed in common + sources. Additionally, you may find that the common scripts and tools that are used to provision + the LDAP directory for use with Samba may not suit your needs. + </p><p> +<a class="indexterm" name="id361166"></a> + It is not uncommon, for sites that have existing LDAP DITs to find necessity to generate a + set of site-specific scripts and utilities to make it possible to deploy Samba within the + scope of site operations. The way that user and group accounts are distributed throughout + the DIT may make this a challenging matter. The solution will, of course, be rewarding, but + the journey to it may be challenging. Take time to understand site needs and do not rush + into deployment. + </p><p> +<a class="indexterm" name="id361180"></a> +<a class="indexterm" name="id361186"></a> + Above all, do not blindly use scripts and tools that are not suitable for your site. Check + and validate all scripts before you execute them to make sure that the existing infrastructure + will not be damaged by inadvertent use of an inappropriate tool. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id361199"></a>LDAP Directories and Windows Computer Accounts</h3></div></div></div><p> +<a class="indexterm" name="id361207"></a> +<a class="indexterm" name="id361214"></a> +<a class="indexterm" name="id361220"></a> + Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and + configuration of an LDAP directory prior to integration with Samba. A working knowledge + of LDAP makes Samba integration easy, and the lack of a working knowledge of LDAP can make + it a frustrating experience. + </p><p> +<a class="indexterm" name="id361233"></a> +<a class="indexterm" name="id361240"></a> +<a class="indexterm" name="id361247"></a> + Computer (machine) accounts can be placed wherever you like in an LDAP directory subject + to some constraints that are described in this chapter. + </p><p> +<a class="indexterm" name="id361258"></a> +<a class="indexterm" name="id361265"></a> +<a class="indexterm" name="id361272"></a> +<a class="indexterm" name="id361278"></a> +<a class="indexterm" name="id361285"></a> +<a class="indexterm" name="id361292"></a> +<a class="indexterm" name="id361299"></a> + The POSIX and sambaSamAccount components of computer (machine) accounts are both used by Samba. + Thus, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats + them. A user account and a machine account are indistinquishable from each other, except that + the machine account ends in a $ character, as do trust accounts. + </p><p> +<a class="indexterm" name="id361312"></a> +<a class="indexterm" name="id361319"></a> +<a class="indexterm" name="id361326"></a> +<a class="indexterm" name="id361332"></a> +<a class="indexterm" name="id361339"></a> + The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX + UID is a design decision that was made a long way back in the history of Samba development. It + is unlikely that this decision will be reversed or changed during the remaining life of the + Samba-3.x series. + </p><p> +<a class="indexterm" name="id361352"></a> +<a class="indexterm" name="id361358"></a> +<a class="indexterm" name="id361365"></a> + The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that + must refer back to the host operating system on which Samba is running. The NSS is the preferred + mechanism that shields applications (like Samba) from the need to know everything about every + host OS it runs on. + </p><p> +<a class="indexterm" name="id361377"></a> +<a class="indexterm" name="id361384"></a> +<a class="indexterm" name="id361391"></a> +<a class="indexterm" name="id361397"></a> +<a class="indexterm" name="id361404"></a> +<a class="indexterm" name="id361411"></a> +<a class="indexterm" name="id361418"></a> + Samba asks the host OS to provide a UID via the “<span class="quote">passwd</span>”, “<span class="quote">shadow</span>”, + and “<span class="quote">group</span>” facilities in the NSS control (configuration) file. The best tool + for achieving this is left up to the UNIX administrator to determine. It is not imposed by + Samba. Samba provides winbindd with its support libraries as one method. It is + possible to do this via LDAP, and for that Samba provides the appropriate hooks so that + all account entities can be located in an LDAP directory. + </p><p> +<a class="indexterm" name="id361442"></a> +<a class="indexterm" name="id361449"></a> +<a class="indexterm" name="id361456"></a> +<a class="indexterm" name="id361462"></a> +<a class="indexterm" name="id361469"></a> + For many the weapon of choice is to use the PADL nss_ldap utility. This utility must + be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That + is fundamentally an LDAP design question. The information provided on the Samba list and + in the documentation is directed at providing working examples only. The design + of an LDAP directory is a complex subject that is beyond the scope of this documentation. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="acctmgmttools"></a>Account Management Tools</h2></div></div></div><p> +<a class="indexterm" name="id361499"></a> +<a class="indexterm" name="id361505"></a> +<a class="indexterm" name="id361512"></a> +Samba provides two tools for management of user and machine accounts: +<code class="literal">smbpasswd</code> and <code class="literal">pdbedit</code>. +</p><p> +<a class="indexterm" name="id361534"></a> +<a class="indexterm" name="id361541"></a> +<a class="indexterm" name="id361548"></a> +The <code class="literal">pdbedit</code> can be used to manage account policies in addition to +Samba user account information. The policy management capability is used to administer +domain default settings for password aging and management controls to handle failed login +attempts. +</p><p> +<a class="indexterm" name="id361566"></a> +<a class="indexterm" name="id361573"></a> +<a class="indexterm" name="id361580"></a> +<a class="indexterm" name="id361587"></a> +Some people are confused when reference is made to <code class="literal">smbpasswd</code> because the +name refers to a storage mechanism for SambaSAMAccount information, but it is also the name +of a utility tool. That tool is destined to eventually be replaced by new functionality that +is being added to the <code class="literal">net</code> toolset (see <a href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">the Net Command</a>. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id361615"></a>The <code class="literal">smbpasswd</code> Tool</h3></div></div></div><p> +<a class="indexterm" name="id361629"></a> +<a class="indexterm" name="id361635"></a> +<a class="indexterm" name="id361642"></a> +<a class="indexterm" name="id361649"></a> +<a class="indexterm" name="id361656"></a> + The <code class="literal">smbpasswd</code> utility is similar to the <code class="literal">passwd</code> + and <code class="literal">yppasswd</code> programs. It maintains the two 32 byte password + fields in the passdb backend. This utility operates independently of the actual + account and password storage methods used (as specified by the <em class="parameter"><code>passdb + backend</code></em> in the <code class="filename">smb.conf</code> file. + </p><p> +<a class="indexterm" name="id361698"></a> +<a class="indexterm" name="id361704"></a> + <code class="literal">smbpasswd</code> works in a client-server mode where it contacts the + local smbd to change the user's password on its behalf. This has enormous benefits. + </p><p> +<a class="indexterm" name="id361722"></a> +<a class="indexterm" name="id361728"></a> + <code class="literal">smbpasswd</code> has the capability to change passwords on Windows NT + servers (this only works when the request is sent to the NT PDC if changing an NT + domain user's password). + </p><p> + <a class="indexterm" name="id361746"></a> + <a class="indexterm" name="id361752"></a> + <code class="literal">smbpasswd</code> can be used to: + </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>add</em></span> user or machine accounts.</p></li><li><p><span class="emphasis"><em>delete</em></span> user or machine accounts.</p></li><li><p><span class="emphasis"><em>enable</em></span> user or machine accounts.</p></li><li><p><span class="emphasis"><em>disable</em></span> user or machine accounts.</p></li><li><p><span class="emphasis"><em>set to NULL</em></span> user passwords.</p></li><li><p><span class="emphasis"><em>manage</em></span> interdomain trust accounts.</p></li></ul></div><p> + To run smbpasswd as a normal user, just type: + </p><p> +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>smbpasswd</code></strong> +<code class="prompt">Old SMB password: </code><strong class="userinput"><code><em class="replaceable"><code>secret</code></em></code></strong> +</pre><p> + For <em class="replaceable"><code>secret</code></em>, type the old value here or press return if + there is no old password. +</p><pre class="screen"> +<code class="prompt">New SMB Password: </code><strong class="userinput"><code><em class="replaceable"><code>new secret</code></em></code></strong> +<code class="prompt">Repeat New SMB Password: </code><strong class="userinput"><code><em class="replaceable"><code>new secret</code></em></code></strong> +</pre><p> + </p><p> + If the old value does not match the current value stored for that user, or the two + new values do not match each other, then the password will not be changed. + </p><p> +<a class="indexterm" name="id361888"></a> + When invoked by an ordinary user, the command will allow only the user to change his or her own + SMB password. + </p><p> +<a class="indexterm" name="id361899"></a> +<a class="indexterm" name="id361906"></a> + When run by root, <code class="literal">smbpasswd</code> may take an optional argument specifying + the username whose SMB password you wish to change. When run as root, <code class="literal">smbpasswd</code> + does not prompt for or check the old password value, thus allowing root to set passwords + for users who have forgotten their passwords. + </p><p> +<a class="indexterm" name="id361930"></a> +<a class="indexterm" name="id361936"></a> +<a class="indexterm" name="id361943"></a> +<a class="indexterm" name="id361950"></a> + <code class="literal">smbpasswd</code> is designed to work in the way familiar to UNIX + users who use the <code class="literal">passwd</code> or <code class="literal">yppasswd</code> commands. + While designed for administrative use, this tool provides essential user-level + password change capabilities. + </p><p> +<a class="indexterm" name="id361979"></a> + For more details on using <code class="literal">smbpasswd</code>, refer to the man page (the + definitive reference). + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="pdbeditthing"></a>The <code class="literal">pdbedit</code> Tool</h3></div></div></div><p> + <a class="indexterm" name="id362013"></a> + <a class="indexterm" name="id362020"></a> + <a class="indexterm" name="id362026"></a> + <a class="indexterm" name="id362033"></a> + <code class="literal">pdbedit</code> is a tool that can be used only by root. It is used to + manage the passdb backend, as well as domain-wide account policy settings. <code class="literal">pdbedit</code> + can be used to: + </p><div class="itemizedlist"><ul type="disc"><li><p>add, remove, or modify user accounts.</p></li><li><p>list user accounts.</p></li><li><p>migrate user accounts.</p></li><li><p>migrate group accounts.</p></li><li><p>manage account policies.</p></li><li><p>manage domain access policy settings.</p></li></ul></div><p> + <a class="indexterm" name="id362089"></a> + Under the terms of the Sarbanes-Oxley Act of 2002, American businesses and organizations are mandated to + implement a series of <code class="literal">internal controls</code> and procedures to communicate, store, + and protect financial data. The Sarbanes-Oxley Act has far reaching implications in respect of: + </p><div class="orderedlist"><ol type="1"><li><p>Who has access to information systems that store financial data.</p></li><li><p>How personal and financial information is treated among employees and business + partners.</p></li><li><p>How security vulnerabilities are managed.</p></li><li><p>Security and patch level maintenance for all information systems.</p></li><li><p>How information systems changes are documented and tracked.</p></li><li><p>How information access controls are implemented and managed.</p></li><li><p>Auditability of all information systems in respect of change and security.</p></li><li><p>Disciplinary procedures and controls to ensure privacy.</p></li></ol></div><p> + <a class="indexterm" name="id362155"></a> + <a class="indexterm" name="id362162"></a> + In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of + business related information systems so as to ensure the compliance of all information systems that + are used to store personal information and particularly for financial records processing. Similar + accountabilities are being demanded around the world. + </p><p> + <a class="indexterm" name="id362175"></a> + <a class="indexterm" name="id362182"></a> + <a class="indexterm" name="id362188"></a> + <a class="indexterm" name="id362195"></a> + <a class="indexterm" name="id362202"></a> + The need to be familiar with the Samba tools and facilities that permit information systems operation + in compliance with government laws and regulations is clear to all. The <code class="literal">pdbedit</code> is + currently the only Samba tool that provides the capacity to manage account and systems access controls + and policies. During the remaining life-cycle of the Samba-3 series it is possible the new tools may + be implemented to aid in this important area. + </p><p> + Domain global policy controls available in Windows NT4 compared with Samba + is shown in <a href="passdb.html#policycontrols" title="Table 11.1. NT4 Domain v's Samba Policy Controls">NT4 Domain v's Samba Policy Controls</a>. + </p><div class="table"><a name="policycontrols"></a><p class="title"><b>Table 11.1. NT4 Domain v's Samba Policy Controls</b></p><div class="table-contents"><table summary="NT4 Domain v's Samba Policy Controls" border="1"><colgroup><col align="left"><col align="left"><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="left"><p>NT4 policy Name</p></th><th align="left"><p>Samba Policy Name</p></th><th align="center"><p>NT4 Range</p></th><th align="center"><p>Samba Range</p></th><th align="center"><p>Samba Default</p></th></tr></thead><tbody><tr><td align="left"><p>Maximum Password Age</p></td><td align="left"><p>maximum password age</p></td><td align="center"><p>0 - 999 (days)</p></td><td align="center"><p>0 - 4294967295 (sec)</p></td><td align="center"><p>4294967295</p></td></tr><tr><td align="left"><p>Minimum Password Age</p></td><td align="left"><p>minimum password age</p></td><td align="center"><p>0 - 999 (days)</p></td><td align="center"><p>0 - 4294967295 (sec)</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>Mimimum Password Length</p></td><td align="left"><p>min password length</p></td><td align="center"><p>1 - 14 (Chars)</p></td><td align="center"><p>0 - 4294967295 (Chars)</p></td><td align="center"><p>5</p></td></tr><tr><td align="left"><p>Password Uniqueness</p></td><td align="left"><p>password history</p></td><td align="center"><p>0 - 23 (#)</p></td><td align="center"><p>0 - 4294967295 (#)</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>Account Lockout - Reset count after</p></td><td align="left"><p>reset count minutes</p></td><td align="center"><p>1 - 99998 (min)</p></td><td align="center"><p>0 - 4294967295 (min)</p></td><td align="center"><p>30</p></td></tr><tr><td align="left"><p>Lockout after bad logon attempts</p></td><td align="left"><p>bad lockout attempt</p></td><td align="center"><p>0 - 998 (#)</p></td><td align="center"><p>0 - 4294967295 (#)</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>*** Not Known ***</p></td><td align="left"><p>disconnect time</p></td><td align="center"><p>TBA</p></td><td align="center"><p>0 - 4294967295</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>Lockout Duration</p></td><td align="left"><p>lockout duration</p></td><td align="center"><p>1 - 99998 (min)</p></td><td align="center"><p>0 - 4294967295 (min)</p></td><td align="center"><p>30</p></td></tr><tr><td align="left"><p>Users must log on in order to change password</p></td><td align="left"><p>user must logon to change password</p></td><td align="center"><p>0/1</p></td><td align="center"><p>0 - 4294967295</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>*** Registry Setting ***</p></td><td align="left"><p>refuse machine password change</p></td><td align="center"><p>0/1</p></td><td align="center"><p>0 - 4294967295</p></td><td align="center"><p>0</p></td></tr></tbody></table></div></div><br class="table-break"><p> + <a class="indexterm" name="id362570"></a> +<a class="indexterm" name="id362577"></a> +<a class="indexterm" name="id362584"></a> +<a class="indexterm" name="id362591"></a> + The <code class="literal">pdbedit</code> tool is the only one that can manage the account + security and policy settings. It is capable of all operations that smbpasswd can + do as well as a superset of them. + </p><p> + <a class="indexterm" name="id362608"></a> +<a class="indexterm" name="id362615"></a> +<a class="indexterm" name="id362622"></a> + One particularly important purpose of the <code class="literal">pdbedit</code> is to allow + the import/export of account information from one passdb backend to another. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id362637"></a>User Account Management</h4></div></div></div><p> +<a class="indexterm" name="id362645"></a> +<a class="indexterm" name="id362651"></a> +<a class="indexterm" name="id362658"></a> +<a class="indexterm" name="id362665"></a> +<a class="indexterm" name="id362672"></a> +<a class="indexterm" name="id362679"></a> +<a class="indexterm" name="id362685"></a> + The <code class="literal">pdbedit</code> tool, like the <code class="literal">smbpasswd</code> tool, requires + that a POSIX user account already exists in the UNIX/Linux system accounts database (backend). + Neither tool will call out to the operating system to create a user account because this is + considered to be the responsibility of the system administrator. When the Windows NT4 domain + user manager is used to add an account, Samba will implement the <code class="literal">add user script</code> + (as well as the other interface scripts) to ensure that user, group and machine accounts are + correctly created and changed. The use of the <code class="literal">pdbedit</code> tool does not + make use of these interface scripts. + </p><p> +<a class="indexterm" name="id362724"></a> +<a class="indexterm" name="id362731"></a> + Before attempting to use the <code class="literal">pdbedit</code> tool to manage user and machine + accounts, make certain that a system (POSIX) account has already been created. + </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id362746"></a>Listing User and Machine Accounts</h5></div></div></div><p> +<a class="indexterm" name="id362754"></a> +<a class="indexterm" name="id362761"></a> + The following is an example of the user account information that is stored in + a tdbsam password backend. This listing was produced by running: +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>pdbedit -Lv met</code></strong> +UNIX username: met +NT username: met +Account Flags: [U ] +User SID: S-1-5-21-1449123459-1407424037-3116680435-2004 +Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201 +Full Name: Melissa E Terpstra +Home Directory: \\frodo\met\Win9Profile +HomeDir Drive: H: +Logon Script: scripts\logon.bat +Profile Path: \\frodo\Profiles\met +Domain: MIDEARTH +Account desc: +Workstations: melbelle +Munged dial: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT +Password last set: Sat, 14 Dec 2002 14:37:03 GMT +Password can change: Sat, 14 Dec 2002 14:37:03 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +</pre><p> + </p><p> +<a class="indexterm" name="id362794"></a> + Accounts can also be listed in the older <code class="literal">smbpasswd</code> format: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>pdbedit -Lw</code></strong> +root:0:84B0D8E14D158FF8417EAF50CFAC29C3: + AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-42681AB8: +jht:1000:6BBC4159020A52741486235A2333E4D2: + CC099521AD554A3C3CF2556274DBCFBC:[U ]:LCT-40D75B5B: +rcg:1002:E95D4331A6F23AF8AAD3B435B51404EE: + BB0F2C39B04CA6100F0E535DF8314B43:[U ]:LCT-40D7C5A3: +afw:1003:1AAFA7F9F6DC1DEAAAD3B435B51404EE: + CE92C2F9471594CDC4E7860CA6BC62DB:[T ]:LCT-40DA501F: +met:1004:A2848CB7E076B435AAD3B435B51404EE: + F25F5D3405085C555236B80B7B22C0D2:[U ]:LCT-4244FAB8: +aurora$:1005:060DE593EA638B8ACC4A19F14D2FF2BB: + 060DE593EA638B8ACC4A19F14D2FF2BB:[W ]:LCT-4173E5CC: +temptation$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + A96703C014E404E33D4049F706C45EE9:[W ]:LCT-42BF0C57: +vaioboss$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + 88A30A095160072784C88F811E89F98A:[W ]:LCT-41C3878D: +frodo$:1008:15891DC6B843ECA41249940C814E316B: + B68EADCCD18E17503D3DAD3E6B0B9A75:[W ]:LCT-42B7979F: +marvel$:1011:BF709959C3C94E0B3958B7B84A3BB6F3: + C610EFE9A385A3E8AA46ADFD576E6881:[W ]:LCT-40F07A4 +</pre><p> +<a class="indexterm" name="id362842"></a> +<a class="indexterm" name="id362849"></a> +<a class="indexterm" name="id362856"></a> +<a class="indexterm" name="id362862"></a> +<a class="indexterm" name="id362869"></a> +<a class="indexterm" name="id362876"></a> + The account information that was returned by this command in order from left to right + consists of the following colon separated data: + </p><div class="itemizedlist"><ul type="disc"><li><p>Login ID.</p></li><li><p>UNIX UID.</p></li><li><p>Microsoft LanManager password hash (password converted to upper-case then hashed.</p></li><li><p>Microsoft NT password hash (hash of the case-preserved password).</p></li><li><p>Samba SAM Account Flags.</p></li><li><p>The LCT data (password last change time).</p></li></ul></div><p> +<a class="indexterm" name="id362923"></a> +<a class="indexterm" name="id362930"></a> + The Account Flags parameters are documented in the <code class="literal">pdbedit</code> man page, and are + briefly documented in <a href="passdb.html#TOSHARG-acctflags" title="Account Flags Management">the Account Flags Management section</a>. + </p><p> +<a class="indexterm" name="id362955"></a> + The LCT data consists of 8 hexadecimal characters representing the time since January 1, 1970, of + the time when the password was last changed. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id362965"></a>Adding User Accounts</h5></div></div></div><p> +<a class="indexterm" name="id362973"></a> +<a class="indexterm" name="id362980"></a> +<a class="indexterm" name="id362986"></a> +<a class="indexterm" name="id362993"></a> +<a class="indexterm" name="id363000"></a> + The <code class="literal">pdbedit</code> can be used to add a user account to a standalone server + or to a domain. In the example shown here the account for the user <code class="literal">vlaan</code> + has been created before attempting to add the SambaSAMAccount. +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -a vlaan +new password: secretpw +retype new password: secretpw +Unix username: vlaan +NT username: vlaan +Account Flags: [U ] +User SID: S-1-5-21-726309263-4128913605-1168186429-3014 +Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513 +Full Name: Victor Laan +Home Directory: \\frodo\vlaan +HomeDir Drive: H: +Logon Script: scripts\logon.bat +Profile Path: \\frodo\profiles\vlaan +Domain: MIDEARTH +Account desc: Guest User +Workstations: +Munged dial: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT +Password last set: Wed, 29 Jun 2005 19:35:12 GMT +Password can change: Wed, 29 Jun 2005 19:35:12 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +</pre><p> + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id363042"></a>Deleting Accounts</h5></div></div></div><p> +<a class="indexterm" name="id363050"></a> +<a class="indexterm" name="id363056"></a> +<a class="indexterm" name="id363063"></a> +<a class="indexterm" name="id363070"></a> + An account can be deleted from the SambaSAMAccount database +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -x vlaan +</pre><p> + The account is removed without further screen output. The account is removed only from the + SambaSAMAccount (passdb backend) database, it is not removed from the UNIX account backend. + </p><p> +<a class="indexterm" name="id363094"></a> +<a class="indexterm" name="id363101"></a> + The use of the NT4 domain user manager to delete an account will trigger the <em class="parameter"><code>delete user + script</code></em>, but not the <code class="literal">pdbedit</code> tool. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id363122"></a>Changing User Accounts</h5></div></div></div><p> +<a class="indexterm" name="id363130"></a> + Refer to the <code class="literal">pdbedit</code> man page for a full synopsis of all operations + that are available with this tool. + </p><p> +<a class="indexterm" name="id363147"></a> + An example of a simple change in the user account information is the change of the full name + information shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -r --fullname="Victor Aluicious Laan" vlaan +... +Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513 +Full Name: Victor Aluicious Laan +Home Directory: \\frodo\vlaan +... +</pre><p> + </p><p> +<a class="indexterm" name="id363171"></a> +<a class="indexterm" name="id363178"></a> +<a class="indexterm" name="id363185"></a> + Let us assume for a moment that a user's password has expired and the user is unable to + change the password at this time. It may be necessary to give the user additional grace time + so that it is possible to continue to work with the account and the original password. This + demonstrates how the password expiration settings may be updated +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lv vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Thu, 03 Jan 2002 15:08:35 GMT +Last bad password : Thu, 03 Jan 2002 15:08:35 GMT +Bad password count : 2 +... +</pre><p> +<a class="indexterm" name="id363208"></a> +<a class="indexterm" name="id363215"></a> + The user has recorded 2 bad logon attempts and the next will lock the account, but the + password is also expired. Here is how this account can be reset: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -z vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Thu, 03 Jan 2002 15:08:35 GMT +Last bad password : 0 +Bad password count : 0 +... +</pre><p> + The <code class="literal">Password must change:</code> parameter can be reset like this: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit --pwd-must-change-time=1200000000 vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Thu, 10 Jan 2008 14:20:00 GMT +... +</pre><p> + Another way to use this tools is to set the date like this: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit --pwd-must-change-time="2010-01-01" \ + --time-format="%Y-%m-%d" vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Fri, 01 Jan 2010 00:00:00 GMT +... +</pre><p> +<a class="indexterm" name="id363270"></a> +<a class="indexterm" name="id363277"></a> + Refer to the strptime man page for specific time format information. + </p><p> +<a class="indexterm" name="id363288"></a> +<a class="indexterm" name="id363294"></a> + Please refer to the pdbedit man page for further information relating to SambaSAMAccount + management. + </p><div class="sect5" lang="en"><div class="titlepage"><div><div><h6 class="title"><a name="TOSHARG-acctflags"></a>Account Flags Management</h6></div></div></div><p> +<a class="indexterm" name="id363314"></a> +<a class="indexterm" name="id363321"></a> +<a class="indexterm" name="id363330"></a> +<a class="indexterm" name="id363337"></a> + The Samba SAM account flags are properly called the ACB (account control block) within + the Samba source code. In some parts of the Samba source code they are referred to as the + account encode_bits, and also as the account control flags. + </p><p> +<a class="indexterm" name="id363349"></a> +<a class="indexterm" name="id363356"></a> +<a class="indexterm" name="id363362"></a> +<a class="indexterm" name="id363369"></a> +<a class="indexterm" name="id363376"></a> + The manual adjustment of user, machine (workstation or server) or an inter-domain trust + account account flgas should not be necessary under normal conditions of use of Samba. On the other hand, + where this information becomes corrupted for some reason, the ability to correct the damaged data is certainly + useful. The tool of choice by which such correction can be affected is the <code class="literal">pdbedit</code> utility. + </p><p> +<a class="indexterm" name="id363395"></a> +<a class="indexterm" name="id363402"></a> + There have been a few requests for information regarding the account flags from developers + who are creating their own Samba management tools. An example of a need for information regarding + the proper management of the account flags is evident when developing scripts that will be used + to manage an LDAP directory. + </p><p> +<a class="indexterm" name="id363415"></a> +<a class="indexterm" name="id363422"></a> + The account flag field can contain up to 16 characters. Presently, only 11 are in use. + These are listed in <a href="passdb.html#accountflags" title="Table 11.2. Samba SAM Account Control Block Flags">Samba SAM Account Control Block Flags</a>. + The order in which the flags are specified to the <code class="literal">pdbedit</code> command is not important. + In fact, they can be set without problem in any order in the SambaAcctFlags record in the LDAP directory. + </p><div class="table"><a name="accountflags"></a><p class="title"><b>Table 11.2. Samba SAM Account Control Block Flags</b></p><div class="table-contents"><table summary="Samba SAM Account Control Block Flags" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Flag</th><th align="center">Description</th></tr></thead><tbody><tr><td align="center">D</td><td align="left">Account is disabled.</td></tr><tr><td align="center">H</td><td align="left">A home directory is required.</td></tr><tr><td align="center">I</td><td align="left">An inter-domain trust account.</td></tr><tr><td align="center">L</td><td align="left">Account has been auto-locked.</td></tr><tr><td align="center">M</td><td align="left">An MNS (Microsoft network service) logon account.</td></tr><tr><td align="center">N</td><td align="left">Password not required.</td></tr><tr><td align="center">S</td><td align="left">A server trust account.</td></tr><tr><td align="center">T</td><td align="left">Temporary duplicate account entry.</td></tr><tr><td align="center">U</td><td align="left">A normal user account.</td></tr><tr><td align="center">W</td><td align="left">A workstation trust account.</td></tr><tr><td align="center">X</td><td align="left">Password does not expire.</td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="id363643"></a> +<a class="indexterm" name="id363650"></a> + An example of use of the <code class="literal">pdbedit</code> utility to set the account control flags + is shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -r -c "[DLX]" jht +Unix username: jht +NT username: jht +Account Flags: [DHULX ] +User SID: S-1-5-21-729263-4123605-1186429-3000 +Primary Group SID: S-1-5-21-729263-4123605-1186429-513 +Full Name: John H Terpstra,Utah Office +Home Directory: \\aurora\jht +HomeDir Drive: H: +Logon Script: scripts\logon.bat +Profile Path: \\aurora\profiles\jht +Domain: MIDEARTH +Account desc: BluntObject +Workstations: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: 0 +Password last set: Sun, 03 Jul 2005 23:19:18 GMT +Password can change: Sun, 03 Jul 2005 23:19:18 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +</pre><p> +<a class="indexterm" name="id363682"></a> + The flags can be reset to the default settings by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -r -c "[]" jht +Unix username: jht +NT username: jht +Account Flags: [U ] +User SID: S-1-5-21-729263-4123605-1186429-3000 +Primary Group SID: S-1-5-21-729263-4123605-1186429-513 +Full Name: John H Terpstra,Utah Office +Home Directory: \\aurora\jht +HomeDir Drive: H: +Logon Script: scripts\logon.bat +Profile Path: \\aurora\profiles\jht +Domain: MIDEARTH +Account desc: BluntObject +Workstations: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: 0 +Password last set: Sun, 03 Jul 2005 23:19:18 GMT +Password can change: Sun, 03 Jul 2005 23:19:18 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +</pre><p> + </p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id363711"></a>Domain Account Policy Managment</h5></div></div></div><p> +<a class="indexterm" name="id363719"></a> +<a class="indexterm" name="id363726"></a> + To view the domain account access policies that may be configured execute: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -P ? +No account policy by that name +Account policy names are : +min password length +password history +user must logon to change password +maximum password age +minimum password age +lockout duration +reset count minutes +bad lockout attempt +disconnect time +refuse machine password change +</pre><p> + </p><p> + Commands will be executed to establish controls for our domain as follows: + </p><div class="orderedlist"><ol type="1"><li><p>min password length = 8 characters.</p></li><li><p>password history = last 4 passwords.</p></li><li><p>maximum password age = 90 days.</p></li><li><p>minimum password age = 7 days.</p></li><li><p>bad lockout attempt = 8 bad logon attempts.</p></li><li><p>lockout duration = forever, account must be manually reenabled.</p></li></ol></div><p> + The following command execution will achieve these settings: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -P "min password length" -C 8 +account policy value for min password length was 5 +account policy value for min password length is now 8 +<code class="prompt">root# </code> pdbedit -P "password history" -C 4 +account policy value for password history was 0 +account policy value for password history is now 4 +<code class="prompt">root# </code> pdbedit -P "maximum password age" -C 7776000 +account policy value for maximum password age was 4294967295 +account policy value for maximum password age is now 7776000 +<code class="prompt">root# </code> pdbedit -P "minimum password age" -C 7 +account policy value for minimum password age was 0 +account policy value for minimum password age is now 7 +<code class="prompt">root# </code> pdbedit -P "bad lockout attempt" -C 8 +account policy value for bad lockout attempt was 0 +account policy value for bad lockout attempt is now 8 +<code class="prompt">root# </code> pdbedit -P "lockout duration" -C -1 +account policy value for lockout duration was 30 +account policy value for lockout duration is now 4294967295 +</pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +To set the maximum (infinite) lockout time use the value of -1. +</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Account policies must be set individually on each PDC and BDC. At this time (Samba 3.0.11 to Samba 3.0.14a) +account policies are not replicated automatically. This may be fixed before Samba 3.0.20 ships or some +time there after. Please check the WHATSNEW.txt file in the Samba-3 tarball for specific update notiations +regarding this facility. +</p></div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id363855"></a>Account Import/Export</h4></div></div></div><p> + <a class="indexterm" name="id363862"></a> +<a class="indexterm" name="id363869"></a> +<a class="indexterm" name="id363876"></a> + The <code class="literal">pdbedit</code> tool allows import/export of authentication (account) + databases from one backend to another. For example, to import/export accounts from an + old <code class="filename">smbpasswd</code> database to a <em class="parameter"><code>tdbsam</code></em> + backend: + </p><div class="procedure"><ol type="1"><li><p> +<a class="indexterm" name="id363911"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>pdbedit -i smbpasswd -e tdbsam</code></strong> +</pre><p> + </p></li><li><p> +<a class="indexterm" name="id363940"></a> + Replace the <em class="parameter"><code>smbpasswd</code></em> with <em class="parameter"><code>tdbsam</code></em> in the + <em class="parameter"><code>passdb backend</code></em> configuration in <code class="filename">smb.conf</code>. + </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id363976"></a>Password Backends</h2></div></div></div><p> +<a class="indexterm" name="id363984"></a> +<a class="indexterm" name="id363991"></a> +Samba offers flexibility in backend account database design. The flexibility is immediately obvious as one +begins to explore this capability. Recent changes to Samba (since 3.0.23) have removed the mulitple backend +feature in order to simplify problems that broke some installations. This removal has made the internal +operation of Samba-3 more consistent and predictable. +</p><p> +<a class="indexterm" name="id364004"></a> +<a class="indexterm" name="id364011"></a> +Beginning with Samba 3.0.23 it is no longer possible to specify use of mulitple passdb backends. Earlier +versions of Samba-3 made it possible to specify multiple password backends, and even multiple +backends of the same type. The multiple passdb backend capability caused many problems with name to SID and +SID to name ID resolution. The Samba team wrestled with the challenges and decided that this feature needed +to be removed. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364023"></a>Plaintext</h3></div></div></div><p> +<a class="indexterm" name="id364030"></a> +<a class="indexterm" name="id364037"></a> +<a class="indexterm" name="id364044"></a> +<a class="indexterm" name="id364051"></a> +<a class="indexterm" name="id364058"></a> +<a class="indexterm" name="id364064"></a> + Older versions of Samba retrieved user information from the UNIX user database + and eventually some other fields from the file <code class="filename">/etc/samba/smbpasswd</code> + or <code class="filename">/etc/smbpasswd</code>. When password encryption is disabled, no + SMB-specific data is stored at all. Instead, all operations are conducted via the way + that the Samba host OS will access its <code class="filename">/etc/passwd</code> database. + On most Linux systems, for example, all user and group resolution is done via PAM. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364094"></a>smbpasswd: Encrypted Password Database</h3></div></div></div><p> + <a class="indexterm" name="id364102"></a> +<a class="indexterm" name="id364111"></a> +<a class="indexterm" name="id364118"></a> +<a class="indexterm" name="id364125"></a> + Traditionally, when configuring <a class="indexterm" name="id364132"></a>encrypt passwords = yes + in Samba's <code class="filename">smb.conf</code> file, user account information such as username, LM/NT password hashes, + password change times, and account flags have been stored in the <code class="filename">smbpasswd(5)</code> + file. There are several disadvantages to this approach for sites with large numbers of users + (counted in the thousands). + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id364160"></a> + The first problem is that all lookups must be performed sequentially. Given that + there are approximately two lookups per domain logon (one during intial logon validation + and one for a session connection setup, such as when mapping a network drive or printer), this + is a performance bottleneck for large sites. What is needed is an indexed approach + such as that used in databases. + </p></li><li><p> +<a class="indexterm" name="id364174"></a> +<a class="indexterm" name="id364181"></a> +<a class="indexterm" name="id364188"></a> +<a class="indexterm" name="id364195"></a> +<a class="indexterm" name="id364201"></a> + The second problem is that administrators who desire to replicate an smbpasswd file + to more than one Samba server are left to use external tools such as + <code class="literal">rsync(1)</code> and <code class="literal">ssh(1)</code> and write custom, + in-house scripts. + </p></li><li><p> +<a class="indexterm" name="id364226"></a> +<a class="indexterm" name="id364233"></a> +<a class="indexterm" name="id364240"></a> +<a class="indexterm" name="id364246"></a> +<a class="indexterm" name="id364253"></a> + Finally, the amount of information that is stored in an smbpasswd entry leaves + no room for additional attributes such as a home directory, password expiration time, + or even a relative identifier (RID). + </p></li></ul></div><p> +<a class="indexterm" name="id364268"></a> +<a class="indexterm" name="id364275"></a> +<a class="indexterm" name="id364282"></a> +<a class="indexterm" name="id364288"></a> + As a result of these deficiencies, a more robust means of storing user attributes + used by smbd was developed. The API that defines access to user accounts + is commonly referred to as the samdb interface (previously, this was called the passdb + API and is still so named in the Samba source code trees). + </p><p> +<a class="indexterm" name="id364301"></a> +<a class="indexterm" name="id364308"></a> +<a class="indexterm" name="id364315"></a> +<a class="indexterm" name="id364322"></a> +<a class="indexterm" name="id364328"></a> + Samba provides an enhanced set of passdb backends that overcome the deficiencies + of the smbpasswd plaintext database. These are tdbsam and ldapsam. + Of these, ldapsam will be of most interest to large corporate or enterprise sites. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364340"></a>tdbsam</h3></div></div></div><p> + <a class="indexterm" name="id364347"></a> +<a class="indexterm" name="id364356"></a> +<a class="indexterm" name="id364365"></a> + Samba can store user and machine account data in a “<span class="quote">TDB</span>” (trivial database). + Using this backend does not require any additional configuration. This backend is + recommended for new installations that do not require LDAP. + </p><p> +<a class="indexterm" name="id364381"></a> +<a class="indexterm" name="id364388"></a> +<a class="indexterm" name="id364394"></a> +<a class="indexterm" name="id364401"></a> + As a general guide, the Samba Team does not recommend using the tdbsam backend for sites + that have 250 or more users. Additionally, tdbsam is not capable of scaling for use + in sites that require PDB/BDC implementations that require replication of the account + database. Clearly, for reason of scalability, the use of ldapsam should be encouraged. + </p><p> +<a class="indexterm" name="id364414"></a> +<a class="indexterm" name="id364420"></a> +<a class="indexterm" name="id364427"></a> + The recommendation of a 250-user limit is purely based on the notion that this + would generally involve a site that has routed networks, possibly spread across + more than one physical location. The Samba Team has not at this time established + the performance-based scalability limits of the tdbsam architecture. + </p><p> +<a class="indexterm" name="id364440"></a> +<a class="indexterm" name="id364447"></a> +<a class="indexterm" name="id364454"></a> +<a class="indexterm" name="id364460"></a> + There are sites that have thousands of users and yet require only one server. + One site recently reported having 4,500 user accounts on one UNIX system and + reported excellent performance with the <code class="literal">tdbsam</code> passdb backend. + The limitation of where the <code class="literal">tdbsam</code> passdb backend can be used + is not one pertaining to a limitation in the TDB storage system, it is based + only on the need for a reliable distribution mechanism for the SambaSAMAccount + backend. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364485"></a>ldapsam</h3></div></div></div><p> +<a class="indexterm" name="id364493"></a> +<a class="indexterm" name="id364500"></a> + <a class="indexterm" name="id364506"></a> + There are a few points to stress that the ldapsam does not provide. The LDAP + support referred to in this documentation does not include: + </p><div class="itemizedlist"><ul type="disc"><li><p>A means of retrieving user account information from + a Windows 200x Active Directory server.</p></li><li><p>A means of replacing /etc/passwd.</p></li></ul></div><p> +<a class="indexterm" name="id364533"></a> +<a class="indexterm" name="id364540"></a> +<a class="indexterm" name="id364547"></a> +<a class="indexterm" name="id364553"></a> + The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be + obtained from <a href="http://www.padl.com/" target="_top">PADL Software</a>. More information about the + configuration of these packages may be found in <a href="http://safari.oreilly.com/?XmlId=1-56592-491-6" target="_top"> + <span class="emphasis"><em>LDAP, System Administration</em></span> by Gerald Carter, Chapter 6, Replacing NIS"</a>. + </p><p> +<a class="indexterm" name="id364581"></a> +<a class="indexterm" name="id364588"></a> +<a class="indexterm" name="id364595"></a> + This document describes how to use an LDAP directory for storing Samba user + account information traditionally stored in the smbpasswd(5) file. It is + assumed that the reader already has a basic understanding of LDAP concepts + and has a working directory server already installed. For more information + on LDAP architectures and directories, please refer to the following sites: + </p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://www.openldap.org/" target="_top">OpenLDAP</a></p></li><li><p><a href="http://www.sun.com/software/products/directory_srvr_ee/index.xml" target="_top"> + Sun One Directory Server</a></p></li><li><p><a href="http://www.novell.com/products/edirectory/" target="_top">Novell eDirectory</a></p></li><li><p><a href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">IBM + Tivoli Directory Server</a></p></li><li><p><a href="http://www.redhat.com/software/rha/directory/" target="_top">Red Hat Directory + Server</a></p></li><li><p><a href="http://www.linuxsecurity.com/content/view/119229" target="_top">Fedora Directory + Server</a></p></li></ul></div><p> + Two additional Samba resources that may prove to be helpful are: + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id364668"></a> + The <a href="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html" target="_top">Samba-PDC-LDAP-HOWTO</a> + maintained by Ignacio Coupeau. + </p></li><li><p> +<a class="indexterm" name="id364685"></a> +<a class="indexterm" name="id364692"></a> +<a class="indexterm" name="id364699"></a> + The NT migration scripts from <a href="http://samba.idealx.org/" target="_top">IDEALX</a> that are + geared to manage users and groups in such a Samba-LDAP domain controller configuration. + Idealx also produced the smbldap-tools and the Interactive Console Management tool. + </p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id364716"></a>Supported LDAP Servers</h4></div></div></div><p> +<a class="indexterm" name="id364724"></a> +<a class="indexterm" name="id364730"></a> +<a class="indexterm" name="id364737"></a> +<a class="indexterm" name="id364744"></a> + The LDAP ldapsam code was developed and tested using the OpenLDAP 2.x server and + client libraries. The same code should work with Netscape's Directory Server and client SDK. + However, there are bound to be compile errors and bugs. These should not be hard to fix. + Please submit fixes via the process outlined in <a href="bugreport.html" title="Chapter 40. Reporting Bugs">Reporting Bugs</a>. + </p><p> + Samba is capable of working with any standards-compliant LDAP server. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id364767"></a>Schema and Relationship to the RFC 2307 posixAccount</h4></div></div></div><p> + Samba-3.0 includes the necessary schema file for OpenLDAP 2.x in the + <code class="filename">examples/LDAP/samba.schema</code> directory of the source code distribution + tarball. The schema entry for the sambaSamAccount ObjectClass is shown here: +</p><pre class="programlisting"> +ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY + DESC 'Samba-3.0 Auxiliary SAM Account' + MUST ( uid $ sambaSID ) + MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ + sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ + sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ + displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ + sambaProfilePath $ description $ sambaUserWorkstations $ + sambaPrimaryGroupSID $ sambaDomainName )) +</pre><p> + </p><p> +<a class="indexterm" name="id364796"></a> +<a class="indexterm" name="id364803"></a> +<a class="indexterm" name="id364810"></a> + The <code class="filename">samba.schema</code> file has been formatted for OpenLDAP 2.0/2.1. + The Samba Team owns the OID space used by the above schema and recommends its use. + If you translate the schema to be used with Netscape DS, please submit the modified + schema file as a patch to <a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>. + </p><p> +<a class="indexterm" name="id364834"></a> +<a class="indexterm" name="id364840"></a> +<a class="indexterm" name="id364847"></a> +<a class="indexterm" name="id364854"></a> +<a class="indexterm" name="id364861"></a> +<a class="indexterm" name="id364868"></a> +<a class="indexterm" name="id364874"></a> + Just as the smbpasswd file is meant to store information that provides information + additional to a user's <code class="filename">/etc/passwd</code> entry, so is the sambaSamAccount + object meant to supplement the UNIX user account information. A sambaSamAccount is an + <code class="constant">AUXILIARY</code> ObjectClass, so it can be used to augment existing + user account information in the LDAP directory, thus providing information needed + for Samba account handling. However, there are several fields (e.g., uid) that overlap + with the posixAccount ObjectClass outlined in RFC 2307. This is by design. + </p><p> +<a class="indexterm" name="id364899"></a> +<a class="indexterm" name="id364905"></a> +<a class="indexterm" name="id364912"></a> +<a class="indexterm" name="id364919"></a> +<a class="indexterm" name="id364926"></a> +<a class="indexterm" name="id364933"></a> +<a class="indexterm" name="id364939"></a> +<a class="indexterm" name="id364946"></a> +<a class="indexterm" name="id364953"></a> + In order to store all user account information (UNIX and Samba) in the directory, + it is necessary to use the sambaSamAccount and posixAccount ObjectClasses in + combination. However, <code class="literal">smbd</code> will still obtain the user's UNIX account + information via the standard C library calls, such as getpwnam(). + This means that the Samba server must also have the LDAP NSS library installed + and functioning correctly. This division of information makes it possible to + store all Samba account information in LDAP, but still maintain UNIX account + information in NIS while the network is transitioning to a full LDAP infrastructure. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id364973"></a>OpenLDAP Configuration</h4></div></div></div><p> +<a class="indexterm" name="id364980"></a> +<a class="indexterm" name="id364987"></a> +<a class="indexterm" name="id364994"></a> +<a class="indexterm" name="id365001"></a> + To include support for the sambaSamAccount object in an OpenLDAP directory + server, first copy the samba.schema file to slapd's configuration directory. + The samba.schema file can be found in the directory <code class="filename">examples/LDAP</code> + in the Samba source distribution. +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cp samba.schema /etc/openldap/schema/</code></strong> +</pre><p> + </p><p> +<a class="indexterm" name="id365035"></a> +<a class="indexterm" name="id365042"></a> +<a class="indexterm" name="id365048"></a> +<a class="indexterm" name="id365055"></a> +<a class="indexterm" name="id365062"></a> +<a class="indexterm" name="id365069"></a> +<a class="indexterm" name="id365075"></a> +<a class="indexterm" name="id365082"></a> + Next, include the <code class="filename">samba.schema</code> file in <code class="filename">slapd.conf</code>. + The sambaSamAccount object contains two attributes that depend on other schema + files. The <em class="parameter"><code>uid</code></em> attribute is defined in <code class="filename">cosine.schema</code> and + the <em class="parameter"><code>displayName</code></em> attribute is defined in the <code class="filename">inetorgperson.schema</code> + file. Both of these must be included before the <code class="filename">samba.schema</code> file. +</p><pre class="programlisting"> +## /etc/openldap/slapd.conf + +## schema files (core.schema is required by default) +include /etc/openldap/schema/core.schema + +## needed for sambaSamAccount +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema +.... +</pre><p> + </p><p> +<a class="indexterm" name="id365144"></a> +<a class="indexterm" name="id365151"></a> +<a class="indexterm" name="id365158"></a> +<a class="indexterm" name="id365165"></a> + It is recommended that you maintain some indices on some of the most useful attributes, + as in the following example, to speed up searches made on sambaSamAccount ObjectClasses + (and possibly posixAccount and posixGroup as well): + </p><p> +</p><pre class="programlisting"> +# Indices to maintain +## required by OpenLDAP +index objectclass eq + +index cn pres,sub,eq +index sn pres,sub,eq +## required to support pdb_getsampwnam +index uid pres,sub,eq +## required to support pdb_getsambapwrid() +index displayName pres,sub,eq + +## uncomment these if you are storing posixAccount and +## posixGroup entries in the directory as well +##index uidNumber eq +##index gidNumber eq +##index memberUid eq + +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre><p> +</p><p> + Create the new index by executing: +</p><pre class="screen"> +<code class="prompt">root# </code>./sbin/slapindex -f slapd.conf +</pre><p> + </p><p> + Remember to restart slapd after making these changes: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/etc/init.d/slapd restart</code></strong> +</pre><p> + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id365225"></a>Initialize the LDAP Database</h4></div></div></div><p> +<a class="indexterm" name="id365233"></a> +<a class="indexterm" name="id365240"></a> +<a class="indexterm" name="id365247"></a> +<a class="indexterm" name="id365253"></a> + Before you can add accounts to the LDAP database, you must create the account containers + that they will be stored in. The following LDIF file should be modified to match your + needs (DNS entries, and so on): +</p><pre class="programlisting"> +# Organization for Samba Base +dn: dc=quenya,dc=org +objectclass: dcObject +objectclass: organization +dc: quenya +o: Quenya Org Network +description: The Samba-3 Network LDAP Example + +# Organizational Role for Directory Management +dn: cn=Manager,dc=quenya,dc=org +objectclass: organizationalRole +cn: Manager +description: Directory Manager + +# Setting up container for Users OU +dn: ou=People,dc=quenya,dc=org +objectclass: top +objectclass: organizationalUnit +ou: People + +# Setting up admin handle for People OU +dn: cn=admin,ou=People,dc=quenya,dc=org +cn: admin +objectclass: top +objectclass: organizationalRole +objectclass: simpleSecurityObject +userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz + +# Setting up container for groups +dn: ou=Groups,dc=quenya,dc=org +objectclass: top +objectclass: organizationalUnit +ou: Groups + +# Setting up admin handle for Groups OU +dn: cn=admin,ou=Groups,dc=quenya,dc=org +cn: admin +objectclass: top +objectclass: organizationalRole +objectclass: simpleSecurityObject +userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz + +# Setting up container for computers +dn: ou=Computers,dc=quenya,dc=org +objectclass: top +objectclass: organizationalUnit +ou: Computers + +# Setting up admin handle for Computers OU +dn: cn=admin,ou=Computers,dc=quenya,dc=org +cn: admin +objectclass: top +objectclass: organizationalRole +objectclass: simpleSecurityObject +userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +</pre><p> + </p><p> +<a class="indexterm" name="id365282"></a> +<a class="indexterm" name="id365289"></a> + The userPassword shown above should be generated using <code class="literal">slappasswd</code>. + </p><p> +<a class="indexterm" name="id365306"></a> +<a class="indexterm" name="id365313"></a> + The following command will then load the contents of the LDIF file into the LDAP + database. +<a class="indexterm" name="id365320"></a> +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>slapadd -v -l initldap.dif</code></strong> +</pre><p> + </p><p> + Do not forget to secure your LDAP server with an adequate access control list + as well as an admin password. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id365351"></a> + Before Samba can access the LDAP server, you need to store the LDAP admin password + in the Samba-3 <code class="filename">secrets.tdb</code> database by: +<a class="indexterm" name="id365365"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -w <em class="replaceable"><code>secret</code></em></code></strong> +</pre><p> + </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id365392"></a>Configuring Samba</h4></div></div></div><p> +<a class="indexterm" name="id365400"></a> +<a class="indexterm" name="id365407"></a> + The following parameters are available in <code class="filename">smb.conf</code> only if your version of Samba was built with + LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are found. The + best method to verify that Samba was built with LDAP support is: +</p><pre class="screen"> +<code class="prompt">root# </code> smbd -b | grep LDAP + HAVE_LDAP_H + HAVE_LDAP + HAVE_LDAP_DOMAIN2HOSTLIST + HAVE_LDAP_INIT + HAVE_LDAP_INITIALIZE + HAVE_LDAP_SET_REBIND_PROC + HAVE_LIBLDAP + LDAP_SET_REBIND_PROC_ARGS +</pre><p> + If the build of the <code class="literal">smbd</code> command you are using does not produce output + that includes <code class="literal">HAVE_LDAP_H</code> it is necessary to discover why the LDAP headers + and libraries were not found during compilation. + </p><p>LDAP-related smb.conf options include these: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id365458"></a><em class="parameter"><code>passdb backend = ldapsam:url</code></em></td></tr><tr><td><a class="indexterm" name="id365470"></a><em class="parameter"><code>ldap admin dn</code></em></td></tr><tr><td><a class="indexterm" name="id365483"></a><em class="parameter"><code>ldap delete dn</code></em></td></tr><tr><td><a class="indexterm" name="id365495"></a><em class="parameter"><code>ldap filter</code></em></td></tr><tr><td><a class="indexterm" name="id365508"></a><em class="parameter"><code>ldap group suffix</code></em></td></tr><tr><td><a class="indexterm" name="id365520"></a><em class="parameter"><code>ldap idmap suffix</code></em></td></tr><tr><td><a class="indexterm" name="id365533"></a><em class="parameter"><code>ldap machine suffix</code></em></td></tr><tr><td><a class="indexterm" name="id365545"></a><em class="parameter"><code>ldap passwd sync</code></em></td></tr><tr><td><a class="indexterm" name="id365558"></a><em class="parameter"><code>ldap ssl</code></em></td></tr><tr><td><a class="indexterm" name="id365570"></a><em class="parameter"><code>ldap suffix</code></em></td></tr><tr><td><a class="indexterm" name="id365583"></a><em class="parameter"><code>ldap user suffix</code></em></td></tr><tr><td><a class="indexterm" name="id365596"></a><em class="parameter"><code>ldap replication sleep</code></em></td></tr><tr><td><a class="indexterm" name="id365608"></a><em class="parameter"><code>ldap timeout</code></em></td></tr><tr><td><a class="indexterm" name="id365621"></a><em class="parameter"><code>ldap page size</code></em></td></tr></table><p> + </p><p> + These are described in the <code class="filename">smb.conf</code> man page and so are not repeated here. However, an example + for use with an LDAP directory is shown in <a href="passdb.html#confldapex" title="Example 11.2. Configuration with LDAP">the Configuration with LDAP.</a> + </p><div class="example"><a name="confldapex"></a><p class="title"><b>Example 11.2. Configuration with LDAP</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id365676"></a><em class="parameter"><code>security = user</code></em></td></tr><tr><td><a class="indexterm" name="id365689"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr><tr><td><a class="indexterm" name="id365701"></a><em class="parameter"><code>netbios name = MORIA</code></em></td></tr><tr><td><a class="indexterm" name="id365714"></a><em class="parameter"><code>workgroup = NOLDOR</code></em></td></tr><tr><td># LDAP related parameters:</td></tr><tr><td># Define the DN used when binding to the LDAP servers.</td></tr><tr><td># The password for this DN is not stored in smb.conf</td></tr><tr><td># Set it using 'smbpasswd -w secret' to store the</td></tr><tr><td># passphrase in the secrets.tdb file.</td></tr><tr><td># If the "ldap admin dn" value changes, it must be reset.</td></tr><tr><td><a class="indexterm" name="id365748"></a><em class="parameter"><code>ldap admin dn = "cn=Manager,dc=quenya,dc=org"</code></em></td></tr><tr><td># SSL directory connections can be configured by:</td></tr><tr><td># ('off', 'start tls', or 'on' (default))</td></tr><tr><td><a class="indexterm" name="id365769"></a><em class="parameter"><code>ldap ssl = start tls</code></em></td></tr><tr><td># syntax: passdb backend = ldapsam:ldap://server-name[:port]</td></tr><tr><td><a class="indexterm" name="id365785"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://frodo.quenya.org</code></em></td></tr><tr><td># smbpasswd -x delete the entire dn-entry</td></tr><tr><td><a class="indexterm" name="id365802"></a><em class="parameter"><code>ldap delete dn = no</code></em></td></tr><tr><td># The machine and user suffix are added to the base suffix</td></tr><tr><td># wrote WITHOUT quotes. NULL suffixes by default</td></tr><tr><td><a class="indexterm" name="id365822"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id365834"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id365847"></a><em class="parameter"><code>ldap machine suffix = ou=Computers</code></em></td></tr><tr><td># Trust UNIX account information in LDAP</td></tr><tr><td># (see the smb.conf man page for details)</td></tr><tr><td># Specify the base DN to use when searching the directory</td></tr><tr><td><a class="indexterm" name="id365871"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id365886"></a>Accounts and Groups Management</h4></div></div></div><p> + <a class="indexterm" name="id365894"></a> + <a class="indexterm" name="id365901"></a> + Because user accounts are managed through the sambaSamAccount ObjectClass, you should + modify your existing administration tools to deal with sambaSamAccount attributes. + </p><p> +<a class="indexterm" name="id365915"></a> +<a class="indexterm" name="id365921"></a> +<a class="indexterm" name="id365928"></a> + Machine accounts are managed with the sambaSamAccount ObjectClass, just + like user accounts. However, it is up to you to store those accounts + in a different tree of your LDAP namespace. You should use + “<span class="quote">ou=Groups,dc=quenya,dc=org</span>” to store groups and + “<span class="quote">ou=People,dc=quenya,dc=org</span>” to store users. Just configure your + NSS and PAM accordingly (usually, in the <code class="filename">/etc/openldap/sldap.conf</code> + configuration file). + </p><p> +<a class="indexterm" name="id365955"></a> +<a class="indexterm" name="id365961"></a> +<a class="indexterm" name="id365968"></a> +<a class="indexterm" name="id365975"></a> + In Samba-3, the group management system is based on POSIX + groups. This means that Samba makes use of the posixGroup ObjectClass. + For now, there is no NT-like group system management (global and local + groups). Samba-3 knows only about <code class="constant">Domain Groups</code> + and, unlike MS Windows 2000 and Active Directory, Samba-3 does not + support nested groups. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id365990"></a>Security and sambaSamAccount</h4></div></div></div><p> +<a class="indexterm" name="id365998"></a> + There are two important points to remember when discussing the security + of sambaSAMAccount entries in the directory. + </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Never</em></span> retrieve the SambaLMPassword or +<a class="indexterm" name="id366015"></a> + SambaNTPassword attribute values over an unencrypted LDAP session.</p></li><li><p><span class="emphasis"><em>Never</em></span> allow non-admin users to + view the SambaLMPassword or SambaNTPassword attribute values.</p></li></ul></div><p> +<a class="indexterm" name="id366035"></a> +<a class="indexterm" name="id366041"></a> +<a class="indexterm" name="id366048"></a> + These password hashes are clear-text equivalents and can be used to impersonate + the user without deriving the original clear-text strings. For more information + on the details of LM/NT password hashes, refer to <a href="passdb.html" title="Chapter 11. Account Information Databases">the + Account Information Database section</a>. + </p><p> +<a class="indexterm" name="id366067"></a> +<a class="indexterm" name="id366074"></a> +<a class="indexterm" name="id366081"></a> +<a class="indexterm" name="id366088"></a> + To remedy the first security issue, the <a class="indexterm" name="id366095"></a>ldap ssl <code class="filename">smb.conf</code> + parameter defaults to require an encrypted session (<a class="indexterm" name="id366109"></a>ldap ssl = on) using the default port of <code class="constant">636</code> when + contacting the directory server. When using an OpenLDAP server, it + is possible to use the StartTLS LDAP extended operation in the place of LDAPS. + In either case, you are strongly encouraged to use secure communications protocols + (so do not set <a class="indexterm" name="id366121"></a>ldap ssl = off). + </p><p> +<a class="indexterm" name="id366132"></a> +<a class="indexterm" name="id366138"></a> +<a class="indexterm" name="id366145"></a> + Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS + extended operation. However, the OpenLDAP library still provides support for + the older method of securing communication between clients and servers. + </p><p> +<a class="indexterm" name="id366157"></a> +<a class="indexterm" name="id366164"></a> +<a class="indexterm" name="id366171"></a> + The second security precaution is to prevent non-administrative users from + harvesting password hashes from the directory. This can be done using the + following ACL in <code class="filename">slapd.conf</code>: + </p><p> +</p><pre class="programlisting"> +## allow the "ldap admin dn" access, but deny everyone else +access to attrs=SambaLMPassword,SambaNTPassword + by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write + by * none +</pre><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366198"></a>LDAP Special Attributes for sambaSamAccounts</h4></div></div></div><p> The sambaSamAccount ObjectClass is composed of the attributes shown in next tables: <a href="passdb.html#attribobjclPartA" title="Table 11.3. Attributes in the sambaSamAccount ObjectClass (LDAP), Part A">Part A</a>, and <a href="passdb.html#attribobjclPartB" title="Table 11.4. Attributes in the sambaSamAccount ObjectClass (LDAP), Part B">Part B</a>. + </p><div class="table"><a name="attribobjclPartA"></a><p class="title"><b>Table 11.3. Attributes in the sambaSamAccount ObjectClass (LDAP), Part A</b></p><div class="table-contents"><table summary="Attributes in the sambaSamAccount ObjectClass (LDAP), Part A" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><code class="constant">sambaLMPassword</code></td><td align="justify">The LanMan password 16-byte hash stored as a character + representation of a hexadecimal string.</td></tr><tr><td align="left"><code class="constant">sambaNTPassword</code></td><td align="justify">The NT password 16-byte hash stored as a character + representation of a hexadecimal string.</td></tr><tr><td align="left"><code class="constant">sambaPwdLastSet</code></td><td align="justify">The integer time in seconds since 1970 when the + <code class="constant">sambaLMPassword</code> and <code class="constant">sambaNTPassword</code> attributes were last set. + </td></tr><tr><td align="left"><code class="constant">sambaAcctFlags</code></td><td align="justify">String of 11 characters surrounded by square brackets [ ] + representing account flags such as U (user), W (workstation), X (no password expiration), + I (domain trust account), H (home dir required), S (server trust account), + and D (disabled).</td></tr><tr><td align="left"><code class="constant">sambaLogonTime</code></td><td align="justify">Integer value currently unused.</td></tr><tr><td align="left"><code class="constant">sambaLogoffTime</code></td><td align="justify">Integer value currently unused.</td></tr><tr><td align="left"><code class="constant">sambaKickoffTime</code></td><td align="justify">Specifies the time (UNIX time format) when the user + will be locked down and cannot login any longer. If this attribute is omitted, then the account will never expire. + Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to + expire completely on an exact date.</td></tr><tr><td align="left"><code class="constant">sambaPwdCanChange</code></td><td align="justify">Specifies the time (UNIX time format) + after which the user is allowed to change his password. If this attribute is not set, the user will be free + to change his password whenever he wants.</td></tr><tr><td align="left"><code class="constant">sambaPwdMustChange</code></td><td align="justify">Specifies the time (UNIX time format) when the user is + forced to change his password. If this value is set to 0, the user will have to change his password at first login. + If this attribute is not set, then the password will never expire.</td></tr><tr><td align="left"><code class="constant">sambaHomeDrive</code></td><td align="justify">Specifies the drive letter to which to map the + UNC path specified by sambaHomePath. The drive letter must be specified in the form “<span class="quote">X:</span>” + where X is the letter of the drive to map. Refer to the “<span class="quote">logon drive</span>” parameter in the + smb.conf(5) man page for more information.</td></tr><tr><td align="left"><code class="constant">sambaLogonScript</code></td><td align="justify">The sambaLogonScript property specifies the path of + the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path + is relative to the netlogon share. Refer to the <a class="indexterm" name="id366369"></a>logon script parameter in the + <code class="filename">smb.conf</code> man page for more information.</td></tr><tr><td align="left"><code class="constant">sambaProfilePath</code></td><td align="justify">Specifies a path to the user's profile. + This value can be a null string, a local absolute path, or a UNC path. Refer to the + <a class="indexterm" name="id366391"></a>logon path parameter in the <code class="filename">smb.conf</code> man page for more information.</td></tr><tr><td align="left"><code class="constant">sambaHomePath</code></td><td align="justify">The sambaHomePath property specifies the path of + the home directory for the user. The string can be null. If sambaHomeDrive is set and specifies + a drive letter, sambaHomePath should be a UNC path. The path must be a network + UNC path of the form <code class="filename">\\server\share\directory</code>. This value can be a null string. + Refer to the <code class="literal">logon home</code> parameter in the <code class="filename">smb.conf</code> man page for more information. + </td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="attribobjclPartB"></a><p class="title"><b>Table 11.4. Attributes in the sambaSamAccount ObjectClass (LDAP), Part B</b></p><div class="table-contents"><table summary="Attributes in the sambaSamAccount ObjectClass (LDAP), Part B" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><code class="constant">sambaUserWorkstations</code></td><td align="justify">Here you can give a comma-separated list of machines + on which the user is allowed to login. You may observe problems when you try to connect to a Samba domain member. + Because domain members are not in this list, the domain controllers will reject them. Where this attribute is omitted, + the default implies no restrictions. + </td></tr><tr><td align="left"><code class="constant">sambaSID</code></td><td align="justify">The security identifier(SID) of the user. + The Windows equivalent of UNIX UIDs.</td></tr><tr><td align="left"><code class="constant">sambaPrimaryGroupSID</code></td><td align="justify">The security identifier (SID) of the primary group + of the user.</td></tr><tr><td align="left"><code class="constant">sambaDomainName</code></td><td align="justify">Domain the user is part of.</td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="id366507"></a> +<a class="indexterm" name="id366514"></a> + The majority of these parameters are only used when Samba is acting as a PDC of + a domain (refer to <a href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>, for details on + how to configure Samba as a PDC). The following four attributes + are only stored with the sambaSamAccount entry if the values are non-default values: + </p><div class="itemizedlist"><a class="indexterm" name="id366533"></a><a class="indexterm" name="id366540"></a><a class="indexterm" name="id366547"></a><a class="indexterm" name="id366554"></a><ul type="disc"><li><p>sambaHomePath</p></li><li><p>sambaLogonScript</p></li><li><p>sambaProfilePath</p></li><li><p>sambaHomeDrive</p></li></ul></div><p> +<a class="indexterm" name="id366582"></a> +<a class="indexterm" name="id366588"></a> +<a class="indexterm" name="id366595"></a> + These attributes are only stored with the sambaSamAccount entry if + the values are non-default values. For example, assume MORIA has now been + configured as a PDC and that <a class="indexterm" name="id366603"></a>logon home = \\%L\%u was defined in + its <code class="filename">smb.conf</code> file. When a user named “<span class="quote">becky</span>” logs on to the domain, + the <a class="indexterm" name="id366621"></a>logon home string is expanded to \\MORIA\becky. + If the smbHome attribute exists in the entry “<span class="quote">uid=becky,ou=People,dc=samba,dc=org</span>”, + this value is used. However, if this attribute does not exist, then the value + of the <a class="indexterm" name="id366633"></a>logon home parameter is used in its place. Samba + will only write the attribute value to the directory entry if the value is + something other than the default (e.g., <code class="filename">\\MOBY\becky</code>). + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366650"></a>Example LDIF Entries for a sambaSamAccount</h4></div></div></div><p> + The following is a working LDIF that demonstrates the use of the SambaSamAccount ObjectClass: +</p><pre class="programlisting"> +dn: uid=guest2, ou=People,dc=quenya,dc=org +sambaLMPassword: 878D8014606CDA29677A44EFA1353FC7 +sambaPwdMustChange: 2147483647 +sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513 +sambaNTPassword: 552902031BEDE9EFAAD3B435B51404EE +sambaPwdLastSet: 1010179124 +sambaLogonTime: 0 +objectClass: sambaSamAccount +uid: guest2 +sambaKickoffTime: 2147483647 +sambaAcctFlags: [UX ] +sambaLogoffTime: 2147483647 +sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006 +sambaPwdCanChange: 0 +</pre><p> + </p><p> + The following is an LDIF entry for using both the sambaSamAccount and + posixAccount ObjectClasses: +</p><pre class="programlisting"> +dn: uid=gcarter, ou=People,dc=quenya,dc=org +sambaLogonTime: 0 +displayName: Gerald Carter +sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE +sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201 +objectClass: posixAccount +objectClass: sambaSamAccount +sambaAcctFlags: [UX ] +userPassword: {crypt}BpM2ej8Rkzogo +uid: gcarter +uidNumber: 9000 +cn: Gerald Carter +loginShell: /bin/bash +logoffTime: 2147483647 +gidNumber: 100 +sambaKickoffTime: 2147483647 +sambaPwdLastSet: 1010179230 +sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004 +homeDirectory: /home/moria/gcarter +sambaPwdCanChange: 0 +sambaPwdMustChange: 2147483647 +sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 +</pre><p> + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366686"></a>Password Synchronization</h4></div></div></div><p> + Samba-3 and later can update the non-Samba (LDAP) password stored with an account. When + using pam_ldap, this allows changing both UNIX and Windows passwords at once. + </p><p>The <a class="indexterm" name="id366699"></a>ldap passwd sync options can have the values shown in + <a href="passdb.html#ldappwsync" title="Table 11.5. Possible ldap passwd sync Values">Possible <span class="emphasis"><em>ldap passwd sync</em></span> Values</a>.</p><div class="table"><a name="ldappwsync"></a><p class="title"><b>Table 11.5. Possible <em class="parameter"><code>ldap passwd sync</code></em> Values</b></p><div class="table-contents"><table summary="Possible ldap passwd sync Values" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Value</th><th align="center">Description</th></tr></thead><tbody><tr><td align="left">yes</td><td align="justify"><p>When the user changes his password, update + <code class="constant">SambaNTPassword</code>, <code class="constant">SambaLMPassword</code>, + and the <code class="constant">password</code> fields.</p></td></tr><tr><td align="left">no</td><td align="justify"><p>Only update <code class="constant">SambaNTPassword</code> and + <code class="constant">SambaLMPassword</code>.</p></td></tr><tr><td align="left">only</td><td align="justify"><p>Only update the LDAP password and let the LDAP server + worry about the other fields. This option is only available on some LDAP servers and + only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD.</p></td></tr></tbody></table></div></div><br class="table-break"><p>More information can be found in the <code class="filename">smb.conf</code> man page.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366827"></a>Using OpenLDAP Overlay for Password Syncronization</h4></div></div></div><p> + Howard Chu has written a special overlay called <code class="literal">smbk5pwd</code>. This tool modifies the + <code class="literal">SambaNTPassword</code>, <code class="literal">SambaLMPassword</code> and <code class="literal">Heimdal</code> + hashes in an OpenLDAP entry when an LDAP_EXOP_X_MODIFY_PASSWD operation is performed. + </p><p> + The overlay is shipped with OpenLDAP-2.3 and can be found in the + <code class="filename">contrib/slapd-modules/smbk5pwd</code> subdirectory. This module can also be used with + OpenLDAP-2.2. + </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id366875"></a>Common Errors</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id366881"></a>Users Cannot Logon</h3></div></div></div><p>“<span class="quote">I've installed Samba, but now I can't log on with my UNIX account! </span>”</p><p>Make sure your user has been added to the current Samba <a class="indexterm" name="id366894"></a>passdb backend. + Read the <a href="passdb.html#acctmgmttools" title="Account Management Tools">Account Management Tools,</a> for details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id366912"></a>Configuration of <em class="parameter"><code>auth methods</code></em></h3></div></div></div><p> + When explicitly setting an <a class="indexterm" name="id366924"></a>auth methods parameter, + <em class="parameter"><code>guest</code></em> must be specified as the first entry on the line + for example, <a class="indexterm" name="id366941"></a>auth methods = guest sam. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. Network Browsing </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Group Mapping: MS Windows and UNIX</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/pr01.html b/docs/htmldocs/Samba3-HOWTO/pr01.html new file mode 100644 index 0000000000..0ea794f4b1 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/pr01.html @@ -0,0 +1,30 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>About the Cover Artwork</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="next" href="pr02.html" title="Attribution"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">About the Cover Artwork</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id282150"></a>About the Cover Artwork</h2></div></div></div><p> + The cover artwork of this book continues the freedom theme of the first edition of “<span class="quote">The Official Samba-3 + HOWTO and Reference Guide</span>”. We may look back upon the past to question the motives of those who have + gone before us. Seldom do we realise that the past owes us no answer, and despite what we may think of the + actions of those who have travelled lifes' road before us, we must feel a sense of pride and gratitude for + those who, in the past, have protected our liberties. + </p><p> + Developments in information technology continue to move at an alarming pace. Human nature causes us + to adopt and embrace new developments that appear to answer the needs of the moment, but that can entrap + us at a future date. There are many examples in the short history of information technology. MS-DOS was + seen as a tool that liberated users from the tyrany of large computer system operating costs, and that + made possible the rapid progres we are beneficiaries of today. Yet today we are inclined to look back with + disdain on MS-DOS as an obsolete and constraining technology that belongs are an era that is best + forgotten. + </p><p> + The embrace of Windows networking, Windows NT4, and MS Active Directory in more recent times, may seem + modern and progressive today, but sooner or later something better will replace them. The current + preoccupation with extended identity management solutions and with directories is not unexpected. + The day will come that these too will be evaluated, and what may seem refreshing and powerful may + be better recogized as the chilly winds of the night. To argue against progress is unthinkable, + no matter what may lie ahead. + </p><p> + The development of Samba is moving forwards. The changes since Samba 3.0.0 are amazing, yet many + users would like to see more and faster progress. The benefits of recent developments can be realized + quickly, but documentation is necessary to unlock the pandoras' box. It is our hope that this book + will help the network administrator to rapidly deploy the new features with minimum effort. As you + deploy and gain mileage from the new enablement, take the time to think through what may lie ahead. + Above all, take stock of the freedom of choice that Samba provides in your world, and enjoy the new + potential for seamless interoperability. + </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">The Official Samba 3.2.x HOWTO and Reference Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Attribution</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/pr02.html b/docs/htmldocs/Samba3-HOWTO/pr02.html new file mode 100644 index 0000000000..405ba30457 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/pr02.html @@ -0,0 +1,93 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Attribution</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="pr01.html" title="About the Cover Artwork"><link rel="next" href="pr03.html" title="Foreword"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Attribution</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id282196"></a>Attribution</h2></div></div></div><p><a href="install.html" title="Chapter 1. How to Install and Test SAMBA">How to Install and Test SAMBA</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Karl Auer <<a href="mailto:kauer@biplane.com.au" target="_top">kauer@biplane.com.au</a>></p></li><li><p>Dan Shearer <<a href="mailto:dan@samba.org" target="_top">dan@samba.org</a>></p></li></ul></div><p> +</p><p><a href="FastStart.html" title="Chapter 2. Fast Start: Cure for Impatience">Fast Start: Cure for Impatience</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="ServerType.html" title="Chapter 3. Server Types and Security Modes">Server Types and Security Modes</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>David Bannon <<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>></p></li><li><p>Guenther Deschner <<a href="mailto:gd@suse.de" target="_top">gd@suse.de</a>> (LDAP updates) </p></li></ul></div><p> +</p><p><a href="samba-bdc.html" title="Chapter 5. Backup Domain Control">Backup Domain Control</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Volker Lendecke <<a href="mailto:Volker.Lendecke@SerNet.DE" target="_top">Volker.Lendecke@SerNet.DE</a>></p></li><li><p>Guenther Deschner <<a href="mailto:gd@suse.de" target="_top">gd@suse.de</a>> (LDAP updates) </p></li></ul></div><p> +</p><p><a href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>Guenther Deschner <<a href="mailto:gd@suse.de" target="_top">gd@suse.de</a>> (LDAP updates) </p></li></ul></div><p> +</p><p><a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">Standalone Servers</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="ClientConfig.html" title="Chapter 8. MS Windows Network Configuration Guide">MS Windows Network Configuration Guide</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="ChangeNotes.html" title="Chapter 9. Important and Critical Change Notes for the Samba 3.x Series">Important and Critical Change Notes for the Samba 3.x Series</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li></ul></div><p> +</p><p><a href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>Jonathan Johnson <<a href="mailto:jon@sutinen.com" target="_top">jon@sutinen.com</a>></p></li></ul></div><p> +</p><p><a href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Guenther Deschner <<a href="mailto:gd@suse.de" target="_top">gd@suse.de</a>> (LDAP updates) </p></li><li><p>Olivier (lem) Lemaire <<a href="mailto:olem@IDEALX.org" target="_top">olem@IDEALX.org</a>></p></li></ul></div><p> +</p><p><a href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">Group Mapping: MS Windows and UNIX</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jean François Micouleau</p></li><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li></ul></div><p> +</p><p><a href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">Remote and Local Management: The Net Command</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Volker Lendecke <<a href="mailto:Volker.Lendecke@SerNet.DE" target="_top">Volker.Lendecke@SerNet.DE</a>></p></li><li><p>Guenther Deschner <<a href="mailto:gd@suse.de" target="_top">gd@suse.de</a>></p></li></ul></div><p> +</p><p><a href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)">Identity Mapping (IDMAP)</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="rights.html" title="Chapter 15. User Rights and Privileges">User Rights and Privileges</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">File, Directory, and Share Access Controls</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>> (drawing) </p></li></ul></div><p> +</p><p><a href="locking.html" title="Chapter 17. File and Record Locking">File and Record Locking</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Eric Roseme <<a href="mailto:eric.roseme@hp.com" target="_top">eric.roseme@hp.com</a>></p></li></ul></div><p> +</p><p><a href="securing-samba.html" title="Chapter 18. Securing Samba">Securing Samba</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="InterdomainTrusts.html" title="Chapter 19. Interdomain Trust Relationships">Interdomain Trust Relationships</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Rafal Szczesniak <<a href="mailto:mimir@samba.org" target="_top">mimir@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>> (drawing) </p></li><li><p>Stephen Langasek <<a href="mailto:vorlon@netexpress.net" target="_top">vorlon@netexpress.net</a>></p></li></ul></div><p> +</p><p><a href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree">Hosting a Microsoft Distributed File System Tree</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Shirish Kalele <<a href="mailto:samba@samba.org" target="_top">samba@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing Support</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>></p></li><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>></p></li><li><p>Ciprian Vizitiu <<a href="mailto:CVizitiu@gbif.org" target="_top">CVizitiu@gbif.org</a>> (drawings) </p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>> (drawings) </p></li></ul></div><p> +</p><p><a href="VFS.html" title="Chapter 23. Stackable VFS modules">Stackable VFS modules</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Tim Potter <<a href="mailto:tpot@samba.org" target="_top">tpot@samba.org</a>></p></li><li><p>Simo Sorce (original vfs_skel README) </p></li><li><p>Alexander Bokovoy (original vfs_netatalk docs) </p></li><li><p>Stefan Metzmacher (Update for multiple modules) </p></li><li><p>Ed Riddle (original shadow_copy docs) </p></li></ul></div><p> +</p><p><a href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Tim Potter <<a href="mailto:tpot@linuxcare.com.au" target="_top">tpot@linuxcare.com.au</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Naag Mummaneni <<a href="mailto:getnag@rediffmail.com" target="_top">getnag@rediffmail.com</a>> (Notes for Solaris) </p></li><li><p>John Trostel <<a href="mailto:jtrostel@snapserver.com" target="_top">jtrostel@snapserver.com</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management">Advanced Network Management</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account Policies</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management">Desktop Profile Management</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication">PAM-Based Distributed Authentication</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Stephen Langasek <<a href="mailto:vorlon@netexpress.net" target="_top">vorlon@netexpress.net</a>></p></li></ul></div><p> +</p><p><a href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba">Integrating MS Windows Networks with Samba</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="unicode.html" title="Chapter 30. Unicode/Charsets">Unicode/Charsets</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>TAKAHASHI Motonobu <<a href="mailto:monyo@home.monyo.com" target="_top">monyo@home.monyo.com</a>> (Japanese character support) </p></li></ul></div><p> +</p><p><a href="Backup.html" title="Chapter 31. Backup Techniques">Backup Techniques</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="SambaHA.html" title="Chapter 32. High Availability">High Availability</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li></ul></div><p> +</p><p><a href="largefile.html" title="Chapter 33. Handling Large Directories">Handling Large Directories</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="cfgsmarts.html" title="Chapter 34. Advanced Configuration Techniques">Advanced Configuration Techniques</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba">Updating and Upgrading Samba</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li></ul></div><p> +</p><p><a href="NT4Migration.html" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC">Migration from NT4 PDC to Samba-3 PDC</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool">SWAT: The Samba Web Administration Tool</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="diagnosis.html" title="Chapter 38. The Samba Checklist">The Samba Checklist</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>Dan Shearer <<a href="mailto:dan@samba.org" target="_top">dan@samba.org</a>></p></li></ul></div><p> +</p><p><a href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems">Analyzing and Solving Samba Problems</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Gerald (Jerry) Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>David Bannon <<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>></p></li><li><p>Dan Shearer <<a href="mailto:dan@samba.org" target="_top">dan@samba.org</a>></p></li></ul></div><p> +</p><p><a href="bugreport.html" title="Chapter 40. Reporting Bugs">Reporting Bugs</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li></ul></div><p> +</p><p><a href="compiling.html" title="Chapter 41. How to Compile Samba">How to Compile Samba</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li></ul></div><p> +</p><p><a href="Portability.html" title="Chapter 42. Portability">Portability</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="Other-Clients.html" title="Chapter 43. Samba and Other CIFS Clients">Samba and Other CIFS Clients</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Dan Shearer <<a href="mailto:dan@samba.org" target="_top">dan@samba.org</a>></p></li><li><p>Jim McDonough <<a href="mailto:jmcd@us.ibm.com" target="_top">jmcd@us.ibm.com</a>> (OS/2) </p></li></ul></div><p> +</p><p><a href="speed.html" title="Chapter 44. Samba Performance Tuning">Samba Performance Tuning</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Paul Cochrane <<a href="mailto:paulc@dth.scot.nhs.uk" target="_top">paulc@dth.scot.nhs.uk</a>></p></li><li><p>Jelmer R. Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p><p><a href="ch-ldap-tls.html" title="Chapter 45. LDAP and Transport Layer Security">LDAP and Transport Layer Security</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Gavin Henry <<a href="mailto:ghenry@suretecsystems.com" target="_top">ghenry@suretecsystems.com</a>></p></li></ul></div><p> +</p><p><a href="DNSDHCP.html" title="Chapter 47. DNS and DHCP Configuration Guide">DNS and DHCP Configuration Guide</a> + </p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div><p> +</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">About the Cover Artwork </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Foreword</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/pr03.html b/docs/htmldocs/Samba3-HOWTO/pr03.html new file mode 100644 index 0000000000..2eaa67ef6b --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/pr03.html @@ -0,0 +1,54 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Foreword</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="pr02.html" title="Attribution"><link rel="next" href="TOSHpreface.html" title="Preface"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Foreword</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="TOSHpreface.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id324824"></a>Foreword</h2></div></div></div><p> +When John first asked me to write an introductory piece for his latest book, I was somewhat mystified as to +why he chose me. A conversation with John provided some of the rationale, and he left it to me to fill in the +<span class="emphasis"><em>rest</em></span> of the story. So, if you are willing to endure a little bit of background, I will +provide the part of the story that John wouldn't provide. +</p><p> +I am the Director of Corporate Standards at Sun Microsystems, and manage Sun's standards portfolio. Before +that, I was the Director of Standards at Netscape, which was when I met John. Before Sun, there was Digital +Equipment Corporation, also standards. I've written several books on standards, and tend to observe (and +occasionally help) the technical and business trends that drive standardization as a discipline. I tend to see +standardization as a management tool, not as a technical discipline and this is part of the rationale that +John provided. +</p><p> +The book that you have before you focuses on a particular standardized way of doing something hence, it is a +book about a standard. The most important thing to keep in mind about a standard is the rationale for its +creation. Standards are created not for technical reasons, not for business reasons, but for a deeper and much +more compelling reason. Standards are created and used to allow people to communicate in a meaningful way. +Every standard, if it is a true standard, has as its entire (and only) goal set the increasing of relevant +communication between people. +</p><p> +This primary goal cannot be met however, unless the standard is documented. I have been involved in too many +standardization efforts when it became apparent that <span class="emphasis"><em>everybody knows</em></span> was the dominant +emotion of those providing documentation. <span class="emphasis"><em>They</em></span> of the ever present <span class="emphasis"><em>they +say</em></span> and <span class="emphasis"><em>they know</em></span> are the bane of good standards. If <span class="emphasis"><em>they +know</em></span>, why are you doing a standard? +</p><p> +A <span class="emphasis"><em>good standard</em></span> survives because people know how to use it. People know how to use a +standard when it is so transparent, so obvious, and so easy that it become invisible. And a standard becomes +invisible only when the documentation describing how to deploy it is clear, unambiguous, and correct. These +three elements must be present for a standard to be useful, allowing communication and interaction between two +separate and distinct entities to occur without obvious effort. As you read this book, look for the evidence +of these three characteristics and notice how they are seamlessly woven into John's text. Clarity and +unambiguity without <span class="emphasis"><em>correctness</em></span> provide a technical nightmare. Correctness and clarity +with ambiguity create <span class="emphasis"><em>maybe bits,</em></span> and correctness and unambiguity without clarity provide +a <span class="emphasis"><em>muddle through</em></span> scenario. +</p><p> +And this is <span class="emphasis"><em>the rest of the story</em></span> that John couldn't (or wouldn't) bring himself to +state. This book provides a clear, concise, unambiguous, and technically valid presentation of Samba to make +it useful to a user to someone who wants to use the standard to increase communication and the capability +for communication between two or more entities whether person-machine, machine-machine, or person-person. +The intent of this book is not to convince anyone of any agenda political, technical, or social. The intent +is to provide documentation for users who need to know about Samba, how to use it, and how to get on with +their primary responsibilities. While there is pride on John's part because of the tremendous success of +the Samba documentation, he writes for the person who needs a tool to accomplish a particular job, and who has +selected Samba to be that tool. +</p><p> +The book is a monument to John's perseverance and dedication to Samba and in my opinion to the goal of +standardization. By writing this book, John has provided the users of Samba those that want to deploy it to +make things better a clear, easy, and ultimately valuable resource. Additionally, he has increased the +understanding and utility of a highly useful standard, and for this, as much as for the documentation, he is +owed a debt of gratitude by those of us who rely on standards to make our lives more manageable. +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Carl Cargill, Senior Director</td></tr><tr><td>Corporate Standardization, The Office of the CTO</td></tr><tr><td>Sun Microsystems</td></tr></table><p> +</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="TOSHpreface.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Attribution </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Preface</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/problems.html b/docs/htmldocs/Samba3-HOWTO/problems.html new file mode 100644 index 0000000000..f8e4d44e2f --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/problems.html @@ -0,0 +1,174 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 39. Analyzing and Solving Samba Problems</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="prev" href="diagnosis.html" title="Chapter 38. The Samba Checklist"><link rel="next" href="bugreport.html" title="Chapter 40. Reporting Bugs"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 39. Analyzing and Solving Samba Problems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="problems"></a>Chapter 39. Analyzing and Solving Samba Problems</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">8 Apr 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="problems.html#id448088">Diagnostics Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="problems.html#id448137">Debugging with Samba Itself</a></span></dt><dt><span class="sect2"><a href="problems.html#id448378">Tcpdump</a></span></dt><dt><span class="sect2"><a href="problems.html#id448426">Ethereal</a></span></dt><dt><span class="sect2"><a href="problems.html#id448565">The Windows Network Monitor</a></span></dt></dl></dd><dt><span class="sect1"><a href="problems.html#id448871">Useful URLs</a></span></dt><dt><span class="sect1"><a href="problems.html#id448906">Getting Mailing List Help</a></span></dt><dt><span class="sect1"><a href="problems.html#id449061">How to Get Off the Mailing Lists</a></span></dt></dl></div><p> +<a class="indexterm" name="id448065"></a> +<a class="indexterm" name="id448072"></a> +<a class="indexterm" name="id448079"></a> +There are many sources of information available in the form of mailing lists, RFCs, and documentation. The +documentation that comes with the Samba distribution contains good explanations of general SMB topics such as +browsing. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id448088"></a>Diagnostics Tools</h2></div></div></div><p> +<a class="indexterm" name="id448096"></a> +<a class="indexterm" name="id448103"></a> +<a class="indexterm" name="id448110"></a> +<a class="indexterm" name="id448116"></a> +<a class="indexterm" name="id448123"></a> +With SMB networking, it is often not immediately clear what the cause is of a certain problem. Samba itself +provides rather useful information, but in some cases you might have to fall back to using a +<span class="emphasis"><em>sniffer</em></span>. A sniffer is a program that listens on your LAN, analyzes the data sent on it, +and displays it on the screen. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id448137"></a>Debugging with Samba Itself</h3></div></div></div><p> +<a class="indexterm" name="id448145"></a> +<a class="indexterm" name="id448152"></a> +<a class="indexterm" name="id448159"></a> +<a class="indexterm" name="id448166"></a> +<a class="indexterm" name="id448172"></a> +<a class="indexterm" name="id448179"></a> +<a class="indexterm" name="id448186"></a> +One of the best diagnostic tools for debugging problems is Samba itself. You can use the <code class="option">-d +option</code> for both <span class="application">smbd</span> and <span class="application">nmbd</span> to specify the <a class="indexterm" name="id448210"></a>debug level at which to run. +See the man pages for <code class="literal">smbd, nmbd</code>, and <code class="filename">smb.conf</code> for more information regarding debugging +options. The debug level (log level) can range from 1 (the default) to 10 (100 for debugging passwords). +</p><p> +<a class="indexterm" name="id448233"></a> +<a class="indexterm" name="id448240"></a> +<a class="indexterm" name="id448246"></a> +<a class="indexterm" name="id448253"></a> +<a class="indexterm" name="id448260"></a> +<a class="indexterm" name="id448267"></a> +<a class="indexterm" name="id448274"></a> +Another helpful method of debugging is to compile Samba using the <code class="literal">gcc -g </code> flag. This will +include debug information in the binaries and allow you to attach <code class="literal">gdb</code> to the running +<code class="literal">smbd/nmbd</code> process. To attach <code class="literal">gdb</code> to an <code class="literal">smbd</code> process +for an NT workstation, first get the workstation to make the connection. Pressing ctrl-alt-delete and going +down to the domain box is sufficient (at least, the first time you join the domain) to generate a +<em class="parameter"><code>LsaEnumTrustedDomains</code></em>. Thereafter, the workstation maintains an open connection and +there will be an smbd process running (assuming that you haven't set a really short smbd idle timeout). So, in +between pressing <code class="literal">ctrl-alt-delete</code> and actually typing in your password, you can attach +<code class="literal">gdb</code> and continue. +</p><p> +Some useful Samba commands worth investigating are: +<a class="indexterm" name="id448336"></a> +<a class="indexterm" name="id448343"></a> +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>testparm | more</code></strong> +<code class="prompt">$ </code><strong class="userinput"><code>smbclient -L //{netbios name of server}</code></strong> +</pre><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id448378"></a>Tcpdump</h3></div></div></div><p> +<a class="indexterm" name="id448385"></a> +<a class="indexterm" name="id448392"></a> +<a class="indexterm" name="id448399"></a> +<a href="http://www.tcpdump.org/" target="_top">Tcpdump</a> was the first +UNIX sniffer with SMB support. It is a command-line utility and +now, its SMB support is somewhat lagging that of <code class="literal">ethereal</code> +and <code class="literal">tethereal</code>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id448426"></a>Ethereal</h3></div></div></div><p> +<a class="indexterm" name="id448434"></a> +<a href="http://www.ethereal.com/" target="_top">Ethereal</a> is a graphical sniffer, available for both UNIX (Gtk) +and Windows. Ethereal's SMB support is quite good. For details on the use of <code class="literal">ethereal</code>, read +the well-written Ethereal User Guide. +</p><div class="figure"><a name="ethereal1"></a><p class="title"><b>Figure 39.1. Starting a Capture.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ethereal1.png" alt="Starting a Capture."></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="id448495"></a> +Listen for data on ports 137, 138, 139, and 445. For example, use the filter <strong class="userinput"><code>port 137, port 138, +port 139, or port 445</code></strong> as seen in <a href="problems.html#ethereal1" title="Figure 39.1. Starting a Capture.">Starting a Capture</a> snapshot. +</p><p> +A console version of ethereal is available as well and is called <code class="literal">tethereal</code>. +</p><div class="figure"><a name="ethereal2"></a><p class="title"><b>Figure 39.2. Main Ethereal Data Window.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ethereal2.png" alt="Main Ethereal Data Window."></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id448565"></a>The Windows Network Monitor</h3></div></div></div><p> +<a class="indexterm" name="id448573"></a> +<a class="indexterm" name="id448580"></a> +<a class="indexterm" name="id448587"></a> +<a class="indexterm" name="id448594"></a> +<a class="indexterm" name="id448601"></a> +<a class="indexterm" name="id448607"></a> +For tracing things on Microsoft Windows NT, Network Monitor (aka Netmon) is available on Microsoft Developer +Network CDs, the Windows NT Server install CD, and the SMS CDs. The version of Netmon that ships with SMS +allows for dumping packets between any two computers (i.e., placing the network interface in promiscuous +mode). The version on the NT Server install CD will only allow monitoring of network traffic directed to the +local NT box and broadcasts on the local subnet. Be aware that Ethereal can read and write Netmon formatted +files. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id448620"></a>Installing Network Monitor on an NT Workstation</h4></div></div></div><p> +<a class="indexterm" name="id448628"></a> +Installing Netmon on an NT workstation requires a couple of steps. The following are instructions for +installing Netmon V4.00.349, which comes with Microsoft Windows NT Server 4.0, on Microsoft Windows NT +Workstation 4.0. The process should be similar for other versions of Windows NT version of Netmon. You will +need both the Microsoft Windows NT Server 4.0 Install CD and the Workstation 4.0 Install CD. +</p><p> +<a class="indexterm" name="id448641"></a> +Initially you will need to install <span class="application">Network Monitor Tools and Agent</span> +on the NT Server to do this: +</p><div class="itemizedlist"><ul type="disc"><li><p>Go to <span class="guibutton">Start</span> -> <span class="guibutton">Settings</span> -> <span class="guibutton">Control Panel</span> -> + <span class="guibutton">Network</span> -> <span class="guibutton">Services</span> -> <span class="guibutton">Add</span>.</p></li><li><p>Select the <span class="guilabel">Network Monitor Tools and Agent</span> and click on <span class="guibutton">OK</span>.</p></li><li><p>Click on <span class="guibutton">OK</span> on the Network Control Panel.</p></li><li><p>Insert the Windows NT Server 4.0 install CD when prompted.</p></li></ul></div><p> +At this point, the Netmon files should exist in <code class="filename">%SYSTEMROOT%\System32\netmon\*.*</code>. +Two subdirectories exist as well: <code class="filename">parsers\</code>, which contains the necessary DLLs +for parsing the Netmon packet dump, and <code class="filename">captures\</code>. +</p><p> +To install the Netmon tools on an NT Workstation, you will first need to install the +Network Monitor Agent from the Workstation install CD. +</p><div class="itemizedlist"><ul type="disc"><li><p>Go to <span class="guibutton">Start</span> -> <span class="guibutton">Settings</span> -> + <span class="guibutton">Control Panel</span> -> <span class="guibutton">Network</span> -> + <span class="guibutton">Services</span> -> <span class="guibutton">Add</span>.</p></li><li><p>Select the <span class="guilabel">Network Monitor Agent</span>, click on + <span class="guibutton">OK</span>.</p></li><li><p>Click on <span class="guibutton">OK</span> in the Network Control Panel. + </p></li><li><p>Insert the Windows NT Workstation 4.0 install CD when prompted.</p></li></ul></div><p> +Now copy the files from the NT Server in <code class="filename">%SYSTEMROOT%\System32\netmon</code> +to <code class="filename">%SYSTEMROOT%\System32\netmon</code> on the workstation and set permissions +as you deem appropriate for your site. You will need administrative rights on the NT box to run Netmon. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id448851"></a>Installing Network Monitor on Windows 9x/Me</h4></div></div></div><p> +To install Netmon on Windows 9x/Me, install the Network Monitor Agent +from the Windows 9x/Me CD (<code class="filename">\admin\nettools\netmon</code>). +There is a readme file included with the Netmon driver files on the CD if you need +information on how to do this. Copy the files from a working Netmon installation. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id448871"></a>Useful URLs</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>See how Scott Merrill simulates a BDC behavior at + <a href="http://www.skippy.net/linux/smb-howto.html" target="_top"> + http://www.skippy.net/linux/smb-howto.html</a>. </p></li><li><p>FTP site for older SMB specs, + <a href="ftp://ftp.microsoft.com/developr/drg/CIFS/" target="_top"> + ftp://ftp.microsoft.com/developr/drg/CIFS/</a></p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id448906"></a>Getting Mailing List Help</h2></div></div></div><p> +There are a number of Samba-related mailing lists. Go to <a href="http://samba.org" target="_top">http://samba.org</a>, click on your nearest mirror, +and then click on <code class="literal">Support</code>. Next, click on <code class="literal"> +Samba-related mailing lists</code>. +</p><p> +For questions relating to Samba TNG, go to +<a href="http://www.samba-tng.org/" target="_top">http://www.samba-tng.org/</a>. +It has been requested that you do not post questions about Samba-TNG to the +mainstream Samba lists.</p><p> +If you do post a message to one of the lists, please observe the following guidelines: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id448958"></a> + Always remember that the developers are volunteers; they are + not paid and they never guarantee to produce a particular feature at + a particular time. Any timelines are “<span class="quote">best guess,</span>” and nothing more. + </p></li><li><p> +<a class="indexterm" name="id448974"></a> + Always mention what version of Samba you are using and what + operating system it's running under. You should list the relevant sections of + your <code class="filename">smb.conf</code> file, at least the options in <em class="parameter"><code>[global]</code></em> + that affect PDC support. + </p></li><li><p>In addition to the version, if you obtained Samba via + CVS, mention the date when you last checked it out.</p></li><li><p> Try to make your questions clear and brief. Lots of long, + convoluted questions get deleted before they are completely read! + Do not post HTML-encoded messages. Most people on mailing lists simply delete + them. + </p></li><li><p> If you run one of those nifty “<span class="quote">I'm on holiday</span>” things when + you are away, make sure its configured to not answer mailing list traffic. Autoresponses + to mailing lists really irritate the thousands of people who end up having to deal + with such bad netiquet bahavior. + </p></li><li><p> +<a class="indexterm" name="id449020"></a> + Don't cross post. Work out which is the best list to post to + and see what happens. Do not post to both samba-ntdom and samba-technical. + Many people active on the lists subscribe to more + than one list and get annoyed to see the same message two or more times. + Often someone who thinks a message would be better dealt + with on another list will forward it on for you.</p></li><li><p>You might include <span class="emphasis"><em>partial</em></span> + log files written at a log level set to as much as 20. + Please do not send the entire log but just enough to give the context of the + error messages.</p></li><li><p>If you have a complete Netmon trace (from the opening of + the pipe to the error), you can send the *.CAP file as well.</p></li><li><p>Please think carefully before attaching a document to an email. + Consider pasting the relevant parts into the body of the message. The Samba + mailing lists go to a huge number of people. Do they all need a copy of your + <code class="filename">smb.conf</code> in their attach directory?</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449061"></a>How to Get Off the Mailing Lists</h2></div></div></div><p>To have your name removed from a Samba mailing list, go to the same +place where you went to +subscribe to it, go to <a href="http://lists.samba.org/" target="_top">http://lists.samba.org</a>, +click on your nearest mirror, click on <code class="literal">Support</code>, and +then click on <code class="literal">Samba-related mailing lists</code>. +</p><p> +Please do not post messages to the list asking to be removed. You will only +be referred to the above address (unless that process failed in some way). +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 38. The Samba Checklist </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 40. Reporting Bugs</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/rights.html b/docs/htmldocs/Samba3-HOWTO/rights.html new file mode 100644 index 0000000000..fb3bbceb5a --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/rights.html @@ -0,0 +1,413 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. User Rights and Privileges</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"><link rel="next" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. User Rights and Privileges</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="idmapper.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="rights"></a>Chapter 15. User Rights and Privileges</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="rights.html#id378765">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id379021">Using the “<span class="quote">net rpc rights</span>” Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id379339">Description of Privileges</a></span></dt><dt><span class="sect2"><a href="rights.html#id379625">Privileges Suppored by Windows 2000 Domain Controllers</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id380042">The Administrator Domain SID</a></span></dt><dt><span class="sect1"><a href="rights.html#id380207">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id380212">What Rights and Privileges Will Permit Windows Client Administration?</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="id378508"></a> +<a class="indexterm" name="id378514"></a> +<a class="indexterm" name="id378521"></a> +<a class="indexterm" name="id378528"></a> +The administration of Windows user, group, and machine accounts in the Samba +domain-controlled network necessitates interfacing between the MS Windows +networking environment and the UNIX operating system environment. The right +(permission) to add machines to the Windows security domain can be assigned +(set) to non-administrative users both in Windows NT4 domains and +Active Directory domains. +</p><p> +<a class="indexterm" name="id378541"></a> +<a class="indexterm" name="id378548"></a> +<a class="indexterm" name="id378555"></a> +<a class="indexterm" name="id378562"></a> +The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the +creation of a machine account for each machine added. The machine account is +a necessity that is used to validate that the machine can be trusted to permit +user logons. +</p><p> +<a class="indexterm" name="id378574"></a> +<a class="indexterm" name="id378581"></a> +<a class="indexterm" name="id378587"></a> +<a class="indexterm" name="id378594"></a> +<a class="indexterm" name="id378601"></a> +<a class="indexterm" name="id378608"></a> +Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is +hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account. +Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a +<code class="literal">$</code> sign. An additional difference is that this type of account should not ever be able to +log into the UNIX environment as a system user and therefore is set to have a shell of +<code class="literal">/bin/false</code> and a home directory of <code class="literal">/dev/null.</code> The machine +account is used only to authenticate domain member machines during start-up. This security measure +is designed to block man-in-the-middle attempts to violate network integrity. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id378642"></a> +<a class="indexterm" name="id378649"></a> +<a class="indexterm" name="id378656"></a> +<a class="indexterm" name="id378663"></a> +<a class="indexterm" name="id378670"></a> +Machine (computer) accounts are used in the Windows NT OS family to store security +credentials for domain member servers and workstations. When the domain member +starts up, it goes through a validation process that includes an exchange of +credentials with a domain controller. If the domain member fails to authenticate +using the credentials known for it by domain controllers, the machine will be refused +all access by domain users. The computer account is essential to the way that MS +Windows secures authentication. +</p></div><p> +<a class="indexterm" name="id378684"></a> +<a class="indexterm" name="id378691"></a> +<a class="indexterm" name="id378698"></a> +<a class="indexterm" name="id378704"></a> +The creation of UNIX system accounts has traditionally been the sole right of +the system administrator, better known as the <code class="constant">root</code> account. +It is possible in the UNIX environment to create multiple users who have the +same UID. Any UNIX user who has a UID=0 is inherently the same as the +<code class="constant">root</code> account user. +</p><p> +<a class="indexterm" name="id378724"></a> +<a class="indexterm" name="id378731"></a> +<a class="indexterm" name="id378738"></a> +<a class="indexterm" name="id378745"></a> +All versions of Samba call system interface scripts that permit CIFS function +calls that are used to manage users, groups, and machine accounts +in the UNIX environment. All versions of Samba up to and including version 3.0.10 +required the use of a Windows administrator account that unambiguously maps to +the UNIX <code class="constant">root</code> account to permit the execution of these +interface scripts. The requirement to do this has understandably met with some +disdain and consternation among Samba administrators, particularly where it became +necessary to permit people who should not possess <code class="constant">root</code>-level +access to the UNIX host system. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id378765"></a>Rights Management Capabilities</h2></div></div></div><p> +<a class="indexterm" name="id378773"></a> +<a class="indexterm" name="id378780"></a> +<a class="indexterm" name="id378786"></a> +<a class="indexterm" name="id378793"></a> +Samba 3.0.11 introduced support for the Windows privilege model. This model +allows certain rights to be assigned to a user or group SID. In order to enable +this feature, <a class="indexterm" name="id378801"></a>enable privileges = yes +must be defined in the <em class="parameter"><code>global</code></em> section of the <code class="filename">smb.conf</code> file. +</p><p> +<a class="indexterm" name="id378824"></a> +<a class="indexterm" name="id378831"></a> +<a class="indexterm" name="id378837"></a> +Currently, the rights supported in Samba-3 are listed in <a href="rights.html#rp-privs" title="Table 15.1. Current Privilege Capabilities">???</a>. +The remainder of this chapter explains how to manage and use these privileges on Samba servers. +</p><a class="indexterm" name="id378853"></a><a class="indexterm" name="id378860"></a><a class="indexterm" name="id378867"></a><a class="indexterm" name="id378873"></a><a class="indexterm" name="id378880"></a><a class="indexterm" name="id378887"></a><div class="table"><a name="rp-privs"></a><p class="title"><b>Table 15.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="right"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="right"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="right"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="right"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="right"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="right"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr><tr><td align="right"><p>SeTakeOwnershipPrivilege</p></td><td align="left"><p>Take ownership of files or other objects</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id379021"></a>Using the “<span class="quote">net rpc rights</span>” Utility</h3></div></div></div><p> +<a class="indexterm" name="id379033"></a> +<a class="indexterm" name="id379040"></a> +<a class="indexterm" name="id379046"></a> +<a class="indexterm" name="id379053"></a> +<a class="indexterm" name="id379060"></a> +There are two primary means of managing the rights assigned to users and groups +on a Samba server. The <code class="literal">NT4 User Manager for Domains</code> may be +used from any Windows NT4, 2000, or XP Professional domain member client to +connect to a Samba domain controller and view/modify the rights assignments. +This application, however, appears to have bugs when run on a client running +Windows 2000 or later; therefore, Samba provides a command-line utility for +performing the necessary administrative actions. +</p><p> +The <code class="literal">net rpc rights</code> utility in Samba 3.0.11 has three new subcommands: +</p><div class="variablelist"><dl><dt><span class="term">list [name|accounts]</span></dt><dd><p> +<a class="indexterm" name="id379098"></a> +<a class="indexterm" name="id379109"></a> +<a class="indexterm" name="id379116"></a> +<a class="indexterm" name="id379122"></a> + When called with no arguments, <code class="literal">net rpc list</code> + simply lists the available rights on the server. When passed + a specific user or group name, the tool lists the privileges + currently assigned to the specified account. When invoked using + the special string <code class="constant">accounts</code>, + <code class="literal">net rpc rights list</code> returns a list of all + privileged accounts on the server and the assigned rights. + </p></dd><dt><span class="term">grant <user> <right [right ...]></span></dt><dd><p> +<a class="indexterm" name="id379158"></a> +<a class="indexterm" name="id379165"></a> +<a class="indexterm" name="id379172"></a> +<a class="indexterm" name="id379178"></a> + When called with no arguments, this function is used to assign + a list of rights to a specified user or group. For example, + to grant the members of the Domain Admins group on a Samba domain controller, + the capability to add client machines to the domain, one would run: +</p><pre class="screen"> +<code class="prompt">root# </code> net -S server -U domadmin rpc rights grant \ + 'DOMAIN\Domain Admins' SeMachineAccountPrivilege +</pre><p> + The following syntax has the same result: +<a class="indexterm" name="id379200"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc rights grant 'DOMAIN\Domain Admins' \ + SeMachineAccountPrivilege -S server -U domadmin +</pre><p> + More than one privilege can be assigned by specifying a + list of rights separated by spaces. The parameter 'Domain\Domain Admins' + must be quoted with single ticks or using double-quotes to prevent + the backslash and the space from being interpreted by the system shell. + </p></dd><dt><span class="term">revoke <user> <right [right ...]></span></dt><dd><p> + This command is similar in format to <code class="literal">net rpc rights grant</code>. Its + effect is to remove an assigned right (or list of rights) from a user or group. + </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id379250"></a> +<a class="indexterm" name="id379256"></a> +<a class="indexterm" name="id379263"></a> +You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned +to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no +default rights and privileges, except the ability for a member of the Domain Admins group to assign them. +This means that all administrative rights and privileges (other than the ability to assign them) must be +explicitly assigned, even for the Domain Admins group. +</p></div><p> +<a class="indexterm" name="id379278"></a> +<a class="indexterm" name="id379284"></a> +<a class="indexterm" name="id379291"></a> +<a class="indexterm" name="id379298"></a> +By default, no privileges are initially assigned to any account because certain actions will be performed as +root once smbd determines that a user has the necessary rights. For example, when joining a client to a +Windows domain, <em class="parameter"><code>add machine script</code></em> must be executed with superuser rights in most +cases. For this reason, you should be very careful about handing out privileges to accounts. +</p><p> +<a class="indexterm" name="id379316"></a> +<a class="indexterm" name="id379322"></a> +<a class="indexterm" name="id379329"></a> +Access as the root user (UID=0) bypasses all privilege checks. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id379339"></a>Description of Privileges</h3></div></div></div><p> +<a class="indexterm" name="id379347"></a> +<a class="indexterm" name="id379354"></a> +<a class="indexterm" name="id379360"></a> +The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that +additional privileges may be implemented in later releases of Samba. It is also likely that any privileges +currently implemented but not used may be removed from future releases as a housekeeping matter, so it is +important that the successful as well as unsuccessful use of these facilities should be reported on the Samba +mailing lists. +</p><div class="variablelist"><dl><dt><span class="term">SeAddUsersPrivilege</span></dt><dd><p> +<a class="indexterm" name="id379382"></a> +<a class="indexterm" name="id379389"></a> +<a class="indexterm" name="id379396"></a> + This right determines whether or not smbd will allow the + user to create new user or group accounts via such tools + as <code class="literal">net rpc user add</code> or + <code class="literal">NT4 User Manager for Domains.</code> + </p></dd><dt><span class="term">SeDiskOperatorPrivilege</span></dt><dd><p> +<a class="indexterm" name="id379425"></a> +<a class="indexterm" name="id379432"></a> +<a class="indexterm" name="id379439"></a> + Accounts that possess this right will be able to execute + scripts defined by the <code class="literal">add/delete/change</code> + share command in <code class="filename">smb.conf</code> file as root. Such users will + also be able to modify the ACL associated with file shares + on the Samba server. + </p></dd><dt><span class="term">SeMachineAccountPrivilege</span></dt><dd><p> +<a class="indexterm" name="id379469"></a> +<a class="indexterm" name="id379476"></a> +<a class="indexterm" name="id379483"></a> + This right controls whether or not the user can join client + machines to a Samba-controlled domain. + </p></dd><dt><span class="term">SePrintOperatorPrivilege</span></dt><dd><p> +<a class="indexterm" name="id379501"></a> +<a class="indexterm" name="id379508"></a> +<a class="indexterm" name="id379514"></a> +<a class="indexterm" name="id379521"></a> +<a class="indexterm" name="id379528"></a> + This privilege operates identically to the <a class="indexterm" name="id379535"></a>printer admin + option in the <code class="filename">smb.conf</code> file (see section 5 man page for <code class="filename">smb.conf</code>) + except that it is a global right (not on a per-printer basis). + Eventually the smb.conf option will be deprecated and administrative + rights to printers will be controlled exclusively by this right and + the security descriptor associated with the printer object in the + <code class="filename">ntprinters.tdb</code> file. + </p></dd><dt><span class="term">SeRemoteShutdownPrivilege</span></dt><dd><p> +<a class="indexterm" name="id379573"></a> +<a class="indexterm" name="id379580"></a> +<a class="indexterm" name="id379586"></a> + Samba provides two hooks for shutting down or rebooting + the server and for aborting a previously issued shutdown + command. Since this is an operation normally limited by + the operating system to the root user, an account must possess this + right to be able to execute either of these hooks. + </p></dd><dt><span class="term">SeTakeOwnershipPrivilege</span></dt><dd><p> +<a class="indexterm" name="id379606"></a> +<a class="indexterm" name="id379613"></a> + This right permits users to take ownership of files and directories. + </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id379625"></a>Privileges Suppored by Windows 2000 Domain Controllers</h3></div></div></div><p> + For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following + privileges: +<a class="indexterm" name="id379634"></a> +<a class="indexterm" name="id379641"></a> +<a class="indexterm" name="id379648"></a> +<a class="indexterm" name="id379654"></a> +<a class="indexterm" name="id379661"></a> +<a class="indexterm" name="id379668"></a> +<a class="indexterm" name="id379675"></a> +<a class="indexterm" name="id379682"></a> +<a class="indexterm" name="id379689"></a> +<a class="indexterm" name="id379696"></a> +<a class="indexterm" name="id379702"></a> +<a class="indexterm" name="id379709"></a> +<a class="indexterm" name="id379716"></a> +<a class="indexterm" name="id379723"></a> +<a class="indexterm" name="id379730"></a> +<a class="indexterm" name="id379737"></a> +<a class="indexterm" name="id379744"></a> +<a class="indexterm" name="id379751"></a> +<a class="indexterm" name="id379757"></a> +<a class="indexterm" name="id379764"></a> +<a class="indexterm" name="id379771"></a> +<a class="indexterm" name="id379778"></a> +<a class="indexterm" name="id379785"></a> +</p><pre class="screen"> + SeCreateTokenPrivilege Create a token object + SeAssignPrimaryTokenPrivilege Replace a process level token + SeLockMemoryPrivilege Lock pages in memory + SeIncreaseQuotaPrivilege Increase quotas + SeMachineAccountPrivilege Add workstations to domain + SeTcbPrivilege Act as part of the operating system + SeSecurityPrivilege Manage auditing and security log + SeTakeOwnershipPrivilege Take ownership of files or other objects + SeLoadDriverPrivilege Load and unload device drivers + SeSystemProfilePrivilege Profile system performance + SeSystemtimePrivilege Change the system time +SeProfileSingleProcessPrivilege Profile single process +SeIncreaseBasePriorityPrivilege Increase scheduling priority + SeCreatePagefilePrivilege Create a pagefile + SeCreatePermanentPrivilege Create permanent shared objects + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeShutdownPrivilege Shut down the system + SeDebugPrivilege Debug programs + SeAuditPrivilege Generate security audits + SeSystemEnvironmentPrivilege Modify firmware environment values + SeChangeNotifyPrivilege Bypass traverse checking + SeRemoteShutdownPrivilege Force shutdown from a remote system +</pre><p> + And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges: +<a class="indexterm" name="id379810"></a> +<a class="indexterm" name="id379817"></a> +<a class="indexterm" name="id379824"></a> +<a class="indexterm" name="id379830"></a> +<a class="indexterm" name="id379837"></a> +<a class="indexterm" name="id379844"></a> +<a class="indexterm" name="id379851"></a> +<a class="indexterm" name="id379858"></a> +<a class="indexterm" name="id379865"></a> +<a class="indexterm" name="id379872"></a> +<a class="indexterm" name="id379878"></a> +<a class="indexterm" name="id379885"></a> +<a class="indexterm" name="id379892"></a> +<a class="indexterm" name="id379899"></a> +<a class="indexterm" name="id379906"></a> +<a class="indexterm" name="id379913"></a> +<a class="indexterm" name="id379920"></a> +<a class="indexterm" name="id379927"></a> +<a class="indexterm" name="id379933"></a> +<a class="indexterm" name="id379940"></a> +<a class="indexterm" name="id379947"></a> +<a class="indexterm" name="id379954"></a> +<a class="indexterm" name="id379961"></a> +<a class="indexterm" name="id379968"></a> +<a class="indexterm" name="id379974"></a> +<a class="indexterm" name="id379981"></a> +<a class="indexterm" name="id379988"></a> +<a class="indexterm" name="id379995"></a> +<a class="indexterm" name="id380002"></a> +</p><pre class="screen"> + SeCreateTokenPrivilege Create a token object + SeAssignPrimaryTokenPrivilege Replace a process level token + SeLockMemoryPrivilege Lock pages in memory + SeIncreaseQuotaPrivilege Increase quotas + SeMachineAccountPrivilege Add workstations to domain + SeTcbPrivilege Act as part of the operating system + SeSecurityPrivilege Manage auditing and security log + SeTakeOwnershipPrivilege Take ownership of files or other objects + SeLoadDriverPrivilege Load and unload device drivers + SeSystemProfilePrivilege Profile system performance + SeSystemtimePrivilege Change the system time +SeProfileSingleProcessPrivilege Profile single process +SeIncreaseBasePriorityPrivilege Increase scheduling priority + SeCreatePagefilePrivilege Create a pagefile + SeCreatePermanentPrivilege Create permanent shared objects + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeShutdownPrivilege Shut down the system + SeDebugPrivilege Debug programs + SeAuditPrivilege Generate security audits + SeSystemEnvironmentPrivilege Modify firmware environment values + SeChangeNotifyPrivilege Bypass traverse checking + SeRemoteShutdownPrivilege Force shutdown from a remote system + SeUndockPrivilege Remove computer from docking station + SeSyncAgentPrivilege Synchronize directory service data + SeEnableDelegationPrivilege Enable computer and user accounts to + be trusted for delegation + SeManageVolumePrivilege Perform volume maintenance tasks + SeImpersonatePrivilege Impersonate a client after authentication + SeCreateGlobalPrivilege Create global objects +</pre><p> +<a class="indexterm" name="id380030"></a> + The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux + environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380042"></a>The Administrator Domain SID</h2></div></div></div><p> +<a class="indexterm" name="id380049"></a> +<a class="indexterm" name="id380056"></a> +<a class="indexterm" name="id380063"></a> +<a class="indexterm" name="id380070"></a> +<a class="indexterm" name="id380076"></a> +Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions +commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges +(see <a href="rights.html" title="Chapter 15. User Rights and Privileges">User Rights and Privileges</a>). An account in the server's passdb backend can +be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain +controller, run the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net getlocalsid +SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299 +</pre><p> +<a class="indexterm" name="id380106"></a> +You may assign the domain administrator RID to an account using the <code class="literal">pdbedit</code> +command as shown here: +<a class="indexterm" name="id380119"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r +</pre><p> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id380142"></a> +<a class="indexterm" name="id380149"></a> +<a class="indexterm" name="id380156"></a> +<a class="indexterm" name="id380163"></a> +The RID 500 is the well known standard value of the default Administrator account. It is the RID +that confers the rights and privileges that the Administrator account has on a Windows machine +or domain. Under UNIX/Linux the equivalent is UID=0 (the root account). +</p></div><p> +<a class="indexterm" name="id380175"></a> +<a class="indexterm" name="id380182"></a> +<a class="indexterm" name="id380189"></a> +<a class="indexterm" name="id380196"></a> +Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account +provided equivalent rights and privileges have been established for a Windows user or a Windows +group account. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380207"></a>Common Errors</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id380212"></a>What Rights and Privileges Will Permit Windows Client Administration?</h3></div></div></div><p> +<a class="indexterm" name="id380220"></a> +<a class="indexterm" name="id380227"></a> +<a class="indexterm" name="id380234"></a> +<a class="indexterm" name="id380241"></a> + When a Windows NT4 (or later) client joins a domain, the domain global <code class="literal">Domain Admins</code> group + is added to the membership of the local <code class="literal">Administrators</code> group on the client. Any user who is + a member of the domain global <code class="literal">Domain Admins</code> group will have administrative rights on the + Windows client. + </p><p> +<a class="indexterm" name="id380271"></a> +<a class="indexterm" name="id380277"></a> +<a class="indexterm" name="id380284"></a> +<a class="indexterm" name="id380291"></a> +<a class="indexterm" name="id380298"></a> + This is often not the most desirable solution because it means that the user will have administrative + rights and privileges on domain servers also. The <code class="literal">Power Users</code> group on Windows client + workstations permits local administration of the workstation alone. Any domain global user or domain global + group can be added to the membership of the local workstation group <code class="literal">Power Users</code>. + </p><p> +<a class="indexterm" name="id380323"></a> +<a class="indexterm" name="id380330"></a> +<a class="indexterm" name="id380337"></a> +<a class="indexterm" name="id380343"></a> + See <a href="NetCommand.html#nestedgrpmgmgt" title="Nested Group Support">Nested Group Support</a> for an example of how to add domain users + and groups to a local group that is on a Windows workstation. The use of the <code class="literal">net</code> + command permits this to be done from the Samba server. + </p><p> +<a class="indexterm" name="id380368"></a> +<a class="indexterm" name="id380375"></a> +<a class="indexterm" name="id380382"></a> + Another way this can be done is to log onto the Windows workstation as the user + <code class="literal">Administrator</code>, then open a <code class="literal">cmd</code> shell, then execute: +</p><pre class="screen"> +<code class="prompt">C:\> </code> net localgroup administrators /add <strong class="userinput"><code>domain_name\entity</code></strong> +</pre><p> + where <code class="literal">entity</code> is either a domain user or a domain group account name. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="idmapper.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Identity Mapping (IDMAP) </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. File, Directory, and Share Access Controls</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/samba-bdc.html b/docs/htmldocs/Samba3-HOWTO/samba-bdc.html new file mode 100644 index 0000000000..8b6c8f7aba --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/samba-bdc.html @@ -0,0 +1,557 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Backup Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-pdc.html" title="Chapter 4. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 6. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 5. Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="samba-bdc.html#id339320">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-bdc.html#id339696">Essential Background Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340717">Active Directory Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340853">How Does a Workstation find its Domain Controller?</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id341471">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id341906">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id341947">Machine Accounts Keep Expiring</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id342144">Can I Do This All with LDAP?</a></span></dt></dl></dd></dl></div><p> +Before you continue reading this section, please make sure that you are comfortable +with configuring a Samba domain controller as described in <a href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id339320"></a>Features and Benefits</h2></div></div></div><p> +This is one of the most difficult chapters to summarize. It does not matter what we say here, for someone will +still draw conclusions and/or approach the Samba Team with expectations that are either not yet capable of +being delivered or that can be achieved far more effectively using a totally different approach. In the event +that you should have a persistent concern that is not addressed in this book, please email <a href="mailto:jht@samba.org" target="_top">John H. Terpstra</a> clearly setting out your requirements and/or question, and +we will do our best to provide a solution. +</p><p> +<a class="indexterm" name="id339341"></a> +<a class="indexterm" name="id339351"></a> +<a class="indexterm" name="id339357"></a> +<a class="indexterm" name="id339364"></a> +<a class="indexterm" name="id339373"></a> +Samba-3 can act as a Backup Domain Controller (BDC) to another Samba Primary Domain Controller (PDC). A +Samba-3 PDC can operate with an LDAP account backend. The LDAP backend can be either a common master LDAP +server or a slave server. The use of a slave LDAP server has the benefit that when the master is down, clients +may still be able to log onto the network. This effectively gives Samba a high degree of scalability and is +an effective solution for large organizations. If you use an LDAP slave server for a PDC, you will need to +ensure the master's continued availability if the slave finds its master down at the wrong time, +you will have stability and operational problems. +</p><p> +<a class="indexterm" name="id339392"></a> +<a class="indexterm" name="id339400"></a> +<a class="indexterm" name="id339409"></a> +<a class="indexterm" name="id339419"></a> +While it is possible to run a Samba-3 BDC with a non-LDAP backend, that backend must allow some form of +"two-way" propagation of changes from the BDC to the master. At this time only LDAP delivers the capability +to propagate identity database changes from the BDC to the PDC. The BDC can use a slave LDAP server, while it +is preferable for the PDC to use as its primary an LDAP master server. +</p><p> +<a class="indexterm" name="id339432"></a> +<a class="indexterm" name="id339441"></a> +<a class="indexterm" name="id339450"></a> +<a class="indexterm" name="id339462"></a> +<a class="indexterm" name="id339469"></a> +<a class="indexterm" name="id339475"></a> +<a class="indexterm" name="id339482"></a> +The use of a non-LDAP backend SAM database is particularly problematic because domain member +servers and workstations periodically change the Machine Trust Account password. The new +password is then stored only locally. This means that in the absence of a centrally stored +accounts database (such as that provided with an LDAP-based solution) if Samba-3 is running +as a BDC, the BDC instance of the domain member trust account password will not reach the +PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs, this results in +overwriting the SAM that contains the updated (changed) trust account password with resulting +breakage of the domain trust. +</p><p> +<a class="indexterm" name="id339498"></a> +<a class="indexterm" name="id339506"></a> +<a class="indexterm" name="id339516"></a> +<a class="indexterm" name="id339525"></a> +Considering the number of comments and questions raised concerning how to configure a BDC, +let's consider each possible option and look at the pros and cons for each possible solution. +<a href="samba-bdc.html#pdc-bdc-table" title="Table 5.1. Domain Backend Account Distribution Options">The Domain Backend Account Distribution Options table below</a> lists +possible design configurations for a PDC/BDC infrastructure. +</p><div class="table"><a name="pdc-bdc-table"></a><p class="title"><b>Table 5.1. Domain Backend Account Distribution Options</b></p><div class="table-contents"><table summary="Domain Backend Account Distribution Options" border="1"><colgroup><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="center">PDC Backend</th><th align="center">BDC Backend</th><th align="left">Notes/Discussion</th></tr></thead><tbody><tr><td align="center"><p>Master LDAP Server</p></td><td align="center"><p>Slave LDAP Server</p></td><td align="left"><p>The optimal solution that provides high integrity. The SAM will be + replicated to a common master LDAP server.</p></td></tr><tr><td align="center"><p>Single Central LDAP Server</p></td><td align="center"><p>Single Central LDAP Server</p></td><td align="left"><p> + A workable solution without failover ability. This is a usable solution, but not optimal. + </p></td></tr><tr><td align="center"><p>tdbsam</p></td><td align="center"><p>tdbsam + <code class="literal">net rpc vampire</code></p></td><td align="left"><p> + Does not work with Samba-3.0; Samba does not implement the + server-side protocols required. + </p></td></tr><tr><td align="center"><p>tdbsam</p></td><td align="center"><p>tdbsam + <code class="literal">rsync</code></p></td><td align="left"><p> + Do not use this configuration. + Does not work because the TDB files are live and data may not + have been flushed to disk. Furthermore, this will cause + domain trust breakdown. + </p></td></tr><tr><td align="center"><p>smbpasswd file</p></td><td align="center"><p>smbpasswd file</p></td><td align="left"><p> + Do not use this configuration. + Not an elegant solution due to the delays in synchronization + and also suffers + from the issue of domain trust breakdown. + </p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id339696"></a>Essential Background Information</h2></div></div></div><p> +<a class="indexterm" name="id339704"></a> +<a class="indexterm" name="id339711"></a> +<a class="indexterm" name="id339718"></a> +<a class="indexterm" name="id339724"></a> +A domain controller is a machine that is able to answer logon requests from network +workstations. Microsoft LanManager and IBM LanServer were two early products that +provided this capability. The technology has become known as the LanMan Netlogon service. +</p><p> +<a class="indexterm" name="id339737"></a> +<a class="indexterm" name="id339748"></a> +When MS Windows NT3.10 was first released, it supported a new style of Domain Control +and with it a new form of the network logon service that has extended functionality. +This service became known as the NT NetLogon Service. The nature of this service has +changed with the evolution of MS Windows NT and today provides a complex array of +services that are implemented over an intricate spectrum of technologies. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id339760"></a>MS Windows NT4-style Domain Control</h3></div></div></div><p> +<a class="indexterm" name="id339768"></a> +<a class="indexterm" name="id339774"></a> +<a class="indexterm" name="id339781"></a> +<a class="indexterm" name="id339788"></a> +<a class="indexterm" name="id339795"></a> +<a class="indexterm" name="id339801"></a> +<a class="indexterm" name="id339810"></a> +Whenever a user logs into a Windows NT4/200x/XP Professional workstation, +the workstation connects to a domain controller (authentication server) to validate that +the username and password the user entered are valid. If the information entered +does not match account information that has been stored in the domain +control database (the SAM, or Security Account Manager database), a set of error +codes is returned to the workstation that has made the authentication request. +</p><p> +<a class="indexterm" name="id339827"></a> +<a class="indexterm" name="id339834"></a> +<a class="indexterm" name="id339840"></a> +<a class="indexterm" name="id339847"></a> +<a class="indexterm" name="id339854"></a> +When the username/password pair has been validated, the domain controller +(authentication server) will respond with full enumeration of the account information +that has been stored regarding that user in the user and machine accounts database +for that domain. This information contains a complete network access profile for +the user but excludes any information that is particular to the user's desktop profile, +or for that matter it excludes all desktop profiles for groups that the user may +belong to. It does include password time limits, password uniqueness controls, +network access time limits, account validity information, machine names from which the +user may access the network, and much more. All this information was stored in the SAM +in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0). +</p><p> +<a class="indexterm" name="id339871"></a> +<a class="indexterm" name="id339880"></a> +<a class="indexterm" name="id339887"></a> +<a class="indexterm" name="id339894"></a> +<a class="indexterm" name="id339900"></a> +The account information (user and machine) on domain controllers is stored in two files, +one containing the security information and the other the SAM. These are stored in files +by the same name in the <code class="filename">%SystemRoot%\System32\config</code> directory. +This normally translates to the path <code class="filename">C:\WinNT\System32\config</code>. These +are the files that are involved in replication of the SAM database where BDCs are present +on the network. +</p><p> +There are two situations in which it is desirable to install BDCs: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id339932"></a> + <a class="indexterm" name="id339939"></a> + On the local network that the PDC is on, if there are many + workstations and/or where the PDC is generally very busy. In this case the BDCs + will pick up network logon requests and help to add robustness to network services. + </p></li><li><p> + <a class="indexterm" name="id339952"></a> + At each remote site, to reduce wide-area network traffic and to add stability to + remote network operations. The design of the network, and the strategic placement of + BDCs, together with an implementation that localizes as much of network to client + interchange as possible, will help to minimize wide-area network bandwidth needs + (and thus costs). + </p></li></ul></div><p> +<a class="indexterm" name="id339968"></a> +<a class="indexterm" name="id339975"></a> +<a class="indexterm" name="id339981"></a> +<a class="indexterm" name="id339988"></a> +<a class="indexterm" name="id339994"></a> +The interoperation of a PDC and its BDCs in a true Windows NT4 environment is worth +mentioning here. The PDC contains the master copy of the SAM. In the event that an +administrator makes a change to the user account database while physically present +on the local network that has the PDC, the change will likely be made directly to +the PDC instance of the master copy of the SAM. In the event that this update may +be performed in a branch office, the change will likely be stored in a delta file +on the local BDC. The BDC will then send a trigger to the PDC to commence the process +of SAM synchronization. The PDC will then request the delta from the BDC and apply +it to the master SAM. The PDC will then contact all the BDCs in the domain and +trigger them to obtain the update and then apply that to their own copy of the SAM. +</p><p> +<a class="indexterm" name="id340012"></a> +<a class="indexterm" name="id340020"></a> +<a class="indexterm" name="id340029"></a> +<a class="indexterm" name="id340036"></a> +Samba-3 cannot participate in true SAM replication and is therefore not able to +employ precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will +not create SAM update delta files. It will not interoperate with a PDC (NT4 or Samba) +to synchronize the SAM from delta files that are held by BDCs. +</p><p> +<a class="indexterm" name="id340048"></a> +<a class="indexterm" name="id340055"></a> +Samba-3 cannot function as a BDC to an MS Windows NT4 PDC, and Samba-3 cannot +function correctly as a PDC to an MS Windows NT4 BDC. Both Samba-3 and MS Windows +NT4 can function as a BDC to its own type of PDC. +</p><p> +<a class="indexterm" name="id340066"></a> +<a class="indexterm" name="id340073"></a> +<a class="indexterm" name="id340080"></a> +The BDC is said to hold a <span class="emphasis"><em>read-only</em></span> of the SAM from which +it is able to process network logon requests and authenticate users. The BDC can +continue to provide this service, particularly while, for example, the wide-area +network link to the PDC is down. A BDC plays a very important role in both the +maintenance of domain security as well as in network integrity. +</p><p> +<a class="indexterm" name="id340096"></a> +<a class="indexterm" name="id340103"></a> +<a class="indexterm" name="id340110"></a> +<a class="indexterm" name="id340116"></a> +In the event that the NT4 PDC should need to be taken out of service, or if it dies, one of the NT4 BDCs can +be promoted to a PDC. If this happens while the original NT4 PDC is online, it is automatically demoted to an +NT4 BDC. This is an important aspect of domain controller management. The tool that is used to effect a +promotion or a demotion is the Server Manager for Domains. It should be noted that Samba-3 BDCs cannot be +promoted in this manner because reconfiguration of Samba requires changes to the <code class="filename">smb.conf</code> file. It is easy +enough to manuall change the <code class="filename">smb.conf</code> file and then restart relevant Samba network services. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id340141"></a>Example PDC Configuration</h4></div></div></div><p> +<a class="indexterm" name="id340149"></a> +<a class="indexterm" name="id340156"></a> +Beginning with Version 2.2, Samba officially supports domain logons for all current Windows clients, including +Windows NT4, 2003, and XP Professional. For Samba to be enabled as a PDC, some parameters in the +<em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> have to be set. Refer to <a href="samba-bdc.html#minimalPDC" title="Example 5.1. Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC">the Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC +section</a> for an example of the minimum required settings. +</p><div class="example"><a name="minimalPDC"></a><p class="title"><b>Example 5.1. Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id340206"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id340218"></a><em class="parameter"><code>passdb backend = ldapsam://localhost:389</code></em></td></tr><tr><td><a class="indexterm" name="id340231"></a><em class="parameter"><code>domain master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id340244"></a><em class="parameter"><code>domain logons = yes</code></em></td></tr><tr><td><a class="indexterm" name="id340256"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id340269"></a><em class="parameter"><code>ldap user suffix = ou=Users</code></em></td></tr><tr><td><a class="indexterm" name="id340282"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id340294"></a><em class="parameter"><code>ldap machine suffix = ou=Computers</code></em></td></tr><tr><td><a class="indexterm" name="id340307"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id340320"></a><em class="parameter"><code>ldap admin dn = cn=sambadmin,dc=quenya,dc=org</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id340336"></a> +<a class="indexterm" name="id340342"></a> +Several other things like a <em class="parameter"><code>[homes]</code></em> and a <em class="parameter"><code>[netlogon]</code></em> share +also need to be set along with settings for the profile path, the user's home drive, and so on. This is not +covered in this chapter; for more information please refer to <a href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>. +Refer to <a href="samba-pdc.html" title="Chapter 4. Domain Control">the Domain Control chapter</a> for specific recommendations for PDC +configuration. Alternately, fully documented working example network configurations using OpenLDAP and Samba +as available in the <a href="http://www.samba.org/samba/docs/Samba3-ByExample" target="_top">book</a> “<span class="quote">Samba-3 +by Example</span>” that may be obtained from local and on-line book stores. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id340392"></a>LDAP Configuration Notes</h3></div></div></div><p> +<a class="indexterm" name="id340399"></a> +<a class="indexterm" name="id340409"></a> +<a class="indexterm" name="id340418"></a> +When configuring a master and a slave LDAP server, it is advisable to use the master LDAP server +for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers; however, +many administrators will want to do so in order to provide redundant services. Of course, one or more BDCs +may use any slave LDAP server. Then again, it is entirely possible to use a single LDAP server for the +entire network. +</p><p> +<a class="indexterm" name="id340431"></a> +<a class="indexterm" name="id340440"></a> +<a class="indexterm" name="id340450"></a> +<a class="indexterm" name="id340456"></a> +<a class="indexterm" name="id340463"></a> +When configuring a master LDAP server that will have slave LDAP servers, do not forget to configure this in +the <code class="filename">/etc/openldap/slapd.conf</code> file. It must be noted that the DN of a server certificate +must use the CN attribute to name the server, and the CN must carry the servers' fully qualified domain name. +Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details +on server certificate names are in RFC2830. +</p><p> +<a class="indexterm" name="id340482"></a> +<a class="indexterm" name="id340489"></a> +<a class="indexterm" name="id340496"></a> +<a class="indexterm" name="id340503"></a> +<a class="indexterm" name="id340512"></a> +<a class="indexterm" name="id340519"></a> +<a class="indexterm" name="id340525"></a> +It does not really fit within the scope of this document, but a working LDAP installation is basic to +LDAP-enabled Samba operation. When using an OpenLDAP server with Transport Layer Security (TLS), the machine +name in <code class="filename">/etc/ssl/certs/slapd.pem</code> must be the same as in +<code class="filename">/etc/openldap/sldap.conf</code>. The Red Hat Linux startup script creates the +<code class="filename">slapd.pem</code> file with hostname “<span class="quote">localhost.localdomain.</span>” It is impossible to +access this LDAP server from a slave LDAP server (i.e., a Samba BDC) unless the certificate is re-created with +a correct hostname. +</p><p> +<a class="indexterm" name="id340561"></a> +<a class="indexterm" name="id340568"></a> +<a class="indexterm" name="id340574"></a> +<a class="indexterm" name="id340581"></a> +<a class="indexterm" name="id340588"></a> +<a class="indexterm" name="id340595"></a> +Do not install a Samba PDC so that is uses an LDAP slave server. Joining client machines to the domain +will fail in this configuration because the change to the machine account in the LDAP tree must take place on +the master LDAP server. This is not replicated rapidly enough to the slave server that the PDC queries. It +therefore gives an error message on the client machine about not being able to set up account credentials. The +machine account is created on the LDAP server, but the password fields will be empty. Unfortunately, some +sites are unable to avoid such configurations, and these sites should review the <a class="indexterm" name="id340607"></a>ldap replication sleep parameter, intended to slow down Samba sufficiently for the replication to catch up. +This is a kludge, and one that the administrator must manually duplicate in any scripts (such as the +<a class="indexterm" name="id340616"></a>add machine script) that they use. +</p><p> +Possible PDC/BDC plus LDAP configurations include: +</p><div class="itemizedlist"><ul type="disc"><li><p> + PDC+BDC -> One Central LDAP Server. + </p></li><li><p> + PDC -> LDAP master server, BDC -> LDAP slave server. + </p></li><li><p> + PDC -> LDAP master, with secondary slave LDAP server. + </p><p> + BDC -> LDAP master, with secondary slave LDAP server. + </p></li><li><p> + PDC -> LDAP master, with secondary slave LDAP server. + </p><p> + BDC -> LDAP slave server, with secondary master LDAP server. + </p></li></ul></div><p> +In order to have a fallback configuration (secondary) LDAP server, you would specify +the secondary LDAP server in the <code class="filename">smb.conf</code> file as shown in <a href="samba-bdc.html#mulitldapcfg" title="Example 5.2. Multiple LDAP Servers in smb.conf">the Multiple LDAP +Servers in <code class="filename">smb.conf</code> example</a>. +</p><div class="example"><a name="mulitldapcfg"></a><p class="title"><b>Example 5.2. Multiple LDAP Servers in <code class="filename">smb.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id340702"></a><em class="parameter"><code>passdb backend = ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id340717"></a>Active Directory Domain Control</h3></div></div></div><p> +<a class="indexterm" name="id340725"></a> +<a class="indexterm" name="id340732"></a> +<a class="indexterm" name="id340738"></a> +<a class="indexterm" name="id340745"></a> +<a class="indexterm" name="id340752"></a> +<a class="indexterm" name="id340758"></a> +As of the release of MS Windows 2000 and Active Directory, this information is now stored +in a directory that can be replicated and for which partial or full administrative control +can be delegated. Samba-3 is not able to be a domain controller within an Active Directory +tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot +act as a BDC to an Active Directory domain controller. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id340771"></a>What Qualifies a Domain Controller on the Network?</h3></div></div></div><p> +<a class="indexterm" name="id340779"></a> +<a class="indexterm" name="id340786"></a> +<a class="indexterm" name="id340792"></a> +<a class="indexterm" name="id340799"></a> +Every machine that is a domain controller for the domain MIDEARTH has to register the NetBIOS +group name MIDEARTH<1C> with the WINS server and/or by broadcast on the local network. +The PDC also registers the unique NetBIOS name MIDEARTH<1B> with the WINS server. +The name type <1B> name is normally reserved for the Domain Master Browser (DMB), a role +that has nothing to do with anything related to authentication, but the Microsoft domain +implementation requires the DMB to be on the same machine as the PDC. +</p><p> +<a class="indexterm" name="id340815"></a> +<a class="indexterm" name="id340822"></a> +<a class="indexterm" name="id340828"></a> +Where a WINS server is not used, broadcast name registrations alone must suffice. Refer to +<a href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a>,<a href="NetworkBrowsing.html#netdiscuss" title="Discussion">Discussion</a> +for more information regarding TCP/IP network protocols and how SMB/CIFS names are handled. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id340853"></a>How Does a Workstation find its Domain Controller?</h3></div></div></div><p> +<a class="indexterm" name="id340861"></a> +<a class="indexterm" name="id340868"></a> +There are two different mechanisms to locate a domain controller: one method is used when +NetBIOS over TCP/IP is enabled and the other when it has been disabled in the TCP/IP +network configuration. +</p><p> +<a class="indexterm" name="id340880"></a> +<a class="indexterm" name="id340887"></a> +Where NetBIOS over TCP/IP is disabled, all name resolution involves the use of DNS, broadcast +messaging over UDP, as well as Active Directory communication technologies. In this type of +environment all machines require appropriate DNS entries. More information may be found in +<a href="NetworkBrowsing.html#adsdnstech" title="DNS and Active Directory">DNS and Active Directory</a>. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id340905"></a>NetBIOS Over TCP/IP Enabled</h4></div></div></div><p> +<a class="indexterm" name="id340913"></a> +<a class="indexterm" name="id340920"></a> +<a class="indexterm" name="id340926"></a> +<a class="indexterm" name="id340933"></a> +An MS Windows NT4/200x/XP Professional workstation in the domain MIDEARTH that wants a +local user to be authenticated has to find the domain controller for MIDEARTH. It does this +by doing a NetBIOS name query for the group name MIDEARTH<1C>. It assumes that each +of the machines it gets back from the queries is a domain controller and can answer logon +requests. To not open security holes, both the workstation and the selected domain controller +authenticate each other. After that the workstation sends the user's credentials (name and +password) to the local domain controller for validation. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id340956"></a>NetBIOS Over TCP/IP Disabled</h4></div></div></div><p> +<a class="indexterm" name="id340964"></a> +<a class="indexterm" name="id340971"></a> +<a class="indexterm" name="id340978"></a> +<a class="indexterm" name="id340984"></a> +An MS Windows NT4/200x/XP Professional workstation in the realm <code class="constant">quenya.org</code> +that has a need to affect user logon authentication will locate the domain controller by +re-querying DNS servers for the <code class="constant">_ldap._tcp.pdc._msdcs.quenya.org</code> record. +More information regarding this subject may be found in <a href="NetworkBrowsing.html#adsdnstech" title="DNS and Active Directory">DNS and Active Directory</a>. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id341012"></a>Backup Domain Controller Configuration</h2></div></div></div><p> +<a class="indexterm" name="id341020"></a> +The creation of a BDC requires some steps to prepare the Samba server before +<span class="application">smbd</span> is executed for the first time. These steps are as follows: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id341040"></a> + <a class="indexterm" name="id341046"></a> + <a class="indexterm" name="id341053"></a> + <a class="indexterm" name="id341059"></a> + <a class="indexterm" name="id341066"></a> + <a class="indexterm" name="id341073"></a> + The domain SID has to be the same on the PDC and the BDC. In Samba versions pre-2.2.5, the domain SID was + stored in the file <code class="filename">private/MACHINE.SID</code>. For all versions of Samba released since 2.2.5 + the domain SID is stored in the file <code class="filename">private/secrets.tdb</code>. This file is unique to each + server and cannot be copied from a PDC to a BDC; the BDC will generate a new SID at startup. It will overwrite + the PDC domain SID with the newly created BDC SID. There is a procedure that will allow the BDC to aquire the + domain SID. This is described here. + </p><p> + <a class="indexterm" name="id341099"></a> + <a class="indexterm" name="id341106"></a> + <a class="indexterm" name="id341112"></a> + <a class="indexterm" name="id341119"></a> + <a class="indexterm" name="id341126"></a> + To retrieve the domain SID from the PDC or an existing BDC and store it in the + <code class="filename">secrets.tdb</code>, execute: + </p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>net rpc getsid</code></strong> +</pre></li><li><p> + <a class="indexterm" name="id341165"></a> + <a class="indexterm" name="id341172"></a> + <a class="indexterm" name="id341178"></a> + Specification of the <a class="indexterm" name="id341186"></a>ldap admin dn is obligatory. + This also requires the LDAP administration password to be set in the <code class="filename">secrets.tdb</code> + using the <code class="literal">smbpasswd -w <em class="replaceable"><code>mysecret</code></em></code>. + </p></li><li><p> + The <a class="indexterm" name="id341212"></a>ldap suffix parameter and the <a class="indexterm" name="id341219"></a>ldap idmap suffix + parameter must be specified in the <code class="filename">smb.conf</code> file. + </p></li><li><p> + <a class="indexterm" name="id341237"></a> + <a class="indexterm" name="id341246"></a> + <a class="indexterm" name="id341253"></a> + <a class="indexterm" name="id341259"></a> + The UNIX user database has to be synchronized from the PDC to the + BDC. This means that both the <code class="filename">/etc/passwd</code> and + <code class="filename">/etc/group</code> have to be replicated from the PDC + to the BDC. This can be done manually whenever changes are made. + Alternately, the PDC is set up as an NIS master server and the BDC as an NIS slave + server. To set up the BDC as a mere NIS client would not be enough, + as the BDC would not be able to access its user database in case of + a PDC failure. NIS is by no means the only method to synchronize + passwords. An LDAP solution would also work. + </p></li><li><p> + <a class="indexterm" name="id341288"></a> + <a class="indexterm" name="id341294"></a> + <a class="indexterm" name="id341301"></a> + <a class="indexterm" name="id341308"></a> + <a class="indexterm" name="id341314"></a> + <a class="indexterm" name="id341321"></a> + <a class="indexterm" name="id341328"></a> + <a class="indexterm" name="id341335"></a> + The Samba password database must be replicated from the PDC to the BDC. + Although it is possible to synchronize the <code class="filename">smbpasswd</code> + file with <code class="literal">rsync</code> and <code class="literal">ssh</code>, this method + is broken and flawed, and is therefore not recommended. A better solution + is to set up slave LDAP servers for each BDC and a master LDAP server for the PDC. + The use of rsync is inherently flawed by the fact that the data will be replicated + at timed intervals. There is no guarantee that the BDC will be operating at all + times with correct and current machine and user account information. This means that + this method runs the risk of users being inconvenienced by discontinuity of access + to network services due to inconsistent security data. It must be born in mind that + Windows workstations update (change) the machine trust account password at regular + intervals administrators are not normally aware that this is happening + or when it takes place. + </p><p> + <a class="indexterm" name="id341372"></a> + <a class="indexterm" name="id341379"></a> + <a class="indexterm" name="id341386"></a> + <a class="indexterm" name="id341393"></a> + The use of LDAP for both the POSIX (UNIX user and group) accounts and for the + SambaSAMAccount data automatically ensures that all account change information + will be written to the shared directory. This eliminates the need for any special + action to synchronize account information because LDAP will meet that requirement. + </p></li><li><p> + <a class="indexterm" name="id341407"></a> + <a class="indexterm" name="id341414"></a> + <a class="indexterm" name="id341420"></a> + <a class="indexterm" name="id341427"></a> + <a class="indexterm" name="id341434"></a> + <a class="indexterm" name="id341440"></a> + The netlogon share has to be replicated from the PDC to the BDC. This can be done manually whenever login + scripts are changed, or it can be done automatically using a <code class="literal">cron</code> job that will replicate + the directory structure in this share using a tool like <code class="literal">rsync</code>. The use of + <code class="literal">rsync</code> for replication of the netlogon data is not critical to network security and is one + that can be manually managed given that the administrator will make all changes to the netlogon share as part + of a conscious move. + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id341471"></a>Example Configuration</h3></div></div></div><p> +Finally, the BDC has to be capable of being found by the workstations. This can be done by configuring the +Samba <code class="filename">smb.conf</code> file <em class="parameter"><code>[global]</code></em> section as shown in <a href="samba-bdc.html#minim-bdc" title="Example 5.3. Minimal Setup for Being a BDC">Minimal +Setup for Being a BDC</a>. +</p><div class="example"><a name="minim-bdc"></a><p class="title"><b>Example 5.3. Minimal Setup for Being a BDC</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id341515"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id341527"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://slave-ldap.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id341540"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id341553"></a><em class="parameter"><code>domain logons = yes</code></em></td></tr><tr><td><a class="indexterm" name="id341565"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id341578"></a><em class="parameter"><code>ldap user suffix = ou=Users</code></em></td></tr><tr><td><a class="indexterm" name="id341591"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id341603"></a><em class="parameter"><code>ldap machine suffix = ou=Computers</code></em></td></tr><tr><td><a class="indexterm" name="id341616"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id341629"></a><em class="parameter"><code>ldap admin dn = cn=sambadmin,dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id341641"></a><em class="parameter"><code>idmap backend = ldap:ldap://master-ldap.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id341654"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id341667"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table></div></div><br class="example-break"><p> +Fully documented working example network configurations using OpenLDAP and Samba +as available in the <a href="http://www.samba.org/samba/docs/Samba3-ByExample" target="_top">book</a> “<span class="quote">Samba-3 +by Example</span>” that may be obtained from local and on-line book stores. +</p><p> +<a class="indexterm" name="id341697"></a> +<a class="indexterm" name="id341703"></a> +<a class="indexterm" name="id341710"></a> +<a class="indexterm" name="id341717"></a> +This configuration causes the BDC to register only the name MIDEARTH<1C> with the WINS server. This is +not a problem, as the name MIDEARTH<1C> is a NetBIOS group name that is meant to be registered by more +than one machine. The parameter <a class="indexterm" name="id341726"></a>domain master = no forces the BDC not to +register MIDEARTH<1B>, which is a unique NetBIOS name that is reserved for the PDC. +</p><p> +<a class="indexterm" name="id341739"></a> +<a class="indexterm" name="id341746"></a> +<a class="indexterm" name="id341753"></a> +<a class="indexterm" name="id341760"></a> +<a class="indexterm" name="id341766"></a> +<a class="indexterm" name="id341773"></a> +<a class="indexterm" name="id341780"></a> +<a class="indexterm" name="id341786"></a> +<a class="indexterm" name="id341793"></a> +The <em class="parameter"><code>idmap backend</code></em> will redirect the <code class="literal">winbindd</code> utility to use the LDAP +database to store all mappings for Windows SIDs to UIDs and GIDs for UNIX accounts in a repository that is +shared. The BDC will however depend on local resolution of UIDs and GIDs via NSS and the +<code class="literal">nss_ldap</code> utility. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id341824"></a> +<a class="indexterm" name="id341833"></a> +<a class="indexterm" name="id341840"></a> +<a class="indexterm" name="id341847"></a> +Samba-3 has introduced a new ID mapping facility. One of the features of this facility is that it +allows greater flexibility in how user and group IDs are handled in respect to NT domain user and group +SIDs. One of the new facilities provides for explicitly ensuring that UNIX/Linux UID and GID values +will be consistent on the PDC, all BDCs, and all domain member servers. The parameter that controls this +is called <em class="parameter"><code>idmap backend</code></em>. Please refer to the man page for <code class="filename">smb.conf</code> for more information +regarding its behavior. +</p></div><p> +<a class="indexterm" name="id341873"></a> +<a class="indexterm" name="id341879"></a> +<a class="indexterm" name="id341886"></a> +The use of the <a class="indexterm" name="id341893"></a>idmap backend = ldap:ldap://master.quenya.org +option on a BDC only makes sense where ldapsam is used on a PDC. The purpose of an LDAP-based idmap backend is +also to allow a domain member (without its own passdb backend) to use winbindd to resolve Windows network users +and groups to common UID/GIDs. In other words, this option is generally intended for use on BDCs and on domain +member servers. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id341906"></a>Common Errors</h2></div></div></div><p> +<a class="indexterm" name="id341914"></a> +Domain control was a new area for Samba, but there are now many examples that we may refer to. +Updated information will be published as they become available and may be found in later Samba releases or +from the Samba Web <a href="http://samba.org" target="_top">site</a>; refer in particular to the +<code class="filename">WHATSNEW.txt</code> in the Samba release tarball. The book, “<span class="quote">Samba-3 by Example</span>” +documents well tested and proven configuration examples. You can obtain a copy of this +<a href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">book</a> for the Samba web site. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id341947"></a>Machine Accounts Keep Expiring</h3></div></div></div><p> +<a class="indexterm" name="id341955"></a> +<a class="indexterm" name="id341962"></a> +<a class="indexterm" name="id341969"></a> +<a class="indexterm" name="id341975"></a> +This problem will occur when the passdb (SAM) files are copied from a central +server but the local BDC is acting as a PDC. This results in the application of +Local Machine Trust Account password updates to the local SAM. Such updates +are not copied back to the central server. The newer machine account password is then +overwritten when the SAM is recopied from the PDC. The result is that the domain member machine +on startup will find that its passwords do not match the one now in the database, and +since the startup security check will now fail, this machine will not allow logon attempts +to proceed and the account expiry error will be reported. +</p><p> +The solution is to use a more robust passdb backend, such as the ldapsam backend, setting up +a slave LDAP server for each BDC and a master LDAP server for the PDC. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id341995"></a>Can Samba Be a Backup Domain Controller to an NT4 PDC?</h3></div></div></div><p> +<a class="indexterm" name="id342003"></a> +<a class="indexterm" name="id342012"></a> +No. The native NT4 SAM replication protocols have not yet been fully implemented. +</p><p> +<a class="indexterm" name="id342022"></a> +<a class="indexterm" name="id342029"></a> +<a class="indexterm" name="id342035"></a> +Can I get the benefits of a BDC with Samba? Yes, but only to a Samba PDC.The +main reason for implementing a BDC is availability. If the PDC is a Samba +machine, a second Samba machine can be set up to service logon requests whenever +the PDC is down. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id342046"></a>How Do I Replicate the smbpasswd File?</h3></div></div></div><p> +<a class="indexterm" name="id342054"></a> +<a class="indexterm" name="id342063"></a> +<a class="indexterm" name="id342070"></a> +Replication of the smbpasswd file is sensitive. It has to be done whenever changes +to the SAM are made. Every user's password change is done in the smbpasswd file and +has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary. +</p><p> +<a class="indexterm" name="id342082"></a> +<a class="indexterm" name="id342089"></a> +<a class="indexterm" name="id342095"></a> +As the smbpasswd file contains plaintext password equivalents, it must not be +sent unencrypted over the wire. The best way to set up smbpasswd replication from +the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport. +<code class="literal">ssh</code> itself can be set up to accept <span class="emphasis"><em>only</em></span> +<code class="literal">rsync</code> transfer without requiring the user to type a password. +</p><p> +<a class="indexterm" name="id342123"></a> +<a class="indexterm" name="id342130"></a> +As said a few times before, use of this method is broken and flawed. Machine trust +accounts will go out of sync, resulting in a broken domain. This method is +<span class="emphasis"><em>not</em></span> recommended. Try using LDAP instead. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id342144"></a>Can I Do This All with LDAP?</h3></div></div></div><p> +<a class="indexterm" name="id342152"></a> +<a class="indexterm" name="id342159"></a> +The simple answer is yes. Samba's pdb_ldap code supports binding to a replica +LDAP server and will also follow referrals and rebind to the master if it ever +needs to make a modification to the database. (Normally BDCs are read-only, so +this will not occur often). +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Domain Membership</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/samba-pdc.html b/docs/htmldocs/Samba3-HOWTO/samba-pdc.html new file mode 100644 index 0000000000..2497843a22 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/samba-pdc.html @@ -0,0 +1,890 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="ServerType.html" title="Chapter 3. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 4. Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="samba-pdc.html#id335204">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id336284">Basics of Domain Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id336302">Domain Controller Types</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336759">Preparing for Domain Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id337966">Samba ADS Domain Control</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id338009">Domain and Network Logon Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id338026">Domain Network Logon Service</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id338778">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id338784">“<span class="quote">$</span>” Cannot Be Included in Machine Name</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338878">Joining Domain Fails Because of Existing Machine Account</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338937">The System Cannot Log You On (C000019B)</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339004">The Machine Trust Account Is Not Accessible</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339105">Account Disabled</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339131">Domain Controller Unavailable</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339147">Cannot Log onto Domain Member Workstation After Joining Domain</a></span></dt></dl></dd></dl></div><p> +There are many who approach MS Windows networking with incredible misconceptions. +That's okay, because it gives the rest of us plenty of opportunity to be of assistance. +Those who really want help are well advised to become familiar with information +that is already available. +</p><p> +<a class="indexterm" name="id335083"></a> +You are advised not to tackle this section without having first understood +and mastered some basics. MS Windows networking is not particularly forgiving of +misconfiguration. Users of MS Windows networking are likely to complain +of persistent niggles that may be caused by a broken network configuration. +To a great many people, however, MS Windows networking starts with a domain controller +that in some magical way is expected to solve all network operational ills. +</p><p> +<a href="samba-pdc.html#domain-example" title="Figure 4.1. An Example Domain.">The Example Domain Illustration</a> shows a typical MS Windows domain security +network environment. Workstations A, B, and C are representative of many physical MS Windows +network clients. +</p><div class="figure"><a name="domain-example"></a><p class="title"><b>Figure 4.1. An Example Domain.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/domain.png" width="216" alt="An Example Domain."></div></div></div><br class="figure-break"><p> +From the Samba mailing list we can readily identify many common networking issues. +If you are not clear on the following subjects, then it will do much good to read the +sections of this HOWTO that deal with it. These are the most common causes of MS Windows +networking problems: +</p><div class="itemizedlist"><ul type="disc"><li><p>Basic TCP/IP configuration.</p></li><li><p>NetBIOS name resolution.</p></li><li><p>Authentication configuration.</p></li><li><p>User and group configuration.</p></li><li><p>Basic file and directory permission control in UNIX/Linux.</p></li><li><p>Understanding how MS Windows clients interoperate in a network environment.</p></li></ul></div><p> +Do not be put off; on the surface of it MS Windows networking seems so simple that anyone +can do it. In fact, it is not a good idea to set up an MS Windows network with +inadequate training and preparation. But let's get our first indelible principle out of the +way: <span class="emphasis"><em>It is perfectly okay to make mistakes!</em></span> In the right place and at +the right time, mistakes are the essence of learning. It is very much not okay to make +mistakes that cause loss of productivity and impose an avoidable financial burden on an +organization. +</p><p> +Where is the right place to make mistakes? Only out of harms way. If you are going to +make mistakes, then please do it on a test network, away from users, and in such a way as +to not inflict pain on others. Do your learning on a test network. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id335204"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id335212"></a> +<span class="emphasis"><em>What is the key benefit of Microsoft Domain Security?</em></span> +</p><p> +<a class="indexterm" name="id335225"></a> +<a class="indexterm" name="id335234"></a> +<a class="indexterm" name="id335241"></a> +<a class="indexterm" name="id335248"></a> +In a word, <span class="emphasis"><em>single sign-on</em></span>, or SSO for short. To many, this is the Holy Grail of MS +Windows NT and beyond networking. SSO allows users in a well-designed network to log onto any workstation that +is a member of the domain that contains their user account (or in a domain that has an appropriate trust +relationship with the domain they are visiting) and they will be able to log onto the network and access +resources (shares, files, and printers) as if they are sitting at their home (personal) workstation. This is a +feature of the domain security protocols. +</p><p> +<a class="indexterm" name="id335271"></a> +<a class="indexterm" name="id335278"></a> +<a class="indexterm" name="id335284"></a> +<a class="indexterm" name="id335293"></a> +<a class="indexterm" name="id335302"></a> +The benefits of domain security are available to those sites that deploy a Samba PDC. A domain provides a +unique network security identifier (SID). Domain user and group security identifiers are comprised of the +network SID plus a relative identifier (RID) that is unique to the account. User and group SIDs (the network +SID plus the RID) can be used to create access control lists (ACLs) attached to network resources to provide +organizational access control. UNIX systems recognize only local security identifiers. +</p><p> +<a class="indexterm" name="id335316"></a> +A SID represents a security context. For example, every Windows machine has local accounts within the security +context of the local machine which has a unique SID. Every domain (NT4, ADS, Samba) contains accounts that +exist within the domain security context which is defined by the domain SID. +</p><p> +<a class="indexterm" name="id335329"></a> +<a class="indexterm" name="id335335"></a> +A domain member server will have a SID that differs from the domain SID. The domain member server can be +configured to regard all domain users as local users. It can also be configured to recognize domain users and +groups as non-local. SIDs are persistent. A typical domain of user SID looks like this: +</p><pre class="screen"> +S-1-5-21-726309263-4128913605-1168186429 +</pre><p> +Every account (user, group, machine, trust, etc.) is assigned a RID. This is done automatically as an account +is created. Samba produces the RID algorithmically. The UNIX operating system uses a separate name space for +user and group identifiers (the UID and GID) but Windows allocates the RID from a single name space. A Windows +user and a Windows group can not have the same RID. Just as the UNIX user <code class="literal">root</code> has the +UID=0, the Windows Administrator has the well-known RID=500. The RID is catenated to the Windows domain SID, +so Administrator account for a domain that has the above SID will have the user SID +</p><pre class="screen"> +S-1-5-21-726309263-4128913605-1168186429-500 +</pre><p> +The result is that every account in the Windows networking world has a globally unique security identifier. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id335373"></a> +<a class="indexterm" name="id335382"></a> +<a class="indexterm" name="id335389"></a> +Network clients of an MS Windows domain security environment must be domain members to be able to gain access +to the advanced features provided. Domain membership involves more than just setting the workgroup name to the +domain name. It requires the creation of a domain trust account for the workstation (called a machine +account). Refer to <a href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a> for more information. +</p></div><p> +The following functionalities are new to the Samba-3 release: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id335418"></a> + Samba-3 supports the use of a choice of backends that may be used in which user, group and machine + accounts may be stored. Multiple passwd backends can be used in combination, either as additive backend + data sets, or as fail-over data sets. + </p><p> + <a class="indexterm" name="id335433"></a> + <a class="indexterm" name="id335440"></a> + <a class="indexterm" name="id335446"></a> + <a class="indexterm" name="id335453"></a> + <a class="indexterm" name="id335460"></a> + An LDAP passdb backend confers the benefit that the account backend can be distributed and replicated, + which is of great value because it confers scalability and provides a high degree of reliability. + </p></li><li><p> + <a class="indexterm" name="id335473"></a> + <a class="indexterm" name="id335484"></a> + <a class="indexterm" name="id335494"></a> + Windows NT4 domain trusts. Samba-3 supports workstation and server (machine) trust accounts. It also + supports Windows NT4 style interdomain trust accounts, which further assists in network scalability + and interoperability. + </p></li><li><p> + <a class="indexterm" name="id335507"></a> + <a class="indexterm" name="id335514"></a> + <a class="indexterm" name="id335520"></a> + <a class="indexterm" name="id335527"></a> + <a class="indexterm" name="id335536"></a> + <a class="indexterm" name="id335546"></a> + Operation without NetBIOS over TCP/IP, rather using the raw SMB over TCP/IP. Note, this is feasible + only when operating as a Microsoft active directory domain member server. When acting as a Samba domain + controller the use of NetBIOS is necessary to provide network browsing support. + </p></li><li><p> + <a class="indexterm" name="id335562"></a> + <a class="indexterm" name="id335568"></a> + <a class="indexterm" name="id335575"></a> + Samba-3 provides NetBIOS name services (WINS), NetBIOS over TCP/IP (TCP port 139) session services, SMB over + TCP/IP (TCP port 445) session services, and Microsoft compatible ONC DCE RPC services (TCP port 135) + services. + </p></li><li><p> + <a class="indexterm" name="id335588"></a> + Management of users and groups via the User Manager for Domains. This can be done on any MS Windows client + using the <code class="filename">Nexus.exe</code> toolkit for Windows 9x/Me, or using the SRVTOOLS.EXE package for MS + Windows NT4/200x/XP platforms. These packages are available from Microsoft's Web site. + </p></li><li><p> + Implements full Unicode support. This simplifies cross-locale internationalization support. It also opens up + the use of protocols that Samba-2.2.x had but could not use due to the need to fully support Unicode. + </p></li></ul></div><p> +The following functionalities are not provided by Samba-3: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id335621"></a> + <a class="indexterm" name="id335627"></a> + SAM replication with Windows NT4 domain controllers (i.e., a Samba PDC and a Windows NT BDC, or vice versa). + This means Samba cannot operate as a BDC when the PDC is Microsoft-based Windows NT PDC. Samba-3 can not + participate in replication of account data to Windows PDCs and BDCs. + </p></li><li><p> + <a class="indexterm" name="id335641"></a> + <a class="indexterm" name="id335648"></a> + Acting as a Windows 2000 active directory domain controller (i.e., Kerberos and Active Directory). In point of + fact, Samba-3 does have some Active Directory domain control ability that is at this time purely experimental. + Active directory domain control is one of the features that is being developed in Samba-4, the next + generation Samba release. At this time there are no plans to enable active directory domain control + support during the Samba-3 series life-cycle. + </p></li><li><p> + <a class="indexterm" name="id335667"></a> + <a class="indexterm" name="id335673"></a> + <a class="indexterm" name="id335680"></a> + The Windows 200x/XP Microsoft Management Console (MMC) cannot be used to manage a Samba-3 server. For this you + can use only the MS Windows NT4 Domain Server Manager and the MS Windows NT4 Domain User Manager. Both are + part of the SVRTOOLS.EXE package mentioned later. + </p></li></ul></div><p> +<a class="indexterm" name="id335696"></a> +<a class="indexterm" name="id335703"></a> +Windows 9x/Me/XP Home clients are not true members of a domain for reasons outlined in this chapter. The +protocol for support of Windows 9x/Me-style network (domain) logons is completely different from NT4/Windows +200x-type domain logons and has been officially supported for some time. These clients use the old LanMan +network logon facilities that are supported in Samba since approximately the Samba-1.9.15 series. +</p><p> +<a class="indexterm" name="id335716"></a> +Samba-3 implements group mapping between Windows NT groups and UNIX groups (this is really quite complicated +to explain in a short space). This is discussed more fully in <a href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">Group Mapping: MS +Windows and UNIX</a>. +</p><p> +<a class="indexterm" name="id335737"></a> +<a class="indexterm" name="id335744"></a> +<a class="indexterm" name="id335753"></a> +Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store user and Machine Trust +Account information in a suitable backend data-store. Refer to <a href="domain-member.html#machine-trust-accounts" title="MS Windows Workstation/Server Machine Trust Accounts">MS +Windows Workstation/Server Machine Trust Accounts</a>. With Samba-3 there can be multiple backends for +this. A complete discussion of account database backends can be found in <a href="passdb.html" title="Chapter 11. Account Information Databases">Account +Information Databases</a>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id335780"></a>Single Sign-On and Domain Security</h2></div></div></div><p> +<a class="indexterm" name="id335788"></a> +<a class="indexterm" name="id335796"></a> +<a class="indexterm" name="id335803"></a> +<a class="indexterm" name="id335810"></a> +<a class="indexterm" name="id335816"></a> +<a class="indexterm" name="id335823"></a> +<a class="indexterm" name="id335830"></a> +When network administrators are asked to describe the benefits of Windows NT4 and active directory networking +the most often mentioned feature is that of single sign-on (SSO). Many companies have implemented SSO +solutions. The mode of implementation of a single sign-on solution is an important factor in the practice of +networking in general, and is critical in respect of Windows networking. A company may have a wide variety of +information systems, each of which requires a form of user authentication and validation, thus it is not +uncommon that users may need to remember more than ten login IDs and passwords. This problem is compounded +when the password for each system must be changed at regular intervals, and particularly so where password +uniqueness and history limits are applied. +</p><p> +<a class="indexterm" name="id335847"></a> +There is a broadly held perception that SSO is the answer to the problem of users having to deal with too many +information system access credentials (username/password pairs). Many elaborate schemes have been devised to +make it possible to deliver a user-friendly SSO solution. The trouble is that if this implementation is not +done correctly, the site may end up paying dearly by way of complexity and management overheads. Simply put, +many SSO solutions are an administrative nightmare. +</p><p> +<a class="indexterm" name="id335861"></a> +<a class="indexterm" name="id335868"></a> +<a class="indexterm" name="id335875"></a> +SSO implementations utilize centralization of all user account information. Depending on environmental +complexity and the age of the systems over which a SSO solution is implemented, it may not be possible to +change the solution architecture so as to accomodate a new identity management and user authentication system. +Many SSO solutions involving legacy systems consist of a new super-structure that handles authentication on +behalf of the user. The software that gets layered over the old system may simply implement a proxy +authentication system. This means that the addition of SSO increases over-all information systems complexity. +Ideally, the implementation of SSO should reduce complexity and reduce administative overheads. +</p><p> +<a class="indexterm" name="id335891"></a> +<a class="indexterm" name="id335898"></a> +<a class="indexterm" name="id335907"></a> +<a class="indexterm" name="id335916"></a> +<a class="indexterm" name="id335923"></a> +The initial goal of many network administrators is often to create and use a centralized identity management +system. It is often assumed that such a centralized system will use a single authentication infrastructure +that can be used by all information systems. The Microsoft Windows NT4 security domain architecture and the +Micrsoft active directory service are often put forward as the ideal foundation for such a system. It is +conceptually simple to install an external authentication agent on each of the disparate infromation systems +that can then use the Microsoft (NT4 domain or ads service) for user authentication and access control. The +wonderful dream of a single centralized authentication service is commonly broken when realities are realized. +The problem with legacy systems is often the inability to externalize the authentication and access control +system it uses because its implementation will be excessively invasive from a re-engineering perspective, or +because application software has built-in dependencies on particular elements of the way user authentication +and access control were designed and built. +</p><p> +<a class="indexterm" name="id335942"></a> +<a class="indexterm" name="id335949"></a> +<a class="indexterm" name="id335956"></a> +<a class="indexterm" name="id335963"></a> +<a class="indexterm" name="id335970"></a> +<a class="indexterm" name="id335976"></a> +<a class="indexterm" name="id335983"></a> +<a class="indexterm" name="id335990"></a> +Over the past decade an industry has been developed around the various methods that have been built to get +around the key limitations of legacy information technology systems. One approach that is often used involves +the use of a meta-directory. The meta-directory stores user credentials for all disparate information systems +in the format that is particular to each system. An elaborate set of management procedures is coupled with a +rigidly enforced work-flow protocol for managing user rights and privileges within the maze of systems that +are provisioned by the new infrastructure makes possible user access to all systems using a single set of user +credentials. +</p><p> +<a class="indexterm" name="id336011"></a> +<a class="indexterm" name="id336021"></a> +<a class="indexterm" name="id336030"></a> +<a class="indexterm" name="id336039"></a> +The Organization for the Advancement of Structured Information Standards (OASIS) has developed the Security +Assertion Markup Language (SAML), a structured method for communication of authentication information. The +over-all umbrella name for the technologies and methods that deploy SAML is called Federated Identity +Management (FIM). FIM depends on each system in the complex maze of disparate information systems to +authenticate their respective users and vouch for secure access to the services each provides. +</p><p> +<a class="indexterm" name="id336054"></a> +<a class="indexterm" name="id336063"></a> +<a class="indexterm" name="id336070"></a> +<a class="indexterm" name="id336077"></a> +<a class="indexterm" name="id336084"></a> +<a class="indexterm" name="id336089"></a> +SAML documents can be wrapped in a Simple Object Access Protocol (SOAP) message for the computer-to-computer +communications needed for Web services. Or they may be passed between Web servers of federated organizations +that share live services. The Liberty Alliance, an industry group formed to promote federated-identity +standards, has adopted SAML 1.1 as part of its application framework. Microsoft and IBM have proposed an +alternative specification called WS-Security. Some believe that the competing technologies and methods may +converge when the SAML 2.0 standard is introduced. A few Web access-management products support SAML today, +but implemention of the technology mostly requires customization to integrate applications and develop user +interfaces. In a nust-shell, that is why FIM is a big and growing industry. +</p><p> +<a class="indexterm" name="id336105"></a> +<a class="indexterm" name="id336112"></a> +<a class="indexterm" name="id336118"></a> +<a class="indexterm" name="id336125"></a> +<a class="indexterm" name="id336132"></a> +Ignoring the bigger picture, which is beyond the scope of this book, the migration of all user and group +management to a centralized system is a step in the right direction. It is essential for interoperability +reasons to locate the identity management system data in a directory such as Microsoft Active Directory +Service (ADS), or any proprietary or open source system that provides a standard protocol for information +access (such as LDAP) and that can be coupled with a flexible array of authentication mechanisms (such as +kerberos) that use the protocols that are defined by the various general security service application +programming interface (GSSAPI) services. +</p><p> +<a class="indexterm" name="id336150"></a> +<a class="indexterm" name="id336157"></a> +<a class="indexterm" name="id336164"></a> +A growing number of companies provide authentication agents for disparate legacy platforms to permit the use +of LDAP systems. Thus the use of OpenLDAP, the dominant open source software implementation of the light +weight directory access protocol standard. This fact, means that by providing support in Samba for the use of +LDAP and Microsoft ADS make Samba a highly scalable and forward reaching organizational networking technology. +</p><p> +<a class="indexterm" name="id336177"></a> +<a class="indexterm" name="id336184"></a> +<a class="indexterm" name="id336191"></a> +<a class="indexterm" name="id336198"></a> +<a class="indexterm" name="id336204"></a> +<a class="indexterm" name="id336211"></a> +Microsoft ADS provides purely proprietary services that, with limitation, can be extended to provide a +centralized authentication infrastructure. Samba plus LDAP provides a similar opportunity for extension of a +centralized authentication architecture, but it is the fact that the Samba Team are pro-active in introducing +the extension of authentication services, using LDAP or otherwise, to applications such as SQUID (the open +source proxy server) through tools such as the <code class="literal">ntlm_auth</code> utility, that does much to create +sustainable choice and competition in the FIM market place. +</p><p> +<a class="indexterm" name="id336232"></a> +<a class="indexterm" name="id336238"></a> +<a class="indexterm" name="id336245"></a> +Primary domain control, if it is to be scalable to meet the needs of large sites, must therefore be capable of +using LDAP. The rapid adoption of OpenLDAP, and Samba configurations that use it, is ample proof that the era +of the directory has started. Samba-3 does not demand the use of LDAP, but the demand for a mechanism by which +user and group identity information can be distributed makes it an an unavoidable option. +</p><p> +<a class="indexterm" name="id336259"></a> +<a class="indexterm" name="id336265"></a> +<a class="indexterm" name="id336272"></a> +At this time, the use of Samba based BDCs, necessitates the use of LDAP. The most commonly used LDAP +implementation used by Samba sites is OpenLDAP. It is possible to use any standards compliant LDAP server. +Those known to work includes those manufactured by: IBM, CA, Novell (e-Directory), and others. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336284"></a>Basics of Domain Control</h2></div></div></div><p> +<a class="indexterm" name="id336292"></a> +Over the years, public perceptions of what domain control really is has taken on an almost mystical nature. +Before we branch into a brief overview of domain control, there are three basic types of domain controllers. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id336302"></a>Domain Controller Types</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>NT4 style Primary Domain Controller</p></li><li><p>NT4 style Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div><p> +<a class="indexterm" name="id336326"></a> +<a class="indexterm" name="id336333"></a> +<a class="indexterm" name="id336340"></a> +<a class="indexterm" name="id336349"></a> +The <span class="emphasis"><em>Primary Domain Controller</em></span> or PDC plays an important role in MS Windows NT4. In +Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that +because of its role in the MS Windows network, the domain controller should be the most powerful and most +capable machine in the network. As strange as it may seem to say this here, good overall network performance +dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in standalone +(domain member) servers than in the domain controllers. +</p><p> +<a class="indexterm" name="id336372"></a> +<a class="indexterm" name="id336379"></a> +<a class="indexterm" name="id336385"></a> +<a class="indexterm" name="id336392"></a> +<a class="indexterm" name="id336399"></a> +In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database. +This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key +part in NT4-type domain user authentication and in synchronization of the domain authentication +database with BDCs. +</p><p> +<a class="indexterm" name="id336414"></a> +<a class="indexterm" name="id336426"></a> +<a class="indexterm" name="id336432"></a> +<a class="indexterm" name="id336442"></a> +With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential +hierarchy of domain controllers, each with its own area of delegated control. The master domain +controller has the ability to override any downstream controller, but a downline controller has +control only over its downline. With Samba-3, this functionality can be implemented using an +LDAP-based user and machine account backend. +</p><p> +<a class="indexterm" name="id336455"></a> +<a class="indexterm" name="id336462"></a> +New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM +database (one of the registry files)<sup>[<a name="id336470" href="#ftn.id336470">1</a>]</sup> +</p><p> +<a class="indexterm" name="id336486"></a> +<a class="indexterm" name="id336492"></a> +<a class="indexterm" name="id336499"></a> +<a class="indexterm" name="id336506"></a> +<a class="indexterm" name="id336512"></a> +<a class="indexterm" name="id336519"></a> +The <span class="emphasis"><em>Backup Domain Controller</em></span> or BDC plays a key role in servicing network authentication +requests. The BDC is biased to answer logon requests in preference to the PDC. On a network segment that has +a BDC and a PDC, the BDC will most likely service network logon requests. The PDC will answer network logon +requests when the BDC is too busy (high load). When a user logs onto a Windows domain member client the +workstation will query the network to locate the nearest network logon server. Where a WINS server is used, +this is done via a query to the WINS server. If a netlogon server can not be found from the WINS query, or in +the absence of a WINS server, the workstation will perform a NetBIOS name lookup via a mailslot broadcast over +the UDP broadcast protocol. This means that the netlogon server that the windows client will use is influenced +by a number of variables, thus there is no simple determinant of whether a PDC or a BDC will serve a +particular logon authentication request. +</p><p> +<a class="indexterm" name="id336541"></a> +<a class="indexterm" name="id336548"></a> +A Windows NT4 BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to PDC, +the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic operation; the PDC +and BDC must be manually configured, and other appropriate changes also need to be made. +</p><p> +<a class="indexterm" name="id336561"></a> +With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be. +It is possible to promote a BDC to a PDC, and vice versa. The only method Microsoft provide to convert a +Windows NT4 domain controller to a domain member server or a standalone server is to reinstall it. The install +time choices offered are: +</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Primary Domain Controller</em></span> the one that seeds the domain SAM.</p></li><li><p><span class="emphasis"><em>Backup Domain Controller</em></span> one that obtains a copy of the domain SAM.</p></li><li><p><span class="emphasis"><em>Domain Member Server</em></span> one that has no copy of the domain SAM; rather + it obtains authentication from a domain controller for all access controls.</p></li><li><p><span class="emphasis"><em>Standalone Server</em></span> one that plays no part in SAM synchronization, + has its own authentication database, and plays no role in domain security.</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id336624"></a> +Algin Technology LLC provide a commercial tool that makes it possible to promote a Windows NT4 standalone +server to a PDC or a BDC, and also permits this process to be reversed. Refer to the <a href="http://utools.com/UPromote.asp" target="_top">Algin</a> web site for further information. +</p></div><p> +<a class="indexterm" name="id336641"></a> +<a class="indexterm" name="id336653"></a> +Samba-3 servers can readily be converted to and from domain controller roles through simple changes to the +<code class="filename">smb.conf</code> file. Samba-3 is capable of acting fully as a native member of a Windows 200x server Active +Directory domain. +</p><p> +<a class="indexterm" name="id336671"></a> +For the sake of providing a complete picture, MS Windows 2000 domain control configuration is done after the server has been +installed. Please refer to Microsoft documentation for the procedures that should be followed to convert a +domain member server to or from a domain control, and to install or remove active directory service support. +</p><p> +<a class="indexterm" name="id336686"></a> +<a class="indexterm" name="id336695"></a> +New to Samba-3 is the ability to function fully as an MS Windows NT4-style domain controller, +excluding the SAM replication components. However, please be aware that Samba-3 also supports the +MS Windows 200x domain control protocols. +</p><p> +<a class="indexterm" name="id336709"></a> +At this time any appearance that Samba-3 is capable of acting as a <span class="emphasis"><em>domain controller</em></span> in +native ADS mode is limited and experimental in nature. This functionality should not be used until the Samba +Team offers formal support for it. At such a time, the documentation will be revised to duly reflect all +configuration and management requirements. Samba can act as a NT4-style domain controller in a Windows 2000/XP +environment. However, there are certain compromises: +</p><div class="itemizedlist"><ul type="disc"><li><p>No machine policy files.</p></li><li><p>No Group Policy Objects.</p></li><li><p>No synchronously executed Active Directory logon scripts.</p></li><li><p>Can't use Active Directory management tools to manage users and machines.</p></li><li><p>Registry changes tattoo the main registry, while with Active Directory they do not leave + permanent changes in effect.</p></li><li><p>Without Active Directory you cannot perform the function of exporting specific + applications to specific users or groups.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id336759"></a>Preparing for Domain Control</h3></div></div></div><p> +<a class="indexterm" name="id336766"></a> +<a class="indexterm" name="id336773"></a> +<a class="indexterm" name="id336780"></a> +<a class="indexterm" name="id336787"></a> +There are two ways that MS Windows machines may interact with each other, with other servers, +and with domain controllers: either as <span class="emphasis"><em>standalone</em></span> systems, more commonly +called <span class="emphasis"><em>workgroup</em></span> members, or as full participants in a security system, +more commonly called <span class="emphasis"><em>domain</em></span> members. +</p><p> +<a class="indexterm" name="id336810"></a> +<a class="indexterm" name="id336817"></a> +<a class="indexterm" name="id336826"></a> +It should be noted that workgroup membership involves no special configuration other than the machine being +configured so the network configuration has a commonly used name for its workgroup entry. It is not uncommon +for the name WORKGROUP to be used for this. With this mode of configuration, there are no Machine Trust +Accounts, and any concept of membership as such is limited to the fact that all machines appear in the network +neighborhood to be logically grouped together. Again, just to be clear: <span class="emphasis"><em>workgroup mode does not +involve security machine accounts</em></span>. +</p><p> +<a class="indexterm" name="id336844"></a> +<a class="indexterm" name="id336851"></a> +<a class="indexterm" name="id336860"></a> +Domain member machines have a machine trust account in the domain accounts database. A special procedure +must be followed on each machine to effect domain membership. This procedure, which can be done +only by the local machine Administrator account, creates the domain machine account (if it does +not exist), and then initializes that account. When the client first logs onto the +domain, a machine trust account password change will be automatically triggered. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id336875"></a> +When Samba is configured as a domain controller, secure network operation demands that +all MS Windows NT4/200x/XP Professional clients should be configured as domain members. +If a machine is not made a member of the domain, then it will operate like a workgroup +(standalone) machine. Please refer to <a href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>, for +information regarding domain membership. +</p></div><p> +The following are necessary for configuring Samba-3 as an MS Windows NT4-style PDC for MS Windows +NT4/200x/XP clients: +</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows networking.</p></li><li><p>Correct designation of the server role (<a class="indexterm" name="id336908"></a>security = user).</p></li><li><p>Consistent configuration of name resolution.<sup>[<a name="id336920" href="#ftn.id336920">2</a>]</sup></p></li><li><p>Domain logons for Windows NT4/200x/XP Professional clients.</p></li><li><p>Configuration of roaming profiles or explicit configuration to force local profile usage.</p></li><li><p>Configuration of network/system policies.</p></li><li><p>Adding and managing domain user accounts.</p></li><li><p>Configuring MS Windows NT4/2000 Professional and Windows XP Professional client machines to become domain members.</p></li></ul></div><p> +The following provisions are required to serve MS Windows 9x/Me clients: +</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows networking.</p></li><li><p>Correct designation of the server role (<a class="indexterm" name="id336980"></a>security = user).</p></li><li><p>Network logon configuration (since Windows 9x/Me/XP Home are not technically domain + members, they do not really participate in the security aspects of Domain logons as such).</p></li><li><p>Roaming profile configuration.</p></li><li><p>Configuration of system policy handling.</p></li><li><p>Installation of the network driver “<span class="quote">Client for MS Windows Networks</span>” and configuration + to log onto the domain.</p></li><li><p>Placing Windows 9x/Me clients in user-level security if it is desired to allow + all client-share access to be controlled according to domain user/group identities.</p></li><li><p>Adding and managing domain user accounts.</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id337029"></a> +<a class="indexterm" name="id337036"></a> +Roaming profiles and system/network policies are advanced network administration topics +that are covered in <a href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management">Desktop Profile Management</a> and +<a href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account Policies</a> of this document. However, these are not +necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts. +</p></div><p> +A domain controller is an SMB/CIFS server that: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id337069"></a> + <a class="indexterm" name="id337078"></a> + <a class="indexterm" name="id337085"></a> + <a class="indexterm" name="id337092"></a> + <a class="indexterm" name="id337098"></a> + Registers and advertises itself as a domain controller (through NetBIOS broadcasts + as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast, + to a WINS server over UDP unicast, or via DNS and Active Directory). + </p></li><li><p> + <a class="indexterm" name="id337112"></a> + <a class="indexterm" name="id337118"></a> + Provides the NETLOGON service. (This is actually a collection of services that runs over + multiple protocols. These include the LanMan logon service, the Netlogon service, + the Local Security Account service, and variations of them.) + </p></li><li><p> + Provides a share called NETLOGON. + </p></li></ul></div><p> +<a class="indexterm" name="id337136"></a> +<a class="indexterm" name="id337148"></a> +<a class="indexterm" name="id337160"></a> +<a class="indexterm" name="id337166"></a> +<a class="indexterm" name="id337173"></a> +It is rather easy to configure Samba to provide these. Each Samba domain controller must provide the NETLOGON +service that Samba calls the <a class="indexterm" name="id337181"></a>domain logons functionality (after the name of the +parameter in the <code class="filename">smb.conf</code> file). Additionally, one server in a Samba-3 domain must advertise itself as the +domain master browser.<sup>[<a name="id337195" href="#ftn.id337195">3</a>]</sup> This causes the PDC to claim a domain-specific NetBIOS name that identifies +it as a DMB for its given domain or workgroup. Local master browsers (LMBs) in the same domain or workgroup on +broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide-area network. +Browser clients then contact their LMB, and will receive the domain-wide browse list instead of just the list +for their broadcast-isolated subnet. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id337213"></a>Domain Control: Example Configuration</h2></div></div></div><p> +The first step in creating a working Samba PDC is to understand the parameters necessary +in <code class="filename">smb.conf</code>. An example <code class="filename">smb.conf</code> for acting as a PDC can be found in <a href="samba-pdc.html#pdc-example" title="Example 4.1. smb.conf for being a PDC">the +smb.conf file for an example PDC</a>. +</p><div class="example"><a name="pdc-example"></a><p class="title"><b>Example 4.1. smb.conf for being a PDC</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id337266"></a><em class="parameter"><code>netbios name</code></em></td></tr><tr><td><a class="indexterm" name="id337279"></a><em class="parameter"><code>workgroup</code></em></td></tr><tr><td><a class="indexterm" name="id337291"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id337304"></a><em class="parameter"><code>os level = 33</code></em></td></tr><tr><td><a class="indexterm" name="id337316"></a><em class="parameter"><code>preferred master = auto</code></em></td></tr><tr><td><a class="indexterm" name="id337329"></a><em class="parameter"><code>domain master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id337341"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id337354"></a><em class="parameter"><code>security = user</code></em></td></tr><tr><td><a class="indexterm" name="id337366"></a><em class="parameter"><code>domain logons = yes</code></em></td></tr><tr><td><a class="indexterm" name="id337379"></a><em class="parameter"><code>logon path = \\%N\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id337392"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id337404"></a><em class="parameter"><code>logon home = \\homeserver\%U\winprofile</code></em></td></tr><tr><td><a class="indexterm" name="id337417"></a><em class="parameter"><code>logon script = logon.cmd</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id337438"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id337451"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id337464"></a><em class="parameter"><code>write list</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id337485"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id337498"></a><em class="parameter"><code>read only = no</code></em></td></tr><tr><td><a class="indexterm" name="id337510"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id337523"></a><em class="parameter"><code>directory mask = 0700</code></em></td></tr></table></div></div><br class="example-break"><p> +The basic options shown in <a href="samba-pdc.html#pdc-example" title="Example 4.1. smb.conf for being a PDC">this example</a> are explained as follows: +</p><div class="variablelist"><dl><dt><span class="term">passdb backend </span></dt><dd><p> + <a class="indexterm" name="id337557"></a> + <a class="indexterm" name="id337566"></a> + <a class="indexterm" name="id337573"></a> + <a class="indexterm" name="id337580"></a> + <a class="indexterm" name="id337586"></a> + <a class="indexterm" name="id337593"></a> + This contains all the user and group account information. Acceptable values for a PDC + are: <span class="emphasis"><em>smbpasswd, tdbsam, and ldapsam</em></span>. The “<span class="quote">guest</span>” entry provides + default accounts and is included by default; there is no need to add it explicitly. + </p><p> + <a class="indexterm" name="id337613"></a> + <a class="indexterm" name="id337619"></a> + <a class="indexterm" name="id337626"></a> + <a class="indexterm" name="id337633"></a> + Where use of BDCs is intended, the only logical choice is + to use LDAP so the passdb backend can be distributed. The tdbsam and smbpasswd files + cannot effectively be distributed and therefore should not be used. + </p></dd><dt><span class="term">Domain Control Parameters </span></dt><dd><p> + <a class="indexterm" name="id337652"></a> + <a class="indexterm" name="id337659"></a> + <a class="indexterm" name="id337665"></a> + <a class="indexterm" name="id337672"></a> + The parameters <span class="emphasis"><em>os level, preferred master, domain master, security, + encrypt passwords</em></span>, and <span class="emphasis"><em>domain logons</em></span> play a central role in assuring domain + control and network logon support. + </p><p> + <a class="indexterm" name="id337693"></a> + <a class="indexterm" name="id337700"></a> + The <span class="emphasis"><em>os level</em></span> must be set at or above a value of 32. A domain controller + must be the DMB, must be set in <span class="emphasis"><em>user</em></span> mode security, + must support Microsoft-compatible encrypted passwords, and must provide the network logon + service (domain logons). Encrypted passwords must be enabled. For more details on how + to do this, refer to <a href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a>. + </p></dd><dt><span class="term">Environment Parameters </span></dt><dd><p> + <a class="indexterm" name="id337734"></a> + <a class="indexterm" name="id337741"></a> + <a class="indexterm" name="id337747"></a> + <a class="indexterm" name="id337754"></a> + The parameters <span class="emphasis"><em>logon path, logon home, logon drive</em></span>, and <span class="emphasis"><em>logon script</em></span> are + environment support settings that help to facilitate client logon operations and that help + to provide automated control facilities to ease network management overheads. Please refer + to the man page information for these parameters. + </p></dd><dt><span class="term">NETLOGON Share </span></dt><dd><p> + <a class="indexterm" name="id337781"></a> + <a class="indexterm" name="id337787"></a> + <a class="indexterm" name="id337794"></a> + <a class="indexterm" name="id337801"></a> + <a class="indexterm" name="id337808"></a> + <a class="indexterm" name="id337815"></a> + The NETLOGON share plays a central role in domain logon and domain membership support. + This share is provided on all Microsoft domain controllers. It is used to provide logon + scripts, to store group policy files (NTConfig.POL), as well as to locate other common + tools that may be needed for logon processing. This is an essential share on a domain controller. + </p></dd><dt><span class="term">PROFILE Share </span></dt><dd><p> + <a class="indexterm" name="id337834"></a> + <a class="indexterm" name="id337841"></a> + <a class="indexterm" name="id337848"></a> + <a class="indexterm" name="id337855"></a> + <a class="indexterm" name="id337861"></a> + This share is used to store user desktop profiles. Each user must have a directory at the root + of this share. This directory must be write-enabled for the user and must be globally read-enabled. + Samba-3 has a VFS module called “<span class="quote">fake_permissions</span>” that may be installed on this share. This will + allow a Samba administrator to make the directory read-only to everyone. Of course this is useful + only after the profile has been properly created. + </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The above parameters make for a full set of functionality that may define the server's mode +of operation. The following <code class="filename">smb.conf</code> parameters are the essentials alone: +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id337897"></a><em class="parameter"><code>netbios name = BELERIAND</code></em></td></tr><tr><td><a class="indexterm" name="id337909"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id337922"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id337934"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id337947"></a><em class="parameter"><code>security = User</code></em></td></tr></table><p> +</p><p> +The additional parameters shown in the longer listing in this section just make for +a more complete explanation. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id337966"></a>Samba ADS Domain Control</h2></div></div></div><p> +<a class="indexterm" name="id337974"></a> +Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as an Active Directory +PDC. The protocols for some of the functionality of Active Directory domain controllers has been partially +implemented on an experimental only basis. Please do not expect Samba-3 to support these protocols. Do not +depend on any such functionality either now or in the future. The Samba Team may remove these experimental +features or may change their behavior. This is mentioned for the benefit of those who have discovered secret +capabilities in Samba-3 and who have asked when this functionality will be completed. The answer is maybe +someday or maybe never! +</p><p> +<a class="indexterm" name="id337990"></a> +<a class="indexterm" name="id337996"></a> +To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style +domain controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have +a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it +is not Windows Server 200x: it is not an Active Directory server. We hope this is plain and simple +enough for all to understand. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338009"></a>Domain and Network Logon Configuration</h2></div></div></div><p> +<a class="indexterm" name="id338017"></a> +The subject of network or domain logons is discussed here because it forms +an integral part of the essential functionality that is provided by a domain controller. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338026"></a>Domain Network Logon Service</h3></div></div></div><p> +<a class="indexterm" name="id338034"></a> +All domain controllers must run the netlogon service (<span class="emphasis"><em>domain logons</em></span> +in Samba). One domain controller must be configured with <a class="indexterm" name="id338046"></a>domain master = Yes +(the PDC); on all BDCs set the parameter <a class="indexterm" name="id338053"></a>domain master = No. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id338061"></a>Example Configuration</h4></div></div></div><div class="example"><a name="PDC-config"></a><p class="title"><b>Example 4.2. smb.conf for being a PDC</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id338090"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id338102"></a><em class="parameter"><code>domain master = (Yes on PDC, No on BDCs)</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id338124"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id338137"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id338150"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id338162"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id338177"></a>The Special Case of MS Windows XP Home Edition</h4></div></div></div><p> +<a class="indexterm" name="id338185"></a> +To be completely clear: If you want MS Windows XP Home Edition to integrate with your +MS Windows NT4 or Active Directory domain security, understand it cannot be done. +The only option is to purchase the upgrade from MS Windows XP Home Edition to +MS Windows XP Professional. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +MS Windows XP Home Edition does not have the ability to join any type of domain +security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely +lacks the ability to log onto a network. +</p></div><p> +Now that this has been said, please do not ask the mailing list or email any of the +Samba Team members with your questions asking how to make this work. It can't be done. +If it can be done, then to do so would violate your software license agreement with +Microsoft, and we recommend that you do not do that. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id338208"></a>The Special Case of Windows 9x/Me</h4></div></div></div><p> +<a class="indexterm" name="id338216"></a> +<a class="indexterm" name="id338223"></a> +<a class="indexterm" name="id338230"></a> +<a class="indexterm" name="id338236"></a> +<a class="indexterm" name="id338243"></a> +A domain and a workgroup are exactly the same in terms of network +browsing. The difference is that a distributable authentication +database is associated with a domain, for secure login access to a +network. Also, different access rights can be granted to users if they +successfully authenticate against a domain logon server. Samba-3 does this +now in the same way as MS Windows NT/200x. +</p><p> +<a class="indexterm" name="id338256"></a> +The SMB client logging on to a domain has an expectation that every other +server in the domain should accept the same authentication information. +Network browsing functionality of domains and workgroups is identical and +is explained in this documentation under the browsing discussions. +It should be noted that browsing is totally orthogonal to logon support. +</p><p> +<a class="indexterm" name="id338273"></a> +<a class="indexterm" name="id338279"></a> +<a class="indexterm" name="id338286"></a> +Issues related to the single-logon network model are discussed in this +section. Samba supports domain logons, network logon scripts, and user +profiles for MS Windows for Workgroups and MS Windows 9x/Me clients, +which are the focus of this section. +</p><p> +<a class="indexterm" name="id338298"></a> +When an SMB client in a domain wishes to log on, it broadcasts requests for a logon server. The first one to +reply gets the job and validates its password using whatever mechanism the Samba administrator has installed. +It is possible (but ill advised) to create a domain where the user database is not shared between servers; +that is, they are effectively workgroup servers advertising themselves as participating in a domain. This +demonstrates how authentication is quite different from but closely involved with domains. +</p><p> +Using these features, you can make your clients verify their logon via +the Samba server, make clients run a batch file when they log on to +the network and download their preferences, desktop, and start menu. +</p><p><span class="emphasis"><em> +MS Windows XP Home edition is not able to join a domain and does not permit the use of domain logons. +</em></span></p><p> +Before launching into the configuration instructions, it is worthwhile to look at how a Windows 9x/Me client +performs a logon: +</p><div class="orderedlist"><ol type="1"><li><p> + <a class="indexterm" name="id338336"></a> + <a class="indexterm" name="id338343"></a> + The client broadcasts (to the IP broadcast address of the subnet it is in) + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1C> at the + NetBIOS layer. The client chooses the first response it receives, which + contains the NetBIOS name of the logon server to use in the format of + <code class="filename">\\SERVER</code>. The <code class="literal">1C</code> name is the name + type that is registered by domain controllers (SMB/CIFS servers that provide + the netlogon service). + </p></li><li><p> + <a class="indexterm" name="id338376"></a> + <a class="indexterm" name="id338383"></a> + <a class="indexterm" name="id338390"></a> + The client connects to that server, logs on (does an SMBsessetupX) and + then connects to the IPC$ share (using an SMBtconX). + </p></li><li><p> + <a class="indexterm" name="id338404"></a> + The client does a NetWkstaUserLogon request, which retrieves the name + of the user's logon script. + </p></li><li><p> + The client then connects to the NetLogon share and searches for said script. + If it is found and can be read, it is retrieved and executed by the client. + After this, the client disconnects from the NetLogon share. + </p></li><li><p> + <a class="indexterm" name="id338427"></a> + <a class="indexterm" name="id338434"></a> + The client sends a NetUserGetInfo request to the server to retrieve + the user's home share, which is used to search for profiles. Since the + response to the NetUserGetInfo request does not contain much more than + the user's home share, profiles for Windows 9x clients must reside in the user + home directory. + </p></li><li><p> + <a class="indexterm" name="id338450"></a> + The client connects to the user's home share and searches for the + user's profile. As it turns out, you can specify the user's home share as + a share name and path. For example, <code class="filename">\\server\fred\.winprofile</code>. + If the profiles are found, they are implemented. + </p></li><li><p> + <a class="indexterm" name="id338471"></a> + The client then disconnects from the user's home share and reconnects to + the NetLogon share and looks for <code class="filename">CONFIG.POL</code>, the policies file. If this is + found, it is read and implemented. + </p></li></ol></div><p> +The main difference between a PDC and a Windows 9x/Me logon server configuration is: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id338498"></a> + <a class="indexterm" name="id338507"></a> + Password encryption is not required for a Windows 9x/Me logon server. But note + that beginning with MS Windows 98 the default setting is that plaintext + password support is disabled. It can be re-enabled with the registry + changes that are documented in <a href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account Policies</a>. + </p></li><li><p> + <a class="indexterm" name="id338527"></a> + Windows 9x/Me clients do not require and do not use Machine Trust Accounts. + </p></li></ul></div><p> +<a class="indexterm" name="id338539"></a> +A Samba PDC will act as a Windows 9x/Me logon server; after all, it does provide the +network logon services that MS Windows 9x/Me expect to find. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id338551"></a> +Use of plaintext passwords is strongly discouraged. Where used they are easily detected +using a sniffer tool to examine network traffic. +</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338563"></a>Security Mode and Master Browsers</h3></div></div></div><p> +<a class="indexterm" name="id338571"></a> +<a class="indexterm" name="id338577"></a> +<a class="indexterm" name="id338584"></a> +There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue +of whether it is okay to configure Samba as a domain controller that operates with security mode other than +user-mode. The only security mode that will not work due to technical reasons is share-mode security. Domain +and server mode security are really just a variation on SMB user-level security. +</p><p> +<a class="indexterm" name="id338598"></a> +<a class="indexterm" name="id338605"></a> +<a class="indexterm" name="id338611"></a> +<a class="indexterm" name="id338618"></a> +<a class="indexterm" name="id338624"></a> +<a class="indexterm" name="id338631"></a> +<a class="indexterm" name="id338638"></a> +Actually, this issue is also closely tied to the debate on whether Samba must be the DMB for its workgroup +when operating as a domain controller. In a pure Microsoft Windows NT domain, the PDC wins the election to be +the DMB, and then registers the DOMAIN<1B> NetBIOS name. This is not the name used by Windows clients +to locate the domain controller, all domain controllers register the DOMAIN<1C> name and Windows clients +locate a network logon server by seraching for the DOMAIN<1C> name. A DMB is a Domain Master Browser + see <a href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">The Network Browsing Chapter</a>, <a href="NetworkBrowsing.html#DMB" title="Configuring Workgroup Browsing">Configuring WORKGROUP Browsing</a>; Microsoft PDCs expect to win the election to become the +DMB, if it loses that election it will report a continuous and rapid sequence of warning messages to its +Windows event logger complaining that it has lost the election to become a DMB. For this reason, in networks +where a Samba server is the PDC it is wise to configure the Samba domain controller as the DMB. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id338679"></a> +<a class="indexterm" name="id338685"></a> +<a class="indexterm" name="id338692"></a> +<a class="indexterm" name="id338699"></a> +<a class="indexterm" name="id338706"></a> +SMB/CIFS servers that register the DOMAIN<1C> name do so because they provide the network logon +service. Server that register the DOMAIN<1B> name are DMBs meaning that they are responsible +for browse list synchronization across all machines that have registered the DOMAIN<1D> name. The later +are LMBs that have the responsibility to listen to all NetBIOS name registrations that occur locally to their +own network segment. The network logon service (NETLOGON) is germane to domain control and has nothing to do +with network browsing and browse list management. The 1C and 1B/1D name services are orthogonal to each +other. +</p></div><p> +Now back to the issue of configuring a Samba domain controller to use a mode other than <a class="indexterm" name="id338737"></a>security = user. If a Samba host is configured to use another SMB server or domain +controller in order to validate user connection requests, it is a fact that some other machine on the network +(the <a class="indexterm" name="id338745"></a>password server) knows more about the user than the Samba host. About 99 percent +of the time, this other host is a domain controller. Now to operate in domain mode security, the +<a class="indexterm" name="id338754"></a>workgroup parameter must be set to the name of the Windows NT domain (which already +has a domain controller). If the domain does not already have a domain controller, you do not yet have a +domain. +</p><p> +Configuring a Samba box as a domain controller for a domain that already by definition has a +PDC is asking for trouble. Therefore, you should always configure the Samba domain controller +to be the DMB for its domain and set <a class="indexterm" name="id338767"></a>security = user. +This is the only officially supported mode of operation. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338778"></a>Common Errors</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338784"></a>“<span class="quote">$</span>” Cannot Be Included in Machine Name</h3></div></div></div><p> +<a class="indexterm" name="id338794"></a> +<a class="indexterm" name="id338800"></a> +<a class="indexterm" name="id338807"></a> +A machine account, typically stored in <code class="filename">/etc/passwd</code>, takes the form of the machine +name with a “<span class="quote">$</span>” appended. Some BSD systems will not create a user with a “<span class="quote">$</span>” in the name. +Recent versions of FreeBSD have removed this limitation, but older releases are still in common use. +</p><p> +<a class="indexterm" name="id338832"></a> +The problem is only in the program used to make the entry. Once made, it works perfectly. Create a user +without the “<span class="quote">$</span>”. Then use <code class="literal">vipw</code> to edit the entry, adding the “<span class="quote">$</span>”. +Or create the whole entry with vipw if you like; make sure you use a unique user login ID. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The machine account must have the exact name that the workstation has.</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The UNIX tool <code class="literal">vipw</code> is a common tool for directly editing the <code class="filename">/etc/passwd</code> file. +The use of vipw will ensure that shadow files (where used) will remain current with the passwd file. This is +important for security reasons. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338878"></a>Joining Domain Fails Because of Existing Machine Account</h3></div></div></div><p> +<a class="indexterm" name="id338887"></a> +“<span class="quote">I get told, `You already have a connection to the Domain....' or `Cannot join domain, the +credentials supplied conflict with an existing set...' when creating a Machine Trust Account.</span>” +</p><p> +This happens if you try to create a Machine Trust Account from the machine itself and already have a +connection (e.g., mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all +network drive connections: +</p><pre class="screen"> +<code class="prompt">C:\> </code><strong class="userinput"><code>net use * /d</code></strong> +</pre><p> +This will break all network connections. +</p><p> +Further, if the machine is already a “<span class="quote">member of a workgroup</span>” that is the same name as the domain +you are joining (bad idea), you will get this message. Change the workgroup name to something else +it does not matter what reboot, and try again. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338937"></a>The System Cannot Log You On (C000019B)</h3></div></div></div><p>“<span class="quote"> +I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, +<span class="errorname">`The system cannot log you on (C000019B). Please try again or consult your system +administrator</span> when attempting to logon.'</span>” +</p><p> +<a class="indexterm" name="id338955"></a> +This occurs when the domain SID stored in the secrets.tdb database is changed. The most common cause of a +change in domain SID is when the domain name and/or the server name (NetBIOS name) is changed. The only way +to correct the problem is to restore the original domain SID or remove the domain client from the domain and +rejoin. The domain SID may be reset using either the net or rpcclient utilities. +</p><p> +To reset or change the domain SID you can use the net command as follows: + +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>net getlocalsid 'OLDNAME'</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>net setlocalsid 'SID'</code></strong> +</pre><p> +</p><p> +Workstation Machine Trust Accounts work only with the domain (or network) SID. If this SID changes, +domain members (workstations) will not be able to log onto the domain. The original domain SID +can be recovered from the secrets.tdb file. The alternative is to visit each workstation to rejoin +it to the domain. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id339004"></a>The Machine Trust Account Is Not Accessible</h3></div></div></div><p> +“<span class="quote">When I try to join the domain I get the message, <span class="errorname">"The machine account +for this computer either does not exist or is not accessible</span>." What's wrong?</span>” +</p><p> +This problem is caused by the PDC not having a suitable Machine Trust Account. If you are using the +<a class="indexterm" name="id339024"></a>add machine script method to create accounts, then this would indicate that it has not +worked. Ensure the domain admin user system is working. +</p><p> +Alternately, if you are creating account entries manually, then they have not been created correctly. Make +sure that you have the entry correct for the Machine Trust Account in <code class="filename">smbpasswd</code> file on +the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure +that the account name is the machine NetBIOS name with a “<span class="quote">$</span>” appended to it (i.e., +computer_name$). There must be an entry in both the POSIX UNIX system account backend as well as in the +SambaSAMAccount backend. The default backend for Samba-3 (i.e., the parameter <em class="parameter"><code>passdb +backend</code></em> is not specified in the <code class="filename">smb.conf</code> file, or if specified is set to +<code class="literal">smbpasswd</code>, are respectively the <code class="filename">/etc/passwd</code> and +<code class="filename">/etc/samba/smbpasswd</code> (or <code class="filename">/usr/local/samba/lib/private/smbpasswd</code> if +compiled using Samba Team default settings). The use of the <code class="filename">/etc/passwd</code> can be overridden +by alternative settings in the NSS <code class="filename">/etc/nsswitch.conf</code> file. +</p><p> +Some people have also reported that inconsistent subnet masks between the Samba server and the NT +client can cause this problem. Make sure that these are consistent for both client and server. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id339105"></a>Account Disabled</h3></div></div></div><p>“<span class="quote">When I attempt to log in to a Samba domain from a NT4/W200x workstation, +I get a message about my account being disabled.</span>”</p><p> +Enable the user accounts with <strong class="userinput"><code>smbpasswd -e <em class="replaceable"><code>username</code></em> +</code></strong>. This is normally done as an account is created. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id339131"></a>Domain Controller Unavailable</h3></div></div></div><p>“<span class="quote">Until a few minutes after Samba has started, clients get the error `Domain Controller Unavailable'</span>”</p><p> +A domain controller has to announce its role on the network. This usually takes a while. Be patient for up to 15 minutes, +then try again. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id339147"></a>Cannot Log onto Domain Member Workstation After Joining Domain</h3></div></div></div><p> +<a class="indexterm" name="id339155"></a> +<a class="indexterm" name="id339162"></a> +After successfully joining the domain, user logons fail with one of two messages: one to the +effect that the domain controller cannot be found; the other claims that the account does not +exist in the domain or that the password is incorrect. This may be due to incompatible +settings between the Windows client and the Samba-3 server for <span class="emphasis"><em>schannel</em></span> +(secure channel) settings or <span class="emphasis"><em>smb signing</em></span> settings. Check your Samba +settings for <span class="emphasis"><em>client schannel</em></span>, <span class="emphasis"><em>server schannel</em></span>, +<span class="emphasis"><em>client signing</em></span>, <span class="emphasis"><em>server signing</em></span> by executing: +</p><pre class="screen"> +<code class="literal">testparm -v | grep channel</code> and looking for the value of these parameters. +</pre><p> +</p><p> +Also use the MMC Local Security Settings. This tool is available from the +Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by +<span class="emphasis"><em>Secure Channel:..., and Digitally sign...</em></span>. +</p><p> +It is important that these be set consistently with the Samba-3 server settings. +</p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id336470" href="#id336470">1</a>] </sup>See also <a href="passdb.html" title="Chapter 11. Account Information Databases">Account Information +Databases</a>.</p>.</div><div class="footnote"><p><sup>[<a name="ftn.id336920" href="#id336920">2</a>] </sup>See <a href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a>, and + <a href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba">Integrating MS Windows Networks with Samba</a>.</p></div><div class="footnote"><p><sup>[<a name="ftn.id337195" href="#id337195">3</a>] </sup>See <a href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network +Browsing</a>.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Server Types and Security Modes </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Backup Domain Control</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/samba.css b/docs/htmldocs/Samba3-HOWTO/samba.css new file mode 100644 index 0000000000..3d926e8e74 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/samba.css @@ -0,0 +1,80 @@ +BODY { + font-family: helvetica, arial, lucida sans, sans-serif; + background-color: white; +} + +H1, H2, H3 { + color: blue; + font-size: 120%; + padding: 2px; + margin-top: 0px; +} + +H1 { + background-color: #EEEEFF; + color: blue; +} + +H2 { + background-color: #DDDDFF; + color: blue; +} + +H3 { + background-color: #CCCCFF; + color: blue; +} + +H4 { + color: blue; +} + +TR.qandadiv TD { + padding-top: 1em; +} + +DIV.navhead { + font-size: 80%; +} + +A:link { + color: #36F; +} + +A:visited { + color: #96C; +} + +A:active { + color: #F63; +} + +TR.question { + color: #33C; + font-weight: bold; +} + +TR.question TD { + padding-top: 1em; +} + +DIV.variablelist { + padding-left: 2em; + color: #33C; +} + +P { + color: black; +} + +DIV.note, DIV.warning, DIV.caution, DIV.tip, DIV.important { + border: dashed 1px; + background-color: #EEEEFF; + width: 40em; +} + +PRE.programlisting, PRE.screen { + border: #630 1px dashed; + color: #630; +} + diff --git a/docs/htmldocs/Samba3-HOWTO/securing-samba.html b/docs/htmldocs/Samba3-HOWTO/securing-samba.html new file mode 100644 index 0000000000..d0f7f2c62e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/securing-samba.html @@ -0,0 +1,263 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 18. Securing Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="locking.html" title="Chapter 17. File and Record Locking"><link rel="next" href="InterdomainTrusts.html" title="Chapter 19. Interdomain Trust Relationships"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 18. Securing Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="securing-samba"></a>Chapter 18. Securing Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 26, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="securing-samba.html#id387214">Introduction</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id387302">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id387436">Technical Discussion of Protective Measures and Issues</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id387449">Using Host-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387586">User-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387645">Using Interface Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#firewallports">Using a Firewall</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id387974">Using IPC$ Share-Based Denials </a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id388109">NTLMv2 Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="securing-samba.html#id388158">Upgrading Samba</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id388198">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id388210">Smbclient Works on Localhost, but the Network Is Dead</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id388235">Why Can Users Access Other Users' Home Directories?</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387214"></a>Introduction</h2></div></div></div><p> +<a class="indexterm" name="id387222"></a> +<a class="indexterm" name="id387228"></a> +<a class="indexterm" name="id387235"></a> +<a class="indexterm" name="id387242"></a> +<a class="indexterm" name="id387249"></a> +<a class="indexterm" name="id387256"></a> +<a class="indexterm" name="id387262"></a> +The information contained in this chapter applies in general to all Samba installations. Security is +everyone's concern in the information technology world. A surprising number of Samba servers are being +installed on machines that have direct internet access, thus security is made more critical than it would have been had the +server been located behind a firewall and on a private network. Paranoia regarding server security is causing +some network administrators to insist on the installation of robust firewalls even on servers that are located +inside secured networks. This chapter provides information to assist the administrator who understands +how to create the needed barriers and deterents against “<span class="quote">the enemy</span>”, no matter where [s]he may +come from. +</p><div class="blockquote"><blockquote class="blockquote"><p> +A new apprentice reported for duty to the chief engineer of a boiler house. He said, “<span class="quote">Here I am, +if you will show me the boiler I'll start working on it.</span>” Then engineer replied, “<span class="quote">You're leaning +on it!</span>” +</p></blockquote></div><p> +Security concerns are just like that. You need to know a little about the subject to appreciate +how obvious most of it really is. The challenge for most of us is to discover that first morsel +of knowledge with which we may unlock the secrets of the masters. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387302"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id387309"></a> +<a class="indexterm" name="id387316"></a> +<a class="indexterm" name="id387323"></a> +<a class="indexterm" name="id387330"></a> +There are three levels at which security principles must be observed in order to render a site +at least moderately secure. They are the perimeter firewall, the configuration of the host +server that is running Samba, and Samba itself. +</p><p> +Samba permits a most flexible approach to network security. As far as possible Samba implements +the latest protocols to permit more secure MS Windows file and print operations. +</p><p> +<a class="indexterm" name="id387347"></a> +<a class="indexterm" name="id387353"></a> +<a class="indexterm" name="id387360"></a> +Samba can be secured from connections that originate from outside the local network. This can be done using +<span class="emphasis"><em>host-based protection</em></span>, using Samba's implementation of a technology known as +“<span class="quote">tcpwrappers,</span>” or it may be done be using <span class="emphasis"><em>interface-based exclusion</em></span> so +<span class="application">smbd</span> will bind only to specifically permitted interfaces. It is also possible to set specific share- or +resource-based exclusions, for example, on the <em class="parameter"><code>[IPC$]</code></em> autoshare. The <em class="parameter"><code>[IPC$]</code></em> share is used for browsing purposes as well as to establish TCP/IP connections. +</p><p> +<a class="indexterm" name="id387403"></a> +<a class="indexterm" name="id387412"></a> +<a class="indexterm" name="id387418"></a> +Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access +Control List (ACL) on the shares themselves. This is discussed in +<a href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">File, Directory, and Share Access Controls</a>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387436"></a>Technical Discussion of Protective Measures and Issues</h2></div></div></div><p> +The key challenge of security is that protective measures suffice at best +only to close the door on known exploits and breach techniques. Never assume that +because you have followed these few measures, the Samba server is now an impenetrable +fortress! Given the history of information systems so far, it is only a matter of time +before someone will find yet another vulnerability. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id387449"></a>Using Host-Based Protection</h3></div></div></div><p> +<a class="indexterm" name="id387456"></a> +<a class="indexterm" name="id387463"></a> +<a class="indexterm" name="id387470"></a> + In many installations of Samba, the greatest threat comes from outside + your immediate network. By default, Samba accepts connections from + any host, which means that if you run an insecure version of Samba on + a host that is directly connected to the Internet, you can be + especially vulnerable. + </p><p> +<a class="indexterm" name="id387482"></a> +<a class="indexterm" name="id387489"></a> + One of the simplest fixes in this case is to use the <a class="indexterm" name="id387497"></a>hosts allow and + <a class="indexterm" name="id387504"></a>hosts deny options in the Samba <code class="filename">smb.conf</code> configuration file to + allow access to your server only from a specific range of hosts. An example might be: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id387523"></a><em class="parameter"><code>hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24</code></em></td></tr><tr><td><a class="indexterm" name="id387536"></a><em class="parameter"><code>hosts deny = 0.0.0.0/0</code></em></td></tr></table><p> + </p><p> +<a class="indexterm" name="id387552"></a> +<a class="indexterm" name="id387558"></a> +<a class="indexterm" name="id387565"></a> + The above will allow SMB connections only from <code class="constant">localhost</code> (your own + computer) and from the two private networks 192.168.2 and 192.168.3. All other + connections will be refused as soon as the client sends its first packet. The refusal + will be marked as <code class="literal">not listening on called name</code> error. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id387586"></a>User-Based Protection</h3></div></div></div><p> + If you want to restrict access to your server to valid users only, then the following + method may be of use. In the <code class="filename">smb.conf</code> <em class="parameter"><code>[global]</code></em> section put: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id387612"></a><em class="parameter"><code>valid users = @smbusers, jacko</code></em></td></tr></table><p> + </p><p> +<a class="indexterm" name="id387628"></a> + This restricts all server access either to the user <span class="emphasis"><em>jacko</em></span> + or to members of the system group <span class="emphasis"><em>smbusers</em></span>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id387645"></a>Using Interface Protection</h3></div></div></div><p> +<a class="indexterm" name="id387653"></a> +<a class="indexterm" name="id387659"></a> +<a class="indexterm" name="id387666"></a> + By default, Samba accepts connections on any network interface that + it finds on your system. That means if you have an ISDN line or a PPP + connection to the Internet then Samba will accept connections on those + links. This may not be what you want. + </p><p> + You can change this behavior using options like this: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id387685"></a><em class="parameter"><code>interfaces = eth* lo</code></em></td></tr><tr><td><a class="indexterm" name="id387697"></a><em class="parameter"><code>bind interfaces only = yes</code></em></td></tr></table><p> + </p><p> +<a class="indexterm" name="id387713"></a> +<a class="indexterm" name="id387720"></a> +<a class="indexterm" name="id387727"></a> +<a class="indexterm" name="id387733"></a> + This tells Samba to listen for connections only on interfaces with a name starting with + <code class="constant">eth</code> such as <code class="constant">eth0</code> or <code class="constant">eth1</code>, plus on the loopback interface called + <code class="constant">lo</code>. The name you will need to use depends on what OS you are using. In the above, I used + the common name for Ethernet adapters on Linux. + </p><p> +<a class="indexterm" name="id387760"></a> +<a class="indexterm" name="id387767"></a> +<a class="indexterm" name="id387774"></a> +<a class="indexterm" name="id387780"></a> + If you use the above and someone tries to make an SMB connection to your host over a PPP interface called + <code class="constant">ppp0</code>, then [s]he will get a TCP connection refused reply. In that case, no Samba code + is run at all, because the operating system has been told not to pass connections from that interface to any + Samba process. However, the refusal helps a would-be cracker by confirming that the IP address provides + valid active services. + </p><p> +<a class="indexterm" name="id387798"></a> +<a class="indexterm" name="id387805"></a> +<a class="indexterm" name="id387811"></a> +<a class="indexterm" name="id387818"></a> +<a class="indexterm" name="id387825"></a> + A better response would be to ignore the connection (from, for example, ppp0) altogether. The + advantage of ignoring the connection attempt, as compared with refusing it, is that it foils those who + probe an interface with the sole intention of finding valid IP addresses for later use in exploitation + or denial of service attacks. This method of dealing with potential malicious activity demands the + use of appropriate firewall mechanisms. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="firewallports"></a>Using a Firewall</h3></div></div></div><p> +<a class="indexterm" name="id387849"></a> +<a class="indexterm" name="id387856"></a> +<a class="indexterm" name="id387863"></a> + Many people use a firewall to deny access to services they do not want exposed outside their network. This can + be a good idea, although I recommend using it in conjunction with the above methods so you are protected even + if your firewall is not active for some reason. + </p><p> + If you are setting up a firewall, you need to know what TCP and UDP ports to allow and block. Samba uses + the following: +<a class="indexterm" name="id387877"></a> +<a class="indexterm" name="id387883"></a> +<a class="indexterm" name="id387890"></a> +<a class="indexterm" name="id387897"></a> +<a class="indexterm" name="id387904"></a> + </p><table class="simplelist" border="0" summary="Simple list"><tr><td>Port 135/TCP - used by smbd</td></tr><tr><td>Port 137/UDP - used by nmbd</td></tr><tr><td>Port 138/UDP - used by nmbd</td></tr><tr><td>Port 139/TCP - used by smbd</td></tr><tr><td>Port 445/TCP - used by smbd</td></tr></table><p> +<a class="indexterm" name="id387937"></a> + The last one is important because many older firewall setups may not be aware of it, given that this port + was only added to the protocol in recent years. + </p><p> +<a class="indexterm" name="id387949"></a> +<a class="indexterm" name="id387956"></a> +<a class="indexterm" name="id387962"></a> + When configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and + therefore should be permitted through the firewall. It is prudent to block incoming packets on the high order + ports except for established connections. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id387974"></a>Using IPC$ Share-Based Denials </h3></div></div></div><p> +<a class="indexterm" name="id387982"></a> +<a class="indexterm" name="id387988"></a> +<a class="indexterm" name="id387995"></a> + If the above methods are not suitable, then you could also place a more specific deny on the IPC$ share that + is used in the recently discovered security hole. This allows you to offer access to other shares while + denying access to IPC$ from potentially untrustworthy hosts. + </p><p> + To do this you could use: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id388022"></a><em class="parameter"><code>hosts allow = 192.168.115.0/24 127.0.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id388035"></a><em class="parameter"><code>hosts deny = 0.0.0.0/0</code></em></td></tr></table><p> + </p><p> +<a class="indexterm" name="id388051"></a> +<a class="indexterm" name="id388058"></a> +<a class="indexterm" name="id388065"></a> + This instructs Samba that IPC$ connections are not allowed from anywhere except the two listed network + addresses (localhost and the 192.168.115 subnet). Connections to other shares are still allowed. Because the + IPC$ share is the only share that is always accessible anonymously, this provides some level of protection + against attackers who do not know a valid username/password for your host. + </p><p> +<a class="indexterm" name="id388078"></a> +<a class="indexterm" name="id388085"></a> +<a class="indexterm" name="id388092"></a> + If you use this method, then clients will be given an <code class="literal">`access denied'</code> reply when they try + to access the IPC$ share. Those clients will not be able to browse shares and may also be unable to access + some other resources. This is not recommended unless for some reason you cannot use one of the other methods + just discussed. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388109"></a>NTLMv2 Security</h3></div></div></div><p> +<a class="indexterm" name="id388117"></a> + To configure NTLMv2 authentication, the following registry keys are worth knowing about: + </p><p> + </p><pre class="screen"> + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] + "lmcompatibilitylevel"=dword:00000003 + </pre><p> + </p><p> + The value 0x00000003 means to send NTLMv2 response only. Clients will use NTLMv2 authentication; + use NTLMv2 session security if the server supports it. Domain controllers accept LM, + NTLM, and NTLMv2 authentication. + </p><p> + </p><pre class="screen"> + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] + "NtlmMinClientSec"=dword:00080000 + </pre><p> + </p><p> + The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or + NtlmMinServerSec is set to 0x00080000, the connection will fail if NTLMv2 + session security is negotiated. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388158"></a>Upgrading Samba</h2></div></div></div><p> +<a class="indexterm" name="id388165"></a> +<a class="indexterm" name="id388172"></a> +<a class="indexterm" name="id388179"></a> +Please check regularly on <a href="http://www.samba.org/" target="_top">http://www.samba.org/</a> for +updates and important announcements. Occasionally security releases are made, and it is highly recommended to +upgrade Samba promptly when a security vulnerability is discovered. Check with your OS vendor for OS-specific +upgrades. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388198"></a>Common Errors</h2></div></div></div><p> +If all Samba and host platform configurations were really as intuitive as one might like them to be, this +chapter would not be necessary. Security issues are often vexing for a support person to resolve, not because +of the complexity of the problem, but because most administrators who post what turns out to be a security +problem request are totally convinced that the problem is with Samba. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388210"></a>Smbclient Works on Localhost, but the Network Is Dead</h3></div></div></div><p> + This is a common problem. Linux vendors tend to install a default firewall. + With the default firewall in place, only traffic on the loopback adapter (IP address 127.0.0.1) + is allowed through the firewall. + </p><p> + The solution is either to remove the firewall (stop it) or modify the firewall script to + allow SMB networking traffic through. See <a href="securing-samba.html#firewallports" title="Using a Firewall">the Using a + Firewall</a> section. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388235"></a>Why Can Users Access Other Users' Home Directories?</h3></div></div></div><p> + “<span class="quote"> +<a class="indexterm" name="id388245"></a> +<a class="indexterm" name="id388252"></a> + We are unable to keep individual users from mapping to any other user's home directory once they have + supplied a valid password! They only need to enter their own password. I have not found any method to + configure Samba so that users may map only their own home directory. + </span>” + </p><p>“<span class="quote"> + User xyzzy can map his home directory. Once mapped, user xyzzy can also map anyone else's home directory. + </span>”</p><p> +<a class="indexterm" name="id388270"></a> +<a class="indexterm" name="id388277"></a> + This is not a security flaw, it is by design. Samba allows users to have exactly the same access to the UNIX + file system as when they were logged on to the UNIX box, except that it only allows such views onto the file + system as are allowed by the defined shares. + </p><p> +<a class="indexterm" name="id388290"></a> +<a class="indexterm" name="id388296"></a> + If your UNIX home directories are set up so that one user can happily <code class="literal">cd</code> + into another user's directory and execute <code class="literal">ls</code>, the UNIX security solution is to change file + permissions on the user's home directories so that the <code class="literal">cd</code> and <code class="literal">ls</code> are denied. + </p><p> +<a class="indexterm" name="id388331"></a> +<a class="indexterm" name="id388338"></a> + Samba tries very hard not to second guess the UNIX administrator's security policies and + trusts the UNIX admin to set the policies and permissions he or she desires. + </p><p> + Samba allows the behavior you require. Simply put the <a class="indexterm" name="id388350"></a>only user = %S + option in the <em class="parameter"><code>[homes]</code></em> share definition. + </p><p> + The <a class="indexterm" name="id388367"></a>only user works in conjunction with the <a class="indexterm" name="id388374"></a>users = list, + so to get the behavior you require, add the line: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id388387"></a><em class="parameter"><code>users = %S</code></em></td></tr></table><p> + This is equivalent to adding + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id388406"></a><em class="parameter"><code>valid users = %S</code></em></td></tr></table><p> + to the definition of the <em class="parameter"><code>[homes]</code></em> share, as recommended in + the <code class="filename">smb.conf</code> man page. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 17. File and Record Locking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 19. Interdomain Trust Relationships</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/speed.html b/docs/htmldocs/Samba3-HOWTO/speed.html new file mode 100644 index 0000000000..809c443b48 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/speed.html @@ -0,0 +1,174 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 44. Samba Performance Tuning</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="Other-Clients.html" title="Chapter 43. Samba and Other CIFS Clients"><link rel="next" href="ch-ldap-tls.html" title="Chapter 45. LDAP and Transport Layer Security"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 44. Samba Performance Tuning</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="ch-ldap-tls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="speed"></a>Chapter 44. Samba Performance Tuning</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Paul</span> <span class="surname">Cochrane</span></h3><div class="affiliation"><span class="orgname">Dundee Limb Fitting Centre<br></span><div class="address"><p><code class="email"><<a href="mailto:paulc@dth.scot.nhs.uk">paulc@dth.scot.nhs.uk</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="speed.html#id452955">Comparisons</a></span></dt><dt><span class="sect1"><a href="speed.html#id452984">Socket Options</a></span></dt><dt><span class="sect1"><a href="speed.html#id453061">Read Size</a></span></dt><dt><span class="sect1"><a href="speed.html#id453095">Max Xmit</a></span></dt><dt><span class="sect1"><a href="speed.html#id453133">Log Level</a></span></dt><dt><span class="sect1"><a href="speed.html#id453152">Read Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id453197">Write Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id453234">Slow Logins</a></span></dt><dt><span class="sect1"><a href="speed.html#id453252">Client Tuning</a></span></dt><dt><span class="sect1"><a href="speed.html#id453271">Samba Performance Problem Due to Changing Linux Kernel</a></span></dt><dt><span class="sect1"><a href="speed.html#id453354">Corrupt tdb Files</a></span></dt><dt><span class="sect1"><a href="speed.html#id453443">Samba Performance is Very Slow</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452955"></a>Comparisons</h2></div></div></div><p> +The Samba server uses TCP to talk to the client, so if you are +trying to see if it performs well, you should really compare it to +programs that use the same protocol. The most readily available +programs for file transfer that use TCP are ftp or another TCP-based +SMB server. +</p><p> +If you want to test against something like an NT or Windows for Workgroups server, then +you will have to disable all but TCP on either the client or +server. Otherwise, you may well be using a totally different protocol +(such as NetBEUI) and comparisons may not be valid. +</p><p> +Generally, you should find that Samba performs similarly to ftp at raw +transfer speed. It should perform quite a bit faster than NFS, +although this depends on your system. +</p><p> +Several people have done comparisons between Samba and Novell, NFS, or +Windows NT. In some cases Samba performed the best, in others the worst. I +suspect the biggest factor is not Samba versus some other system, but the +hardware and drivers used on the various systems. Given similar +hardware, Samba should certainly be competitive in speed with other +systems. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452984"></a>Socket Options</h2></div></div></div><p> +There are a number of socket options that can greatly affect the +performance of a TCP-based server like Samba. +</p><p> +The socket options that Samba uses are settable both on the command +line with the <code class="option">-O</code> option and in the <code class="filename">smb.conf</code> file. +</p><p> +The <a class="indexterm" name="id453010"></a>socket options section of the <code class="filename">smb.conf</code> manual page describes how +to set these and gives recommendations. +</p><p> +Getting the socket options correct can make a big difference to your +performance, but getting them wrong can degrade it by just as +much. The correct settings are very dependent on your local network. +</p><p> +The socket option TCP_NODELAY is the one that seems to make the biggest single difference +for most networks. Many people report that adding +<a class="indexterm" name="id453033"></a>socket options = TCP_NODELAY +doubles the read performance of a Samba drive. The best explanation I have seen for +this is that the Microsoft TCP/IP stack is slow in sending TCP ACKs. +</p><p> +There have been reports that setting <em class="parameter"><code>socket options = SO_RCVBUF=8192</code></em> in smb.conf +can seriously degrade Samba performance on the loopback adaptor (IP Address 127.0.0.1). It is strongly +recommended that before specifying any settings for <em class="parameter"><code>socket options</code></em>, the effect +first be quantitatively measured on the server being configured. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453061"></a>Read Size</h2></div></div></div><p> +The option <a class="indexterm" name="id453069"></a>read size affects the overlap of disk +reads/writes with network reads/writes. If the amount of data being +transferred in several of the SMB commands (currently SMBwrite, SMBwriteX, and +SMBreadbraw) is larger than this value, then the server begins writing +the data before it has received the whole packet from the network, or +in the case of SMBreadbraw, it begins writing to the network before +all the data has been read from disk. +</p><p> +This overlapping works best when the speeds of disk and network access +are similar, having little effect when the speed of one is much +greater than the other. +</p><p> +The default value is 16384, but little experimentation has been +done as yet to determine the optimal value, and it is likely that the best +value will vary greatly between systems anyway. A value over 65536 is +pointless and will cause you to allocate memory unnecessarily. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453095"></a>Max Xmit</h2></div></div></div><p> + At startup the client and server negotiate a <em class="parameter"><code>maximum transmit</code></em> size, +which limits the size of nearly all SMB commands. You can set the +maximum size that Samba will negotiate using the <a class="indexterm" name="id453111"></a>max xmit option +in <code class="filename">smb.conf</code>. Note that this is the maximum size of SMB requests that +Samba will accept, but not the maximum size that the client will accept. +The client maximum receive size is sent to Samba by the client, and Samba +honors this limit. +</p><p> +It defaults to 65536 bytes (the maximum), but it is possible that some +clients may perform better with a smaller transmit unit. Trying values +of less than 2048 is likely to cause severe problems. +In most cases the default is the best option. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453133"></a>Log Level</h2></div></div></div><p> +If you set the log level (also known as <a class="indexterm" name="id453141"></a>debug level) higher than 2, +then you may suffer a large drop in performance. This is because the +server flushes the log file after each operation, which can be quite +expensive. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453152"></a>Read Raw</h2></div></div></div><p> +The <a class="indexterm" name="id453160"></a>read raw operation is designed to be an optimized, low-latency +file read operation. A server may choose to not support it, +however, and Samba makes support for <a class="indexterm" name="id453168"></a>read raw optional, with it +being enabled by default. +</p><p> +In some cases clients do not handle <a class="indexterm" name="id453179"></a>read raw very well and actually +get lower performance using it than they get using the conventional +read operations, so you might like to try <a class="indexterm" name="id453187"></a>read raw = no and see what happens on your +network. It might lower, raise, or not affect your performance. Only +testing can really tell. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453197"></a>Write Raw</h2></div></div></div><p> +The <a class="indexterm" name="id453205"></a>write raw operation is designed to be an optimized, low-latency +file write operation. A server may choose to not support it, however, and Samba makes support for +<a class="indexterm" name="id453214"></a>write raw optional, with it being enabled by default. +</p><p> +Some machines may find <a class="indexterm" name="id453224"></a>write raw slower than normal write, in which +case you may wish to change this option. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453234"></a>Slow Logins</h2></div></div></div><p> +Slow logins are almost always due to the password checking time. Using +the lowest practical <a class="indexterm" name="id453243"></a>password level will improve things. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453252"></a>Client Tuning</h2></div></div></div><p> +Often a speed problem can be traced to the client. The client (for +example Windows for Workgroups) can often be tuned for better TCP +performance. Check the sections on the various clients in +<a href="Other-Clients.html" title="Chapter 43. Samba and Other CIFS Clients">Samba and Other CIFS Clients</a>. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453271"></a>Samba Performance Problem Due to Changing Linux Kernel</h2></div></div></div><p> +A user wrote the following to the mailing list: +</p><div class="blockquote"><blockquote class="blockquote"><p> +<a class="indexterm" name="id453285"></a> +<a class="indexterm" name="id453291"></a> +I am running Gentoo on my server and Samba 2.2.8a. Recently I changed kernel versions from +<code class="filename">linux-2.4.19-gentoo-r10</code> to <code class="filename">linux-2.4.20-wolk4.0s</code>. Now I have a +performance issue with Samba. Many of you will probably say, “<span class="quote">Move to vanilla sources!</span>” Well, I +tried that and it didn't work. I have a 100MB LAN and two computers (Linux and Windows 2000). The Linux server +shares directories with DivX files, the client (Windows 2000) plays them via LAN. Before, when I was running +the 2.4.19 kernel, everything was fine, but now movies freeze and stop. I tried moving files between the +server and Windows, and it is terribly slow. +</p></blockquote></div><p> +The answer he was given is: +</p><div class="blockquote"><blockquote class="blockquote"><p> +<a class="indexterm" name="id453328"></a> +<a class="indexterm" name="id453335"></a> +<a class="indexterm" name="id453342"></a> +Grab the mii-tool and check the duplex settings on the NIC. My guess is that it is a link layer issue, not an +application layer problem. Also run ifconfig and verify that the framing error, collisions, and so on, look +normal for ethernet. +</p></blockquote></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453354"></a>Corrupt tdb Files</h2></div></div></div><p> +<a class="indexterm" name="id453362"></a> +<a class="indexterm" name="id453368"></a> +<a class="indexterm" name="id453375"></a> +Our Samba PDC server has been hosting three TB of data to our 500+ users [Windows NT/XP] for the last three +years using Samba without a problem. Today all shares went very slow. Also, the main smbd kept spawning new +processes, so we had 1600+ running SMDB's (normally we average 250). It crashed the SUN E3500 cluster twice. +After a lot of searching, I decided to <code class="literal">rm /var/locks/*.tdb</code>. Happy again. +</p><p> +<span class="emphasis"><em>Question:</em></span> Is there any method of keeping the *.tdb files in top condition, or +how can I detect early corruption? +</p><p> +<a class="indexterm" name="id453402"></a> +<a class="indexterm" name="id453409"></a> +<span class="emphasis"><em>Answer:</em></span> Yes, run <code class="literal">tdbbackup</code> each time after stopping nmbd and before starting nmbd. +</p><p> +<span class="emphasis"><em>Question:</em></span> What I also would like to mention is that the service latency seems +a lot lower than before the locks cleanup. Any ideas on keeping it top notch? +</p><p> +<span class="emphasis"><em>Answer:</em></span> Yes. Same answer as for previous question! +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453443"></a>Samba Performance is Very Slow</h2></div></div></div><p> +<a class="indexterm" name="id453451"></a> +A site reported experiencing very baffling symptoms with MYOB Premier opening and +accessing its data files. Some operations on the file would take between 40 and +45 seconds. +</p><p> +<a class="indexterm" name="id453463"></a> +<a class="indexterm" name="id453470"></a> +It turned out that the printer monitor program running on the Windows +clients was causing the problems. From the logs, we saw activity coming +through with pauses of about 1 second. +</p><p> +<a class="indexterm" name="id453481"></a> +<a class="indexterm" name="id453488"></a> +Stopping the monitor software resulted in the networks access at normal +(quick) speed. Restarting the program caused the speed to slow down +again. The printer was a Canon LBP-810 and the relevant task was +something like CAPON (not sure on spelling). The monitor software +displayed a "printing now" dialog on the client during printing. +</p><p> +We discovered this by starting with a clean install of Windows and +trying the application at every step of the installation of other software +process (we had to do this many times). +</p><p> +Moral of the story: Check everything (other software included)! +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch-ldap-tls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 43. Samba and Other CIFS Clients </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 45. LDAP and Transport Layer Security</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/troubleshooting.html b/docs/htmldocs/Samba3-HOWTO/troubleshooting.html new file mode 100644 index 0000000000..de8c782355 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/troubleshooting.html @@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 38. The Samba Checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Part V. Troubleshooting</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="diagnosis.html">38. The Samba Checklist</a></span></dt><dd><dl><dt><span class="sect1"><a href="diagnosis.html#id446161">Introduction</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id446194">Assumptions</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id446476">The Tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="problems.html">39. Analyzing and Solving Samba Problems</a></span></dt><dd><dl><dt><span class="sect1"><a href="problems.html#id448088">Diagnostics Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="problems.html#id448137">Debugging with Samba Itself</a></span></dt><dt><span class="sect2"><a href="problems.html#id448378">Tcpdump</a></span></dt><dt><span class="sect2"><a href="problems.html#id448426">Ethereal</a></span></dt><dt><span class="sect2"><a href="problems.html#id448565">The Windows Network Monitor</a></span></dt></dl></dd><dt><span class="sect1"><a href="problems.html#id448871">Useful URLs</a></span></dt><dt><span class="sect1"><a href="problems.html#id448906">Getting Mailing List Help</a></span></dt><dt><span class="sect1"><a href="problems.html#id449061">How to Get Off the Mailing Lists</a></span></dt></dl></dd><dt><span class="chapter"><a href="bugreport.html">40. Reporting Bugs</a></span></dt><dd><dl><dt><span class="sect1"><a href="bugreport.html#id449187">Introduction</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449267">General Information</a></span></dt><dt><span class="sect1"><a href="bugreport.html#dbglvl">Debug Levels</a></span></dt><dd><dl><dt><span class="sect2"><a href="bugreport.html#id449471">Debugging-Specific Operations</a></span></dt></dl></dd><dt><span class="sect1"><a href="bugreport.html#id449670">Internal Errors</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449791">Attaching to a Running Process</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id449906">Patches</a></span></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. SWAT: The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. The Samba Checklist</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/type.html b/docs/htmldocs/Samba3-HOWTO/type.html new file mode 100644 index 0000000000..98a6ceb8b3 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/type.html @@ -0,0 +1,5 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Server Configuration Basics</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="prev" href="FastStart.html" title="Chapter 2. Fast Start: Cure for Impatience"><link rel="next" href="ServerType.html" title="Chapter 3. Server Types and Security Modes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Server Configuration Basics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="type"></a>Part II. Server Configuration Basics</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id332776"></a>First Steps in Server Configuration</h1></div></div></div><p> +Samba can operate in various modes within SMB networks. This HOWTO section contains information on +configuring Samba to function as the type of server your network requires. Please read this +section carefully. +</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="ServerType.html">3. Server Types and Security Modes</a></span></dt><dd><dl><dt><span class="sect1"><a href="ServerType.html#id332909">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id333060">Server Types</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id333211">Samba Security Modes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id333359">User Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id333519">Share-Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id333691">Domain Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334182">ADS Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334332">Server Security (User Level Security)</a></span></dt></dl></dd><dt><span class="sect1"><a href="ServerType.html#id334587">Password Checking</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id334759">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id334776">What Makes Samba a Server?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334805">What Makes Samba a Domain Controller?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334843">What Makes Samba a Domain Member?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334868">Constantly Losing Connections to Password Server</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id334909">Stand-alone Server is converted to Domain Controller Now User accounts don't work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-pdc.html">4. Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-pdc.html#id335204">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335780">Single Sign-On and Domain Security</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id336284">Basics of Domain Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id336302">Domain Controller Types</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336759">Preparing for Domain Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id337213">Domain Control: Example Configuration</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id337966">Samba ADS Domain Control</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id338009">Domain and Network Logon Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id338026">Domain Network Logon Service</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338563">Security Mode and Master Browsers</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id338778">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id338784">“<span class="quote">$</span>” Cannot Be Included in Machine Name</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338878">Joining Domain Fails Because of Existing Machine Account</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id338937">The System Cannot Log You On (C000019B)</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339004">The Machine Trust Account Is Not Accessible</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339105">Account Disabled</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339131">Domain Controller Unavailable</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id339147">Cannot Log onto Domain Member Workstation After Joining Domain</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-bdc.html">5. Backup Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-bdc.html#id339320">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-bdc.html#id339696">Essential Background Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339760">MS Windows NT4-style Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340392">LDAP Configuration Notes</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340717">Active Directory Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340771">What Qualifies a Domain Controller on the Network?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id340853">How Does a Workstation find its Domain Controller?</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id341012">Backup Domain Controller Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id341471">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id341906">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id341947">Machine Accounts Keep Expiring</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id341995">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id342046">How Do I Replicate the smbpasswd File?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id342144">Can I Do This All with LDAP?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="domain-member.html">6. Domain Membership</a></span></dt><dd><dl><dt><span class="sect1"><a href="domain-member.html#id342376">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id343010">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343425">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343687">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id343788">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id344216">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344900">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id345150">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id345329">Configure <code class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346362">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id346431">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id346622">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id346656">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346726">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id346934">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="StandAloneServer.html">7. Standalone Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="StandAloneServer.html#id347049">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id347134">Background</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id347312">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></span></dt><dt><span class="sect2"><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></span></dt></dl></dd><dt><span class="sect1"><a href="StandAloneServer.html#id348271">Common Errors</a></span></dt></dl></dd><dt><span class="chapter"><a href="ClientConfig.html">8. MS Windows Network Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="ClientConfig.html#id348335">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ClientConfig.html#id348389">Technical Details</a></span></dt><dd><dl><dt><span class="sect2"><a href="ClientConfig.html#id348430">TCP/IP Configuration</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id350125">Joining a Domain: Windows 2000/XP Professional</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id350634">Domain Logon Configuration: Windows 9x/Me</a></span></dt></dl></dd><dt><span class="sect1"><a href="ClientConfig.html#id351062">Common Errors</a></span></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Fast Start: Cure for Impatience </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Server Types and Security Modes</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/unicode.html b/docs/htmldocs/Samba3-HOWTO/unicode.html new file mode 100644 index 0000000000..b461f6c311 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/unicode.html @@ -0,0 +1,317 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Unicode/Charsets</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba"><link rel="next" href="Backup.html" title="Chapter 31. Backup Techniques"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Unicode/Charsets</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unicode"></a>Chapter 30. Unicode/Charsets</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">TAKAHASHI</span> <span class="surname">Motonobu</span></h3><span class="contrib">Japanese character support</span> <div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:monyo@home.monyo.com">monyo@home.monyo.com</a>></code></p></div></div></div></div><div><p class="pubdate">25 March 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unicode.html#id434160">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434205">What Are Charsets and Unicode?</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434324">Samba and Charsets</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434440">Conversion from Old Names</a></span></dt><dt><span class="sect1"><a href="unicode.html#id434469">Japanese Charsets</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id434585">Basic Parameter Setting</a></span></dt><dt><span class="sect2"><a href="unicode.html#id435148">Individual Implementations</a></span></dt><dt><span class="sect2"><a href="unicode.html#id435264">Migration from Samba-2.2 Series</a></span></dt></dl></dd><dt><span class="sect1"><a href="unicode.html#id435399">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id435405">CP850.so Can't Be Found</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id434160"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id434168"></a> +Every industry eventually matures. One of the great areas of maturation is in +the focus that has been given over the past decade to make it possible for anyone +anywhere to use a computer. It has not always been that way. In fact, not so long +ago, it was common for software to be written for exclusive use in the country of +origin. +</p><p> +Of all the effort that has been brought to bear on providing native +language support for all computer users, the efforts of the +<a href="http://www.openi18n.org/" target="_top">Openi18n organization</a> +is deserving of special mention. +</p><p> +<a class="indexterm" name="id434191"></a> +Samba-2.x supported a single locale through a mechanism called +<span class="emphasis"><em>codepages</em></span>. Samba-3 is destined to become a truly transglobal +file- and printer-sharing platform. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id434205"></a>What Are Charsets and Unicode?</h2></div></div></div><p> +<a class="indexterm" name="id434213"></a> +Computers communicate in numbers. In texts, each number is +translated to a corresponding letter. The meaning that will be assigned +to a certain number depends on the <span class="emphasis"><em>character set (charset) +</em></span> that is used. +</p><p> +<a class="indexterm" name="id434229"></a> +<a class="indexterm" name="id434236"></a> +A charset can be seen as a table that is used to translate numbers to +letters. Not all computers use the same charset (there are charsets +with German umlauts, Japanese characters, and so on). The American Standard Code +for Information Interchange (ASCII) encoding system has been the normative character +encoding scheme used by computers to date. This employs a charset that contains +256 characters. Using this mode of encoding, each character takes exactly one byte. +</p><p> +<a class="indexterm" name="id434250"></a> +<a class="indexterm" name="id434256"></a> +There are also charsets that support extended characters, but those need at least +twice as much storage space as does ASCII encoding. Such charsets can contain +<code class="literal">256 * 256 = 65536</code> characters, which is more than all possible +characters one could think of. They are called multibyte charsets because they use +more then one byte to store one character. +</p><p> +<a class="indexterm" name="id434275"></a> +One standardized multibyte charset encoding scheme is known as +<a href="http://www.unicode.org/" target="_top">unicode</a>. A big advantage of using a +multibyte charset is that you only need one. There is no need to make sure two +computers use the same charset when they are communicating. +</p><p> +<a class="indexterm" name="id434293"></a> +<a class="indexterm" name="id434300"></a> +<a class="indexterm" name="id434307"></a> +Old Windows clients use single-byte charsets, named +<em class="parameter"><code>codepages</code></em>, by Microsoft. However, there is no support for +negotiating the charset to be used in the SMB/CIFS protocol. Thus, you +have to make sure you are using the same charset when talking to an older client. +Newer clients (Windows NT, 200x, XP) talk Unicode over the wire. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id434324"></a>Samba and Charsets</h2></div></div></div><p> +<a class="indexterm" name="id434332"></a> +<a class="indexterm" name="id434339"></a> +As of Samba-3, Samba can (and will) talk Unicode over the wire. Internally, +Samba knows of three kinds of character sets: +</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id434353"></a>unix charset</span></dt><dd><p> +<a class="indexterm" name="id434365"></a> +<a class="indexterm" name="id434372"></a> + This is the charset used internally by your operating system. + The default is <code class="constant">UTF-8</code>, which is fine for most + systems and covers all characters in all languages. The default + in previous Samba releases was to save filenames in the encoding of the + clients for example, CP850 for Western European countries. + </p></dd><dt><span class="term"><a class="indexterm" name="id434393"></a>display charset</span></dt><dd><p>This is the charset Samba uses to print messages + on your screen. It should generally be the same as the <em class="parameter"><code>unix charset</code></em>. + </p></dd><dt><span class="term"><a class="indexterm" name="id434416"></a>dos charset</span></dt><dd><p>This is the charset Samba uses when communicating with + DOS and Windows 9x/Me clients. It will talk Unicode to all newer clients. + The default depends on the charsets you have installed on your system. + Run <code class="literal">testparm -v | grep "dos charset"</code> to see + what the default is on your system. + </p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id434440"></a>Conversion from Old Names</h2></div></div></div><p> +<a class="indexterm" name="id434448"></a> +Because previous Samba versions did not do any charset conversion, +characters in filenames are usually not correct in the UNIX charset but only +for the local charset used by the DOS/Windows clients. +</p><p>Bjoern Jacke has written a utility named <a href="http://j3e.de/linux/convmv/" target="_top">convmv</a> +that can convert whole directory structures to different charsets with one single command. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id434469"></a>Japanese Charsets</h2></div></div></div><p> +Setting up Japanese charsets is quite difficult. This is mainly because: +</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id434484"></a> + The Windows character set is extended from the original legacy Japanese + standard (JIS X 0208) and is not standardized. This means that the strictly + standardized implementation cannot support the full Windows character set. + </p></li><li><p> +<a class="indexterm" name="id434497"></a> +<a class="indexterm" name="id434504"></a> +<a class="indexterm" name="id434511"></a> +<a class="indexterm" name="id434518"></a> +<a class="indexterm" name="id434524"></a> + Mainly for historical reasons, there are several encoding methods in + Japanese, which are not fully compatible with each other. There are + two major encoding methods. One is the Shift_JIS series used in Windows + and some UNIXes. The other is the EUC-JP series used in most UNIXes + and Linux. Moreover, Samba previously also offered several unique encoding + methods, named CAP and HEX, to keep interoperability with CAP/NetAtalk and + UNIXes that can't use Japanese filenames. Some implementations of the + EUC-JP series can't support the full Windows character set. + </p></li><li><p>There are some code conversion tables between Unicode and legacy + Japanese character sets. One is compatible with Windows, another one + is based on the reference of the Unicode consortium, and others are + a mixed implementation. The Unicode consortium does not officially + define any conversion tables between Unicode and legacy character + sets, so there cannot be standard one. + </p></li><li><p>The character set and conversion tables available in iconv() depend + on the iconv library that is available. Next to that, the Japanese locale + names may be different on different systems. This means that the value of + the charset parameters depends on the implementation of iconv() you are using. + </p><p> +<a class="indexterm" name="id434554"></a> +<a class="indexterm" name="id434560"></a> +<a class="indexterm" name="id434567"></a> +<a class="indexterm" name="id434574"></a> + Though 2-byte fixed UCS-2 encoding is used in Windows internally, + Shift_JIS series encoding is usually used in Japanese environments + as ASCII encoding is in English environments. + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id434585"></a>Basic Parameter Setting</h3></div></div></div><p> +<a class="indexterm" name="id434591"></a> + The <a class="indexterm" name="id434598"></a>dos charset and + <a class="indexterm" name="id434605"></a>display charset + should be set to the locale compatible with the character set + and encoding method used on Windows. This is usually CP932 + but sometimes has a different name. + </p><p> +<a class="indexterm" name="id434617"></a> +<a class="indexterm" name="id434624"></a> +<a class="indexterm" name="id434631"></a> + The <a class="indexterm" name="id434638"></a>unix charset can be either Shift_JIS series, + EUC-JP series, or UTF-8. UTF-8 is always available, but the availability of other locales + and the name itself depends on the system. + </p><p> + Additionally, you can consider using the Shift_JIS series as the + value of the <a class="indexterm" name="id434650"></a>unix charset + parameter by using the vfs_cap module, which does the same thing as + setting “<span class="quote">coding system = CAP</span>” in the Samba 2.2 series. + </p><p> + Where to set <a class="indexterm" name="id434665"></a>unix charset + to is a difficult question. Here is a list of details, advantages, and + disadvantages of using a certain value. + </p><div class="variablelist"><dl><dt><span class="term">Shift_JIS series</span></dt><dd><p> + Shift_JIS series means a locale that is equivalent to <code class="constant">Shift_JIS</code>, + used as a standard on Japanese Windows. In the case of <code class="constant">Shift_JIS</code>, + for example, if a Japanese filename consists of 0x8ba4 and 0x974c + (a 4-bytes Japanese character string meaning “<span class="quote">share</span>”) and “<span class="quote">.txt</span>” + is written from Windows on Samba, the filename on UNIX becomes + 0x8ba4, 0x974c, “<span class="quote">.txt</span>” (an 8-byte BINARY string), same as Windows. + </p><p>Since Shift_JIS series is usually used on some commercial-based + UNIXes; hp-ux and AIX as the Japanese locale (however, it is also possible + to use the EUC-JP locale series). To use Shift_JIS series on these platforms, + Japanese filenames created from Windows can be referred to also on + UNIX.</p><p> + If your UNIX is already working with Shift_JIS and there is a user + who needs to use Japanese filenames written from Windows, the + Shift_JIS series is the best choice. However, broken filenames + may be displayed, and some commands that cannot handle non-ASCII + filenames may be aborted during parsing filenames. Especially, there + may be “<span class="quote">\ (0x5c)</span>” in filenames, which need to be handled carefully. + It is best to not touch filenames written from Windows on UNIX. + </p><p> + Note that most Japanized free software actually works with EUC-JP + only. It is good practice to verify that the Japanized free software can work + with Shift_JIS. + </p></dd><dt><span class="term">EUC-JP series</span></dt><dd><p> +<a class="indexterm" name="id434738"></a> +<a class="indexterm" name="id434745"></a> + EUC-JP series means a locale that is equivalent to the industry + standard called EUC-JP, widely used in Japanese UNIX (although EUC + contains specifications for languages other than Japanese, such as + EUC-KR). In the case of EUC-JP series, for example, if a Japanese + filename consists of 0x8ba4 and 0x974c and “<span class="quote">.txt</span>” is written from + Windows on Samba, the filename on UNIX becomes 0xb6a6, 0xcdad, + “<span class="quote">.txt</span>” (an 8-byte BINARY string). + </p><p> +<a class="indexterm" name="id434766"></a> +<a class="indexterm" name="id434772"></a> +<a class="indexterm" name="id434779"></a> +<a class="indexterm" name="id434786"></a> +<a class="indexterm" name="id434793"></a> +<a class="indexterm" name="id434800"></a> +<a class="indexterm" name="id434806"></a> +<a class="indexterm" name="id434813"></a> +<a class="indexterm" name="id434820"></a> +<a class="indexterm" name="id434827"></a> + Since EUC-JP is usually used on open source UNIX, Linux, and FreeBSD, and on commercial-based UNIX, Solaris, + IRIX, and Tru64 UNIX as Japanese locale (however, it is also possible on Solaris to use Shift_JIS and UTF-8, + and on Tru64 UNIX it is possible to use Shift_JIS). To use EUC-JP series, most Japanese filenames created from + Windows can be referred to also on UNIX. Also, most Japanized free software works mainly with EUC-JP only. + </p><p> + It is recommended to choose EUC-JP series when using Japanese filenames on UNIX. + </p><p> + Although there is no character that needs to be carefully treated + like “<span class="quote">\ (0x5c)</span>”, broken filenames may be displayed and some + commands that cannot handle non-ASCII filenames may be aborted + during parsing filenames. + </p><p> +<a class="indexterm" name="id434854"></a> + Moreover, if you built Samba using differently installed libiconv, + the eucJP-ms locale included in libiconv and EUC-JP series locale + included in the operating system may not be compatible. In this case, you may need to + avoid using incompatible characters for filenames. + </p></dd><dt><span class="term">UTF-8</span></dt><dd><p> + UTF-8 means a locale equivalent to UTF-8, the international standard defined by the Unicode consortium. In + UTF-8, a <em class="parameter"><code>character</code></em> is expressed using 1 to 3 bytes. In case of the Japanese language, + most characters are expressed using 3 bytes. Since on Windows Shift_JIS, where a character is expressed with 1 + or 2 bytes is used to express Japanese, basically a byte length of a UTF-8 string the length of the UTF-8 + string is 1.5 times that of the original Shift_JIS string. In the case of UTF-8, for example, if a Japanese + filename consists of 0x8ba4 and 0x974c, and “<span class="quote">.txt</span>” is written from Windows on Samba, the filename + on UNIX becomes 0xe585, 0xb1e6, 0x9c89, “<span class="quote">.txt</span>” (a 10-byte BINARY string). + </p><p> + For systems where iconv() is not available or where iconv()'s locales + are not compatible with Windows, UTF-8 is the only locale available. + </p><p> + There are no systems that use UTF-8 as the default locale for Japanese. + </p><p> + Some broken filenames may be displayed, and some commands that + cannot handle non-ASCII filenames may be aborted during parsing + filenames. Especially, there may be “<span class="quote">\ (0x5c)</span>” in filenames, which + must be handled carefully, so you had better not touch filenames + written from Windows on UNIX. + </p><p> +<a class="indexterm" name="id434914"></a> +<a class="indexterm" name="id434921"></a> +<a class="indexterm" name="id434928"></a> + In addition, although it is not directly concerned with Samba, since + there is a delicate difference between the iconv() function, which is + generally used on UNIX, and the functions used on other platforms, + such as Windows and Java, so far is concerens the conversion between + Shift_JIS and Unicode UTF-8 must be done with care and recognition + of the limitations involved in the process. + </p><p> +<a class="indexterm" name="id434941"></a> + Although Mac OS X uses UTF-8 as its encoding method for filenames, + it uses an extended UTF-8 specification that Samba cannot handle, so + UTF-8 locale is not available for Mac OS X. + </p></dd><dt><span class="term">Shift_JIS series + vfs_cap (CAP encoding)</span></dt><dd><p> +<a class="indexterm" name="id434961"></a> +<a class="indexterm" name="id434968"></a> +<a class="indexterm" name="id434974"></a> + CAP encoding means a specification used in CAP and NetAtalk, file + server software for Macintosh. In the case of CAP encoding, for + example, if a Japanese filename consists of 0x8ba4 and 0x974c, and + “<span class="quote">.txt</span>” is written from Windows on Samba, the filename on UNIX + becomes “<span class="quote">:8b:a4:97L.txt</span>” (a 14 bytes ASCII string). + </p><p> + For CAP encoding, a byte that cannot be expressed as an ASCII + character (0x80 or above) is encoded in an “<span class="quote">:xx</span>” form. You need to take + care of containing a “<span class="quote">\(0x5c)</span>” in a filename, but filenames are not + broken in a system that cannot handle non-ASCII filenames. + </p><p> + The greatest merit of CAP encoding is the compatibility of encoding + filenames with CAP or NetAtalk. These are respectively the Columbia Appletalk + Protocol, and the NetAtalk Open Source software project. + Since these software applications write a file name on UNIX with CAP encoding, if a + directory is shared with both Samba and NetAtalk, you need to use + CAP encoding to avoid non-ASCII filenames from being broken. + </p><p> + However, recently, NetAtalk has been + patched on some systems to write filenames with EUC-JP (e.g., Japanese original Vine Linux). + In this case, you need to choose EUC-JP series instead of CAP encoding. + </p><p> + vfs_cap itself is available for non-Shift_JIS series locales for + systems that cannot handle non-ASCII characters or systems that + share files with NetAtalk. + </p><p> + To use CAP encoding on Samba-3, you should use the unix charset parameter and VFS + as in <a href="unicode.html#vfscap-intl" title="Example 30.1. VFS CAP">the VFS CAP smb.conf file</a>. + </p><div class="example"><a name="vfscap-intl"></a><p class="title"><b>Example 30.1. VFS CAP</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td># the locale name "CP932" may be different</td></tr><tr><td><a class="indexterm" name="id435060"></a><em class="parameter"><code>dos charset = CP932</code></em></td></tr><tr><td><a class="indexterm" name="id435073"></a><em class="parameter"><code>unix charset = CP932</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[cap-share]</code></em></td></tr><tr><td><a class="indexterm" name="id435094"></a><em class="parameter"><code>vfs option = cap</code></em></td></tr></table></div></div><br class="example-break"><p> +<a class="indexterm" name="id435110"></a> +<a class="indexterm" name="id435117"></a> +<a class="indexterm" name="id435124"></a> +<a class="indexterm" name="id435130"></a> + You should set CP932 if using GNU libiconv for unix charset. With this setting, + filenames in the “<span class="quote">cap-share</span>” share are written with CAP encoding. + </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id435148"></a>Individual Implementations</h3></div></div></div><p> +Here is some additional information regarding individual implementations: +</p><div class="variablelist"><dl><dt><span class="term">GNU libiconv</span></dt><dd><p> + To handle Japanese correctly, you should apply the patch + <a href="http://www2d.biglobe.ne.jp/~msyk/software/libiconv-patch.html" target="_top">libiconv-1.8-cp932-patch.diff.gz</a> + to libiconv-1.8. + </p><p> + Using the patched libiconv-1.8, these settings are available: + </p><pre class="programlisting"> +dos charset = CP932 +unix charset = CP932 / eucJP-ms / UTF-8 + | | + | +-- EUC-JP series + +-- Shift_JIS series +display charset = CP932 +</pre><p> + Other Japanese locales (for example, Shift_JIS and EUC-JP) should not + be used because of the lack of the compatibility with Windows. + </p></dd><dt><span class="term">GNU glibc</span></dt><dd><p> + To handle Japanese correctly, you should apply a <a href="http://www2d.biglobe.ne.jp/~msyk/software/glibc/" target="_top">patch</a> + to glibc-2.2.5/2.3.1/2.3.2 or should use the patch-merged versions, glibc-2.3.3 or later. + </p><p> + Using the above glibc, these setting are available: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id435216"></a><em class="parameter"><code>dos charset = CP932</code></em></td></tr><tr><td><a class="indexterm" name="id435229"></a><em class="parameter"><code>unix charset = CP932 / eucJP-ms / UTF-8</code></em></td></tr><tr><td><a class="indexterm" name="id435242"></a><em class="parameter"><code>display charset = CP932</code></em></td></tr></table><p> + </p><p> + Other Japanese locales (for example, Shift_JIS and EUC-JP) should not + be used because of the lack of the compatibility with Windows. + </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id435264"></a>Migration from Samba-2.2 Series</h3></div></div></div><p> +Prior to Samba-2.2 series, the “<span class="quote">coding system</span>” parameter was used. The default codepage in Samba +2.x was code page 850. In the Samba-3 series this has been replaced with the <a class="indexterm" name="id435277"></a>unix charset parameter. <a href="unicode.html#japancharsets" title="Table 30.1. Japanese Character Sets in Samba-2.2 and Samba-3">Japanese Character Sets in Samba-2.2 and Samba-3</a> +shows the mapping table when migrating from the Samba-2.2 series to Samba-3. +</p><div class="table"><a name="japancharsets"></a><p class="title"><b>Table 30.1. Japanese Character Sets in Samba-2.2 and Samba-3</b></p><div class="table-contents"><table summary="Japanese Character Sets in Samba-2.2 and Samba-3" border="1"><colgroup><col align="center"><col align="center"></colgroup><thead><tr><th align="center">Samba-2.2 Coding System</th><th align="center">Samba-3 unix charset</th></tr></thead><tbody><tr><td align="center">SJIS</td><td align="center">Shift_JIS series</td></tr><tr><td align="center">EUC</td><td align="center">EUC-JP series</td></tr><tr><td align="center">EUC3<sup>[<a name="id435349" href="#ftn.id435349">a</a>]</sup></td><td align="center">EUC-JP series</td></tr><tr><td align="center">CAP</td><td align="center">Shift_JIS series + VFS</td></tr><tr><td align="center">HEX</td><td align="center">currently none</td></tr><tr><td align="center">UTF8</td><td align="center">UTF-8</td></tr><tr><td align="center">UTF8-Mac<sup>[<a name="id435380" href="#ftn.id435380">b</a>]</sup></td><td align="center">currently none</td></tr><tr><td align="center">others</td><td align="center">none</td></tr></tbody><tbody class="footnotes"><tr><td colspan="2"><div class="footnote"><p><sup>[<a name="ftn.id435349" href="#id435349">a</a>] </sup>Only exists in Japanese Samba version</p></div><div class="footnote"><p><sup>[<a name="ftn.id435380" href="#id435380">b</a>] </sup>Only exists in Japanese Samba version</p></div></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id435399"></a>Common Errors</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id435405"></a>CP850.so Can't Be Found</h3></div></div></div><p>“<span class="quote">Samba is complaining about a missing <code class="filename">CP850.so</code> file.</span>”</p><p> + CP850 is the default <a class="indexterm" name="id435424"></a>dos charset. + The <a class="indexterm" name="id435431"></a>dos charset is used to convert data to the codepage used by your DOS clients. + If you do not have any DOS clients, you can safely ignore this message. </p><p> + CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed. + If you compiled Samba from source, make sure that the configure process found iconv. This can be + confirmed by checking the <code class="filename">config.log</code> file that is generated when + <code class="literal">configure</code> is executed.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. Integrating MS Windows Networks with Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Backup Techniques</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html b/docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html new file mode 100644 index 0000000000..86ec0e2a4e --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html @@ -0,0 +1,313 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 35. Updating and Upgrading Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 35. Updating and Upgrading Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 35. Updating and Upgrading Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">August 16, 2007</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id440059">Key Update Requirements</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440079">Upgrading from Samba-3.0.x to Samba-3.2.0</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440125">Quick Migration Guide</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id440251">New Featuers in Samba-3.x Series</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440260">New Features in Samba-3.2.x Series</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440270">New Features in Samba-3.0.x</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id441421">New Functionality</a></span></dt></dl></dd></dl></div><p> +This chapter provides a detailed record of changes made during the 3.x series releases. At this time this +series consists of the 3.0.x series that is under the GNU GPL version 2 license, and the Samba 3.2.x series +that is being released under the terms of the GNU GPL version 3 license. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id440059"></a>Key Update Requirements</h2></div></div></div><p> +Samba is a fluid product in which there may be significant changes between releases. Some of these changes are +brought about as a result of changes in the protocols that are used by Microsoft Windows network clients as a +result of security or functionality updates through official Microsoft patches and updates. Samba must track +such changes, particularly where they affect the internal operation of Samba itself. +</p><p> +Please refer to any notes below that make explicit mention of the version of Samba you are using. In general, +all changes that apply to a new release will apply to follow-on releases also. For example, changes to Samba +3.0.23 affect all releases up to an including 3.0.25 and later. Samba 3.2.x was originaly cut from Samba +3.0.25 before 3.2.0-specific changes were applied. Unless a 3.0.x series feature is specifically revoked, the +behavior of the 3.2.x series can be expected to follow the earlier pattern. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id440079"></a>Upgrading from Samba-3.0.x to Samba-3.2.0</h3></div></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="oldupdatenotes"></a>Upgrading from Samba-2.x to Samba-3.0.25</h3></div></div></div><p> +<a class="indexterm" name="id440100"></a> +<a class="indexterm" name="id440107"></a> +<a class="indexterm" name="id440114"></a> +This chapter deals exclusively with the differences between Samba-3.0.25 and Samba-2.2.8a. +It points out where configuration parameters have changed, and provides a simple guide for +the move from 2.2.x to 3.0.25. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id440125"></a>Quick Migration Guide</h3></div></div></div><p> +Samba-3.0.25 default behavior should be approximately the same as Samba-2.2.x. +The default behavior when the new parameter <a class="indexterm" name="id440134"></a>passdb backend +is not defined in the <code class="filename">smb.conf</code> file provides the same default behavior as Samba-2.2.x +with <a class="indexterm" name="id440147"></a>encrypt passwords = Yes and +will use the <code class="filename">smbpasswd</code> database. +</p><p> +<a class="indexterm" name="id440164"></a> +<a class="indexterm" name="id440171"></a> +So why say that <span class="emphasis"><em>behavior should be approximately the same as Samba-2.2.x</em></span>? Because +Samba-3.0.25 can negotiate new protocols, such as support for native Unicode, that may result in +differing protocol code paths being taken. The new behavior under such circumstances is not +exactly the same as the old one. The good news is that the domain and machine SIDs will be +preserved across the upgrade. +</p><p> +<a class="indexterm" name="id440188"></a> +<a class="indexterm" name="id440194"></a> +<a class="indexterm" name="id440201"></a> +<a class="indexterm" name="id440208"></a> +If the Samba-2.2.x system is using an LDAP backend, and there is no time to update the LDAP +database, then make sure that <a class="indexterm" name="id440216"></a>passdb backend = ldapsam_compat +is specified in the <code class="filename">smb.conf</code> file. For the rest, behavior should remain more or less the same. +At a later date, when there is time to implement a new Samba-3-compatible LDAP backend, it is possible +to migrate the old LDAP database to the new one through use of the <code class="literal">pdbedit</code>. +See <a href="passdb.html#pdbeditthing" title="The pdbedit Tool">The <span class="emphasis"><em>pdbedit</em></span> Command</a>. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id440251"></a>New Featuers in Samba-3.x Series</h2></div></div></div><p> +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id440260"></a>New Features in Samba-3.2.x Series</h3></div></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id440270"></a>New Features in Samba-3.0.x</h3></div></div></div><p> +The major new features are: +</p><div class="orderedlist"><ol type="1"><li><p> +<a class="indexterm" name="id440292"></a> +<a class="indexterm" name="id440298"></a> + Active Directory support. This release is able to join an ADS realm + as a member server and authenticate users using LDAP/Kerberos. + </p></li><li><p> +<a class="indexterm" name="id440311"></a> +<a class="indexterm" name="id440317"></a> + Unicode support. Samba will now negotiate Unicode on the wire, and + internally there is a much better infrastructure for multibyte + and Unicode character sets. + </p></li><li><p> +<a class="indexterm" name="id440330"></a> + New authentication system. The internal authentication system has + been almost completely rewritten. Most of the changes are internal, + but the new authoring system is also very configurable. + </p></li><li><p> +<a class="indexterm" name="id440343"></a> + New filename mangling system. The filename mangling system has been + completely rewritten. An internal database now stores mangling maps + persistently. + </p></li><li><p> +<a class="indexterm" name="id440355"></a> + New “<span class="quote">net</span>” command. A new “<span class="quote">net</span>” command has been added. It is + somewhat similar to the “<span class="quote">net</span>” command in Windows. Eventually, we + plan to replace a bunch of other utilities (such as smbpasswd) + with subcommands in “<span class="quote">net</span>”. + </p></li><li><p> +<a class="indexterm" name="id440382"></a> + Samba now negotiates NT-style status32 codes on the wire. This + considerably improves error handling. + </p></li><li><p> +<a class="indexterm" name="id440394"></a> + Better Windows 200x/XP printing support, including publishing + printer attributes in Active Directory. + </p></li><li><p> +<a class="indexterm" name="id440406"></a> +<a class="indexterm" name="id440413"></a> +<a class="indexterm" name="id440420"></a> + New loadable RPC modules for passdb backends and character sets. + </p></li><li><p> +<a class="indexterm" name="id440431"></a> + New default dual-daemon winbindd support for better performance. + </p></li><li><p> +<a class="indexterm" name="id440443"></a> +<a class="indexterm" name="id440450"></a> +<a class="indexterm" name="id440457"></a> + Support for migrating from a Windows NT 4.0 domain to a Samba + domain and maintaining user, group, and domain SIDs. + </p></li><li><p> +<a class="indexterm" name="id440469"></a> +<a class="indexterm" name="id440475"></a> + Support for establishing trust relationships with Windows NT 4.0 + domain controllers. + </p></li><li><p> +<a class="indexterm" name="id440487"></a> +<a class="indexterm" name="id440494"></a> +<a class="indexterm" name="id440501"></a> + Initial support for a distributed Winbind architecture using + an LDAP directory for storing SID to UID/GID mappings. + </p></li><li><p> + Major updates to the Samba documentation tree. + </p></li><li><p> +<a class="indexterm" name="id440518"></a> +<a class="indexterm" name="id440525"></a> + Full support for client and server SMB signing to ensure + compatibility with default Windows 2003 security settings. + </p></li></ol></div><p> +Plus lots of other improvements! +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id440539"></a>Configuration Parameter Changes</h4></div></div></div><p> +This section contains a brief listing of changes to <code class="filename">smb.conf</code> options since the Samba-2.2.x series up to and +including Samba-3.0.25. +</p><p> +Please refer to the smb.conf(5) man page for complete descriptions of new or modified +parameters. +</p><p> +Whenever a Samba update or upgrade is performed it is highly recommended to read the file called +<span class="emphasis"><em>WHATSNEW.txt</em></span> that is part of the Samba distribution tarball. This file may also +be obtain on-line from the Samba <a href="http://www.samba.org/samba/" target="_top">web site</a>, in +the right column, under Current Stable Release, by clicking on <span class="emphasis"><em>Release Notes</em></span>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id440578"></a>Removed Parameters</h4></div></div></div><a class="indexterm" name="id440584"></a><p> +In alphabetical order, these are the parameters eliminated from Samba-2.2.x through 3.0.25. +</p><div class="itemizedlist"><ul type="disc"><li><p>admin log</p></li><li><p>alternate permissions</p></li><li><p>character set</p></li><li><p>client codepage</p></li><li><p>code page directory</p></li><li><p>coding system</p></li><li><p>domain admin group</p></li><li><p>domain guest group</p></li><li><p>enable rid algorithm</p></li><li><p>enable svcctl</p></li><li><p>force unknown acl user</p></li><li><p>hosts equiv</p></li><li><p>ldap filter</p></li><li><p>min password length</p></li><li><p>nt smb support</p></li><li><p>post script</p></li><li><p>printer admin</p></li><li><p>printer driver</p></li><li><p>printer driver file</p></li><li><p>printer driver location</p></li><li><p>read size</p></li><li><p>source environment</p></li><li><p>status </p></li><li><p>strip dot </p></li><li><p>total print jobs</p></li><li><p>unicode</p></li><li><p>use rhosts</p></li><li><p>valid chars</p></li><li><p>vfs options</p></li><li><p>winbind enable local accounts</p></li><li><p>winbind max idle children</p></li><li><p>wins partners</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id440744"></a>New Parameters</h4></div></div></div><p>The following new parameters have been released up to and including Samba 3.0.25 (grouped by function:)</p><p>Remote Management</p><a class="indexterm" name="id440758"></a><div class="itemizedlist"><ul type="disc"><li><p>abort shutdown script</p></li><li><p>shutdown script</p></li></ul></div><p>User and Group Account Management</p><div class="itemizedlist"><ul type="disc"><li><p>add group script</p></li><li><p>add machine script</p></li><li><p>add user to group script</p></li><li><p>algorithmic rid base</p></li><li><p>delete group script</p></li><li><p>delete user from group script</p></li><li><p>passdb backend</p></li><li><p>rename user script</p></li><li><p>set primary group script</p></li><li><p>username map script</p></li></ul></div><p>Authentication</p><div class="itemizedlist"><ul type="disc"><li><p>auth methods</p></li><li><p>ldap password sync</p></li><li><p>passdb expand explicit</p></li><li><p>realm</p></li></ul></div><p>Protocol Options</p><div class="itemizedlist"><ul type="disc"><li><p>add port command</p></li><li><p>afs token lifetime</p></li><li><p>client lanman auth</p></li><li><p>client NTLMv2 auth</p></li><li><p>client schannel</p></li><li><p>client signing</p></li><li><p>client use spnego</p></li><li><p>defer sharing violations</p></li><li><p>disable netbios</p></li><li><p>dmapi support</p></li><li><p>enable privileges</p></li><li><p>use kerberos keytab</p></li><li><p>log nt token command</p></li><li><p>ntlm auth</p></li><li><p>paranoid server security </p></li><li><p>sendfile</p></li><li><p>server schannel</p></li><li><p>server signing</p></li><li><p>smb ports</p></li><li><p>svcctl list</p></li><li><p>use spnego</p></li></ul></div><p>File Service</p><div class="itemizedlist"><ul type="disc"><li><p>allocation roundup size</p></li><li><p>acl check permissions</p></li><li><p>acl group control</p></li><li><p>acl map full control</p></li><li><p>aio read size</p></li><li><p>aio write size</p></li><li><p>dfree cache time</p></li><li><p>dfree command</p></li><li><p>ea support</p></li><li><p>enable asu support</p></li><li><p>fam change notify</p></li><li><p>force unknown acl user</p></li><li><p>get quota command</p></li><li><p>hide special files</p></li><li><p>hide unwriteable files</p></li><li><p>inherit owner</p></li><li><p>hostname lookups</p></li><li><p>kernel change notify</p></li><li><p>mangle prefix</p></li><li><p>map acl inherit</p></li><li><p>map read only</p></li><li><p>max stat cache size</p></li><li><p>msdfs proxy</p></li><li><p>open files database hash size</p></li><li><p>set quota command</p></li><li><p>store dos attributes</p></li><li><p>use sendfile</p></li><li><p>usershare allow guests</p></li><li><p>usershare max shares</p></li><li><p>usershare owner only</p></li><li><p>usershare path</p></li><li><p>usershare prefix allow list</p></li><li><p>usershare prefix deny list</p></li><li><p>usershare template share</p></li><li><p>vfs objects</p></li></ul></div><p>Printing</p><div class="itemizedlist"><ul type="disc"><li><p>cups options</p></li><li><p>cups server</p></li><li><p>force printername</p></li><li><p>iprint server</p></li><li><p>max reported print jobs</p></li><li><p>printcap cache time</p></li></ul></div><p>Unicode and Character Sets</p><div class="itemizedlist"><ul type="disc"><li><p>display charset</p></li><li><p>dos charset</p></li><li><p>UNIX charset</p></li></ul></div><p>SID to UID/GID Mappings</p><div class="itemizedlist"><ul type="disc"><li><p>idmap backend</p></li><li><p>idmap gid</p></li><li><p>idmap uid</p></li><li><p>username map script</p></li><li><p>winbind nss info</p></li><li><p>winbind offline logon</p></li><li><p>winbind refresh tickets</p></li><li><p>winbind trusted domains only</p></li><li><p>template primary group</p></li></ul></div><p>LDAP</p><div class="itemizedlist"><ul type="disc"><li><p>ldap delete dn</p></li><li><p>ldap group suffix</p></li><li><p>ldap idmap suffix</p></li><li><p>ldap machine suffix</p></li><li><p>ldap passwd sync</p></li><li><p>ldap replication sleep</p></li><li><p>ldap timeout</p></li><li><p>ldap user suffix</p></li></ul></div><p>General Configuration</p><div class="itemizedlist"><ul type="disc"><li><p>eventlog list</p></li><li><p>preload modules</p></li><li><p>reset on zero vc</p></li><li><p>privatedir</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id441293"></a>Modified Parameters (Changes in Behavior)</h4></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>acl group control (new default is No, deprecated parameter)</p></li><li><p>change notify timeout (scope changed)</p></li><li><p>dos filemode (disabled by default)</p></li><li><p>dos filetimes (enabled by default)</p></li><li><p>enable asu support (disabled by default)</p></li><li><p>enable privileges (enabled by default)</p></li><li><p>encrypt passwords (enabled by default) </p></li><li><p>host msdfs (enabled by default)</p></li><li><p>mangling method (set to hash2 by default) </p></li><li><p>map to guest</p></li><li><p>only user (deprecated)</p></li><li><p>passwd chat</p></li><li><p>passwd program</p></li><li><p>password server</p></li><li><p>restrict anonymous (integer value)</p></li><li><p>security (new ads value)</p></li><li><p>strict locking (auto by default)</p></li><li><p>winbind cache time (increased to 5 minutes)</p></li><li><p>winbind enum groups (disabled by default)</p></li><li><p>winbind enum users (disabled by default)</p></li><li><p>winbind nested groups (enabled by default)</p></li><li><p>winbind uid (deprecated in favor of idmap uid)</p></li><li><p>winbind gid (deprecated in favor of idmap gid)</p></li><li><p>winbindd nss info</p></li><li><p>write cache (deprecated)</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id441421"></a>New Functionality</h3></div></div></div><p> +<a class="indexterm" name="id441429"></a> + The major changes in behavior since that Samba-2.2.x series are documented in this section. + Please refer to the <code class="filename">WHATSNEW.txt</code> file that ships with every release of + Samba to obtain detailed information regarding the changes that have been made during the + life of the current Samba release. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id441445"></a>TDB Data Files</h4></div></div></div><a class="indexterm" name="id441451"></a><p> + Refer to <a href="install.html" title="Chapter 1. How to Install and Test SAMBA">Installation, Chapter 1</a>, <a href="install.html#tdbdocs" title="TDB Database File Information">Chapter 1</a> + for information pertaining to the Samba-3 data files, their location and the information that must be + preserved across server migrations, updates and upgrades. + </p><p> +<a class="indexterm" name="id441478"></a> + Please remember to back up your existing ${lock directory}/*tdb before upgrading to Samba-3. If necessary, + Samba will upgrade databases as they are opened. Downgrading from Samba-3 to 2.2, or reversion to an earlier + version of Samba-3 from a later release, is an unsupported path. + </p><p> +<a class="indexterm" name="id441491"></a> + The old Samba-2.2.x tdb files are described in <a href="upgrading-to-3.0.html#oldtdbfiledesc" title="Table 35.1. Samba-2.2.x TDB File Descriptions">the next table</a>. + </p><div class="table"><a name="oldtdbfiledesc"></a><p class="title"><b>Table 35.1. Samba-2.2.x TDB File Descriptions</b></p><div class="table-contents"><table summary="Samba-2.2.x TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup?</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify">User policy settings</td><td align="left">yes</td></tr><tr><td align="left">brlock</td><td align="justify">Byte-range file locking information.</td><td align="left">no</td></tr><tr><td align="left">connections</td><td align="justify"><p>Client connection information</p></td><td align="left">no</td></tr><tr><td align="left">locking</td><td align="justify">Temporary file locking data.</td><td align="left">no</td></tr><tr><td align="left">messages</td><td align="justify"><p>Temporary storage of messages being processed by smbd.</p></td><td align="left">no</td></tr><tr><td align="left">ntdrivers</td><td align="justify"><p>Stores per-printer driver information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntforms</td><td align="justify"><p>Stores per-printer forms information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntprinters</td><td align="justify"><p>Stores the per-printer devmode configuration settings.</p></td><td align="left">yes</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from lpq command created on a per-print-service basis.</p></td><td align="left">no</td></tr><tr><td align="left">registry</td><td align="justify"><p>Read-only Samba registry skeleton that provides support for + exporting various database tables via the winreg RPCs.</p></td><td align="left">no</td></tr><tr><td align="left">sessionid</td><td align="justify"><p>Temporary cache for miscellaneous session information.</p></td><td align="left">no</td></tr><tr><td align="left">share_info</td><td align="justify">Share ACL settings.</td><td align="left">yes</td></tr><tr><td align="left">unexpected</td><td align="justify"><p>Packets received for which no process was listening.</p></td><td align="left">no</td></tr><tr><td align="left">winbindd_cache</td><td align="justify"><p>Cache of identity information received from an NT4 or an ADS domain.</p></td><td align="left">yes</td></tr><tr><td align="left">winbindd_idmap</td><td align="justify"><p>New ID map table from SIDS to UNIX UIDs/GIDs.</p></td><td align="left">yes</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id441782"></a>Changes in Behavior</h4></div></div></div><p> + The following issues are known changes in behavior between Samba-2.2 and + Samba-3 that may affect certain installations of Samba. + </p><div class="orderedlist"><ol type="1"><li><p> +<a class="indexterm" name="id441802"></a> +<a class="indexterm" name="id441809"></a> +<a class="indexterm" name="id441816"></a> + When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC + to the “<span class="quote">guest account</span>” if a UID could not be obtained via the getpwnam() call. Samba-3 rejects + the connection with the error message “<span class="quote">NT_STATUS_LOGON_FAILURE.</span>” There is no current workaround + to re-establish the Samba-2.2 behavior. + </p></li><li><p> +<a class="indexterm" name="id441837"></a> +<a class="indexterm" name="id441844"></a> + When adding machines to a Samba-2.2 controlled domain, the + “<span class="quote">add user script</span>” was used to create the UNIX identity of the + machine trust account. Samba-3 introduces a new “<span class="quote">add machine + script</span>” that must be specified for this purpose. Samba-3 will + not fall back to using the “<span class="quote">add user script</span>” in the absence of + an “<span class="quote">add machine script</span>”. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id441871"></a>Passdb Backends and Authentication</h4></div></div></div><p> + There have been a few new changes that Samba administrators should be + aware of when moving to Samba-3. + </p><div class="orderedlist"><ol type="1"><li><p> +<a class="indexterm" name="id441890"></a> + Encrypted passwords have been enabled by default in order to + interoperate better with out-of-the-box Windows client + installations. This does mean that either (a) a Samba account + must be created for each user, or (b) “<span class="quote">encrypt passwords = no</span>” + must be explicitly defined in <code class="filename">smb.conf</code>. + </p></li><li><p> +<a class="indexterm" name="id441913"></a> +<a class="indexterm" name="id441920"></a> +<a class="indexterm" name="id441927"></a> + Inclusion of new <a class="indexterm" name="id441934"></a>security = ads option for integration + with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols. + </p></li></ol></div><p> +<a class="indexterm" name="id441946"></a> + Samba-3 also includes the possibility of setting up chains of authentication methods (<a class="indexterm" name="id441954"></a>auth methods) and account storage backends (<a class="indexterm" name="id441961"></a>passdb backend). Please refer to + the <code class="filename">smb.conf</code> man page and <a href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a>, for + details. While both parameters assume sane default values, it is likely that you will need to understand what + the values actually mean in order to ensure Samba operates correctly. + </p><p> +<a class="indexterm" name="id441986"></a> +<a class="indexterm" name="id441993"></a> +<a class="indexterm" name="id442000"></a> + Certain functions of the <code class="literal">smbpasswd</code> tool have been split between the + new <code class="literal">smbpasswd</code> utility, the <code class="literal">net</code> tool, and the new <code class="literal">pdbedit</code> + utility. See the respective man pages for details. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id442033"></a>LDAP</h4></div></div></div><p> + This section outlines the new features effecting Samba/LDAP integration. + </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id442043"></a>New Schema</h5></div></div></div><p> +<a class="indexterm" name="id442051"></a> +<a class="indexterm" name="id442057"></a> +<a class="indexterm" name="id442064"></a> +<a class="indexterm" name="id442071"></a> + A new object class (sambaSamAccount) has been introduced to replace + the old sambaAccount. This change aids in the renaming of attributes + to prevent clashes with attributes from other vendors. There is a + conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF + file to the new schema. + </p><p> + Example: +<a class="indexterm" name="id442084"></a> + </p><pre class="screen"> + <code class="prompt">$ </code>ldapsearch .... -LLL -b "ou=people,dc=..." > old.ldif + <code class="prompt">$ </code>convertSambaAccount --sid <DOM SID> --input old.ldif --output new.ldif + </pre><p> +<a class="indexterm" name="id442114"></a> + The <DOM SID> can be obtained by running +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>net getlocalsid <DOMAINNAME></code></strong> +</pre><p> +<a class="indexterm" name="id442140"></a> + on the Samba PDC as root. + </p><p> + Under Samba-2.x the domain SID can be obtained by executing: +<a class="indexterm" name="id442151"></a> +</p><pre class="screen"> +<code class="prompt">$ </code><strong class="userinput"><code>smbpasswd -S <DOMAINNAME></code></strong> +</pre><p> + </p><p> +<a class="indexterm" name="id442176"></a> +<a class="indexterm" name="id442183"></a> +<a class="indexterm" name="id442190"></a> +<a class="indexterm" name="id442197"></a> + The old <code class="literal">sambaAccount</code> schema may still be used by specifying the + <em class="parameter"><code>ldapsam_compat</code></em> passdb backend. However, the sambaAccount and + associated attributes have been moved to the historical section of + the schema file and must be uncommented before use if needed. + The Samba-2.2 object class declaration for a <code class="literal">sambaAccount</code> has not changed + in the Samba-3 <code class="filename">samba.schema</code> file. + </p><p> + Other new object classes and their uses include: + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id442240"></a> +<a class="indexterm" name="id442247"></a> +<a class="indexterm" name="id442254"></a> +<a class="indexterm" name="id442260"></a> +<a class="indexterm" name="id442267"></a> +<a class="indexterm" name="id442274"></a> + <code class="literal">sambaDomain</code> domain information used to allocate RIDs + for users and groups as necessary. The attributes are added + in “<span class="quote">ldap suffix</span>” directory entry automatically if + an idmap UID/GID range has been set and the “<span class="quote">ldapsam</span>” + passdb backend has been selected. + </p></li><li><p> +<a class="indexterm" name="id442303"></a> +<a class="indexterm" name="id442309"></a> +<a class="indexterm" name="id442316"></a> + sambaGroupMapping an object representing the + relationship between a posixGroup and a Windows + group/SID. These entries are stored in the “<span class="quote">ldap + group suffix</span>” and managed by the “<span class="quote">net groupmap</span>” command. + </p></li><li><p> +<a class="indexterm" name="id442339"></a> +<a class="indexterm" name="id442346"></a> +<a class="indexterm" name="id442352"></a> +<a class="indexterm" name="id442359"></a> + <code class="literal">sambaUNIXIdPool</code> created in the “<span class="quote">ldap idmap suffix</span>” entry + automatically and contains the next available “<span class="quote">idmap UID</span>” and + “<span class="quote">idmap GID</span>”. + </p></li><li><p> +<a class="indexterm" name="id442390"></a> +<a class="indexterm" name="id442397"></a> + <code class="literal">sambaIdmapEntry</code> object storing a mapping between a + SID and a UNIX UID/GID. These objects are created by the + idmap_ldap module as needed. + </p></li></ul></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id442417"></a>New Suffix for Searching</h5></div></div></div><p> +<a class="indexterm" name="id442425"></a> +<a class="indexterm" name="id442431"></a> +<a class="indexterm" name="id442438"></a> +<a class="indexterm" name="id442445"></a> +<a class="indexterm" name="id442452"></a> +<a class="indexterm" name="id442458"></a> +<a class="indexterm" name="id442465"></a> + The following new <code class="filename">smb.conf</code> parameters have been added to aid in directing + certain LDAP queries when <em class="parameter"><code>passdb backend = ldapsam://...</code></em> has been + specified. + </p><div class="itemizedlist"><ul type="disc"><li><p>ldap suffix used to search for user and computer accounts.</p></li><li><p>ldap user suffix used to store user accounts.</p></li><li><p>ldap machine suffix used to store machine trust accounts.</p></li><li><p>ldap group suffix location of posixGroup/sambaGroupMapping entries.</p></li><li><p>ldap idmap suffix location of sambaIdmapEntry objects.</p></li></ul></div><p> +<a class="indexterm" name="id442529"></a> +<a class="indexterm" name="id442535"></a> + If an <em class="parameter"><code>ldap suffix</code></em> is defined, it will be appended to all of the + remaining subsuffix parameters. In this case, the order of the suffix + listings in <code class="filename">smb.conf</code> is important. Always place the <em class="parameter"><code>ldap suffix</code></em> first + in the list. + </p><p> + Due to a limitation in Samba's <code class="filename">smb.conf</code> parsing, you should not surround + the domain names with quotation marks. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id442574"></a>IdMap LDAP Support</h5></div></div></div><p> +<a class="indexterm" name="id442582"></a> + Samba-3 supports an LDAP backend for the idmap subsystem. The + following options inform Samba that the idmap table should be + stored on the directory server <span class="emphasis"><em>onterose</em></span> in the ou=Idmap,dc=quenya,dc=org partition. + </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td>...</td></tr><tr><td><a class="indexterm" name="id442613"></a><em class="parameter"><code>idmap backend = ldap:ldap://onterose/</code></em></td></tr><tr><td><a class="indexterm" name="id442625"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id442638"></a><em class="parameter"><code>idmap uid = 40000-50000</code></em></td></tr><tr><td><a class="indexterm" name="id442650"></a><em class="parameter"><code>idmap gid = 40000-50000</code></em></td></tr></table><p> +<a class="indexterm" name="id442665"></a> + This configuration allows Winbind installations on multiple servers to + share a UID/GID number space, thus avoiding the interoperability problems + with NFS that were present in Samba-2.2. + </p></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Samba3-HOWTO/winbind.html b/docs/htmldocs/Samba3-HOWTO/winbind.html new file mode 100644 index 0000000000..689f7fe3b9 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/winbind.html @@ -0,0 +1,1037 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Winbind: Use of Domain Accounts</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="VFS.html" title="Chapter 23. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Winbind: Use of Domain Accounts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 24. Winbind: Use of Domain Accounts</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span> <div class="affiliation"><div class="address"><p><code class="email"><<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Trostel</span></h3><div class="affiliation"><span class="orgname">SNAP<br></span><div class="address"><p><code class="email"><<a href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">June 15, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="winbind.html#id418954">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id419277">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id419355">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id419494">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419533">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id419645">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id419692">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419770">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id419814">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420026">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420167">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420241">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id420291">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id420297">Introduction</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420404">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id420546">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id422791">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id422837">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id422871">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id422905">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id418954"></a>Features and Benefits</h2></div></div></div><p> +<a class="indexterm" name="id418962"></a> +<a class="indexterm" name="id418968"></a> + Integration of UNIX and Microsoft Windows NT through a unified logon has + been considered a “<span class="quote">holy grail</span>” in heterogeneous computing environments for + a long time. + </p><p> +<a class="indexterm" name="id418984"></a> +<a class="indexterm" name="id418990"></a> +<a class="indexterm" name="id418997"></a> +<a class="indexterm" name="id419004"></a> + There is one other facility without which UNIX and Microsoft Windows network + interoperability would suffer greatly. It is imperative that there be a + mechanism for sharing files across UNIX systems and to be able to assign + domain user and group ownerships with integrity. + </p><p> +<a class="indexterm" name="id419016"></a> +<a class="indexterm" name="id419025"></a> +<a class="indexterm" name="id419032"></a> +<a class="indexterm" name="id419039"></a> + <span class="emphasis"><em>winbind</em></span> is a component of the Samba suite of programs that + solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft + RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to + allow Windows NT domain users to appear and operate as UNIX users on a UNIX + machine. This chapter describes the Winbind system, the functionality + it provides, how it is configured, and how it works internally. + </p><p> + Winbind provides three separate functions: + </p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="id419063"></a> +<a class="indexterm" name="id419069"></a> + Authentication of user credentials (via PAM). This makes it possible to + log onto a UNIX/Linux system using user and group accounts from a Windows + NT4 (including a Samba domain) or an Active Directory domain. + </p></li><li><p> +<a class="indexterm" name="id419082"></a> +<a class="indexterm" name="id419089"></a> + Identity resolution (via NSS). This is the default when winbind is not used. + </p></li><li><p> +<a class="indexterm" name="id419101"></a> +<a class="indexterm" name="id419107"></a> +<a class="indexterm" name="id419114"></a> +<a class="indexterm" name="id419120"></a> +<a class="indexterm" name="id419127"></a> +<a class="indexterm" name="id419134"></a> +<a class="indexterm" name="id419141"></a> + Winbind maintains a database called winbind_idmap.tdb in which it stores + mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only + for users and groups that do not have a local UID/GID. It stores the UID/GID + allocated from the idmap uid/gid range that it has mapped to the NT SID. + If <em class="parameter"><code>idmap backend</code></em> has been specified as <code class="constant">ldap:ldap://hostname[:389]</code>, + then instead of using a local mapping, Winbind will obtain this information + from the LDAP database. + </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id419166"></a> + <a class="indexterm" name="id419173"></a> +<a class="indexterm" name="id419182"></a> +<a class="indexterm" name="id419189"></a> +<a class="indexterm" name="id419196"></a> +<a class="indexterm" name="id419202"></a> + If <code class="literal">winbindd</code> is not running, smbd (which calls <code class="literal">winbindd</code>) will fall back to + using purely local information from <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> and no dynamic + mapping will be used. On an operating system that has been enabled with the NSS, + the resolution of user and group information will be accomplished via NSS. + </p></div><div class="figure"><a name="winbind_idmap"></a><p class="title"><b>Figure 24.1. Winbind Idmap</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap_winbind_no_loop.png" width="243" alt="Winbind Idmap"></div></div></div><br class="figure-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id419277"></a>Introduction</h2></div></div></div><p>It is well known that UNIX and Microsoft Windows NT have + different models for representing user and group information and + use different technologies for implementing them. This fact has + made it difficult to integrate the two systems in a satisfactory + manner.</p><p> +<a class="indexterm" name="id419291"></a> +<a class="indexterm" name="id419298"></a> + One common solution in use today has been to create + identically named user accounts on both the UNIX and Windows systems + and use the Samba suite of programs to provide file and print services + between the two. This solution is far from perfect, however, because + adding and deleting users on both sets of machines becomes a chore, + and two sets of passwords are required both of which + can lead to synchronization problems between the UNIX and Windows + systems and confusion for users.</p><p>We divide the unified logon problem for UNIX machines into + three smaller problems:</p><div class="itemizedlist"><ul type="disc"><li><p>Obtaining Windows NT user and group information. + </p></li><li><p>Authenticating Windows NT users. + </p></li><li><p>Password changing for Windows NT users. + </p></li></ul></div><p> +<a class="indexterm" name="id419336"></a> +<a class="indexterm" name="id419343"></a> + Ideally, a prospective solution to the unified logon problem + would satisfy all the above components without duplication of + information on the UNIX machines and without creating additional + tasks for the system administrator when maintaining users and + groups on either system. The Winbind system provides a simple + and elegant solution to all three components of the unified logon + problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id419355"></a>What Winbind Provides</h2></div></div></div><p> +<a class="indexterm" name="id419363"></a> +<a class="indexterm" name="id419370"></a> +<a class="indexterm" name="id419377"></a> +<a class="indexterm" name="id419383"></a> + Winbind unifies UNIX and Windows NT account management by + allowing a UNIX box to become a full member of an NT domain. Once + this is done, the UNIX box will see NT users and groups as if + they were “<span class="quote">native</span>” UNIX users and groups, allowing the NT domain + to be used in much the same manner that NIS+ is used within + UNIX-only environments.</p><p> +<a class="indexterm" name="id419400"></a> +<a class="indexterm" name="id419407"></a> +<a class="indexterm" name="id419414"></a> +<a class="indexterm" name="id419420"></a> + The end result is that whenever a + program on the UNIX machine asks the operating system to look up + a user or group name, the query will be resolved by asking the + NT domain controller for the specified domain to do the lookup. + Because Winbind hooks into the operating system at a low level + (via the NSS name resolution modules in the C library), this + redirection to the NT domain controller is completely + transparent.</p><p> +<a class="indexterm" name="id419434"></a> +<a class="indexterm" name="id419441"></a> + Users on the UNIX machine can then use NT user and group + names as they would “<span class="quote">native</span>” UNIX names. They can chown files + so they are owned by NT domain users or even login to the + UNIX machine and run a UNIX X-Window session as a domain user.</p><p> +<a class="indexterm" name="id419456"></a> + The only obvious indication that Winbind is being used is + that user and group names take the form <code class="constant">DOMAIN\user</code> and + <code class="constant">DOMAIN\group</code>. This is necessary because it allows Winbind to determine + that redirection to a domain controller is wanted for a particular + lookup and which trusted domain is being referenced.</p><p> +<a class="indexterm" name="id419476"></a> +<a class="indexterm" name="id419483"></a> + Additionally, Winbind provides an authentication service that hooks into the PAM system + to provide authentication via an NT domain to any PAM-enabled + applications. This capability solves the problem of synchronizing + passwords between systems, since all passwords are stored in a single + location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id419494"></a>Target Uses</h3></div></div></div><p> +<a class="indexterm" name="id419501"></a> + Winbind is targeted at organizations that have an + existing NT-based domain infrastructure into which they wish + to put UNIX workstations or servers. Winbind will allow these + organizations to deploy UNIX workstations without having to + maintain a separate account infrastructure. This greatly + simplifies the administrative overhead of deploying UNIX + workstations into an NT-based organization.</p><p> +<a class="indexterm" name="id419515"></a> +<a class="indexterm" name="id419522"></a> + Another interesting way in which we expect Winbind to + be used is as a central part of UNIX-based appliances. Appliances + that provide file and print services to Microsoft-based networks + will be able to use Winbind to provide seamless integration of + the appliance into the domain.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id419533"></a>Handling of Foreign SIDs</h3></div></div></div><p> +<a class="indexterm" name="id419541"></a> + The term <span class="emphasis"><em>foreign SID</em></span> is often met with the reaction that it + is not relevant to a particular environment. The following documents an interchange + that took place on the Samba mailing list. It is a good example of the confusion + often expressed regarding the use of winbind. + </p><p> +<a class="indexterm" name="id419557"></a> + Fact: Winbind is needed to handle users who use workstations that are NOT part + of the local domain. + </p><p> +<a class="indexterm" name="id419568"></a> + Response: “<span class="quote">Why? I've used Samba with workstations that are not part of my domains + lots of times without using winbind. I thought winbind was for using Samba as a member server + in a domain controlled by another Samba/Windows PDC.</span>” + </p><p> +<a class="indexterm" name="id419583"></a> +<a class="indexterm" name="id419590"></a> +<a class="indexterm" name="id419596"></a> + If the Samba server will be accessed from a domain other than the local Samba domain, or + if there will be access from machines that are not local domain members, winbind will + permit the allocation of UIDs and GIDs from the assigned pool that will keep the identity + of the foreign user separate from users that are members of the Samba domain. + </p><p> +<a class="indexterm" name="id419609"></a> +<a class="indexterm" name="id419616"></a> +<a class="indexterm" name="id419623"></a> +<a class="indexterm" name="id419630"></a> + This means that winbind is eminently useful in cases where a single + Samba PDC on a local network is combined with both domain member and domain non-member workstations. + If winbind is not used, the user george on a Windows workstation that is not a domain + member will be able to access the files of a user called george in the account database + of the Samba server that is acting as a PDC. When winbind is used, the default condition + is that the local user george will be treated as the account DOMAIN\george and the + foreign (non-member of the domain) account will be treated as MACHINE\george because + each has a different SID. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id419645"></a>How Winbind Works</h2></div></div></div><p> +<a class="indexterm" name="id419652"></a> +<a class="indexterm" name="id419659"></a> +<a class="indexterm" name="id419666"></a> +<a class="indexterm" name="id419673"></a> + The Winbind system is designed around a client/server + architecture. A long-running <code class="literal">winbindd</code> daemon + listens on a UNIX domain socket waiting for requests + to arrive. These requests are generated by the NSS and PAM + clients and are processed sequentially.</p><p>The technologies used to implement Winbind are described + in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id419692"></a>Microsoft Remote Procedure Calls</h3></div></div></div><p> +<a class="indexterm" name="id419700"></a> +<a class="indexterm" name="id419709"></a> +<a class="indexterm" name="id419716"></a> +<a class="indexterm" name="id419723"></a> +<a class="indexterm" name="id419730"></a> + Over the last few years, efforts have been underway by various Samba Team members to implement various aspects of + the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network-related operations + between Windows NT machines, including remote management, user authentication, and print spooling. Although + initially this work was done to aid the implementation of Primary Domain Controller (PDC) functionality in + Samba, it has also yielded a body of code that can be used for other purposes. + </p><p> +<a class="indexterm" name="id419744"></a> +<a class="indexterm" name="id419751"></a> +<a class="indexterm" name="id419758"></a> + Winbind uses various MSRPC calls to enumerate domain users and groups and to obtain detailed information about + individual users or groups. Other MSRPC calls can be used to authenticate NT domain users and to change user + passwords. By directly querying a Windows PDC for user and group information, Winbind maps the NT account + information onto UNIX user and group names. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id419770"></a>Microsoft Active Directory Services</h3></div></div></div><p> +<a class="indexterm" name="id419778"></a> +<a class="indexterm" name="id419785"></a> +<a class="indexterm" name="id419791"></a> +<a class="indexterm" name="id419798"></a> + Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its “<span class="quote">native + mode</span>” protocols rather than the NT4 RPC services. Using LDAP and Kerberos, a domain member running + Winbind can enumerate users and groups in exactly the same way as a Windows 200x client would, and in so doing + provide a much more efficient and effective Winbind implementation. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id419814"></a>Name Service Switch</h3></div></div></div><p> +<a class="indexterm" name="id419822"></a> +<a class="indexterm" name="id419828"></a> +<a class="indexterm" name="id419835"></a> +<a class="indexterm" name="id419842"></a> + The NSS is a feature that is present in many UNIX operating systems. It allows system + information such as hostnames, mail aliases, and user information + to be resolved from different sources. For example, a standalone + UNIX workstation may resolve system information from a series of + flat files stored on the local file system. A networked workstation + may first attempt to resolve system information from local files, + and then consult an NIS database for user information or a DNS server + for hostname information.</p><p> +<a class="indexterm" name="id419856"></a> +<a class="indexterm" name="id419862"></a> +<a class="indexterm" name="id419869"></a> +<a class="indexterm" name="id419876"></a> +<a class="indexterm" name="id419883"></a> + The NSS application programming interface allows Winbind to present itself as a source of system + information when resolving UNIX usernames and groups. Winbind uses this interface and information obtained + from a Windows NT server using MSRPC calls to provide a new source of account enumeration. Using standard UNIX + library calls, you can enumerate the users and groups on a UNIX machine running Winbind and see all users and + groups in an NT domain plus any trusted domain as though they were local users and groups. + </p><p> +<a class="indexterm" name="id419897"></a> +<a class="indexterm" name="id419904"></a> +<a class="indexterm" name="id419911"></a> + The primary control file for NSS is <code class="filename">/etc/nsswitch.conf</code>. When a UNIX application + makes a request to do a lookup, the C library looks in <code class="filename">/etc/nsswitch.conf</code> for a line that + matches the service type being requested; for example, the “<span class="quote">passwd</span>” service type is used when + user or group names are looked up. This config line specifies which implementations of that service should be + tried and in what order. If the passwd config line is: +</p><pre class="screen"> +passwd: files example +</pre><p> +<a class="indexterm" name="id419942"></a> +<a class="indexterm" name="id419949"></a> +<a class="indexterm" name="id419956"></a> + then the C library will first load a module called <code class="filename">/lib/libnss_files.so</code> followed + by the module <code class="filename">/lib/libnss_example.so</code>. The C library will dynamically load each of these + modules in turn and call resolver functions within the modules to try to resolve the request. Once the request + is resolved, the C library returns the result to the application. + </p><p> +<a class="indexterm" name="id419980"></a> +<a class="indexterm" name="id419987"></a> +<a class="indexterm" name="id419993"></a> + This NSS interface provides an easy way for Winbind to hook into the operating system. All that needs + to be done is to put <code class="filename">libnss_winbind.so</code> in <code class="filename">/lib/</code> then add + “<span class="quote">winbind</span>” into <code class="filename">/etc/nsswitch.conf</code> at the appropriate place. The C library + will then call Winbind to resolve user and group names. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id420026"></a>Pluggable Authentication Modules</h3></div></div></div><p> +<a class="indexterm" name="id420034"></a> +<a class="indexterm" name="id420040"></a> +<a class="indexterm" name="id420047"></a> +<a class="indexterm" name="id420054"></a> + PAMs provide a system for abstracting authentication and authorization technologies. With a PAM + module, it is possible to specify different authentication methods for different system applications without + having to recompile these applications. PAM is also useful for implementing a particular policy for + authorization. For example, a system administrator may only allow console logins from users stored in the + local password file but only allow users resolved from an NIS database to log in over the network. + </p><p> +<a class="indexterm" name="id420068"></a> +<a class="indexterm" name="id420075"></a> +<a class="indexterm" name="id420082"></a> +<a class="indexterm" name="id420089"></a> +<a class="indexterm" name="id420096"></a> + Winbind uses the authentication management and password management PAM interface to integrate Windows + NT users into a UNIX system. This allows Windows NT users to log in to a UNIX machine and be authenticated + against a suitable PDC. These users can also change their passwords and have this change take effect directly + on the PDC. + </p><p> +<a class="indexterm" name="id420108"></a> +<a class="indexterm" name="id420115"></a> +<a class="indexterm" name="id420122"></a> +<a class="indexterm" name="id420128"></a> + PAM is configured by providing control files in the directory <code class="filename">/etc/pam.d/</code> for + each of the services that require authentication. When an authentication request is made by an application, + the PAM code in the C library looks up this control file to determine what modules to load to do the + authentication check and in what order. This interface makes adding a new authentication service for Winbind + very easy: simply copy the <code class="filename">pam_winbind.so</code> module to <code class="filename">/lib/security/</code>, + and the PAM control files for relevant services are updated to allow authentication via Winbind. See the PAM + documentation in <a href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication">PAM-Based Distributed Authentication</a>, for more information. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id420167"></a>User and Group ID Allocation</h3></div></div></div><p> +<a class="indexterm" name="id420175"></a> +<a class="indexterm" name="id420181"></a> +<a class="indexterm" name="id420188"></a> + When a user or group is created under Windows NT/200x, it is allocated a numerical relative identifier + (RID). This is slightly different from UNIX, which has a range of numbers that are used to identify users and + the same range used to identify groups. It is Winbind's job to convert RIDs to UNIX ID numbers and vice versa. + When Winbind is configured, it is given part of the UNIX user ID space and a part of the UNIX group ID space + in which to store Windows NT users and groups. If a Windows NT user is resolved for the first time, it is + allocated the next UNIX ID from the range. The same process applies for Windows NT groups. Over time, Winbind + will have mapped all Windows NT users and groups to UNIX user IDs and group IDs. + </p><p> +<a class="indexterm" name="id420210"></a> +<a class="indexterm" name="id420217"></a> +<a class="indexterm" name="id420224"></a> +<a class="indexterm" name="id420231"></a> + The results of this mapping are stored persistently in an ID mapping database held in a tdb database. + This ensures that RIDs are mapped to UNIX IDs in a consistent way. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id420241"></a>Result Caching</h3></div></div></div><p> +<a class="indexterm" name="id420249"></a> +<a class="indexterm" name="id420255"></a> +<a class="indexterm" name="id420262"></a> +<a class="indexterm" name="id420269"></a> +<a class="indexterm" name="id420275"></a> + An active directory system can generate a lot of user and group name lookups. To reduce the network + cost of these lookups, Winbind uses a caching scheme based on the SAM sequence number supplied by NT domain + controllers. User or group information returned by a PDC is cached by Winbind along with a sequence number + also returned by the PDC. This sequence number is incremented by Windows NT whenever any user or group + information is modified. If a cached entry has expired, the sequence number is requested from the PDC and + compared against the sequence number of the cached entry. If the sequence numbers do not match, then the + cached information is discarded and up-to-date information is requested directly from the PDC. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id420291"></a>Installation and Configuration</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id420297"></a>Introduction</h3></div></div></div><p> +<a class="indexterm" name="id420305"></a> +<a class="indexterm" name="id420312"></a> +<a class="indexterm" name="id420318"></a> +This section describes the procedures used to get Winbind up and running. Winbind is capable of providing +access and authentication control for Windows Domain users through an NT or Windows 200x PDC for regular +services, such as telnet and ftp, as well for Samba services. +</p><div class="itemizedlist"><ul type="disc"><li><p> + <span class="emphasis"><em>Why should I do this?</em></span> + </p><p> +<a class="indexterm" name="id420342"></a> +<a class="indexterm" name="id420348"></a> +<a class="indexterm" name="id420355"></a> +<a class="indexterm" name="id420362"></a> +This allows the Samba administrator to rely on the authentication mechanisms on the Windows NT/200x PDC +for the authentication of domain members. Windows NT/200x users no longer need to have separate accounts on +the Samba server. + </p></li><li><p> + <span class="emphasis"><em>Who should be reading this document?</em></span> + </p><p> +<a class="indexterm" name="id420384"></a> +<a class="indexterm" name="id420391"></a> +This document is designed for system administrators. If you are implementing Samba on a file server and wish +to (fairly easily) integrate existing Windows NT/200x users from your PDC onto the Samba server, this document +is for you. + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id420404"></a>Requirements</h3></div></div></div><p> +<a class="indexterm" name="id420412"></a> +<a class="indexterm" name="id420418"></a> +<a class="indexterm" name="id420425"></a> +If you have a Samba configuration file that you are currently using, <span class="emphasis"><em>BACK IT UP!</em></span> +If your system already uses PAM, <span class="emphasis"><em>back up the <code class="filename">/etc/pam.d</code> directory +contents!</em></span> If you haven't already made a boot disk, <span class="emphasis"><em>MAKE ONE NOW!</em></span> +</p><p> +<a class="indexterm" name="id420453"></a> +<a class="indexterm" name="id420460"></a> +<a class="indexterm" name="id420467"></a> +Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's +why you want to be able to boot back into your machine in single-user mode and restore your +<code class="filename">/etc/pam.d</code> to the original state it was in if you get frustrated with the +way things are going. +</p><p> +<a class="indexterm" name="id420485"></a> +<a class="indexterm" name="id420492"></a> +The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <a href="http://samba.org/" target="_top">main Samba Web page</a>, or better yet, your closest Samba mirror site for +instructions on downloading the source code. +</p><p> +<a class="indexterm" name="id420509"></a> +<a class="indexterm" name="id420516"></a> +<a class="indexterm" name="id420523"></a> +<a class="indexterm" name="id420529"></a> +To allow domain users the ability to access Samba shares and files, as well as potentially other services +provided by your Samba machine, PAM must be set up properly on your +machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed +on your system. Please refer to the PAM Web site <a href="http://www.kernel.org/pub/linux/libs/pam/" target="_top">http://www.kernel.org/pub/linux/libs/pam/</a>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id420546"></a>Testing Things Out</h3></div></div></div><p> +<a class="indexterm" name="id420554"></a> +<a class="indexterm" name="id420560"></a> +<a class="indexterm" name="id420567"></a> +<a class="indexterm" name="id420574"></a> +<a class="indexterm" name="id420581"></a> +Before starting, it is probably best to kill off all the Samba-related daemons running on your server. +Kill off all <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may be running. To use PAM, +make sure that you have the standard PAM package that supplies the <code class="filename">/etc/pam.d</code> +directory structure, including the PAM modules that are used by PAM-aware services, several PAM libraries, +and the <code class="filename">/usr/doc</code> and <code class="filename">/usr/man</code> entries for PAM. Winbind is built +better in Samba if the pam-devel package is also installed. This package includes the header files +needed to compile PAM-aware applications. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id420628"></a>Configure <code class="filename">nsswitch.conf</code> and the Winbind Libraries on Linux and Solaris</h4></div></div></div><p> +<a class="indexterm" name="id420642"></a> +<a class="indexterm" name="id420649"></a> +<a class="indexterm" name="id420656"></a> +<a class="indexterm" name="id420662"></a> +PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install +the <code class="filename">pam-devel</code> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3 +may auto-install the Winbind files into their correct locations on your system, so before you get too far down +the track, be sure to check if the following configuration is really +necessary. You may only need to configure +<code class="filename">/etc/nsswitch.conf</code>. +</p><p> +The libraries needed to run the <span class="application">winbindd</span> daemon through nsswitch need to be copied to their proper locations: +</p><p> +<a class="indexterm" name="id420698"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cp ../samba/source/nsswitch/libnss_winbind.so /lib</code></strong> +</pre><p> +</p><p> +I also found it necessary to make the following symbolic link: +</p><p> +<code class="prompt">root# </code> <strong class="userinput"><code>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</code></strong> +</p><p>And, in the case of Sun Solaris: +<a class="indexterm" name="id420743"></a> +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</code></strong> +<code class="prompt">root# </code><strong class="userinput"><code>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</code></strong> +</pre><p> +</p><p> +<a class="indexterm" name="id420791"></a> +As root, edit <code class="filename">/etc/nsswitch.conf</code> to allow user and group entries to be visible from the +<span class="application">winbindd</span> daemon. My <code class="filename">/etc/nsswitch.conf</code> file looked like this after editing: +</p><pre class="programlisting"> +passwd: files winbind +shadow: files +group: files winbind +</pre><p> +<a class="indexterm" name="id420825"></a> +<a class="indexterm" name="id420831"></a> +<a class="indexterm" name="id420838"></a> +<a class="indexterm" name="id420845"></a> +<a class="indexterm" name="id420852"></a> +The libraries needed by the <code class="literal">winbindd</code> daemon will be automatically +entered into the <code class="literal">ldconfig</code> cache the next time +your system reboots, but it is faster (and you do not need to reboot) if you do it manually: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/sbin/ldconfig -v | grep winbind</code></strong> +</pre><p> +This makes <code class="filename">libnss_winbind</code> available to winbindd and reports the current +search path that is used by the dynamic link loader. The use of the <code class="literal">grep</code> +filters the output of the <code class="literal">ldconfig</code> command so that we may see proof that +this library is indeed recognized by the dynamic link loader. +</p><p> +<a class="indexterm" name="id420911"></a> +<a class="indexterm" name="id420918"></a> +<a class="indexterm" name="id420925"></a> +<a class="indexterm" name="id420932"></a> +<a class="indexterm" name="id420938"></a> +The Sun Solaris dynamic link loader management tool is called <code class="literal">crle</code>. The +use of this tool is necessary to instruct the dynamic link loader to search directories that +contain library files that were not supplied as part of the original operating system platform. +The following example shows how to use this tool to add the directory <code class="filename">/usr/local/lib</code> +to the dynamic link loader's search path: +</p><pre class="screen"> +<code class="prompt">root# </code> crle -u -l /usr/lib:/usr/local/lib +</pre><p> +When executed without arguments, <code class="literal">crle</code> reports the current dynamic +link loader configuration. This is demonstrated here: +</p><pre class="screen"> +<code class="prompt">root# </code> crle + +Configuration file [version 4]: /var/ld/ld.config + Default Library Path (ELF): /lib:/usr/lib:/usr/local/lib + Trusted Directories (ELF): /lib/secure:/usr/lib/secure (system default) + +Command line: + crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib +</pre><p> +From this it is apparent that the <code class="filename">/usr/local/lib</code> directory is included +in the search dynamic link libraries in order to satisfy object module dependencies. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id421002"></a>NSS Winbind on AIX</h4></div></div></div><p>(This section is only for those running AIX.)</p><p> +<a class="indexterm" name="id421013"></a> +<a class="indexterm" name="id421020"></a> +<a class="indexterm" name="id421027"></a> +<a class="indexterm" name="id421034"></a> +<a class="indexterm" name="id421040"></a> +<a class="indexterm" name="id421047"></a> +The Winbind AIX identification module gets built as <code class="filename">libnss_winbind.so</code> in the +nsswitch directory of the Samba source. This file can be copied to <code class="filename">/usr/lib/security</code>, +and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following: +</p><pre class="programlisting"> +WINBIND: + program = /usr/lib/security/WINBIND + options = authonly +</pre><p> +can then be added to <code class="filename">/usr/lib/security/methods.cfg</code>. This module only supports +identification, but there have been reports of success using the standard Winbind PAM module for +authentication. Use caution configuring loadable authentication modules, since misconfiguration can make +it impossible to log on to the system. Information regarding the AIX authentication module API can +be found in the “<span class="quote">Kernel Extensions and Device Support Programming Concepts for AIX</span>” document that +describes the <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm" target="_top"> +Loadable Authentication Module Programming Interface</a> for AIX. Further information on administering the modules +can be found in the <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm" target="_top">System +Management Guide: Operating System and Devices.</a> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id421104"></a>Configure smb.conf</h4></div></div></div><p> +<a class="indexterm" name="id421112"></a> +<a class="indexterm" name="id421118"></a> +<a class="indexterm" name="id421125"></a> +Several parameters are needed in the <code class="filename">smb.conf</code> file to control the behavior of <span class="application">winbindd</span>. These +are described in more detail in the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> man page. My <code class="filename">smb.conf</code> file, as shown in <a href="winbind.html#winbindcfg" title="Example 24.1. smb.conf for Winbind Setup">the smb.conf for Winbind Setup</a>, was modified to include the necessary entries in the [global] section. +</p><div class="example"><a name="winbindcfg"></a><p class="title"><b>Example 24.1. smb.conf for Winbind Setup</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td># separate domain and username with '\', like DOMAIN\username</td></tr><tr><td><a class="indexterm" name="id421196"></a><em class="parameter"><code>winbind separator = \</code></em></td></tr><tr><td># use uids from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id421212"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td># use gids from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id421228"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id421244"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id421257"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td># give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><a class="indexterm" name="id421274"></a><em class="parameter"><code>template homedir = /home/winnt/%D/%U</code></em></td></tr><tr><td><a class="indexterm" name="id421286"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id421301"></a>Join the Samba Server to the PDC Domain</h4></div></div></div><p> +<a class="indexterm" name="id421309"></a> +<a class="indexterm" name="id421316"></a> +<a class="indexterm" name="id421322"></a> +All machines that will participate in domain security should be members of +the domain. This applies also to the PDC and all BDCs. +</p><p> +<a class="indexterm" name="id421333"></a> +<a class="indexterm" name="id421340"></a> +<a class="indexterm" name="id421347"></a> +<a class="indexterm" name="id421358"></a> +<a class="indexterm" name="id421365"></a> +<a class="indexterm" name="id421371"></a> +<a class="indexterm" name="id421378"></a> +<a class="indexterm" name="id421385"></a> +<a class="indexterm" name="id421392"></a> +The process of joining a domain requires the use of the <code class="literal">net rpc join</code> +command. This process communicates with the domain controller it will register with +(usually the PDC) via MS DCE RPC. This means, of course, that the <code class="literal">smbd</code> +process must be running on the target domain controller. It is therefore necessary to temporarily +start Samba on a PDC so that it can join its own domain. +</p><p> +<a class="indexterm" name="id421416"></a> +<a class="indexterm" name="id421423"></a> +<a class="indexterm" name="id421430"></a> +Enter the following command to make the Samba server join the domain, where <em class="replaceable"><code>PDC</code></em> is +the name of your PDC and <em class="replaceable"><code>Administrator</code></em> is a domain user who has administrative +privileges in the domain. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id421450"></a> +<a class="indexterm" name="id421456"></a> +<a class="indexterm" name="id421463"></a> +<a class="indexterm" name="id421470"></a> +Before attempting to join a machine to the domain, verify that Samba is running +on the target domain controller (usually PDC) and that it is capable of being reached via ports +137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx). +</p></div><p> +<a class="indexterm" name="id421482"></a> +The use of the <code class="literal">net rpc join</code> facility is shown here: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</code></strong> +</pre><p> +The proper response to the command should be “<span class="quote">Joined the domain +<em class="replaceable"><code>DOMAIN</code></em></span>” where <em class="replaceable"><code>DOMAIN</code></em> +is your domain name. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id421528"></a>Starting and Testing the <code class="literal">winbindd</code> Daemon</h4></div></div></div><p> +<a class="indexterm" name="id421542"></a> +<a class="indexterm" name="id421549"></a> +<a class="indexterm" name="id421556"></a> +Eventually, you will want to modify your Samba startup script to automatically invoke the winbindd daemon when +the other parts of Samba start, but it is possible to test out just the Winbind portion first. To start up +Winbind services, enter the following command as root: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/sbin/winbindd</code></strong> +</pre><p> +Use the appropriate path to the location of the <code class="literal">winbindd</code> executable file. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id421592"></a> +<a class="indexterm" name="id421598"></a> +The command to start up Winbind services assumes that Samba has been installed in the +<code class="filename">/usr/local/samba</code> directory tree. You may need to search for the location of Samba files +if this is not the location of <code class="literal">winbindd</code> on your system. +</p></div><p> +<a class="indexterm" name="id421622"></a> +<a class="indexterm" name="id421629"></a> +I'm always paranoid and like to make sure the daemon is really running. +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>ps -ae | grep winbindd</code></strong> +</pre><p> +</p><p> +<a class="indexterm" name="id421655"></a> +This command should produce output like the following if the daemon is running. +</p><pre class="screen"> +3025 ? 00:00:00 winbindd +</pre><p> +</p><p> +<a class="indexterm" name="id421672"></a> +<a class="indexterm" name="id421679"></a> +Now, for the real test, try to get some information about the users on your PDC: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/bin/wbinfo -u</code></strong> +</pre><p> +This should echo back a list of users on your Windows users on your PDC. For example, I get the following +response: +</p><pre class="screen"> +CEO\Administrator +CEO\burdell +CEO\Guest +CEO\jt-ad +CEO\krbtgt +CEO\TsInternetUser +</pre><p> +Obviously, I have named my domain “<span class="quote">CEO</span>” and my <a class="indexterm" name="id421713"></a>winbind separator is +“<span class="quote">\</span>”. +</p><p> +<a class="indexterm" name="id421727"></a> +<a class="indexterm" name="id421734"></a> +You can do the same sort of thing to get group information from the PDC: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/bin/wbinfo -g</code></strong> +CEO\Domain Admins +CEO\Domain Users +CEO\Domain Guests +CEO\Domain Computers +CEO\Domain Controllers +CEO\Cert Publishers +CEO\Schema Admins +CEO\Enterprise Admins +CEO\Group Policy Creator Owners +</pre><p> +<a class="indexterm" name="id421761"></a> +<a class="indexterm" name="id421768"></a> +<a class="indexterm" name="id421774"></a> +<a class="indexterm" name="id421781"></a> +<a class="indexterm" name="id421788"></a> +<a class="indexterm" name="id421794"></a> +<a class="indexterm" name="id421801"></a> +The function <code class="literal">getent</code> can now be used to get unified lists of both local and PDC users and +groups. Try the following command: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>getent passwd</code></strong> +</pre><p> +You should get a list that looks like your <code class="filename">/etc/passwd</code> +list followed by the domain users with their new UIDs, GIDs, home +directories, and default shells. +</p><p> +The same thing can be done for groups with the command: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>getent group</code></strong> +</pre><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id421860"></a>Fix the init.d Startup Scripts</h4></div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id421865"></a>Linux</h5></div></div></div><p> +<a class="indexterm" name="id421873"></a> +<a class="indexterm" name="id421880"></a> +<a class="indexterm" name="id421887"></a> +<a class="indexterm" name="id421894"></a> +<a class="indexterm" name="id421900"></a> +<a class="indexterm" name="id421907"></a> +<a class="indexterm" name="id421914"></a> +<a class="indexterm" name="id421919"></a> +<a class="indexterm" name="id421925"></a> +The <span class="application">winbindd</span> daemon needs to start up after the <span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running. To accomplish this +task, you need to modify the startup scripts of your system. They are located at +<code class="filename">/etc/init.d/smb</code> in Red Hat Linux and in <code class="filename">/etc/init.d/samba</code> in Debian +Linux. Edit your script to add commands to invoke this daemon in the proper sequence. My startup script starts +up <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> from the <code class="filename">/usr/local/samba/bin</code> directory directly. The +<code class="literal">start</code> function in the script looks like this: +</p><pre class="programlisting"> +start() { + KIND="SMB" + echo -n $"Starting $KIND services: " + daemon /usr/local/samba/bin/smbd $SMBDOPTIONS + RETVAL=$? + echo + KIND="NMB" + echo -n $"Starting $KIND services: " + daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS + RETVAL2=$? + echo + KIND="Winbind" + echo -n $"Starting $KIND services: " + daemon /usr/local/samba/sbin/winbindd + RETVAL3=$? + echo + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + touch /var/lock/subsys/smb || RETVAL=1 + return $RETVAL +} +</pre><p>If you would like to run winbindd in dual daemon mode, replace the line: +</p><pre class="programlisting"> + daemon /usr/local/samba/sbin/winbindd +</pre><p> + +in the example above with: + +</p><pre class="programlisting"> + daemon /usr/local/samba/sbin/winbindd -B +</pre><p>. +</p><p> +The <code class="literal">stop</code> function has a corresponding entry to shut down the services and looks like this: +</p><pre class="programlisting"> +stop() { + KIND="SMB" + echo -n $"Shutting down $KIND services: " + killproc smbd + RETVAL=$? + echo + KIND="NMB" + echo -n $"Shutting down $KIND services: " + killproc nmbd + RETVAL2=$? + echo + KIND="Winbind" + echo -n $"Shutting down $KIND services: " + killproc winbindd + RETVAL3=$? + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + rm -f /var/lock/subsys/smb + echo "" + return $RETVAL +} +</pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id422049"></a>Solaris</h5></div></div></div><p> +Winbind does not work on Solaris 9; see <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Winbind on Solaris 9 section</a> +for details. +</p><p> +<a class="indexterm" name="id422068"></a> +<a class="indexterm" name="id422075"></a> +<a class="indexterm" name="id422082"></a> +<a class="indexterm" name="id422088"></a> +<a class="indexterm" name="id422095"></a> +<a class="indexterm" name="id422102"></a> +On Solaris, you need to modify the <code class="filename">/etc/init.d/samba.server</code> startup script. It +usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in +<code class="filename">/usr/local/samba/bin</code>, the file could contains something like this: +</p><p> + </p><pre class="programlisting"> + ## + ## samba.server + ## + + if [ ! -d /usr/bin ] + then # /usr not mounted + exit + fi + + killproc() { # kill the named process(es) + pid=`/usr/bin/ps -e | + /usr/bin/grep -w $1 | + /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` + [ "$pid" != "" ] && kill $pid + } + + # Start/stop processes required for Samba server + + case "$1" in + + 'start') + # + # Edit these lines to suit your installation (paths, workgroup, host) + # + echo Starting SMBD + /usr/local/samba/bin/smbd -D -s \ + /usr/local/samba/smb.conf + + echo Starting NMBD + /usr/local/samba/bin/nmbd -D -l \ + /usr/local/samba/var/log -s /usr/local/samba/smb.conf + + echo Starting Winbind Daemon + /usr/local/samba/sbin/winbindd + ;; + + 'stop') + killproc nmbd + killproc smbd + killproc winbindd + ;; + + *) + echo "Usage: /etc/init.d/samba.server { start | stop }" + ;; + esac +</pre><p> +Again, if you would like to run Samba in dual daemon mode, replace: +</p><pre class="programlisting"> +/usr/local/samba/sbin/winbindd +</pre><p> +in the script above with: +</p><pre class="programlisting"> +/usr/local/samba/sbin/winbindd -B +</pre><p> +</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id422168"></a>Restarting</h5></div></div></div><p> +<a class="indexterm" name="id422176"></a> +<a class="indexterm" name="id422182"></a> +If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you +should be able to connect to the Samba server as a domain member just as +if you were a local user. +</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id422211"></a>Configure Winbind and PAM</h4></div></div></div><p> +<a class="indexterm" name="id422219"></a> +<a class="indexterm" name="id422226"></a> +<a class="indexterm" name="id422233"></a> +<a class="indexterm" name="id422239"></a> +If you have made it this far, you know that <code class="literal">winbindd</code> and Samba are working together. If you +want to use Winbind to provide authentication for other services, keep reading. The PAM configuration files +need to be altered in this step. (Did you remember to make backups of your original +<code class="filename">/etc/pam.d</code> files? If not, do it now.) +</p><p> +<a class="indexterm" name="id422264"></a> +<a class="indexterm" name="id422270"></a> +<a class="indexterm" name="id422277"></a> +<a class="indexterm" name="id422284"></a> +<a class="indexterm" name="id422291"></a> +<a class="indexterm" name="id422298"></a> +You will need a PAM module to use winbindd with these other services. This module will be compiled in the +<code class="filename">../source/nsswitch</code> directory by invoking the command: +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>make nsswitch/pam_winbind.so</code></strong> +</pre><p> +from the <code class="filename">../source</code> directory. The <code class="filename">pam_winbind.so</code> file should be +copied to the location of your other PAM security modules. On my Red Hat system, this was the +<code class="filename">/lib/security</code> directory. On Solaris, the PAM security modules reside in +<code class="filename">/usr/lib/security</code>. +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</code></strong> +</pre><p> +</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id422370"></a>Linux/FreeBSD-Specific PAM Configuration</h5></div></div></div><p> +<a class="indexterm" name="id422378"></a> +The <code class="filename">/etc/pam.d/samba</code> file does not need to be changed. I just left this file as it was: +</p><pre class="programlisting"> +auth required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_stack.so service=system-auth +</pre><p> +<a class="indexterm" name="id422400"></a> +<a class="indexterm" name="id422407"></a> +<a class="indexterm" name="id422414"></a> +<a class="indexterm" name="id422421"></a> +<a class="indexterm" name="id422428"></a> +<a class="indexterm" name="id422434"></a> +<a class="indexterm" name="id422441"></a> +<a class="indexterm" name="id422448"></a> +<a class="indexterm" name="id422455"></a> +The other services that I modified to allow the use of Winbind as an authentication service were the normal +login on the console (or a terminal session), telnet logins, and ftp service. In order to enable these +services, you may first need to change the entries in <code class="filename">/etc/xinetd.d</code> (or +<code class="filename">/etc/inetd.conf</code>). Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this +case you need to change the lines in <code class="filename">/etc/xinetd.d/telnet</code> and +<code class="filename">/etc/xinetd.d/wu-ftp</code> from: +</p><pre class="programlisting"> + enable = no +</pre><p> +to +</p><pre class="programlisting"> + enable = yes +</pre><p> +<a class="indexterm" name="id422503"></a> +<a class="indexterm" name="id422509"></a> +<a class="indexterm" name="id422516"></a> +For ftp services to work properly, you will also need to either have individual directories for the domain +users already present on the server or change the home directory template to a general directory for all +domain users. These can be easily set using the <code class="filename">smb.conf</code> global entry <a class="indexterm" name="id422531"></a>template homedir. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +<a class="indexterm" name="id422543"></a> +The directory in <a class="indexterm" name="id422550"></a>template homedir is not created automatically! Use pam_mkhomedir or +pre-create the directories of users to make sure users can log in on UNIX with their own home directory. +</p></div><p> +<a class="indexterm" name="id422561"></a> +<a class="indexterm" name="id422568"></a> +<a class="indexterm" name="id422575"></a> +The <code class="filename">/etc/pam.d/ftp</code> file can be changed to allow Winbind ftp access in a manner similar to +the samba file. My <code class="filename">/etc/pam.d/ftp</code> file was changed to look like this: +</p><pre class="programlisting"> +auth required /lib/security/pam_listfile.so item=user sense=deny \ + file=/etc/ftpusers onerr=succeed +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_shells.so +account sufficient /lib/security/pam_winbind.so +account required /lib/security/pam_stack.so service=system-auth +session required /lib/security/pam_stack.so service=system-auth +</pre><p> +<a class="indexterm" name="id422606"></a> +The <code class="filename">/etc/pam.d/login</code> file can be changed in nearly the same way. It now looks like this: +</p><pre class="programlisting"> +auth required /lib/security/pam_securetty.so +auth sufficient /lib/security/pam_winbind.so +auth sufficient /lib/security/pam_unix.so use_first_pass +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_nologin.so +account sufficient /lib/security/pam_winbind.so +account required /lib/security/pam_stack.so service=system-auth +password required /lib/security/pam_stack.so service=system-auth +session required /lib/security/pam_stack.so service=system-auth +session optional /lib/security/pam_console.so +</pre><p> +<a class="indexterm" name="id422631"></a> +<a class="indexterm" name="id422638"></a> +<a class="indexterm" name="id422644"></a> +In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p> lines +as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p> above it to disallow +root logins over the network. I also added a </p><pre class="programlisting">sufficient /lib/security/pam_unix.so +use_first_pass</pre><p> line after the <code class="literal">winbind.so</code> line to get rid of annoying +double prompts for passwords. +</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id422679"></a>Solaris-Specific Configuration</h5></div></div></div><p> +<a class="indexterm" name="id422687"></a> +<a class="indexterm" name="id422694"></a> +The <code class="filename">/etc/pam.conf</code> needs to be changed. I changed this file so my Domain +users can log on both locally as well as with telnet. The following are the changes +that I made. You can customize the <code class="filename">pam.conf</code> file as per your requirements, but +be sure of those changes because in the worst case it will leave your system +nearly impossible to boot. +</p><pre class="programlisting"> +# +#ident "@(#)pam.conf 1.14 99/09/16 SMI" +# +# Copyright (c) 1996-1999, Sun Microsystems, Inc. +# All Rights Reserved. +# +# PAM configuration +# +# Authentication management +# +login auth required /usr/lib/security/pam_winbind.so +login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass +# +rlogin auth sufficient /usr/lib/security/pam_winbind.so +rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 +rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +# +dtlogin auth sufficient /usr/lib/security/pam_winbind.so +dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +# +rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 +other auth sufficient /usr/lib/security/pam_winbind.so +other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +# +# Account management +# +login account sufficient /usr/lib/security/pam_winbind.so +login account requisite /usr/lib/security/$ISA/pam_roles.so.1 +login account required /usr/lib/security/$ISA/pam_unix.so.1 +# +dtlogin account sufficient /usr/lib/security/pam_winbind.so +dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 +dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 +# +other account sufficient /usr/lib/security/pam_winbind.so +other account requisite /usr/lib/security/$ISA/pam_roles.so.1 +other account required /usr/lib/security/$ISA/pam_unix.so.1 +# +# Session management +# +other session required /usr/lib/security/$ISA/pam_unix.so.1 +# +# Password management +# +#other password sufficient /usr/lib/security/pam_winbind.so +other password required /usr/lib/security/$ISA/pam_unix.so.1 +dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 +# +# Support for Kerberos V5 authentication (uncomment to use Kerberos) +# +#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 +#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 +#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 +#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +</pre><p> +<a class="indexterm" name="id422762"></a> +I also added a <em class="parameter"><code>try_first_pass</code></em> line after the <code class="filename">winbind.so</code> +line to get rid of annoying double prompts for passwords. +</p><p> +Now restart your Samba and try connecting through your application that you +configured in the pam.conf. +</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id422791"></a>Conclusion</h2></div></div></div><p> +<a class="indexterm" name="id422799"></a> +<a class="indexterm" name="id422806"></a> +<a class="indexterm" name="id422812"></a> +<a class="indexterm" name="id422819"></a> +<a class="indexterm" name="id422826"></a> +The Winbind system, through the use of the NSS, PAMs, and appropriate Microsoft RPC calls, have allowed us to +provide seamless integration of Microsoft Windows NT domain users on a UNIX system. The result is a great +reduction in the administrative cost of running a mixed UNIX and NT network. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id422837"></a>Common Errors</h2></div></div></div><p> + Winbind has a number of limitations in its current released version that we hope to overcome in future releases: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Winbind is currently only available for the Linux, Solaris, AIX, and IRIX operating systems, although + ports to other operating systems are certainly possible. For such ports to be feasible, we require the C + library of the target operating system to support the NSS and PAM systems. This is becoming more common as NSS + and PAM gain support among UNIX vendors. + </p></li><li><p> + The mappings of Windows NT RIDs to UNIX IDs is not made algorithmically and depends on the order in + which unmapped users or groups are seen by Winbind. It may be difficult to recover the mappings of RID to UNIX + ID if the file containing this information is corrupted or destroyed. + </p></li><li><p> + Currently the Winbind PAM module does not take into account possible workstation and logon time + restrictions that may be set for Windows NT users; this is instead up to the PDC to enforce. + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id422871"></a>NSCD Problem Warning</h3></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Do not under any circumstances run <code class="literal">nscd</code> on any system + on which <code class="literal">winbindd</code> is running. + </p></div><p> + If <code class="literal">nscd</code> is running on the UNIX/Linux system, then + even though NSSWITCH is correctly configured, it will not be possible to resolve + domain users and groups for file and directory controls. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id422905"></a>Winbind Is Not Resolving Users and Groups</h3></div></div></div><p>“<span class="quote"> + My <code class="filename">smb.conf</code> file is correctly configured. I have specified <a class="indexterm" name="id422921"></a>idmap uid = 12000, + and <a class="indexterm" name="id422928"></a>idmap gid = 3000-3500 and <code class="literal">winbind</code> is running. + When I do the following, it all works fine. + </span>”</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong> +MIDEARTH\maryo +MIDEARTH\jackb +MIDEARTH\ameds +... +MIDEARTH\root + +<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong> +MIDEARTH\Domain Users +MIDEARTH\Domain Admins +MIDEARTH\Domain Guests +... +MIDEARTH\Accounts + +<code class="prompt">root# </code><strong class="userinput"><code>getent passwd</code></strong> +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +... +maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false +</pre><p>“<span class="quote"> +But the following command just fails: +</span>” +</p><pre class="screen"> +<code class="prompt">root# </code><strong class="userinput"><code>chown maryo a_file</code></strong> +chown: `maryo': invalid user +</pre><p> +“<span class="quote"> +This is driving me nuts! What can be wrong? +</span>”</p><p> +Same problem as the one above. +Your system is likely running <code class="literal">nscd</code>, the name service +caching daemon. Shut it down, do not restart it! You will find your problem resolved. +Alternately, fix the operation of nscd to resolve the problem. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. Stackable VFS modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. Advanced Network Management</td></tr></table></div></body></html> diff --git a/docs/htmldocs/index.html b/docs/htmldocs/index.html new file mode 100644 index 0000000000..e22808c535 --- /dev/null +++ b/docs/htmldocs/index.html @@ -0,0 +1,41 @@ +<html> +<head><title>Samba documentation collection</title> +<link rel="stylesheet" href="samba.css" type="text/css"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<hr> +<div class="book" lang="en"> + <div class="titlepage"> + <h1 class="title"><a name="Samba documentation collection"></a>Samba documentation collection</h1> + </div> +</div> +<hr> +<table> + <td valign="top">SAMBA <a href="Samba3-Developers-Guide/index.html">Developers</a> Guide</td> + <td valign="top">This book is a collection of documents that might be useful for people developing samba or those interested in doing so. It's nothing more than a collection of documents written by samba developers about the internals of various parts of samba and the SMB protocol. It's still (and will always be) incomplete.</td> +</tr> +<tr> +<td valign="top">Samba-3 by <a href="Samba3-ByExample/index.html">Example</a></td> + <td valign="top">Practical Exercises in Successful Samba Deployment.</td> +</tr> +<tr> + <td valign="top">The Official Samba-3 <a href="Samba3-HOWTO/index.html">HOWTO</a> and Reference Guide</td> + <td valign="top">This book provides example configurations, it documents key aspects of Microsoft Windows networking, provides in-depth insight into the important configuration of Samba-3, and helps to put all of these into a useful framework.</td> +</tr> +<tr> + <td valign="top"><a href="using_samba/toc.html">Using Samba</a>, 2nd Edition</td> + <td valign="top"><i>Using Samba</i>, Second Edition is a comprehensive guide to Samba administration. It covers all versions of Samba from 2.0 to 2.2, including selected features from an alpha version of 3.0, as well as the SWAT graphical configuration tool. Updated for Windows 2000, ME, and XP, the book also explores Samba's new role as a primary domain controller and domain member server, its support for the use of Windows NT/2000/XP authentication and filesystem security on the host Unix system, and accessing shared files and printers from Unix clients.</td> +</tr> +<tr> + <td valign="top"><a href="manpages/index.html">Man pages</a></td> + <td valign="top">The Samba man pages in HTML.</td> +</tr> +<tr> + <td valign="top"><a href="../../WHATSNEW.txt">WHATSNEW</a></td> + <td valign="top">Samba Release Notes.</td> +</tr> +<tr> + <td valign="top"><a href="../../README.VENDOR">README.VENDOR</a></td> + <td valign="top">VENDOR specific information.</td> +</tr> +</table></body></html> diff --git a/docs/htmldocs/manpages/eventlogadm.8.html b/docs/htmldocs/manpages/eventlogadm.8.html new file mode 100644 index 0000000000..f9c6cf859b --- /dev/null +++ b/docs/htmldocs/manpages/eventlogadm.8.html @@ -0,0 +1,109 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>eventlogadm</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="eventlogadm.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>eventlogadm — push records into the Samba event log store</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">eventlogadm</code> [<code class="option">-d</code>] [<code class="option">-h</code>] <code class="option">-o</code> + <code class="literal">addsource</code> + <em class="replaceable"><code>EVENTLOG</code></em> + <em class="replaceable"><code>SOURCENAME</code></em> + <em class="replaceable"><code>MSGFILE</code></em> + </p></div><div class="cmdsynopsis"><p><code class="literal">eventlogadm</code> [<code class="option">-d</code>] [<code class="option">-h</code>] <code class="option">-o</code> + <code class="literal">write</code> + <em class="replaceable"><code>EVENTLOG</code></em> + </p></div></div><div class="refsect1" lang="en"><a name="id299251"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.1.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(1)</span></a> suite.</p><p><code class="literal">eventlogadm</code> is a filter that accepts + formatted event log records on standard input and writes them + to the Samba event log store. Windows client can then manipulate + these record using the usual administration tools.</p></div><div class="refsect1" lang="en"><a name="id266714"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term"><code class="option">-d</code></span></dt><dd><p> + The <code class="literal">-d</code> option causes <code class="literal">eventlogadm</code> to emit debugging + information. + </p></dd><dt><span class="term"> + <code class="option">-o</code> + <code class="literal">addsource</code> + <em class="replaceable"><code>EVENTLOG</code></em> + <em class="replaceable"><code>SOURCENAME</code></em> + <em class="replaceable"><code>MSGFILE</code></em> + </span></dt><dd><p> + The <code class="literal">-o addsource</code> option creates a + new event log source. + </p></dd><dt><span class="term"> + <code class="option">-o</code> + <code class="literal">write</code> + <em class="replaceable"><code>EVENTLOG</code></em> + </span></dt><dd><p> + The <code class="literal">-o write</code> reads event log + records from standard input and writes them to theSamba + event log store named by EVENTLOG. + </p></dd><dt><span class="term"><code class="option">-h</code></span></dt><dd><p> + Print usage information. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266828"></a><h2>EVENTLOG RECORD FORMAT</h2><p>For the write operation, <code class="literal">eventlogadm</code> + expects to be able to read structured records from standard + input. These records are a sequence of lines, with the record key + and data separated by a colon character. Records are separated + by at least one or more blank line.</p><p>The event log record field are:</p><div class="itemizedlist"><ul type="disc"><li><p> + <code class="literal">LEN</code> - This field should be 0, since <code class="literal">eventlogadm</code> will calculate this value. + </p></li><li><p> + <code class="literal">RS1</code> - This must be the value 1699505740. + </p></li><li><p> + <code class="literal">RCN</code> - This field should be 0. + </p></li><li><p> + <code class="literal">TMG</code> - The time the eventlog record + was generated; format is the number of seconds since + 00:00:00 January 1, 1970, UTC. + </p></li><li><p> + <code class="literal">TMW</code> - The time the eventlog record was + written; format is the number of seconds since 00:00:00 + January 1, 1970, UTC. + </p></li><li><p> + <code class="literal">EID</code> - The eventlog ID. + </p></li><li><p> + <code class="literal">ETP</code> - The event type -- one of + "INFO", + "ERROR", "WARNING", "AUDIT + SUCCESS" or "AUDIT FAILURE". + </p></li><li><p> + <code class="literal">ECT</code> - The event category; this depends + on the message file. It is primarily used as a means of + filtering in the eventlog viewer. + </p></li><li><p> + <code class="literal">RS2</code> - This field should be 0. + </p></li><li><p> + <code class="literal">CRN</code> - This field should be 0. + </p></li><li><p> + <code class="literal">USL</code> - This field should be 0. + </p></li><li><p> + <code class="literal">SRC</code> - This field contains the source + name associated with the event log. If a message file is + used with an event log, there will be a registry entry + for associating this source name with a message file DLL. + </p></li><li><p> + <code class="literal">SRN</code> - he name of the machine on + which the eventlog was generated. This is typically the + host name. + </p></li><li><p> + <code class="literal">STR</code> - The text associated with the + eventlog. There may be more than one string in a record. + </p></li><li><p> + <code class="literal">DAT</code> - This field should be left unset. + </p></li></ul></div></div><div class="refsect1" lang="en"><a name="id307897"></a><h2>EXAMPLES</h2><p>An example of the record format accepted by <code class="literal">eventlogadm</code>:</p><pre class="programlisting"> + LEN: 0 + RS1: 1699505740 + RCN: 0 + TMG: 1128631322 + TMW: 1128631322 + EID: 1000 + ETP: INFO + ECT: 0 + RS2: 0 + CRN: 0 + USL: 0 + SRC: cron + SRN: dmlinux + STR: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly) + DAT: + </pre><p>Set up an eventlog source, specifying a message file DLL:</p><pre class="programlisting"> + eventlogadm -o addsource Application MyApplication | \\ + %SystemRoot%/system32/MyApplication.dll + </pre><p>Filter messages from the system log into an event log:</p><pre class="programlisting"> + tail -f /var/log/messages | \\ + my_program_to_parse_into_eventlog_records | \\ + eventlogadm SystemLogEvents + </pre></div><div class="refsect1" lang="en"><a name="id307938"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id307948"></a><h2>AUTHOR</h2><p> The original Samba software and related utilities were + created by Andrew Tridgell. Samba is now developed by the + Samba Team as an Open Source project similar to the way the + Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/findsmb.1.html b/docs/htmldocs/manpages/findsmb.1.html new file mode 100644 index 0000000000..84c97977b8 --- /dev/null +++ b/docs/htmldocs/manpages/findsmb.1.html @@ -0,0 +1,62 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>findsmb</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="findsmb.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>findsmb — list info about machines that respond to SMB + name queries on a subnet</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">findsmb</code> [subnet broadcast address]</p></div></div><div class="refsect1" lang="en"><a name="id267679"></a><h2>DESCRIPTION</h2><p>This perl script is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> + suite.</p><p><code class="literal">findsmb</code> is a perl script that + prints out several pieces of information about machines + on a subnet that respond to SMB name query requests. + It uses <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a> + and <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a> + to obtain this information. + </p></div><div class="refsect1" lang="en"><a name="id299210"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-r</span></dt><dd><p>Controls whether <code class="literal">findsmb</code> takes + bugs in Windows95 into account when trying to find a Netbios name + registered of the remote machine. This option is disabled by default + because it is specific to Windows 95 and Windows 95 machines only. + If set, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a> + will be called with <code class="constant">-B</code> option.</p></dd><dt><span class="term">subnet broadcast address</span></dt><dd><p>Without this option, <code class="literal">findsmb + </code> will probe the subnet of the machine where + <a href="findsmb.1.html"><span class="citerefentry"><span class="refentrytitle">findsmb</span>(1)</span></a> + is run. This value is passed to + <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a> + as part of the <code class="constant">-B</code> option.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266719"></a><h2>EXAMPLES</h2><p>The output of <code class="literal">findsmb</code> lists the following + information for all machines that respond to the initial + <code class="literal">nmblookup</code> for any name: IP address, NetBIOS name, + Workgroup name, operating system, and SMB server version.</p><p>There will be a '+' in front of the workgroup name for + machines that are local master browsers for that workgroup. There + will be an '*' in front of the workgroup name for + machines that are the domain master browser for that workgroup. + Machines that are running Windows for Workgroups, Windows 95 or + Windows 98 will + not show any information about the operating system or server + version.</p><p>The command with <code class="constant">-r</code> option + must be run on a system without <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> running. + + If <code class="literal">nmbd</code> is running on the system, you will + only get the IP address and the DNS name of the machine. To + get proper responses from Windows 95 and Windows 98 machines, + the command must be run as root and with <code class="constant">-r</code> + option on a machine without <code class="literal">nmbd</code> running.</p><p>For example, running <code class="literal">findsmb</code> + without <code class="constant">-r</code> option set would yield output similar + to the following</p><pre class="programlisting"> +IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION +--------------------------------------------------------------------- +192.168.35.10 MINESET-TEST1 [DMVENGR] +192.168.35.55 LINUXBOX *[MYGROUP] [Unix] [Samba 2.0.6] +192.168.35.56 HERBNT2 [HERB-NT] +192.168.35.63 GANDALF [MVENGR] [Unix] [Samba 2.0.5a for IRIX] +192.168.35.65 SAUNA [WORKGROUP] [Unix] [Samba 1.9.18p10] +192.168.35.71 FROGSTAR [ENGR] [Unix] [Samba 2.0.0 for IRIX] +192.168.35.78 HERBDHCP1 +[HERB] +192.168.35.88 SCNT2 +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0] +192.168.35.93 FROGSTAR-PC [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager] +192.168.35.97 HERBNT1 *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0] +</pre></div><div class="refsect1" lang="en"><a name="id266812"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266822"></a><h2>SEE ALSO</h2><p><a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, + <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, and <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a> + </p></div><div class="refsect1" lang="en"><a name="id266878"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top">ftp://ftp.icce.rug.nl/pub/unix/</a>) + and updated for the Samba 2.0 release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook + XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/idmap_ad.8.html b/docs/htmldocs/manpages/idmap_ad.8.html new file mode 100644 index 0000000000..14477cc5fc --- /dev/null +++ b/docs/htmldocs/manpages/idmap_ad.8.html @@ -0,0 +1,41 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_ad</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="idmap_ad.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_ad — Samba's idmap_ad Backend for Winbind</p></div><div class="refsynopsisdiv"><h2>DESCRIPTION</h2><p>The idmap_ad plugin provides a way for Winbind to read + id mappings from an AD server that uses RFC2307/SFU schema + extensions. This module implements only the "idmap" + API, and is READONLY. Mappings must be provided in advance + by the administrator by adding the posixAccount/posixGroup + classess and relative attribute/value pairs to the users and + groups objects in AD</p></div><div class="refsect1" lang="en"><a name="id267675"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p> + Defines the available matching uid and gid range for which the + backend is authoritative. Note that the range acts as a filter. + If specified any UID or GID stored in AD that fall outside the + range is ignored and the corresponding map is discarded. + It is intended as a way to avoid accidental UID/GID overlaps + between local and remotely defined IDs. + </p></dd><dt><span class="term">schema_mode = <rfc2307 | sfu ></span></dt><dd><p> + Defines the schema that idmap_ad should use when querying + Active Directory regarding user and group information. + This can either the RFC2307 schema support included + in Windows 2003 R2 or the Service for Unix (SFU) schema. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299200"></a><h2>EXAMPLES</h2><p> + The following example shows how to retrieve idmappings from our principal and + and trusted AD domains. All is needed is to set default to yes. If trusted + domains are present id conflicts must be resolved beforehand, there is no + guarantee on the order conflicting mappings would be resolved at this point. + + This example also shows how to leave a small non conflicting range for local + id allocation that may be used in internal backends like BUILTIN. + </p><pre class="programlisting"> + [global] + idmap domains = ALLDOMAINS + idmap config ALLDOMAINS:backend = ad + idmap config ALLDOMAINS:default = yes + idmap config ALLDOMAINS:range = 10000 - 300000000 + + idmap alloc backend = tdb + idmap alloc config:range = 5000 - 9999 + </pre></div><div class="refsect1" lang="en"><a name="id299221"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/idmap_ldap.8.html b/docs/htmldocs/manpages/idmap_ldap.8.html new file mode 100644 index 0000000000..9510f2a7ac --- /dev/null +++ b/docs/htmldocs/manpages/idmap_ldap.8.html @@ -0,0 +1,69 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_ldap</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="idmap_ldap.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_ldap — Samba's idmap_ldap Backend for Winbind</p></div><div class="refsynopsisdiv"><h2>DESCRIPTION</h2><p>The idmap_ldap plugin provides a means for Winbind to + store and retrieve SID/uid/gid mapping tables in an LDAP directory + service. The module implements both the "idmap" and + "idmap alloc" APIs. + </p></div><div class="refsect1" lang="en"><a name="id267671"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p> + Defines the directory base suffix to use when searching for + SID/uid/gid mapping entries. If not defined, idmap_ldap will default + to using the "ldap idmap suffix" option from smb.conf. + </p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p> + Defines the user DN to be used for authentication. If absent an + anonymous bind will be performed. + </p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p> + Specifies the LDAP server to use when searching for existing + SID/uid/gid map entries. If not defined, idmap_ldap will + assume that ldap://localhost/ should be used. + </p></dd><dt><span class="term">range = low - high</span></dt><dd><p> + Defines the available matching uid and gid range for which the + backend is authoritative. Note that the range commonly matches + the allocation range due to the fact that the same backend will + store and retrieve SID/uid/gid mapping entries. If the parameter + is absent, Winbind fail over to use the "idmap uid" and + "idmap gid" options from smb.conf. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299222"></a><h2>IDMAP ALLOC OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p> + Defines the directory base suffix under which new SID/uid/gid mapping + entries should be stored. If not defined, idmap_ldap will default + to using the "ldap idmap suffix" option from smb.conf. + </p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p> + Defines the user DN to be used for authentication. If absent an + anonymous bind will be performed. + </p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p> + Specifies the LDAP server to which modify/add/delete requests should + be sent. If not defined, idmap_ldap will assume that ldap://localhost/ + should be used. + </p></dd><dt><span class="term">range = low - high</span></dt><dd><p> + Defines the available matching uid and gid range from which + winbindd can allocate for users and groups. If the parameter + is absent, Winbind fail over to use the "idmap uid" + and "idmap gid" options from smb.conf. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266718"></a><h2>EXAMPLES</h2><p> + The follow sets of a LDAP configuration which uses a slave server + running on localhost for fast fetching SID/gid/uid mappings, it + implies correct configuration of referrals. + The idmap alloc backend is pointed directly to the master to skip + the referral (and consequent reconnection to the master) that the + slave would return as allocation requires writing on the master. + </p><pre class="programlisting"> + [global] + idmap domains = ALLDOMAINS + idmap config ALLDOMAINS:default = yes + idmap config ALLDOMAINS:backend = ldap + idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com + idmap config ALLDOMAINS:ldap_url = ldap://localhost/ + idmap config ALLDOMAINS:range = 10000 - 50000 + + idmap alloc backend = ldap + idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com + idmap alloc config:ldap_url = ldap://master.example.com/ + idmap alloc config:range = 10000 - 50000 + </pre></div><div class="refsynopsisdiv"><h2>NOTE</h2><p>In order to use authentication against ldap servers you may + need to provide a DN and a password. To avoid exposing the password + in plain text in the configuration file we store it into a security + store. The "net idmap " command is used to store a secret + for the DN specified in a specific idmap domain. + </p></div><div class="refsect1" lang="en"><a name="id266753"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/idmap_nss.8.html b/docs/htmldocs/manpages/idmap_nss.8.html new file mode 100644 index 0000000000..b1aedf900b --- /dev/null +++ b/docs/htmldocs/manpages/idmap_nss.8.html @@ -0,0 +1,28 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_nss</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="idmap_nss.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_nss — Samba's idmap_nss Backend for Winbind</p></div><div class="refsynopsisdiv"><h2>DESCRIPTION</h2><p>The idmap_nss plugin provides a means to map Unix users and groups + to Windows accounts and obseletes the "winbind trusted domains only" + smb.conf option. This provides a simple means of ensuring that the SID + for a Unix user named jsmith is reported as the one assigned to + DOMAIN\jsmith which is necessary for reporting ACLs on files and printers + stored on a Samba member server. + </p></div><div class="refsect1" lang="en"><a name="id267675"></a><h2>EXAMPLES</h2><p> + This example shows how to use idmap_nss to check the local accounts for its + own domain while using allocation to create new mappings for trusted domains + </p><pre class="programlisting"> + [global] + idmap domains = SAMBA TRUSTEDDOMAINS + + idmap config SAMBA:backend = nss + idmap config SAMBA:readonly = yes + + idmap config TRUSTEDDOMAINS:default = yes + idmap config TRUSTEDDOMAINS:backend = tdb + idmap config TRUSTEDDOMAINS:range = 10000 - 50000 + + idmap alloc backend = tdb + idmap alloc config:range = 10000 - 50000 + </pre></div><div class="refsect1" lang="en"><a name="id267694"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/idmap_rid.8.html b/docs/htmldocs/manpages/idmap_rid.8.html new file mode 100644 index 0000000000..dbab83a449 --- /dev/null +++ b/docs/htmldocs/manpages/idmap_rid.8.html @@ -0,0 +1,32 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_rid</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="idmap_rid.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_rid — Samba's idmap_rid Backend for Winbind</p></div><div class="refsynopsisdiv"><h2>DESCRIPTION</h2><p>The idmap_rid backend provides a way to use an algorithmic + mapping scheme to map UIDs/GIDs and SIDs. No database is required + in this case as the mapping is deterministic.</p></div><div class="refsect1" lang="en"><a name="id267671"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p> + Defines the available matching uid and gid range for which the + backend is authoritative. Note that the range acts as a filter. + If algorithmically determined UID or GID fall outside the + range, they are ignored and the corresponding map is discarded. + It is intended as a way to avoid accidental UID/GID overlaps + between local and remotely defined IDs. + </p></dd><dt><span class="term">base_rid = INTEGER</span></dt><dd><p> + Defines the base integer used to build SIDs out of an UID or a GID, + and to rebase the UID or GID to be obtained from a SID. User RIDs + by default start at 1000 (512 hexadecimal), this means a good value + for base_rid can be 1000 as the resulting ID is calculated this way: + ID = RID - BASE_RID + LOW RANGE ID. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299199"></a><h2>EXAMPLES</h2><p>This example shows how to configure 2 domains with idmap_rid</p><pre class="programlisting"> + [global] + idmap domains = MAIN TRUSTED1 + + idmap config MAIN:backend = rid + idmap config MAIN:base_rid = 0 + idmap config MAIN:range = 10000 - 49999 + + idmap config TRUSTED1:backend = rid + idmap config TRUSTED1:base_rid = 1000 + idmap config TRUSTED1:range = 50000 - 99999 + </pre></div><div class="refsect1" lang="en"><a name="id299217"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/idmap_tdb.8.html b/docs/htmldocs/manpages/idmap_tdb.8.html new file mode 100644 index 0000000000..6ab21584f9 --- /dev/null +++ b/docs/htmldocs/manpages/idmap_tdb.8.html @@ -0,0 +1,33 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_tdb</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="idmap_tdb.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_tdb — Samba's idmap_tdb Backend for Winbind</p></div><div class="refsynopsisdiv"><h2>DESCRIPTION</h2><p>The idmap_tdb plugin is the default backend used by winbindd + for storing SID/uid/gid mapping tables and implements + both the "idmap" and "idmap alloc" APIs. + </p></div><div class="refsect1" lang="en"><a name="id267671"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p> + Defines the available matching uid and gid range for which the + backend is authoritative. Note that the range commonly matches + the allocation range due to the fact that the same backend will + store and retrieve SID/uid/gid mapping entries. If the parameter + is absent, Winbind fail over to use the "idmap uid" and + "idmap gid" options from smb.conf. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id267696"></a><h2>IDMAP ALLOC OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p> + Defines the available matching uid and gid range from which + winbindd can allocate for users and groups. If the parameter + is absent, Winbind fail over to use the "idmap uid" + and "idmap gid" options from smb.conf. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299208"></a><h2>EXAMPLES</h2><p> + The following example is equivalent to the pre-3.0.25 default idmap + configuration using the "idmap backend = tdb" setting. + </p><pre class="programlisting"> + [global] + idmap domains = ALLDOMAINS + idmap config ALLDOMAINS:default = yes + idmap config ALLDOMAINS:backend = tdb + idmap config ALLDOMAINS:range = 10000 - 50000 + + idmap alloc backend = tdb + idmap alloc config:range = 10000 - 50000 + </pre></div><div class="refsect1" lang="en"><a name="id299226"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/index.html b/docs/htmldocs/manpages/index.html new file mode 100644 index 0000000000..ca031be3eb --- /dev/null +++ b/docs/htmldocs/manpages/index.html @@ -0,0 +1,84 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title></title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="titlepage"><hr></div><div class="variablelist"><dl><dt><span class="term"><a href="eventlogadm.8.html" target="_top">eventlogadm(8)</a></span></dt><dd><p>push records into the Samba event log store +</p></dd><dt><span class="term"><a href="findsmb.1.html" target="_top">findsmb(1)</a></span></dt><dd><p>list info about machines that respond to SMB + name queries on a subnet +</p></dd><dt><span class="term"><a href="idmap_ad.8.html" target="_top">idmap_ad(8)</a></span></dt><dd><p>Samba's idmap_ad Backend for Winbind +</p></dd><dt><span class="term"><a href="idmap_ldap.8.html" target="_top">idmap_ldap(8)</a></span></dt><dd><p>Samba's idmap_ldap Backend for Winbind +</p></dd><dt><span class="term"><a href="idmap_nss.8.html" target="_top">idmap_nss(8)</a></span></dt><dd><p>Samba's idmap_nss Backend for Winbind +</p></dd><dt><span class="term"><a href="idmap_rid.8.html" target="_top">idmap_rid(8)</a></span></dt><dd><p>Samba's idmap_rid Backend for Winbind +</p></dd><dt><span class="term"><a href="idmap_tdb.8.html" target="_top">idmap_tdb(8)</a></span></dt><dd><p>Samba's idmap_tdb Backend for Winbind +</p></dd><dt><span class="term"><a href="ldb.3.html" target="_top">ldb(3)</a></span></dt><dd><p>A light-weight database library +</p></dd><dt><span class="term"><a href="ldbadd.1.html" target="_top">ldbadd(1)</a></span></dt><dd><p>Command-line utility for adding records to an LDB +</p></dd><dt><span class="term"><a href="ldbdel.1.html" target="_top">ldbdel(1)</a></span></dt><dd><p>Command-line program for deleting LDB records +</p></dd><dt><span class="term"><a href="ldbedit.1.html" target="_top">ldbedit(1)</a></span></dt><dd><p>Edit LDB databases using your preferred editor +</p></dd><dt><span class="term"><a href="ldbmodify.1.html" target="_top">ldbmodify(1)</a></span></dt><dd><p>Modify records in a LDB database +</p></dd><dt><span class="term"><a href="ldbsearch.1.html" target="_top">ldbsearch(1)</a></span></dt><dd><p>Search for records in a LDB database +</p></dd><dt><span class="term"><a href="libsmbclient.7.html" target="_top">libsmbclient(7)</a></span></dt><dd><p>An extension library for browsers and that can be used as a generic browsing API. +</p></dd><dt><span class="term"><a href="lmhosts.5.html" target="_top">lmhosts(5)</a></span></dt><dd><p>The Samba NetBIOS hosts file +</p></dd><dt><span class="term"><a href="log2pcap.1.html" target="_top">log2pcap(1)</a></span></dt><dd><p>Extract network traces from Samba log files +</p></dd><dt><span class="term"><a href="mount.cifs.8.html" target="_top">mount.cifs(8)</a></span></dt><dd><p>mount using the Common Internet File System (CIFS) +</p></dd><dt><span class="term"><a href="net.8.html" target="_top">net(8)</a></span></dt><dd><p>Tool for administration of Samba and remote + CIFS servers. + +</p></dd><dt><span class="term"><a href="nmbd.8.html" target="_top">nmbd(8)</a></span></dt><dd><p>NetBIOS name server to provide NetBIOS + over IP naming services to clients +</p></dd><dt><span class="term"><a href="nmblookup.1.html" target="_top">nmblookup(1)</a></span></dt><dd><p>NetBIOS over TCP/IP client used to lookup NetBIOS + names +</p></dd><dt><span class="term"><a href="ntlm_auth.1.html" target="_top">ntlm_auth(1)</a></span></dt><dd><p>tool to allow external access to Winbind's NTLM authentication function +</p></dd><dt><span class="term"><a href="pam_winbind.7.html" target="_top">pam_winbind(7)</a></span></dt><dd><p>PAM module for Winbind +</p></dd><dt><span class="term"><a href="pdbedit.8.html" target="_top">pdbedit(8)</a></span></dt><dd><p>manage the SAM database (Database of Samba Users) +</p></dd><dt><span class="term"><a href="profiles.1.html" target="_top">profiles(1)</a></span></dt><dd><p>A utility to report and change SIDs in registry files + +</p></dd><dt><span class="term"><a href="rpcclient.1.html" target="_top">rpcclient(1)</a></span></dt><dd><p>tool for executing client side + MS-RPC functions +</p></dd><dt><span class="term"><a href="samba.7.html" target="_top">samba(7)</a></span></dt><dd><p>A Windows SMB/CIFS fileserver for UNIX +</p></dd><dt><span class="term"><a href="smb.conf.5.html" target="_top">smb.conf(5)</a></span></dt><dd><p>The configuration file for the Samba suite +</p></dd><dt><span class="term"><a href="smbcacls.1.html" target="_top">smbcacls(1)</a></span></dt><dd><p>Set or get ACLs on an NT file or directory names +</p></dd><dt><span class="term"><a href="smbclient.1.html" target="_top">smbclient(1)</a></span></dt><dd><p>ftp-like client to access SMB/CIFS resources + on servers +</p></dd><dt><span class="term"><a href="smbcontrol.1.html" target="_top">smbcontrol(1)</a></span></dt><dd><p>send messages to smbd, nmbd or winbindd processes +</p></dd><dt><span class="term"><a href="smbcquotas.1.html" target="_top">smbcquotas(1)</a></span></dt><dd><p>Set or get QUOTAs of NTFS 5 shares +</p></dd><dt><span class="term"><a href="smbd.8.html" target="_top">smbd(8)</a></span></dt><dd><p>server to provide SMB/CIFS services to clients +</p></dd><dt><span class="term"><a href="smbget.1.html" target="_top">smbget(1)</a></span></dt><dd><p>wget-like utility for download files over SMB +</p></dd><dt><span class="term"><a href="smbgetrc.5.html" target="_top">smbgetrc(5)</a></span></dt><dd><p>configuration file for smbget +</p></dd><dt><span class="term"><a href="smbmnt.8.html" target="_top">smbmnt(8)</a></span></dt><dd><p>helper utility for mounting SMB filesystems +</p></dd><dt><span class="term"><a href="smbmount.8.html" target="_top">smbmount(8)</a></span></dt><dd><p>mount an smbfs filesystem +</p></dd><dt><span class="term"><a href="smbpasswd.5.html" target="_top">smbpasswd(5)</a></span></dt><dd><p>The Samba encrypted password file +</p></dd><dt><span class="term"><a href="smbpasswd.8.html" target="_top">smbpasswd(8)</a></span></dt><dd><p>change a user's SMB password +</p></dd><dt><span class="term"><a href="smbsh.1.html" target="_top">smbsh(1)</a></span></dt><dd><p>Allows access to remote SMB shares + using UNIX commands +</p></dd><dt><span class="term"><a href="smbspool.8.html" target="_top">smbspool(8)</a></span></dt><dd><p>send a print file to an SMB printer +</p></dd><dt><span class="term"><a href="smbstatus.1.html" target="_top">smbstatus(1)</a></span></dt><dd><p>report on current Samba connections +</p></dd><dt><span class="term"><a href="smbtar.1.html" target="_top">smbtar(1)</a></span></dt><dd><p>shell script for backing up SMB/CIFS shares + directly to UNIX tape drives +</p></dd><dt><span class="term"><a href="smbtree.1.html" target="_top">smbtree(1)</a></span></dt><dd><p>A text based smb network browser + +</p></dd><dt><span class="term"><a href="smbumount.8.html" target="_top">smbumount(8)</a></span></dt><dd><p>smbfs umount for normal users +</p></dd><dt><span class="term"><a href="swat.8.html" target="_top">swat(8)</a></span></dt><dd><p>Samba Web Administration Tool +</p></dd><dt><span class="term"><a href="tdbbackup.8.html" target="_top">tdbbackup(8)</a></span></dt><dd><p>tool for backing up and for validating the integrity of samba .tdb files +</p></dd><dt><span class="term"><a href="tdbdump.8.html" target="_top">tdbdump(8)</a></span></dt><dd><p>tool for printing the contents of a TDB file +</p></dd><dt><span class="term"><a href="tdbtool.8.html" target="_top">tdbtool(8)</a></span></dt><dd><p>manipulate the contents TDB files +</p></dd><dt><span class="term"><a href="testparm.1.html" target="_top">testparm(1)</a></span></dt><dd><p>check an smb.conf configuration file for + internal correctness +</p></dd><dt><span class="term"><a href="umount.cifs.8.html" target="_top">umount.cifs(8)</a></span></dt><dd><p>for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts +</p></dd><dt><span class="term"><a href="vfs_audit.8.html" target="_top">vfs_audit(8)</a></span></dt><dd><p>record selected Samba VFS operations in the system log +</p></dd><dt><span class="term"><a href="vfs_cacheprime.8.html" target="_top">vfs_cacheprime(8)</a></span></dt><dd><p>prime the kernel file data cache +</p></dd><dt><span class="term"><a href="vfs_cap.8.html" target="_top">vfs_cap(8)</a></span></dt><dd><p>CAP encode filenames +</p></dd><dt><span class="term"><a href="vfs_catia.8.html" target="_top">vfs_catia(8)</a></span></dt><dd><p>translate illegal characters in Catia filenames +</p></dd><dt><span class="term"><a href="vfs_commit.8.html" target="_top">vfs_commit(8)</a></span></dt><dd><p>flush dirty data at specified intervals +</p></dd><dt><span class="term"><a href="vfs_default_quota.8.html" target="_top">vfs_default_quota(8)</a></span></dt><dd><p>store default quota records for Windows clients +</p></dd><dt><span class="term"><a href="vfs_extd_audit.8.html" target="_top">vfs_extd_audit(8)</a></span></dt><dd><p>record selected Samba VFS operations +</p></dd><dt><span class="term"><a href="vfs_fake_perms.8.html" target="_top">vfs_fake_perms(8)</a></span></dt><dd><p>enable read only Roaming Profiles +</p></dd><dt><span class="term"><a href="vfs_full_audit.8.html" target="_top">vfs_full_audit(8)</a></span></dt><dd><p>record Samba VFS operations in the system log +</p></dd><dt><span class="term"><a href="vfs_gpfs.8.html" target="_top">vfs_gpfs(8)</a></span></dt><dd><p>gpfs specific samba extensions like acls and prealloc +</p></dd><dt><span class="term"><a href="vfs_netatalk.8.html" target="_top">vfs_netatalk(8)</a></span></dt><dd><p>hide .AppleDouble files from CIFS clients +</p></dd><dt><span class="term"><a href="vfs_notify_fam.8.html" target="_top">vfs_notify_fam(8)</a></span></dt><dd><p>FAM support for file change notifications +</p></dd><dt><span class="term"><a href="vfs_prealloc.8.html" target="_top">vfs_prealloc(8)</a></span></dt><dd><p>preallocate matching files to a predetermined size +</p></dd><dt><span class="term"><a href="vfs_readahead.8.html" target="_top">vfs_readahead(8)</a></span></dt><dd><p>pre-load the kernel buffer cache +</p></dd><dt><span class="term"><a href="vfs_readonly.8.html" target="_top">vfs_readonly(8)</a></span></dt><dd><p>make a Samba share read only for a specified time period +</p></dd><dt><span class="term"><a href="vfs_recycle.8.html" target="_top">vfs_recycle(8)</a></span></dt><dd><p>Samba VFS recycle bin +</p></dd><dt><span class="term"><a href="vfs_shadow_copy.8.html" target="_top">vfs_shadow_copy(8)</a></span></dt><dd><p>Make a Samba share read only for a specified time period +</p></dd><dt><span class="term"><a href="vfstest.1.html" target="_top">vfstest(1)</a></span></dt><dd><p>tool for testing samba VFS modules +</p></dd><dt><span class="term"><a href="wbinfo.1.html" target="_top">wbinfo(1)</a></span></dt><dd><p>Query information from winbind daemon +</p></dd><dt><span class="term"><a href="winbindd.8.html" target="_top">winbindd(8)</a></span></dt><dd><p>Name Service Switch daemon for resolving names + from NT servers +</p></dd></dl></div></div></body></html> diff --git a/docs/htmldocs/manpages/ldb.3.html b/docs/htmldocs/manpages/ldb.3.html new file mode 100644 index 0000000000..dbf44dd31e --- /dev/null +++ b/docs/htmldocs/manpages/ldb.3.html @@ -0,0 +1,137 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ldb</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ldb.3"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ldb<p><b>The Samba Project</b></p> — A light-weight database library</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><pre class="synopsis">#include <ldb.h></pre></div><div class="refsect1" lang="en"><a name="id267383"></a><h2>description</h2><p> +ldb is a light weight embedded database library and API. With a +programming interface that is very similar to LDAP, ldb can store its +data either in a tdb(3) database or in a real LDAP database. + </p><p> +When used with the tdb backend ldb does not require any database +daemon. Instead, ldb function calls are processed immediately by the +ldb library, which does IO directly on the database, while allowing +multiple readers/writers using operating system byte range locks. This +leads to an API with very low overheads, often resulting in speeds of +more than 10x what can be achieved with a more traditional LDAP +architecture. + </p><p> +In a taxonomy of databases ldb would sit half way between key/value +pair databases (such as berkley db or tdb) and a full LDAP +database. With a structured attribute oriented API like LDAP and good +indexing capabilities, ldb can be used for quite sophisticated +applications that need a light weight database, without the +administrative overhead of a full LDAP installation. + </p><p> +Included with ldb are a number of useful command line tools for +manipulating a ldb database. These tools are similar in style to the +equivalent ldap command line tools. + </p><p> +In its default mode of operation with a tdb backend, ldb can also be +seen as a "schema-less LDAP". By default ldb does not require a +schema, which greatly reduces the complexity of getting started with +ldb databases. As the complexity of you application grows you can take +advantage of some of the optional schema-like attributes that ldb +offers, or you can migrate to using the full LDAP api while keeping +your exiting ldb code. + </p><p> +If you are new to ldb, then I suggest starting with the manual pages +for ldbsearch(1) and ldbedit(1), and experimenting with a local +database. Then I suggest you look at the ldb_connect(3) and +ldb_search(3) manual pages. + </p></div><div class="refsect1" lang="en"><a name="id267706"></a><h2>TOOLS</h2><div class="itemizedlist"><ul type="disc"><li><p> + <span class="application">ldbsearch(1)</span> + - command line ldb search utility + </p></li><li><p> + <span class="application">ldbedit(1)</span> + - edit all or part of a ldb database using your favourite editor + </p></li><li><p> + <span class="application">ldbadd(1)</span> + - add records to a ldb database using LDIF formatted input + </p></li><li><p> + <span class="application">ldbdel(1)</span> + - delete records from a ldb database + </p></li><li><p> + <span class="application">ldbmodify(1)</span> + - modify records in a ldb database using LDIF formatted input + </p></li></ul></div></div><div class="refsect1" lang="en"><a name="id267087"></a><h2>FUNCTIONS</h2><div class="itemizedlist"><ul type="disc"><li><p> + <code class="function">ldb_connect(3)</code> + - connect to a ldb backend + </p></li><li><p> + <code class="function">ldb_search(3)</code> + - perform a database search + </p></li><li><p> + <code class="function">ldb_add(3)</code> + - add a record to the database + </p></li><li><p> + <code class="function">ldb_delete(3)</code> + - delete a record from the database + </p></li><li><p> + <code class="function">ldb_modify(3)</code> + - modify a record in the database + </p></li><li><p> + <code class="function">ldb_errstring(3)</code> + - retrieve extended error information from the last operation + </p></li><li><p> + <code class="function">ldb_ldif_write(3)</code> + - write a LDIF formatted message + </p></li><li><p> + <code class="function">ldb_ldif_write_file(3)</code> + - write a LDIF formatted message to a file + </p></li><li><p> + <code class="function">ldb_ldif_read(3)</code> + - read a LDIF formatted message + </p></li><li><p> + <code class="function">ldb_ldif_read_free(3)</code> + - free the result of a ldb_ldif_read() + </p></li><li><p> + <code class="function">ldb_ldif_read_file(3)</code> + - read a LDIF message from a file + </p></li><li><p> + <code class="function">ldb_ldif_read_string(3)</code> + - read a LDIF message from a string + </p></li><li><p> + <code class="function">ldb_msg_find_element(3)</code> + - find an element in a ldb_message + </p></li><li><p> + <code class="function">ldb_val_equal_exact(3)</code> + - compare two ldb_val structures + </p></li><li><p> + <code class="function">ldb_msg_find_val(3)</code> + - find an element by value + </p></li><li><p> + <code class="function">ldb_msg_add_empty(3)</code> + - add an empty message element to a ldb_message + </p></li><li><p> + <code class="function">ldb_msg_add(3)</code> + - add a non-empty message element to a ldb_message + </p></li><li><p> + <code class="function">ldb_msg_element_compare(3)</code> + - compare two ldb_message_element structures + </p></li><li><p> + <code class="function">ldb_msg_find_int(3)</code> + - return an integer value from a ldb_message + </p></li><li><p> + <code class="function">ldb_msg_find_uint(3)</code> + - return an unsigned integer value from a ldb_message + </p></li><li><p> + <code class="function">ldb_msg_find_double(3)</code> + - return a double value from a ldb_message + </p></li><li><p> + <code class="function">ldb_msg_find_string(3)</code> + - return a string value from a ldb_message + </p></li><li><p> + <code class="function">ldb_set_alloc(3)</code> + - set the memory allocation function to be used by ldb + </p></li><li><p> + <code class="function">ldb_set_debug(3)</code> + - set a debug handler to be used by ldb + </p></li><li><p> + <code class="function">ldb_set_debug_stderr(3)</code> + - set a debug handler for stderr output + </p></li></ul></div></div><div class="refsect1" lang="en"><a name="id266894"></a><h2>Author</h2><p> + ldb was written by + <a href="http://samba.org/~tridge/" target="_top">Andrew Tridgell</a>. + </p><p> +If you wish to report a problem or make a suggestion then please see +the <a href="http://ldb.samba.org/" target="_top">http://ldb.samba.org/</a> web site for +current contact and maintainer information. + </p><p> +ldb is released under the GNU Lesser General Public License version 2 +or later. Please see the file COPYING for license details. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/ldbadd.1.html b/docs/htmldocs/manpages/ldbadd.1.html new file mode 100644 index 0000000000..d2b1b7f7be --- /dev/null +++ b/docs/htmldocs/manpages/ldbadd.1.html @@ -0,0 +1,16 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ldbadd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ldbadd.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ldbadd — Command-line utility for adding records to an LDB</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ldbadd</code> [-h] [-H LDB-URL] [ldif-file1] [ldif-file2] [...]</p></div></div><div class="refsect1" lang="en"><a name="id299200"></a><h2>DESCRIPTION</h2><p>ldbadd adds records to an ldb(7) database. It reads + the ldif(5) files specified on the command line and adds + the records from these files to the LDB database, which is specified + by the -H option or the LDB_URL environment variable. + </p><p>If - is specified as a ldb file, the ldif input is read from + standard input.</p></div><div class="refsect1" lang="en"><a name="id299215"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p> + Show list of available options.</p></dd><dt><span class="term">-H <ldb-url></span></dt><dd><p> + LDB URL to connect to. See ldb(7) for details. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299247"></a><h2>ENVIRONMENT</h2><div class="variablelist"><dl><dt><span class="term">LDB_URL</span></dt><dd><p>LDB URL to connect to (can be overrided by using the + -H command-line option.)</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299267"></a><h2>VERSION</h2><p>This man page is correct for version 4.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266712"></a><h2>SEE ALSO</h2><p>ldb(7), ldbmodify, ldbdel, ldif(5)</p></div><div class="refsect1" lang="en"><a name="id266722"></a><h2>AUTHOR</h2><p> ldb was written by + <a href="http://samba.org/~tridge/" target="_top">Andrew Tridgell</a>. + </p><p> +If you wish to report a problem or make a suggestion then please see +the <a href="http://ldb.samba.org/" target="_top">http://ldb.samba.org/</a> web site for +current contact and maintainer information. + </p><p>This manpage was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/ldbdel.1.html b/docs/htmldocs/manpages/ldbdel.1.html new file mode 100644 index 0000000000..5d9b9165ea --- /dev/null +++ b/docs/htmldocs/manpages/ldbdel.1.html @@ -0,0 +1,15 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ldbdel</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ldbdel.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ldbdel — Command-line program for deleting LDB records</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ldbdel</code> [-h] [-H LDB-URL] [dn] [...]</p></div></div><div class="refsect1" lang="en"><a name="id267702"></a><h2>DESCRIPTION</h2><p>ldbdel deletes records from an ldb(7) database. + It deletes the records identified by the dn's specified + on the command-line. </p><p>ldbdel uses either the database that is specified with + the -H option or the database specified by the LDB_URL environment + variable.</p></div><div class="refsect1" lang="en"><a name="id299208"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p> + Show list of available options.</p></dd><dt><span class="term">-H <ldb-url></span></dt><dd><p> + LDB URL to connect to. See ldb(7) for details. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299240"></a><h2>ENVIRONMENT</h2><div class="variablelist"><dl><dt><span class="term">LDB_URL</span></dt><dd><p>LDB URL to connect to (can be overrided by using the + -H command-line option.)</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299259"></a><h2>VERSION</h2><p>This man page is correct for version 4.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id299270"></a><h2>SEE ALSO</h2><p>ldb(7), ldbmodify, ldbadd, ldif(5)</p></div><div class="refsect1" lang="en"><a name="id266716"></a><h2>AUTHOR</h2><p> ldb was written by + <a href="http://samba.org/~tridge/" target="_top">Andrew Tridgell</a>. + </p><p> +If you wish to report a problem or make a suggestion then please see +the <a href="http://ldb.samba.org/" target="_top">http://ldb.samba.org/</a> web site for +current contact and maintainer information. + </p><p>ldbdel was written by Andrew Tridgell.</p><p>This manpage was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/ldbedit.1.html b/docs/htmldocs/manpages/ldbedit.1.html new file mode 100644 index 0000000000..eda5125f48 --- /dev/null +++ b/docs/htmldocs/manpages/ldbedit.1.html @@ -0,0 +1,54 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ldbedit</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ldbedit.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ldbedit — Edit LDB databases using your preferred editor</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ldbedit</code> [-?] [--usage] [-s base|one|sub] [-b basedn] [-a] [-e editor] [-H LDB-URL] [expression] [attributes...]</p></div></div><div class="refsect1" lang="en"><a name="id299231"></a><h2>DESCRIPTION</h2><p>ldbedit is a utility that allows you to edit LDB entries (in + tdb files, sqlite files or LDAP servers) using your preferred editor. + ldbedit generates an LDIF file based on your query, allows you to edit + the LDIF, and then merges that LDIF back into the LDB backend. + </p></div><div class="refsect1" lang="en"><a name="id299243"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-?, </span><span class="term">--help</span></dt><dd><p> + Show list of available options, and a phrase describing what that option + does. + </p></dd><dt><span class="term">--usage</span></dt><dd><p> + Show list of available options. This is similar to the help option, + however it does not provide any description, and is hence shorter. + </p></dd><dt><span class="term">-H <ldb-url></span></dt><dd><p> + LDB URL to connect to. For a tdb database, + this will be of the form + tdb://<em class="replaceable"><code>filename</code></em>. + For a LDAP connection over unix domain + sockets, this will be of the form + ldapi://<em class="replaceable"><code>socket</code></em>. For + a (potentially remote) LDAP connection over + TCP, this will be of the form + ldap://<em class="replaceable"><code>hostname</code></em>. For + an SQLite database, this will be of the form + sqlite://<em class="replaceable"><code>filename</code></em>. + </p></dd><dt><span class="term">-s one|sub|base</span></dt><dd><p>Search scope to use. One-level, subtree or base.</p></dd><dt><span class="term">-a, </span><span class="term">-all</span></dt><dd><p>Edit all records. This allows you to + apply the same change to a number of records + at once. You probably want to combine this + with an expression of the form + "objectclass=*". + </p></dd><dt><span class="term">-e editor, </span><span class="term">--editor editor</span></dt><dd><p>Specify the editor that should be used (overrides + the VISUAL and EDITOR environment + variables). If this option is not used, and + neither VISUAL nor EDITOR environment variables + are set, then the vi editor will be used. + </p></dd><dt><span class="term">-b basedn</span></dt><dd><p>Specify Base Distinguished Name to use.</p></dd><dt><span class="term">-v, </span><span class="term">--verbose</span></dt><dd><p>Make ldbedit more verbose about the + operations that are being performed. Without + this option, ldbedit will only provide a + summary change line. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266826"></a><h2>ENVIRONMENT</h2><div class="variablelist"><dl><dt><span class="term">LDB_URL</span></dt><dd><p>LDB URL to connect to. This can be + overridden by using the -H command-line option.) + </p></dd><dt><span class="term">VISUAL and EDITOR</span></dt><dd><p> + Environment variables used to determine what + editor to use. VISUAL takes precedence over + EDITOR, and both are overridden by the + -e command-line option. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266886"></a><h2>VERSION</h2><p>This man page is correct for version 4.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266896"></a><h2>SEE ALSO</h2><p>ldb(7), ldbmodify(1), ldbdel(1), ldif(5), vi(1)</p></div><div class="refsect1" lang="en"><a name="id266906"></a><h2>AUTHOR</h2><p> + ldb was written by + <a href="http://samba.org/~tridge/" target="_top">Andrew Tridgell</a>. + </p><p> + If you wish to report a problem or make a suggestion then please see + the <a href="http://ldb.samba.org/" target="_top">http://ldb.samba.org/</a> web site for + current contact and maintainer information. + </p><p> + This manpage was written by Jelmer Vernooij and updated + by Brad Hards. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/ldbmodify.1.html b/docs/htmldocs/manpages/ldbmodify.1.html new file mode 100644 index 0000000000..7f079f0942 --- /dev/null +++ b/docs/htmldocs/manpages/ldbmodify.1.html @@ -0,0 +1,14 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ldbmodify</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ldbmodify.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ldbmodify — Modify records in a LDB database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ldbmodify</code> [-H LDB-URL] [ldif-file]</p></div></div><div class="refsect1" lang="en"><a name="id267687"></a><h2>DESCRIPTION</h2><p> + ldbmodify changes, adds and deletes records in a LDB database. + The changes that should be made to the LDB database are read from + the specified LDIF-file. If - is specified as the filename, input is read from stdin. + </p><p>For now, see ldapmodify(1) for details on the LDIF file format.</p></div><div class="refsect1" lang="en"><a name="id267703"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-H <ldb-url></span></dt><dd><p> + LDB URL to connect to. See ldb(7) for details. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299214"></a><h2>ENVIRONMENT</h2><div class="variablelist"><dl><dt><span class="term">LDB_URL</span></dt><dd><p>LDB URL to connect to (can be overrided by using the + -H command-line option.)</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299234"></a><h2>VERSION</h2><p>This man page is correct for version 4.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id299245"></a><h2>SEE ALSO</h2><p>ldb(7), ldbedit</p></div><div class="refsect1" lang="en"><a name="id299255"></a><h2>AUTHOR</h2><p> ldb was written by + <a href="http://samba.org/~tridge/" target="_top">Andrew Tridgell</a>. + </p><p> +If you wish to report a problem or make a suggestion then please see +the <a href="http://ldb.samba.org/" target="_top">http://ldb.samba.org/</a> web site for +current contact and maintainer information. + </p><p>This manpage was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/ldbsearch.1.html b/docs/htmldocs/manpages/ldbsearch.1.html new file mode 100644 index 0000000000..3a4969b9a0 --- /dev/null +++ b/docs/htmldocs/manpages/ldbsearch.1.html @@ -0,0 +1,15 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ldbsearch</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ldbsearch.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ldbsearch — Search for records in a LDB database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ldbsearch</code> [-h] [-s base|one|sub] [-b basedn] [-i] [-H LDB-URL] [expression] [attributes]</p></div></div><div class="refsect1" lang="en"><a name="id299218"></a><h2>DESCRIPTION</h2><p>ldbsearch searches a LDB database for records matching the + specified expression (see the ldapsearch(1) manpage for + a description of the expression format). For each + record, the specified attributes are printed. + </p></div><div class="refsect1" lang="en"><a name="id299230"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p> + Show list of available options.</p></dd><dt><span class="term">-H <ldb-url></span></dt><dd><p> + LDB URL to connect to. See ldb(7) for details. + </p></dd><dt><span class="term">-s one|sub|base</span></dt><dd><p>Search scope to use. One-level, subtree or base.</p></dd><dt><span class="term">-i</span></dt><dd><p>Read search expressions from stdin. </p></dd><dt><span class="term">-b basedn</span></dt><dd><p>Specify Base DN to use.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266729"></a><h2>ENVIRONMENT</h2><div class="variablelist"><dl><dt><span class="term">LDB_URL</span></dt><dd><p>LDB URL to connect to (can be overrided by using the + -H command-line option.)</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266749"></a><h2>VERSION</h2><p>This man page is correct for version 4.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266760"></a><h2>SEE ALSO</h2><p>ldb(7), ldbedit(1)</p></div><div class="refsect1" lang="en"><a name="id266770"></a><h2>AUTHOR</h2><p> ldb was written by + <a href="http://samba.org/~tridge/" target="_top">Andrew Tridgell</a>. + </p><p> +If you wish to report a problem or make a suggestion then please see +the <a href="http://ldb.samba.org/" target="_top">http://ldb.samba.org/</a> web site for +current contact and maintainer information. + </p><p>This manpage was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/libsmbclient.7.html b/docs/htmldocs/manpages/libsmbclient.7.html new file mode 100644 index 0000000000..703bdf7eb7 --- /dev/null +++ b/docs/htmldocs/manpages/libsmbclient.7.html @@ -0,0 +1,57 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>libsmbclient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="libsmbclient.7"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>libsmbclient — An extension library for browsers and that can be used as a generic browsing API.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">Browser URL:</code><p> + smb://[[[domain:]user[:password@]]server[/share[/path[/file]]]] [?options] + </p></p></div></div><div class="refsect1" lang="en"><a name="id267676"></a><h2>DESCRIPTION</h2><p> + This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite. + </p><p> + <code class="literal">libsmbclient</code> is a library toolset that permits applications to manipulate CIFS/SMB network + resources using many of the standards POSIX functions available for manipulating local UNIX/Linux files. It + permits much more than just browsing, files can be opened and read or written, permissions changed, file times + modified, attributes and ACL's can be manipulated, and so on. Of course, its functionality includes all the + capabilities commonly called browsing. + </p><p> + <code class="literal">libsmbclient</code> can not be used directly from the command line, instead it provides an + extension of the capabilities of tools such as file managers and browsers. This man page describes the + configuration options for this tool so that the user may obtain greatest utility of use. + </p></div><div class="refsect1" lang="en"><a name="id299208"></a><h2>OPTIONS</h2><p> + What the URLs mean: + </p><div class="variablelist"><dl><dt><span class="term">smb://</span></dt><dd><p> + Shows all workgroups or domains that are visible in the network. The behavior matches + that of the Microsoft Windows Explorer. + </p><p> + The method of locating the list of workgroups (domains also) varies depending on the setting of + the context variable <code class="literal">(context->options.browse_max_lmb_count)</code>. It is the + responsibility of the application that calls this library to set this to a sensible value. This + is a compile-time option. This value determines the maximum number of local master browsers to + query for the list of workgroups. In order to ensure that the list is complete for those present + on the network, all master browsers must be querried. If there are a large number of workgroups + on the network, the time spent querying will be significant. For small networks (just a few + workgroups), it is suggested to set this value to 0, instructing libsmbclient to query all local + master browsers. In an environment that has many workgroups a more reasonable setting may be around 3. + </p></dd><dt><span class="term">smb://name/</span></dt><dd><p> + This command causes libsmbclient to perform a name look-up. If the NAME<1D> or + NAME<1B> exists (workgroup name), libsmbclient will list all servers in the + workgroup (or domain). Otherwise, a name look-up for the NAME<20> (machine name) + will be performed, and the list of shared resources on the server will be displayed. + </p></dd></dl></div><p> + When libsmbclient is invoked by an application it searches for a directory called + <code class="filename">.smb</code> in the $HOME directory that is specified in the users shell + environment. It then searches for a file called <code class="filename">smb.conf</code> which, + if present, will fully over-ride the system <code class="filename">/etc/samba/smb.conf</code> file. If + instead libsmbclient finds a file called <code class="filename">~/.smb/smb.conf.append</code>, + it will read the system <code class="filename">/etc/samba/smb.conf</code> and then append the + contents of the <code class="filename">~/.smb/smb.conf.append</code> to it. + </p><p> + <code class="literal">libsmbclient</code> will check the users shell environment for the <code class="literal">USER</code> + parameter and will use its value when if the <code class="literal">user</code> parameter was not included + in the URL. + </p></div><div class="refsect1" lang="en"><a name="id266763"></a><h2>PROGRAMMERS GUIDE</h2><p> + Watch this space for future updates. + </p></div><div class="refsect1" lang="en"><a name="id266773"></a><h2>VERSION</h2><p> + This man page is correct for version 3.0 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266784"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities were created by Andrew Tridgell. + Samba is now developed by the Samba Team as an Open Source project similar to the way + the Linux kernel is developed. + </p><p> + The libsmbclient manpage page was written by John H Terpstra. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/lmhosts.5.html b/docs/htmldocs/manpages/lmhosts.5.html new file mode 100644 index 0000000000..8915e7d3d8 --- /dev/null +++ b/docs/htmldocs/manpages/lmhosts.5.html @@ -0,0 +1,41 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>lmhosts</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="lmhosts.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lmhosts — The Samba NetBIOS hosts file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">lmhosts</code> is the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> NetBIOS name to IP address mapping file.</p></div><div class="refsect1" lang="en"><a name="id267678"></a><h2>DESCRIPTION</h2><p>This file is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="filename">lmhosts</code> is the <span class="emphasis"><em>Samba + </em></span> NetBIOS name to IP address mapping file. It + is very similar to the <code class="filename">/etc/hosts</code> file + format, except that the hostname component must correspond + to the NetBIOS naming format.</p></div><div class="refsect1" lang="en"><a name="id299203"></a><h2>FILE FORMAT</h2><p>It is an ASCII file containing one line for NetBIOS name. + The two fields on each line are separated from each other by + white space. Any entry beginning with '#' is ignored. Each line + in the lmhosts file contains the following information:</p><div class="itemizedlist"><ul type="disc"><li><p>IP Address - in dotted decimal format.</p></li><li><p>NetBIOS Name - This name format is a + maximum fifteen character host name, with an optional + trailing '#' character followed by the NetBIOS name type + as two hexadecimal digits.</p><p>If the trailing '#' is omitted then the given IP + address will be returned for all names that match the given + name, whatever the NetBIOS name type in the lookup.</p></li></ul></div><p>An example follows: +</p><pre class="programlisting"> +# +# Sample Samba lmhosts file. +# +192.9.200.1 TESTPC +192.9.200.20 NTSERVER#20 +192.9.200.21 SAMBASERVER +</pre><p> + </p><p>Contains three IP to NetBIOS name mappings. The first + and third will be returned for any queries for the names "TESTPC" + and "SAMBASERVER" respectively, whatever the type component of + the NetBIOS name requested.</p><p>The second mapping will be returned only when the "0x20" name + type for a name "NTSERVER" is queried. Any other name type will not + be resolved.</p><p>The default location of the <code class="filename">lmhosts</code> file + is in the same directory as the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file.</p></div><div class="refsect1" lang="en"><a name="id299273"></a><h2>FILES</h2><p>lmhosts is loaded from the configuration directory. This is + usually <code class="filename">/etc/samba</code> or <code class="filename">/usr/local/samba/lib</code>. + </p></div><div class="refsect1" lang="en"><a name="id266730"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266740"></a><h2>SEE ALSO</h2><p><a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, and <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> + </p></div><div class="refsect1" lang="en"><a name="id266774"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook + XML 4.2 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/log2pcap.1.html b/docs/htmldocs/manpages/log2pcap.1.html new file mode 100644 index 0000000000..59de004aa8 --- /dev/null +++ b/docs/htmldocs/manpages/log2pcap.1.html @@ -0,0 +1,29 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>log2pcap</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="log2pcap.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>log2pcap — Extract network traces from Samba log files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">log2pcap</code> [-h] [-q] [logfile] [pcap_file]</p></div></div><div class="refsect1" lang="en"><a name="id267702"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">log2pcap</code> reads in a + samba log file and generates a pcap file (readable + by most sniffers, such as ethereal or tcpdump) based on the packet + dumps in the log file.</p><p>The log file must have a <em class="parameter"><code>log level</code></em> + of at least <code class="constant">5</code> to get the SMB header/parameters + right, <code class="constant">10</code> to get the first 512 data bytes of the + packet and <code class="constant">50</code> to get the whole packet. + </p></div><div class="refsect1" lang="en"><a name="id299240"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p>If this parameter is + specified the output file will be a + hex dump, in a format that is readable + by the <span class="application">text2pcap</span> utility.</p></dd><dt><span class="term">-q</span></dt><dd><p>Be quiet. No warning messages about missing + or incomplete data will be given.</p></dd><dt><span class="term">logfile</span></dt><dd><p> + Samba log file. log2pcap will try to read the log from stdin + if the log file is not specified. + </p></dd><dt><span class="term">pcap_file</span></dt><dd><p> + Name of the output file to write the pcap (or hexdump) data to. + If this argument is not specified, output data will be written + to stdout. + </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266749"></a><h2>EXAMPLES</h2><p>Extract all network traffic from all samba log files:</p><pre class="programlisting"> + <code class="prompt">$</code> log2pcap < /var/log/* > trace.pcap + </pre><p>Convert to pcap using text2pcap:</p><pre class="programlisting"> + <code class="prompt">$</code> log2pcap -h samba.log | text2pcap -T 139,139 - trace.pcap + </pre></div><div class="refsect1" lang="en"><a name="id266787"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266798"></a><h2>BUGS</h2><p>Only SMB data is extracted from the samba logs, no LDAP, + NetBIOS lookup or other data.</p><p>The generated TCP and IP headers don't contain a valid + checksum.</p></div><div class="refsect1" lang="en"><a name="id266813"></a><h2>SEE ALSO</h2><p><a href="text2pcap.1.html"><span class="citerefentry"><span class="refentrytitle">text2pcap</span>(1)</span></a>, <a href="ethereal.1.html"><span class="citerefentry"><span class="refentrytitle">ethereal</span>(1)</span></a></p></div><div class="refsect1" lang="en"><a name="id266835"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>This manpage was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/mount.cifs.8.html b/docs/htmldocs/manpages/mount.cifs.8.html new file mode 100644 index 0000000000..b9498dfa5f --- /dev/null +++ b/docs/htmldocs/manpages/mount.cifs.8.html @@ -0,0 +1,206 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>mount.cifs</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="mount.cifs.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mount.cifs — mount using the Common Internet File System (CIFS)</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">mount.cifs</code> {service} {mount-point} [-o options]</p></div></div><div class="refsect1" lang="en"><a name="id267695"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>mount.cifs mounts a Linux CIFS filesystem. It +is usually invoked indirectly by +the <a href="mount.8.html"><span class="citerefentry"><span class="refentrytitle">mount</span>(8)</span></a> command when using the +"-t cifs" option. This command only works in Linux, and the kernel must +support the cifs filesystem. The CIFS protocol is the successor to the +SMB protocol and is supported by most Windows servers and many other +commercial servers and Network Attached Storage appliances as well as +by the popular Open Source server Samba. + </p><p> + The mount.cifs utility attaches the UNC name (exported network resource) to + the local directory <span class="emphasis"><em>mount-point</em></span>. It is possible to set the mode for mount.cifs to +setuid root to allow non-root users to mount shares to directories for which they +have write permission. + </p><p> + Options to <span class="emphasis"><em>mount.cifs</em></span> are specified as a comma-separated +list of key=value pairs. It is possible to send options other +than those listed here, assuming that the cifs filesystem kernel module (cifs.ko) supports them. +Unrecognized cifs mount options passed to the cifs vfs kernel code will be logged to the +kernel log. + + </p><p><span class="emphasis"><em>mount.cifs</em></span> causes the cifs vfs to launch a thread named cifsd. After mounting it keeps running until + the mounted resource is unmounted (usually via the umount utility). + </p></div><div class="refsect1" lang="en"><a name="id299241"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">user=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>specifies the username to connect as. If + this is not given, then the environment variable <span class="emphasis"><em>USER</em></span> is used. This option can also take the +form "user%password" or "workgroup/user" or +"workgroup/user%password" to allow the password and workgroup +to be specified as part of the username. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The cifs vfs accepts the parameter <em class="parameter"><code>user=</code></em>, or for users familiar with smbfs it accepts the longer form of the parameter <em class="parameter"><code>username=</code></em>. Similarly the longer smbfs style parameter names may be accepted as synonyms for the shorter cifs parameters <em class="parameter"><code>pass=</code></em>,<em class="parameter"><code>dom=</code></em> and <em class="parameter"><code>cred=</code></em>. + </p></div></dd><dt><span class="term">password=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>specifies the CIFS password. If this +option is not given then the environment variable +<span class="emphasis"><em>PASSWD</em></span> is used. If the password is not specified +directly or indirectly via an argument to mount <span class="emphasis"><em>mount.cifs</em></span> will prompt +for a password, unless the guest option is specified. +</p><p>Note that a password which contains the delimiter +character (i.e. a comma ',') will fail to be parsed correctly +on the command line. However, the same password defined +in the PASSWD environment variable or via a credentials file (see +below) or entered at the password prompt will be read correctly. +</p></dd><dt><span class="term">credentials=<em class="replaceable"><code>filename</code></em></span></dt><dd><p> + specifies a file that contains a username + and/or password. The format of the file is: + </p><pre class="programlisting"> + username=<em class="replaceable"><code>value</code></em> + password=<em class="replaceable"><code>value</code></em> +</pre><p> +This is preferred over having passwords in plaintext in a +shared file, such as <code class="filename">/etc/fstab</code>. Be sure to protect any +credentials file properly. + </p></dd><dt><span class="term">uid=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>sets the uid that will own all files on + the mounted filesystem. + It may be specified as either a username or a numeric uid. + This parameter is ignored when the target server supports + the CIFS Unix extensions.</p></dd><dt><span class="term">gid=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>sets the gid that will own all files on +the mounted filesystem. +It may be specified as either a groupname or a numeric +gid. This parameter is ignored when the target server supports +the CIFS Unix extensions. + </p></dd><dt><span class="term">port=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>sets the port number on the server to attempt to contact to negotiate +CIFS support. If the CIFS server is not listening on this port or +if it is not specified, the default ports will be tried i.e. +port 445 is tried and if no response then port 139 is tried. + </p></dd><dt><span class="term">netbiosname=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>When mounting to servers via port 139, specifies the RFC1001 + source name to use to represent the client netbios machine + name when doing the RFC1001 netbios session initialize. + </p></dd><dt><span class="term">file_mode=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>If the server does not support the CIFS Unix extensions this + overrides the default file mode.</p></dd><dt><span class="term">dir_mode=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>If the server does not support the CIFS Unix extensions this + overrides the default mode for directories. </p></dd><dt><span class="term">ip=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>sets the destination IP address.</p></dd><dt><span class="term">domain=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>sets the domain (workgroup) of the user </p></dd><dt><span class="term">guest</span></dt><dd><p>don't prompt for a password </p></dd><dt><span class="term">iocharset</span></dt><dd><p>Charset used to convert local path names to and from + Unicode. Unicode is used by default for network path + names if the server supports it. If iocharset is + not specified then the nls_default specified + during the local client kernel build will be used. + If server does not support Unicode, this parameter is + unused. </p></dd><dt><span class="term">ro</span></dt><dd><p>mount read-only</p></dd><dt><span class="term">rw</span></dt><dd><p>mount read-write</p></dd><dt><span class="term">setuids</span></dt><dd><p>If the CIFS Unix extensions are negotiated with the server + the client will attempt to set the effective uid and gid of + the local process on newly created files, directories, and + devices (create, mkdir, mknod). If the CIFS Unix Extensions + are not negotiated, for newly created files and directories + instead of using the default uid and gid specified on the + the mount, cache the new file's uid and gid locally which means + that the uid for the file can change when the inode is + reloaded (or the user remounts the share).</p></dd><dt><span class="term">nosetuids</span></dt><dd><p>The client will not attempt to set the uid and gid on + on newly created files, directories, and devices (create, + mkdir, mknod) which will result in the server setting the + uid and gid to the default (usually the server uid of the + user who mounted the share). Letting the server (rather than + the client) set the uid and gid is the default.If the CIFS + Unix Extensions are not negotiated then the uid and gid for + new files will appear to be the uid (gid) of the mounter or the + uid (gid) parameter specified on the mount.</p></dd><dt><span class="term">perm</span></dt><dd><p>Client does permission checks (vfs_permission check of uid + and gid of the file against the mode and desired operation), + Note that this is in addition to the normal ACL check on the + target machine done by the server software. + Client permission checking is enabled by default.</p></dd><dt><span class="term">noperm</span></dt><dd><p>Client does not do permission checks. This can expose + files on this mount to access by other users on the local + client system. It is typically only needed when the server + supports the CIFS Unix Extensions but the UIDs/GIDs on the + client and server system do not match closely enough to allow + access by the user doing the mount. + Note that this does not affect the normal ACL check on the + target machine done by the server software (of the server + ACL against the user name provided at mount time).</p></dd><dt><span class="term">directio</span></dt><dd><p>Do not do inode data caching on files opened on this mount. + This precludes mmaping files on this mount. In some cases + with fast networks and little or no caching benefits on the + client (e.g. when the application is doing large sequential + reads bigger than page size without rereading the same data) + this can provide better performance than the default + behavior which caches reads (readahead) and writes + (writebehind) through the local Linux client pagecache + if oplock (caching token) is granted and held. Note that + direct allows write operations larger than page size + to be sent to the server. On some kernels this requires the cifs.ko module + to be built with the CIFS_EXPERIMENTAL configure option.</p></dd><dt><span class="term">mapchars</span></dt><dd><p>Translate six of the seven reserved characters (not backslash, but including the colon, question mark, pipe, asterik, greater than and less than characters) + to the remap range (above 0xF000), which also + allows the CIFS client to recognize files created with + such characters by Windows's POSIX emulation. This can + also be useful when mounting to most versions of Samba + (which also forbids creating and opening files + whose names contain any of these seven characters). + This has no effect if the server does not support + Unicode on the wire.</p></dd><dt><span class="term">nomapchars</span></dt><dd><p>Do not translate any of these seven characters (default)</p></dd><dt><span class="term">intr</span></dt><dd><p>currently unimplemented</p></dd><dt><span class="term">nointr</span></dt><dd><p>(default) currently unimplemented </p></dd><dt><span class="term">hard</span></dt><dd><p>The program accessing a file on the cifs mounted file system will hang when the + server crashes.</p></dd><dt><span class="term">soft</span></dt><dd><p>(default) The program accessing a file on the cifs mounted file system will not hang when the server crashes and will return errors to the user application.</p></dd><dt><span class="term">noacl</span></dt><dd><p>Do not allow POSIX ACL operations even if server would support them.</p><p> + The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers + version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and + then POSIX support in the CIFS configuration options when building the cifs + module. POSIX ACL support can be disabled on a per mount basic by specifying + "noacl" on mount.</p></dd><dt><span class="term">nocase</span></dt><dd><p>Request case insensitive path name matching (case + sensitive is the default if the server suports it). + </p></dd><dt><span class="term">sec=</span></dt><dd><p>Security mode. Allowed values are:</p><div class="itemizedlist"><ul type="disc"><li><p>none attempt to connection as a null user (no name) </p></li><li><p>krb5 Use Kerberos version 5 authentication</p></li><li><p>krb5i Use Kerberos authentication and packet signing</p></li><li><p>ntlm Use NTLM password hashing (default)</p></li><li><p>ntlmi Use NTLM password hashing with signing (if + /proc/fs/cifs/PacketSigningEnabled on or if + server requires signing also can be the default)</p></li><li><p>ntlmv2 Use NTLMv2 password hashing</p></li><li><p>ntlmv2i Use NTLMv2 password hashing with packet signing</p></li></ul></div><p>[NB This [sec parameter] is under development and expected to be available in cifs kernel module 1.40 and later] + </p></dd><dt><span class="term">nobrl</span></dt><dd><p>Do not send byte range lock requests to the server. + This is necessary for certain applications that break + with cifs style mandatory byte range locks (and most + cifs servers do not yet support requesting advisory + byte range locks). + </p></dd><dt><span class="term">sfu</span></dt><dd><p> + When the CIFS Unix Extensions are not negotiated, attempt to + create device files and fifos in a format compatible with + Services for Unix (SFU). In addition retrieve bits 10-12 + of the mode via the SETFILEBITS extended attribute (as + SFU does). In the future the bottom 9 bits of the mode + mode also will be emulated using queries of the security + descriptor (ACL). [NB: requires version 1.39 or later + of the CIFS VFS. To recognize symlinks and be able + to create symlinks in an SFU interoperable form + requires version 1.40 or later of the CIFS VFS kernel module. + </p></dd><dt><span class="term">serverino</span></dt><dd><p>Use inode numbers (unique persistent file identifiers) + returned by the server instead of automatically generating + temporary inode numbers on the client. Although server inode numbers + make it easier to spot hardlinked files (as they will have + the same inode numbers) and inode numbers may be persistent (which is + userful for some sofware), + the server does not guarantee that the inode numbers + are unique if multiple server side mounts are exported under a + single share (since inode numbers on the servers might not + be unique if multiple filesystems are mounted under the same + shared higher level directory). Note that not all + servers support returning server inode numbers, although + those that support the CIFS Unix Extensions, and Windows 2000 and + later servers typically do support this (although not necessarily + on every local server filesystem). Parameter has no effect if + the server lacks support for returning inode numbers or equivalent. + </p></dd><dt><span class="term">noserverino</span></dt><dd><p>client generates inode numbers (rather than using the actual one + from the server) by default. + </p></dd><dt><span class="term">nouser_xattr</span></dt><dd><p>(default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise. </p></dd><dt><span class="term">rsize=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>default network read size</p></dd><dt><span class="term">wsize=<em class="replaceable"><code>arg</code></em></span></dt><dd><p>default network write size</p></dd><dt><span class="term">--verbose</span></dt><dd><p>Print additional debugging information for the mount. Note that this parameter must be specified before the -o. For example:</p><p>mount -t cifs //server/share /mnt --verbose -o user=username</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308221"></a><h2>ENVIRONMENT VARIABLES</h2><p> + The variable <span class="emphasis"><em>USER</em></span> may contain the username of the +person to be used to authenticate to the server. +The variable can be used to set both username and +password by using the format username%password. + </p><p> + The variable <span class="emphasis"><em>PASSWD</em></span> may contain the password of the +person using the client. + </p><p> + The variable <span class="emphasis"><em>PASSWD_FILE</em></span> may contain the pathname +of a file to read the password from. A single line of input is +read and used as the password. + </p></div><div class="refsect1" lang="en"><a name="id308252"></a><h2>NOTES</h2><p>This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.</p></div><div class="refsect1" lang="en"><a name="id308263"></a><h2>CONFIGURATION</h2><p> +The primary mechanism for making configuration changes and for reading +debug information for the cifs vfs is via the Linux /proc filesystem. +In the directory <code class="filename">/proc/fs/cifs</code> are various +configuration files and pseudo files which can display debug information. +There are additional startup options such as maximum buffer size and number +of buffers which only may be set when the kernel cifs vfs (cifs.ko module) is +loaded. These can be seen by running the modinfo utility against the file +cifs.ko which will list the options that may be passed to cifs during module +installation (device driver load). +For more information see the kernel file <code class="filename">fs/cifs/README</code>. +</p></div><div class="refsect1" lang="en"><a name="id308290"></a><h2>BUGS</h2><p>Mounting using the CIFS URL specification is currently not supported. + </p><p>The credentials file does not handle usernames or passwords with + leading space.</p><p> +Note that the typical response to a bug report is a suggestion +to try the latest version first. So please try doing that first, +and always include which versions you use of relevant software +when reporting bugs (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version) and +server type you are trying to contact. +</p></div><div class="refsect1" lang="en"><a name="id308311"></a><h2>VERSION</h2><p>This man page is correct for version 1.39 of + the cifs vfs filesystem (roughly Linux kernel 2.6.15).</p></div><div class="refsect1" lang="en"><a name="id308322"></a><h2>SEE ALSO</h2><p> + Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel + source tree may contain additional options and information. +</p><p><a href="umount.cifs.8.html"><span class="citerefentry"><span class="refentrytitle">umount.cifs</span>(8)</span></a></p></div><div class="refsect1" lang="en"><a name="id308342"></a><h2>AUTHOR</h2><p>Steve French</p><p>The syntax and manpage were loosely based on that of smbmount. It + was converted to Docbook/XML by Jelmer Vernooij.</p><p>The maintainer of the Linux cifs vfs and the userspace + tool <span class="emphasis"><em>mount.cifs</em></span> is <a href="mailto:sfrench@samba.org" target="_top">Steve French</a>. + The <a href="mailto:linux-cifs-client@lists.samba.org" target="_top">Linux CIFS Mailing list</a> + is the preferred place to ask questions regarding these programs. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/net.8.html b/docs/htmldocs/manpages/net.8.html new file mode 100644 index 0000000000..76fbae251b --- /dev/null +++ b/docs/htmldocs/manpages/net.8.html @@ -0,0 +1,416 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>net</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="net.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>net — Tool for administration of Samba and remote + CIFS servers. + </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">net</code> {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-d debuglevel] [-V]</p></div></div><div class="refsect1" lang="en"><a name="id267094"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The Samba net utility is meant to work just like the net utility + available for windows and DOS. The first argument should be used + to specify the protocol to use when executing a certain command. + ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) + clients and RPC can be used for NT4 and Windows 2000. If this + argument is omitted, net will try to determine it automatically. + Not all commands are available on all protocols. + </p></div><div class="refsect1" lang="en"><a name="id299215"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-w target-workgroup</span></dt><dd><p> + Sets target workgroup or domain. You have to specify + either this option or the IP address or the name of a server. + </p></dd><dt><span class="term">-W workgroup</span></dt><dd><p> + Sets client workgroup or domain + </p></dd><dt><span class="term">-U user</span></dt><dd><p> + User name to use + </p></dd><dt><span class="term">-I ip-address</span></dt><dd><p> + IP address of target server to use. You have to + specify either this option or a target workgroup or + a target server. + </p></dd><dt><span class="term">-p port</span></dt><dd><p> + Port on the target server to connect to (usually 139 or 445). + Defaults to trying 445 first, then 139. + </p></dd><dt><span class="term">-n <primary NetBIOS name></span></dt><dd><p>This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the <a class="indexterm" name="id266742"></a> parameter in the <code class="filename">smb.conf</code> file. +However, a command +line setting will take precedence over settings in +<code class="filename">smb.conf</code>.</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-S server</span></dt><dd><p> + Name of target server. You should specify either + this option or a target workgroup or a target IP address. + </p></dd><dt><span class="term">-l</span></dt><dd><p> + When listing data, give more information on each item. + </p></dd><dt><span class="term">-P</span></dt><dd><p> + Make queries to the external server using the machine account of the local server. + </p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266844"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266861"></a><h2>COMMANDS</h2><div class="refsect2" lang="en"><a name="id266866"></a><h3>CHANGESECRETPW</h3><p>This command allows the Samba machine account password to be set from an external application +to a machine account password that has already been stored in Active Directory. DO NOT USE this command +unless you know exactly what you are doing. The use of this command requires that the force flag (-f) +be used also. There will be NO command prompt. Whatever information is piped into stdin, either by +typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use +this without care and attention as it will overwrite a legitimate machine password without warning. +YOU HAVE BEEN WARNED. +</p></div><div class="refsect2" lang="en"><a name="id266882"></a><h3>TIME</h3><p>The <code class="literal">NET TIME</code> command allows you to view the time on a remote server + or synchronise the time on the local server with the time on the remote server.</p><div class="refsect3" lang="en"><a name="id266898"></a><h4>TIME</h4><p>Without any options, the <code class="literal">NET TIME</code> command +displays the time on the remote server. +</p></div><div class="refsect3" lang="en"><a name="id266914"></a><h4>TIME SYSTEM</h4><p>Displays the time on the remote server in a format ready for <code class="literal">/bin/date</code>.</p></div><div class="refsect3" lang="en"><a name="id307883"></a><h4>TIME SET</h4><p>Tries to set the date and time of the local server to that on +the remote server using <code class="literal">/bin/date</code>. </p></div><div class="refsect3" lang="en"><a name="id307898"></a><h4>TIME ZONE</h4><p>Displays the timezone in hours from GMT on the remote computer.</p></div></div><div class="refsect2" lang="en"><a name="id307909"></a><h3>[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN] [createcomputer=OU] [options]</h3><p> +Join a domain. If the account already exists on the server, and +[TYPE] is MEMBER, the machine will attempt to join automatically. +(Assuming that the machine has been created in server manager) +Otherwise, a password will be prompted for, and a new account may +be created.</p><p> +[TYPE] may be PDC, BDC or MEMBER to specify the type of server +joining the domain. +</p><p> +[UPN] (ADS only) set the principalname attribute during the join. The default +format is host/netbiosname@REALM. +</p><p> +[OU] (ADS only) Precreate the computer account in a specific OU. The +OU string reads from top to bottom without RDNs, and is delimited by +a '/'. Please note that '\' is used for escape by both the shell +and ldap, so it may need to be doubled or quadrupled to pass through, +and it is not used as a delimiter. +</p></div><div class="refsect2" lang="en"><a name="id307939"></a><h3>[RPC] OLDJOIN [options]</h3><p>Join a domain. Use the OLDJOIN option to join the domain +using the old style of domain joining - you need to create a trust +account in server manager first.</p></div><div class="refsect2" lang="en"><a name="id307950"></a><h3>[RPC|ADS] USER</h3><div class="refsect3" lang="en"><a name="id307956"></a><h4>[RPC|ADS] USER</h4><p>List all users</p></div><div class="refsect3" lang="en"><a name="id307966"></a><h4>[RPC|ADS] USER DELETE <em class="replaceable"><code>target</code></em></h4><p>Delete specified user</p></div><div class="refsect3" lang="en"><a name="id307978"></a><h4>[RPC|ADS] USER INFO <em class="replaceable"><code>target</code></em></h4><p>List the domain groups of the specified user.</p></div><div class="refsect3" lang="en"><a name="id307991"></a><h4>[RPC|ADS] USER RENAME <em class="replaceable"><code>oldname</code></em> <em class="replaceable"><code>newname</code></em></h4><p>Rename specified user.</p></div><div class="refsect3" lang="en"><a name="id308007"></a><h4>[RPC|ADS] USER ADD <em class="replaceable"><code>name</code></em> [password] [-F user flags] [-C comment]</h4><p>Add specified user.</p></div></div><div class="refsect2" lang="en"><a name="id308022"></a><h3>[RPC|ADS] GROUP</h3><div class="refsect3" lang="en"><a name="id308028"></a><h4>[RPC|ADS] GROUP [misc options] [targets]</h4><p>List user groups.</p></div><div class="refsect3" lang="en"><a name="id308038"></a><h4>[RPC|ADS] GROUP DELETE <em class="replaceable"><code>name</code></em> [misc. options]</h4><p>Delete specified group.</p></div><div class="refsect3" lang="en"><a name="id308052"></a><h4>[RPC|ADS] GROUP ADD <em class="replaceable"><code>name</code></em> [-C comment]</h4><p>Create specified group.</p></div></div><div class="refsect2" lang="en"><a name="id308067"></a><h3>[RAP|RPC] SHARE</h3><div class="refsect3" lang="en"><a name="id308073"></a><h4>[RAP|RPC] SHARE [misc. options] [targets]</h4><p>Enumerates all exported resources (network shares) on target server.</p></div><div class="refsect3" lang="en"><a name="id308084"></a><h4>[RAP|RPC] SHARE ADD <em class="replaceable"><code>name=serverpath</code></em> [-C comment] [-M maxusers] [targets]</h4><p>Adds a share from a server (makes the export active). Maxusers +specifies the number of users that can be connected to the +share simultaneously.</p></div><div class="refsect3" lang="en"><a name="id308099"></a><h4>SHARE DELETE <em class="replaceable"><code>sharename</code></em></h4><p>Delete specified share.</p></div></div><div class="refsect2" lang="en"><a name="id308112"></a><h3>[RPC|RAP] FILE</h3><div class="refsect3" lang="en"><a name="id308118"></a><h4>[RPC|RAP] FILE</h4><p>List all open files on remote server.</p></div><div class="refsect3" lang="en"><a name="id308128"></a><h4>[RPC|RAP] FILE CLOSE <em class="replaceable"><code>fileid</code></em></h4><p>Close file with specified <em class="replaceable"><code>fileid</code></em> on +remote server.</p></div><div class="refsect3" lang="en"><a name="id308145"></a><h4>[RPC|RAP] FILE INFO <em class="replaceable"><code>fileid</code></em></h4><p> +Print information on specified <em class="replaceable"><code>fileid</code></em>. +Currently listed are: file-id, username, locks, path, permissions. +</p></div><div class="refsect3" lang="en"><a name="id308161"></a><h4>[RAP|RPC] FILE USER <em class="replaceable"><code>user</code></em></h4><p> +List files opened by specified <em class="replaceable"><code>user</code></em>. +Please note that <code class="literal">net rap file user</code> does not work +against Samba servers. +</p></div></div><div class="refsect2" lang="en"><a name="id308185"></a><h3>SESSION</h3><div class="refsect3" lang="en"><a name="id308191"></a><h4>RAP SESSION</h4><p>Without any other options, SESSION enumerates all active SMB/CIFS +sessions on the target server.</p></div><div class="refsect3" lang="en"><a name="id308201"></a><h4>RAP SESSION DELETE|CLOSE <em class="replaceable"><code>CLIENT_NAME</code></em></h4><p>Close the specified sessions.</p></div><div class="refsect3" lang="en"><a name="id308214"></a><h4>RAP SESSION INFO <em class="replaceable"><code>CLIENT_NAME</code></em></h4><p>Give a list with all the open files in specified session.</p></div></div><div class="refsect2" lang="en"><a name="id308228"></a><h3>RAP SERVER <em class="replaceable"><code>DOMAIN</code></em></h3><p>List all servers in specified domain or workgroup. Defaults +to local domain.</p></div><div class="refsect2" lang="en"><a name="id308241"></a><h3>RAP DOMAIN</h3><p>Lists all domains and workgroups visible on the +current network.</p></div><div class="refsect2" lang="en"><a name="id308252"></a><h3>RAP PRINTQ</h3><div class="refsect3" lang="en"><a name="id308257"></a><h4>RAP PRINTQ LIST <em class="replaceable"><code>QUEUE_NAME</code></em></h4><p>Lists the specified print queue and print jobs on the server. +If the <em class="replaceable"><code>QUEUE_NAME</code></em> is omitted, all +queues are listed.</p></div><div class="refsect3" lang="en"><a name="id308274"></a><h4>RAP PRINTQ DELETE <em class="replaceable"><code>JOBID</code></em></h4><p>Delete job with specified id.</p></div></div><div class="refsect2" lang="en"><a name="id308288"></a><h3>RAP VALIDATE <em class="replaceable"><code>user</code></em> [<em class="replaceable"><code>password</code></em>]</h3><p> +Validate whether the specified user can log in to the +remote server. If the password is not specified on the commandline, it +will be prompted. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Currently NOT implemented.</p></div></div><div class="refsect2" lang="en"><a name="id308311"></a><h3>RAP GROUPMEMBER</h3><div class="refsect3" lang="en"><a name="id308316"></a><h4>RAP GROUPMEMBER LIST <em class="replaceable"><code>GROUP</code></em></h4><p>List all members of the specified group.</p></div><div class="refsect3" lang="en"><a name="id308329"></a><h4>RAP GROUPMEMBER DELETE <em class="replaceable"><code>GROUP</code></em> <em class="replaceable"><code>USER</code></em></h4><p>Delete member from group.</p></div><div class="refsect3" lang="en"><a name="id308345"></a><h4>RAP GROUPMEMBER ADD <em class="replaceable"><code>GROUP</code></em> <em class="replaceable"><code>USER</code></em></h4><p>Add member to group.</p></div></div><div class="refsect2" lang="en"><a name="id308362"></a><h3>RAP ADMIN <em class="replaceable"><code>command</code></em></h3><p>Execute the specified <em class="replaceable"><code>command</code></em> on +the remote server. Only works with OS/2 servers. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Currently NOT implemented.</p></div></div><div class="refsect2" lang="en"><a name="id308384"></a><h3>RAP SERVICE</h3><div class="refsect3" lang="en"><a name="id308389"></a><h4>RAP SERVICE START <em class="replaceable"><code>NAME</code></em> [arguments...]</h4><p>Start the specified service on the remote server. Not implemented yet.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Currently NOT implemented.</p></div></div><div class="refsect3" lang="en"><a name="id308408"></a><h4>RAP SERVICE STOP</h4><p>Stop the specified service on the remote server.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Currently NOT implemented.</p></div></div></div><div class="refsect2" lang="en"><a name="id308424"></a><h3>RAP PASSWORD <em class="replaceable"><code>USER</code></em> <em class="replaceable"><code>OLDPASS</code></em> <em class="replaceable"><code>NEWPASS</code></em></h3><p> +Change password of <em class="replaceable"><code>USER</code></em> from <em class="replaceable"><code>OLDPASS</code></em> to <em class="replaceable"><code>NEWPASS</code></em>. +</p></div><div class="refsect2" lang="en"><a name="id308455"></a><h3>LOOKUP</h3><div class="refsect3" lang="en"><a name="id308460"></a><h4>LOOKUP HOST <em class="replaceable"><code>HOSTNAME</code></em> [<em class="replaceable"><code>TYPE</code></em>]</h4><p> +Lookup the IP address of the given host with the specified type (netbios suffix). +The type defaults to 0x20 (workstation). +</p></div><div class="refsect3" lang="en"><a name="id308478"></a><h4>LOOKUP LDAP [<em class="replaceable"><code>DOMAIN</code></em>]</h4><p>Give IP address of LDAP server of specified <em class="replaceable"><code>DOMAIN</code></em>. Defaults to local domain.</p></div><div class="refsect3" lang="en"><a name="id308496"></a><h4>LOOKUP KDC [<em class="replaceable"><code>REALM</code></em>]</h4><p>Give IP address of KDC for the specified <em class="replaceable"><code>REALM</code></em>. +Defaults to local realm.</p></div><div class="refsect3" lang="en"><a name="id308514"></a><h4>LOOKUP DC [<em class="replaceable"><code>DOMAIN</code></em>]</h4><p>Give IP's of Domain Controllers for specified <em class="replaceable"><code> +DOMAIN</code></em>. Defaults to local domain.</p></div><div class="refsect3" lang="en"><a name="id308531"></a><h4>LOOKUP MASTER <em class="replaceable"><code>DOMAIN</code></em></h4><p>Give IP of master browser for specified <em class="replaceable"><code>DOMAIN</code></em> +or workgroup. Defaults to local domain.</p></div></div><div class="refsect2" lang="en"><a name="id308549"></a><h3>CACHE</h3><p>Samba uses a general caching interface called 'gencache'. It +can be controlled using 'NET CACHE'.</p><p>All the timeout parameters support the suffixes: + +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>s - Seconds</td></tr><tr><td>m - Minutes</td></tr><tr><td>h - Hours</td></tr><tr><td>d - Days</td></tr><tr><td>w - Weeks</td></tr></table><p> + +</p><div class="refsect3" lang="en"><a name="id308586"></a><h4>CACHE ADD <em class="replaceable"><code>key</code></em> <em class="replaceable"><code>data</code></em> <em class="replaceable"><code>time-out</code></em></h4><p>Add specified key+data to the cache with the given timeout.</p></div><div class="refsect3" lang="en"><a name="id308605"></a><h4>CACHE DEL <em class="replaceable"><code>key</code></em></h4><p>Delete key from the cache.</p></div><div class="refsect3" lang="en"><a name="id308618"></a><h4>CACHE SET <em class="replaceable"><code>key</code></em> <em class="replaceable"><code>data</code></em> <em class="replaceable"><code>time-out</code></em></h4><p>Update data of existing cache entry.</p></div><div class="refsect3" lang="en"><a name="id308637"></a><h4>CACHE SEARCH <em class="replaceable"><code>PATTERN</code></em></h4><p>Search for the specified pattern in the cache data.</p></div><div class="refsect3" lang="en"><a name="id308650"></a><h4>CACHE LIST</h4><p> +List all current items in the cache. +</p></div><div class="refsect3" lang="en"><a name="id308660"></a><h4>CACHE FLUSH</h4><p>Remove all the current items from the cache.</p></div></div><div class="refsect2" lang="en"><a name="id308671"></a><h3>GETLOCALSID [DOMAIN]</h3><p>Prints the SID of the specified domain, or if the parameter is +omitted, the SID of the local server.</p></div><div class="refsect2" lang="en"><a name="id308682"></a><h3>SETLOCALSID S-1-5-21-x-y-z</h3><p>Sets SID for the local server to the specified SID.</p></div><div class="refsect2" lang="en"><a name="id308693"></a><h3>GETDOMAINSID</h3><p>Prints the local machine SID and the SID of the current +domain.</p></div><div class="refsect2" lang="en"><a name="id308703"></a><h3>SETDOMAINSID</h3><p>Sets the SID of the current domain.</p></div><div class="refsect2" lang="en"><a name="id308714"></a><h3>GROUPMAP</h3><p>Manage the mappings between Windows group SIDs and UNIX groups. +Common options include:</p><div class="itemizedlist"><ul type="disc"><li><p>unixgroup - Name of the UNIX group</p></li><li><p>ntgroup - Name of the Windows NT group (must be + resolvable to a SID</p></li><li><p>rid - Unsigned 32-bit integer</p></li><li><p>sid - Full SID in the form of "S-1-..."</p></li><li><p>type - Type of the group; either 'domain', 'local', + or 'builtin'</p></li><li><p>comment - Freeform text description of the group</p></li></ul></div><div class="refsect3" lang="en"><a name="id308755"></a><h4>GROUPMAP ADD</h4><p> +Add a new group mapping entry: +</p><pre class="programlisting"> +net groupmap add {rid=int|sid=string} unixgroup=string \ + [type={domain|local}] [ntgroup=string] [comment=string] +</pre><p> +</p></div><div class="refsect3" lang="en"><a name="id308772"></a><h4>GROUPMAP DELETE</h4><p>Delete a group mapping entry. If more than one group name matches, the first entry found is deleted.</p><p>net groupmap delete {ntgroup=string|sid=SID}</p></div><div class="refsect3" lang="en"><a name="id308786"></a><h4>GROUPMAP MODIFY</h4><p>Update en existing group entry.</p><p> +</p><pre class="programlisting"> +net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \ + [comment=string] [type={domain|local}] +</pre><p> +</p></div><div class="refsect3" lang="en"><a name="id308806"></a><h4>GROUPMAP LIST</h4><p>List existing group mapping entries.</p><p>net groupmap list [verbose] [ntgroup=string] [sid=SID]</p></div></div><div class="refsect2" lang="en"><a name="id308821"></a><h3>MAXRID</h3><p>Prints out the highest RID currently in use on the local +server (by the active 'passdb backend'). +</p></div><div class="refsect2" lang="en"><a name="id308832"></a><h3>RPC INFO</h3><p>Print information about the domain of the remote server, +such as domain name, domain sid and number of users and groups. +</p></div><div class="refsect2" lang="en"><a name="id308843"></a><h3>[RPC|ADS] TESTJOIN</h3><p>Check whether participation in a domain is still valid.</p></div><div class="refsect2" lang="en"><a name="id308854"></a><h3>[RPC|ADS] CHANGETRUSTPW</h3><p>Force change of domain trust password.</p></div><div class="refsect2" lang="en"><a name="id308864"></a><h3>RPC TRUSTDOM</h3><div class="refsect3" lang="en"><a name="id308870"></a><h4>RPC TRUSTDOM ADD <em class="replaceable"><code>DOMAIN</code></em></h4><p>Add a interdomain trust account for <em class="replaceable"><code>DOMAIN</code></em>. +This is in fact a Samba account named <em class="replaceable"><code>DOMAIN$</code></em> +with the account flag <code class="constant">'I'</code> (interdomain trust account). +If the command is used against localhost it has the same effect as +<code class="literal">smbpasswd -a -i DOMAIN</code>. Please note that both commands +expect a appropriate UNIX account. +</p></div><div class="refsect3" lang="en"><a name="id308901"></a><h4>RPC TRUSTDOM DEL <em class="replaceable"><code>DOMAIN</code></em></h4><p>Remove interdomain trust account for +<em class="replaceable"><code>DOMAIN</code></em>. If it is used against localhost +it has the same effect as <code class="literal">smbpasswd -x DOMAIN$</code>. +</p></div><div class="refsect3" lang="en"><a name="id308923"></a><h4>RPC TRUSTDOM ESTABLISH <em class="replaceable"><code>DOMAIN</code></em></h4><p> +Establish a trust relationship to a trusting domain. +Interdomain account must already be created on the remote PDC. +</p></div><div class="refsect3" lang="en"><a name="id308936"></a><h4>RPC TRUSTDOM REVOKE <em class="replaceable"><code>DOMAIN</code></em></h4><p>Abandon relationship to trusted domain</p></div><div class="refsect3" lang="en"><a name="id308949"></a><h4>RPC TRUSTDOM LIST</h4><p>List all current interdomain trust relationships.</p></div><div class="refsect3" lang="en"><a name="id308960"></a><h4>RPC RIGHTS</h4><p>This subcommand is used to view and manage Samba's rights assignments (also +referred to as privileges). There are three options currently available: +<em class="parameter"><code>list</code></em>, <em class="parameter"><code>grant</code></em>, and +<em class="parameter"><code>revoke</code></em>. More details on Samba's privilege model and its use +can be found in the Samba-HOWTO-Collection.</p></div></div><div class="refsect2" lang="en"><a name="id308991"></a><h3>RPC ABORTSHUTDOWN</h3><p>Abort the shutdown of a remote server.</p></div><div class="refsect2" lang="en"><a name="id309001"></a><h3>RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]</h3><p>Shut down the remote server.</p><div class="variablelist"><dl><dt><span class="term">-r</span></dt><dd><p> +Reboot after shutdown. +</p></dd><dt><span class="term">-f</span></dt><dd><p> +Force shutting down all applications. +</p></dd><dt><span class="term">-t timeout</span></dt><dd><p> +Timeout before system will be shut down. An interactive +user of the system can use this time to cancel the shutdown. +</p></dd><dt><span class="term">-C message</span></dt><dd><p>Display the specified message on the screen to +announce the shutdown.</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id309061"></a><h3>RPC SAMDUMP</h3><p>Print out sam database of remote server. You need +to run this against the PDC, from a Samba machine joined as a BDC. </p></div><div class="refsect2" lang="en"><a name="id309072"></a><h3>RPC VAMPIRE</h3><p>Export users, aliases and groups from remote server to +local server. You need to run this against the PDC, from a Samba machine joined as a BDC. +</p></div><div class="refsect2" lang="en"><a name="id309083"></a><h3>RPC GETSID</h3><p>Fetch domain SID and store it in the local <code class="filename">secrets.tdb</code>. </p></div><div class="refsect2" lang="en"><a name="id309099"></a><h3>ADS LEAVE</h3><p>Make the remote host leave the domain it is part of. </p></div><div class="refsect2" lang="en"><a name="id309109"></a><h3>ADS STATUS</h3><p>Print out status of machine account of the local machine in ADS. +Prints out quite some debug info. Aimed at developers, regular +users should use <code class="literal">NET ADS TESTJOIN</code>.</p></div><div class="refsect2" lang="en"><a name="id309126"></a><h3>ADS PRINTER</h3><div class="refsect3" lang="en"><a name="id309132"></a><h4>ADS PRINTER INFO [<em class="replaceable"><code>PRINTER</code></em>] [<em class="replaceable"><code>SERVER</code></em>]</h4><p> +Lookup info for <em class="replaceable"><code>PRINTER</code></em> on <em class="replaceable"><code>SERVER</code></em>. The printer name defaults to "*", the +server name defaults to the local host.</p></div><div class="refsect3" lang="en"><a name="id309157"></a><h4>ADS PRINTER PUBLISH <em class="replaceable"><code>PRINTER</code></em></h4><p>Publish specified printer using ADS.</p></div><div class="refsect3" lang="en"><a name="id309170"></a><h4>ADS PRINTER REMOVE <em class="replaceable"><code>PRINTER</code></em></h4><p>Remove specified printer from ADS directory.</p></div></div><div class="refsect2" lang="en"><a name="id309183"></a><h3>ADS SEARCH <em class="replaceable"><code>EXPRESSION</code></em> <em class="replaceable"><code>ATTRIBUTES...</code></em></h3><p>Perform a raw LDAP search on a ADS server and dump the results. The +expression is a standard LDAP search expression, and the +attributes are a list of LDAP fields to show in the results.</p><p>Example: <strong class="userinput"><code>net ads search '(objectCategory=group)' sAMAccountName</code></strong> +</p></div><div class="refsect2" lang="en"><a name="id309210"></a><h3>ADS DN <em class="replaceable"><code>DN</code></em> <em class="replaceable"><code>(attributes)</code></em></h3><p> +Perform a raw LDAP search on a ADS server and dump the results. The +DN standard LDAP DN, and the attributes are a list of LDAP fields +to show in the result. +</p><p>Example: <strong class="userinput"><code>net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName</code></strong></p></div><div class="refsect2" lang="en"><a name="id309236"></a><h3>ADS WORKGROUP</h3><p>Print out workgroup name for specified kerberos realm.</p></div><div class="refsect2" lang="en"><a name="id309246"></a><h3>SAM CREATEBUILTINGROUP <NAME></h3><p> +(Re)Create a BUILTIN group. +Only a wellknown set of BUILTIN groups can be created with this command. +This is the list of currently recognized group names: Administrators, +Users, Guests, Power Users, Account Operators, Server Operators, Print +Operators, Backup Operators, Replicator, RAS Servers, Pre-Windows 2000 +compatible Access. + +This command requires a running Winbindd with idmap allocation properly +configured. The group gid will be allocated out of the winbindd range. +</p></div><div class="refsect2" lang="en"><a name="id309260"></a><h3>SAM CREATELOCALGROUP <NAME></h3><p> +Create a LOCAL group (also known as Alias). + +This command requires a running Winbindd with idmap allocation properly +configured. The group gid will be allocated out of the winbindd range. +</p></div><div class="refsect2" lang="en"><a name="id309272"></a><h3>SAM DELETELOCALGROUP <NAME></h3><p> +Delete an existing LOCAL group (also known as Alias). + +</p></div><div class="refsect2" lang="en"><a name="id309283"></a><h3>SAM MAPUNIXGROUP <NAME></h3><p> +Map an existing Unix group and make it a Domain Group, the domain group +will have the same name. +</p></div><div class="refsect2" lang="en"><a name="id309294"></a><h3>SAM UNMAPUNIXGROUP <NAME></h3><p> +Remove an existing group mapping entry. +</p></div><div class="refsect2" lang="en"><a name="id309305"></a><h3>SAM ADDMEM <GROUP> <MEMBER></h3><p> +Add a member to a Local group. The group can be specified only by name, +the member can be specified by name or SID. +</p></div><div class="refsect2" lang="en"><a name="id309316"></a><h3>SAM DELMEM <GROUP> <MEMBER></h3><p> +Remove a member from a Local group. The group and the member must be +specified by name. +</p></div><div class="refsect2" lang="en"><a name="id309327"></a><h3>SAM LISTMEM <GROUP></h3><p> +List Local group members. The group must be specified by name. +</p></div><div class="refsect2" lang="en"><a name="id309338"></a><h3>SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]</h3><p> +List the specified set of accounts by name. If verbose is specified, +the rid and description is also provided for each account. +</p></div><div class="refsect2" lang="en"><a name="id309350"></a><h3>SAM SHOW <NAME></h3><p> +Show the full DOMAIN\\NAME the SID and the type for the corresponding +account. +</p></div><div class="refsect2" lang="en"><a name="id309361"></a><h3>SAM SET HOMEDIR <NAME> <DIRECTORY></h3><p> +Set the home directory for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309371"></a><h3>SAM SET PROFILEPATH <NAME> <PATH></h3><p> +Set the profile path for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309382"></a><h3>SAM SET COMMENT <NAME> <COMMENT></h3><p> +Set the comment for a user or group account. +</p></div><div class="refsect2" lang="en"><a name="id309392"></a><h3>SAM SET FULLNAME <NAME> <FULL NAME></h3><p> +Set the full name for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309403"></a><h3>SAM SET LOGONSCRIPT <NAME> <SCRIPT></h3><p> +Set the logon script for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309413"></a><h3>SAM SET HOMEDRIVE <NAME> <DRIVE></h3><p> +Set the home drive for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309424"></a><h3>SAM SET WORKSTATIONS <NAME> <WORKSTATIONS></h3><p> +Set the workstations a user account is allowed to log in from. +</p></div><div class="refsect2" lang="en"><a name="id309435"></a><h3>SAM SET DISABLE <NAME></h3><p> +Set the "disabled" flag for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309445"></a><h3>SAM SET PWNOTREQ <NAME></h3><p> +Set the "password not required" flag for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309456"></a><h3>SAM SET AUTOLOCK <NAME></h3><p> +Set the "autolock" flag for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309466"></a><h3>SAM SET PWNOEXP <NAME></h3><p> +Set the "password do not expire" flag for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309477"></a><h3>SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]</h3><p> +Set or unset the "password must change" flag for a user account. +</p></div><div class="refsect2" lang="en"><a name="id309488"></a><h3>SAM POLICY LIST</h3><p> +List the available account policies. +</p></div><div class="refsect2" lang="en"><a name="id309498"></a><h3>SAM POLICY SHOW <account policy></h3><p> +Show the account policy value. +</p></div><div class="refsect2" lang="en"><a name="id309509"></a><h3>SAM POLICY SET <account policy> <value></h3><p> +Set a value for the account policy. +Valid values can be: "forever", "never", "off", or a number. +</p></div><div class="refsect2" lang="en"><a name="id309520"></a><h3>SAM PROVISION</h3><p> +Only available if ldapsam:editposix is set and winbindd is running. +Properly populates the ldap tree with the basic accounts (Administrator) +and groups (Domain Users, Domain Admins, Domain Guests) on the ldap tree. +</p></div><div class="refsect2" lang="en"><a name="id309532"></a><h3>IDMAP DUMP <local tdb file name></h3><p> +Dumps the mappings contained in the local tdb file specified. +This command is useful to dump only the mappings produced by the idmap_tdb backend. +</p></div><div class="refsect2" lang="en"><a name="id309544"></a><h3>IDMAP RESTORE [input file]</h3><p> +Restore the mappings from the specified file or stdin. +</p></div><div class="refsect2" lang="en"><a name="id309554"></a><h3>IDMAP SECRET <DOMAIN>|ALLOC <secret></h3><p> +Store a secret for the specified domain, used primarily for domains +that use idmap_ldap as a backend. In this case the secret is used +as the password for the user DN used to bind to the ldap server. +</p></div><div class="refsect2" lang="en"><a name="id309566"></a><h3>USERSHARE</h3><p>Starting with version 3.0.23, a Samba server now supports the ability for +non-root users to add user defined shares to be exported using the "net usershare" +commands. +</p><p> +To set this up, first set up your smb.conf by adding to the [global] section: + +usershare path = /usr/local/samba/lib/usershares + +Next create the directory /usr/local/samba/lib/usershares, change the owner to root and +set the group owner to the UNIX group who should have the ability to create usershares, +for example a group called "serverops". + +Set the permissions on /usr/local/samba/lib/usershares to 01770. + +(Owner and group all access, no access for others, plus the sticky bit, +which means that a file in that directory can be renamed or deleted only +by the owner of the file). + +Finally, tell smbd how many usershares you will allow by adding to the [global] +section of smb.conf a line such as : + +usershare max shares = 100. + +To allow 100 usershare definitions. Now, members of the UNIX group "serverops" +can create user defined shares on demand using the commands below. +</p><p>The usershare commands are: + +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] - to add or change a user defined share.</td></tr><tr><td>net usershare delete sharename - to delete a user defined share.</td></tr><tr><td>net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.</td></tr><tr><td>net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.</td></tr></table><p> + +</p><div class="refsect3" lang="en"><a name="id309613"></a><h4>USERSHARE ADD <em class="replaceable"><code>sharename</code></em> <em class="replaceable"><code>path</code></em> <em class="replaceable"><code>[comment]</code></em> <em class="replaceable"><code>[acl]</code></em> <em class="replaceable"><code>[guest_ok=[y|n]]</code></em></h4><p> +Add or replace a new user defined share, with name "sharename". +</p><p> +"path" specifies the absolute pathname on the system to be exported. +Restrictions may be put on this, see the global smb.conf parameters: +"usershare owner only", "usershare prefix allow list", and +"usershare prefix deny list". +</p><p> +The optional "comment" parameter is the comment that will appear +on the share when browsed to by a client. +</p><p>The optional "acl" field +specifies which users have read and write access to the entire share. +Note that guest connections are not allowed unless the smb.conf parameter +"usershare allow guests" has been set. The definition of a user +defined share acl is: "user:permission", where user is a valid +username on the system and permission can be "F", "R", or "D". +"F" stands for "full permissions", ie. read and write permissions. +"D" stands for "deny" for a user, ie. prevent this user from accessing +this share. +"R" stands for "read only", ie. only allow read access to this +share (no creation of new files or directories or writing to files). +</p><p> +The default if no "acl" is given is "Everyone:R", which means any +authenticated user has read-only access. +</p><p> +The optional "guest_ok" has the same effect as the parameter of the +same name in smb.conf, in that it allows guest access to this user +defined share. This parameter is only allowed if the global parameter +"usershare allow guests" has been set to true in the smb.conf. +</p> + +There is no separate command to modify an existing user defined share, +just use the "net usershare add [sharename]" command using the same +sharename as the one you wish to modify and specify the new options +you wish. The Samba smbd daemon notices user defined share modifications +at connect time so will see the change immediately, there is no need +to restart smbd on adding, deleting or changing a user defined share. +</div><div class="refsect3" lang="en"><a name="id309671"></a><h4>USERSHARE DELETE <em class="replaceable"><code>sharename</code></em></h4><p> +Deletes the user defined share by name. The Samba smbd daemon +immediately notices this change, although it will not disconnect +any users currently connected to the deleted share. +</p></div><div class="refsect3" lang="en"><a name="id309685"></a><h4>USERSHARE INFO <em class="replaceable"><code>[-l|--long]</code></em> <em class="replaceable"><code>[wildcard sharename]</code></em></h4><p> +Get info on user defined shares owned by the current user matching the given pattern, or all users. +</p><p> +net usershare info on its own dumps out info on the user defined shares that were +created by the current user, or restricts them to share names that match the given +wildcard pattern ('*' matches one or more characters, '?' matches only one character). +If the '-l' or '--long' option is also given, it prints out info on user defined +shares created by other users. +</p><p> +The information given about a share looks like: + +[foobar] +path=/home/jeremy +comment=testme +usershare_acl=Everyone:F +guest_ok=n + +And is a list of the current settings of the user defined share that can be +modified by the "net usershare add" command. +</p></div><div class="refsect3" lang="en"><a name="id309714"></a><h4>USERSHARE LIST <em class="replaceable"><code>[-l|--long]</code></em> <em class="replaceable"><code>wildcard sharename</code></em></h4><p> +List all the user defined shares owned by the current user matching the given pattern, or all users. +</p><p> +net usershare list on its own list out the names of the user defined shares that were +created by the current user, or restricts the list to share names that match the given +wildcard pattern ('*' matches one or more characters, '?' matches only one character). +If the '-l' or '--long' option is also given, it includes the names of user defined +shares created by other users. +</p></div></div><div class="refsect2" lang="en"><a name="id309738"></a><h3>CONF</h3><p>Starting with version 3.2.0, a Samba server can be configured by data +stored in registry. This configuration data can be edited with the new "net +conf" commands. +</p><p> +The deployment of this configuration data can be activated in two levels from the +<span class="emphasis"><em>smb.conf</em></span> file: Share definitions from registry are +activated by setting <em class="parameter"><code>registry shares</code></em> to +“<span class="quote">yes</span>” in the [global] section and global configuration options are +activated by setting <a class="indexterm" name="id309765"></a>include = registry in +the [global] section. +See the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> manpage for details. +</p><p>The conf commands are: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>net conf list - Dump the complete configuration in smb.conf like +format.</td></tr><tr><td>net conf import - Import configuration from file in smb.conf +format.</td></tr><tr><td>net conf listshares - List the registry shares.</td></tr><tr><td>net conf drop - Delete the complete configuration from +registry.</td></tr><tr><td>net conf showshare - Show the definition of a registry share.</td></tr><tr><td>net conf addshare - Create a new registry share.</td></tr><tr><td>net conf delshare - Delete a registry share.</td></tr><tr><td>net conf setparm - Store a parameter.</td></tr><tr><td>net conf getparm - Retrieve the value of a parameter.</td></tr><tr><td>net conf delparm - Delete a parameter.</td></tr></table><p> +</p><div class="refsect3" lang="en"><a name="id309828"></a><h4>CONF LIST</h4><p> +Print the configuration data stored in the registry in a smb.conf-like format to +standard output. +</p></div><div class="refsect3" lang="en"><a name="id309839"></a><h4>CONF IMPORT <em class="replaceable"><code>[--test|-T]</code></em> <em class="replaceable"><code>filename</code></em> <em class="replaceable"><code>[section]</code></em></h4><p> +This command imports configuration from a file in smb.conf format. +If a section encountered in the input file is present in registry, +its contents is replaced. Sections of registry configuration that have +no counterpart in the input file are not affected. If you want to delete these, +you will have to use the "net conf drop" or "net conf delshare" commands. +Optionally, a section may be specified to restrict the effect of the +import command to that specific section. A test mode is enabled by specifying +the parameter "-T" on the commandline. In test mode, no changes are made to the +registry, and the resulting configuration is printed to standard output instead. +</p></div><div class="refsect3" lang="en"><a name="id309864"></a><h4>CONF LISTSHARES</h4><p> +List the names of the shares defined in registry. +</p></div><div class="refsect3" lang="en"><a name="id309875"></a><h4>CONF DROP</h4><p> +Delete the complete configuration data from registry. +</p></div><div class="refsect3" lang="en"><a name="id309885"></a><h4>CONF SHOWSHARE <em class="replaceable"><code>sharename</code></em></h4><p> +Show the definition of the share or section specified. It is valid to specify +"global" as sharename to retrieve the global configuration options from +registry. +</p></div><div class="refsect3" lang="en"><a name="id309899"></a><h4>CONF ADDSHARE <em class="replaceable"><code>sharename</code></em> <em class="replaceable"><code>path</code></em> [<em class="replaceable"><code>writeable={y|N}</code></em> [<em class="replaceable"><code>guest_ok={y|N}</code></em> [<em class="replaceable"><code>comment</code></em>]]] </h4><p>Create a new share definition in registry. +The sharename and path have to be given. The share name may +<span class="emphasis"><em>not</em></span> be "global". Optionally, values for the very +common options "writeable", "guest ok" and a "comment" may be specified. +The same result may be obtained by a sequence of "net conf setparm" +commands. +</p></div><div class="refsect3" lang="en"><a name="id309932"></a><h4>CONF DELSHARE <em class="replaceable"><code>sharename</code></em></h4><p> +Delete a share definition from registry. +</p></div><div class="refsect3" lang="en"><a name="id309945"></a><h4>CONF SETPARM <em class="replaceable"><code>section</code></em> <em class="replaceable"><code>parameter</code></em> <em class="replaceable"><code>value</code></em></h4><p> +Store a parameter in registry. The section may be global or a sharename. +The section is created if it does not exist yet. +</p></div><div class="refsect3" lang="en"><a name="id309965"></a><h4>CONF GETPARM <em class="replaceable"><code>section</code></em> <em class="replaceable"><code>parameter</code></em></h4><p> +Show a parameter stored in registry. +</p></div><div class="refsect3" lang="en"><a name="id309981"></a><h4>CONF DELPARM <em class="replaceable"><code>section</code></em> <em class="replaceable"><code>parameter</code></em></h4><p> +Delete a parameter stored in registry. +</p></div><div class="refsect3" lang="en"><a name="id309998"></a><h4></h4><p> +</p></div></div><div class="refsect2" lang="en"><a name="id310007"></a><h3>HELP [COMMAND]</h3><p>Gives usage information for the specified command.</p></div></div><div class="refsect1" lang="en"><a name="id310019"></a><h2>VERSION</h2><p>This man page is complete for version 3.0 of the Samba + suite.</p></div><div class="refsect1" lang="en"><a name="id310029"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The net manpage was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/nmbd.8.html b/docs/htmldocs/manpages/nmbd.8.html new file mode 100644 index 0000000000..4d8a2f8bf2 --- /dev/null +++ b/docs/htmldocs/manpages/nmbd.8.html @@ -0,0 +1,147 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>nmbd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="nmbd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>nmbd — NetBIOS name server to provide NetBIOS + over IP naming services to clients</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">nmbd</code> [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>]</p></div></div><div class="refsect1" lang="en"><a name="id267087"></a><h2>DESCRIPTION</h2><p>This program is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">nmbd</code> is a server that understands + and can reply to NetBIOS over IP name service requests, like + those produced by SMB/CIFS clients such as Windows 95/98/ME, + Windows NT, Windows 2000, Windows XP and LanManager clients. It also + participates in the browsing protocols which make up the + Windows "Network Neighborhood" view.</p><p>SMB/CIFS clients, when they start up, may wish to + locate an SMB/CIFS server. That is, they wish to know what + IP number a specified host is using.</p><p>Amongst other services, <code class="literal">nmbd</code> will + listen for such requests, and if its own NetBIOS name is + specified it will respond with the IP number of the host it + is running on. Its "own NetBIOS name" is by + default the primary DNS name of the host it is running on, + but this can be overridden by the <a class="indexterm" name="id299225"></a>netbios name + in <code class="filename">smb.conf</code>. Thus <code class="literal">nmbd</code> will + reply to broadcast queries for its own name(s). Additional + names for <code class="literal">nmbd</code> to respond on can be set + via parameters in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> configuration file.</p><p><code class="literal">nmbd</code> can also be used as a WINS + (Windows Internet Name Server) server. What this basically means + is that it will act as a WINS database server, creating a + database from name registration requests that it receives and + replying to queries from clients for these names.</p><p>In addition, <code class="literal">nmbd</code> can act as a WINS + proxy, relaying broadcast queries from clients that do + not understand how to talk the WINS protocol to a WINS + server.</p></div><div class="refsect1" lang="en"><a name="id266718"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-D</span></dt><dd><p>If specified, this parameter causes + <code class="literal">nmbd</code> to operate as a daemon. That is, + it detaches itself and runs in the background, fielding + requests on the appropriate port. By default, <code class="literal">nmbd</code> + will operate as a daemon if launched from a command shell. + nmbd can also be operated from the <code class="literal">inetd</code> + meta-daemon, although this is not recommended. + </p></dd><dt><span class="term">-F</span></dt><dd><p>If specified, this parameter causes + the main <code class="literal">nmbd</code> process to not daemonize, + i.e. double-fork and disassociate with the terminal. + Child processes are still created as normal to service + each connection request, but the main process does not + exit. This operation mode is suitable for running + <code class="literal">nmbd</code> under process supervisors such + as <code class="literal">supervise</code> and <code class="literal">svscan</code> + from Daniel J. Bernstein's <code class="literal">daemontools</code> + package, or the AIX process monitor. + </p></dd><dt><span class="term">-S</span></dt><dd><p>If specified, this parameter causes + <code class="literal">nmbd</code> to log to standard output rather + than a file.</p></dd><dt><span class="term">-i</span></dt><dd><p>If this parameter is specified it causes the + server to run "interactively", not as a daemon, even if the + server is executed on the command line of a shell. Setting this + parameter negates the implicit daemon mode when run from the + command line. <code class="literal">nmbd</code> also logs to standard + output, as if the <code class="constant">-S</code> parameter had been + given. </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-H <filename></span></dt><dd><p>NetBIOS lmhosts file. The lmhosts + file is a list of NetBIOS names to IP addresses that + is loaded by the nmbd server and used via the name + resolution mechanism <a class="indexterm" name="id266863"></a>name resolve order described in <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> to resolve any + NetBIOS name queries needed by the server. Note + that the contents of this file are <span class="emphasis"><em>NOT</em></span> + used by <code class="literal">nmbd</code> to answer any name queries. + Adding a line to this file affects name NetBIOS resolution + from this host <span class="emphasis"><em>ONLY</em></span>.</p><p>The default path to this file is compiled into + Samba as part of the build process. Common defaults + are <code class="filename">/usr/local/samba/lib/lmhosts</code>, + <code class="filename">/usr/samba/lib/lmhosts</code> or + <code class="filename">/etc/samba/lmhosts</code>. See the <a href="lmhosts.5.html"><span class="citerefentry"><span class="refentrytitle">lmhosts</span>(5)</span></a> man page for details on the contents of this file.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id307906"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-p <UDP port number></span></dt><dd><p>UDP port number is a positive integer value. + This option changes the default UDP port number (normally 137) + that <code class="literal">nmbd</code> responds to name queries on. Don't + use this option unless you are an expert, in which case you + won't need help!</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id307989"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/inetd.conf</code></span></dt><dd><p>If the server is to be run by the + <code class="literal">inetd</code> meta-daemon, this file + must contain suitable startup information for the + meta-daemon. + </p></dd><dt><span class="term"><code class="filename">/etc/rc</code></span></dt><dd><p>or whatever initialization script your + system uses).</p><p>If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server.</p></dd><dt><span class="term"><code class="filename">/etc/services</code></span></dt><dd><p>If running the server via the + meta-daemon <code class="literal">inetd</code>, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). + </p></dd><dt><span class="term"><code class="filename">/usr/local/samba/lib/smb.conf</code></span></dt><dd><p>This is the default location of + the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> server + configuration file. Other common places that systems + install this file are <code class="filename">/usr/samba/lib/smb.conf</code> + and <code class="filename">/etc/samba/smb.conf</code>.</p><p>When run as a WINS server (see the + <a class="indexterm" name="id308096"></a>wins support + parameter in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> man page), + <code class="literal">nmbd</code> + will store the WINS database in the file <code class="filename">wins.dat</code> + in the <code class="filename">var/locks</code> directory configured under + wherever Samba was configured to install itself.</p><p>If <code class="literal">nmbd</code> is acting as a <span class="emphasis"><em> + browse master</em></span> (see the <a class="indexterm" name="id308143"></a>local master + parameter in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> man page, <code class="literal">nmbd</code> + will store the browsing database in the file <code class="filename">browse.dat + </code> in the <code class="filename">var/locks</code> directory + configured under wherever Samba was configured to install itself. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308181"></a><h2>SIGNALS</h2><p>To shut down an <code class="literal">nmbd</code> process it is recommended + that SIGKILL (-9) <span class="emphasis"><em>NOT</em></span> be used, except as a last + resort, as this may leave the name database in an inconsistent state. + The correct way to terminate <code class="literal">nmbd</code> is to send it + a SIGTERM (-15) signal and wait for it to die on its own.</p><p><code class="literal">nmbd</code> will accept SIGHUP, which will cause + it to dump out its namelists into the file <code class="filename">namelist.debug + </code> in the <code class="filename">/usr/local/samba/var/locks</code> + directory (or the <code class="filename">var/locks</code> directory configured + under wherever Samba was configured to install itself). This will also + cause <code class="literal">nmbd</code> to dump out its server database in + the <code class="filename">log.nmb</code> file.</p><p>The debug log level of nmbd may be raised or lowered + using <a href="smbcontrol.1.html"><span class="citerefentry"><span class="refentrytitle">smbcontrol</span>(1)</span></a> (SIGUSR[1|2] signals + are no longer used since Samba 2.2). This is to allow + transient problems to be diagnosed, whilst still running + at a normally low log level.</p></div><div class="refsect1" lang="en"><a name="id308261"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308272"></a><h2>SEE ALSO</h2><p> + <a href="inetd.8.html"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>, and the Internet + RFC's <code class="filename">rfc1001.txt</code>, <code class="filename">rfc1002.txt</code>. + In addition the CIFS (formerly SMB) specification is available + as a link from the Web page <a href="http://samba.org/cifs/" target="_top"> + http://samba.org/cifs/</a>.</p></div><div class="refsect1" lang="en"><a name="id308349"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook + XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/nmblookup.1.html b/docs/htmldocs/manpages/nmblookup.1.html new file mode 100644 index 0000000000..d4084372ad --- /dev/null +++ b/docs/htmldocs/manpages/nmblookup.1.html @@ -0,0 +1,105 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>nmblookup</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="nmblookup"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>nmblookup — NetBIOS over TCP/IP client used to lookup NetBIOS + names</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">nmblookup</code> [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}</p></div></div><div class="refsect1" lang="en"><a name="id299269"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">nmblookup</code> is used to query NetBIOS names + and map them to IP addresses in a network using NetBIOS over TCP/IP + queries. The options allow the name queries to be directed at a + particular IP broadcast area or to a particular machine. All queries + are done over UDP.</p></div><div class="refsect1" lang="en"><a name="id266732"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-M</span></dt><dd><p>Searches for a master browser by looking + up the NetBIOS name <em class="replaceable"><code>name</code></em> with a + type of <code class="constant">0x1d</code>. If <em class="replaceable"><code> + name</code></em> is "-" then it does a lookup on the special name + <code class="constant">__MSBROWSE__</code>. Please note that in order to + use the name "-", you need to make sure "-" isn't parsed as an + argument, e.g. use : + <strong class="userinput"><code>nmblookup -M -- -</code></strong>.</p></dd><dt><span class="term">-R</span></dt><dd><p>Set the recursion desired bit in the packet + to do a recursive lookup. This is used when sending a name + query to a machine running a WINS server and the user wishes + to query the names in the WINS server. If this bit is unset + the normal (broadcast responding) NetBIOS processing code + on a machine is used instead. See RFC1001, RFC1002 for details. + </p></dd><dt><span class="term">-S</span></dt><dd><p>Once the name query has returned an IP + address then do a node status query as well. A node status + query returns the NetBIOS names registered by a host. + </p></dd><dt><span class="term">-r</span></dt><dd><p>Try and bind to UDP port 137 to send and receive UDP + datagrams. The reason for this option is a bug in Windows 95 + where it ignores the source port of the requesting packet + and only replies to UDP port 137. Unfortunately, on most UNIX + systems root privilege is needed to bind to this port, and + in addition, if the <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> daemon is running on this machine it also binds to this port. + </p></dd><dt><span class="term">-A</span></dt><dd><p>Interpret <em class="replaceable"><code>name</code></em> as + an IP Address and do a node status query on this address.</p></dd><dt><span class="term">-n <primary NetBIOS name></span></dt><dd><p>This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the <a class="indexterm" name="id266847"></a> parameter in the <code class="filename">smb.conf</code> file. +However, a command +line setting will take precedence over settings in +<code class="filename">smb.conf</code>.</p></dd><dt><span class="term">-i <scope></span></dt><dd><p>This specifies a NetBIOS scope that +<code class="literal">nmblookup</code> will use to communicate with when +generating NetBIOS names. For details on the use of NetBIOS +scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are +<span class="emphasis"><em>very</em></span> rarely used, only set this parameter +if you are the system administrator in charge of all the +NetBIOS systems you communicate with.</p></dd><dt><span class="term">-W|--workgroup=domain</span></dt><dd><p>Set the SMB domain of the username. This +overrides the default domain which is the domain defined in +smb.conf. If the domain specified is the same as the servers +NetBIOS name, it causes the client to log on using the servers local +SAM (as opposed to the Domain SAM). </p></dd><dt><span class="term">-O socket options</span></dt><dd><p>TCP socket options to set on the client +socket. See the socket options parameter in +the <code class="filename">smb.conf</code> manual page for the list of valid +options. </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-B <broadcast address></span></dt><dd><p>Send the query to the given broadcast address. Without + this option the default behavior of nmblookup is to send the + query to the broadcast address of the network interfaces as + either auto-detected or defined in the <a href="smb.conf.5.html#INTERFACES" target="_top"><em class="parameter"><code>interfaces</code></em> + </a> parameter of the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file. + </p></dd><dt><span class="term">-U <unicast address></span></dt><dd><p>Do a unicast query to the specified address or + host <em class="replaceable"><code>unicast address</code></em>. This option + (along with the <em class="parameter"><code>-R</code></em> option) is needed to + query a WINS server.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id307894"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-T</span></dt><dd><p>This causes any IP addresses found in the + lookup to be looked up via a reverse DNS lookup into a + DNS name, and printed out before each</p><p><span class="emphasis"><em>IP address .... NetBIOS name</em></span></p><p> pair that is the normal output.</p></dd><dt><span class="term">-f</span></dt><dd><p> + Show which flags apply to the name that has been looked up. Possible + answers are zero or more of: Response, Authoritative, + Truncated, Recursion_Desired, Recursion_Available, Broadcast. + </p></dd><dt><span class="term">name</span></dt><dd><p>This is the NetBIOS name being queried. Depending + upon the previous options this may be a NetBIOS name or IP address. + If a NetBIOS name then the different name types may be specified + by appending '#<type>' to the name. This name may also be + '*', which will return all registered names within a broadcast + area.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308003"></a><h2>EXAMPLES</h2><p><code class="literal">nmblookup</code> can be used to query + a WINS server (in the same way <code class="literal">nslookup</code> is + used to query DNS servers). To query a WINS server, <code class="literal">nmblookup</code> + must be called like this:</p><p><code class="literal">nmblookup -U server -R 'name'</code></p><p>For example, running :</p><p><code class="literal">nmblookup -U samba.org -R 'IRIX#1B'</code></p><p>would query the WINS server samba.org for the domain + master browser (1B name type) for the IRIX workgroup.</p></div><div class="refsect1" lang="en"><a name="id308052"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308063"></a><h2>SEE ALSO</h2><p><a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, and <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id308095"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook + XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/ntlm_auth.1.html b/docs/htmldocs/manpages/ntlm_auth.1.html new file mode 100644 index 0000000000..18c77834ed --- /dev/null +++ b/docs/htmldocs/manpages/ntlm_auth.1.html @@ -0,0 +1,157 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ntlm_auth</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ntlm-auth.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ntlm_auth — tool to allow external access to Winbind's NTLM authentication function</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ntlm_auth</code> [-d debuglevel] [-l logdir] [-s <smb config file>]</p></div></div><div class="refsect1" lang="en"><a name="id267695"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">ntlm_auth</code> is a helper utility that authenticates + users using NT/LM authentication. It returns 0 if the users is authenticated + successfully and 1 if access was denied. ntlm_auth uses winbind to access + the user and authentication data for a domain. This utility + is only indended to be used by other programs (currently + <a href="http://www.squid-cache.org/" target="_top">Squid</a> + and <a href="http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/" target="_top">mod_ntlm_winbind</a>) + </p></div><div class="refsect1" lang="en"><a name="id299225"></a><h2>OPERATIONAL REQUIREMENTS</h2><p> + The <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon must be operational + for many of these commands to function.</p><p>Some of these commands also require access to the directory + <code class="filename">winbindd_privileged</code> in + <code class="filename">$LOCKDIR</code>. This should be done either by running + this command as root or providing group access + to the <code class="filename">winbindd_privileged</code> directory. For + security reasons, this directory should not be world-accessable. </p></div><div class="refsect1" lang="en"><a name="id299266"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">--helper-protocol=PROTO</span></dt><dd><p> + Operate as a stdio-based helper. Valid helper protocols are: + </p><div class="variablelist"><dl><dt><span class="term">squid-2.4-basic</span></dt><dd><p> + Server-side helper for use with Squid 2.4's basic (plaintext) + authentication. </p></dd><dt><span class="term">squid-2.5-basic</span></dt><dd><p> + Server-side helper for use with Squid 2.5's basic (plaintext) + authentication. </p></dd><dt><span class="term">squid-2.5-ntlmssp</span></dt><dd><p> + Server-side helper for use with Squid 2.5's NTLMSSP + authentication. </p><p>Requires access to the directory + <code class="filename">winbindd_privileged</code> in + <code class="filename">$LOCKDIR</code>. The protocol used is + described here: <a href="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html" target="_top">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</a>. + This protocol has been extended to allow the + NTLMSSP Negotiate packet to be included as an argument + to the <code class="literal">YR</code> command. (Thus avoiding + loss of information in the protocol exchange). + </p></dd><dt><span class="term">ntlmssp-client-1</span></dt><dd><p> + Client-side helper for use with arbitrary external + programs that may wish to use Samba's NTLMSSP + authentication knowledge. </p><p>This helper is a client, and as such may be run by any + user. The protocol used is + effectively the reverse of the previous protocol. A + <code class="literal">YR</code> command (without any arguments) + starts the authentication exchange. + </p></dd><dt><span class="term">gss-spnego</span></dt><dd><p> + Server-side helper that implements GSS-SPNEGO. This + uses a protocol that is almost the same as + <code class="literal">squid-2.5-ntlmssp</code>, but has some + subtle differences that are undocumented outside the + source at this stage. + </p><p>Requires access to the directory + <code class="filename">winbindd_privileged</code> in + <code class="filename">$LOCKDIR</code>. + </p></dd><dt><span class="term">gss-spnego-client</span></dt><dd><p> + Client-side helper that implements GSS-SPNEGO. This + also uses a protocol similar to the above helpers, but + is currently undocumented. + </p></dd><dt><span class="term">ntlm-server-1</span></dt><dd><p> + Server-side helper protocol, intended for use by a + RADIUS server or the 'winbind' plugin for pppd, for + the provision of MSCHAP and MSCHAPv2 authentication. + </p><p>This protocol consists of lines in the form: + <code class="literal">Parameter: value</code> and <code class="literal">Parameter:: + Base64-encode value</code>. The presence of a single + period <code class="literal">.</code> indicates that one side has + finished supplying data to the other. (Which in turn + could cause the helper to authenticate the + user). </p><p>Curently implemented parameters from the + external program to the helper are:</p><div class="variablelist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3>Implementors should take care to base64 encode + any data (such as usernames/passwords) that may contain malicous user data, such as + a newline. They may also need to decode strings from + the helper, which likewise may have been base64 encoded.</div><dl><dt><span class="term">Username</span></dt><dd><p>The username, expected to be in + Samba's <a class="indexterm" name="id266937"></a>unix charset. + </p><div class="example"><a name="id266946"></a><p class="title"><b>Example 1. </b></p><div class="example-contents">Username: bob</div></div><p><br class="example-break"></p><div class="example"><a name="id266950"></a><p class="title"><b>Example 2. </b></p><div class="example-contents">Username:: Ym9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">Username</span></dt><dd><p>The user's domain, expected to be in + Samba's <a class="indexterm" name="id266964"></a>unix charset. + </p><div class="example"><a name="id266973"></a><p class="title"><b>Example 3. </b></p><div class="example-contents">Domain: WORKGROUP</div></div><p><br class="example-break"></p><div class="example"><a name="id266978"></a><p class="title"><b>Example 4. </b></p><div class="example-contents">Domain:: V09SS0dST1VQ</div></div><p><br class="example-break"></p></dd><dt><span class="term">Full-Username</span></dt><dd><p>The fully qualified username, expected to be in + Samba's <a class="indexterm" name="id266991"></a> and qualified with the + <a class="indexterm" name="id266997"></a>winbind separator. + </p><div class="example"><a name="id267007"></a><p class="title"><b>Example 5. </b></p><div class="example-contents">Full-Username: WORKGROUP\bob</div></div><p><br class="example-break"></p><div class="example"><a name="id267011"></a><p class="title"><b>Example 6. </b></p><div class="example-contents">Full-Username:: V09SS0dST1VQYm9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Challenge</span></dt><dd><p>The 8 byte <code class="literal">LANMAN Challenge</code> value, + generated randomly by the server, or (in cases such as + MSCHAPv2) generated in some way by both the server and + the client. + </p><div class="example"><a name="id307893"></a><p class="title"><b>Example 7. </b></p><div class="example-contents">LANMAN-Challege: 0102030405060708</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Response</span></dt><dd><p>The 24 byte <code class="literal">LANMAN Response</code> value, + calculated from the user's password and the supplied + <code class="literal">LANMAN Challenge</code>. Typically, this + is provided over the network by a client wishing to authenticate. + </p><div class="example"><a name="id307922"></a><p class="title"><b>Example 8. </b></p><div class="example-contents">LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">NT-Response</span></dt><dd><p>The >= 24 byte <code class="literal">NT Response</code> + calculated from the user's password and the supplied + <code class="literal">LANMAN Challenge</code>. Typically, this is + provided over the network by a client wishing to authenticate. + </p><div class="example"><a name="id307952"></a><p class="title"><b>Example 9. </b></p><div class="example-contents">NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">Password</span></dt><dd><p>The user's password. This would be + provided by a network client, if the helper is being + used in a legacy situation that exposes plaintext + passwords in this way. + </p><div class="example"><a name="id307970"></a><p class="title"><b>Example 10. </b></p><div class="example-contents">Password: samba2</div></div><p><br class="example-break"></p><div class="example"><a name="id307974"></a><p class="title"><b>Example 11. </b></p><div class="example-contents">Password:: c2FtYmEy</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-User-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return + the user session key associated with the login. + </p><div class="example"><a name="id307991"></a><p class="title"><b>Example 12. </b></p><div class="example-contents">Request-User-Session-Key: Yes</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-LanMan-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return + the LANMAN session key associated with the login. + </p><div class="example"><a name="id308008"></a><p class="title"><b>Example 13. </b></p><div class="example-contents">Request-LanMan-Session-Key: Yes</div></div><p><br class="example-break"></p></dd></dl></div></dd></dl></div></dd><dt><span class="term">--username=USERNAME</span></dt><dd><p> + Specify username of user to authenticate + </p></dd><dt><span class="term">--domain=DOMAIN</span></dt><dd><p> + Specify domain of user to authenticate + </p></dd><dt><span class="term">--workstation=WORKSTATION</span></dt><dd><p> + Specify the workstation the user authenticated from + </p></dd><dt><span class="term">--challenge=STRING</span></dt><dd><p>NTLM challenge (in HEXADECIMAL)</p></dd><dt><span class="term">--lm-response=RESPONSE</span></dt><dd><p>LM Response to the challenge (in HEXADECIMAL)</p></dd><dt><span class="term">--nt-response=RESPONSE</span></dt><dd><p>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</p></dd><dt><span class="term">--password=PASSWORD</span></dt><dd><p>User's plaintext password</p><p>If + not specified on the command line, this is prompted for when + required. </p><p>For the NTLMSSP based server roles, this parameter + specifies the expected password, allowing testing without + winbindd operational.</p></dd><dt><span class="term">--request-lm-key</span></dt><dd><p>Retreive LM session key</p></dd><dt><span class="term">--request-nt-key</span></dt><dd><p>Request NT key</p></dd><dt><span class="term">--diagnostics</span></dt><dd><p>Perform Diagnostics on the authentication + chain. Uses the password from <code class="literal">--password</code> + or prompts for one.</p></dd><dt><span class="term">--require-membership-of={SID|Name}</span></dt><dd><p>Require that a user be a member of specified + group (either name or SID) for authentication to succeed.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id308198"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308275"></a><h2>EXAMPLE SETUP</h2><p>To setup ntlm_auth for use by squid 2.5, with both basic and + NTLMSSP authentication, the following + should be placed in the <code class="filename">squid.conf</code> file. +</p><pre class="programlisting"> +auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic +auth_param basic children 5 +auth_param basic realm Squid proxy-caching web server +auth_param basic credentialsttl 2 hours +</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This example assumes that ntlm_auth has been installed into your + path, and that the group permissions on + <code class="filename">winbindd_privileged</code> are as described above.</p></div><p>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above + example, the following should be added to the <code class="filename">squid.conf</code> file. +</p><pre class="programlisting"> +auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users' +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users' +</pre></div><div class="refsect1" lang="en"><a name="id308327"></a><h2>TROUBLESHOOTING</h2><p>If you're experiencing problems with authenticating Internet Explorer running + under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication + helper (--helper-protocol=squid-2.5-ntlmssp), then please read + <a href="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP" target="_top"> + the Microsoft Knowledge Base article #239869 and follow instructions described there</a>. + </p></div><div class="refsect1" lang="en"><a name="id308346"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba + suite.</p></div><div class="refsect1" lang="en"><a name="id308356"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The ntlm_auth manpage was written by Jelmer Vernooij and + Andrew Bartlett.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/pam_winbind.7.html b/docs/htmldocs/manpages/pam_winbind.7.html new file mode 100644 index 0000000000..697ecbc784 --- /dev/null +++ b/docs/htmldocs/manpages/pam_winbind.7.html @@ -0,0 +1,61 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>pam_winbind</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="pam_winbind.7"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pam_winbind — PAM module for Winbind</p></div><div class="refsect1" lang="en"><a name="id267380"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p> + pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. + </p></div><div class="refsect1" lang="en"><a name="id267683"></a><h2>OPTIONS</h2><p> + + pam_winbind supports several options which can either be set in + the PAM configuration files or in the pam_winbind configuration + file situated at + <code class="filename">/etc/security/pam_winbind.conf</code>. Options + from the PAM configuration file take precedence to those from + the configuration file. + + </p><div class="variablelist"><dl><dt><span class="term">debug</span></dt><dd><p>Gives debugging output to syslog.</p></dd><dt><span class="term">debug_state</span></dt><dd><p>Gives detailed PAM state debugging output to syslog.</p></dd><dt><span class="term">require_membership_of=[SID or NAME]</span></dt><dd><p> + If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID + can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the + SID. That name must have the form: <em class="parameter"><code>MYDOMAIN\\mygroup</code></em> or + <em class="parameter"><code>MYDOMAIN\\myuser</code></em>. pam_winbind will, in that case, lookup the SID internally. Note that + NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a + user is a member of with <code class="literal">wbinfo --user-sids=SID</code>. + </p></dd><dt><span class="term">try_first_pass</span></dt><dd><p></p></dd><dt><span class="term">use_first_pass</span></dt><dd><p> + By default, pam_winbind tries to get the authentication token from a previous module. If no token is available + it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication + token from a previous module is available. + </p></dd><dt><span class="term">use_authtok</span></dt><dd><p> + Set the new password to the one provided by the previously stacked password module. If this option is not set + pam_winbind will ask the user for the new password. + </p></dd><dt><span class="term">krb5_auth</span></dt><dd><p> + + pam_winbind can authenticate using Kerberos when winbindd is + talking to an Active Directory domain controller. Kerberos + authentication must be enabled with this parameter. When + Kerberos authentication can not succeed (e.g. due to clock + skew), winbindd will fallback to samlogon authentication over + MSRPC. When this parameter is used in conjunction with + <em class="parameter"><code>winbind refresh tickets</code></em>, winbind will + keep your Ticket Granting Ticket (TGT) uptodate by refreshing + it whenever necessary. + + </p></dd><dt><span class="term">krb5_ccache_type=[type]</span></dt><dd><p> + + When pam_winbind is configured to try kerberos authentication + by enabling the <em class="parameter"><code>krb5_auth</code></em> option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be set with + this option. Currently the only supported value is: + <em class="parameter"><code>FILE</code></em>. In that case a credential cache in + the form of /tmp/krb5cc_UID will be created, where UID is + replaced with the numeric user id. Leave empty to just do + kerberos authentication without having a ticket cache after the + logon has succeeded. + + </p></dd><dt><span class="term">cached_login</span></dt><dd><p> + Winbind allows to logon using cached credentials when <em class="parameter"><code>winbind offline logon</code></em> is enabled. To use this feature from the PAM module this option must be set. + </p></dd><dt><span class="term">silent</span></dt><dd><p> + Do not emit any messages. + </p></dd></dl></div><p> + + + </p></div><div class="refsect1" lang="en"><a name="id266792"></a><h2>SEE ALSO</h2><p><a href="wbinfo.1.html"><span class="citerefentry"><span class="refentrytitle">wbinfo</span>(1)</span></a>, <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a></p></div><div class="refsect1" lang="en"><a name="id266827"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of Samba.</p></div><div class="refsect1" lang="en"><a name="id266837"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by + the Samba Team as an Open Source project similar to the way the Linux kernel is developed. + </p><p>This manpage was written by Jelmer Vernooij and Guenther Deschner.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/pdbedit.8.html b/docs/htmldocs/manpages/pdbedit.8.html new file mode 100644 index 0000000000..15122a414f --- /dev/null +++ b/docs/htmldocs/manpages/pdbedit.8.html @@ -0,0 +1,151 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>pdbedit</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="pdbedit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pdbedit — manage the SAM database (Database of Samba Users)</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">pdbedit</code> [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-t, --password-from-stdin] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control] [-y]</p></div></div><div class="refsect1" lang="en"><a name="id266779"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The pdbedit program is used to manage the users accounts + stored in the sam database and can only be run by root.</p><p>The pdbedit tool uses the passdb modular interface and is + independent from the kind of users database used (currently there + are smbpasswd, ldap, nis+ and tdb based and more can be added + without changing the tool).</p><p>There are five main ways to use pdbedit: adding a user account, + removing a user account, modifing a user account, listing user + accounts, importing users accounts.</p></div><div class="refsect1" lang="en"><a name="id266812"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-L</span></dt><dd><p>This option lists all the user accounts + present in the users database. + This option prints a list of user/uid pairs separated by + the ':' character.</p><p>Example: <code class="literal">pdbedit -L</code></p><pre class="programlisting"> +sorce:500:Simo Sorce +samba:45:Test User +</pre></dd><dt><span class="term">-v</span></dt><dd><p>This option enables the verbose listing format. + It causes pdbedit to list the users in the database, printing + out the account fields in a descriptive format.</p><p>Example: <code class="literal">pdbedit -L -v</code></p><pre class="programlisting"> +--------------- +username: sorce +user ID/Group: 500/500 +user RID/GRID: 2000/2001 +Full Name: Simo Sorce +Home Directory: \\BERSERKER\sorce +HomeDir Drive: H: +Logon Script: \\BERSERKER\netlogon\sorce.bat +Profile Path: \\BERSERKER\profile +--------------- +username: samba +user ID/Group: 45/45 +user RID/GRID: 1090/1091 +Full Name: Test User +Home Directory: \\BERSERKER\samba +HomeDir Drive: +Logon Script: +Profile Path: \\BERSERKER\profile +</pre></dd><dt><span class="term">-w</span></dt><dd><p>This option sets the "smbpasswd" listing format. + It will make pdbedit list the users in the database, printing + out the account fields in a format compatible with the + <code class="filename">smbpasswd</code> file format. (see the + <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> for details)</p><p>Example: <code class="literal">pdbedit -L -w</code></p><pre class="programlisting"> +sorce:500:508818B733CE64BEAAD3B435B51404EE: + D2A2418EFC466A8A0F6B1DBB5C3DB80C: + [UX ]:LCT-00000000: +samba:45:0F2B255F7B67A7A9AAD3B435B51404EE: + BC281CE3F53B6A5146629CD4751D3490: + [UX ]:LCT-3BFA1E8D: +</pre></dd><dt><span class="term">-u username</span></dt><dd><p>This option specifies the username to be + used for the operation requested (listing, adding, removing). + It is <span class="emphasis"><em>required</em></span> in add, remove and modify + operations and <span class="emphasis"><em>optional</em></span> in list + operations.</p></dd><dt><span class="term">-f fullname</span></dt><dd><p>This option can be used while adding or + modifing a user account. It will specify the user's full + name. </p><p>Example: <code class="literal">-f "Simo Sorce"</code></p></dd><dt><span class="term">-h homedir</span></dt><dd><p>This option can be used while adding or + modifing a user account. It will specify the user's home + directory network path.</p><p>Example: <code class="literal">-h "\\\\BERSERKER\\sorce"</code> + </p></dd><dt><span class="term">-D drive</span></dt><dd><p>This option can be used while adding or + modifing a user account. It will specify the windows drive + letter to be used to map the home directory.</p><p>Example: <code class="literal">-D "H:"</code> + </p></dd><dt><span class="term">-S script</span></dt><dd><p>This option can be used while adding or + modifing a user account. It will specify the user's logon + script path.</p><p>Example: <code class="literal">-S "\\\\BERSERKER\\netlogon\\sorce.bat"</code> + </p></dd><dt><span class="term">-p profile</span></dt><dd><p>This option can be used while adding or + modifing a user account. It will specify the user's profile + directory.</p><p>Example: <code class="literal">-p "\\\\BERSERKER\\netlogon"</code> + </p></dd><dt><span class="term">-G SID|rid</span></dt><dd><p> + This option can be used while adding or modifying a user account. It + will specify the users' new primary group SID (Security Identifier) or + rid. </p><p>Example: <code class="literal">-G S-1-5-21-2447931902-1787058256-3961074038-1201</code></p></dd><dt><span class="term">-U SID|rid</span></dt><dd><p> + This option can be used while adding or modifying a user account. It + will specify the users' new SID (Security Identifier) or + rid. </p><p>Example: <code class="literal">-U S-1-5-21-2447931902-1787058256-3961074038-5004</code></p></dd><dt><span class="term">-c account-control</span></dt><dd><p>This option can be used while adding or modifying a user + account. It will specify the users' account control property. Possible flags are listed below. + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>N: No password required</p></li><li><p>D: Account disabled</p></li><li><p>H: Home directory required</p></li><li><p>T: Temporary duplicate of other account</p></li><li><p>U: Regular user account</p></li><li><p>M: MNS logon user account</p></li><li><p>W: Workstation Trust Account</p></li><li><p>S: Server Trust Account</p></li><li><p>L: Automatic Locking</p></li><li><p>X: Password does not expire</p></li><li><p>I: Domain Trust Account</p></li></ul></div><p> + </p><p>Example: <code class="literal">-c "[X ]"</code></p></dd><dt><span class="term">-a</span></dt><dd><p>This option is used to add a user into the + database. This command needs a user name specified with + the -u switch. When adding a new user, pdbedit will also + ask for the password to be used.</p><p>Example: <code class="literal">pdbedit -a -u sorce</code> +</p><pre class="programlisting">new password: +retype new password +</pre><p> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>pdbedit does not call the unix password syncronisation + script if <a class="indexterm" name="id308083"></a>unix password sync + has been set. It only updates the data in the Samba + user database. + </p><p>If you wish to add a user and synchronise the password + that immediately, use <code class="literal">smbpasswd</code>'s <code class="option">-a</code> option. + </p></div></dd><dt><span class="term">-t, --password-from-stdin</span></dt><dd><p>This option causes pdbedit to read the password + from standard input, rather than from /dev/tty (like the + <code class="literal">passwd(1)</code> program does). The password has + to be submitted twice and terminated by a newline each.</p></dd><dt><span class="term">-r</span></dt><dd><p>This option is used to modify an existing user + in the database. This command needs a user name specified with the -u + switch. Other options can be specified to modify the properties of + the specified user. This flag is kept for backwards compatibility, but + it is no longer necessary to specify it. + </p></dd><dt><span class="term">-m</span></dt><dd><p>This option may only be used in conjunction + with the <em class="parameter"><code>-a</code></em> option. It will make + pdbedit to add a machine trust account instead of a user + account (-u username will provide the machine name).</p><p>Example: <code class="literal">pdbedit -a -m -u w2k-wks</code> + </p></dd><dt><span class="term">-x</span></dt><dd><p>This option causes pdbedit to delete an account + from the database. It needs a username specified with the + -u switch.</p><p>Example: <code class="literal">pdbedit -x -u bob</code></p></dd><dt><span class="term">-i passdb-backend</span></dt><dd><p>Use a different passdb backend to retrieve users + than the one specified in smb.conf. Can be used to import data into + your local user database.</p><p>This option will ease migration from one passdb backend to + another.</p><p>Example: <code class="literal">pdbedit -i smbpasswd:/etc/smbpasswd.old + </code></p></dd><dt><span class="term">-e passdb-backend</span></dt><dd><p>Exports all currently available users to the + specified password database backend.</p><p>This option will ease migration from one passdb backend to + another and will ease backing up.</p><p>Example: <code class="literal">pdbedit -e smbpasswd:/root/samba-users.backup</code></p></dd><dt><span class="term">-g</span></dt><dd><p>If you specify <em class="parameter"><code>-g</code></em>, + then <em class="parameter"><code>-i in-backend -e out-backend</code></em> + applies to the group mapping instead of the user database.</p><p>This option will ease migration from one passdb backend to + another and will ease backing up.</p></dd><dt><span class="term">-b passdb-backend</span></dt><dd><p>Use a different default passdb backend. </p><p>Example: <code class="literal">pdbedit -b xml:/root/pdb-backup.xml -l</code></p></dd><dt><span class="term">-P account-policy</span></dt><dd><p>Display an account policy</p><p>Valid policies are: minimum password age, reset count minutes, disconnect time, + user must logon to change password, password history, lockout duration, min password length, + maximum password age and bad lockout attempt.</p><p>Example: <code class="literal">pdbedit -P "bad lockout attempt"</code></p><pre class="programlisting"> +account policy value for bad lockout attempt is 0 +</pre></dd><dt><span class="term">-C account-policy-value</span></dt><dd><p>Sets an account policy to a specified value. + This option may only be used in conjunction + with the <em class="parameter"><code>-P</code></em> option. + </p><p>Example: <code class="literal">pdbedit -P "bad lockout attempt" -C 3</code></p><pre class="programlisting"> +account policy value for bad lockout attempt was 0 +account policy value for bad lockout attempt is now 3 +</pre></dd><dt><span class="term">-y</span></dt><dd><p>If you specify <em class="parameter"><code>-y</code></em>, + then <em class="parameter"><code>-i in-backend -e out-backend</code></em> + applies to the account policies instead of the user database.</p><p>This option will allow to migrate account policies from their default + tdb-store into a passdb backend, e.g. an LDAP directory server.</p><p>Example: <code class="literal">pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host</code></p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id308437"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308501"></a><h2>NOTES</h2><p>This command may be used only by root.</p></div><div class="refsect1" lang="en"><a name="id308512"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308522"></a><h2>SEE ALSO</h2><p><a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>, <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a></p></div><div class="refsect1" lang="en"><a name="id308546"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/profiles.1.html b/docs/htmldocs/manpages/profiles.1.html new file mode 100644 index 0000000000..c820bcac0f --- /dev/null +++ b/docs/htmldocs/manpages/profiles.1.html @@ -0,0 +1,12 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>profiles</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="profiles.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>profiles — A utility to report and change SIDs in registry files + </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">profiles</code> [-v] [-c SID] [-n SID] {file}</p></div></div><div class="refsect1" lang="en"><a name="id267702"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">profiles</code> is a utility that + reports and changes SIDs in windows registry files. It currently only + supports NT. + </p></div><div class="refsect1" lang="en"><a name="id299219"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">file</span></dt><dd><p>Registry file to view or edit. </p></dd><dt><span class="term">-v,--verbose</span></dt><dd><p>Increases verbosity of messages. + </p></dd><dt><span class="term">-c SID1 -n SID2</span></dt><dd><p>Change all occurences of SID1 in <code class="filename">file</code> by SID2. + </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266714"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba + suite.</p></div><div class="refsect1" lang="en"><a name="id266725"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The profiles man page was written by Jelmer Vernooij. </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/rpcclient.1.html b/docs/htmldocs/manpages/rpcclient.1.html new file mode 100644 index 0000000000..ef9b4bc532 --- /dev/null +++ b/docs/htmldocs/manpages/rpcclient.1.html @@ -0,0 +1,206 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>rpcclient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="rpcclient.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>rpcclient — tool for executing client side + MS-RPC functions</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">rpcclient</code> [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}</p></div></div><div class="refsect1" lang="en"><a name="id299254"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">rpcclient</code> is a utility initially developed + to test MS-RPC functionality in Samba itself. It has undergone + several stages of development and stability. Many system administrators + have now written scripts around it to manage Windows NT clients from + their UNIX workstation. </p></div><div class="refsect1" lang="en"><a name="id266717"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">server</span></dt><dd><p>NetBIOS name of Server to which to connect. + The server can be any SMB/CIFS server. The name is + resolved using the <a class="indexterm" name="id266734"></a>name resolve order line from <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>.</p></dd><dt><span class="term">-c|--command='command string'</span></dt><dd><p>execute semicolon separated commands (listed + below)) </p></dd><dt><span class="term">-I IP-address</span></dt><dd><p><em class="replaceable"><code>IP address</code></em> is the address of the server to connect to. + It should be specified in standard "a.b.c.d" notation. </p><p>Normally the client would attempt to locate a named + SMB/CIFS server by looking it up via the NetBIOS name resolution + mechanism described above in the <em class="parameter"><code>name resolve order</code></em> + parameter above. Using this parameter will force the client + to assume that the server is on the machine with the specified IP + address and the NetBIOS name component of the resource being + connected to will be ignored. </p><p>There is no default for this parameter. If not supplied, + it will be determined automatically by the client as described + above. </p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266823"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-N</span></dt><dd><p>If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password. </p><p>Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.</p><p>If a password is specified on the command line and this +option is also defined the password on the command line will +be silently ingnored and no password will be used.</p></dd><dt><span class="term">-k</span></dt><dd><p> +Try to authenticate with kerberos. Only useful in +an Active Directory environment. +</p></dd><dt><span class="term">-A|--authentication-file=filename</span></dt><dd><p>This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +</p><pre class="programlisting"> +username = <value> +password = <value> +domain = <value> +</pre><p>Make certain that the permissions on the file restrict +access from unwanted users. </p></dd><dt><span class="term">-U|--user=username[%password]</span></dt><dd><p>Sets the SMB username or username and password. </p><p>If %password is not specified, the user will be prompted. The +client will first check the <code class="envar">USER</code> environment variable, then the +<code class="envar">LOGNAME</code> variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username <code class="constant">GUEST</code> is used. </p><p>A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +<em class="parameter"><code>-A</code></em> for more details. </p><p>Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the <code class="literal">ps</code> command. To be safe always allow +<code class="literal">rpcclient</code> to prompt for a password and type +it in directly. </p></dd><dt><span class="term">-n <primary NetBIOS name></span></dt><dd><p>This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the <a class="indexterm" name="id307888"></a> parameter in the <code class="filename">smb.conf</code> file. +However, a command +line setting will take precedence over settings in +<code class="filename">smb.conf</code>.</p></dd><dt><span class="term">-i <scope></span></dt><dd><p>This specifies a NetBIOS scope that +<code class="literal">nmblookup</code> will use to communicate with when +generating NetBIOS names. For details on the use of NetBIOS +scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are +<span class="emphasis"><em>very</em></span> rarely used, only set this parameter +if you are the system administrator in charge of all the +NetBIOS systems you communicate with.</p></dd><dt><span class="term">-W|--workgroup=domain</span></dt><dd><p>Set the SMB domain of the username. This +overrides the default domain which is the domain defined in +smb.conf. If the domain specified is the same as the servers +NetBIOS name, it causes the client to log on using the servers local +SAM (as opposed to the Domain SAM). </p></dd><dt><span class="term">-O socket options</span></dt><dd><p>TCP socket options to set on the client +socket. See the socket options parameter in +the <code class="filename">smb.conf</code> manual page for the list of valid +options. </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id307973"></a><h2>COMMANDS</h2><div class="refsect2" lang="en"><a name="id307979"></a><h3>LSARPC</h3><div class="variablelist"><dl><dt><span class="term">lsaquery</span></dt><dd><p>Query info policy</p></dd><dt><span class="term">lookupsids</span></dt><dd><p>Resolve a list + of SIDs to usernames. + </p></dd><dt><span class="term">lookupnames</span></dt><dd><p>Resolve a list + of usernames to SIDs. + </p></dd><dt><span class="term">enumtrusts</span></dt><dd><p>Enumerate trusted domains</p></dd><dt><span class="term">enumprivs</span></dt><dd><p>Enumerate privileges</p></dd><dt><span class="term">getdispname</span></dt><dd><p>Get the privilege name</p></dd><dt><span class="term">lsaenumsid</span></dt><dd><p>Enumerate the LSA SIDS</p></dd><dt><span class="term">lsaenumprivsaccount</span></dt><dd><p>Enumerate the privileges of an SID</p></dd><dt><span class="term">lsaenumacctrights</span></dt><dd><p>Enumerate the rights of an SID</p></dd><dt><span class="term">lsaenumacctwithright</span></dt><dd><p>Enumerate accounts with a right</p></dd><dt><span class="term">lsaaddacctrights</span></dt><dd><p>Add rights to an account</p></dd><dt><span class="term">lsaremoveacctrights</span></dt><dd><p>Remove rights from an account</p></dd><dt><span class="term">lsalookupprivvalue</span></dt><dd><p>Get a privilege value given its name</p></dd><dt><span class="term">lsaquerysecobj</span></dt><dd><p>Query LSA security object</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id308103"></a><h3>LSARPC-DS</h3><div class="variablelist"><dl><dt><span class="term">dsroledominfo</span></dt><dd><p>Get Primary Domain Information</p></dd></dl></div><p> </p><p><span class="emphasis"><em>DFS</em></span></p><div class="variablelist"><dl><dt><span class="term">dfsexist</span></dt><dd><p>Query DFS support</p></dd><dt><span class="term">dfsadd</span></dt><dd><p>Add a DFS share</p></dd><dt><span class="term">dfsremove</span></dt><dd><p>Remove a DFS share</p></dd><dt><span class="term">dfsgetinfo</span></dt><dd><p>Query DFS share info</p></dd><dt><span class="term">dfsenum</span></dt><dd><p>Enumerate dfs shares</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id308172"></a><h3>REG</h3><div class="variablelist"><dl><dt><span class="term">shutdown</span></dt><dd><p>Remote Shutdown</p></dd><dt><span class="term">abortshutdown</span></dt><dd><p>Abort Shutdown</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id308197"></a><h3>SRVSVC</h3><div class="variablelist"><dl><dt><span class="term">srvinfo</span></dt><dd><p>Server query info</p></dd><dt><span class="term">netshareenum</span></dt><dd><p>Enumerate shares</p></dd><dt><span class="term">netfileenum</span></dt><dd><p>Enumerate open files</p></dd><dt><span class="term">netremotetod</span></dt><dd><p>Fetch remote time of day</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id308239"></a><h3>SAMR</h3><div class="variablelist"><dl><dt><span class="term">queryuser</span></dt><dd><p>Query user info</p></dd><dt><span class="term">querygroup</span></dt><dd><p>Query group info</p></dd><dt><span class="term">queryusergroups</span></dt><dd><p>Query user groups</p></dd><dt><span class="term">querygroupmem</span></dt><dd><p>Query group membership</p></dd><dt><span class="term">queryaliasmem</span></dt><dd><p>Query alias membership</p></dd><dt><span class="term">querydispinfo</span></dt><dd><p>Query display info</p></dd><dt><span class="term">querydominfo</span></dt><dd><p>Query domain info</p></dd><dt><span class="term">enumdomusers</span></dt><dd><p>Enumerate domain users</p></dd><dt><span class="term">enumdomgroups</span></dt><dd><p>Enumerate domain groups</p></dd><dt><span class="term">enumalsgroups</span></dt><dd><p>Enumerate alias groups</p></dd><dt><span class="term">createdomuser</span></dt><dd><p>Create domain user</p></dd><dt><span class="term">samlookupnames</span></dt><dd><p>Look up names</p></dd><dt><span class="term">samlookuprids</span></dt><dd><p>Look up names</p></dd><dt><span class="term">deletedomuser</span></dt><dd><p>Delete domain user</p></dd><dt><span class="term">samquerysecobj</span></dt><dd><p>Query SAMR security object</p></dd><dt><span class="term">getdompwinfo</span></dt><dd><p>Retrieve domain password info</p></dd><dt><span class="term">lookupdomain</span></dt><dd><p>Look up domain</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id308385"></a><h3>SPOOLSS</h3><div class="variablelist"><dl><dt><span class="term">adddriver <arch> <config> [<version>]</span></dt><dd><p> + Execute an AddPrinterDriver() RPC to install the printer driver + information on the server. Note that the driver files should + already exist in the directory returned by + <code class="literal">getdriverdir</code>. Possible values for + <em class="parameter"><code>arch</code></em> are the same as those for + the <code class="literal">getdriverdir</code> command. + The <em class="parameter"><code>config</code></em> parameter is defined as + follows: </p><pre class="programlisting"> +Long Printer Name:\ +Driver File Name:\ +Data File Name:\ +Config File Name:\ +Help File Name:\ +Language Monitor Name:\ +Default Data Type:\ +Comma Separated list of Files +</pre><p>Any empty fields should be enter as the string "NULL". </p><p>Samba does not need to support the concept of Print Monitors + since these only apply to local printers whose driver can make + use of a bi-directional link for communication. This field should + be "NULL". On a remote NT print server, the Print Monitor for a + driver must already be installed prior to adding the driver or + else the RPC will fail. </p><p>The <em class="parameter"><code>version</code></em> parameter lets you + specify the printer driver version number. If omitted, the + default driver version for the specified architecture will + be used. This option can be used to upload Windows 2000 + (version 3) printer drivers.</p></dd><dt><span class="term">addprinter <printername> + <sharename> <drivername> <port></span></dt><dd><p> + Add a printer on the remote server. This printer + will be automatically shared. Be aware that the printer driver + must already be installed on the server (see <code class="literal">adddriver</code>) + and the <em class="parameter"><code>port</code></em>must be a valid port name (see + <code class="literal">enumports</code>.</p></dd><dt><span class="term">deldriver</span></dt><dd><p>Delete the + specified printer driver for all architectures. This + does not delete the actual driver files from the server, + only the entry from the server's list of drivers. + </p></dd><dt><span class="term">deldriverex <driver> [architecture] [version] + </span></dt><dd><p>Delete the specified printer driver including driver files. + You can limit this action to a specific architecture and a specific version. + If no architecure is given, all driver files of that driver will be deleted. + </p></dd><dt><span class="term">enumdata</span></dt><dd><p>Enumerate all + printer setting data stored on the server. On Windows NT clients, + these values are stored in the registry, while Samba servers + store them in the printers TDB. This command corresponds + to the MS Platform SDK GetPrinterData() function (* This + command is currently unimplemented).</p></dd><dt><span class="term">enumdataex</span></dt><dd><p>Enumerate printer data for a key</p></dd><dt><span class="term">enumjobs <printer></span></dt><dd><p>List the jobs and status of a given printer. + This command corresponds to the MS Platform SDK EnumJobs() + function</p></dd><dt><span class="term">enumkey</span></dt><dd><p>Enumerate + printer keys</p></dd><dt><span class="term">enumports [level]</span></dt><dd><p> + Executes an EnumPorts() call using the specified + info level. Currently only info levels 1 and 2 are supported. + </p></dd><dt><span class="term">enumdrivers [level]</span></dt><dd><p> + Execute an EnumPrinterDrivers() call. This lists the various installed + printer drivers for all architectures. Refer to the MS Platform SDK + documentation for more details of the various flags and calling + options. Currently supported info levels are 1, 2, and 3.</p></dd><dt><span class="term">enumprinters [level]</span></dt><dd><p>Execute an EnumPrinters() call. This lists the various installed + and share printers. Refer to the MS Platform SDK documentation for + more details of the various flags and calling options. Currently + supported info levels are 1, 2 and 5.</p></dd><dt><span class="term">getdata <printername> <valuename;></span></dt><dd><p>Retrieve the data for a given printer setting. See + the <code class="literal">enumdata</code> command for more information. + This command corresponds to the GetPrinterData() MS Platform + SDK function. </p></dd><dt><span class="term">getdataex</span></dt><dd><p>Get + printer driver data with + keyname</p></dd><dt><span class="term">getdriver <printername></span></dt><dd><p> + Retrieve the printer driver information (such as driver file, + config file, dependent files, etc...) for + the given printer. This command corresponds to the GetPrinterDriver() + MS Platform SDK function. Currently info level 1, 2, and 3 are supported. + </p></dd><dt><span class="term">getdriverdir <arch></span></dt><dd><p> + Execute a GetPrinterDriverDirectory() + RPC to retrieve the SMB share name and subdirectory for + storing printer driver files for a given architecture. Possible + values for <em class="parameter"><code>arch</code></em> are "Windows 4.0" + (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows + Alpha_AXP", and "Windows NT R4000". </p></dd><dt><span class="term">getprinter <printername></span></dt><dd><p>Retrieve the current printer information. This command + corresponds to the GetPrinter() MS Platform SDK function. + </p></dd><dt><span class="term">getprintprocdir</span></dt><dd><p>Get + print processor + directory</p></dd><dt><span class="term">openprinter <printername></span></dt><dd><p>Execute an OpenPrinterEx() and ClosePrinter() RPC + against a given printer. </p></dd><dt><span class="term">setdriver <printername> + <drivername></span></dt><dd><p>Execute a SetPrinter() command to update the printer driver + associated with an installed printer. The printer driver must + already be correctly installed on the print server. </p><p>See also the <code class="literal">enumprinters</code> and + <code class="literal">enumdrivers</code> commands for obtaining a list of + of installed printers and drivers.</p></dd><dt><span class="term">addform</span></dt><dd><p>Add form</p></dd><dt><span class="term">setform</span></dt><dd><p>Set form</p></dd><dt><span class="term">getform</span></dt><dd><p>Get form</p></dd><dt><span class="term">deleteform</span></dt><dd><p>Delete form</p></dd><dt><span class="term">enumforms</span></dt><dd><p>Enumerate form</p></dd><dt><span class="term">setprinter</span></dt><dd><p>Set printer comment</p></dd><dt><span class="term">setprinterdata</span></dt><dd><p>Set REG_SZ printer data</p></dd><dt><span class="term">setprintername <printername> + <newprintername></span></dt><dd><p>Set printer name</p></dd><dt><span class="term">rffpcnex</span></dt><dd><p>Rffpcnex test</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id308764"></a><h3>NETLOGON</h3><div class="variablelist"><dl><dt><span class="term">logonctrl2</span></dt><dd><p>Logon Control 2</p></dd><dt><span class="term">logonctrl</span></dt><dd><p>Logon Control</p></dd><dt><span class="term">samsync</span></dt><dd><p>Sam Synchronisation</p></dd><dt><span class="term">samdeltas</span></dt><dd><p>Query Sam Deltas</p></dd><dt><span class="term">samlogon</span></dt><dd><p>Sam Logon</p></dd></dl></div></div><div class="refsect2" lang="en"><a name="id308824"></a><h3>GENERAL COMMANDS</h3><div class="variablelist"><dl><dt><span class="term">debuglevel</span></dt><dd><p>Set the current + debug level used to log information.</p></dd><dt><span class="term">help (?)</span></dt><dd><p>Print a listing of all + known commands or extended help on a particular command. + </p></dd><dt><span class="term">quit (exit)</span></dt><dd><p>Exit <code class="literal">rpcclient + </code>.</p></dd></dl></div></div></div><div class="refsect1" lang="en"><a name="id308866"></a><h2>BUGS</h2><p><code class="literal">rpcclient</code> is designed as a developer testing tool + and may not be robust in certain areas (such as command line parsing). + It has been known to generate a core dump upon failures when invalid + parameters where passed to the interpreter. </p><p>From Luke Leighton's original rpcclient man page:</p><p><span class="emphasis"><em>WARNING!</em></span> The MSRPC over SMB code has + been developed from examining Network traces. No documentation is + available from the original creators (Microsoft) on how MSRPC over + SMB works, or how the individual MSRPC services work. Microsoft's + implementation of these services has been demonstrated (and reported) + to be... a bit flaky in places. </p><p>The development of Samba's implementation is also a bit rough, + and as more of the services are understood, it can even result in + versions of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and <a href="rpcclient.1.html"><span class="citerefentry"><span class="refentrytitle">rpcclient</span>(1)</span></a> that are incompatible for some commands or services. Additionally, + the developers are sending reports to Microsoft, and problems found + or reported to Microsoft are fixed in Service Packs, which may + result in incompatibilities.</p></div><div class="refsect1" lang="en"><a name="id308917"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba + suite.</p></div><div class="refsect1" lang="en"><a name="id308928"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original rpcclient man page was written by Matthew + Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter. + The conversion to DocBook for Samba 2.2 was done by Gerald + Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was + done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/samba.7.html b/docs/htmldocs/manpages/samba.7.html new file mode 100644 index 0000000000..67de3c40fb --- /dev/null +++ b/docs/htmldocs/manpages/samba.7.html @@ -0,0 +1,113 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="samba.7"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>samba — A Windows SMB/CIFS fileserver for UNIX</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">samba</code></p></div></div><div class="refsect1" lang="en"><a name="id267383"></a><h2>DESCRIPTION</h2><p>The Samba software suite is a collection of programs + that implements the Server Message Block (commonly abbreviated + as SMB) protocol for UNIX systems. This protocol is sometimes + also referred to as the Common Internet File System (CIFS). For a + more thorough description, see <a href="http://www.ubiqx.org/cifs/" target="_top"> + http://www.ubiqx.org/cifs/</a>. Samba also implements the NetBIOS + protocol in nmbd.</p><div class="variablelist"><dl><dt><span class="term"><a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a></span></dt><dd><p>The <code class="literal">smbd</code> daemon provides the file and print services to + SMB clients, such as Windows 95/98, Windows NT, Windows + for Workgroups or LanManager. The configuration file + for this daemon is described in <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> + </p></dd><dt><span class="term"><a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a></span></dt><dd><p>The <code class="literal">nmbd</code> + daemon provides NetBIOS nameservice and browsing + support. The configuration file for this daemon + is described in <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a></p></dd><dt><span class="term"><a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a></span></dt><dd><p>The <code class="literal">smbclient</code> + program implements a simple ftp-like client. This + is useful for accessing SMB shares on other compatible + servers (such as Windows NT), and can also be used + to allow a UNIX box to print to a printer attached to + any SMB server (such as a PC running Windows NT).</p></dd><dt><span class="term"><a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a></span></dt><dd><p>The <code class="literal">testparm</code> + utility is a simple syntax checker for Samba's <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> configuration file.</p></dd><dt><span class="term"><a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a></span></dt><dd><p>The <code class="literal">testprns</code> + utility supports testing printer names defined + in your <code class="filename">printcap</code> file used + by Samba.</p></dd><dt><span class="term"><a href="smbstatus.1.html"><span class="citerefentry"><span class="refentrytitle">smbstatus</span>(1)</span></a></span></dt><dd><p>The <code class="literal">smbstatus</code> + tool provides access to information about the + current connections to <code class="literal">smbd</code>.</p></dd><dt><span class="term"><a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a></span></dt><dd><p>The <code class="literal">nmblookup</code> + tools allows NetBIOS name queries to be made + from a UNIX host.</p></dd><dt><span class="term"><a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a></span></dt><dd><p>The <code class="literal">smbpasswd</code> + command is a tool for changing LanMan and Windows NT + password hashes on Samba and Windows NT servers.</p></dd><dt><span class="term"><a href="smbcacls.1.html"><span class="citerefentry"><span class="refentrytitle">smbcacls</span>(1)</span></a></span></dt><dd><p>The <code class="literal">smbcacls</code> command is + a tool to set ACL's on remote CIFS servers. </p></dd><dt><span class="term"><a href="smbsh.1.html"><span class="citerefentry"><span class="refentrytitle">smbsh</span>(1)</span></a></span></dt><dd><p>The <code class="literal">smbsh</code> command is + a program that allows you to run a unix shell with + with an overloaded VFS.</p></dd><dt><span class="term"><a href="smbtree.1.html"><span class="citerefentry"><span class="refentrytitle">smbtree</span>(1)</span></a></span></dt><dd><p>The <code class="literal">smbtree</code> command + is a text-based network neighborhood tool.</p></dd><dt><span class="term"><a href="smbtar.1.html"><span class="citerefentry"><span class="refentrytitle">smbtar</span>(1)</span></a></span></dt><dd><p>The <code class="literal">smbtar</code> can make + backups of data on CIFS/SMB servers.</p></dd><dt><span class="term"><a href="smbspool.8.html"><span class="citerefentry"><span class="refentrytitle">smbspool</span>(8)</span></a></span></dt><dd><p><code class="literal">smbspool</code> is a + helper utility for printing on printers connected + to CIFS servers. </p></dd><dt><span class="term"><a href="smbcontrol.1.html"><span class="citerefentry"><span class="refentrytitle">smbcontrol</span>(1)</span></a></span></dt><dd><p><code class="literal">smbcontrol</code> is a utility + that can change the behaviour of running samba daemons. + </p></dd><dt><span class="term"><a href="rpcclient.1.html"><span class="citerefentry"><span class="refentrytitle">rpcclient</span>(1)</span></a></span></dt><dd><p><code class="literal">rpcclient</code> is a utility + that can be used to execute RPC commands on remote + CIFS servers.</p></dd><dt><span class="term"><a href="pdbedit.8.html"><span class="citerefentry"><span class="refentrytitle">pdbedit</span>(8)</span></a></span></dt><dd><p>The <code class="literal">pdbedit</code> command + can be used to maintain the local user database on + a samba server.</p></dd><dt><span class="term"><a href="findsmb.1.html"><span class="citerefentry"><span class="refentrytitle">findsmb</span>(1)</span></a></span></dt><dd><p>The <code class="literal">findsmb</code> command + can be used to find SMB servers on the local network. + </p></dd><dt><span class="term"><a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a></span></dt><dd><p>The <code class="literal">net</code> command + is supposed to work similar to the DOS/Windows + NET.EXE command.</p></dd><dt><span class="term"><a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a></span></dt><dd><p><code class="literal">swat</code> is a web-based + interface to configuring <code class="filename">smb.conf</code>. + </p></dd><dt><span class="term"><a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a></span></dt><dd><p><code class="literal">winbindd</code> is a daemon + that is used for integrating authentication and + the user database into unix.</p></dd><dt><span class="term"><a href="wbinfo.1.html"><span class="citerefentry"><span class="refentrytitle">wbinfo</span>(1)</span></a></span></dt><dd><p><code class="literal">wbinfo</code> is a utility + that retrieves and stores information related to winbind. + </p></dd><dt><span class="term"><a href="profiles.1.html"><span class="citerefentry"><span class="refentrytitle">profiles</span>(1)</span></a></span></dt><dd><p><code class="literal">profiles</code> is a command-line + utility that can be used to replace all occurences of + a certain SID with another SID. + </p></dd><dt><span class="term"><a href="log2pcap.1.html"><span class="citerefentry"><span class="refentrytitle">log2pcap</span>(1)</span></a></span></dt><dd><p><code class="literal">log2pcap</code> is a utility + for generating pcap trace files from Samba log + files.</p></dd><dt><span class="term"><a href="vfstest.1.html"><span class="citerefentry"><span class="refentrytitle">vfstest</span>(1)</span></a></span></dt><dd><p><code class="literal">vfstest</code> is a utility + that can be used to test vfs modules.</p></dd><dt><span class="term"><a href="ntlm_auth.1.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(1)</span></a></span></dt><dd><p><code class="literal">ntlm_auth</code> is a helper-utility + for external programs wanting to do NTLM-authentication. + </p></dd><dt><span class="term"> +<a href="smbmount.8.html"><span class="citerefentry"><span class="refentrytitle">smbmount</span>(8)</span></a>, +<a href="smbumount.8.html"><span class="citerefentry"><span class="refentrytitle">smbumount</span>(8)</span></a>, +<a href="smbmnt.8.html"><span class="citerefentry"><span class="refentrytitle">smbmnt</span>(8)</span></a></span></dt><dd><p><code class="literal">smbmount</code>,<code class="literal">smbumount</code> and <code class="literal">smbmnt</code> are commands that can be used to + mount CIFS/SMB shares on Linux. + </p></dd><dt><span class="term"><a href="smbcquotas.1.html"><span class="citerefentry"><span class="refentrytitle">smbcquotas</span>(1)</span></a></span></dt><dd><p><code class="literal">smbcquotas</code> is a tool that + can set remote QUOTA's on server with NTFS 5. </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308170"></a><h2>COMPONENTS</h2><p>The Samba suite is made up of several components. Each + component is described in a separate manual page. It is strongly + recommended that you read the documentation that comes with Samba + and the manual pages of those components that you use. If the + manual pages and documents aren't clear enough then please visit + <a href="http://devel.samba.org/" target="_top">http://devel.samba.org</a> + for information on how to file a bug report or submit a patch.</p><p>If you require help, visit the Samba webpage at + <a href="http://samba.org/" target="_top">http://www.samba.org/</a> and + explore the many option available to you. + </p></div><div class="refsect1" lang="en"><a name="id308199"></a><h2>AVAILABILITY</h2><p>The Samba software suite is licensed under the + GNU Public License(GPL). A copy of that license should + have come with the package in the file COPYING. You are + encouraged to distribute copies of the Samba suite, but + please obey the terms of this license.</p><p>The latest version of the Samba suite can be + obtained via anonymous ftp from samba.org in the + directory pub/samba/. It is also available on several + mirror sites worldwide.</p><p>You may also find useful information about Samba + on the newsgroup <a href="news:comp.protocols.smb" target="_top"> + comp.protocol.smb</a> and the Samba mailing + list. Details on how to join the mailing list are given in + the README file that comes with Samba.</p><p>If you have access to a WWW viewer (such as Mozilla + or Konqueror) then you will also find lots of useful information, + including back issues of the Samba mailing list, at + <a href="http://lists.samba.org/" target="_top">http://lists.samba.org</a>.</p></div><div class="refsect1" lang="en"><a name="id308237"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the + Samba suite. </p></div><div class="refsect1" lang="en"><a name="id308247"></a><h2>CONTRIBUTIONS</h2><p>If you wish to contribute to the Samba project, + then I suggest you join the Samba mailing list at + <a href="http://lists.samba.org/" target="_top">http://lists.samba.org</a>. + </p><p>If you have patches to submit, visit + <a href="http://devel.samba.org/" target="_top">http://devel.samba.org/</a> + for information on how to do it properly. We prefer patches + in <code class="literal">diff -u</code> format.</p></div><div class="refsect1" lang="en"><a name="id308280"></a><h2>CONTRIBUTORS</h2><p>Contributors to the project are now too numerous + to mention here but all deserve the thanks of all Samba + users. To see a full list, look at the + <code class="filename">change-log</code> in the source package + for the pre-CVS changes and at <a href="http://cvs.samba.org/" target="_top"> + http://cvs.samba.org/</a> + for the contributors to Samba post-CVS. CVS is the Open Source + source code control system used by the Samba Team to develop + Samba. The project would have been unmanageable without it.</p></div><div class="refsect1" lang="en"><a name="id308305"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML + 4.2 for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smb.conf.5.html b/docs/htmldocs/manpages/smb.conf.5.html new file mode 100644 index 0000000000..bd1675c385 --- /dev/null +++ b/docs/htmldocs/manpages/smb.conf.5.html @@ -0,0 +1,5127 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf — The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><a name="id267380"></a><h2>SYNOPSIS</h2><p> + The <code class="filename">smb.conf</code> file is a configuration file for the Samba suite. <code class="filename">smb.conf</code> contains runtime configuration information for the Samba programs. The + <code class="filename">smb.conf</code> file is designed to be configured and administered by the + <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The + complete description of the file format and possible parameters held within are here for reference purposes. + </p></div><div class="refsect1" lang="en"><a name="FILEFORMATSECT"></a><h2>FILE FORMAT</h2><p> + The file consists of sections and parameters. A section begins with the name of the section in square brackets + and continues until the next section begins. Sections contain parameters of the form: +</p><pre class="programlisting"> +<em class="replaceable"><code>name</code></em> = <em class="replaceable"><code>value </code></em> +</pre><p> + </p><p> + The file is line-based - that is, each newline-terminated line represents either a comment, a section name or + a parameter. + </p><p>Section and parameter names are not case sensitive.</p><p> + Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is + discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading + and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is + retained verbatim. + </p><p> + Any line beginning with a semicolon (“<span class="quote">;</span>”) or a hash (“<span class="quote">#</span>”) + character is ignored, as are lines containing only whitespace. + </p><p> + Any line ending in a “<span class="quote"><code class="literal">\</code></span>” is continued on the next line in the customary UNIX fashion. + </p><p> + The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, + which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved + in string values. Some items such as create masks are numeric. + </p></div><div class="refsect1" lang="en"><a name="id299256"></a><h2>SECTION DESCRIPTIONS</h2><p> + Each section in the configuration file (except for the [global] section) describes a shared resource (known as + a “<span class="quote">share</span>”). The section name is the name of the shared resource and the parameters within the + section define the shares attributes. + </p><p> + There are three special sections, [global], [homes] and [printers], which are described under + <span class="emphasis"><em>special sections</em></span>. The following notes apply to ordinary section descriptions. + </p><p> + A share consists of a directory to which access is being given plus a description of the access rights + which are granted to the user of the service. Some housekeeping options are also specifiable. + </p><p> + Sections are either file share services (used by the client as an extension of their native file systems) + or printable services (used by the client to access print services on the host running the server). + </p><p> + Sections may be designated <span class="emphasis"><em>guest</em></span> services, in which case no password is required to + access them. A specified UNIX <span class="emphasis"><em>guest account</em></span> is used to define access privileges in this + case. + </p><p> + Sections other than guest services will require a password to access them. The client provides the + username. As older clients only provide passwords and not usernames, you may specify a list of usernames to + check against the password using the <code class="literal">user =</code> option in the share definition. For modern clients + such as Windows 95/98/ME/NT/2000, this should not be necessary. + </p><p> + The access rights granted by the server are masked by the access rights granted to the specified or guest + UNIX user by the host system. The server does not grant more access than the host system grants. + </p><p> + The following sample section defines a file space share. The user has write access to the path <code class="filename">/home/bar</code>. The share is accessed via the share name <code class="literal">foo</code>: +</p><pre class="programlisting"> + <em class="parameter"><code>[foo]</code></em> + <a class="indexterm" name="id266776"></a>path = /home/bar + <a class="indexterm" name="id266783"></a>read only = no +</pre><p> + </p><p> + The following sample section defines a printable share. The share is read-only, but printable. That is, + the only write access permitted is via calls to open, write to and close a spool file. The <span class="emphasis"><em>guest + ok</em></span> parameter means access will be permitted as the default guest user (specified elsewhere): +</p><pre class="programlisting"> + <em class="parameter"><code>[aprinter]</code></em> + <a class="indexterm" name="id266810"></a>path = /usr/spool/public + <a class="indexterm" name="id266818"></a>read only = yes + <a class="indexterm" name="id266825"></a>printable = yes + <a class="indexterm" name="id266832"></a>guest ok = yes +</pre><p> + </p></div><div class="refsect1" lang="en"><a name="id266842"></a><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><a name="id266848"></a><h3>The [global] section</h3><p> + Parameters in this section apply to the server as a whole, or are defaults for sections that do not + specifically define certain items. See the notes under PARAMETERS for more information. + </p></div><div class="refsect2" lang="en"><a name="HOMESECT"></a><h3>The [homes] section</h3><p> + If a section called [homes] is included in the configuration file, services connecting clients + to their home directories can be created on the fly by the server. + </p><p> + When the connection request is made, the existing sections are scanned. If a match is found, it is + used. If no match is found, the requested section name is treated as a username and looked up in the local + password file. If the name exists and the correct password has been given, a share is created by cloning the + [homes] section. + </p><p> + Some modifications are then made to the newly created share: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The share name is changed from homes to the located username. + </p></li><li><p> + If no path was given, the path is set to the user's home directory. + </p></li></ul></div><p> + If you decide to use a <span class="emphasis"><em>path =</em></span> line in your [homes] section, it may be useful + to use the %S macro. For example: +</p><pre class="programlisting"> +<strong class="userinput"><code>path = /data/pchome/%S</code></strong> +</pre><p> + is useful if you have different home directories for your PCs than for UNIX access. + </p><p> + This is a fast and simple way to give a large number of clients access to their home directories with a minimum + of fuss. + </p><p> + A similar process occurs if the requested section name is “<span class="quote">homes</span>”, except that the share + name is not changed to that of the requesting user. This method of using the [homes] section works well if + different users share a client PC. + </p><p> + The [homes] section can specify all the parameters a normal service section can specify, though some make more sense + than others. The following is a typical and suitable [homes] section: +</p><pre class="programlisting"> +<em class="parameter"><code>[homes]</code></em> +<a class="indexterm" name="id266965"></a>read only = no +</pre><p> + </p><p> + An important point is that if guest access is specified in the [homes] section, all home directories will be + visible to all clients <span class="emphasis"><em>without a password</em></span>. In the very unlikely event that this is actually + desirable, it is wise to also specify <span class="emphasis"><em>read only access</em></span>. + </p><p> + The <span class="emphasis"><em>browseable</em></span> flag for auto home directories will be inherited from the global browseable + flag, not the [homes] browseable flag. This is useful as it means setting <span class="emphasis"><em>browseable = no</em></span> in + the [homes] section will hide the [homes] share but make any auto home directories visible. + </p></div><div class="refsect2" lang="en"><a name="PRINTERSSECT"></a><h3>The [printers] section</h3><p> + This section works like [homes], but for printers. + </p><p> + If a [printers] section occurs in the configuration file, users are able to connect to any printer + specified in the local host's printcap file. + </p><p> + When a connection request is made, the existing sections are scanned. If a match is found, it is used. + If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested + section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested + section name is a valid printer share name. If a match is found, a new printer share is created by cloning the + [printers] section. + </p><p> + A few modifications are then made to the newly created share: + </p><div class="itemizedlist"><ul type="disc"><li><p>The share name is set to the located printer name</p></li><li><p>If no printer name was given, the printer name is set to the located printer name</p></li><li><p>If the share does not permit guest access and no username was given, the username is set + to the located printer name.</p></li></ul></div><p> + The [printers] service MUST be printable - if you specify otherwise, the server will refuse + to load the configuration file. + </p><p> + Typically the path specified is that of a world-writeable spool directory with the sticky bit set on + it. A typical [printers] entry looks like this: +</p><pre class="programlisting"> +<em class="parameter"><code>[printers]</code></em> +<a class="indexterm" name="id307925"></a>path = /usr/spool/public +<a class="indexterm" name="id307932"></a>guest ok = yes +<a class="indexterm" name="id307939"></a>printable = yes +</pre><p> + </p><p> + All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. + If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file + consisting of one or more lines like this: +</p><pre class="programlisting"> +alias|alias|alias|alias... +</pre><p> + </p><p> + Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, + specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, + which of course can contain whatever aliases you like. The same technique could be used simply to limit access + to a subset of your local printers. + </p><p> + An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, + components (if there are more than one) are separated by vertical bar symbols (<code class="literal">|</code>). + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use + <code class="literal">printcap name = lpstat</code> to automatically obtain a list of printers. See the + <code class="literal">printcap name</code> option for more details. + </p></div></div></div><div class="refsect1" lang="en"><a name="id307997"></a><h2>USERSHARES</h2><p>Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete + their own share definitions has been added. This capability is called <span class="emphasis"><em>usershares</em></span> and + is controlled by a set of parameters in the [global] section of the smb.conf. + The relevant parameters are : + </p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user defined share definitions. + The filesystem permissions on this directory control who can create user defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories + can be shared. Only directories below the pathnames in this list are permitted.</p></dd><dt><span class="term">usershare prefix deny list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories + can be shared. Directories below the pathnames in this list are prohibited.</p></dd><dt><span class="term">usershare template share</span></dt><dd><p>Names a pre-existing share used as a template for creating new usershares. + All other share parameters not specified in the user defined share definition + are copied from this named share.</p></dd></dl></div><p>To allow members of the UNIX group <code class="literal">foo</code> to create user defined + shares, create the directory to contain the share definitions as follows: + </p><p>Become root:</p><pre class="programlisting"> +mkdir /usr/local/samba/lib/usershares +chgrp foo /usr/local/samba/lib/usershares +chmod 1770 /usr/local/samba/lib/usershares +</pre><p>Then add the parameters + +</p><pre class="programlisting"> + <a class="indexterm" name="id308127"></a>usershare path = /usr/local/samba/lib/usershares + <a class="indexterm" name="id308134"></a>usershare max shares = 10 # (or the desired number of shares) +</pre><p> + + to the global + section of your <code class="filename">smb.conf</code>. Members of the group foo may then manipulate the user defined shares + using the following commands.</p><div class="variablelist"><dl><dt><span class="term">net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]</span></dt><dd><p>To create or modify (overwrite) a user defined share.</p></dd><dt><span class="term">net usershare delete sharename</span></dt><dd><p>To delete a user defined share.</p></dd><dt><span class="term">net usershare list wildcard-sharename</span></dt><dd><p>To list user defined shares.</p></dd><dt><span class="term">net usershare info wildcard-sharename</span></dt><dd><p>To print information about user defined shares.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308201"></a><h2>PARAMETERS</h2><p>Parameters define the specific attributes of sections.</p><p> + Some parameters are specific to the [global] section (e.g., <span class="emphasis"><em>security</em></span>). Some parameters + are usable in all sections (e.g., <span class="emphasis"><em>create mask</em></span>). All others are permissible only in normal + sections. For the purposes of the following descriptions the [homes] and [printers] sections will be + considered normal. The letter <span class="emphasis"><em>G</em></span> in parentheses indicates that a parameter is specific to + the [global] section. The letter <span class="emphasis"><em>S</em></span> indicates that a parameter can be specified in a + service specific section. All <span class="emphasis"><em>S</em></span> parameters can also be specified in the [global] section + - in which case they will define the default behavior for all services. + </p><p> + Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can + find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred + synonym. + </p></div><div class="refsect1" lang="en"><a name="id308242"></a><h2>VARIABLE SUBSTITUTIONS</h2><p> + Many of the strings that are settable in the config file can take substitutions. For example the option + “<span class="quote">path = /tmp/%u</span>” is interpreted as “<span class="quote">path = /tmp/john</span>” if the user connected with the + username john. + </p><p> + These substitutions are mostly noted in the descriptions below, but there are some general substitutions + which apply whenever they might be relevant. These are: + </p><div class="variablelist"><dl><dt><span class="term">%U</span></dt><dd><p>session username (the username that the client wanted, not + necessarily the same as the one they got).</p></dd><dt><span class="term">%G</span></dt><dd><p>primary group name of %U.</p></dd><dt><span class="term">%h</span></dt><dd><p>the Internet hostname that Samba is running on.</p></dd><dt><span class="term">%m</span></dt><dd><p>the NetBIOS name of the client machine (very useful).</p><p>This parameter is not available when Samba listens on port 445, as clients no longer + send this information. If you use this macro in an include statement on a domain that has + a Samba domain controller be sure to set in the [global] section <em class="parameter"><code>smb ports = + 139</code></em>. This will cause Samba to not listen on port 445 and will permit include + functionality to function as it did with Samba 2.x. + </p></dd><dt><span class="term">%L</span></dt><dd><p>the NetBIOS name of the server. This allows you to change your config based on what + the client calls you. Your server can have a “<span class="quote">dual personality</span>”. + </p></dd><dt><span class="term">%M</span></dt><dd><p>the Internet name of the client machine. + </p></dd><dt><span class="term">%R</span></dt><dd><p>the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, + LANMAN1, LANMAN2 or NT1.</p></dd><dt><span class="term">%d</span></dt><dd><p>the process id of the current server + process.</p></dd><dt><span class="term">%a</span></dt><dd><p>the architecture of the remote + machine. It currently recognizes Samba (<code class="constant">Samba</code>), + the Linux CIFS file system (<code class="constant">CIFSFS</code>), OS/2, (<code class="constant">OS2</code>), + Windows for Workgroups (<code class="constant">WfWg</code>), Windows 9x/ME + (<code class="constant">Win95</code>), Windows NT (<code class="constant">WinNT</code>), + Windows 2000 (<code class="constant">Win2K</code>), Windows XP (<code class="constant">WinXP</code>), + and Windows 2003 (<code class="constant">Win2K3</code>). Anything else will be known as + <code class="constant">UNKNOWN</code>.</p></dd><dt><span class="term">%I</span></dt><dd><p>the IP address of the client machine.</p></dd><dt><span class="term">%i</span></dt><dd><p>the local IP address to which a client connected.</p></dd><dt><span class="term">%T</span></dt><dd><p>the current date and time.</p></dd><dt><span class="term">%D</span></dt><dd><p>name of the domain or workgroup of the current user.</p></dd><dt><span class="term">%w</span></dt><dd><p>the winbind separator.</p></dd><dt><span class="term">%$(<em class="replaceable"><code>envvar</code></em>)</span></dt><dd><p>the value of the environment variable + <em class="replaceable"><code>envar</code></em>.</p></dd></dl></div><p> + The following substitutes apply only to some configuration options (only those that are + used when a connection has been established): + </p><div class="variablelist"><dl><dt><span class="term">%S</span></dt><dd><p>the name of the current service, if any.</p></dd><dt><span class="term">%P</span></dt><dd><p>the root directory of the current service, if any.</p></dd><dt><span class="term">%u</span></dt><dd><p>username of the current service, if any.</p></dd><dt><span class="term">%g</span></dt><dd><p>primary group name of %u.</p></dd><dt><span class="term">%H</span></dt><dd><p>the home directory of the user given by %u.</p></dd><dt><span class="term">%N</span></dt><dd><p> + the name of your NIS home directory server. This is obtained from your NIS auto.map entry. + If you have not compiled Samba with the <span class="emphasis"><em>--with-automount</em></span> option, this + value will be the same as %L.</p></dd><dt><span class="term">%p</span></dt><dd><p> + the path of the service's home directory, obtained from your NIS auto.map entry. The NIS + auto.map entry is split up as <code class="literal">%N:%p</code>.</p></dd></dl></div><p> + There are some quite creative things that can be done with these substitutions and other + <code class="filename">smb.conf</code> options. + </p></div><div class="refsect1" lang="en"><a name="NAMEMANGLINGSECT"></a><h2>NAME MANGLING</h2><p> + Samba supports <code class="literal">name mangling</code> so that DOS and Windows clients can use files that don't + conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames. + </p><p> + There are several options that control the way mangling is performed, and they are grouped here rather + than listed separately. For the defaults look at the output of the testparm program. + </p><p> + These options can be set separately for each service. + </p><p> + The options are: + </p><div class="variablelist"><dl><dt><span class="term">case sensitive = yes/no/auto</span></dt><dd><p> + controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on + passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS + and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to + access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or + DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no + for them. Default <span class="emphasis"><em>auto</em></span>. + </p></dd><dt><span class="term">default case = upper/lower</span></dt><dd><p> + controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). + Default <span class="emphasis"><em>lower</em></span>. IMPORTANT NOTE: This option will be used to modify the case of + <span class="emphasis"><em>all</em></span> incoming client filenames, not just new filenames if the options <a class="indexterm" name="id308683"></a>case sensitive = yes, <a class="indexterm" name="id308690"></a>preserve case = No, + <a class="indexterm" name="id308697"></a>short preserve case = No are set. This change is needed as part of the + optimisations for directories containing large numbers of files. + </p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p> + controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case + that the client passes, or if they are forced to be the <code class="literal">default</code> case. Default + <span class="emphasis"><em>yes</em></span>. + </p></dd><dt><span class="term">short preserve case = yes/no</span></dt><dd><p> + controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created upper case, or if they are forced to be the + <code class="literal">default</code> case. This option can be used with <code class="literal">preserve case = yes</code> to permit + long filenames to retain their case, while short names are lowercased. Default <span class="emphasis"><em>yes</em></span>. + </p></dd></dl></div><p> + By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive + but case preserving. As a special case for directories with large numbers of files, if the case + options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" + then the "default case" option will be applied and will modify all filenames sent from the client + when accessing this share. + </p></div><div class="refsect1" lang="en"><a name="VALIDATIONSECT"></a><h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2><p> + There are a number of ways in which a user can connect to a service. The server uses the following steps + in determining if it will allow a connection to a specified service. If all the steps fail, the connection + request is rejected. However, if one of the steps succeeds, the following steps are not checked. + </p><p> + If the service is marked “<span class="quote">guest only = yes</span>” and the server is running with share-level + security (“<span class="quote">security = share</span>”, steps 1 to 5 are skipped. + </p><div class="orderedlist"><ol type="1"><li><p> + If the client has passed a username/password pair and that username/password pair is validated by the UNIX + system's password programs, the connection is made as that username. This includes the + <code class="literal">\\server\service</code>%<em class="replaceable"><code>username</code></em> method of passing a username. + </p></li><li><p> + If the client has previously registered a username with the system and now supplies a correct password for that + username, the connection is allowed. + </p></li><li><p> + The client's NetBIOS name and any previously used usernames are checked against the supplied password. If + they match, the connection is allowed as the corresponding user. + </p></li><li><p> + If the client has previously validated a username/password pair with the server and the client has passed + the validation token, that username is used. + </p></li><li><p> + If a <code class="literal">user = </code> field is given in the <code class="filename">smb.conf</code> file for the + service and the client has supplied a password, and that password matches (according to the UNIX system's + password checking) with one of the usernames from the <code class="literal">user =</code> field, the connection is made as + the username in the <code class="literal">user =</code> line. If one of the usernames in the <code class="literal">user =</code> list + begins with a <code class="literal">@</code>, that name expands to a list of names in the group of the same name. + </p></li><li><p> + If the service is a guest service, a connection is made as the username given in the <code class="literal">guest account + =</code> for the service, irrespective of the supplied password. + </p></li></ol></div></div><div class="refsect1" lang="en"><a name="id308893"></a><h2>REGISTRY-BASED CONFIGURATION</h2><p> + Starting with Samba version 3.2.0, the capability to + store Samba configuration in the registry is available. + There are two levels of registry configuration: + </p><div class="orderedlist"><ol type="1"><li><p>Share definitions stored in registry are used. + This is triggered by setting the global + parameter <em class="parameter"><code>registry shares</code></em> to “<span class="quote">yes</span>” + in <span class="emphasis"><em>smb.conf</em></span>. + </p><p>Note: Shares defined in <span class="emphasis"><em>smb.conf</em></span> + always take priority over + shares of the same name defined in registry. + </p></li><li><p>Global <span class="emphasis"><em>smb.conf</em></span> options stored in + registry are used. This is triggered by the + parameter <a class="indexterm" name="id308946"></a>config backend = registry in + the [global] section of <span class="emphasis"><em>smb.conf</em></span>. + This removes everything that has been read from config files + to this point and reads the content of the global configuration + section from the registry. + Activation of global registry options automatically + activates registry shares. In this case, no share definitions + from smb.conf are read: This is a registry only configuration + with the advantage that share definitions are not read + in a bulk at startup time but on demand when a share is + accessed. + </p></li></ol></div><p> + Caveat: To make registry-based configurations foolproof at least to a + certain extent, the use + of <em class="parameter"><code>lock directory</code></em>, + <em class="parameter"><code>config backend</code></em>, and + <em class="parameter"><code>include</code></em> inside the registry + configuration has been disabled. Especially, by changing the + <em class="parameter"><code>lock directory</code></em> inside the registry + configuration, one would create a broken setup where the daemons + do not see the configuration they loaded once it is active. + </p><p> + The registry configuration can be accessed with + tools like <span class="emphasis"><em>regedit</em></span> or <span class="emphasis"><em>net rpc + registry</em></span> in the key + <span class="emphasis"><em>HKLM\Software\Samba\smbconf</em></span>. + + More conveniently, the <span class="emphasis"><em>conf</em></span> subcommand of the + <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> utility + offers a dedicated interface to read and write the + registry based configuration locally, i.e. directly + accessing the database file, circumventing the + server. + </p></div><div class="refsect1" lang="en"><a name="id309022"></a><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p>This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that + should stop a shutdown procedure issued by the <a class="indexterm" name="id309062"></a>shutdown script.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>, + right, this command will be run as user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>abort shutdown script</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>abort shutdown script</code></em> = <code class="literal">/sbin/shutdown -c</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLCHECKPERMISSIONS"></a>acl check permissions (S)</span></dt><dd><p>This boolean parameter controls what <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>does on receiving a protocol request of "open for delete" + from a Windows client. If a Windows client doesn't have permissions to delete a file then they + expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by + actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a + delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately + on "open for delete" request as we cannot restore such a deleted file. With this parameter set to + true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the + request without actually deleting the file if the file system permissions would seem to deny it. + This is not perfect, as it's possible a user could have deleted a file without Samba being able to + check the permissions correctly, but it is close enough to Windows semantics for mostly correct + behaviour. Samba will correctly check POSIX ACL semantics in this case. + </p><p>If this parameter is set to "false" Samba doesn't check permissions on "open for delete" + and allows the open. If the user doesn't have permission to delete the file this will only be + discovered at close time, which is too late for the Windows user tools to display an error message + to the user. The symptom of this is files that appear to have been deleted "magically" re-appearing + on a Windows explorer refersh. This is an extremely advanced protocol option which should not + need to be changed. This parameter was introduced in its final form in 3.0.21, an earlier version + with slightly different semantics was introduced in 3.0.20. That older version is not documented here. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl check permissions</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLCOMPATIBILITY"></a>acl compatibility (S)</span></dt><dd><p>This parameter specifies what OS ACL semantics should + be compatible with. Possible values are <span class="emphasis"><em>winnt</em></span> for Windows NT 4, + <span class="emphasis"><em>win2k</em></span> for Windows 2000 and above and <span class="emphasis"><em>auto</em></span>. + If you specify <span class="emphasis"><em>auto</em></span>, the value for this parameter + will be based upon the version of the client. There should + be no reason to change this parameter from the default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl compatibility</code></em> = <code class="literal">Auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>acl compatibility</code></em> = <code class="literal">win2k</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLGROUPCONTROL"></a>acl group control (S)</span></dt><dd><p> + In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions + and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the + <span class="emphasis"><em>primary group owner</em></span> of a file or directory to modify the permissions and ACLs + on that file. + </p><p> + On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in + that group to modify the permissions on it. This allows the delegation of security controls + on a point in the filesystem to the group owner of a directory and anything below it also owned + by that group. This means there are multiple people with permissions to modify ACLs on a file + or directory, easing managability. + </p><p> + This parameter allows Samba to also permit delegation of the control over a point in the exported + directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to + control the permissions on a file or directory they have group ownership on. + </p><p> + This parameter is best used with the <a class="indexterm" name="id309290"></a>inherit owner option and also + on on a share containing directories with the UNIX <span class="emphasis"><em>setgid bit</em></span> bit set + on them, which causes new files and directories created within it to inherit the group + ownership from the containing directory. + </p><p> + This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now + implemented by the <em class="parameter"><code>dos filemode</code></em> option. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl group control</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLMAPFULLCONTROL"></a>acl map full control (S)</span></dt><dd><p> + This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum + allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX + ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any + POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and + execute. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl map full control</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a new group is requested. It + will expand any <em class="parameter"><code>%g</code></em> to the group name passed. This script is only useful + for installations using the Windows NT domain administration tools. The script is free to create a group with + an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric + gid of the created group on stdout. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add group script</code></em> = <code class="literal">/usr/sbin/groupadd %g</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run by + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is + added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not + already exist. + </p><p>This option is very similar to the <a class="indexterm" name="id309488"></a>add user script, and likewise uses the %u + substitution for the account name. Do not use the %m + substitution. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = <code class="literal">/usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDPORTCOMMAND"></a>add port command (G)</span></dt><dd><p>Samba 3.0.23 introduces support for adding printer ports + remotely using the Windows "Add Standard TCP/IP Port Wizard". + This option defines an external program to be executed when + smbd receives a request to add a new Port to the system. + he script is passed two parameters: + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>port name</code></em></p></li><li><p><em class="parameter"><code>device URI</code></em></p></li></ul></div><p>The deviceURI is in the for of socket://<hostname>[:<portnumber>] + or lpd://<hostname>/<queuename>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> = <code class="literal">/etc/samba/scripts/addport.sh</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>add printer command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing + support for Windows NT/2000 clients in Samba 2.2, The MS Add + Printer Wizard (APW) icon is now also available in the + "Printers..." folder displayed a share listing. The APW + allows for printers to be add remotely to a Samba or Windows + NT/2000 print server.</p><p>For a Samba host this means that the printer must be + physically added to the underlying printing system. The <em class="parameter"><code>add + printer command</code></em> defines a script to be run which + will perform the necessary operations for adding the printer + to the print system and to add the appropriate service definition + to the <code class="filename">smb.conf</code> file in order that it can be + shared by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>The <em class="parameter"><code>addprinter command</code></em> is + automatically invoked with the following parameter (in + order):</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>printer name</code></em></p></li><li><p><em class="parameter"><code>share name</code></em></p></li><li><p><em class="parameter"><code>port name</code></em></p></li><li><p><em class="parameter"><code>driver name</code></em></p></li><li><p><em class="parameter"><code>location</code></em></p></li><li><p><em class="parameter"><code>Windows 9x driver location</code></em></p></li></ul></div><p>All parameters are filled in from the PRINTER_INFO_2 structure sent + by the Windows NT/2000 client with one exception. The "Windows 9x + driver location" parameter is included for backwards compatibility + only. The remaining fields in the structure are generated from answers + to the APW questions.</p><p>Once the <em class="parameter"><code>addprinter command</code></em> has + been executed, <code class="literal">smbd</code> will reparse the <code class="filename"> + smb.conf</code> to determine if the share defined by the APW + exists. If the sharename is still invalid, then <code class="literal">smbd + </code> will return an ACCESS_DENIED error to the client.</p><p> + The "add printer command" program can output a single line of text, + which Samba will set as the port the new printer is connected to. + If this line isn't output, Samba won't reload its printer shares. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add printer command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add printer command</code></em> = <code class="literal">/usr/bin/addprinter</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDSHARECOMMAND"></a>add share command (G)</span></dt><dd><p> + Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server + Manager. The <em class="parameter"><code>add share command</code></em> is used to define an external program + or script which will add a new service definition to <code class="filename">smb.conf</code>. In order + to successfully execute the <em class="parameter"><code>add share command</code></em>, <code class="literal">smbd</code> requires that the administrator be connected using a root account (i.e. uid == 0). + </p><p> + If the connected account has <code class="literal">SeDiskOperatorPrivilege</code>, scripts defined in + <em class="parameter"><code>change share</code></em> parameter are executed as root. + </p><p> + When executed, <code class="literal">smbd</code> will automatically invoke the + <em class="parameter"><code>add share command</code></em> with five parameters. + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location of the global <code class="filename">smb.conf</code> file. + </p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of the new share. + </p></li><li><p><em class="parameter"><code>pathName</code></em> - path to an **existing** + directory on disk. + </p></li><li><p><em class="parameter"><code>comment</code></em> - comment string to associate with the new + share. + </p></li><li><p><em class="parameter"><code>max + connections</code></em> + Number of maximum simultaneous connections to this + share. + </p></li></ul></div><p> + This parameter is only used for add file shares. To add printer shares, see the <a class="indexterm" name="id309946"></a>addprinter command. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> = <code class="literal">/usr/local/bin/addshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDUSERSCRIPT"></a>add user script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run <span class="emphasis"><em>AS ROOT</em></span> by + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + under special circumstances described below. + </p><p> + Normally, a Samba server requires that UNIX users are created for all users accessing + files on this server. For sites that use Windows NT account databases as their primary + user database creating these users and keeping the user list in sync with the Windows + NT PDC is an onerous task. This option allows smbd to create the required UNIX users + <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server. + </p><p> + In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to + <a class="indexterm" name="id310044"></a>security = share and <a class="indexterm" name="id310052"></a>add user script + must be set to a full pathname for a script that will create a UNIX user given one argument of + <em class="parameter"><code>%u</code></em>, which expands into the UNIX user name to create. + </p><p> + When the Windows user attempts to access the Samba server, at login (session setup in + the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id310078"></a>password server + and attempts to authenticate the given user with the given password. If the authentication + succeeds then <code class="literal">smbd</code> attempts to find a UNIX user in the UNIX + password database to map the Windows user into. If this lookup fails, and + <a class="indexterm" name="id310093"></a>add user script is set then <code class="literal">smbd</code> will + call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding any + <em class="parameter"><code>%u</code></em> argument to be the user name to create. + </p><p> + If this script successfully creates the user then <code class="literal">smbd</code> will + continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. + </p><p> + See also <a class="indexterm" name="id310130"></a>security, <a class="indexterm" name="id310137"></a>password server, + <a class="indexterm" name="id310144"></a>delete user script. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> = <code class="literal">/usr/local/samba/bin/add_user %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDUSERTOGROUPSCRIPT"></a>add user to group script (G)</span></dt><dd><p> + Full path to the script that will be called when a user is added to a group using the Windows NT domain administration + tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + <span class="emphasis"><em>AS ROOT</em></span>. Any <em class="parameter"><code>%g</code></em> will be replaced with the group name and + any <em class="parameter"><code>%u</code></em> will be replaced with the user name. + </p><p> + Note that the <code class="literal">adduser</code> command used in the example below does + not support the used syntax on all systems. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user to group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add user to group script</code></em> = <code class="literal">/usr/sbin/adduser %u %g</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADMINUSERS"></a>admin users (S)</span></dt><dd><p>This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions.</p><p>This parameter will not work with the <a class="indexterm" name="id310304"></a>security = share in + Samba 3.0. This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> = <code class="literal">jason</code> +</em></span> +</p></dd><dt><span class="term"><a name="AFSSHARE"></a>afs share (S)</span></dt><dd><p>This parameter controls whether special AFS features are enabled + for this share. If enabled, it assumes that the directory exported via + the <em class="parameter"><code>path</code></em> parameter is a local AFS import. The + special AFS features include the attempt to hand-craft an AFS token + if you enabled --with-fake-kaserver in configure. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>afs share</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="AFSUSERNAMEMAP"></a>afs username map (G)</span></dt><dd><p>If you are using the fake kaserver AFS feature, you might + want to hand-craft the usernames you are creating tokens for. + For example this is necessary if you have users from several domain + in your AFS Protection Database. One possible scheme to code users + as DOMAIN+User as it is done by winbind with the + as a separator. + </p><p>The mapped user name must contain the cell name to log into, + so without setting this parameter there will be no token.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>afs username map</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>afs username map</code></em> = <code class="literal">%u@afs.samba.org</code> +</em></span> +</p></dd><dt><span class="term"><a name="AIOREADSIZE"></a>aio read size (S)</span></dt><dd><p>If Samba has been built with asynchronous I/O support and this + integer parameter is set to non-zero value, + Samba will read from file asynchronously when size of request is bigger + than this value. Note that it happens only for non-chained and non-chaining + reads and when not using write cache.</p><p>Current implementation of asynchronous I/O in Samba 3.0 does support + only up to 10 outstanding asynchronous requests, read and write combined.</p> + + write cache size + aio write size + +<p>Default: <span class="emphasis"><em><em class="parameter"><code>aio read size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>aio read size</code></em> = <code class="literal">16384 +# Use asynchronous I/O for reads bigger than 16KB + request size</code> +</em></span> +</p></dd><dt><span class="term"><a name="AIOWRITESIZE"></a>aio write size (S)</span></dt><dd><p>If Samba has been built with asynchronous I/O support and this + integer parameter is set to non-zero value, + Samba will write to file asynchronously when size of request is bigger + than this value. Note that it happens only for non-chained and non-chaining + reads and when not using write cache.</p><p>Current implementation of asynchronous I/O in Samba 3.0 does support + only up to 10 outstanding asynchronous requests, read and write combined.</p> + + write cache size + aio read size + +<p>Default: <span class="emphasis"><em><em class="parameter"><code>aio write size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>aio write size</code></em> = <code class="literal">16384 +# Use asynchronous I/O for writes bigger than 16KB + request size</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALGORITHMICRIDBASE"></a>algorithmic rid base (G)</span></dt><dd><p>This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + </p><p>Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. + </p><p>All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitrary-rid supporting backends. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>algorithmic rid base</code></em> = <code class="literal">1000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>algorithmic rid base</code></em> = <code class="literal">100000</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALLOCATIONROUNDUPSIZE"></a>allocation roundup size (S)</span></dt><dd><p>This parameter allows an administrator to tune the + allocation size reported to Windows clients. The default + size of 1Mb generally results in improved Windows client + performance. However, rounding the allocation size may cause + difficulties for some applications, e.g. MS Visual Studio. + If the MS Visual Studio compiler starts to crash with an + internal error, set this parameter to zero for this share. + </p><p>The integer parameter specifies the roundup size in bytes.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>allocation roundup size</code></em> = <code class="literal">1048576</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>allocation roundup size</code></em> = <code class="literal">0 +# (to disable roundups)</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p> + This option only takes effect when the <a class="indexterm" name="id310731"></a>security option is set to + <code class="constant">server</code>, <code class="constant">domain</code> or <code class="constant">ads</code>. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication.</p><p>This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>allow trusted domains</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ANNOUNCEAS"></a>announce as (G)</span></dt><dd><p>This specifies what type of server <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT Server" (which can also be written as "NT"), + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>announce as</code></em> = <code class="literal">NT Server</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>announce as</code></em> = <code class="literal">Win95</code> +</em></span> +</p></dd><dt><span class="term"><a name="ANNOUNCEVERSION"></a>announce version (G)</span></dt><dd><p>This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.9. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>announce version</code></em> = <code class="literal">4.9</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>announce version</code></em> = <code class="literal">2.0</code> +</em></span> +</p></dd><dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p> + This option allows the administrator to chose what authentication methods <code class="literal">smbd</code> + will use when authenticating a user. This option defaults to sensible values based on <a class="indexterm" name="id310928"></a>security. + This should be considered a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate. + </p><p> + Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. + </p><p> + Possible options include <code class="constant">guest</code> (anonymous access), + <code class="constant">sam</code> (lookups in local list of accounts based on netbios + name or domain name), <code class="constant">winbind</code> (relay authentication requests + for remote users through winbindd), <code class="constant">ntdomain</code> (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + <code class="constant">trustdomain</code> (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>auth methods</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>auth methods</code></em> = <code class="literal">guest sam winbind</code> +</em></span> +</p></dd><dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you "turn off" a service. If + <em class="parameter"><code>available = no</code></em>, then <span class="emphasis"><em>ALL</em></span> + attempts to connect to the service will fail. Such failures are + logged.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>available</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="BINDINTERFACESONLY"></a>bind interfaces only (G)</span></dt><dd><p>This global parameter allows the Samba admin + to limit what interfaces on a machine will serve SMB requests. It + affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in a slightly different ways.</p><p> + For name service it causes <code class="literal">nmbd</code> to bind to ports 137 and 138 on the + interfaces listed in the <a class="indexterm" name="id311097"></a>interfaces parameter. <code class="literal">nmbd</code> + also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of + reading broadcast messages. If this option is not set then <code class="literal">nmbd</code> will + service name requests on all of these sockets. If <a class="indexterm" name="id311118"></a>bind interfaces only is set then + <code class="literal">nmbd</code> will check the source address of any packets coming in on the + broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the + <a class="indexterm" name="id311132"></a>interfaces parameter list. As unicast packets are received on the other sockets it + allows <code class="literal">nmbd</code> to refuse to serve names to machines that send packets that + arrive through any interfaces not listed in the <a class="indexterm" name="id311147"></a>interfaces list. IP Source address + spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for + <code class="literal">nmbd</code>. + </p><p> + For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id311172"></a>interfaces parameter. This restricts the networks that <code class="literal">smbd</code> will + serve to packets coming in those interfaces. Note that you should not use this parameter for machines that + are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with + non-permanent interfaces. + </p><p> + If <a class="indexterm" name="id311191"></a>bind interfaces only is set then unless the network address + <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id311202"></a>interfaces parameter list + <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and + <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as + expected due to the reasons covered below. + </p><p> + To change a users SMB password, the <code class="literal">smbpasswd</code> by default connects to the + <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If + <a class="indexterm" name="id311240"></a>bind interfaces only is set then unless the network address + <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id311251"></a>interfaces parameter list then <code class="literal"> smbpasswd</code> will fail to connect in it's default mode. <code class="literal">smbpasswd</code> can be forced to use the primary IP interface of the local host by using + its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote + machine</code></em> set to the IP name of the primary interface of the local host. + </p><p> + The <code class="literal">swat</code> status page tries to connect with <code class="literal">smbd</code> and <code class="literal">nmbd</code> at the address + <span class="emphasis"><em>127.0.0.1</em></span> to determine if they are running. Not adding <span class="emphasis"><em>127.0.0.1</em></span> + will cause <code class="literal"> smbd</code> and <code class="literal">nmbd</code> to always show + "not running" even if they really are. This can prevent <code class="literal"> swat</code> + from starting/stopping/restarting <code class="literal">smbd</code> and <code class="literal">nmbd</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>bind interfaces only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="BLOCKINGLOCKS"></a>blocking locks (S)</span></dt><dd><p>This parameter controls the behavior + of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when given a request by a client + to obtain a byte range lock on a region of an open file, and the + request has a time limit associated with it.</p><p>If this parameter is set and the lock range requested + cannot be immediately satisfied, samba will internally + queue the lock request, and periodically attempt to obtain + the lock until the timeout period expires.</p><p>If this parameter is set to <code class="constant">no</code>, then + samba will behave as previous versions of Samba would and + will fail the lock request immediately if the lock range + cannot be obtained.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>blocking locks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="BLOCKSIZE"></a>block size (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when reporting disk free + sizes. By default, this reports a disk block size of 1024 bytes. + </p><p>Changing this parameter may have some effect on the + efficiency of client writes, this is not yet confirmed. This + parameter was added to allow advanced administrators to change + it (usually to a higher value) and test the effect it has on + client write performance without re-compiling the code. As this + is an experimental option it may be removed in a future release. + </p><p>Changing this option does not change the disk free reporting + size, just the block size unit reported to the client. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>block size</code></em> = <code class="literal">1024</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>block size</code></em> = <code class="literal">4096</code> +</em></span> +</p></dd><dt><span class="term"><a name="BROWSABLE"></a>browsable</span></dt><dd><p>This parameter is a synonym for browseable.</p></dd><dt><span class="term"><a name="BROWSEABLE"></a>browseable (S)</span></dt><dd><p>This controls whether this share is seen in + the list of available shares in a net view and in the browse list.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browseable</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="BROWSELIST"></a>browse list (G)</span></dt><dd><p>This controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will serve a browse list to + a client doing a <code class="literal">NetServerEnum</code> call. Normally + set to <code class="constant">yes</code>. You should never need to change + this.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browse list</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id311661"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="CHANGENOTIFY"></a>change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should reply + to a client's file change notify requests. + </p><p>You should never need to change this parameter</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>change notify</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="CHANGESHARECOMMAND"></a>change share command (G)</span></dt><dd><p> + Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server +Manager. The <em class="parameter"><code>change share command</code></em> is used to define an external +program or script which will modify an existing service definition in <code class="filename">smb.conf</code>. In order to successfully execute the <em class="parameter"><code>change +share command</code></em>, <code class="literal">smbd</code> requires that the administrator be +connected using a root account (i.e. uid == 0). + </p><p> + If the connected account has <code class="literal">SeDiskOperatorPrivilege</code>, scripts defined in + <em class="parameter"><code>change share</code></em> parameter are executed as root. + </p><p> + When executed, <code class="literal">smbd</code> will automatically invoke the + <em class="parameter"><code>change share command</code></em> with five parameters. + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location + of the global <code class="filename">smb.conf</code> file. + </p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of the new + share. + </p></li><li><p><em class="parameter"><code>pathName</code></em> - path to an **existing** + directory on disk. + </p></li><li><p><em class="parameter"><code>comment</code></em> - comment string to associate + with the new share. + </p></li><li><p><em class="parameter"><code>max + connections</code></em> + Number of maximum simultaneous connections to this + share. + </p></li></ul></div><p> + This parameter is only used modify existing file shares definitions. To modify + printer shares, use the "Printers..." folder as seen when browsing the Samba host. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>change share command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>change share command</code></em> = <code class="literal">/usr/local/bin/addshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="CHECKPASSWORDSCRIPT"></a>check password script (G)</span></dt><dd><p>The name of a program that can be used to check password + complexity. The password is sent to the program's standrad input.</p><p>The program must return 0 on good password any other value otherwise. + In case the password is considered weak (the program do not return 0) the + user will be notified and the password change will fail.</p><p>Note: In the example directory there is a sample program called crackcheck + that uses cracklib to checkpassword quality</p>. + + +<p>Default: <span class="emphasis"><em><em class="parameter"><code>check password script</code></em> = <code class="literal">Disabled</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>check password script</code></em> = <code class="literal">check password script = /usr/local/sbin/crackcheck</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTLANMANAUTH"></a>client lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client.</p><p>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option. </p><p>Disabling this option will also disable the <code class="literal">client plaintext auth</code> option</p><p>Likewise, if the <code class="literal">client ntlmv2 + auth</code> parameter is enabled, then only NTLMv2 logins will be + attempted.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client lanman auth</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTLDAPSASLWRAPPING"></a>client ldap sasl wrapping (G)</span></dt><dd><p> + The <a class="indexterm" name="id312072"></a>client ldap sasl wrapping defines whether + ldap traffic will be signed or signed and encrypted (sealed). + Possible values are <span class="emphasis"><em>plain</em></span>, <span class="emphasis"><em>sign</em></span> + and <span class="emphasis"><em>seal</em></span>. + </p><p> + The values <span class="emphasis"><em>sign</em></span> and <span class="emphasis"><em>seal</em></span> are + only available if Samba has been compiled against a modern + OpenLDAP version (2.3.x or higher). + </p><p> + This option is needed in the case of Domain Controllers enforcing + the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). + LDAP sign and seal can be controlled with the registry key + "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity" + on the Windows server side. + </p><p> + Depending on the used KRB5 library (MIT and older Heimdal versions) + it is possible that the message "integrity only" is not supported. + In this case, <span class="emphasis"><em>sign</em></span> is just an alias for + <span class="emphasis"><em>seal</em></span>. + </p><p> + The default value is <span class="emphasis"><em>plain</em></span> which is not irritable + to KRB5 clock skew errors. That implies synchronizing the time + with the KDC in the case of using <span class="emphasis"><em>sign</em></span> or + <span class="emphasis"><em>seal</em></span>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client ldap sasl wrapping</code></em> = <code class="literal">plain</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTNTLMV2AUTH"></a>client ntlmv2 auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.</p><p>If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Many servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2. </p><p>Similarly, if enabled, NTLMv1, <code class="literal">client lanman auth</code> and <code class="literal">client plaintext auth</code> + authentication will be disabled. This also disables share-level + authentication. </p><p>If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of <code class="literal">client lanman auth</code>. </p><p>Note that some sites (particularly + those following 'best practice' security polices) only allow NTLMv2 + responses, and not the weaker LM or NTLM.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client ntlmv2 auth</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTPLAINTEXTAUTH"></a>client plaintext auth (G)</span></dt><dd><p>Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client plaintext auth</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p> + This controls whether the client offers or even demands the use of the netlogon schannel. + <a class="indexterm" name="id312298"></a>client schannel = no does not offer the schannel, + <a class="indexterm" name="id312306"></a>client schannel = auto offers the schannel but does not + enforce it, and <a class="indexterm" name="id312313"></a>client schannel = yes denies access + if the server is not able to speak netlogon schannel. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = <code class="literal">auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTSIGNING"></a>client signing (G)</span></dt><dd><p>This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span> + and <span class="emphasis"><em>disabled</em></span>. + </p><p>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client signing</code></em> = <code class="literal">auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTUSESPNEGO"></a>client use spnego (G)</span></dt><dd><p> This variable controls whether Samba clients will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + supporting servers (including WindowsXP, Windows2000 and Samba + 3.0) to agree upon an authentication + mechanism. This enables Kerberos authentication in particular.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client use spnego</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="COMMENT"></a>comment (S)</span></dt><dd><p>This is a text field that is seen next to a share + when a client does a queries the server, either via the network + neighborhood or via <code class="literal">net view</code> to list what shares + are available.</p><p>If you want to set the string that is displayed next to the + machine name then see the <a class="indexterm" name="id312483"></a>server string parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> = <code class="literal"> +# No comment</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> = <code class="literal">Fred's Files</code> +</em></span> +</p></dd><dt><span class="term"><a name="CONFIGBACKEND"></a>config backend (G)</span></dt><dd><p> + This controls the backend for storing the configuration. + Possible values are <span class="emphasis"><em>file</em></span> (the default) + and <span class="emphasis"><em>registry</em></span>. + When <a class="indexterm" name="id312554"></a>config backend = registry + is encountered while loading <span class="emphasis"><em>smb.conf</em></span>, + the configuration read so far is dropped and the global + options are read from registry instead. So this triggers a + registry only configuration. Share definitions are not read + immediately but instead <em class="parameter"><code>registry + shares</code></em> is set to <span class="emphasis"><em>yes</em></span>. + </p><p> + Note: This option can not be set inside the registry + configuration itself. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>config backend</code></em> = <code class="literal">file</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>config backend</code></em> = <code class="literal">registry</code> +</em></span> +</p></dd><dt><span class="term"><a name="CONFIGFILE"></a>config file (G)</span></dt><dd><p>This allows you to override the config file + to use, instead of the default (usually <code class="filename">smb.conf</code>). + There is a chicken and egg problem here as this option is set + in the config file!</p><p>For this reason, if the name of the config file has changed + when the parameters are loaded then it will reload them from + the new config file.</p><p>This option takes the usual substitutions, which can + be very useful.</p><p>If the config file doesn't exist then it won't be loaded + (allowing you to special case the config files of just a few + clients).</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>config file</code></em> = <code class="literal">/usr/local/samba/lib/smb.conf.%m</code> +</em></span> +</p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to "clone" service + entries. The specified service is simply duplicated under the + current service's name. Any parameters specified in the current + section will override those in the section being copied.</p><p>This feature lets you set up a 'template' service and + create similar services easily. Note that the service being + copied must occur earlier in the configuration file than the + service doing the copying.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>copy</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>copy</code></em> = <code class="literal">otherservice</code> +</em></span> +</p></dd><dt><span class="term"><a name="CREATEMODE"></a>create mode</span></dt><dd><p>This parameter is a synonym for create mask.</p></dd><dt><span class="term"><a name="CREATEMASK"></a>create mask (S)</span></dt><dd><p> + When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <span class="emphasis"><em>not</em></span> set here will + be removed from the modes set on a file when it is created. + </p><p> + The default value of this parameter removes the <code class="literal">group</code> and <code class="literal">other</code> + write and execute bits from the UNIX modes. + </p><p> + Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + <a class="indexterm" name="id312806"></a>force create mode parameter which is set to 000 by default. + </p><p> + This parameter does not affect directory masks. See the parameter <a class="indexterm" name="id312818"></a>directory mask + for details. + </p><p> + Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the + administrator wishes to enforce a mask on access control lists also, they need to set the <a class="indexterm" name="id312830"></a>security mask. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = <code class="literal">0744</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = <code class="literal">0775</code> +</em></span> +</p></dd><dt><span class="term"><a name="CSCPOLICY"></a>csc policy (S)</span></dt><dd><p> + This stands for <span class="emphasis"><em>client-side caching policy</em></span>, and specifies how clients capable of offline + caching will cache the files in the share. The valid values are: manual, documents, programs, disable. + </p><p> + These values correspond to those used on Windows servers. + </p><p> + For example, shares containing roaming profiles can have offline caching disabled using + <a class="indexterm" name="id312906"></a>csc policy = disable. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = <code class="literal">manual</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = <code class="literal">programs</code> +</em></span> +</p></dd><dt><span class="term"><a name="CUPSOPTIONS"></a>cups options (S)</span></dt><dd><p> + This parameter is only applicable if <a class="indexterm" name="id312969"></a>printing is + set to <code class="constant">cups</code>. Its value is a free form string of options + passed directly to the cups library. + </p><p> + You can pass any generic print option known to CUPS (as listed + in the CUPS "Software Users' Manual"). You can also pass any printer + specific option (as listed in "lpoptions -d printername -l") + valid for the target queue. + </p><p> + You should set this parameter to <code class="constant">raw</code> if your CUPS server + <code class="filename">error_log</code> file contains messages such as + "Unsupported format 'application/octet-stream'" when printing from a Windows client + through Samba. It is no longer necessary to enable + system wide raw printing in <code class="filename">/etc/cups/mime.{convs,types}</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>cups options</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups options</code></em> = <code class="literal">"raw,media=a4,job-sheets=secret,secret"</code> +</em></span> +</p></dd><dt><span class="term"><a name="CUPSSERVER"></a>cups server (G)</span></dt><dd><p> + This parameter is only applicable if <a class="indexterm" name="id313063"></a>printing is set to <code class="constant">cups</code>. + </p><p> + If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is + necessary if you have virtual samba servers that connect to different CUPS daemons. + </p><p>Optionally, a port can be specified by separating the server name + and port number with a colon. If no port was specified, + the default port for IPP (631) will be used. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">mycupsserver</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">mycupsserver:1631</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEADTIME"></a>deadtime (G)</span></dt><dd><p>The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero.</p><p>This is useful to stop a server's resources being + exhausted by a large number of inactive connections.</p><p>Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users.</p><p>Using this parameter with a timeout of a few minutes + is recommended for most systems.</p><p>A deadtime of zero indicates that no auto-disconnection + should be performed.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>deadtime</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>deadtime</code></em> = <code class="literal">15</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGHIRESTIMESTAMP"></a>debug hires timestamp (G)</span></dt><dd><p> + Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp message header when turned on. + </p><p> + Note that the parameter <a class="indexterm" name="id313240"></a>debug timestamp must be on for this to have an effect. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug hires timestamp</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGPID"></a>debug pid (G)</span></dt><dd><p> + When using only one log file for more then one forked <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>-process there may be hard to follow which process outputs which + message. This boolean parameter is adds the process-id to the timestamp message headers in the + logfile when turned on. + </p><p> + Note that the parameter <a class="indexterm" name="id313298"></a>debug timestamp must be on for this to have an effect. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug pid</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGPREFIXTIMESTAMP"></a>debug prefix timestamp (G)</span></dt><dd><p> + With this option enabled, the timestamp message header is prefixed to the debug message without the + filename and function information that is included with the <a class="indexterm" name="id313346"></a>debug timestamp + parameter. This gives timestamps to the messages without adding an additional line. + </p><p> + Note that this parameter overrides the <a class="indexterm" name="id313357"></a>debug timestamp parameter. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug prefix timestamp</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs</span></dt><dd><p>This parameter is a synonym for debug timestamp.</p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p> + Samba debug log messages are timestamped by default. If you are running at a high + <a class="indexterm" name="id313424"></a>debug level these timestamps can be distracting. This + boolean parameter allows timestamping to be turned off. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug timestamp</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGUID"></a>debug uid (G)</span></dt><dd><p> + Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. + </p><p> + Note that the parameter <a class="indexterm" name="id313475"></a>debug timestamp must be on for this to have an effect. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug uid</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id313521"></a>name mangling. + Also note the <a class="indexterm" name="id313528"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = <code class="literal">lower</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id313574"></a>printable services. + When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba + server has a Device Mode which defines things such as paper size and + orientation and duplex settings. The device mode can only correctly be + generated by the printer driver itself (which can only be executed on a + Win32 platform). Because smbd is unable to execute the driver code + to generate the device mode, the default behavior is to set this field + to NULL. + </p><p>Most problems with serving printer drivers to Windows NT/2k/XP clients + can be traced to a problem with the generated device mode. Certain drivers + will do things such as crashing the client's Explorer.exe with a NULL devmode. + However, other printer drivers can cause the client's spooler service + (spoolsv.exe) to die if the devmode was not created by the driver itself + (i.e. smbd generates a default devmode). + </p><p>This parameter should be used with care and tested with the printer + driver in question. It is better to leave the device mode to NULL + and let the Windows client set the correct values. Because drivers do not + do this all the time, setting <code class="literal">default devmode = yes</code> + will instruct smbd to generate a default one. + </p><p>For more information on Windows NT/2k printing and Device Modes, + see the <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a>. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default devmode</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFAULT"></a>default</span></dt><dd><p>This parameter is a synonym for default service.</p></dd><dt><span class="term"><a name="DEFAULTSERVICE"></a>default service (G)</span></dt><dd><p>This parameter specifies the name of a service + which will be connected to if the service actually requested cannot + be found. Note that the square brackets are <span class="emphasis"><em>NOT</em></span> + given in the parameter value (see example below).</p><p>There is no default value for this parameter. If this + parameter is not given, attempting to connect to a nonexistent + service results in an error.</p><p> + Typically the default service would be a <a class="indexterm" name="id313686"></a>guest ok, <a class="indexterm" name="id313693"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal + that of the requested service, this is very useful as it allows you to use macros like <em class="parameter"><code>%S</code></em> to make a wildcard service. + </p><p>Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for + interesting things.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default service</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>default service</code></em> = <code class="literal">pub</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFERSHARINGVIOLATIONS"></a>defer sharing violations (G)</span></dt><dd><p> + Windows allows specifying how a file will be shared with + other processes when it is opened. Sharing violations occur when + a file is opened by a different process using options that violate + the share settings specified by other processes. This parameter causes + smbd to act as a Windows server does, and defer returning a "sharing + violation" error message for up to one second, allowing the client + to close the file causing the violation in the meantime. + </p><p>UNIX by default does not have this behaviour.</p><p> + There should be no reason to turn off this parameter, as it is + designed to enable Samba to more correctly emulate Windows. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>defer sharing violations</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEGROUPSCRIPT"></a>delete group script (G)</span></dt><dd><p>This is the full pathname to a script that will + be run <span class="emphasis"><em>AS ROOT</em></span> <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a group is requested to be deleted. + It will expand any <em class="parameter"><code>%g</code></em> to the group name passed. + This script is only useful for installations using the Windows NT domain administration tools. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete group script</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEPRINTERCOMMAND"></a>deleteprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printer + support for Windows NT/2000 clients in Samba 2.2, it is now + possible to delete printer at run time by issuing the + DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be + physically deleted from underlying printing system. The + <a class="indexterm" name="id313883"></a>deleteprinter command defines a script to be run which + will perform the necessary operations for removing the printer + from the print system and from <code class="filename">smb.conf</code>. + </p><p>The <a class="indexterm" name="id313900"></a>deleteprinter command is + automatically called with only one parameter: <a class="indexterm" name="id313908"></a>printer name. + </p><p>Once the <a class="indexterm" name="id313918"></a>deleteprinter command has + been executed, <code class="literal">smbd</code> will reparse the <code class="filename"> + smb.conf</code> to associated printer no longer exists. + If the sharename is still valid, then <code class="literal">smbd + </code> will return an ACCESS_DENIED error to the client.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>deleteprinter command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>deleteprinter command</code></em> = <code class="literal">/usr/bin/removeprinter</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEREADONLY"></a>delete readonly (S)</span></dt><dd><p>This parameter allows readonly files to be deleted. + This is not normal DOS semantics, but is allowed by UNIX.</p><p>This option may be useful for running applications such + as rcs, where UNIX file ownership prevents changing file + permissions, and DOS semantics prevent deletion of a read only file.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete readonly</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETESHARECOMMAND"></a>delete share command (G)</span></dt><dd><p> + Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server + Manager. The <em class="parameter"><code>delete share command</code></em> is used to define an external + program or script which will remove an existing service definition from + <code class="filename">smb.conf</code>. In order to successfully execute the + <em class="parameter"><code>delete share command</code></em>, <code class="literal">smbd</code> + requires that the administrator be connected using a root account (i.e. uid == 0). + </p><p> + If the connected account has <code class="literal">SeDiskOperatorPrivilege</code>, scripts defined in + <em class="parameter"><code>change share</code></em> parameter are executed as root. + </p><p> + When executed, <code class="literal">smbd</code> will automatically invoke the + <em class="parameter"><code>delete share command</code></em> with two parameters. + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location + of the global <code class="filename">smb.conf</code> file. + </p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of + the existing service. + </p></li></ul></div><p> + This parameter is only used to remove file shares. To delete printer shares, + see the <a class="indexterm" name="id314137"></a>deleteprinter command. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> = <code class="literal">/usr/local/bin/delshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEUSERFROMGROUPSCRIPT"></a>delete user from group script (G)</span></dt><dd><p>Full path to the script that will be called when + a user is removed from a group using the Windows NT domain administration + tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>. + Any <em class="parameter"><code>%g</code></em> will be replaced with the group name and + any <em class="parameter"><code>%u</code></em> will be replaced with the user name. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete user from group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete user from group script</code></em> = <code class="literal">/usr/sbin/deluser %u %g</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEUSERSCRIPT"></a>delete user script (G)</span></dt><dd><p>This is the full pathname to a script that will + be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when managing users + with remote RPC (NT) tools. + </p><p>This script is called when a remote client removes a user + from the server, normally using 'User Manager for Domains' or + <code class="literal">rpcclient</code>.</p><p>This script should delete the given UNIX username.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete user script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete user script</code></em> = <code class="literal">/usr/local/samba/bin/del_user %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the <a class="indexterm" name="id314355"></a>veto files + option). If this option is set to <code class="constant">no</code> (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want.</p><p>If this option is set to <code class="constant">yes</code>, then Samba + will attempt to recursively delete any files and directories within + the vetoed directory. This can be useful for integration with file + serving systems such as NetAtalk which create meta-files within + directories you might normally veto DOS/Windows users from seeing + (e.g. <code class="filename">.AppleDouble</code>)</p><p>Setting <a class="indexterm" name="id314386"></a>delete veto files = yes allows these + directories to be transparently deleted when the parent directory + is deleted (so long as the user has permissions to do so).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete veto files</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DFREECACHETIME"></a>dfree cache time (S)</span></dt><dd><p> + The <em class="parameter"><code>dfree cache time</code></em> should only be used on systems where a problem + occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur + with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the + end of each directory listing. + </p><p> + This is a new parameter introduced in Samba version 3.0.21. It specifies in seconds the time that smbd will + cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily + loaded server to prevent rapid spawning of <a class="indexterm" name="id314446"></a>dfree command scripts increasing the load. + </p><p> + By default this parameter is zero, meaning no caching will be done. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dfree cache time</code></em> = <code class="literal">dfree cache time = 60</code> +</em></span> +</p></dd><dt><span class="term"><a name="DFREECOMMAND"></a>dfree command (S)</span></dt><dd><p> + The <em class="parameter"><code>dfree command</code></em> setting should only be used on systems where a + problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may + occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" + at the end of each directory listing. + </p><p> + This setting allows the replacement of the internal routines to calculate the total disk space and amount + available with an external routine. The example below gives a possible script that might fulfill this + function. + </p><p> + In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the + parameter <a class="indexterm" name="id314518"></a>dfree cache time was added to allow the output of this script to be cached + for systems under heavy load. + </p><p> + The external program will be passed a single parameter indicating a directory in the filesystem being queried. + This will typically consist of the string <code class="filename">./</code>. The script should return + two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number + of available blocks. An optional third return value can give the block size in bytes. The default blocksize is + 1024 bytes. + </p><p> + Note: Your script should <span class="emphasis"><em>NOT</em></span> be setuid or setgid and should be owned by (and writeable + only by) root! + </p><p> + Where the script dfree (which must be made executable) could be: +</p><pre class="programlisting"> +#!/bin/sh +df $1 | tail -1 | awk '{print $(NF-4),$(NF-2)}' +</pre><p> + or perhaps (on Sys V based systems): +</p><pre class="programlisting"> +#!/bin/sh +/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' +</pre><p> + Note that you may have to replace the command names with full path names on some systems. + </p><p> + By default internal routines for determining the disk capacity and remaining space will be used. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dfree command</code></em> = <code class="literal">/usr/local/samba/bin/dfree</code> +</em></span> +</p></dd><dt><span class="term"><a name="DIRECTORYMODE"></a>directory mode</span></dt><dd><p>This parameter is a synonym for directory mask.</p></dd><dt><span class="term"><a name="DIRECTORYMASK"></a>directory mask (S)</span></dt><dd><p>This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories.</p><p>When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit <span class="emphasis"><em>not</em></span> set + here will be removed from the modes set on a directory when it is + created.</p><p>The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the <a class="indexterm" name="id314651"></a>force directory mode parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the <a class="indexterm" name="id314664"></a>directory security mask.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = <code class="literal">0755</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = <code class="literal">0775</code> +</em></span> +</p></dd><dt><span class="term"><a name="DIRECTORYSECURITYMASK"></a>directory security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission bits + will be set when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box.</p><p> + This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting + any bits not in this mask. Make sure not to mix up this parameter with <a class="indexterm" name="id314734"></a>force directory security mode, which works similar like this one but uses logical OR instead of AND. + Essentially, zero bits in this mask are a set of bits that will always be set to zero. + </p><p> + Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the + file permissions regardless of the previous status of this bits on the file. + </p><p>If not set explicitly this parameter is set to 0777 + meaning a user is allowed to set all the user/group/world + permissions on a directory.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it as the default of <code class="constant">0777</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory security mask</code></em> = <code class="literal">0777</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory security mask</code></em> = <code class="literal">0700</code> +</em></span> +</p></dd><dt><span class="term"><a name="DISABLENETBIOS"></a>disable netbios (G)</span></dt><dd><p>Enabling this parameter will disable netbios support + in Samba. Netbios is the only available form of browsing in + all windows versions except for 2000 and XP. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Clients that only support netbios won't be able to + see your samba server when netbios support is disabled. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>disable netbios</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DISABLESPOOLSS"></a>disable spoolss (G)</span></dt><dd><p>Enabling this parameter will disable Samba's support + for the SPOOLSS set of MS-RPC's and will yield identical behavior + as Samba 2.0.x. Windows NT/2000 clients will downgrade to using + Lanman style printing commands. Windows 9x/ME will be unaffected by + the parameter. However, this will also disable the ability to upload + printer drivers to a Samba server via the Windows NT Add Printer + Wizard or by using the NT printer properties dialog window. It will + also disable the capability of Windows NT/2000 clients to download + print drivers from the Samba host upon demand. + <span class="emphasis"><em>Be very careful about enabling this parameter.</em></span> +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>disable spoolss</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DISPLAYCHARSET"></a>display charset (G)</span></dt><dd><p> + Specifies the charset that samba will use to print messages to stdout and stderr. + The default value is "LOCALE", which means automatically set, depending on the + current locale. The value should generally be the same as the value of the parameter + <a class="indexterm" name="id314912"></a>unix charset. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = <code class="literal">"LOCALE" or "ASCII" (depending on the system)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = <code class="literal">UTF8</code> +</em></span> +</p></dd><dt><span class="term"><a name="DMAPISUPPORT"></a>dmapi support (S)</span></dt><dd><p>This parameter specifies whether Samba should use DMAPI to + determine whether a file is offline or not. This would typically + be used in conjunction with a hierarchical storage system that + automatically migrates files to tape. + </p><p>Note that Samba infers the status of a file by examining the + events that a DMAPI application has registered interest in. This + heuristic is satisfactory for a number of hierarchical storage + systems, but there may be system for which it will fail. In this + case, Samba may erroneously report files to be offline. + </p><p>This parameter is only available if a supported DMAPI + implementation was found at compilation time. It will only be used + if DMAPI is found to enabled on the system at run time. + </p><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dmapi support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DNSPROXY"></a>dns proxy (G)</span></dt><dd><p>Specifies that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> when acting as a WINS server and + finding that a NetBIOS name has not been registered, should treat the + NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server + for that name on behalf of the name-querying client.</p><p>Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be + 15 characters, maximum.</p><p><code class="literal">nmbd</code> spawns a second copy of itself to do the + DNS name lookup requests, as doing a name lookup is a blocking + action.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dns proxy</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOMAINLOGONS"></a>domain logons (G)</span></dt><dd><p> + If set to <code class="constant">yes</code>, the Samba server will + provide the netlogon service for Windows 9X network logons for the + <a class="indexterm" name="id315094"></a>workgroup it is in. + This will also cause the Samba server to act as a domain + controller for NT4 style domain services. For more details on + setting up this feature see the Domain Control chapter of the + Samba HOWTO Collection. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain logons</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOMAINMASTER"></a>domain master (G)</span></dt><dd><p> + Tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to enable + WAN-wide browse list collation. Setting this option causes <code class="literal">nmbd</code> to claim a + special domain specific NetBIOS name that identifies it as a domain master browser for its given + <a class="indexterm" name="id315156"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id315164"></a>workgroup on + broadcast-isolated subnets will give this <code class="literal">nmbd</code> their local browse lists, + and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a + complete copy of the browse list for the whole wide area network. Browser clients will then contact their + local master browser, and will receive the domain-wide browse list, instead of just the list for their + broadcast-isolated subnet. + </p><p> + Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id315191"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that + <a class="indexterm" name="id315199"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting + to do this). This means that if this parameter is set and <code class="literal">nmbd</code> claims the + special name for a <a class="indexterm" name="id315213"></a>workgroup before a Windows NT PDC is able to do so then cross + subnet browsing will behave strangely and may fail. + </p><p> + If <a class="indexterm" name="id315225"></a>domain logons = yes, then the default behavior is to enable the + <a class="indexterm" name="id315232"></a>domain master parameter. If <a class="indexterm" name="id315239"></a>domain logons is not enabled (the + default setting), then neither will <a class="indexterm" name="id315247"></a>domain master be enabled by default. + </p><p> + When <a class="indexterm" name="id315257"></a>domain logons = Yes the default setting for this parameter is + Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id315265"></a>domain master = No, + Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = <code class="literal">auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="DONTDESCEND"></a>dont descend (S)</span></dt><dd><p>There are certain directories on some systems + (e.g., the <code class="filename">/proc</code> tree under Linux) that are either not + of interest to clients or are infinitely deep (recursive). This + parameter allows you to specify a comma-delimited list of directories + that the server should always show as empty.</p><p>Note that Samba can be very fussy about the exact format + of the "dont descend" entries. For example you may need <code class="filename"> + ./proc</code> instead of just <code class="filename">/proc</code>. + Experimentation is the best policy :-) </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dont descend</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dont descend</code></em> = <code class="literal">/proc,/dev</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOSCHARSET"></a>dos charset (G)</span></dt><dd><p>DOS SMB clients assume the server has + the same charset as they do. This option specifies which + charset Samba should talk to DOS clients. + </p><p>The default depends on which charsets you have installed. + Samba tries to use charset 850 but falls back to ASCII in + case it is not available. Run <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> to check the default on your system.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="DOSFILEMODE"></a>dos filemode (S)</span></dt><dd><p> The default behavior in Samba is to provide + UNIX-like behavior where only the owner of a file/directory is + able to change the permissions on it. However, this behavior + is often confusing to DOS/Windows users. Enabling this parameter + allows a user who has write access to the file (by whatever + means) to modify the permissions (including ACL) on it. Note that a user + belonging to the group owning the file will not be allowed to + change permissions if the group is only granted read access. + Ownership of the file/directory may also be changed.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filemode</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOSFILETIMERESOLUTION"></a>dos filetime resolution (S)</span></dt><dd><p>Under the DOS and Windows FAT filesystem, the finest + granularity on time resolution is two seconds. Setting this parameter + for a share causes Samba to round the reported time down to the + nearest two second boundary when a query call that requires one second + resolution is made to <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This option is mainly used as a compatibility option for Visual + C++ when used against Samba shares. If oplocks are enabled on a + share, Visual C++ uses two different time reading calls to check if a + file has changed since it was last read. One of these calls uses a + one-second granularity, the other uses a two second granularity. As + the two second call rounds any odd second down, then if the file has a + timestamp of an odd number of seconds then the two timestamps will not + match and Visual C++ will keep reporting the file has changed. Setting + this option causes the two timestamps to match, and Visual C++ is + happy.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filetime resolution</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOSFILETIMES"></a>dos filetimes (S)</span></dt><dd><p>Under DOS and Windows, if a user can write to a + file they can change the timestamp on it. Under POSIX semantics, + only the owner of the file or root may change the timestamp. By + default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user <code class="literal">smbd</code> is acting + on behalf of is not the file owner. Setting this option to <code class="constant"> + yes</code> allows DOS semantics and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will change the file + timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, + the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 + and above. Microsoft Excel will display dialog box warnings about the file being + changed by another user if this parameter is not set to "yes" and files are being + shared between users. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filetimes</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="EASUPPORT"></a>ea support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow clients to attempt to store OS/2 style Extended + attributes on a share. In order to enable this parameter the underlying filesystem exported by + the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the + correct kernel patches). On Linux the filesystem must have been mounted with the mount + option user_xattr in order for extended attributes to work, also + extended attributes must be compiled into the Linux kernel.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ea support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENABLEASUSUPPORT"></a>enable asu support (G)</span></dt><dd><p>Hosts running the "Advanced Server for Unix (ASU)" product + require some special accomodations such as creating a builting [ADMIN$] + share that only supports IPC connections. The has been the default + behavior in smbd for many years. However, certain Microsoft applications + such as the Print Migrator tool require that the remote server support + an [ADMIN$} file share. Disabling this parameter allows for creating + an [ADMIN$] file share in smb.conf.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable asu support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENABLEPRIVILEGES"></a>enable privileges (G)</span></dt><dd><p> + This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either + <code class="literal">net rpc rights</code> or one of the Windows user and group manager tools. This parameter is + enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to + assign privileges to users or groups which can then result in certain smbd operations running as root that + would normally run under the context of the connected user. + </p><p> + An example of how privileges can be used is to assign the right to join clients to a Samba controlled + domain without providing root access to the server via smbd. + </p><p> + Please read the extended description provided in the Samba HOWTO documentation. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable privileges</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the chapter "User Database" in the Samba HOWTO Collection. + </p><p> + MS Windows clients that expect Microsoft encrypted passwords and that + do not have plain text password support enabled will be able to + connect only to a Samba server that has encrypted password support + enabled and for which the user accounts have a valid encrypted password. + Refer to the smbpasswd command man page for information regarding the + creation of encrypted passwords for user accounts. + </p><p> + The use of plain text passwords is NOT advised as support for this feature + is no longer maintained in Microsoft Windows products. If you want to use + plain text passwords you must set this parameter to no. + </p><p>In order for encrypted passwords to work correctly + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either + have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up + and maintain this file), or set the <a class="indexterm" name="id315792"></a>security = [server|domain|ads] parameter which + causes <code class="literal">smbd</code> to authenticate against another + server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>encrypt passwords</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENHANCEDBROWSING"></a>enhanced browsing (G)</span></dt><dd><p>This option enables a couple of enhancements to + cross-subnet browse propagation that have been added in Samba + but which are not standard in Microsoft implementations. + </p><p>The first enhancement to browse propagation consists of a regular + wildcard query to a Samba WINS server for all Domain Master Browsers, + followed by a browse synchronization with each of the returned + DMBs. The second enhancement consists of a regular randomised browse + synchronization with all currently known DMBs.</p><p>You may wish to disable this option if you have a problem with empty + workgroups not disappearing from browse lists. Due to the restrictions + of the browse protocols these enhancements can cause a empty workgroup + to stay around forever which can be annoying.</p><p>In general you should leave this option enabled as it makes + cross-subnet browse propagation much more reliable.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enhanced browsing</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a "port" is fairly foreign + to UNIX hosts. Under Windows NT/2000 print servers, a port + is associated with a port monitor and generally takes the form of + a local port (i.e. LPT1:, COM1:, FILE:) or a remote port + (i.e. LPD Port Monitor, etc...). By default, Samba has only one + port defined--<code class="constant">"Samba Printer Port"</code>. Under + Windows NT/2000, all printers must have a valid port name. + If you wish to have a list of ports displayed (<code class="literal">smbd + </code> does not use a port name for anything) other than + the default <code class="constant">"Samba Printer Port"</code>, you + can define <em class="parameter"><code>enumports command</code></em> to point to + a program which should generate a list of ports, one per line, + to standard output. This listing will then be used in response + to the level 1 and 2 EnumPorts() RPC.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enumports command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>enumports command</code></em> = <code class="literal">/usr/bin/listports</code> +</em></span> +</p></dd><dt><span class="term"><a name="EVENTLOGLIST"></a>eventlog list (G)</span></dt><dd><p>This option defines a list of log names that Samba will + report to the Microsoft EventViewer utility. The listed + eventlogs will be associated with tdb file on disk in the + <code class="filename">$(lockdir)/eventlog</code>. + </p><p> + The administrator must use an external process to parse the normal + Unix logs such as <code class="filename">/var/log/messages</code> + and write then entries to the eventlog tdb files. Refer to the + eventlogadm(8) utility for how to write eventlog entries. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>eventlog list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>eventlog list</code></em> = <code class="literal">Security Application Syslog Apache</code> +</em></span> +</p></dd><dt><span class="term"><a name="FAKEDIRECTORYCREATETIMES"></a>fake directory create times (S)</span></dt><dd><p>NTFS and Windows VFAT file systems keep a create + time for all files and directories. This is not the same as the + ctime - status change time - that Unix keeps, so Samba by default + reports the earliest of the various times Unix does keep. Setting + this parameter for a share causes Samba to always report midnight + 1-1-1980 as the create time for directories.</p><p>This option is mainly used as a compatibility option for + Visual C++ when used against Samba shares. Visual C++ generated + makefiles have the object directory as a dependency for each object + file, and a make rule to create the directory. Also, when NMAKE + compares timestamps it uses the creation time when examining a + directory. Thus the object directory will be created if it does not + exist, but once it does exist it will always have an earlier + timestamp than the object files it contains.</p><p>However, Unix time semantics mean that the create time + reported by Samba will be updated whenever a file is created or + or deleted in the directory. NMAKE finds all object files in + the object directory. The timestamp of the last one built is then + compared to the timestamp of the object directory. If the + directory's timestamp if newer, then all object files + will be rebuilt. Enabling this option + ensures directories always predate their contents and an NMAKE build + will proceed as expected.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fake directory create times</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FAKEOPLOCKS"></a>fake oplocks (S)</span></dt><dd><p>Oplocks are the way that SMB clients get permission + from a server to locally cache file operations. If a server grants + an oplock (opportunistic lock) then the client is free to assume + that it is the only one accessing the file and it will aggressively + cache file data. With some oplock types the client may even cache + file open/close operations. This can give enormous performance benefits. + </p><p>When you set <code class="literal">fake oplocks = yes</code>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will + always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a class="indexterm" name="id316132"></a>oplocks support rather + than this parameter.</p><p>If you enable this option on all read-only shares or + shares that you know will only be accessed from one client at a + time such as physically read-only media like CDROMs, you will see + a big performance improvement on many operations. If you enable + this option on shares where multiple clients may be accessing the + files read-write at the same time you can get data corruption. Use + this option carefully!</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fake oplocks</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FOLLOWSYMLINKS"></a>follow symlinks (S)</span></dt><dd><p> + This parameter allows the Samba administrator to stop <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> from following symbolic links in a particular share. Setting this + parameter to <code class="constant">no</code> prevents any file or directory that is a symbolic link from being + followed (the user will get an error). This option is very useful to stop users from adding a symbolic + link to <code class="filename">/etc/passwd</code> in their home directory for instance. However + it will slow filename lookups down slightly. + </p><p> + This option is enabled (i.e. <code class="literal">smbd</code> will follow symbolic links) by default. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>follow symlinks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCECREATEMODE"></a>force create mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit + permissions that will <span class="emphasis"><em>always</em></span> be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the <em class="parameter"><code>create mask</code></em> + parameter is applied.</p><p>The example below would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force create mode</code></em> = <code class="literal">000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force create mode</code></em> = <code class="literal">0755</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEDIRECTORYMODE"></a>force directory mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit + permissions that will <span class="emphasis"><em>always</em></span> be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter <em class="parameter"><code>directory mask</code></em> is + applied.</p><p>The example below would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force directory mode</code></em> = <code class="literal">000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force directory mode</code></em> = <code class="literal">0755</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEDIRECTORYSECURITYMODE"></a>force directory security mode (S)</span></dt><dd><p> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. + </p><p> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <a class="indexterm" name="id316406"></a>directory security mask, which works in a similar manner to this one, but uses a logical AND instead + of an OR. + </p><p> + Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). + </p><p> + If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>force directory security mode</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force directory security mode</code></em> = <code class="literal">700</code> +</em></span> +</p></dd><dt><span class="term"><a name="GROUP"></a>group</span></dt><dd><p>This parameter is a synonym for force group.</p></dd><dt><span class="term"><a name="FORCEGROUP"></a>force group (S)</span></dt><dd><p>This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files.</p><p>In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting <code class="filename">force group = +sys</code> means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group.</p><p> + If the <a class="indexterm" name="id266502"></a>force user parameter is also set the group specified in + <em class="parameter"><code>force group</code></em> will override the primary group + set in <em class="parameter"><code>force user</code></em>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> = <code class="literal">agroup</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEPRINTERNAME"></a>force printername (S)</span></dt><dd><p>When printing from Windows NT (or later), + each printer in <code class="filename">smb.conf</code> has two + associated names which can be used by the client. The first + is the sharename (or shortname) defined in smb.conf. This + is the only printername available for use by Windows 9x clients. + The second name associated with a printer can be seen when + browsing to the "Printers" (or "Printers and Faxes") folder + on the Samba server. This is referred to simply as the printername + (not to be confused with the <em class="parameter"><code>printer name</code></em> option). + </p><p>When assigning a new driver to a printer on a remote + Windows compatible print server such as Samba, the Windows client + will rename the printer to match the driver name just uploaded. + This can result in confusion for users when multiple + printers are bound to the same driver. To prevent Samba from + allowing the printer's printername to differ from the sharename + defined in smb.conf, set <em class="parameter"><code>force printername = yes</code></em>. + </p><p>Be aware that enabling this parameter may affect migrating + printers from a Windows server to Samba since Windows has no way to + force the sharename and printername to match.</p><p>It is recommended that this parameter's value not be changed + once the printer is in use by clients as this could cause a user + not be able to delete printer connections from their local Printers + folder.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force printername</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCESECURITYMODE"></a>force security mode (S)</span></dt><dd><p> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog box. + </p><p> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <a class="indexterm" name="id316754"></a>security mask, which works similar like this one but uses logical AND instead of OR. + </p><p> + Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, + the user has always set to be on. + </p><p> + If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world + permissions on a file, with no restrictions. + </p><p><span class="emphasis"><em> + Note</em></span> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most + normal systems will probably want to leave this set to 0000. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force security mode</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force security mode</code></em> = <code class="literal">700</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEUNKNOWNACLUSER"></a>force unknown acl user (S)</span></dt><dd><p> + If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or + representation of a user or group id) as the owner or group owner of the file will be silently + mapped into the current UNIX uid or gid of the currently connected user. + </p><p> + This is designed to allow Windows NT clients to copy files and folders containing ACLs that were + created locally on the client machine and contain users local to that machine only (no domain + users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and + groupid of the file owner map to the current connected user. This can only be fixed correctly + when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid. + </p><p> + Try using this parameter when XCOPY /O gives an ACCESS_DENIED error. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force unknown acl user</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEUSER"></a>force user (S)</span></dt><dd><p>This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems.</p><p>This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful.</p><p>In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force user</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force user</code></em> = <code class="literal">auser</code> +</em></span> +</p></dd><dt><span class="term"><a name="FSTYPE"></a>fstype (S)</span></dt><dd><p> + This parameter allows the administrator to configure the string that specifies the type of filesystem a share + is using that is reported by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + when a client queries the filesystem type for a share. The default type is <code class="constant">NTFS</code> for compatibility + with Windows NT but this can be changed to other strings such as <code class="constant">Samba</code> or <code class="constant">FAT</code> + if required. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fstype</code></em> = <code class="literal">NTFS</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>fstype</code></em> = <code class="literal">Samba</code> +</em></span> +</p></dd><dt><span class="term"><a name="GETQUOTACOMMAND"></a>get quota command (G)</span></dt><dd><p>The <code class="literal">get quota command</code> should only be used + whenever there is no operating system API available from the OS that + samba can use.</p><p>This option is only available with <code class="literal">./configure --with-sys-quotas</code>. + Or on linux when <code class="literal">./configure --with-quotas</code> was used and a working quota api + was found in the system.</p><p>This parameter should specify the path to a script that + queries the quota information for the specified + user/group for the partition that + the specified directory is on.</p><p>Such a script should take 3 arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>directory</p></li><li><p>type of query</p></li><li><p>uid of user or gid of group</p></li></ul></div><p>The type of query can be one of :</p><div class="itemizedlist"><ul type="disc"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p>This script should print one line as output with spaces between the arguments. The arguments are: + </p><div class="itemizedlist"><ul type="disc"><li><p>Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)</p></li><li><p>Arg 2 - number of currently used blocks</p></li><li><p>Arg 3 - the softlimit number of blocks</p></li><li><p>Arg 4 - the hardlimit number of blocks</p></li><li><p>Arg 5 - currently used number of inodes</p></li><li><p>Arg 6 - the softlimit number of inodes</p></li><li><p>Arg 7 - the hardlimit number of inodes</p></li><li><p>Arg 8(optional) - the number of bytes in a block(default is 1024)</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>get quota command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>get quota command</code></em> = <code class="literal">/usr/local/sbin/query_quota</code> +</em></span> +</p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the <a class="indexterm" name="id317205"></a>wide smbconfoptions parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G)</span></dt><dd><p>This is a username which will be used for access + to services which are specified as <a class="indexterm" name="id317254"></a>guest ok (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + This user must exist in the password file, but does not require + a valid login. The user account "ftp" is often a good choice + for this parameter. + </p><p>On some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + <code class="literal">su -</code> command) and trying to print using the + system print command such as <code class="literal">lpr(1)</code> or <code class="literal"> + lp(1)</code>.</p><p>This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest account</code></em> = <code class="literal">nobody +# default can be changed at compile-time</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>guest account</code></em> = <code class="literal">ftp</code> +</em></span> +</p></dd><dt><span class="term"><a name="PUBLIC"></a>public</span></dt><dd><p>This parameter is a synonym for guest ok.</p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for + a service, then no password is required to connect to the service. + Privileges will be those of the <a class="indexterm" name="id317373"></a>guest account.</p><p>This paramater nullifies the benifits of setting + <a class="indexterm" name="id317384"></a>restrict anonymous = 2 + </p><p>See the section below on <a class="indexterm" name="id317394"></a>security for more information about this option. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest ok</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest</span></dt><dd><p>This parameter is a synonym for guest only.</p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if <a class="indexterm" name="id317465"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id317476"></a>security for more information about this option. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEDOTFILES"></a>hide dot files (S)</span></dt><dd><p>This is a boolean parameter that controls whether + files starting with a dot appear as hidden files.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide dot files</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEFILES"></a>hide files (S)</span></dt><dd><p>This is a list of files or directories that are not + visible but are accessible. The DOS 'hidden' attribute is applied + to any files or directories that match.</p><p>Each entry in the list must be separated by a '/', + which allows spaces to be included in the entry. '*' + and '?' can be used to specify multiple files or directories + as in DOS wildcards.</p><p>Each entry must be a Unix path, not a DOS path and must + not include the Unix directory separator '/'.</p><p>Note that the case sensitivity option is applicable + in hiding files.</p><p>Setting this parameter will affect the performance of Samba, + as it will be forced to check all files and directories for a match + as they are scanned.</p><p> + The example shown above is based on files that the Macintosh + SMB client (DAVE) available from <a href="http://www.thursby.com" target="_top"> + Thursby</a> creates for internal use, and also still hides + all files beginning with a dot. + </p><p> + An example of us of this parameter is: +</p><pre class="programlisting"> +hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide files</code></em> = <code class="literal"> +# no file are hidden</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDESPECIALFILES"></a>hide special files (S)</span></dt><dd><p> + This parameter prevents clients from seeing special files such as sockets, devices and + fifo's in directory listings. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide special files</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEUNREADABLE"></a>hide unreadable (S)</span></dt><dd><p>This parameter prevents clients from seeing the + existance of files that cannot be read. Defaults to off.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide unreadable</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEUNWRITEABLEFILES"></a>hide unwriteable files (S)</span></dt><dd><p> + This parameter prevents clients from seeing the existance of files that cannot be written to. + Defaults to off. Note that unwriteable directories are shown as usual. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide unwriteable files</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p> + If <a class="indexterm" name="id317755"></a>nis homedir is <code class="constant">yes</code>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting as a Win95/98 <em class="parameter"><code>logon server</code></em> + then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. + At present, only the Sun auto.home map format is understood. The form of the map is: +</p><pre class="programlisting"> +<code class="literal">username server:/some/file/system</code> +</pre><p> + and the program will extract the servername from before the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another automounter) maps. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + A working NIS client is required on the system for this option to work. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>homedir map</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>homedir map</code></em> = <code class="literal">amd.homedir</code> +</em></span> +</p></dd><dt><span class="term"><a name="HOSTMSDFS"></a>host msdfs (G)</span></dt><dd><p> + If set to <code class="constant">yes</code>, Samba will act as a Dfs server, and allow Dfs-aware clients to browse + Dfs trees hosted on the server. + </p><p> + See also the <a class="indexterm" name="id317862"></a>msdfs root share level parameter. For more information on + setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>host msdfs</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="HOSTNAMELOOKUPS"></a>hostname lookups (G)</span></dt><dd><p>Specifies whether samba should use (expensive) + hostname lookups or use the ip addresses instead. An example place + where hostname lookups are currently used is when checking + the <code class="literal">hosts deny</code> and <code class="literal">hosts allow</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = <code class="literal">no</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id317998"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting.</p><p>You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like <code class="literal">allow hosts = 150.203.5.</code>. + The full syntax of the list is described in the man + page <code class="filename">hosts_access(5)</code>. Note that this man + page may not be present on your system, so a brief description will + be given here also.</p><p>Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a <a class="indexterm" name="id318036"></a>hosts deny option.</p><p>You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a + wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><code class="literal">hosts allow = 150.203. EXCEPT 150.203.6.66</code></p><p>Example 2: allow hosts that match the given network/netmask</p><p><code class="literal">hosts allow = 150.203.15.0/255.255.255.0</code></p><p>Example 3: allow a couple of hosts</p><p><code class="literal">hosts allow = lapland, arvidsjaur</code></p><p>Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host</p><p><code class="literal">hosts allow = @foonet</code></p><p><code class="literal">hosts deny = pirate</code></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that access still requires suitable user-level passwords.</p></div><p>See <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> for a way of testing your host access + to see if it does what you expect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts allow</code></em> = <code class="literal"> +# none (i.e., all hosts permitted access)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts allow</code></em> = <code class="literal">150.203.5. myhost.mynet.edu.au</code> +</em></span> +</p></dd><dt><span class="term"><a name="DENYHOSTS"></a>deny hosts</span></dt><dd><p>This parameter is a synonym for hosts deny.</p></dd><dt><span class="term"><a name="HOSTSDENY"></a>hosts deny (S)</span></dt><dd><p>The opposite of <em class="parameter"><code>hosts allow</code></em> + - hosts listed here are <span class="emphasis"><em>NOT</em></span> permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the <em class="parameter"><code>allow</code></em> + list takes precedence.</p><p> + In the event that it is necessary to deny all by default, use the keyword + ALL (or the netmask <code class="literal">0.0.0.0/0</code>) and then explicitly specify + to the <a class="indexterm" name="id318224"></a>hosts allow = hosts allow parameter those hosts + that should be permitted access. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> = <code class="literal"> +# none (i.e., no hosts specifically excluded)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> = <code class="literal">150.203.4. badhost.mynet.edu.au</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPALLOCBACKEND"></a>idmap alloc backend (G)</span></dt><dd><p> + The idmap alloc backend provides a plugin interface for Winbind to use + when allocating Unix uids/gids for Windows SIDs. This option is + to be used in conjunction with the <a class="indexterm" name="id318289"></a>idmap domains + parameter and refers to the name of the idmap module which will provide + the id allocation functionality. Please refer to the man page + for each idmap plugin to determine whether or not the module implements + the allocation feature. The most common plugins are the tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>) + and ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>) libraries. + </p><p>Also refer to the <a class="indexterm" name="id318318"></a>idmap alloc config option. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap alloc backend</code></em> = <code class="literal">tdb</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPALLOCCONFIG"></a>idmap alloc config (G)</span></dt><dd><p> + The idmap alloc config prefix provides a means of managing settings + for the backend defined by the <a class="indexterm" name="id318368"></a>idmap alloc backend + parameter. Refer to the man page for each idmap plugin regarding + specific configuration details. + </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="IDMAPBACKEND"></a>idmap backend (G)</span></dt><dd><p> + The idmap backend provides a plugin interface for Winbind to use + varying backends to store SID/uid/gid mapping tables. This + option is mutually exclusive with the newer and more flexible + <a class="indexterm" name="id318404"></a>idmap domains parameter. The main difference + between the "idmap backend" and the "idmap domains" + is that the former only allows on backend for all domains while the + latter supports configuring backends on a per domain basis. + </p><p>Examples of SID/uid/gid backends include tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>), + ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>), rid (<a href="idmap_rid.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_rid</span>(8)</span></a>), + and ad (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap backend</code></em> = <code class="literal">tdb</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPCACHETIME"></a>idmap cache time (G)</span></dt><dd><p>This parameter specifies the number of seconds that Winbind's + idmap interface will cache positive SID/uid/gid query results. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap cache time</code></em> = <code class="literal">900</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPCONFIG"></a>idmap config (G)</span></dt><dd><p> + The idmap config prefix provides a means of managing each domain + defined by the <a class="indexterm" name="id318526"></a>idmap domains option using Samba's + parameteric option support. The idmap config prefix should be + followed by the name of the domain, a colon, and a setting specific to + the chosen backend. There are three options available for all domains: + </p><div class="variablelist"><dl><dt><span class="term">backend = backend_name</span></dt><dd><p> + Specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. + </p></dd><dt><span class="term">default = [yes|no]</span></dt><dd><p> + The default domain/backend will be used for searching for + users and groups not belonging to one of the explicitly + listed domains (matched by comparing the account SID and the + domain SID). + </p></dd><dt><span class="term">readonly = [yes|no]</span></dt><dd><p> + Mark the domain as readonly which means that no attempts to + allocate a uid or gid (by the <a class="indexterm" name="id318573"></a>idmap alloc backend) for any user or group in that domain + will be attempted. + </p></dd></dl></div><p> + The following example illustrates how to configure the <a href="idmap_ad.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ad</span>(8)</span></a> + for the CORP domain and the <a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a> backend for all other domains. The + TRUSTEDDOMAINS string is simply a key used to reference the "idmap + config" settings and does not represent the actual name of a domain. + </p><pre class="programlisting"> + idmap domains = CORP TRUSTEDDOMAINS + + idmap config CORP:backend = ad + idmap config CORP:readonly = yes + + idmap config TRUSTEDDOMAINS:backend = tdb + idmap config TRUSTEDDOMAINS:default = yes + idmap config TRUSTEDDOMAINS:range = 1000 - 9999 + </pre><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="IDMAPDOMAINS"></a>idmap domains (G)</span></dt><dd><p> + The idmap domains option defines a list of Windows domains which will each + have a separately configured backend for managing Winbind's SID/uid/gid + tables. This parameter is mutually exclusive with the older <a class="indexterm" name="id318641"></a>idmap backend option. + </p><p> + Values consist of the short domain name for Winbind's primary or collection + of trusted domains. You may also use an arbitrary string to represent a catchall + domain backend for any domain not explicitly listed. + </p><p> + Refer to the <a class="indexterm" name="id318656"></a>idmap config for details about + managing the SID/uid/gid backend for each domain. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap domains</code></em> = <code class="literal">default AD CORP</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDGID"></a>winbind gid</span></dt><dd><p>This parameter is a synonym for idmap gid.</p></dd><dt><span class="term"><a name="IDMAPGID"></a>idmap gid (G)</span></dt><dd><p>The idmap gid parameter specifies the range of group ids + that are allocated for the purpose of mapping UNX groups to NT group + SIDs. This range of group ids should have no + existing local or NIS groups within it as strange conflicts can + occur otherwise.</p><p>See also the <a class="indexterm" name="id318734"></a>idmap backend, <a class="indexterm" name="id318741"></a>idmap domains, and <a class="indexterm" name="id318748"></a>idmap config options. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> = <code class="literal">10000-20000</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPNEGATIVECACHETIME"></a>idmap negative cache time (G)</span></dt><dd><p>This parameter specifies the number of seconds that Winbind's + idmap interface will cache negative SID/uid/gid query results. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap negative cache time</code></em> = <code class="literal">120</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid</span></dt><dd><p>This parameter is a synonym for idmap uid.</p></dd><dt><span class="term"><a name="IDMAPUID"></a>idmap uid (G)</span></dt><dd><p> + The idmap uid parameter specifies the range of user ids that are + allocated for use in mapping UNIX users to NT user SIDs. This + range of ids should have no existing local + or NIS users within it as strange conflicts can occur otherwise.</p><p>See also the <a class="indexterm" name="id318876"></a>idmap backend, <a class="indexterm" name="id318883"></a>idmap domains, and <a class="indexterm" name="id318890"></a>idmap config options. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> = <code class="literal">10000-20000</code> +</em></span> +</p></dd><dt><span class="term"><a name="INCLUDE"></a>include (G)</span></dt><dd><p> + This allows you to include one config file inside another. The file is included literally, as though typed + in place. + </p><p> + It takes the standard substitutions, except <em class="parameter"><code>%u</code></em>, + <em class="parameter"><code>%P</code></em> and <em class="parameter"><code>%S</code></em>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>include</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>include</code></em> = <code class="literal">/usr/local/samba/lib/admin_smb.conf</code> +</em></span> +</p></dd><dt><span class="term"><a name="INHERITACLS"></a>inherit acls (S)</span></dt><dd><p>This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + new file or subdirectory in these parent directories. The default + behavior is to use the unix mode specified when creating the directory. + Enabling this option sets the unix mode to 0777, thus guaranteeing that + default directory acls are propagated. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit acls</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="INHERITOWNER"></a>inherit owner (S)</span></dt><dd><p>The ownership of new files and directories + is normally governed by effective uid of the connected user. + This option allows the Samba administrator to specify that + the ownership for new files and directories should be controlled + by the ownership of the parent directory.</p><p>Common scenarios where this behavior is useful is in + implementing drop-boxes where users can create and edit files but not + delete them and to ensure that newly create files in a user's + roaming profile directory are actually owner by the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit owner</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p> + The permissions on new files and directories are normally governed by <a class="indexterm" name="id319114"></a>create mask, + <a class="indexterm" name="id319121"></a>directory mask, <a class="indexterm" name="id319128"></a>force create mode and <a class="indexterm" name="id319135"></a>force directory mode but the boolean inherit permissions parameter overrides this. + </p><p>New directories inherit the mode of the parent directory, + including bits such as setgid.</p><p> + New files inherit their read/write bits from the parent directory. Their execute bits continue to be + determined by <a class="indexterm" name="id319151"></a>map archive, <a class="indexterm" name="id319158"></a>map hidden and <a class="indexterm" name="id319166"></a>map system as usual. + </p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via + inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit permissions</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="INTERFACES"></a>interfaces (G)</span></dt><dd><p>This option allows you to override the default + network interfaces list that Samba will use for browsing, name + registration and other NBT traffic. By default Samba will query + the kernel for the list of all active interfaces and use any + interfaces except 127.0.0.1 that are broadcast capable.</p><p>The option takes a list of interface strings. Each string + can be in any of the following forms:</p><div class="itemizedlist"><ul type="disc"><li><p>a network interface name (such as eth0). + This may include shell-like wildcards so eth* will match + any interface starting with the substring "eth"</p></li><li><p>an IP address. In this case the netmask is + determined from the list of interfaces obtained from the + kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The "mask" parameters can either be a bit length (such + as 24 for a C class network) or a full netmask in dotted + decimal form.</p><p>The "IP" parameters above can either be a full dotted + decimal IP address or a hostname which will be looked up via + the OS's normal hostname resolution mechanisms.</p><p> + By default Samba enables all active interfaces that are broadcast capable + except the loopback adaptor (IP address 127.0.0.1). + </p><p> + The example below configures three network interfaces corresponding + to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. + The netmasks of the latter two interfaces would be set to 255.255.255.0. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>interfaces</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>interfaces</code></em> = <code class="literal">eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</code> +</em></span> +</p></dd><dt><span class="term"><a name="INVALIDUSERS"></a>invalid users (S)</span></dt><dd><p>This is a list of users that should not be allowed + to login to this service. This is really a <span class="emphasis"><em>paranoid</em></span> + check to absolutely ensure an improper setting does not breach + your security.</p><p>A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database.</p><p>A name starting with '+' is interpreted only + by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value <em class="parameter"><code>+&group</code></em> means check the + UNIX group database, followed by the NIS netgroup database, and + the value <em class="parameter"><code>&+group</code></em> means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix).</p><p>The current servicename is substituted for <em class="parameter"><code>%S</code></em>. + This is useful in the [homes] section.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>invalid users</code></em> = <code class="literal"> +# no invalid users</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>invalid users</code></em> = <code class="literal">root fred admin @wheel</code> +</em></span> +</p></dd><dt><span class="term"><a name="IPRINTSERVER"></a>iprint server (G)</span></dt><dd><p> + This parameter is only applicable if <a class="indexterm" name="id319425"></a>printing is set to <code class="constant">iprint</code>. + </p><p> + If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is + necessary if you have virtual samba servers that connect to different CUPS daemons. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>iprint server</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>iprint server</code></em> = <code class="literal">MYCUPSSERVER</code> +</em></span> +</p></dd><dt><span class="term"><a name="KEEPALIVE"></a>keepalive (G)</span></dt><dd><p>The value of the parameter (an integer) represents + the number of seconds between <em class="parameter"><code>keepalive</code></em> + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket + has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id319514"></a>socket options). +Basically you should only use this option if you strike difficulties.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = <code class="literal">300</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = <code class="literal">600</code> +</em></span> +</p></dd><dt><span class="term"><a name="KERNELCHANGENOTIFY"></a>kernel change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should ask the + kernel for change notifications in directories so that + SMB clients can refresh whenever the data on the server changes. + </p><p>This parameter is only used when your kernel supports + change notification to user programs using the inotify interface. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel change notify</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a class="indexterm" name="id319620"></a>oplocks + (currently only IRIX and the Linux 2.4 kernel), this parameter + allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <em class="parameter"><code>oplocks + </code></em> to be broken whenever a local UNIX process or NFS operation + accesses a file that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has oplocked. This allows complete + data consistency between SMB/CIFS, NFS and local file access (and is + a <span class="emphasis"><em>very</em></span> cool feature :-).</p><p>This parameter defaults to <code class="constant">on</code>, but is translated + to a no-op on systems that no not have the necessary kernel support. + You should never need to touch this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel oplocks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LANMANAUTH"></a>lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to + authenticate users or permit password changes + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, but not + Windows 95/98 or the MS DOS network client) will be able to + connect to the Samba host.</p><p>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98/ME or MS DOS clients are advised to disable + this option. </p><p>Unlike the <code class="literal">encrypt + passwords</code> option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the <code class="literal">client lanman + auth</code> to disable this for Samba's clients (such as smbclient)</p><p>If this option, and <code class="literal">ntlm + auth</code> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lanman auth</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> supports the new 64k + streaming read and write varient SMB requests introduced with + Windows 2000. Note that due to Windows 2000 client redirector bugs + this requires Samba to be running on a 64-bit capable operating + system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve + performance by 10% with Windows 2000 clients. Defaults to on. Not as + tested as some other Samba code paths.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>large readwrite</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p> + The <a class="indexterm" name="id319828"></a>ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact + the ldap server when retreiving user account information. The <a class="indexterm" name="id319836"></a>ldap admin dn is used + in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code> + file. See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> + man page for more information on how to accomplish this. + </p><p> + The <a class="indexterm" name="id319862"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id319869"></a>ldap suffix is not appended to the <a class="indexterm" name="id319876"></a>ldap admin dn. + </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete + operation in the ldapsam deletes the complete entry or only the attributes + specific to Samba. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap delete dn</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is + used for groups when these are added to the LDAP directory. + If this parameter is unset, the value of <a class="indexterm" name="id319950"></a>ldap suffix will be used instead. The suffix string is pre-pended to the + <a class="indexterm" name="id319957"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = <code class="literal">ou=Groups</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPIDMAPSUFFIX"></a>ldap idmap suffix (G)</span></dt><dd><p> + This parameters specifies the suffix that is used when storing idmap mappings. If this parameter + is unset, the value of <a class="indexterm" name="id320020"></a>ldap suffix will be used instead. The suffix + string is pre-pended to the <a class="indexterm" name="id320027"></a>ldap suffix string so use a partial DN. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> = <code class="literal">ou=Idmap</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p> + It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of + <a class="indexterm" name="id320089"></a>ldap suffix will be used instead. The suffix string is pre-pended to the + <a class="indexterm" name="id320097"></a>ldap suffix string so use a partial DN. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> = <code class="literal">ou=Computers</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p> + This option is used to define whether or not Samba should sync the LDAP password with the NT + and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password + change via SAMBA. + </p><p> + The <a class="indexterm" name="id320164"></a>ldap passwd sync can be set to one of three values: + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Yes</code></em> = Try + to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>No</code></em> = Update NT and + LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>Only</code></em> = Only update + the LDAP password and let the LDAP server do the rest.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap passwd sync</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPREPLICATIONSLEEP"></a>ldap replication sleep (G)</span></dt><dd><p> + When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. + This server then replicates our changes back to the 'local' server, however the replication might take some seconds, + especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' + that does not immediately change the LDAP back-end's data. + </p><p> + This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly + high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. + Be aware that no checking is performed that the data has actually replicated. + </p><p> + The value is specified in milliseconds, the maximum value is 5000 (5 seconds). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap replication sleep</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSAM:EDITPOSIX"></a>ldapsam:editposix (G)</span></dt><dd><p> + Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller + eliminating the need to set up custom scripts to add and manage the posix users and groups. This option + will instead directly manipulate the ldap tree to create, remove and modify user and group entries. + This option also requires a running winbindd as it is used to allocate new uids/gids on user/group + creation. The allocation range must be therefore configured. + </p><p> + To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly + configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users, + Domain Admins, Domain Guests) can be precreated with the command <code class="literal">net sam + provision</code>. To run this command the ldap server must be running, Winindd must be running and + the smb.conf ldap options must be properly configured. + + The typical ldap setup used with the <a class="indexterm" name="id320317"></a>ldapsam:trusted = yes option + is usually sufficient to use <a class="indexterm" name="id320325"></a>ldapsam:editposix = yes as well. + </p><p> + An example configuration can be the following: + + </p><pre class="programlisting"> + encrypt passwords = true + passdb backend = ldapsam + + ldapsam:trusted=yes + ldapsam:editposix=yes + + ldap admin dn = cn=admin,dc=samba,dc=org + ldap delete dn = yes + ldap group suffix = ou=groups + ldap idmap suffix = ou=idmap + ldap machine suffix = ou=computers + ldap user suffix = ou=users + ldap suffix = dc=samba,dc=org + + idmap backend = ldap:"ldap://localhost" + + idmap uid = 5000-50000 + idmap gid = 5000-50000 + </pre><p> + + This configuration assume the ldap server have been loaded with a base tree like described + in the following ldif: + + </p><pre class="programlisting"> + dn: dc=samba,dc=org + objectClass: top + objectClass: dcObject + objectClass: organization + o: samba.org + dc: samba + + dn: cn=admin,dc=samba,dc=org + objectClass: simpleSecurityObject + objectClass: organizationalRole + cn: admin + description: LDAP administrator + userPassword: secret + + dn: ou=users,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: users + + dn: ou=groups,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: groups + + dn: ou=idmap,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: idmap + + dn: ou=computers,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: computers + </pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:editposix</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSAM:TRUSTED"></a>ldapsam:trusted (G)</span></dt><dd><p> + By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to + access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group + this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he + is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS + counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that + are used to deal with user and group attributes lack such optimization. + </p><p> + To make Samba scale well in large environments, the <a class="indexterm" name="id320404"></a>ldapsam:trusted = yes + option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the + standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are + stored together with the POSIX data in the same LDAP object. If these assumptions are met, + <a class="indexterm" name="id320414"></a>ldapsam:trusted = yes can be activated and Samba can bypass the + NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and + administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries + is easily achieved. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:trusted</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSSL"></a>ldap ssl (G)</span></dt><dd><p>This option is used to define whether or not Samba should + use SSL when connecting to the ldap server + This is <span class="emphasis"><em>NOT</em></span> related to + Samba's previous SSL support which was enabled by specifying the + <code class="literal">--with-ssl</code> option to the <code class="filename">configure</code> + script.</p><p>The <a class="indexterm" name="id320482"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never + use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use + the LDAPv3 StartTLS extended operation (RFC2830) for + communicating with the directory server.</p></li><li><p><em class="parameter"><code>On</code></em> = Use SSL + on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the + backwards-compatiblity <code class="literal">--with-ldapsam</code> option is specified + to configure. See <a class="indexterm" name="id320538"></a>passdb backend</p>. + </li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = <code class="literal">start_tls</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p> + The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id320590"></a>ldap user suffix, + <a class="indexterm" name="id320597"></a>ldap group suffix, <a class="indexterm" name="id320604"></a>ldap machine suffix, and the + <a class="indexterm" name="id320612"></a>ldap idmap suffix. Each of these should be given only a DN relative to the + <a class="indexterm" name="id320619"></a>ldap suffix. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> = <code class="literal">dc=samba,dc=org</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPTIMEOUT"></a>ldap timeout (G)</span></dt><dd><p> + When Samba connects to an ldap server that servermay be down or unreachable. To prevent Samba from hanging whilst + waiting for the connection this parameter specifies in seconds how long Samba should wait before failing the + connect. The default is to only wait fifteen seconds for the ldap server to respond to the connect request. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap timeout</code></em> = <code class="literal">15</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p> + This parameter specifies where users are added to the tree. If this parameter is unset, + the value of <a class="indexterm" name="id320721"></a>ldap suffix will be used instead. The suffix + string is pre-pended to the <a class="indexterm" name="id320729"></a>ldap suffix string so use a partial DN. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> = <code class="literal">ou=people</code> +</em></span> +</p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports + level2 (read-only) oplocks on a share.</p><p>Level2, or read-only oplocks allow Windows NT clients + that have an oplock on a file to downgrade from a read-write oplock + to a read-only oplock once a second client opens the file (instead + of releasing all oplocks on a second open, as in traditional, + exclusive oplocks). This allows all openers of the file that + support level2 oplocks to cache the file for read-ahead only (ie. + they may not cache writes or lock requests) and increases performance + for many accesses of files that are not commonly written (such as + application .EXE files).</p><p>Once one of the clients which have a read-only oplock + writes to the file all clients are notified (no reply is needed + or waited for) and told to break their oplocks to "none" and + delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to + speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p> + Currently, if <a class="indexterm" name="id320816"></a>kernel oplocks are supported then + level2 oplocks are not granted (even if this parameter is set to + <code class="constant">yes</code>). Note also, the <a class="indexterm" name="id320827"></a>oplocks + parameter must be set to <code class="constant">yes</code> on this share in order for + this parameter to have any effect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>level2 oplocks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LMANNOUNCE"></a>lm announce (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will produce Lanman announce + broadcasts that are needed by OS/2 clients in order for them to see + the Samba server in their browse list. This parameter can have three + values, <code class="constant">yes</code>, <code class="constant">no</code>, or + <code class="constant">auto</code>. The default is <code class="constant">auto</code>. + If set to <code class="constant">no</code> Samba will never produce these + broadcasts. If set to <code class="constant">yes</code> Samba will produce + Lanman announce broadcasts at a frequency set by the parameter + <a class="indexterm" name="id320908"></a>lm interval. If set to <code class="constant">auto</code> + Samba will not send Lanman announce broadcasts by default but will + listen for them. If it hears such a broadcast on the wire it will + then start sending them at a frequency set by the parameter + <a class="indexterm" name="id320920"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = <code class="literal">auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce + broadcasts needed by OS/2 clients (see the + <a class="indexterm" name="id320983"></a>lm announce parameter) then this + parameter defines the frequency in seconds with which they will be + made. If this is set to zero then no Lanman announcements will be + made despite the setting of the <a class="indexterm" name="id320992"></a>lm announce + parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = <code class="literal">60</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = <code class="literal">120</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the <a class="indexterm" name="id321055"></a>printers section for + more details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>load printers</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCALMASTER"></a>local master (G)</span></dt><dd><p>This option allows <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to try and become a local master browser + on a subnet. If set to <code class="constant">no</code> then <code class="literal"> + nmbd</code> will not attempt to become a local master browser + on a subnet and will also lose in all browsing elections. By + default this value is set to <code class="constant">yes</code>. Setting this value to + <code class="constant">yes</code> doesn't mean that Samba will <span class="emphasis"><em>become</em></span> the + local master browser on a subnet, just that <code class="literal">nmbd</code> + will <span class="emphasis"><em>participate</em></span> in elections for local master browser.</p><p>Setting this value to <code class="constant">no</code> will cause <code class="literal">nmbd</code> <span class="emphasis"><em>never</em></span> to become a local +master browser.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>local master</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCKDIR"></a>lock dir</span></dt><dd><p>This parameter is a synonym for lock directory.</p></dd><dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock + files will be placed. The lock files are used to implement the + <a class="indexterm" name="id321217"></a>max connections option. + </p><p> + Note: This option can not be set inside registry + configurations. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = <code class="literal">${prefix}/var/locks</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = <code class="literal">/var/run/samba/locks</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCKING"></a>locking (S)</span></dt><dd><p>This controls whether or not locking will be + performed by the server in response to lock requests from the + client.</p><p>If <code class="literal">locking = no</code>, all lock and unlock + requests will appear to succeed and all lock queries will report + that the file in question is available for locking.</p><p>If <code class="literal">locking = yes</code>, real locking will be performed + by the server.</p><p>This option <span class="emphasis"><em>may</em></span> be useful for read-only + filesystems which <span class="emphasis"><em>may</em></span> not need locking (such as + CDROM drives), although setting this parameter of <code class="constant">no</code> + is not really recommended even in this case.</p><p>Be careful about disabling locking either globally or in a + specific service, as lack of locking may result in data corruption. + You should never need to set this parameter.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter has been made inoperative in Samba 3.0.24. + The functionality it contolled is now controlled by the parameter + <a class="indexterm" name="id321351"></a>lock spin time. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin count</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should + keep waiting to see if a failed lock request can + be granted. This parameter has changed in default + value from Samba 3.0.23 from 10 to 200. The associated + <a class="indexterm" name="id321399"></a>lock spin count parameter is + no longer used in Samba 3.0.24. You should not need + to change the value of this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin time</code></em> = <code class="literal">200</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p> + This option allows you to override the name of the Samba log file (also known as the debug file). + </p><p> + This option takes the standard substitutions, allowing you to have separate log files for each user or machine. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>log file</code></em> = <code class="literal">/usr/local/samba/var/log.%m</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGLEVEL"></a>debuglevel</span></dt><dd><p>This parameter is a synonym for log level.</p></dd><dt><span class="term"><a name="LOGLEVEL"></a>log level (G)</span></dt><dd><p> + The value of the parameter (a astring) allows the debug level (logging level) to be specified in the + <code class="filename">smb.conf</code> file. This parameter has been extended since the 2.2.x + series, now it allow to specify the debug level for multiple debug classes. This is to give greater + flexibility in the configuration of the system. + </p><p> + The default will be the log level specified on the command line or level zero if none was specified. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>log level</code></em> = <code class="literal">3 passdb:5 auth:10 winbind:2</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p> + This parameter specifies the local path to which the home directory will be + connected (see <a class="indexterm" name="id321570"></a>logon home) and is only used by NT + Workstations. + </p><p> + Note that this option is only useful if Samba is set up as a logon server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon drive</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon drive</code></em> = <code class="literal">h:</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONHOME"></a>logon home (G)</span></dt><dd><p> + This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do + </p><p> + <code class="prompt">C:\></code><strong class="userinput"><code>NET USE H: /HOME</code></strong> + </p><p> + from a command prompt, for example. + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + </p><p> + This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a + subdirectory of the user's home directory. This is done in the following way: + </p><p> + <code class="literal">logon home = \\%N\%U\profile</code> + </p><p> + This tells Samba to return the above string, with substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does + <code class="literal">net use /home</code> but use the whole string when dealing with profiles. + </p><p> + Note that in prior versions of Samba, the <a class="indexterm" name="id321687"></a>logon path was returned rather than + <em class="parameter"><code>logon home</code></em>. This broke <code class="literal">net use /home</code> + but allowed profiles outside the home directory. The current implementation is correct, and can be used for + profiles if you use the above trick. + </p><p> + Disable this feature by setting <a class="indexterm" name="id321711"></a>logon home = "" - using the empty string. + </p><p> + This option is only useful if Samba is set up as a logon server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon home</code></em> = <code class="literal">\\%N\%U</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon home</code></em> = <code class="literal">\\remote_smb_server\%U</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p> + This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are + stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming + profiles. To find out how to handle roaming profiles for Win 9X system, see the + <a class="indexterm" name="id321780"></a>logon home parameter. + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. It also specifies the directory from which the "Application Data", <code class="filename">desktop</code>, <code class="filename">start menu</code>, <code class="filename">network neighborhood</code>, <code class="filename">programs</code> and other + folders, and their contents, are loaded and displayed on your Windows NT client. + </p><p> + The share and the path must be readable by the user for the preferences and directories to be loaded onto the + Windows NT client. The share must be writeable when the user logs in for the first time, in order that the + Windows NT client can create the NTuser.dat and other directories. + Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable + that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a + <span class="emphasis"><em>MAN</em></span>datory profile). + </p><p> + Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged + in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting + this parameter to \\%N\homes\profile_path will cause problems). + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Do not quote the value. Setting this as “<span class="quote">\\%N\profile\%U</span>” + will break profile handling. Where the tdbsam or ldapsam passdb backend + is used, at the time the user account is created the value configured + for this parameter is written to the passdb backend and that value will + over-ride the parameter value present in the smb.conf file. Any error + present in the passdb backend account record must be editted using the + appropriate tool (pdbedit on the command-line, or any other locally + provided system tool). + </p></div><p>Note that this option is only useful if Samba is set up as a domain controller.</p><p> + Disable the use of roaming profiles by setting the value of this parameter to the empty string. For + example, <a class="indexterm" name="id321857"></a>logon path = "". Take note that even if the default setting + in the smb.conf file is the empty string, any value specified in the user account settings in the passdb + backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use + requires that the user account settings must also be blank. + </p><p> + An example of use is: +</p><pre class="programlisting"> +logon path = \\PROFILESERVER\PROFILE\%U +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon path</code></em> = <code class="literal">\\%N\%U\profile</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONSCRIPT"></a>logon script (G)</span></dt><dd><p> + This parameter specifies the batch file (<code class="filename">.bat</code>) or NT command file + (<code class="filename">.cmd</code>) to be downloaded and run on a machine when a user successfully logs in. The file + must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. + </p><p> + The script must be a relative path to the <em class="parameter"><code>[netlogon]</code></em> service. If the [netlogon] + service specifies a <a class="indexterm" name="id321939"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id321952"></a>logon script = STARTUP.BAT, then the file that will be downloaded is: +</p><pre class="programlisting"> + /usr/local/samba/netlogon/STARTUP.BAT +</pre><p> + </p><p> + The contents of the batch file are entirely your choice. A suggested command would be to add <code class="literal">NET TIME \\SERVER /SET /YES</code>, to force every machine to synchronize clocks with the + same time server. Another use would be to add <code class="literal">NET USE U: \\SERVER\UTILS</code> + for commonly used utilities, or +</p><pre class="programlisting"> +<strong class="userinput"><code>NET USE Q: \\SERVER\ISO9001_QA</code></strong> +</pre><p> + for example. + </p><p> + Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users + write permission on the batch files in a secure environment, as this would allow the batch files to be + arbitrarily modified and security to be breached. + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. + </p><p> + This option is only useful if Samba is set up as a logon server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon script</code></em> = <code class="literal">scripts\%U.bat</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPPAUSECOMMAND"></a>lppause command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to stop printing or spooling + a specific print job.</p><p>This command should be a program or script which takes + a printer name and job number to pause the print job. One way + of implementing this is by using job priorities, where jobs + having a too low priority won't be sent to the printer.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with + the job number (an integer). On HPUX (see <em class="parameter"><code>printing=hpux + </code></em>), if the <em class="parameter"><code>-p%p</code></em> option is added + to the lpq command, the job will show up with the correct status, i.e. + if the job priority is lower than the set fence priority it will + have the PAUSED status, whereas if the priority is equal or higher it + will have the SPOOLED or PRINTING status.</p><p>Note that it is good practice to include the absolute path + in the lppause command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> = <code class="literal"> +# Currently no default value is given to + this string, unless the value of the <a class="indexterm" name="id322120"></a>printing + parameter is <code class="constant">SYSV</code>, in which case the default is : + <code class="literal">lp -i %p-%j -H hold</code> or if the value of the + <em class="parameter"><code>printing</code></em> parameter is + <code class="constant">SOFTQ</code>, then the default is: + <code class="literal">qstat -s -j%j -h</code>. </code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> = <code class="literal">/usr/bin/lpalt %p-%j -p0</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPQCACHETIME"></a>lpq cache time (G)</span></dt><dd><p>This controls how long lpq info will be cached + for to prevent the <code class="literal">lpq</code> command being called too + often. A separate cache is kept for each variation of the <code class="literal"> + lpq</code> command used by the system, so if you use different + <code class="literal">lpq</code> commands for different users then they won't + share cache information.</p><p>The cache files are stored in <code class="filename">/tmp/lpq.xxxx</code> + where xxxx is a hash of the <code class="literal">lpq</code> command in use.</p><p>The default is 30 seconds, meaning that the cached results + of a previous identical <code class="literal">lpq</code> command will be used + if the cached data is less than 30 seconds old. A large value may + be advisable if your <code class="literal">lpq</code> command is very slow.</p><p>A value of 0 will disable caching completely.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpq cache time</code></em> = <code class="literal">30</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lpq cache time</code></em> = <code class="literal">10</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPQCOMMAND"></a>lpq command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to obtain <code class="literal">lpq + </code>-style printer status information.</p><p>This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information.</p><p>Currently nine styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the <em class="parameter"><code>printing =</code></em> option.</p><p>Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command.</p><p>Note that it is good practice to include the absolute path + in the <em class="parameter"><code>lpq command</code></em> as the <code class="envar">$PATH + </code> may not be available to the server. When compiled with + the CUPS libraries, no <em class="parameter"><code>lpq command</code></em> is + needed because smbd will make a library call to obtain the + print queue listing.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpq command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lpq command</code></em> = <code class="literal">/usr/bin/lpq -P%p</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPRESUMECOMMAND"></a>lpresume command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to restart or continue + printing or spooling a specific print job.</p><p>This command should be a program or script which takes + a printer name and job number to resume the print job. See + also the <a class="indexterm" name="id322423"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with + the job number (an integer).</p><p>Note that it is good practice to include the absolute path + in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not + be available to the server.</p><p>See also the <a class="indexterm" name="id322460"></a>printing parameter.</p><p>Default: Currently no default value is given + to this string, unless the value of the <em class="parameter"><code>printing</code></em> + parameter is <code class="constant">SYSV</code>, in which case the default is :</p><p><code class="literal">lp -i %p-%j -H resume</code></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter + is <code class="constant">SOFTQ</code>, then the default is:</p><p><code class="literal">qstat -s -j%j -r</code></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpresume command</code></em> = <code class="literal">lpresume command = /usr/bin/lpalt %p-%j -p2</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPRMCOMMAND"></a>lprm command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to delete a print job.</p><p>This command should be a program or script which takes + a printer name and job number, and deletes the print job.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with + the job number (an integer).</p><p>Note that it is good practice to include the absolute + path in the <em class="parameter"><code>lprm command</code></em> as the PATH may not be + available to the server.</p><p> + Examples of use are: +</p><pre class="programlisting"> +lprm command = /usr/bin/lprm -P%p %j + +or + +lprm command = /usr/bin/cancel %p-%j +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lprm command</code></em> = <code class="literal"> determined by printing parameter</code> +</em></span> +</p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p> + If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id322626"></a>security = domain parameter) then periodically a running smbd process will try and change + the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb + </code>. This parameter specifies how often this password will be changed, in seconds. The default is one + week (expressed in seconds), the same as a Windows NT Domain member server. + </p><p> + See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, + and the <a class="indexterm" name="id322653"></a>security = domain parameter. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = <code class="literal">604800</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p> + This parameter specifies the name of a file which will contain output created by a magic script (see the + <a class="indexterm" name="id322699"></a>magic script parameter below). + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script + </code></em> in the same directory the output file content is undefined. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>magic output</code></em> = <code class="literal"><magic script name>.out</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>magic output</code></em> = <code class="literal">myfile.txt</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAGICSCRIPT"></a>magic script (S)</span></dt><dd><p>This parameter specifies the name of a file which, + if opened, will be executed by the server when the file is closed. + This allows a UNIX script to be sent to the Samba host and + executed on behalf of the connected user.</p><p>Scripts executed in this way will be deleted upon + completion assuming that the user has the appropriate level + of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to + the file specified by the <a class="indexterm" name="id322784"></a>magic output + parameter (see above).</p><p>Note that some shells are unable to interpret scripts + containing CR/LF instead of CR as + the end-of-line marker. Magic scripts must be executable + <span class="emphasis"><em>as is</em></span> on the host, which for some hosts and + some shells will require filtering at the DOS end.</p><p>Magic scripts are <span class="emphasis"><em>EXPERIMENTAL</em></span> and + should <span class="emphasis"><em>NOT</em></span> be relied upon.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>magic script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>magic script</code></em> = <code class="literal">user.csh</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLEDMAP"></a>mangled map (S)</span></dt><dd><p> + This is for those who want to directly map UNIX file names which cannot be represented on + Windows/DOS. The mangling of names is not always what is needed. In particular you may have + documents with file extensions that differ between DOS and UNIX. + For example, under UNIX it is common to use <code class="filename">.html</code> + for HTML files, whereas under Windows/DOS <code class="filename">.htm</code> + is more commonly used. + </p><p> + So to map <code class="filename">html</code> to <code class="filename">htm</code> + you would use: + </p><p> + <a class="indexterm" name="id322898"></a>mangled map = (*.html *.htm). + </p><p> + One very useful case is to remove the annoying <code class="filename">;1</code> off + the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of + (*;1 *;). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangled map</code></em> = <code class="literal"> +# no mangled map</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangled map</code></em> = <code class="literal">(*;1 *;)</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX + should be mapped to DOS-compatible names ("mangled") and made visible, + or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id322975"></a>name mangling for + details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters + before the rightmost dot of the filename are preserved, forced + to upper case, and appear as the first (up to) five characters + of the mangled name.</p></li><li><p>A tilde "~" is appended to the first part of the mangled + name, followed by a two-character unique sequence, based on the + original root name (i.e., the original filename minus its final + extension). The final extension is included in the hash calculation + only if it contains any upper case characters or is longer than three + characters.</p><p>Note that the character to use may be specified using + the <a class="indexterm" name="id323009"></a>mangling char + option, if you don't like '~'.</p></li><li><p>Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores).</p></li></ul></div><p>The two-digit hash value consists of upper case alphanumeric characters.</p><p>This algorithm can cause name collisions only if files + in a directory share the same first five alphanumeric characters. + The probability of such a clash is 1/1300.</p><p>The name mangling (if enabled) allows a file to be + copied between UNIX directories from Windows/DOS while retaining + the long UNIX filename. UNIX files can be renamed to a new extension + from Windows/DOS and will retain the same basename. Mangled names + do not change between sessions.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangled names</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLEPREFIX"></a>mangle prefix (G)</span></dt><dd><p> controls the number of prefix + characters from the original name used when generating + the mangled names. A larger value will give a weaker + hash and therefore more name collisions. The minimum + value is 1 and the maximum value is 6.</p><p> + mangle prefix is effective only when mangling method is hash2. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangle prefix</code></em> = <code class="literal">1</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangle prefix</code></em> = <code class="literal">4</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as + the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id323146"></a>name mangling. The + default is a '~' but this may interfere with some software. Use this option to set + it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = <code class="literal">~</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = <code class="literal">^</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p> controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the algorithm that was used + used in Samba for many years and was the default in Samba 2.2.x "hash2" is + now the default and is newer and considered a better algorithm (generates less collisions) in + the names. Many Win32 applications store the mangled names and so + changing to algorithms must not be done lightly as these applications + may break unless reinstalled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling method</code></em> = <code class="literal">hash2</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangling method</code></em> = <code class="literal">hash</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPACLINHERIT"></a>map acl inherit (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map the 'inherit' and 'protected' + access control entry flags stored in Windows ACLs into an extended attribute + called user.SAMBA_PAI. This parameter only takes effect if Samba is being run + on a platform that supports extended attributes (Linux and IRIX so far) and + allows the Windows 2000 ACL editor to correctly use inheritance with the Samba + POSIX ACL mapping code. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map acl inherit</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPARCHIVE"></a>map archive (S)</span></dt><dd><p> + This controls whether the DOS archive attribute + should be mapped to the UNIX owner execute bit. The DOS archive bit + is set when a file has been modified since its last backup. One + motivation for this option is to keep Samba/your PC from making + any file it touches from becoming executable under UNIX. This can + be quite annoying for shared source code, documents, etc... + </p><p> + Note that this requires the <a class="indexterm" name="id323326"></a>create mask parameter to be set such that owner + execute bit is not masked out (i.e. it must include 100). See the parameter + <a class="indexterm" name="id323334"></a>create mask for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPHIDDEN"></a>map hidden (S)</span></dt><dd><p> + This controls whether DOS style hidden files should be mapped to the UNIX world execute bit. + </p><p> + Note that this requires the <a class="indexterm" name="id323384"></a>create mask to be set such that the world execute + bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id323392"></a>create mask + for details. + </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p> + This controls how the DOS read only attribute should be mapped from a UNIX filesystem. + </p><p> + This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either + <a class="indexterm" name="id323437"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is + present. If <a class="indexterm" name="id323448"></a>store dos attributes is set to <code class="constant">yes</code> then this + parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21. + </p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p> + <code class="constant">Yes</code> - The read only DOS attribute is mapped to the inverse of the user + or owner write bit in the unix permission mode set. If the owner write bit is not set, the + read only attribute is reported as being set on the file. + </p></li><li><p> + <code class="constant">Permissions</code> - The read only DOS attribute is mapped to the effective permissions of + the connecting user, as evaluated by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> by reading the unix permissions and POSIX ACL (if present). + If the connecting user does not have permission to modify the file, the read only attribute + is reported as being set on the file. + </p></li><li><p> + <code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by + the <a class="indexterm" name="id323505"></a>store dos attributes method. This may be useful for exporting mounted CDs. + </p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPSYSTEM"></a>map system (S)</span></dt><dd><p> + This controls whether DOS style system files should be mapped to the UNIX group execute bit. + </p><p> + Note that this requires the <a class="indexterm" name="id323556"></a>create mask to be set such that the group + execute bit is not masked out (i.e. it must include 010). See the parameter + <a class="indexterm" name="id323564"></a>create mask for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id323609"></a>SECURITY = + security modes other than <em class="parameter"><code>security = share</code></em> + and <em class="parameter"><code>security = server</code></em> + - i.e. <code class="constant">user</code>, and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> what to do with user + login requests that don't match a valid UNIX user in some way.</p><p>The four settings are :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">Never</code> - Means user login + requests with an invalid password are rejected. This is the + default.</p></li><li><p><code class="constant">Bad User</code> - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the <a class="indexterm" name="id323673"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins + with an invalid password are treated as a guest login and mapped + into the <a class="indexterm" name="id323690"></a>guest account. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + <span class="emphasis"><em>hate</em></span> you if you set the <em class="parameter"><code>map to + guest</code></em> parameter this way :-).</p></li><li><p><code class="constant">Bad Uid</code> - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface.</p></li></ul></div><p>Note that this parameter is needed to set up "Guest" + share services when using <em class="parameter"><code>security</code></em> modes other than + share and server. This is because in these modes the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. This parameter is not useful with + <em class="parameter"><code>security = server</code></em> as in this security mode + no information is returned about whether a user logon failed due to + a bad username or bad password, the same error is returned from a modern server + in both cases.</p><p>For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the <code class="constant"> + GUEST_SESSSETUP</code> value in local.h.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = <code class="literal">Never</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = <code class="literal">Bad User</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXCONNECTIONS"></a>max connections (S)</span></dt><dd><p>This option allows the number of simultaneous connections to a service to be limited. + If <em class="parameter"><code>max connections</code></em> is greater than 0 then connections + will be refused if this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in + the directory specified by the <a class="indexterm" name="id323827"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = <code class="literal">10</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXDISKSIZE"></a>max disk size (G)</span></dt><dd><p>This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size.</p><p>Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in <em class="parameter"><code>max + disk size</code></em>.</p><p>This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size.</p><p>A <em class="parameter"><code>max disk size</code></em> of 0 means no limit.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max disk size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max disk size</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXLOGSIZE"></a>max log size (G)</span></dt><dd><p> + This option (an integer in kilobytes) specifies the max size the log file should grow to. + Samba periodically checks the size and if it is exceeded it will rename the file, adding + a <code class="filename">.old</code> extension. + </p><p>A size of 0 means no limit. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max log size</code></em> = <code class="literal">5000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max log size</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXMUX"></a>max mux (G)</span></dt><dd><p>This option controls the maximum number of + outstanding simultaneous SMB operations that Samba tells the client + it will allow. You should never need to set this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max mux</code></em> = <code class="literal">50</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXOPENFILES"></a>max open files (G)</span></dt><dd><p>This parameter limits the maximum number of + open files that one <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file.</p><p>The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max open files</code></em> = <code class="literal">10000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXPRINTJOBS"></a>max print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of + jobs allowable in a Samba printer queue at any given moment. + If this number is exceeded, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will remote "Out of Space" to the client. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max print jobs</code></em> = <code class="literal">1000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max print jobs</code></em> = <code class="literal">5000</code> +</em></span> +</p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol</span></dt><dd><p>This parameter is a synonym for max protocol.</p></dd><dt><span class="term"><a name="MAXPROTOCOL"></a>max protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the highest + protocol level that will be supported by the server.</p><p>Possible values are :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">CORE</code>: Earliest version. No + concept of user names.</p></li><li><p><code class="constant">COREPLUS</code>: Slight improvements on + CORE for efficiency.</p></li><li><p><code class="constant">LANMAN1</code>: First <span class="emphasis"><em> + modern</em></span> version of the protocol. Long filename + support.</p></li><li><p><code class="constant">LANMAN2</code>: Updates to Lanman1 protocol.</p></li><li><p><code class="constant">NT1</code>: Current up to date version of the protocol. + Used by Windows NT. Known as CIFS.</p></li></ul></div><p>Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max protocol</code></em> = <code class="literal">NT1</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max protocol</code></em> = <code class="literal">LANMAN1</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXREPORTEDPRINTJOBS"></a>max reported print jobs (S)</span></dt><dd><p> + This parameter limits the maximum number of jobs displayed in a port monitor for + Samba printer queue at any given moment. If this number is exceeded, the excess + jobs will not be shown. A value of zero means there is no limit on the number of + print jobs reported. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max reported print jobs</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max reported print jobs</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXSMBDPROCESSES"></a>max smbd processes (G)</span></dt><dd><p>This parameter limits the maximum number of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> processes concurrently running on a system and is intended + as a stopgap to prevent degrading service to clients in the event that the server has insufficient + resources to handle more than this number of connections. Remember that under normal operating + conditions, each user will have an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> associated with him or her to handle connections to all + shares from a given host.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max smbd processes</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max smbd processes</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXSTATCACHESIZE"></a>max stat cache size (G)</span></dt><dd><p>This parameter limits the size in memory of any + <em class="parameter"><code>stat cache</code></em> being used + to speed up case insensitive name mappings. This parameter is + the number of kilobyte (1024) units the stat cache can use. + A value of zero means unlimited which is not advised aѕ it can + use a lot of memory. + You should not need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max stat cache size</code></em> = <code class="literal">256</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max stat cache size</code></em> = <code class="literal">100</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXTTL"></a>max ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> what the default 'time to live' + of NetBIOS names should be (in seconds) when <code class="literal">nmbd</code> is + requesting a name using either a broadcast packet or from a WINS server. You should + never need to change this parameter. The default is 3 days.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max ttl</code></em> = <code class="literal">259200</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server + (<a class="indexterm" name="id324595"></a>wins support = yes) what the maximum + 'time to live' of NetBIOS names that <code class="literal">nmbd</code> + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max wins ttl</code></em> = <code class="literal">518400</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size + that will be negotiated by Samba. The default is 16644, which + matches the behavior of Windows 2000. A value below 2048 is likely to cause problems. + You should never need to change this parameter from its default value. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = <code class="literal">16644</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = <code class="literal">8192</code> +</em></span> +</p></dd><dt><span class="term"><a name="MESSAGECOMMAND"></a>message command (G)</span></dt><dd><p>This specifies what command to run when the + server receives a WinPopup style message.</p><p>This would normally be a command that would + deliver the message somehow. How this is to be done is + up to your imagination.</p><p>An example is: +</p><pre class="programlisting"> +<code class="literal">message command = csh -c 'xedit %s;rm %s' &</code> +</pre><p> + </p><p>This delivers the message using <code class="literal">xedit</code>, then + removes it afterwards. <span class="emphasis"><em>NOTE THAT IT IS VERY IMPORTANT + THAT THIS COMMAND RETURN IMMEDIATELY</em></span>. That's why I + have the '&' on the end. If it doesn't return immediately then + your PCs may freeze when sending messages (they should recover + after 30 seconds, hopefully).</p><p>All messages are delivered as the global guest user. + The command takes the standard substitutions, although <em class="parameter"><code> + %u</code></em> won't work (<em class="parameter"><code>%U</code></em> may be better + in this case).</p><p>Apart from the standard substitutions, some additional + ones apply. In particular:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%s</code></em> = the filename containing + the message.</p></li><li><p><em class="parameter"><code>%t</code></em> = the destination that + the message was sent to (probably the server name).</p></li><li><p><em class="parameter"><code>%f</code></em> = who the message + is from.</p></li></ul></div><p>You could make this command send mail, or whatever else + takes your fancy. Please let us know of any really interesting + ideas you have.</p><p> + Here's a way of sending the messages as mail to root: +</p><pre class="programlisting"> +<code class="literal">message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s</code> +</pre><p> + </p><p>If you don't have a message command then the message + won't be delivered and Samba will tell the sender there was + an error. Unfortunately WfWg totally ignores the error code + and carries on regardless, saying that the message was delivered. + </p><p> + If you want to silently delete it then try: +</p><pre class="programlisting"> +<code class="literal">message command = rm %s</code> +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>message command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>message command</code></em> = <code class="literal">csh -c 'xedit %s; rm %s' &</code> +</em></span> +</p></dd><dt><span class="term"><a name="MINPRINTSPACE"></a>min print space (S)</span></dt><dd><p>This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min print space</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>min print space</code></em> = <code class="literal">2000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the + lowest SMB protocol dialect than Samba will support. Please refer + to the <a class="indexterm" name="id324954"></a>max protocol + parameter for a list of valid protocol names and a brief description + of each. You may also wish to refer to the C source code in + <code class="filename">source/smbd/negprot.c</code> for a listing of known protocol + dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should + also refer to the <a class="indexterm" name="id324973"></a>lanman auth parameter. Otherwise, you should never need + to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = <code class="literal">CORE</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = <code class="literal">NT1</code> +</em></span> +</p></dd><dt><span class="term"><a name="MINRECEIVEFILESIZE"></a>min receivefile size (G)</span></dt><dd><p>This option changes the behavior of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when processing SMBwriteX calls. Any incoming +SMBwriteX call on a non-signed SMB/CIFS connection greater than this value will not be processed in the normal way but will +be passed to any underlying kernel recvfile or splice system call (if there is no such +call Samba will emulate in user space). This allows zero-copy writes directly from network +socket buffers into the filesystem buffer cache, if available. It may improve performance +but user testing is recommended. If set to zero Samba processes SMBwriteX calls in the +normal way. To enable POSIX large write support (SMB/CIFS writes up to 16Mb) this option must be +nonzero. The maximum value is 128k. Values greater than 128k will be silently set to 128k.</p><p>Note this option will have NO EFFECT if set on a SMB signed connection.</p><p>The default is zero, which diables this option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min receivefile size</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> + when acting as a WINS server (<a class="indexterm" name="id325104"></a>wins support = yes) what the minimum 'time to live' + of NetBIOS names that <code class="literal">nmbd</code> will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min wins ttl</code></em> = <code class="literal">21600</code> +</em></span> +</p></dd><dt><span class="term"><a name="MSDFSPROXY"></a>msdfs proxy (S)</span></dt><dd><p>This parameter indicates that the share is a + stand-in for another CIFS share whose location is specified by + the value of the parameter. When clients attempt to connect to + this share, they are redirected to the proxied share using + the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the + <a class="indexterm" name="id325163"></a>msdfs root and <a class="indexterm" name="id325170"></a>host msdfs + options to find out how to set up a Dfs root share.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>msdfs proxy</code></em> = <code class="literal">\otherserver\someshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="MSDFSROOT"></a>msdfs root (S)</span></dt><dd><p>If set to <code class="constant">yes</code>, Samba treats the + share as a Dfs root and allows clients to browse the + distributed file system tree rooted at the share directory. + Dfs links are specified in the share directory by symbolic + links of the form <code class="filename">msdfs:serverA\\shareA,serverB\\shareB</code> + and so on. For more information on setting up a Dfs tree on + Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>msdfs root</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before + entries in samba's hostname resolve cache time out. If + the timeout is set to 0. the caching is disabled. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>name cache timeout</code></em> = <code class="literal">660</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>name cache timeout</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="NAMERESOLVEORDER"></a>name resolve order (G)</span></dt><dd><p>This option is used by the programs in the Samba + suite to determine what naming services to use and in what order + to resolve host names to IP addresses. Its main purpose to is to + control how netbios name resolution is performed. The option takes a space + separated string of name resolution options.</p><p>The options are: "lmhosts", "host", + "wins" and "bcast". They cause names to be + resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p> + <code class="constant">lmhosts</code> : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then + any name type matches for lookup. + </p></li><li><p> + <code class="constant">host</code> : Do a standard host name to IP address resolution, using the system + <code class="filename">/etc/hosts </code>, NIS, or DNS lookups. This method of name resolution is + operating system depended for instance on IRIX or Solaris this may be controlled by the <code class="filename">/etc/nsswitch.conf</code> file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). The latter case is only + useful for active directory domains and results in a DNS query for the SRV RR entry matching + _ldap._tcp.domain. + </p></li><li><p><code class="constant">wins</code> : Query a name with + the IP address listed in the <a class="indexterm" name="id325382"></a>WINSSERVER parameter. If no WINS server has + been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code> : Do a broadcast on + each of the known local interfaces listed in the <a class="indexterm" name="id325399"></a>interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet.</p></li></ul></div><p>The example below will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup.</p><p>When Samba is functioning in ADS security mode (<code class="literal">security = ads</code>) + it is advised to use following settings for <em class="parameter"><code>name resolve order</code></em>:</p><p><code class="literal">name resolve order = wins bcast</code></p><p>DC lookups will still be done via DNS, but fallbacks to netbios names will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>name resolve order</code></em> = <code class="literal">lmhosts host wins bcast</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>name resolve order</code></em> = <code class="literal">lmhosts bcast host</code> +</em></span> +</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that nmbd will + advertise as additional names by which the Samba server is known. This allows one machine + to appear in browse lists under multiple names. If a machine is acting as a browse server + or logon server none of these names will be advertised as either browse server or logon + servers, only the primary name of the machine will be advertised with these capabilities. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios aliases</code></em> = <code class="literal"> +# empty string (no additional names)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>netbios aliases</code></em> = <code class="literal">TEST TEST1 TEST2</code> +</em></span> +</p></dd><dt><span class="term"><a name="NETBIOSNAME"></a>netbios name (G)</span></dt><dd><p> + This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of + the hosts DNS name) will be the name that these services are advertised under. + </p><p> + There is a bug in Samba-3 that breaks operation of browsing and access to shares if the netbios name + is set to the literal name <code class="literal">PIPE</code>. To avoid this problem, do not name your Samba-3 + server <code class="literal">PIPE</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios name</code></em> = <code class="literal"> +# machine DNS name</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>netbios name</code></em> = <code class="literal">MYNAME</code> +</em></span> +</p></dd><dt><span class="term"><a name="NETBIOSSCOPE"></a>netbios scope (G)</span></dt><dd><p>This sets the NetBIOS scope that Samba will + operate under. This should not be set unless every machine + on your LAN also sets this value.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios scope</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="NISHOMEDIR"></a>nis homedir (G)</span></dt><dd><p>Get the home share server from a NIS map. For + UNIX systems that use an automounter, the user's home directory + will often be mounted on a workstation on demand from a remote + server. </p><p>When the Samba logon server is not the actual home directory + server, but is mounting the home directories via NFS then two + network hops would be required to access the users home directory + if the logon server told the client to use itself as the SMB server + for home directories (one over SMB and one over NFS). This can + be very slow.</p><p>This option allows Samba to return the home share as + being on a different server to the logon server and as + long as a Samba daemon is running on the home directory server, + it will be mounted on the Samba client directly from the directory + server. When Samba is returning the home share to the client, it + will consult the NIS map specified in + <a class="indexterm" name="id325685"></a>homedir map and return the server + listed there.</p><p>Note that for this option to work there must be a working + NIS system and the Samba server with this option must also + be a logon server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nis homedir</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map + UNIX permissions into Windows NT access control lists. The UNIX + permissions considered are the the traditional UNIX owner and + group permissions, as well as POSIX ACLs set on any files or + directories. This parameter was formally a global parameter in + releases prior to 2.2.2.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt acl support</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to + authenticate users using the NTLM encrypted password response. + If disabled, either the lanman password hash or an NTLMv2 response + will need to be sent by the client.</p><p>If this option, and <code class="literal">lanman + auth</code> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ntlm auth</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTPIPESUPPORT"></a>nt pipe support (G)</span></dt><dd><p>This boolean parameter controls whether + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow Windows NT + clients to connect to the NT SMB specific <code class="constant">IPC$</code> + pipes. This is a developer debugging option and can be left + alone.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt pipe support</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTSTATUSSUPPORT"></a>nt status support (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will negotiate NT specific status + support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. + If this option is set to <code class="constant">no</code> then Samba offers + exactly the same DOS error codes that versions prior to Samba 2.2.3 + reported.</p><p>You should not need to ever disable this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt status support</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NULLPASSWORDS"></a>null passwords (G)</span></dt><dd><p>Allow or disallow client access to accounts that have null passwords. </p><p>See also <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>null passwords</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="OBEYPAMRESTRICTIONS"></a>obey pam restrictions (G)</span></dt><dd><p>When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of <a class="indexterm" name="id326002"></a>encrypt passwords = yes. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>obey pam restrictions</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ONLYUSER"></a>only user (S)</span></dt><dd><p>This is a boolean option that controls whether + connections with usernames not in the <em class="parameter"><code>user</code></em> + list will be allowed. By default this option is disabled so that a + client can supply a username to be used by the server. Enabling + this parameter will force the server to only use the login + names from the <em class="parameter"><code>user</code></em> list and is only really + useful in <a class="indexterm" name="id326064"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use <code class="literal">user = + %S</code> which means your <em class="parameter"><code>user</code></em> list + will be just the service name, which for home directories is the + name of the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>only user</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="OPLOCKBREAKWAITTIME"></a>oplock break wait time (G)</span></dt><dd><p> + This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too + quickly when that client issues an SMB that can cause an oplock break request, then the network client can + fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount + of time Samba will wait before sending an oplock break request to such (broken) clients. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplock break wait time</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="OPLOCKCONTENTIONLIMIT"></a>oplock contention limit (S)</span></dt><dd><p> + This is a <span class="emphasis"><em>very</em></span> advanced <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> tuning option to improve the efficiency of the + granting of oplocks under multiple client contention for the same file. + </p><p> + In brief it specifies a number, which causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>not to grant an oplock even when requested if the + approximate number of clients contending for an oplock on the same file goes over this + limit. This causes <code class="literal">smbd</code> to behave in a similar + way to Windows NT. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplock contention limit</code></em> = <code class="literal">2</code> +</em></span> +</p></dd><dt><span class="term"><a name="OPLOCKS"></a>oplocks (S)</span></dt><dd><p> + This boolean option tells <code class="literal">smbd</code> whether to + issue oplocks (opportunistic locks) to file open requests on this + share. The oplock code can dramatically (approx. 30% or more) improve + the speed of access to files on Samba servers. It allows the clients + to aggressively cache files locally and you may want to disable this + option for unreliable network environments (it is turned on by + default in Windows NT Servers). For more information see the file + <code class="filename">Speed.txt</code> in the Samba + <code class="filename">docs/</code> directory. + </p><p> + Oplocks may be selectively turned off on certain files with a share. See + the <a class="indexterm" name="id326275"></a>veto oplock files parameter. On some systems + oplocks are recognized by the underlying operating system. This + allows data synchronization between all access to oplocked files, + whether it be via Samba or NFS or a local UNIX process. See the + <a class="indexterm" name="id326284"></a>kernel oplocks parameter for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplocks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="OS2DRIVERMAP"></a>os2 driver map (G)</span></dt><dd><p>The parameter is used to define the absolute + path to a file containing a mapping of Windows NT printer driver + names to OS/2 printer driver names. The format is:</p><p><nt driver name> = <os2 driver name>.<device name></p><p>For example, a valid entry using the HP LaserJet 5 + printer driver would appear as <code class="literal">HP LaserJet 5L = LASERJET.HP + LaserJet 5L</code>.</p><p> + The need for the file is due to the printer driver namespace problem described in + the chapter on Classical Printing in the Samba3-HOWTO book. For more + details on OS/2 clients, please refer to chapter on other clients in the Samba3-HOWTO book. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>os2 driver map</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p> + This integer value controls what level Samba advertises itself as for browse elections. The value of this + parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id326397"></a>workgroup in the local broadcast area. +</p><p><span class="emphasis"><em> + Note:</em></span> By default, Samba will win a local master browsing election over all Microsoft operating + systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can + effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 + release series and it is seldom necessary to manually override the default setting. Please refer to + chapter 9 of the Samba-3 HOWTO document for further information regarding the use of this parameter. + <span class="emphasis"><em>Note:</em></span> The maximum value for this parameter is 255. If you use higher values, counting + will start at 0! + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>os level</code></em> = <code class="literal">20</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>os level</code></em> = <code class="literal">65</code> +</em></span> +</p></dd><dt><span class="term"><a name="PAMPASSWORDCHANGE"></a>pam password change (G)</span></dt><dd><p>With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + <a class="indexterm" name="id326476"></a>passwd program. + It should be possible to enable this without changing your + <a class="indexterm" name="id326484"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a + system command to be called when either <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> or <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> crashes. This is usually used to + draw attention to the fact that a problem occurred. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>panic action</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>panic action</code></em> = <code class="literal">"/bin/sleep 90000"</code> +</em></span> +</p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some version of NT 4.x allow non-guest + users with a bad passowrd. When this option is enabled, samba will not + use a broken NT 4.x server as password server, but instead complain + to the logs and exit. + </p><p>Disabling this option prevents Samba from making + this check, which involves deliberatly attempting a + bad logon to the remote server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>paranoid server security</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd><p>This option allows the administrator to chose which backend + will be used for storing user and possibly group information. This allows + you to swap between dfferent storage mechanisms without recompile. </p><p>The parameter value is divided into two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character.</p><p>Available backends can include: + </p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">smbpasswd</code> - The default smbpasswd + backend. Takes a path to the smbpasswd file as an optional argument. + </p></li><li><p><code class="literal">tdbsam</code> - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the <a class="indexterm" name="id326681"></a>private dir directory.</p></li><li><p><code class="literal">ldapsam</code> - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + <code class="literal">ldap://localhost</code>)</p><p>LDAP connections should be secured where possible. This may be done using either + Start-TLS (see <a class="indexterm" name="id326710"></a>ldap ssl) or by + specifying <em class="parameter"><code>ldaps://</code></em> in + the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your + LDAP libraries supports the LDAP URL notation. + (OpenLDAP does). + </p></li></ul></div><p> + + </p> + Examples of use are: +<pre class="programlisting"> +passdb backend = tdbsam:/etc/samba/private/passdb.tdb + +or + +passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com" +</pre><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb backend</code></em> = <code class="literal">smbpasswd</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSDBEXPANDEXPLICIT"></a>passdb expand explicit (G)</span></dt><dd><p> + This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We + used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable + %G_osver% in which %G would have been substituted by the user's primary group. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span> + conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the + <a class="indexterm" name="id326839"></a>passwd program and what to expect back. If the expected output is not + received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id326855"></a>unix password sync parameter is set to <code class="constant">yes</code>. This sequence is + then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. In the presence of + NIS/YP, this means that the <a class="indexterm" name="id326872"></a>passwd program must + be executed on the NIS master. + </p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted + for the new password. The old passsword (<em class="parameter"><code>%o</code></em>) is only available when + <a class="indexterm" name="id326895"></a>encrypt passwords has been disabled. + The chat sequence can also contain the standard macros + \n, \r, \t and \s to give line-feed, carriage-return, tab + and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can + be used to collect strings with spaces in them into a single + string.</p><p>If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id326913"></a>pam password change parameter is set to <code class="constant">yes</code>, the + chat pairs may be matched in any order, and success is determined by the PAM result, not any particular + output. The \n macro is ignored for PAM conversions. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = <code class="literal">*new*password* %n\n*new*password* %n\n *changed*</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = <code class="literal">"*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script + parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the + strings passed to and received from the passwd chat are printed + in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a + <a class="indexterm" name="id326995"></a>debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the <code class="literal">smbd</code> log. It is available to help + Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts + when calling the <em class="parameter"><code>passwd program</code></em> and should + be turned off after this has been done. This option has no effect if the + <a class="indexterm" name="id327022"></a>pam password change + parameter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial + answer from a passwd chat script being run. Once the initial answer is received + the subsequent answers must be received in one tenth of this time. The default it + two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = <code class="literal">2</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set + UNIX user passwords. Any occurrences of <em class="parameter"><code>%u</code></em> + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.</p><p>Also note that many passwd programs insist in <span class="emphasis"><em>reasonable + </em></span> passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.</p><p><span class="emphasis"><em>Note</em></span> that if the <em class="parameter"><code>unix + password sync</code></em> parameter is set to <code class="constant">yes + </code> then this program is called <span class="emphasis"><em>AS ROOT</em></span> + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then + <code class="literal">smbd</code> will fail to change the SMB password also + (this is by design).</p><p>If the <em class="parameter"><code>unix password sync</code></em> parameter + is set this parameter <span class="emphasis"><em>MUST USE ABSOLUTE PATHS</em></span> + for <span class="emphasis"><em>ALL</em></span> programs called, and must be examined + for security implications. Note that by default <em class="parameter"><code>unix + password sync</code></em> is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd program</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd program</code></em> = <code class="literal">/bin/passwd %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWORDLEVEL"></a>password level (G)</span></dt><dd><p>Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! Another problem child is the Windows 95/98 + family of operating systems. These clients upper case clear + text passwords even when NT LM 0.12 selected by the protocol + negotiation request/response.</p><p>This parameter defines the maximum number of characters + that may be upper case in passwords.</p><p>For example, say the password given was "FRED". If <em class="parameter"><code> + password level</code></em> is set to 1, the following combinations + would be tried if "FRED" failed:</p><p>"Fred", "fred", "fRed", "frEd","freD"</p><p>If <em class="parameter"><code>password level</code></em> was set to 2, + the following combinations would also be tried: </p><p>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</p><p>And so on.</p><p>The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection.</p><p>A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case.</p><p>This parameter is used only when using plain-text passwords. It is + not at all used when encrypted passwords as in use (that is the default + since samba-3.0.0). Use this only when <a class="indexterm" name="id327287"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = <code class="literal">4</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWORDSERVER"></a>password server (G)</span></dt><dd><p>By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using <code class="literal">security = [ads|domain|server]</code> + it is possible to get Samba to + to do all its username/password validation using a specific remote server.</p><p>This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections.</p><p>If parameter is a name, it is looked up using the + parameter <a class="indexterm" name="id327369"></a>name resolve order and so may resolved + by any method and order described in that parameter.</p><p>The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Using a password server means your UNIX box (running + Samba) is only as secure as your password server. <span class="emphasis"><em>DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</em></span>. + </p></div><p>Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server!</p><p>The name of the password server takes the standard + substitutions, but probably the only useful one is <em class="parameter"><code>%m + </code></em>, which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow!</p><p>If the <em class="parameter"><code>security</code></em> parameter is set to + <code class="constant">domain</code> or <code class="constant">ads</code>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using <code class="literal"> + security = domain</code> is that if you list several hosts in the + <em class="parameter"><code>password server</code></em> option then <code class="literal">smbd + </code> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</p><p>If the <em class="parameter"><code>password server</code></em> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <code class="constant">WORKGROUP<1C></code> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </p><p>If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.</p><p>If the <em class="parameter"><code>security</code></em> parameter is + set to <code class="constant">server</code>, then there are different + restrictions that <code class="literal">security = domain</code> doesn't + suffer from:</p><div class="itemizedlist"><ul type="disc"><li><p>You may list several password servers in + the <em class="parameter"><code>password server</code></em> parameter, however if an + <code class="literal">smbd</code> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <code class="literal">smbd</code>. This is a + restriction of the SMB/CIFS protocol when in <code class="literal">security = server + </code> mode and cannot be fixed in Samba.</p></li><li><p>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <code class="literal"> + security = server</code> mode the network logon will appear to + come from there rather than from the users workstation.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">NT-PDC, NT-BDC1, NT-BDC2, *</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">windc.mydomain.com:389 192.168.1.101 *</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">*</code> +</em></span> +</p></dd><dt><span class="term"><a name="DIRECTORY"></a>directory</span></dt><dd><p>This parameter is a synonym for path.</p></dd><dt><span class="term"><a name="PATH"></a>path (S)</span></dt><dd><p>This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing.</p><p>For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise.</p><p>Any occurrences of <em class="parameter"><code>%u</code></em> in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of <em class="parameter"><code>%m</code></em> + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id327672"></a>root dir + if one was specified.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>path</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>path</code></em> = <code class="literal">/home/fred</code> +</em></span> +</p></dd><dt><span class="term"><a name="PIDDIRECTORY"></a>pid directory (G)</span></dt><dd><p> + This option specifies the directory where pid files will be placed. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pid directory</code></em> = <code class="literal">${prefix}/var/locks</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>pid directory</code></em> = <code class="literal">pid directory = /var/run/</code> +</em></span> +</p></dd><dt><span class="term"><a name="POSIXLOCKING"></a>posix locking (S)</span></dt><dd><p> + The <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + daemon maintains an database of file locks obtained by SMB clients. The default behavior is + to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are + consistent with those seen by POSIX compliant applications accessing the files via a non-SMB + method (e.g. NFS or local file access). You should never need to disable this parameter. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>posix locking</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="POSTEXEC"></a>postexec (S)</span></dt><dd><p>This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems.</p><p>An interesting example may be to unmount server + resources:</p><p><code class="literal">postexec = /etc/umount /cdrom</code></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = <code class="literal">echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log</code> +</em></span> +</p></dd><dt><span class="term"><a name="EXEC"></a>exec</span></dt><dd><p>This parameter is a synonym for preexec.</p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example:</p><p> + <code class="literal">preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & </code> + </p><p>Of course, this could get annoying after a while :-)</p><p> + See also <a class="indexterm" name="id327950"></a>preexec close and <a class="indexterm" name="id327957"></a>postexec. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = <code class="literal">echo \"%u connected to %S from %m (%I)\" >> /tmp/log</code> +</em></span> +</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p> + This boolean option controls whether a non-zero return code from <a class="indexterm" name="id328019"></a>preexec + should close the service being connected to. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master</span></dt><dd><p>This parameter is a synonym for preferred master.</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p> + This boolean parameter controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> is a preferred master browser for its workgroup. + </p><p> + If this is set to <code class="constant">yes</code>, on startup, <code class="literal">nmbd</code> will force + an election, and it will have a slight advantage in winning the election. It is recommended that this + parameter is used in conjunction with <a class="indexterm" name="id328108"></a>domain master = yes, so that + <code class="literal">nmbd</code> can guarantee becoming a domain master. + </p><p> + Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) + that are preferred master browsers on the same subnet, they will each periodically and continuously attempt + to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing + capabilities. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preferred master</code></em> = <code class="literal">auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services</span></dt><dd><p>This parameter is a synonym for preload.</p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be + automatically added to the browse lists. This is most useful + for homes and printers services that would otherwise not be + visible.</p><p> + Note that if you just want all printers in your + printcap file loaded then the <a class="indexterm" name="id328193"></a>load printers + option is easier. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = <code class="literal">fred lp colorlp</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = <code class="literal">/usr/lib/samba/passdb/mysql.so</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p> + This controls if new filenames are created with the case that the client passes, or if + they are forced to be the <a class="indexterm" name="id328311"></a>default case. + </p><p> + See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preserve case</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTOK"></a>print ok</span></dt><dd><p>This parameter is a synonym for printable.</p></dd><dt><span class="term"><a name="PRINTABLE"></a>printable (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code>, then + clients may open, write to and submit spool files on the directory + specified for the service. </p><p>Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The <a class="indexterm" name="id328500"></a>read only parameter controls only non-printing access to + the resource.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printable</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTCAPCACHETIME"></a>printcap cache time (G)</span></dt><dd><p>This option specifies the number of seconds before the printing + subsystem is again asked for the known printers. If the value + is greater than 60 the initial waiting time is set to 60 seconds + to allow an earlier first rescan of the printing subsystem. + </p><p>Setting this parameter to 0 disables any rescanning for new + or removed printers after the initial startup. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printcap cache time</code></em> = <code class="literal">750</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printcap cache time</code></em> = <code class="literal">600</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTCAP"></a>printcap</span></dt><dd><p>This parameter is a synonym for printcap name.</p></dd><dt><span class="term"><a name="PRINTCAPNAME"></a>printcap name (S)</span></dt><dd><p> + This parameter may be used to override the compiled-in default printcap name used by the server (usually + <code class="filename"> /etc/printcap</code>). See the discussion of the <a href="#PRINTERSSECT" title="The [printers] section">[printers]</a> section above for reasons why you might want to do this. + </p><p> + To use the CUPS printing interface set <code class="literal">printcap name = cups </code>. This should + be supplemented by an addtional setting <a class="indexterm" name="id328654"></a>printing = cups in the [global] + section. <code class="literal">printcap name = cups</code> will use the "dummy" printcap + created by CUPS, as specified in your CUPS configuration file. + </p><p> + On System V systems that use <code class="literal">lpstat</code> to + list available printers you can use <code class="literal">printcap name = lpstat + </code> to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If <em class="parameter"><code> + printcap name</code></em> is set to <code class="literal">lpstat</code> on + these systems then Samba will launch <code class="literal">lpstat -v</code> and + attempt to parse the output to obtain a printer list. + </p><p> + A minimal printcap file would look something like this: +</p><pre class="programlisting"> +print1|My Printer 1 +print2|My Printer 2 +print3|My Printer 3 +print4|My Printer 4 +print5|My Printer 5 +</pre><p> + where the '|' separates aliases of a printer. The fact that the second alias has a space in + it gives a hint to Samba that it's a comment. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Under AIX the default printcap name is <code class="filename">/etc/qconfig</code>. Samba will + assume the file is in AIX <code class="filename">qconfig</code> format if the string <code class="filename">qconfig</code> appears in the printcap filename. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>printcap name</code></em> = <code class="literal">/etc/printcap</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printcap name</code></em> = <code class="literal">/etc/myprintcap</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTCOMMAND"></a>print command (S)</span></dt><dd><p>After a print job has finished spooling to + a service, this command will be used via a <code class="literal">system()</code> + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files.</p><p>The print command is simply a text string. It will be used + verbatim after macro substitutions have been made:</p><p>%s, %f - the path to the spool + file name</p><p>%p - the appropriate printer + name</p><p>%J - the job + name as transmitted by the client.</p><p>%c - The number of printed pages + of the spooled job (if known).</p><p>%z - the size of the spooled + print job (in bytes)</p><p>The print command <span class="emphasis"><em>MUST</em></span> contain at least + one occurrence of <em class="parameter"><code>%s</code></em> or <em class="parameter"><code>%f + </code></em> - the <em class="parameter"><code>%p</code></em> is optional. At the time + a job is submitted, if no printer name is supplied the <em class="parameter"><code>%p + </code></em> will be silently removed from the printer command.</p><p>If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified.</p><p>If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the + <code class="constant">nobody</code> account. If this happens then create + an alternative guest account that can print and set the <a class="indexterm" name="id328877"></a>guest account + in the [global] section.</p><p>You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts.</p><p><code class="literal">print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s</code></p><p>You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the <a class="indexterm" name="id328903"></a>printing + parameter.</p><p>Default: For <code class="literal">printing = BSD, AIX, QNX, LPRNG + or PLP :</code></p><p><code class="literal">print command = lpr -r -P%p %s</code></p><p>For <code class="literal">printing = SYSV or HPUX :</code></p><p><code class="literal">print command = lp -c -d%p %s; rm %s</code></p><p>For <code class="literal">printing = SOFTQ :</code></p><p><code class="literal">print command = lp -d%p -s %s; rm %s</code></p><p>For printing = CUPS : If SAMBA is compiled against + libcups, then <a class="indexterm" name="id328959"></a>printcap = cups + uses the CUPS API to + submit jobs, etc. Otherwise it maps to the System V + commands with the -oraw option for printing, i.e. it + uses <code class="literal">lp -c -d%p -oraw; rm %s</code>. + With <code class="literal">printing = cups</code>, + and if SAMBA is compiled against libcups, any manually + set print command will be ignored.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>print command</code></em> = <code class="literal">/usr/local/samba/bin/myprintscript %p %s</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTERADMIN"></a>printer admin (S)</span></dt><dd><p> + This lists users who can do anything to printers + via the remote administration interfaces offered + by MS-RPC (usually using a NT workstation). + This parameter can be set per-share or globally. + Note: The root user always has admin rights. Use + caution with use in the global stanza as this can + cause side effects. + </p><p> + This parameter has been marked deprecated in favor + of using the SePrintOperatorPrivilege and individual + print security descriptors. It will be removed in a future release. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer admin</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printer admin</code></em> = <code class="literal">admin, @staff</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTER"></a>printer</span></dt><dd><p>This parameter is a synonym for printer name.</p></dd><dt><span class="term"><a name="PRINTERNAME"></a>printer name (S)</span></dt><dd><p> + This parameter specifies the name of the printer to which print jobs spooled through a printable service + will be sent. + </p><p> + If specified in the [global] section, the printer name given will be used for any printable service that + does not have its own printer name specified. + </p><p> + The default value of the <a class="indexterm" name="id329116"></a>printer name may be <code class="literal">lp</code> on many + systems. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = <code class="literal">none</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = <code class="literal">laserwriter</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTING"></a>printing (S)</span></dt><dd><p>This parameters controls how printer status information is + interpreted on your system. It also affects the default values for + the <em class="parameter"><code>print command</code></em>, <em class="parameter"><code>lpq command</code></em>, <em class="parameter"><code>lppause command </code></em>, <em class="parameter"><code>lpresume command</code></em>, and <em class="parameter"><code>lprm command</code></em> if specified in the + [global] section.</p><p>Currently nine printing styles are supported. They are + <code class="constant">BSD</code>, <code class="constant">AIX</code>, + <code class="constant">LPRNG</code>, <code class="constant">PLP</code>, + <code class="constant">SYSV</code>, <code class="constant">HPUX</code>, + <code class="constant">QNX</code>, <code class="constant">SOFTQ</code>, + and <code class="constant">CUPS</code>.</p><p>To see what the defaults are for the other print + commands when using the various options use the <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> program.</p><p>This option can be set on a per printer basis. Please be + aware however, that you must place any of the various printing + commands (e.g. print command, lpq command, etc...) after defining + the value for the <em class="parameter"><code>printing</code></em> option since it will + reset the printing commands to default values.</p><p>See also the discussion in the <a href="#PRINTERSSECT" title="The [printers] section"> + [printers]</a> section.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="PRINTJOBUSERNAME"></a>printjob username (S)</span></dt><dd><p>This parameter specifies which user information will be + passed to the printing system. Usually, the username is sent, + but in some cases, e.g. the domain prefix is useful, too.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printjob username</code></em> = <code class="literal">%U</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printjob username</code></em> = <code class="literal">%D\%U</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRIVATEDIR"></a>private dir (G)</span></dt><dd><p>This parameters defines the directory + smbd will use for storing such files as <code class="filename">smbpasswd</code> + and <code class="filename">secrets.tdb</code>. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>private dir</code></em> = <code class="literal">${prefix}/private</code> +</em></span> +</p></dd><dt><span class="term"><a name="PROFILEACLS"></a>profile acls (S)</span></dt><dd><p> + This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. + </p><p> + When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile. + </p><p> + Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>profile acls</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="QUEUEPAUSECOMMAND"></a>queuepause command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to pause the printer queue.</p><p>This command should be a program or script which takes + a printer name as its only parameter and stops the printer queue, + such that no longer jobs are submitted to the printer.</p><p>This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. Otherwise it is placed at the end of the command. + </p><p>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>queuepause command</code></em> = <code class="literal">disable %p</code> +</em></span> +</p></dd><dt><span class="term"><a name="QUEUERESUMECOMMAND"></a>queueresume command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to resume the printer queue. It + is the command to undo the behavior that is caused by the + previous parameter (<a class="indexterm" name="id329545"></a>queuepause command).</p><p>This command should be a program or script which takes + a printer name as its only parameter and resumes the printer queue, + such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command.</p><p>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>queueresume command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>queueresume command</code></em> = <code class="literal">enable %p</code> +</em></span> +</p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p> + This is a list of users that are given read-only access to a service. If the connecting user is in this list + then they will not be given write access, no matter what the <a class="indexterm" name="id329631"></a>read only option is set + to. The list can include group names using the syntax described in the <a class="indexterm" name="id329639"></a>invalid users + parameter. + </p><p>This parameter will not work with the <a class="indexterm" name="id329650"></a>security = share in + Samba 3.0. This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = <code class="literal">mary, @students</code> +</em></span> +</p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id329711"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users + of a service may not create or modify files in the service's + directory.</p><p>Note that a printable service (<code class="literal">printable = yes</code>) + will <span class="emphasis"><em>ALWAYS</em></span> allow writing to the directory + (user privileges permitting), but only via spooling operations.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read only</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="READRAW"></a>read raw (G)</span></dt><dd><p>This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients.</p><p>If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + </p><p>However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads.</p><p>In general this parameter should be viewed as a system tuning + tool and left severely alone.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read raw</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="REALM"></a>realm (G)</span></dt><dd><p>This option specifies the kerberos realm to use. The realm is + used as the ADS equivalent of the NT4 <code class="literal">domain</code>. It + is usually set to the DNS name of the kerberos server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>realm</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>realm</code></em> = <code class="literal">mysambabox.mycompany.com</code> +</em></span> +</p></dd><dt><span class="term"><a name="REGISTRYSHARES"></a>registry shares (G)</span></dt><dd><p> + This turns on or off support for share definitions read from + registry. Shares defined in <span class="emphasis"><em>smb.conf</em></span> take + precedence over shares with the same name defined in + registry. See the section on registry-based configuration + for details. + </p><p> + Note that this parameter defaults to <span class="emphasis"><em>no</em></span>, + but it is set to <span class="emphasis"><em>yes</em></span> when + <em class="parameter"><code>config bakend</code></em> is set + to <span class="emphasis"><em>registry</em></span>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>registry shares</code></em> = <code class="literal">no</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>registry shares</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="REMOTEANNOUNCE"></a>remote announce (G)</span></dt><dd><p> + This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name. + </p><p> + This is useful if you want your Samba server to appear in a remote workgroup for + which the normal browse propagation rules don't work. The remote workgroup can be + anywhere that you can send IP packets to. + </p><p> + For example: +</p><pre class="programlisting"> +<code class="literal">remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code> +</pre><p> + the above line would cause <code class="literal">nmbd</code> to announce itself + to the two given IP addresses using the given workgroup names. If you leave out the + workgroup name then the one given in the <a class="indexterm" name="id330010"></a>workgroup parameter + is used instead. + </p><p> + The IP addresses you choose would normally be the broadcast addresses of the remote + networks, but can also be the IP addresses of known browse masters if your network + config is that stable. + </p><p> + See the chapter on Network Browsing in the Samba-HOWTO book. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>remote announce</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p> + This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically request + synchronization of browse lists with the master browser of a Samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-Samba servers. + </p><p> + This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to. + </p><p> + For example: +</p><pre class="programlisting"> +<em class="parameter"><code>remote browse sync = 192.168.2.255 192.168.4.255</code></em> +</pre><p> + the above line would cause <code class="literal">nmbd</code> to request the master browser on the + specified subnets or addresses to synchronize their browse lists with + the local server. + </p><p> + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on its segment. + </p><p> + The <a class="indexterm" name="id330111"></a>remote browse sync may be used on networks + where there is no WINS server, and may be used on disjoint networks where + each network has its own WINS server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>remote browse sync</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="RENAMEUSERSCRIPT"></a>rename user script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run as root by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> under special circumstances described below. + </p><p> + When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager + for Domains), this script will be run to rename the POSIX user. Two variables, <code class="literal">%uold</code> and + <code class="literal">%unew</code>, will be substituted with the old and new usernames, respectively. The script should + return 0 upon successful completion, and nonzero otherwise. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The script has all responsibility to rename all the necessary data that is accessible in this posix method. + This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care + of the contents of their respective files, so the script is responsible only for changing the POSIX username, and + other data that may required for your circumstances, such as home directory. Please also consider whether or + not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes, + because of the potential issues with renaming the LDAP naming attribute. In this case the script is + responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that + needs to change for other applications using the same directory. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>rename user script</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="RESETONZEROVC"></a>reset on zero vc (G)</span></dt><dd><p> + This boolean option controls whether an incoming session setup + should kill other connections coming from the same IP. This matches + the default Windows 2003 behaviour. + + Setting this parameter to yes becomes necessary when you have a flaky + network and windows decides to reconnect while the old connection + still has files with share modes open. These files become inaccessible + over the new connection. + + The client sends a zero VC on the new connection, and Windows 2003 + kills all other connections coming from the same IP. This way the + locked files are accessible again. + + Please be aware that enabling this option will kill connections behind + a masquerading router. + + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>reset on zero vc</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="RESTRICTANONYMOUS"></a>restrict anonymous (G)</span></dt><dd><p>The setting of this parameter determines whether user and + group list information is returned for an anonymous connection. + and mirrors the effects of the +</p><pre class="programlisting"> +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ + Control\LSA\RestrictAnonymous +</pre><p> + registry key in Windows 2000 and Windows NT. When set to 0, user + and group list information is returned to anyone who asks. When set + to 1, only an authenticated user can retrive user and + group list information. For the value 2, supported by + Windows 2000/XP and Samba, no anonymous connections are allowed at + all. This can break third party and Microsoft + applications which expect to be allowed to perform + operations anonymously.</p><p> + The security advantage of using restrict anonymous = 1 is dubious, + as user and group list information can be obtained using other + means. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The security advantage of using restrict anonymous = 2 is removed + by setting <a class="indexterm" name="id330306"></a>guest ok = yes on any share. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>restrict anonymous</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOT"></a>root</span></dt><dd><p>This parameter is a synonym for root directory.</p></dd><dt><span class="term"><a name="ROOTDIR"></a>root dir</span></dt><dd><p>This parameter is a synonym for root directory.</p></dd><dt><span class="term"><a name="ROOTDIRECTORY"></a>root directory (G)</span></dt><dd><p>The server will <code class="literal">chroot()</code> (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + <a class="indexterm" name="id330408"></a>wide smbconfoptions parameter). + </p><p>Adding a <em class="parameter"><code>root directory</code></em> entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the <em class="parameter"><code>root directory</code></em> + option, <span class="emphasis"><em>including</em></span> some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the <em class="parameter"><code>root directory</code></em> tree. In particular + you will need to mirror <code class="filename">/etc/passwd</code> (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root directory</code></em> = <code class="literal">/</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>root directory</code></em> = <code class="literal">/homes/smb</code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOTPOSTEXEC"></a>root postexec (S)</span></dt><dd><p> + This is the same as the <em class="parameter"><code>postexec</code></em> + parameter except that the command is run as root. This is useful for + unmounting filesystems (such as CDROMs) after a connection is closed. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root postexec</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p> + This is the same as the <em class="parameter"><code>preexec</code></em> + parameter except that the command is run as root. This is useful for + mounting filesystems (such as CDROMs) when a connection is opened. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close + </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to + Samba and is one of the most important settings in the <code class="filename"> + smb.conf</code> file.</p><p>The option sets the "security mode bit" in replies to + protocol negotiations with <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server.</p><p>The default is <code class="literal">security = user</code>, as this is + the most common setting needed when talking to Windows 98 and + Windows NT.</p><p>The alternatives are <code class="literal">security = share</code>, + <code class="literal">security = server</code> or <code class="literal">security = domain + </code>.</p><p>In versions of Samba prior to 2.0.0, the default was + <code class="literal">security = share</code> mainly because that was + the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the username and password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as.</p><p>If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + <code class="literal">security = user</code>. If you mostly use usernames + that don't exist on the UNIX box then use <code class="literal">security = + share</code>.</p><p>You should also use <code class="literal">security = share</code> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with <code class="literal">security = user</code>, see + the <a class="indexterm" name="id330741"></a>map to guestparameter for details.</p><p>It is possible to use <code class="literal">smbd</code> in a <span class="emphasis"><em> + hybrid mode</em></span> where it is offers both user and share + level security under different <a class="indexterm" name="id330762"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a <code class="literal">security = share + </code> server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share.</p><p>Note that <code class="literal">smbd</code> <span class="emphasis"><em>ALWAYS</em></span> + uses a valid UNIX user to act on behalf of the client, even in + <code class="literal">security = share</code> level security.</p><p>As clients are not required to send a username to the server + in share level security, <code class="literal">smbd</code> uses several + techniques to determine the correct UNIX user to use on behalf + of the client.</p><p>A list of possible UNIX usernames to match with the given + client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id330838"></a>guest only parameter is set, then all the other + stages are missed and only the <a class="indexterm" name="id330845"></a>guest account username is checked. + </p></li><li><p>Is a username is sent with the share connection + request, then this username (after mapping - see <a class="indexterm" name="id330860"></a>username map), + is added as a potential username. + </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon + </em></span> request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + </p></li><li><p>The name of the service the client requested is + added as a potential username. + </p></li><li><p>The NetBIOS name of the client is added to + the list as a potential username. + </p></li><li><p>Any users on the <a class="indexterm" name="id330900"></a>user list are added as potential usernames. + </p></li></ul></div><p>If the <em class="parameter"><code>guest only</code></em> parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user.</p><p>If the <em class="parameter"><code>guest only</code></em> parameter is + set, or no username can be determined then if the share is marked + as available to the <em class="parameter"><code>guest account</code></em>, then this + guest user will be used, otherwise access is denied.</p><p>Note that it can be <span class="emphasis"><em>very</em></span> confusing + in share-level security as to which UNIX username will eventually + be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the <a class="indexterm" name="id330969"></a>username map + parameter). Encrypted passwords (see the <a class="indexterm" name="id330977"></a>encrypted passwords parameter) can also + be used in this security mode. Parameters such as <a class="indexterm" name="id330985"></a>user and <a class="indexterm" name="id330992"></a>guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <a class="indexterm" name="id331011"></a>guest account. + See the <a class="indexterm" name="id331019"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this + machine into a Windows NT Domain. It expects the <a class="indexterm" name="id331057"></a>encrypted passwords + parameter to be set to <code class="constant">yes</code>. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.</p><p><span class="emphasis"><em>Note</em></span> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.</p><p><span class="emphasis"><em>Note</em></span> that from the client's point + of view <code class="literal">security = domain</code> is the same + as <code class="literal">security = user</code>. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <a class="indexterm" name="id331107"></a>guest account. + See the <a class="indexterm" name="id331114"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id331135"></a>password server parameter and + the <a class="indexterm" name="id331142"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p> + In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an + NT box. If this fails it will revert to <code class="literal">security = user</code>. It expects the + <a class="indexterm" name="id331169"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote + server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in + the Samba HOWTO Collection for details on how to set this up. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This mode of operation has + significant pitfalls since it is more vulnerable to + man-in-the-middle attacks and server impersonation. In particular, + this mode of operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for the duration + of the user's session. Furthermore, if this connection is lost, + there is no way to reestablish it, and futher authentications to the + Samba server may fail (from a single client, till it disconnects). + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>From the client's point of + view <code class="literal">security = server</code> is the + same as <code class="literal">security = user</code>. It + only affects how the server deals with the authentication, it does + not in any way affect what the client sees.</p></div><p><span class="emphasis"><em>Note</em></span> that the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <a class="indexterm" name="id331226"></a>guest account. + See the <a class="indexterm" name="id331234"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id331255"></a>password server parameter and the + <a class="indexterm" name="id331262"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility. </p><p>Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller. </p><p>Read the chapter about Domain Membership in the HOWTO for details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = <code class="literal">USER</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = <code class="literal">DOMAIN</code> +</em></span> +</p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p> + This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the + UNIX permission on a file using the native NT security dialog box. + </p><p> + This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting + any bits not in this mask. Make sure not to mix up this parameter with <a class="indexterm" name="id331354"></a>force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND. + </p><p> + Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the + file permissions regardless of the previous status of this bits on the file. + </p><p> + If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file. + </p><p><span class="emphasis"><em> + Note</em></span> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of + most normal systems will probably want to leave it set to <code class="constant">0777</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = <code class="literal">0777</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = <code class="literal">0770</code> +</em></span> +</p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p> + This controls whether the server offers or even demands the use of the netlogon schannel. + <a class="indexterm" name="id331438"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id331446"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id331453"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel. + This is only the case for Windows NT4 before SP4. + </p><p> + Please note that with this set to <code class="literal">no</code> you will have to apply the WindowsXP + <code class="filename">WinXP_SignOrSeal.reg</code> registry patch found in the docs/registry subdirectory of the Samba distribution tarball. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server schannel</code></em> = <code class="literal">auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>server schannel</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SERVERSIGNING"></a>server signing (G)</span></dt><dd><p>This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span> + and <span class="emphasis"><em>disabled</em></span>. + </p><p>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server signing</code></em> = <code class="literal">Disabled</code> +</em></span> +</p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print + manager and next to the IPC connection in <code class="literal">net view</code>. It + can be any string that you wish to show to your users.</p><p>It also sets what will appear in browse lists next + to the machine name.</p><p>A <em class="parameter"><code>%v</code></em> will be replaced with the Samba + version number.</p><p>A <em class="parameter"><code>%h</code></em> will be replaced with the + hostname.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server string</code></em> = <code class="literal">Samba %v</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>server string</code></em> = <code class="literal">University of GNUs Samba Server</code> +</em></span> +</p></dd><dt><span class="term"><a name="SETDIRECTORY"></a>set directory (S)</span></dt><dd><p> + If <code class="literal">set directory = no</code>, then users of the + service may not use the setdir command to change directory. + </p><p> + The <code class="literal">setdir</code> command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set directory</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SETPRIMARYGROUPSCRIPT"></a>set primary group script (G)</span></dt><dd><p>Thanks to the Posix subsystem in NT a Windows User has a + primary group in addition to the auxiliary groups. This script + sets the primary group in the unix userdatase when an + administrator sets the primary group from the windows user + manager or when fetching a SAM with <code class="literal">net rpc + vampire</code>. <em class="parameter"><code>%u</code></em> will be replaced + with the user whose primary group is to be set. + <em class="parameter"><code>%g</code></em> will be replaced with the group to + set.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set primary group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>set primary group script</code></em> = <code class="literal">/usr/sbin/usermod -g '%g' '%u'</code> +</em></span> +</p></dd><dt><span class="term"><a name="SETQUOTACOMMAND"></a>set quota command (G)</span></dt><dd><p>The <code class="literal">set quota command</code> should only be used + whenever there is no operating system API available from the OS that + samba can use.</p><p>This option is only available if Samba was configured with the argument <code class="literal">--with-sys-quotas</code> or + on linux when <code class="literal">./configure --with-quotas</code> was used and a working quota api + was found in the system. Most packages are configured with these options already.</p><p>This parameter should specify the path to a script that + can set quota for the specified arguments.</p><p>The specified script should take the following arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>1 - quota type + </p><div class="itemizedlist"><ul type="circle"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p> + </p></li><li><p>2 - id (uid for user, gid for group, -1 if N/A)</p></li><li><p>3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)</p></li><li><p>4 - block softlimit</p></li><li><p>5 - block hardlimit</p></li><li><p>6 - inode softlimit</p></li><li><p>7 - inode hardlimit</p></li><li><p>8(optional) - block size, defaults to 1024</p></li></ul></div><p>The script should output at least one line of data on success. And nothing on failure.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set quota command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>set quota command</code></em> = <code class="literal">/usr/local/sbin/set_quota</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of + the <em class="parameter"><code>share modes</code></em> during a file open. These + modes are used by clients to gain exclusive read or write access + to a file.</p><p>These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are + <code class="constant">DENY_DOS</code>, <code class="constant">DENY_ALL</code>, + <code class="constant">DENY_READ</code>, <code class="constant">DENY_WRITE</code>, + <code class="constant">DENY_NONE</code> and <code class="constant">DENY_FCB</code>. + </p><p>This option gives full share compatibility and enabled + by default.</p><p>You should <span class="emphasis"><em>NEVER</em></span> turn this parameter + off as many Windows applications will break if you do so.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>share modes</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p> + This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id332044"></a>default case. + This option can be use with <a class="indexterm" name="id332051"></a>preserve case = yes to permit long filenames + to retain their case, while short names are lowered. + </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>short preserve case</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHOWADDPRINTERWIZARD"></a>show add printer wizard (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support + for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will + appear on Samba hosts in the share listing. Normally this folder will + contain an icon for the MS Add Printer Wizard (APW). However, it is + possible to disable this feature regardless of the level of privilege + of the connected user.</p><p>Under normal circumstances, the Windows NT/2000 client will + open a handle on the printer server with OpenPrinterEx() asking for + Administrator privileges. If the user does not have administrative + access on the print server (i.e is not root or a member of the + <em class="parameter"><code>printer admin</code></em> group), the OpenPrinterEx() + call fails and the client makes another open call with a request for + a lower privilege level. This should succeed, however the APW + icon will not be displayed.</p><p>Disabling the <em class="parameter"><code>show add printer wizard</code></em> + parameter will always cause the OpenPrinterEx() on the server + to fail. Thus the APW icon will never be displayed. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This does not prevent the same user from having + administrative privilege on an individual printer.</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>show add printer wizard</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd><p>This a full path name to a script called by + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should + start a shutdown procedure.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>, + right, this command will be run as user.</p><p>The %z %t %r %f variables are expanded as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%z</code></em> will be substituted with the + shutdown message sent to the server.</p></li><li><p><em class="parameter"><code>%t</code></em> will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure.</p></li><li><p><em class="parameter"><code>%r</code></em> will be substituted with the + switch <span class="emphasis"><em>-r</em></span>. It means reboot after shutdown + for NT.</p></li><li><p><em class="parameter"><code>%f</code></em> will be substituted with the + switch <span class="emphasis"><em>-f</em></span>. It means force the shutdown + even if applications do not respond for NT.</p></li></ul></div><p>Shutdown script example: +</p><pre class="programlisting"> +#!/bin/bash + +$time=0 +let "time/60" +let "time++" + +/sbin/shutdown $3 $4 +$time $1 & +</pre><p> + Shutdown does not return so we need to launch it in background. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>shutdown script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>shutdown script</code></em> = <code class="literal">/usr/local/samba/sbin/shutdown %m %t %r %f</code> +</em></span> +</p></dd><dt><span class="term"><a name="SMBENCRYPT"></a>smb encrypt (S)</span></dt><dd><p>This is a new feature introduced with Samba 3.2 and above. It is an + extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. + SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt + and sign every request/response in a SMB protocol stream. When + enabled it provides a secure method of SMB/CIFS communication, + similar to an ssh protected session, but using SMB/CIFS authentication + to negotiate encryption and signing keys. Currently this is only + supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS + and MacOS/X clients. Windows clients do not support this feature. + </p><p>This controls whether the server offers or requires + the client it talks to to use SMB encryption. Possible values + are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span> + and <span class="emphasis"><em>disabled</em></span>. This may be set on a per-share + basis, but clients may chose to encrypt the entire session, not + just traffic to a specific share. If this is set to mandatory + then all traffic to a share <span class="emphasis"><em>must</em></span> must + be encrypted once the connection has been made to the share. + The server would return "access denied" to all non-encrypted + requests on such a share. Selecting encrypted traffic reduces + throughput as smaller packet sizes must be used (no huge UNIX + style read/writes allowed) as well as the overhead of encrypting + and signing all the data. + </p><p>If SMB encryption is selected, Windows style SMB signing (see + the <a class="indexterm" name="id332354"></a>server signing option) is no longer necessary, + as the GSSAPI flags use select both signing and sealing of the data. + </p><p>When set to auto, SMB encryption is offered, but not enforced. + When set to mandatory, SMB encryption is required and if set + to disabled, SMB encryption can not be negotiated.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>smb encrypt</code></em> = <code class="literal">auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="SMBPASSWDFILE"></a>smb passwd file (G)</span></dt><dd><p>This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba.</p><p> + An example of use is: +</p><pre class="programlisting"> +smb passwd file = /etc/samba/smbpasswd +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>smb passwd file</code></em> = <code class="literal">${prefix}/private/smbpasswd</code> +</em></span> +</p></dd><dt><span class="term"><a name="SMBPORTS"></a>smb ports (G)</span></dt><dd><p>Specifies which ports the server should listen on for SMB traffic.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>smb ports</code></em> = <code class="literal">445 139</code> +</em></span> +</p></dd><dt><span class="term"><a name="SOCKETADDRESS"></a>socket address (G)</span></dt><dd><p>This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration.</p><p>By default Samba will accept connections on any + address.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>socket address</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>socket address</code></em> = <code class="literal">192.168.2.20</code> +</em></span> +</p></dd><dt><span class="term"><a name="SOCKETOPTIONS"></a>socket options (G)</span></dt><dd><p>This option allows you to set socket options + to be used when talking with the client.</p><p>Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned.</p><p>This option will typically be used to tune your Samba server + for optimal performance for your local network. There is no way + that Samba can know what the optimal parameters are for your net, + so you must experiment and choose them yourself. We strongly + suggest you read the appropriate documentation for your operating + system first (perhaps <code class="literal">man + setsockopt</code> will help).</p><p>You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to <a href="mailto:samba-technical@samba.org" target="_top"> + samba-technical@samba.org</a>.</p><p>Any of the supported socket options may be combined + in any way you like, as long as your OS allows it.</p><p>This is the list of socket options currently settable + using this option:</p><div class="itemizedlist"><ul type="disc"><li><p>SO_KEEPALIVE</p></li><li><p>SO_REUSEADDR</p></li><li><p>SO_BROADCAST</p></li><li><p>TCP_NODELAY</p></li><li><p>IPTOS_LOWDELAY</p></li><li><p>IPTOS_THROUGHPUT</p></li><li><p>SO_SNDBUF *</p></li><li><p>SO_RCVBUF *</p></li><li><p>SO_SNDLOWAT *</p></li><li><p>SO_RCVLOWAT *</p></li></ul></div><p>Those marked with a <span class="emphasis"><em>'*'</em></span> take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0.</p><p>To specify an argument use the syntax SOME_OPTION = VALUE + for example <code class="literal">SO_SNDBUF = 8192</code>. Note that you must + not have any spaces before or after the = sign.</p><p>If you are on a local network then a sensible option + might be:</p><p><code class="literal">socket options = IPTOS_LOWDELAY</code></p><p>If you have a local network then you could try:</p><p><code class="literal">socket options = IPTOS_LOWDELAY TCP_NODELAY</code></p><p>If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. </p><p>Note that several of the options may cause your Samba + server to fail completely. Use these options with caution!</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>socket options</code></em> = <code class="literal">TCP_NODELAY</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>socket options</code></em> = <code class="literal">IPTOS_LOWDELAY</code> +</em></span> +</p></dd><dt><span class="term"><a name="STATCACHE"></a>stat cache (G)</span></dt><dd><p>This parameter determines if <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>stat cache</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="STOREDOSATTRIBUTES"></a>store dos attributes (S)</span></dt><dd><p> + If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or + READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such + as occurs with <a class="indexterm" name="id332794"></a>map hidden and <a class="indexterm" name="id332801"></a>map readonly). When set, DOS + attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or + directory. For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id332810"></a>map hidden, + <a class="indexterm" name="id332817"></a>map system, <a class="indexterm" name="id332824"></a>map archive and <a class="indexterm" name="id332831"></a>map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended + attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an + EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for + extended attributes to work, also extended attributes must be compiled into the Linux kernel. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>store dos attributes</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of + disk space allocation in the server. When this is set to <code class="constant">yes</code> + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems.</p><p>When strict allocate is <code class="constant">no</code> the server does sparse + disk block allocation when a file is extended.</p><p>Setting this to <code class="constant">yes</code> can help Samba return + out of quota messages on systems that are restricting the disk quota + of users.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict allocate</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="STRICTLOCKING"></a>strict locking (S)</span></dt><dd><p> + This is an enumerated type that controls the handling of file locking in the server. When this is set to <code class="constant">yes</code>, + the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on + some systems. + </p><p> + When strict locking is set to Auto (the default), the server performs file lock checks only on non-oplocked files. + As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for + inproved performance. + </p><p> + When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them. + </p><p> + Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases, + <code class="literal">strict locking = Auto</code> or + <code class="literal">strict locking = no</code> is acceptable. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict locking</code></em> = <code class="literal">Auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="STRICTSYNC"></a>strict sync (S)</span></dt><dd><p>Many Windows applications (including the Windows 98 explorer + shell) seem to confuse flushing buffer contents to disk with doing + a sync to disk. Under UNIX, a sync call forces the process to be + suspended until the kernel has ensured that all outstanding data in + kernel disk buffers has been safely stored onto stable storage. + This is very slow and should only be done rarely. Setting this + parameter to <code class="constant">no</code> (the default) means that + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> ignores the Windows + applications requests for a sync call. There is only a possibility + of losing data if the operating system itself that Samba is running + on crashes, so there is little danger in this default setting. In + addition, this fixes many performance problems that people have + reported with the new Windows98 explorer shell file copies.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict sync</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SVCCTLLIST"></a>svcctl list (G)</span></dt><dd><p>This option defines a list of init scripts that smbd + will use for starting and stopping Unix services via the Win32 + ServiceControl API. This allows Windows administrators to + utilize the MS Management Console plug-ins to manage a + Unix server running Samba.</p><p>The administrator must create a directory + name <code class="filename">svcctl</code> in Samba's $(libdir) + and create symbolic links to the init scripts in + <code class="filename">/etc/init.d/</code>. The name of the links + must match the names given as part of the <em class="parameter"><code>svcctl list</code></em>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>svcctl list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>svcctl list</code></em> = <code class="literal">cups postfix portmap httpd</code> +</em></span> +</p></dd><dt><span class="term"><a name="SYNCALWAYS"></a>sync always (S)</span></dt><dd><p>This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is <code class="constant">no</code> then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is <code class="constant">yes</code> then every write will be followed by a <code class="literal">fsync() + </code> call to ensure the data is written to disk. Note that + the <em class="parameter"><code>strict sync</code></em> parameter must be set to + <code class="constant">yes</code> in order for this parameter to have + any affect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>sync always</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p> + This parameter maps how Samba debug messages are logged onto the system syslog logging levels. + Samba debug level zero maps onto syslog <code class="constant">LOG_ERR</code>, debug level one maps onto + <code class="constant">LOG_WARNING</code>, debug level two maps onto <code class="constant">LOG_NOTICE</code>, + debug level three maps onto LOG_INFO. All higher levels are mapped to <code class="constant">LOG_DEBUG</code>. + </p><p> + This parameter sets the threshold for sending messages to syslog. Only messages with debug + level less than this value will be sent to syslog. There still will be some + logging to log.[sn]mbd even if <span class="emphasis"><em>syslog only</em></span> is enabled. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog</code></em> = <code class="literal">1</code> +</em></span> +</p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p> + If this parameter is set then Samba debug messages are logged into the system + syslog only, and not to the debug log files. There still will be some + logging to log.[sn]mbd even if <span class="emphasis"><em>syslog only</em></span> is enabled. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT + user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this + parameter to fill in the home directory for that user. If the + string <em class="parameter"><code>%D</code></em> is present it + is substituted with the user's Windows NT domain name. If the + string <em class="parameter"><code>%U</code></em> is present it + is substituted with the user's Windows NT user name.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>template homedir</code></em> = <code class="literal">/home/%D/%U</code> +</em></span> +</p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT + user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this + parameter to fill in the login shell for that user.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="TIMEOFFSET"></a>time offset (G)</span></dt><dd><p>This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>time offset</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>time offset</code></em> = <code class="literal">60</code> +</em></span> +</p></dd><dt><span class="term"><a name="TIMESERVER"></a>time server (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> advertises itself as a time server to Windows +clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>time server</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="UNIXCHARSET"></a>unix charset (G)</span></dt><dd><p>Specifies the charset the unix machine + Samba runs on uses. Samba needs to know this in order to be able to + convert text to the charsets other SMB clients use. + </p><p>This is also the charset Samba will use when specifying arguments + to scripts that it invokes. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix charset</code></em> = <code class="literal">UTF8</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>unix charset</code></em> = <code class="literal">ASCII</code> +</em></span> +</p></dd><dt><span class="term"><a name="UNIXEXTENSIONS"></a>unix extensions (G)</span></dt><dd><p>This boolean parameter controls whether Samba + implments the CIFS UNIX extensions, as defined by HP. + These extensions enable Samba to better serve UNIX CIFS clients + by supporting features such as symbolic links, hard links, etc... + These extensions require a similarly enabled client, and are of + no current use to Windows clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix extensions</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to <code class="constant">yes</code> the program specified in the <em class="parameter"><code>passwd + program</code></em>parameter is called <span class="emphasis"><em>AS ROOT</em></span> - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix password sync</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="UPDATEENCRYPTED"></a>update encrypted (G)</span></dt><dd><p> + This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as they log on. This option allows a site to + migrate from plaintext password authentication (users authenticate with plaintext password over the + wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all users to re-enter their passwords via + smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted + passwords to be made over a longer period. Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to <code class="constant">no</code>. + </p><p> + In order for this parameter to be operative the <a class="indexterm" name="id333687"></a>encrypt passwords parameter must + be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id333698"></a>encrypt passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id333709"></a>update encrypted to work. + </p><p> + Note that even when this parameter is set a user authenticating to <code class="literal">smbd</code> + must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) + passwords. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>update encrypted</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="USECLIENTDRIVER"></a>use client driver (S)</span></dt><dd><p>This parameter applies only to Windows NT/2000 + clients. It has no effect on Windows 95/98/ME clients. When + serving a printer to Windows NT/2000 clients without first installing + a valid printer driver on the Samba host, the client will be required + to install a local printer driver. From this point on, the client + will treat the print as a local printer and not a network printer + connection. This is much the same behavior that will occur + when <code class="literal">disable spoolss = yes</code>. + </p><p>The differentiating factor is that under normal + circumstances, the NT/2000 client will attempt to open the network + printer using MS-RPC. The problem is that because the client + considers the printer to be local, it will attempt to issue the + OpenPrinterEx() call requesting access rights associated with the + logged on user. If the user possesses local administator rights but + not root privilege on the Samba host (often the case), the + OpenPrinterEx() call will fail. The result is that the client will + now display an "Access Denied; Unable to connect" message + in the printer queue window (even though jobs may successfully be + printed). </p><p>If this parameter is enabled for a printer, then any attempt + to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped + to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() + call to succeed. <span class="emphasis"><em>This parameter MUST not be able enabled + on a print share which has valid print driver installed on the Samba + server.</em></span></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use client driver</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="USEKERBEROSKEYTAB"></a>use kerberos keytab (G)</span></dt><dd><p> + Specifies whether Samba should attempt to maintain service principals in the systems + keytab file for <code class="constant">host/FQDN</code> and <code class="constant">cifs/FQDN</code>. + </p><p> + When you are using the heimdal Kerberos libraries, you must also specify the following in + <code class="filename">/etc/krb5.conf</code>: +</p><pre class="programlisting"> +[libdefaults] +default_keytab_name = FILE:/etc/krb5.keytab +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use kerberos keytab</code></em> = <code class="literal">False</code> +</em></span> +</p></dd><dt><span class="term"><a name="USEMMAP"></a>use mmap (G)</span></dt><dd><p>This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to <code class="constant">no</code> by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use mmap</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).</p><p>The <em class="parameter"><code>username</code></em> line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.</p><p>The <em class="parameter"><code>username</code></em> line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + <em class="parameter"><code>username</code></em> line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.</p><p>Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you + can use the <a class="indexterm" name="id334024"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.</p><p>If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take + quite some time, and some clients may time out during the + search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT + USERNAME/PASSWORD VALIDATION</a> for more information on how + this parameter determines access to the services.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = <code class="literal"> +# The guest account if a guest service, + else <empty string>.</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = <code class="literal">fred, mary, jack, jane, @users, @pcgroup</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as <code class="constant">AstrangeUser + </code>.</p><p>This parameter is needed only on UNIX systems that have case + sensitive usernames.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = <code class="literal">5</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p> + This option allows you to specify a file containing a mapping of usernames from the clients to the server. + This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows + machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they + can more easily share files. + </p><p> + Please note that for user or share mode security, the username map is applied prior to validating the user + credentials. Domain member servers (domain or ads) apply the username map after the user has been + successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g. + biddle = DOMAIN\foo). + </p><p> + The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' + followed by a list of usernames on the right. The list of usernames on the right may contain names of the form + @group in which case they will match any UNIX username in that group. The special client name '*' is a + wildcard and matches any name. Each line of the map file may be up to 1023 characters long. + </p><p> + The file is processed on each line by taking the supplied username and comparing it with each username on the + right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it + is replaced with the name on the left. Processing then continues with the next line. + </p><p> + If any line begins with a '#' or a ';' then it is ignored. + </p><p> + If any line begins with an '!' then the processing will stop after that line if a mapping was done by the + line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a + wildcard mapping line later in the file. + </p><p> + For example to map from the name <code class="constant">admin</code> or <code class="constant">administrator</code> to the UNIX + name <code class="constant"> root</code> you would use: +</p><pre class="programlisting"> +<code class="literal">root = admin administrator</code> +</pre><p> + Or to map anyone in the UNIX group <code class="constant">system</code> to the UNIX name <code class="constant">sys</code> you would use: +</p><pre class="programlisting"> +<code class="literal">sys = @system</code> +</pre><p> + </p><p> + You can have as many mappings as you like in a username map file. + </p><p> + If your system supports the NIS NETGROUP option then the netgroup database is checked before the <code class="filename">/etc/group </code> database for matching groups. + </p><p> + You can map Windows usernames that have spaces in them by using double quotes around the name. For example: +</p><pre class="programlisting"> +<code class="literal">tridge = "Andrew Tridgell"</code> +</pre><p> + would map the windows username "Andrew Tridgell" to the unix username "tridge". + </p><p> + The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line: +</p><pre class="programlisting"> +!sys = mary fred +guest = * +</pre><p> + </p><p> + Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and + <code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to + \\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not + <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id334332"></a>password server (if you have one). The password server will receive whatever username the client + supplies without modification. + </p><p> + Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been + mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print + job. + </p><p> + Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from + the username map when performing a kerberos login from a client. However, when looking up a map entry for a + user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent + behavior sometimes even on the same server. + </p><p> + The following functionality is obeyed in version 3.0.8 and later: + </p><p> + When performing local authentication, the username map is applied to the login name before attempting to authenticate + the connection. + </p><p> + When relying upon a external domain controller for validating authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated. + </p><p> + An example of use is: +</p><pre class="programlisting"> +username map = /usr/local/samba/lib/users.map +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map</code></em> = <code class="literal"> +# no username map</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the + <a class="indexterm" name="id334414"></a>username map parameter. This parameter + specifies and external program or script that must accept a single + command line option (the username transmitted in the authentication + request) and return a line line on standard output (the name to which + the account should mapped). In this way, it is possible to store + username map tables in an LDAP or NIS directory services. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = <code class="literal">/etc/samba/scripts/mapusers.sh</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREALLOWGUESTS"></a>usershare allow guests (G)</span></dt><dd><p>This parameter controls whether user defined shares are allowed + to be accessed by non-authenticated users or not. It is the equivalent + of allowing people who can create a share the option of setting + <em class="parameter"><code>guest ok = yes</code></em> in a share + definition. Due to the security sensitive nature of this the default + is set to off.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare allow guests</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREMAXSHARES"></a>usershare max shares (G)</span></dt><dd><p>This parameter specifies the number of user defined shares + that are allowed to be created by users belonging to the group owning the + usershare directory. If set to zero (the default) user defined shares are ignored. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare max shares</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREOWNERONLY"></a>usershare owner only (G)</span></dt><dd><p>This parameter controls whether the pathname exported by + a user defined shares must be owned by the user creating the + user defined share or not. If set to True (the default) then + smbd checks that the directory path being shared is owned by + the user who owns the usershare file defining this share and + refuses to create the share if not. If set to False then no + such check is performed and any directory path may be exported + regardless of who owns it. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare owner only</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREPATH"></a>usershare path (G)</span></dt><dd><p>This parameter specifies the absolute path of the directory on the + filesystem used to store the user defined share definition files. + This directory must be owned by root, and have no access for + other, and be writable only by the group owner. In addition the + "sticky" bit must also be set, restricting rename and delete to + owners of a file (in the same way the /tmp directory is usually configured). + Members of the group owner of this directory are the users allowed to create + usershares. If this parameter is undefined then no user defined + shares are allowed. + </p><p> + For example, a valid usershare directory might be /usr/local/samba/lib/usershares, + set up as follows. + </p><p> + </p><pre class="programlisting"> + ls -ld /usr/local/samba/lib/usershares/ + drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/ + </pre><p> + </p><p> + In this case, only members of the group "power_users" can create user defined shares. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = <code class="literal">NULL</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREPREFIXALLOWLIST"></a>usershare prefix allow list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames + the root of which are allowed to be exported by user defined share definitions. + If the pathname exported doesn't start with one of the strings in this + list the user defined share will not be allowed. This allows the Samba + administrator to restrict the directories on the system that can be + exported by user defined shares. + </p><p> + If there is a "usershare prefix deny list" and also a + "usershare prefix allow list" the deny list is processed + first, followed by the allow list, thus leading to the most + restrictive interpretation. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = <code class="literal">NULL</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = <code class="literal">/home /data /space</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREPREFIXDENYLIST"></a>usershare prefix deny list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames + the root of which are NOT allowed to be exported by user defined share definitions. + If the pathname exported starts with one of the strings in this + list the user defined share will not be allowed. Any pathname not + starting with one of these strings will be allowed to be exported + as a usershare. This allows the Samba administrator to restrict the + directories on the system that can be exported by user defined shares. + </p><p> + If there is a "usershare prefix deny list" and also a + "usershare prefix allow list" the deny list is processed + first, followed by the allow list, thus leading to the most + restrictive interpretation. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = <code class="literal">NULL</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = <code class="literal">/etc /dev /private</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHARETEMPLATESHARE"></a>usershare template share (G)</span></dt><dd><p>User defined shares only have limited possible parameters + such as path, guest ok etc. This parameter allows usershares to + "cloned" from an existing share. If "usershare template share" + is set to the name of an existing share, then all usershares + created have their defaults set from the parameters set on this + share. + </p><p> + The target share may be set to be invalid for real file + sharing by setting the parameter "-valid = False" on the template + share definition. This causes it not to be seen as a real exported + share but to be able to be used as a template for usershares. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = <code class="literal">NULL</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = <code class="literal">template_share</code> +</em></span> +</p></dd><dt><span class="term"><a name="USESENDFILE"></a>use sendfile (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code>, and the <code class="constant">sendfile()</code> + system call is supported by the underlying operating system, then some SMB read calls + (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that + are exclusively oplocked. This may make more efficient use of the system CPU's + and cause Samba to be faster. Samba automatically turns this off for clients + that use protocol levels lower than NT LM 0.12 and when it detects a client is + Windows 9x (using sendfile from Linux will cause these clients to fail). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use sendfile</code></em> = <code class="literal">false</code> +</em></span> +</p></dd><dt><span class="term"><a name="USESPNEGO"></a>use spnego (G)</span></dt><dd><p>This variable controls controls whether samba will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + WindowsXP and Windows2000 clients to agree upon an authentication mechanism. +</p><p> + Unless further issues are discovered with our SPNEGO + implementation, there is no reason this should ever be + disabled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use spnego</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p> + This boolean parameter is only available if Samba has been configured and compiled + with the option <code class="literal">--with-utmp</code>. If set to + <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records + (depending on the UNIX system) whenever a connection is made to a Samba server. + Sites may use this to record the user connecting to a Samba share. + </p><p> + Due to the requirements of the utmp record, we are required to create a unique + identifier for the incoming user. Enabling this option creates an n^2 algorithm + to find this number. This may impede performance on large installations. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has + been configured and compiled with the option <code class="literal"> + --with-utmp</code>. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + <code class="filename">/var/run/utmp</code> on Linux).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = <code class="literal"> +# Determined automatically</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = <code class="literal">/var/run/utmp</code> +</em></span> +</p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is + valid and thus can be used. When this parameter is set to false, + the share will be in no way visible nor accessible. + </p><p> + This option should not be + used by regular users but might be of help to developers. + Samba uses this option internally to mark shares as deleted. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p> + This is a list of users that should be allowed to login to this service. Names starting with + '@', '+' and '&' are interpreted using the same rules as described in the + <em class="parameter"><code>invalid users</code></em> parameter. + </p><p> + If this is empty (the default) then any user can login. If a username is in both this list + and the <em class="parameter"><code>invalid users</code></em> list then access is denied + for that user. + </p><p> + The current servicename is substituted for <em class="parameter"><code>%S</code></em>. + This is useful in the [homes] section. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = <code class="literal"> +# No valid users list (anyone can login) </code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = <code class="literal">greg, @pcusers</code> +</em></span> +</p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p> + This is a list of files and directories that are neither visible nor accessible. Each entry in + the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' + can be used to specify multiple files or directories as in DOS wildcards. + </p><p> + Each entry must be a unix path, not a DOS path and must <span class="emphasis"><em>not</em></span> include the + unix directory separator '/'. + </p><p> + Note that the <a class="indexterm" name="id335230"></a>case sensitive option is applicable in vetoing files. + </p><p> + One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when + trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this + deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id335247"></a>delete veto files + parameter to <em class="parameter"><code>yes</code></em>. + </p><p> + Setting this parameter will affect the performance of Samba, as it will be forced to check all files + and directories for a match as they are scanned. + </p><p> + Examples of use include: +</p><pre class="programlisting"> +; Veto any files containing the word Security, +; any ending in .tmp, and any directory containing the +; word root. +veto files = /*Security*/*.tmp/*root*/ + +; Veto the Apple specific files that a NetAtalk server +; creates. +veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>veto files</code></em> = <code class="literal">No files or directories are vetoed.</code> +</em></span> +</p></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p> + This parameter is only valid when the <a class="indexterm" name="id335315"></a>oplocks + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + <a class="indexterm" name="id335324"></a>veto files parameter. + </p><p> + You might want to do this on files that you know will be heavily contended + for by clients. A good example of this is in the NetBench SMB benchmark + program, which causes heavy client contention for files ending in + <code class="filename">.SEM</code>. To cause Samba not to grant + oplocks on these files you would use the line (either in the [global] + section or in the section for the particular NetBench share. + </p><p> + An example of use is: +</p><pre class="programlisting"> +veto oplock files = /.*SEM/ +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>veto oplock files</code></em> = <code class="literal"> +# No files are vetoed for oplock grants</code> +</em></span> +</p></dd><dt><span class="term"><a name="VFSOBJECT"></a>vfs object</span></dt><dd><p>This parameter is a synonym for vfs objects.</p></dd><dt><span class="term"><a name="VFSOBJECTS"></a>vfs objects (S)</span></dt><dd><p>This parameter specifies the backend names which + are used for Samba VFS I/O operations. By default, normal + disk I/O operations are used but these can be overloaded + with one or more VFS objects. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>vfs objects</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>vfs objects</code></em> = <code class="literal">extd_audit recycle</code> +</em></span> +</p></dd><dt><span class="term"><a name="VOLUME"></a>volume (S)</span></dt><dd><p>This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>volume</code></em> = <code class="literal"> +# the name of the share</code> +</em></span> +</p></dd><dt><span class="term"><a name="WIDELINKS"></a>wide links (S)</span></dt><dd><p>This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported.</p><p>Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wide links</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDCACHETIME"></a>winbind cache time (G)</span></dt><dd><p>This parameter specifies the number of + seconds the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon will cache + user and group information before querying a Windows NT server + again.</p><p> + This does not apply to authentication requests, these are always + evaluated in real time unless the <a class="indexterm" name="id335568"></a>winbind offline logon option has been enabled. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind cache time</code></em> = <code class="literal">300</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be necessary to suppress + the enumeration of groups through the <code class="literal">setgrent()</code>, + <code class="literal">getgrent()</code> and + <code class="literal">endgrent()</code> group of system calls. If + the <em class="parameter"><code>winbind enum groups</code></em> parameter is + <code class="constant">no</code>, calls to the <code class="literal">getgrent()</code> system + call will not return any data. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off group enumeration may cause some programs to behave oddly. </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind enum groups</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be + necessary to suppress the enumeration of users through the <code class="literal">setpwent()</code>, + <code class="literal">getpwent()</code> and + <code class="literal">endpwent()</code> group of system calls. If + the <em class="parameter"><code>winbind enum users</code></em> parameter is + <code class="constant">no</code>, calls to the <code class="literal">getpwent</code> system call + will not return any data. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames. </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind enum users</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDEXPANDGROUPS"></a>winbind expand groups (G)</span></dt><dd><p>This option controls the maximum depth that winbindd + will traverse when flattening nested group memberships + of Windows domain groups. This is different from the + <a class="indexterm" name="id335788"></a>winbind nested groups option + which implements the Windows NT4 model of local group + nesting. The "winbind expand groups" + parameter specifically applies to the membership of + domain groups.</p><p>Be aware that a high value for this parameter can + result in system slowdown as the main parent winbindd daemon + must perform the group unrolling and will be unable to answer + incoming NSS or authentication requests during this time.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind expand groups</code></em> = <code class="literal">1</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDNESTEDGROUPS"></a>winbind nested groups (G)</span></dt><dd><p>If set to yes, this parameter activates the support for nested + groups. Nested groups are also called local groups or + aliases. They work like their counterparts in Windows: Nested + groups are defined locally on any machine (they are shared + between DC's through their SAM) and can contain users and + global groups from any trusted SAM. To be able to use nested + groups, you need to run nss_winbind.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind nested groups</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDNORMALIZENAMES"></a>winbind normalize names (G)</span></dt><dd><p>This parameter controls whether winbindd will replace + whitespace in user and group names with an underscore (_) character. + For example, whether the name "Space Kadet" should be + replaced with the string "space_kadet". + Frequently Unix shell scripts will have difficulty with usernames + contains whitespace due to the default field separator in the shell. + Do not enable this option if the underscore character is used in + account names within your domain + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind normalize names</code></em> = <code class="literal">no</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind normalize names</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDNSSINFO"></a>winbind nss info (G)</span></dt><dd><p>This parameter is designed to control how Winbind retrieves Name + Service Information to construct a user's home directory and login shell. + Currently the following settings are available: + + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>template</code></em> + - The default, using the parameters of <em class="parameter"><code>template + shell</code></em> and <em class="parameter"><code>template homedir</code></em>) + </p></li><li><p><em class="parameter"><code>sfu</code></em> + - When Samba is running in security = ads and your Active Directory + Domain Controller does support the Microsoft "Services for Unix" (SFU) + LDAP schema, winbind can retrieve the login shell and the home + directory attributes directly from your Directory Server. Note that + retrieving UID and GID from your ADS-Server requires to + use <em class="parameter"><code>idmap backend</code></em> = ad + or <em class="parameter"><code>idmap config DOMAIN:backend</code></em> = ad + as well. + </p></li></ul></div><p> + +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind nss info</code></em> = <code class="literal">template</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind nss info</code></em> = <code class="literal">template sfu</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDOFFLINELOGON"></a>winbind offline logon (G)</span></dt><dd><p>This parameter is designed to control whether Winbind should + allow to login with the <em class="parameter"><code>pam_winbind</code></em> + module using Cached Credentials. If enabled, winbindd will store user credentials + from successful logins encrypted in a local cache. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = <code class="literal">false</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = <code class="literal">true</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDREFRESHTICKETS"></a>winbind refresh tickets (G)</span></dt><dd><p>This parameter is designed to control whether Winbind should refresh Kerberos Tickets + retrieved using the <em class="parameter"><code>pam_winbind</code></em> module. + +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = <code class="literal">false</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = <code class="literal">true</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDRPCONLY"></a>winbind rpc only (G)</span></dt><dd><p> + Setting this parameter to <code class="literal">yes</code> forces + winbindd to use RPC instead of LDAP to retrieve information from Domain + Controllers. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind rpc only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDSEPARATOR"></a>winbind separator (G)</span></dt><dd><p>This parameter allows an admin to define the character + used when listing a username of the form of <em class="replaceable"><code>DOMAIN + </code></em>\<em class="replaceable"><code>user</code></em>. This parameter + is only applicable when using the <code class="filename">pam_winbind.so</code> + and <code class="filename">nss_winbind.so</code> modules for UNIX services. + </p><p>Please note that setting this parameter to + causes problems + with group membership at least on glibc systems, as the character + + is used as a special character for NIS in /etc/group.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind separator</code></em> = <code class="literal">'\'</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind separator</code></em> = <code class="literal">+</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDTRUSTEDDOMAINSONLY"></a>winbind trusted domains only (G)</span></dt><dd><p> + This parameter is designed to allow Samba servers that are members + of a Samba controlled domain to use UNIX accounts distributed via NIS, + rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. + Therefore, the user <code class="literal">DOMAIN\user1</code> would be mapped to + the account user1 in /etc/passwd instead of allocating a new uid for him or her. + </p><p> + This parameter is now deprecated in favor of the newer idmap_nss backend. + Refer to the <a class="indexterm" name="id336317"></a>idmap domains smb.conf option and + the <a href="idmap_nss.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_nss</span>(8)</span></a> man page for more information. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind trusted domains only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDUSEDEFAULTDOMAIN"></a>winbind use default domain (G)</span></dt><dd><p>This parameter specifies whether the + <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users + without domain component in their username. Users without a domain + component are treated as is part of the winbindd server's own + domain. While this does not benifit Windows users, it makes SSH, FTP and + e-mail function in a way much closer to the way they + would in a native unix system.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind use default domain</code></em> = <code class="literal">no</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind use default domain</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINSHOOK"></a>wins hook (G)</span></dt><dd><p>When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS.</p><p>The wins hook parameter specifies the name of a script + or executable that will be called as follows:</p><p><code class="literal">wins_hook operation name nametype ttl IP_list</code></p><div class="itemizedlist"><ul type="disc"><li><p>The first argument is the operation and is + one of "add", "delete", or + "refresh". In most cases the operation + can be ignored as the rest of the parameters + provide sufficient information. Note that + "refresh" may sometimes be called when + the name has not previously been added, in that + case it should be treated as an add.</p></li><li><p>The second argument is the NetBIOS name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods.</p></li><li><p>The third argument is the NetBIOS name + type as a 2 digit hexadecimal number. </p></li><li><p>The fourth argument is the TTL (time to live) + for the name in seconds.</p></li><li><p>The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted.</p></li></ul></div><p>An example script that calls the BIND dynamic DNS update + program <code class="literal">nsupdate</code> is provided in the examples + directory of the Samba source code. </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WINSPROXY"></a>wins proxy (G)</span></dt><dd><p>This is a boolean that controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to <code class="constant">yes</code> for some older clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins proxy</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINSSERVER"></a>wins server (G)</span></dt><dd><p>This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP.</p><p>You should point this at your WINS server if you have a + multi-subnetted network.</p><p>If you want to work in multiple namespaces, you can + give every wins server a 'tag'. For each tag, only one + (working) server will be queried for a name. The tag should be + separated from the ip address by a colon. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly.</p></div><p>See the chapter in the Samba3-HOWTO on Network Browsing.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal">mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 + +# For this example when querying a certain name, 192.19.200.1 will + be asked first and if that doesn't respond 192.168.2.61. If either + of those doesn't know the name 192.168.3.199 will be queried.</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal">192.9.200.1 192.168.2.61</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINSSUPPORT"></a>wins support (G)</span></dt><dd><p>This boolean controls if the <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> process in Samba will act as a WINS server. You should + not set this to <code class="constant">yes</code> unless you have a multi-subnetted network and + you wish a particular <code class="literal">nmbd</code> to be your WINS server. + Note that you should <span class="emphasis"><em>NEVER</em></span> set this to <code class="constant">yes</code> + on more than one machine in your network.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WORKGROUP"></a>workgroup (G)</span></dt><dd><p>This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with + the <a class="indexterm" name="id336750"></a>security = domain + setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = <code class="literal">WORKGROUP</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = <code class="literal">MYGROUP</code> +</em></span> +</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id336834"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value, + Samba will create an in-memory cache for each oplocked file + (it does <span class="emphasis"><em>not</em></span> do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it.</p><p>This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (i.e. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs.</p><p>The integer parameter specifies the size of this cache + (per oplocked file) in bytes.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write cache size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>write cache size</code></em> = <code class="literal">262144 +# for a 256k cache size per file</code> +</em></span> +</p></dd><dt><span class="term"><a name="WRITELIST"></a>write list (S)</span></dt><dd><p> + This is a list of users that are given read-write access to a service. If the + connecting user is in this list then they will be given write access, no matter + what the <a class="indexterm" name="id336942"></a>read only option is set to. The list can + include group names using the @group syntax. + </p><p> + Note that if a user is in both the read list and the write list then they will be + given write access. + </p><p> + By design, this parameter will not work with the + <a class="indexterm" name="id336958"></a>security = share in Samba 3.0. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> = <code class="literal">admin, root, @staff</code> +</em></span> +</p></dd><dt><span class="term"><a name="WRITERAW"></a>write raw (G)</span></dt><dd><p>This parameter controls whether or not the server + will support raw write SMB's when transferring data from clients. + You should never need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write raw</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WTMPDIRECTORY"></a>wtmp directory (G)</span></dt><dd><p> + This parameter is only available if Samba has been configured and compiled with the option <code class="literal"> + --with-utmp</code>. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on + the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact + that user info is kept after a user has logged out. + </p><p> + By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually + <code class="filename">/var/run/wtmp</code> on Linux). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = <code class="literal">/var/log/wtmp</code> +</em></span> +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id337116"></a><h2>WARNINGS</h2><p> + Although the configuration file permits service names to contain spaces, your client software may not. + Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility. + </p><p> + On a similar note, many clients - especially DOS clients - limit service names to eight characters. + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has no such + limitation, but attempts to connect from such clients will fail if they truncate the service names. For this + reason you should probably keep your service names down to eight characters in length. + </p><p> + Use of the <code class="literal">[homes]</code> and <code class="literal">[printers]</code> special sections make life + for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme + care when designing these sections. In particular, ensure that the permissions on spool directories are + correct. + </p></div><div class="refsect1" lang="en"><a name="id337159"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id337169"></a><h2>SEE ALSO</h2><p> + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id337249"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. + </p><p> + The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 release by Jeremy Allison. The conversion + to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by + Alexander Bokovoy. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbcacls.1.html b/docs/htmldocs/manpages/smbcacls.1.html new file mode 100644 index 0000000000..ffbf336c0b --- /dev/null +++ b/docs/htmldocs/manpages/smbcacls.1.html @@ -0,0 +1,93 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbcacls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbcacls.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbcacls — Set or get ACLs on an NT file or directory names</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbcacls</code> {//server/share} {filename} [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]</p></div></div><div class="refsect1" lang="en"><a name="id299261"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">smbcacls</code> program manipulates NT Access Control + Lists (ACLs) on SMB file shares. </p></div><div class="refsect1" lang="en"><a name="id266723"></a><h2>OPTIONS</h2><p>The following options are available to the <code class="literal">smbcacls</code> program. + The format of ACLs is described in the section ACL FORMAT </p><div class="variablelist"><dl><dt><span class="term">-a acls</span></dt><dd><p>Add the ACLs specified to the ACL list. Existing + access control entries are unchanged. </p></dd><dt><span class="term">-M acls</span></dt><dd><p>Modify the mask value (permissions) for the ACLs + specified on the command line. An error will be printed for each + ACL specified that was not already present in the ACL list + </p></dd><dt><span class="term">-D acls</span></dt><dd><p>Delete any ACLs specified on the command line. + An error will be printed for each ACL specified that was not + already present in the ACL list. </p></dd><dt><span class="term">-S acls</span></dt><dd><p>This command sets the ACLs on the file with + only the ones specified on the command line. All other ACLs are + erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed. </p></dd><dt><span class="term">-U username</span></dt><dd><p>Specifies a username used to connect to the + specified service. The username may be of the form "username" in + which case the user is prompted to enter in a password and the + workgroup specified in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file is + used, or "username%password" or "DOMAIN\username%password" and the + password and workgroup names are used as provided. </p></dd><dt><span class="term">-C name</span></dt><dd><p>The owner of a file or directory can be changed + to the name given using the <em class="parameter"><code>-C</code></em> option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument. </p><p>This command is a shortcut for -M OWNER:name. + </p></dd><dt><span class="term">-G name</span></dt><dd><p>The group owner of a file or directory can + be changed to the name given using the <em class="parameter"><code>-G</code></em> + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. + </p><p>This command is a shortcut for -M GROUP:name.</p></dd><dt><span class="term">--numeric</span></dt><dd><p>This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format. </p></dd><dt><span class="term">-t</span></dt><dd><p> + Don't actually do anything, only validate the correctness of + the arguments. + </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266940"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id267004"></a><h2>ACL FORMAT</h2><p>The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following: </p><pre class="programlisting"> +REVISION:<revision number> +OWNER:<sid or name> +GROUP:<sid or name> +ACL:<sid or name>:<type>/<flags>/<mask> +</pre><p>The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour. </p><p>The owner and group specify the owner and group sids for the + object. If a SID in the format S-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides. </p><p>ACLs specify permissions granted to the SID. This SID again + can be specified in S-1-x-y-z format or as a name in which case + it is resolved against the server on which the file or directory + resides. The type, flags and mask values determine the type of + access granted to the SID. </p><p>The type can be either 0 or 1 corresponding to ALLOWED or + DENIED access to the SID. The flags values are generally + zero for file ACLs and either 9 or 2 for directory ACLs. Some + common flags are: </p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</code></p></li><li><p><code class="constant">#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</code></p></li><li><p><code class="constant">#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4</code></p></li><li><p><code class="constant">#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</code></p></li></ul></div><p>At present flags can only be specified as decimal or + hexadecimal values.</p><p>The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name. </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>R</em></span> - Allow read access </p></li><li><p><span class="emphasis"><em>W</em></span> - Allow write access</p></li><li><p><span class="emphasis"><em>X</em></span> - Execute permission on the object</p></li><li><p><span class="emphasis"><em>D</em></span> - Delete the object</p></li><li><p><span class="emphasis"><em>P</em></span> - Change permissions</p></li><li><p><span class="emphasis"><em>O</em></span> - Take ownership</p></li></ul></div><p>The following combined permissions can be specified:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>READ</em></span> - Equivalent to 'RX' + permissions</p></li><li><p><span class="emphasis"><em>CHANGE</em></span> - Equivalent to 'RXWD' permissions + </p></li><li><p><span class="emphasis"><em>FULL</em></span> - Equivalent to 'RWXDPO' + permissions</p></li></ul></div></div><div class="refsect1" lang="en"><a name="id308009"></a><h2>EXIT STATUS</h2><p>The <code class="literal">smbcacls</code> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </p><p>If the operation succeeded, smbcacls returns and exit + status of 0. If <code class="literal">smbcacls</code> couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </p></div><div class="refsect1" lang="en"><a name="id308038"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308049"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p><code class="literal">smbcacls</code> was written by Andrew Tridgell + and Tim Potter.</p><p>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done + by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbclient.1.html b/docs/htmldocs/manpages/smbclient.1.html new file mode 100644 index 0000000000..e965d241a3 --- /dev/null +++ b/docs/htmldocs/manpages/smbclient.1.html @@ -0,0 +1,508 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbclient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbclient.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbclient — ftp-like client to access SMB/CIFS resources + on servers</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbclient</code> [-b <buffer size>] [-d debuglevel] [-e] [-L <netbios name>] [-U username] [-I destinationIP] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-k] [-P] [-c <command>]</p></div><div class="cmdsynopsis"><p><code class="literal">smbclient</code> {servicename} [password] [-b <buffer size>] [-d debuglevel] [-e] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l log-basename] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]</p></div></div><div class="refsect1" lang="en"><a name="id266947"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">smbclient</code> is a client that can + 'talk' to an SMB/CIFS server. It offers an interface + similar to that of the ftp program (see <a href="ftp.1.html"><span class="citerefentry"><span class="refentrytitle">ftp</span>(1)</span></a>). + Operations include things like getting files from the server + to the local machine, putting files from the local machine to + the server, retrieving directory information from the server + and so on. </p></div><div class="refsect1" lang="en"><a name="id266984"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">servicename</span></dt><dd><p>servicename is the name of the service + you want to use on the server. A service name takes the form + <code class="filename">//server/service</code> where <em class="parameter"><code>server + </code></em> is the NetBIOS name of the SMB/CIFS server + offering the desired service and <em class="parameter"><code>service</code></em> + is the name of the service offered. Thus to connect to + the service "printer" on the SMB/CIFS server "smbserver", + you would use the servicename <code class="filename">//smbserver/printer + </code></p><p>Note that the server name required is NOT necessarily + the IP (DNS) host name of the server ! The name required is + a NetBIOS server name, which may or may not be the + same as the IP hostname of the machine running the server. + </p><p>The server name is looked up according to either + the <em class="parameter"><code>-R</code></em> parameter to <code class="literal">smbclient</code> or + using the name resolve order parameter in + the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file, + allowing an administrator to change the order and methods + by which server names are looked up. </p></dd><dt><span class="term">password</span></dt><dd><p>The password required to access the specified + service on the specified server. If this parameter is + supplied, the <em class="parameter"><code>-N</code></em> option (suppress + password prompt) is assumed. </p><p>There is no default password. If no password is supplied + on the command line (either by using this parameter or adding + a password to the <em class="parameter"><code>-U</code></em> option (see + below)) and the <em class="parameter"><code>-N</code></em> option is not + specified, the client will prompt for a password, even if + the desired service does not require one. (If no password is + required, simply press ENTER to provide a null password.) + </p><p>Note: Some servers (including OS/2 and Windows for + Workgroups) insist on an uppercase password. Lowercase + or mixed case passwords may be rejected by these servers. + </p><p>Be cautious about including passwords in scripts. + </p></dd><dt><span class="term">-R <name resolve order></span></dt><dd><p>This option is used by the programs in the Samba + suite to determine what naming services and in what order to resolve + host names to IP addresses. The option takes a space-separated + string of different name resolution options.</p><p>The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">lmhosts</code>: Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see + the <a href="lmhosts.5.html"><span class="citerefentry"><span class="refentrytitle">lmhosts</span>(5)</span></a> for details) then + any name type matches for lookup.</p></li><li><p><code class="constant">host</code>: Do a standard host + name to IP address resolution, using the system <code class="filename">/etc/hosts + </code>, NIS, or DNS lookups. This method of name resolution + is operating system dependent, for instance on IRIX or Solaris this + may be controlled by the <code class="filename">/etc/nsswitch.conf</code> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</p></li><li><p><code class="constant">wins</code>: Query a name with + the IP address listed in the <em class="parameter"><code>wins server</code></em> + parameter. If no WINS server has + been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code>: Do a broadcast on + each of the known local interfaces listed in the + <em class="parameter"><code>interfaces</code></em> + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet.</p></li></ul></div><p>If this parameter is not set then the name resolve order + defined in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file parameter + (name resolve order) will be used. </p><p>The default order is lmhosts, host, wins, bcast and without + this parameter or any entry in the <em class="parameter"><code>name resolve order + </code></em> parameter of the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file the name resolution + methods will be attempted in this order. </p></dd><dt><span class="term">-M NetBIOS name</span></dt><dd><p>This options allows you to send messages, using + the "WinPopup" protocol, to another computer. Once a connection is + established you then type your message, pressing ^D (control-D) to + end. </p><p>If the receiving computer is running WinPopup the user will + receive the message and probably a beep. If they are not running + WinPopup the message will be lost, and no error message will + occur. </p><p>The message is also automatically truncated if the message + is over 1600 bytes, as this is the limit of the protocol. + </p><p> + One useful trick is to pipe the message through <code class="literal">smbclient</code>. + For example: smbclient -M FRED < mymessage.txt will send the + message in the file <code class="filename">mymessage.txt</code> to the + machine FRED. + </p><p>You may also find the <em class="parameter"><code>-U</code></em> and + <em class="parameter"><code>-I</code></em> options useful, as they allow you to + control the FROM and TO parts of the message. </p><p>See the <em class="parameter"><code>message command</code></em> parameter in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> for a description of how to handle incoming + WinPopup messages in Samba. </p><p><span class="emphasis"><em>Note</em></span>: Copy WinPopup into the startup group + on your WfWg PCs if you want them to always be able to receive + messages. </p></dd><dt><span class="term">-p port</span></dt><dd><p>This number is the TCP port number that will be used + when making connections to the server. The standard (well-known) + TCP port number for an SMB/CIFS server is 139, which is the + default. </p></dd><dt><span class="term">-P</span></dt><dd><p> + Make queries to the external server using the machine account of the local server. + </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-I IP-address</span></dt><dd><p><em class="replaceable"><code>IP address</code></em> is the address of the server to connect to. + It should be specified in standard "a.b.c.d" notation. </p><p>Normally the client would attempt to locate a named + SMB/CIFS server by looking it up via the NetBIOS name resolution + mechanism described above in the <em class="parameter"><code>name resolve order</code></em> + parameter above. Using this parameter will force the client + to assume that the server is on the machine with the specified IP + address and the NetBIOS name component of the resource being + connected to will be ignored. </p><p>There is no default for this parameter. If not supplied, + it will be determined automatically by the client as described + above. </p></dd><dt><span class="term">-E</span></dt><dd><p>This parameter causes the client to write messages + to the standard error stream (stderr) rather than to the standard + output stream. </p><p>By default, the client writes messages to standard output + - typically the user's tty. </p></dd><dt><span class="term">-L</span></dt><dd><p>This option allows you to look at what services + are available on a server. You use it as <code class="literal">smbclient -L + host</code> and a list should appear. The <em class="parameter"><code>-I + </code></em> option may be useful if your NetBIOS names don't + match your TCP/IP DNS host names or if you are trying to reach a + host on another network. </p></dd><dt><span class="term">-t terminal code</span></dt><dd><p>This option tells <code class="literal">smbclient</code> how to interpret + filenames coming from the remote server. Usually Asian language + multibyte UNIX implementations use different character sets than + SMB/CIFS servers (<span class="emphasis"><em>EUC</em></span> instead of <span class="emphasis"><em> + SJIS</em></span> for example). Setting this parameter will let + <code class="literal">smbclient</code> convert between the UNIX filenames and + the SMB filenames correctly. This option has not been seriously tested + and may have some problems. </p><p>The terminal codes include CWsjis, CWeuc, CWjis7, CWjis8, + CWjunet, CWhex, CWcap. This is not a complete list, check the Samba + source code for the complete list. </p></dd><dt><span class="term">-b buffersize</span></dt><dd><p>This option changes the transmit/send buffer + size when getting or putting a file from/to the server. The default + is 65520 bytes. Setting this value smaller (to 1200 bytes) has been + observed to speed up file transfers to and from a Win9x server. + </p></dd><dt><span class="term">-e</span></dt><dd><p>This command line parameter requires the remote + server support the UNIX extensions. Request that the connection be + encrypted. This is new for Samba 3.2 and will only work with Samba + 3.2 or above servers. Negotiates SMB encryption using GSSAPI. Uses + the given credentials for the encryption negotiaion (either kerberos + or NTLMv1/v2 if given domain/username/password triple. Fails the + connection if encryption cannot be negotiated. + </p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 1.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id308361"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-N</span></dt><dd><p>If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password. </p><p>Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.</p><p>If a password is specified on the command line and this +option is also defined the password on the command line will +be silently ingnored and no password will be used.</p></dd><dt><span class="term">-k</span></dt><dd><p> +Try to authenticate with kerberos. Only useful in +an Active Directory environment. +</p></dd><dt><span class="term">-A|--authentication-file=filename</span></dt><dd><p>This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +</p><pre class="programlisting"> +username = <value> +password = <value> +domain = <value> +</pre><p>Make certain that the permissions on the file restrict +access from unwanted users. </p></dd><dt><span class="term">-U|--user=username[%password]</span></dt><dd><p>Sets the SMB username or username and password. </p><p>If %password is not specified, the user will be prompted. The +client will first check the <code class="envar">USER</code> environment variable, then the +<code class="envar">LOGNAME</code> variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username <code class="constant">GUEST</code> is used. </p><p>A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +<em class="parameter"><code>-A</code></em> for more details. </p><p>Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the <code class="literal">ps</code> command. To be safe always allow +<code class="literal">rpcclient</code> to prompt for a password and type +it in directly. </p></dd><dt><span class="term">-n <primary NetBIOS name></span></dt><dd><p>This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the <a class="indexterm" name="id308547"></a> parameter in the <code class="filename">smb.conf</code> file. +However, a command +line setting will take precedence over settings in +<code class="filename">smb.conf</code>.</p></dd><dt><span class="term">-i <scope></span></dt><dd><p>This specifies a NetBIOS scope that +<code class="literal">nmblookup</code> will use to communicate with when +generating NetBIOS names. For details on the use of NetBIOS +scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are +<span class="emphasis"><em>very</em></span> rarely used, only set this parameter +if you are the system administrator in charge of all the +NetBIOS systems you communicate with.</p></dd><dt><span class="term">-W|--workgroup=domain</span></dt><dd><p>Set the SMB domain of the username. This +overrides the default domain which is the domain defined in +smb.conf. If the domain specified is the same as the servers +NetBIOS name, it causes the client to log on using the servers local +SAM (as opposed to the Domain SAM). </p></dd><dt><span class="term">-O socket options</span></dt><dd><p>TCP socket options to set on the client +socket. See the socket options parameter in +the <code class="filename">smb.conf</code> manual page for the list of valid +options. </p></dd><dt><span class="term">-T tar options</span></dt><dd><p>smbclient may be used to create <code class="literal">tar(1) + </code> compatible backups of all the files on an SMB/CIFS + share. The secondary tar flags that can be given to this option + are : </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>c</code></em> - Create a tar file on UNIX. + Must be followed by the name of a tar file, tape device + or "-" for standard output. If using standard output you must + turn the log level to its lowest value -d0 to avoid corrupting + your tar file. This flag is mutually exclusive with the + <em class="parameter"><code>x</code></em> flag. </p></li><li><p><em class="parameter"><code>x</code></em> - Extract (restore) a local + tar file back to a share. Unless the -D option is given, the tar + files will be restored from the top level of the share. Must be + followed by the name of the tar file, device or "-" for standard + input. Mutually exclusive with the <em class="parameter"><code>c</code></em> flag. + Restored files have their creation times (mtime) set to the + date saved in the tar file. Directories currently do not get + their creation dates restored properly. </p></li><li><p><em class="parameter"><code>I</code></em> - Include files and directories. + Is the default behavior when filenames are specified above. Causes + files to be included in an extract or create (and therefore + everything else to be excluded). See example below. Filename globbing + works in one of two ways. See <em class="parameter"><code>r</code></em> below. </p></li><li><p><em class="parameter"><code>X</code></em> - Exclude files and directories. + Causes files to be excluded from an extract or create. See + example below. Filename globbing works in one of two ways now. + See <em class="parameter"><code>r</code></em> below. </p></li><li><p><em class="parameter"><code>F</code></em> - File containing a list of files and directories. + The <em class="parameter"><code>F</code></em> causes the name following the tarfile to + create to be read as a filename that contains a list of files and directories to + be included in an extract or create (and therefore everything else to be excluded). + See example below. Filename globbing works in one of two ways. + See <em class="parameter"><code>r</code></em> below. + </p></li><li><p><em class="parameter"><code>b</code></em> - Blocksize. Must be followed + by a valid (greater than zero) blocksize. Causes tar file to be + written out in blocksize*TBLOCK (usually 512 byte) blocks. + </p></li><li><p><em class="parameter"><code>g</code></em> - Incremental. Only back up + files that have the archive bit set. Useful only with the + <em class="parameter"><code>c</code></em> flag. </p></li><li><p><em class="parameter"><code>q</code></em> - Quiet. Keeps tar from printing + diagnostics as it works. This is the same as tarmode quiet. + </p></li><li><p><em class="parameter"><code>r</code></em> - Regular expression include + or exclude. Uses regular expression matching for + excluding or excluding files if compiled with HAVE_REGEX_H. + However this mode can be very slow. If not compiled with + HAVE_REGEX_H, does a limited wildcard match on '*' and '?'. + </p></li><li><p><em class="parameter"><code>N</code></em> - Newer than. Must be followed + by the name of a file whose date is compared against files found + on the share during a create. Only files newer than the file + specified are backed up to the tar file. Useful only with the + <em class="parameter"><code>c</code></em> flag. </p></li><li><p><em class="parameter"><code>a</code></em> - Set archive bit. Causes the + archive bit to be reset when a file is backed up. Useful with the + <em class="parameter"><code>g</code></em> and <em class="parameter"><code>c</code></em> flags. + </p></li></ul></div><p><span class="emphasis"><em>Tar Long File Names</em></span></p><p><code class="literal">smbclient</code>'s tar option now supports long + file names both on backup and restore. However, the full path + name of the file must be less than 1024 bytes. Also, when + a tar archive is created, <code class="literal">smbclient</code>'s tar option places all + files in the archive with relative names, not absolute names. + </p><p><span class="emphasis"><em>Tar Filenames</em></span></p><p>All file names can be given as DOS path names (with '\\' + as the component separator) or as UNIX path names (with '/' as + the component separator). </p><p><span class="emphasis"><em>Examples</em></span></p><p>Restore from tar file <code class="filename">backup.tar</code> into myshare on mypc + (no password on share). </p><p><code class="literal">smbclient //mypc/yshare "" -N -Tx backup.tar + </code></p><p>Restore everything except <code class="filename">users/docs</code> + </p><p><code class="literal">smbclient //mypc/myshare "" -N -TXx backup.tar + users/docs</code></p><p>Create a tar file of the files beneath <code class="filename"> + users/docs</code>. </p><p><code class="literal">smbclient //mypc/myshare "" -N -Tc + backup.tar users/docs </code></p><p>Create the same tar file as above, but now use + a DOS path name. </p><p><code class="literal">smbclient //mypc/myshare "" -N -tc backup.tar + users\edocs </code></p><p>Create a tar file of the files listed in the file <code class="filename">tarlist</code>.</p><p><code class="literal">smbclient //mypc/myshare "" -N -TcF + backup.tar tarlist</code></p><p>Create a tar file of all the files and directories in + the share. </p><p><code class="literal">smbclient //mypc/myshare "" -N -Tc backup.tar * + </code></p></dd><dt><span class="term">-D initial directory</span></dt><dd><p>Change to initial directory before starting. Probably + only of any use with the tar -T option. </p></dd><dt><span class="term">-c command string</span></dt><dd><p>command string is a semicolon-separated list of + commands to be executed instead of prompting from stdin. <em class="parameter"><code> + -N</code></em> is implied by <em class="parameter"><code>-c</code></em>.</p><p>This is particularly useful in scripts and for printing stdin + to the server, e.g. <code class="literal">-c 'print -'</code>. </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id309059"></a><h2>OPERATIONS</h2><p>Once the client is running, the user is presented with + a prompt : </p><p><code class="prompt">smb:\> </code></p><p>The backslash ("\\") indicates the current working directory + on the server, and will change if the current working directory + is changed. </p><p>The prompt indicates that the client is ready and waiting to + carry out a user command. Each command is a single word, optionally + followed by parameters specific to that command. Command and parameters + are space-delimited unless these notes specifically + state otherwise. All commands are case-insensitive. Parameters to + commands may or may not be case sensitive, depending on the command. + </p><p>You can specify file names which have spaces in them by quoting + the name with double quotes, for example "a long file name". </p><p>Parameters shown in square brackets (e.g., "[parameter]") are + optional. If not given, the command will use suitable defaults. Parameters + shown in angle brackets (e.g., "<parameter>") are required. + </p><p>Note that all commands operating on the server are actually + performed by issuing a request to the server. Thus the behavior may + vary from server to server, depending on how the server was implemented. + </p><p>The commands available are given here in alphabetical order. </p><div class="variablelist"><dl><dt><span class="term">? [command]</span></dt><dd><p>If <em class="replaceable"><code>command</code></em> is specified, the ? command will display + a brief informative message about the specified command. If no + command is specified, a list of available commands will + be displayed. </p></dd><dt><span class="term">! [shell command]</span></dt><dd><p>If <em class="replaceable"><code>shell command</code></em> is specified, the ! + command will execute a shell locally and run the specified shell + command. If no command is specified, a local shell will be run. + </p></dd><dt><span class="term">allinfo file</span></dt><dd><p>The client will request that the server return + all known information about a file or directory (including streams). + </p></dd><dt><span class="term">altname file</span></dt><dd><p>The client will request that the server return + the "alternate" name (the 8.3 name) for a file or directory. + </p></dd><dt><span class="term">archive <number></span></dt><dd><p>Sets the archive level when operating on files. + 0 means ignore the archive bit, 1 means only operate on files with this bit set, + 2 means only operate on files with this bit set and reset it after operation, + 3 means operate on all files and reset it after operation. The default is 0. + </p></dd><dt><span class="term">blocksize <number></span></dt><dd><p>Sets the blocksize parameter for a tar operation. The default is 20. + Causes tar file to be written out in blocksize*TBLOCK (normally 512 byte) units. + </p></dd><dt><span class="term">cancel jobid0 [jobid1] ... [jobidN]</span></dt><dd><p>The client will request that the server cancel + the printjobs identified by the given numeric print job ids. + </p></dd><dt><span class="term">case_sensitive</span></dt><dd><p>Toggles the setting of the flag in SMB packets that + tells the server to treat filenames as case sensitive. Set to OFF by + default (tells file server to treat filenames as case insensitive). Only + currently affects Samba 3.0.5 and above file servers with the case sensitive + parameter set to auto in the smb.conf. + </p></dd><dt><span class="term">cd <directory name></span></dt><dd><p>If "directory name" is specified, the current + working directory on the server will be changed to the directory + specified. This operation will fail if for any reason the specified + directory is inaccessible. </p><p>If no directory name is specified, the current working + directory on the server will be reported. </p></dd><dt><span class="term">chmod file mode in octal</span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests that the server + change the UNIX permissions to the given octal mode, in standard UNIX format. + </p></dd><dt><span class="term">chown file uid gid</span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests that the server + change the UNIX user and group ownership to the given decimal values. Note there is + currently no way to remotely look up the UNIX uid and gid values for a given name. + This may be addressed in future versions of the CIFS UNIX extensions. + </p></dd><dt><span class="term">close <fileid></span></dt><dd><p>Closes a file explicitly opened by the open command. Used for + internal Samba testing purposes. + </p></dd><dt><span class="term">del <mask></span></dt><dd><p>The client will request that the server attempt + to delete all files matching <em class="replaceable"><code>mask</code></em> from the current working + directory on the server. </p></dd><dt><span class="term">dir <mask></span></dt><dd><p>A list of the files matching <em class="replaceable"><code>mask</code></em> in the current + working directory on the server will be retrieved from the server + and displayed. </p></dd><dt><span class="term">du <filename></span></dt><dd><p>Does a directory listing and then prints out the current disk useage and free space on a share. + </p></dd><dt><span class="term">echo <number> <data></span></dt><dd><p>Does an SMBecho request to ping the server. Used for internal Samba testing purposes. + </p></dd><dt><span class="term">exit</span></dt><dd><p>Terminate the connection with the server and exit + from the program. </p></dd><dt><span class="term">get <remote file name> [local file name]</span></dt><dd><p>Copy the file called <code class="filename">remote file name</code> from + the server to the machine running the client. If specified, name + the local copy <code class="filename">local file name</code>. Note that all transfers in + <code class="literal">smbclient</code> are binary. See also the + lowercase command. </p></dd><dt><span class="term">getfacl <filename></span></dt><dd><p>Requires the server support the UNIX extensions. Requests and prints + the POSIX ACL on a file. + </p></dd><dt><span class="term">hardlink <src> <dest<</span></dt><dd><p>Creates a hardlink on the server using Windows CIFS semantics. + the POSIX ACL on a file. + </p></dd><dt><span class="term">help [command]</span></dt><dd><p>See the ? command above. </p></dd><dt><span class="term">history</span></dt><dd><p>Displays the command history.</p></dd><dt><span class="term">iosize <bytes></span></dt><dd><p>When sending or receiving files, smbclient uses an + internal memory buffer by default of size 64512 bytes. This command + allows this size to be set to any range between 16384 (0x4000) bytes + and 16776960 (0xFFFF00) bytes. Larger sizes may mean more efficient + data transfer as smbclient will try and use the most efficient + read and write calls for the connected server. + </p></dd><dt><span class="term">lcd [directory name]</span></dt><dd><p>If <em class="replaceable"><code>directory name</code></em> is specified, the current + working directory on the local machine will be changed to + the directory specified. This operation will fail if for any + reason the specified directory is inaccessible. </p><p>If no directory name is specified, the name of the + current working directory on the local machine will be reported. + </p></dd><dt><span class="term">link target linkname</span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests that the server + create a hard link between the linkname and target files. The linkname file + must not exist. + </p></dd><dt><span class="term">listconnect</span></dt><dd><p>Show the current connections held for DFS purposes. + </p></dd><dt><span class="term">lock <filenum> <r|w> <hex-start> <hex-len></span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. Tries to set a POSIX + fcntl lock of the given type on the given range. Used for internal Samba testing purposes. + </p></dd><dt><span class="term">logon <username> <password></span></dt><dd><p>Establishes a new vuid for this session by logging on again. + Replaces the current vuid. Prints out the new vuid. Used for internal Samba testing purposes. + </p></dd><dt><span class="term">lowercase</span></dt><dd><p>Toggle lowercasing of filenames for the get and + mget commands. + </p><p>When lowercasing is toggled ON, local filenames are converted + to lowercase when using the get and mget commands. This is + often useful when copying (say) MSDOS files from a server, because + lowercase filenames are the norm on UNIX systems. </p></dd><dt><span class="term">ls <mask></span></dt><dd><p>See the dir command above. </p></dd><dt><span class="term">mask <mask></span></dt><dd><p>This command allows the user to set up a mask + which will be used during recursive operation of the mget and + mput commands. </p><p>The masks specified to the mget and mput commands act as + filters for directories rather than files when recursion is + toggled ON. </p><p>The mask specified with the mask command is necessary + to filter files within those directories. For example, if the + mask specified in an mget command is "source*" and the mask + specified with the mask command is "*.c" and recursion is + toggled ON, the mget command will retrieve all files matching + "*.c" in all directories below and including all directories + matching "source*" in the current working directory. </p><p>Note that the value for mask defaults to blank (equivalent + to "*") and remains so until the mask command is used to change it. + It retains the most recently specified value indefinitely. To + avoid unexpected results it would be wise to change the value of + mask back to "*" after using the mget or mput commands. </p></dd><dt><span class="term">md <directory name></span></dt><dd><p>See the mkdir command. </p></dd><dt><span class="term">mget <mask></span></dt><dd><p>Copy all files matching <em class="replaceable"><code>mask</code></em> from the server to + the machine running the client. </p><p>Note that <em class="replaceable"><code>mask</code></em> is interpreted differently during recursive + operation and non-recursive operation - refer to the recurse and + mask commands for more information. Note that all transfers in + <code class="literal">smbclient</code> are binary. See also the lowercase command. </p></dd><dt><span class="term">mkdir <directory name></span></dt><dd><p>Create a new directory on the server (user access + privileges permitting) with the specified name. </p></dd><dt><span class="term">more <file name></span></dt><dd><p>Fetch a remote file and view it with the contents + of your PAGER environment variable. + </p></dd><dt><span class="term">mput <mask></span></dt><dd><p>Copy all files matching <em class="replaceable"><code>mask</code></em> in the current working + directory on the local machine to the current working directory on + the server. </p><p>Note that <em class="replaceable"><code>mask</code></em> is interpreted differently during recursive + operation and non-recursive operation - refer to the recurse and mask + commands for more information. Note that all transfers in <code class="literal">smbclient</code> + are binary. </p></dd><dt><span class="term">posix</span></dt><dd><p>Query the remote server to see if it supports the CIFS UNIX + extensions and prints out the list of capabilities supported. If so, turn + on POSIX pathname processing and large file read/writes (if available),. + </p></dd><dt><span class="term">posix_encrypt <domain> <username> <password></span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. Attempt to negotiate + SMB encryption on this connection. If smbclient connected with kerberos + credentials (-k) the arguments to this command are ignored and the kerberos + credentials are used to negotiate GSSAPI signing and sealing instead. See + also the -e option to smbclient to force encryption on initial connection. + This command is new with Samba 3.2. + </p></dd><dt><span class="term">posix_open <filename> <octal mode></span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. Opens a remote file + using the CIFS UNIX extensions and prints a fileid. Used for internal Samba + testing purposes. + </p></dd><dt><span class="term">posix_mkdir <directoryname> <octal mode></span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. Creates a remote directory + using the CIFS UNIX extensions with the given mode. + </p></dd><dt><span class="term">posix_rmdir <directoryname></span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. Deletes a remote directory + using the CIFS UNIX extensions. + </p></dd><dt><span class="term">posix_unlink <filename></span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. Deletes a remote file + using the CIFS UNIX extensions. + </p></dd><dt><span class="term">print <file name></span></dt><dd><p>Print the specified file from the local machine + through a printable service on the server. </p></dd><dt><span class="term">prompt</span></dt><dd><p>Toggle prompting for filenames during operation + of the mget and mput commands. </p><p>When toggled ON, the user will be prompted to confirm + the transfer of each file during these commands. When toggled + OFF, all specified files will be transferred without prompting. + </p></dd><dt><span class="term">put <local file name> [remote file name]</span></dt><dd><p>Copy the file called <code class="filename">local file name</code> from the + machine running the client to the server. If specified, + name the remote copy <code class="filename">remote file name</code>. Note that all transfers + in <code class="literal">smbclient</code> are binary. See also the lowercase command. + </p></dd><dt><span class="term">queue</span></dt><dd><p>Displays the print queue, showing the job id, + name, size and current status. </p></dd><dt><span class="term">quit</span></dt><dd><p>See the exit command. </p></dd><dt><span class="term">rd <directory name></span></dt><dd><p>See the rmdir command. </p></dd><dt><span class="term">recurse</span></dt><dd><p>Toggle directory recursion for the commands mget + and mput. </p><p>When toggled ON, these commands will process all directories + in the source directory (i.e., the directory they are copying + from ) and will recurse into any that match the mask specified + to the command. Only files that match the mask specified using + the mask command will be retrieved. See also the mask command. + </p><p>When recursion is toggled OFF, only files from the current + working directory on the source machine that match the mask specified + to the mget or mput commands will be copied, and any mask specified + using the mask command will be ignored. </p></dd><dt><span class="term">rm <mask></span></dt><dd><p>Remove all files matching <em class="replaceable"><code>mask</code></em> from the current + working directory on the server. </p></dd><dt><span class="term">rmdir <directory name></span></dt><dd><p>Remove the specified directory (user access + privileges permitting) from the server. </p></dd><dt><span class="term">setmode <filename> <perm=[+|\-]rsha></span></dt><dd><p>A version of the DOS attrib command to set + file permissions. For example: </p><p><code class="literal">setmode myfile +r </code></p><p>would make myfile read only. </p></dd><dt><span class="term">showconnect</span></dt><dd><p>Show the currently active connection held for DFS purposes. + </p></dd><dt><span class="term">stat file</span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests the + UNIX basic info level and prints out the same info that the Linux stat command + would about the file. This includes the size, blocks used on disk, file type, + permissions, inode number, number of links and finally the three timestamps + (access, modify and change). If the file is a special file (symlink, character or + block device, fifo or socket) then extra information may also be printed. + </p></dd><dt><span class="term">symlink target linkname</span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests that the server + create a symbolic hard link between the target and linkname files. The linkname file + must not exist. Note that the server will not create a link to any path that lies + outside the currently connected share. This is enforced by the Samba server. + </p></dd><dt><span class="term">tar <c|x>[IXbgNa]</span></dt><dd><p>Performs a tar operation - see the <em class="parameter"><code>-T + </code></em> command line option above. Behavior may be affected + by the tarmode command (see below). Using g (incremental) and N + (newer) will affect tarmode settings. Note that using the "-" option + with tar x may not work - use the command line option instead. + </p></dd><dt><span class="term">blocksize <blocksize></span></dt><dd><p>Blocksize. Must be followed by a valid (greater + than zero) blocksize. Causes tar file to be written out in + <em class="replaceable"><code>blocksize</code></em>*TBLOCK (usually 512 byte) blocks. </p></dd><dt><span class="term">tarmode <full|inc|reset|noreset></span></dt><dd><p>Changes tar's behavior with regard to archive + bits. In full mode, tar will back up everything regardless of the + archive bit setting (this is the default mode). In incremental mode, + tar will only back up files with the archive bit set. In reset mode, + tar will reset the archive bit on all files it backs up (implies + read/write share). </p></dd><dt><span class="term">unlock <filenum> <hex-start> <hex-len></span></dt><dd><p>This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. Tries to unlock a POSIX + fcntl lock on the given range. Used for internal Samba testing purposes. + </p></dd><dt><span class="term">volume</span></dt><dd><p>Prints the current volume name of the share. + </p></dd><dt><span class="term">vuid <number></span></dt><dd><p>Changes the currently used vuid in the protocol to + the given arbitrary number. Without an argument prints out the current + vuid being used. Used for internal Samba testing purposes. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id310037"></a><h2>NOTES</h2><p>Some servers are fussy about the case of supplied usernames, + passwords, share names (AKA service names) and machine names. + If you fail to connect try giving all parameters in uppercase. + </p><p>It is often necessary to use the -n option when connecting + to some types of servers. For example OS/2 LanManager insists + on a valid NetBIOS name being used, so you need to supply a valid + name that would be known to the server.</p><p>smbclient supports long file names where the server + supports the LANMAN2 protocol or above. </p></div><div class="refsect1" lang="en"><a name="id310058"></a><h2>ENVIRONMENT VARIABLES</h2><p>The variable <code class="envar">USER</code> may contain the + username of the person using the client. This information is + used only if the protocol level is high enough to support + session-level passwords.</p><p>The variable <code class="envar">PASSWD</code> may contain + the password of the person using the client. This information is + used only if the protocol level is high enough to support + session-level passwords. </p><p>The variable <code class="envar">LIBSMB_PROG</code> may contain + the path, executed with system(), which the client should connect + to instead of connecting to a server. This functionality is primarily + intended as a development aid, and works best when using a LMHOSTS + file</p></div><div class="refsect1" lang="en"><a name="id310091"></a><h2>INSTALLATION</h2><p>The location of the client program is a matter for + individual system administrators. The following are thus + suggestions only. </p><p>It is recommended that the smbclient software be installed + in the <code class="filename">/usr/local/samba/bin/</code> or <code class="filename"> + /usr/samba/bin/</code> directory, this directory readable + by all, writeable only by root. The client program itself should + be executable by all. The client should <span class="emphasis"><em>NOT</em></span> be + setuid or setgid! </p><p>The client log files should be put in a directory readable + and writeable only by the user. </p><p>To test the client, you will need to know the name of a + running SMB/CIFS server. It is possible to run <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> as an ordinary user - running that server as a daemon + on a user-accessible port (typically any port number over 1024) + would provide a suitable test server. </p></div><div class="refsect1" lang="en"><a name="id310140"></a><h2>DIAGNOSTICS</h2><p>Most diagnostics issued by the client are logged in a + specified log file. The log file name is specified at compile time, + but may be overridden on the command line. </p><p>The number and nature of diagnostics available depends + on the debug level used by the client. If you have problems, + set the debug level to 3 and peruse the log files. </p></div><div class="refsect1" lang="en"><a name="id310156"></a><h2>VERSION</h2><p>This man page is correct for version 3.2 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id310167"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbcontrol.1.html b/docs/htmldocs/manpages/smbcontrol.1.html new file mode 100644 index 0000000000..0c092546d1 --- /dev/null +++ b/docs/htmldocs/manpages/smbcontrol.1.html @@ -0,0 +1,72 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbcontrol</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbcontrol.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbcontrol — send messages to smbd, nmbd or winbindd processes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbcontrol</code> [-i] [-s]</p></div><div class="cmdsynopsis"><p><code class="literal">smbcontrol</code> [destination] [message-type] [parameter]</p></div></div><div class="refsect1" lang="en"><a name="id299210"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">smbcontrol</code> is a very small program, which + sends messages to a <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, a <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, or a <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon running on the system.</p></div><div class="refsect1" lang="en"><a name="id299260"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-i</span></dt><dd><p>Run interactively. Individual commands + of the form destination message-type parameters can be entered + on STDIN. An empty command line or a "q" will quit the + program.</p></dd><dt><span class="term">destination</span></dt><dd><p>One of <em class="parameter"><code>nmbd</code></em>, <em class="parameter"><code>smbd</code></em> or a process ID.</p><p>The <em class="parameter"><code>smbd</code></em> destination causes the + message to "broadcast" to all smbd daemons.</p><p>The <em class="parameter"><code>nmbd</code></em> destination causes the + message to be sent to the nmbd daemon specified in the + <code class="filename">nmbd.pid</code> file.</p><p>If a single process ID is given, the message is sent + to only that process.</p></dd><dt><span class="term">message-type</span></dt><dd><p>Type of message to send. See + the section <code class="constant">MESSAGE-TYPES</code> for details. + </p></dd><dt><span class="term">parameters</span></dt><dd><p>any parameters required for the message-type</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266827"></a><h2>MESSAGE-TYPES</h2><p>Available message types are:</p><div class="variablelist"><dl><dt><span class="term">close-share</span></dt><dd><p>Order smbd to close the client + connections to the named share. Note that this doesn't affect client + connections to any other shares. This message-type takes an argument of the + share name for which client connections will be closed, or the + "*" character which will close all currently open shares. + This may be useful if you made changes to the access controls on the share. + This message can only be sent to <code class="constant">smbd</code>.</p></dd><dt><span class="term">debug</span></dt><dd><p>Set debug level to the value specified by the + parameter. This can be sent to any of the destinations.</p></dd><dt><span class="term">force-election</span></dt><dd><p>This message causes the <code class="literal">nmbd</code> daemon to + force a new browse master election. </p></dd><dt><span class="term">ping</span></dt><dd><p> + Send specified number of "ping" messages and + wait for the same number of reply "pong" messages. This can be sent to + any of the destinations.</p></dd><dt><span class="term">profile</span></dt><dd><p>Change profile settings of a daemon, based on the + parameter. The parameter can be "on" to turn on profile stats + collection, "off" to turn off profile stats collection, "count" + to enable only collection of count stats (time stats are + disabled), and "flush" to zero the current profile stats. This can + be sent to any smbd or nmbd destinations.</p></dd><dt><span class="term">debuglevel</span></dt><dd><p> + Request debuglevel of a certain daemon and write it to stdout. This + can be sent to any of the destinations.</p></dd><dt><span class="term">profilelevel</span></dt><dd><p> + Request profilelevel of a certain daemon and write it to stdout. + This can be sent to any smbd or nmbd destinations.</p></dd><dt><span class="term">printnotify</span></dt><dd><p> + Order smbd to send a printer notify message to any Windows NT clients + connected to a printer. This message-type takes the following arguments: + </p><div class="variablelist"><dl><dt><span class="term">queuepause printername</span></dt><dd><p>Send a queue pause change notify + message to the printer specified.</p></dd><dt><span class="term">queueresume printername</span></dt><dd><p>Send a queue resume change notify + message for the printer specified.</p></dd><dt><span class="term">jobpause printername unixjobid</span></dt><dd><p>Send a job pause change notify + message for the printer and unix jobid + specified.</p></dd><dt><span class="term">jobresume printername unixjobid</span></dt><dd><p>Send a job resume change notify + message for the printer and unix jobid + specified.</p></dd><dt><span class="term">jobdelete printername unixjobid</span></dt><dd><p>Send a job delete change notify + message for the printer and unix jobid + specified.</p></dd></dl></div><p> + Note that this message only sends notification that an + event has occured. It doesn't actually cause the + event to happen. + </p><p>This message can only be sent to <code class="constant">smbd</code>. </p></dd><dt><span class="term">samsync</span></dt><dd><p>Order smbd to synchronise sam database from PDC (being BDC). Can only be sent to <code class="constant">smbd</code>. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Not working at the moment</p></div></dd><dt><span class="term">samrepl</span></dt><dd><p>Send sam replication message, with specified serial. Can only be sent to <code class="constant">smbd</code>. Should not be used manually.</p></dd><dt><span class="term">dmalloc-mark</span></dt><dd><p>Set a mark for dmalloc. Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support. </p></dd><dt><span class="term">dmalloc-log-changed</span></dt><dd><p> + Dump the pointers that have changed since the mark set by dmalloc-mark. + Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support. </p></dd><dt><span class="term">shutdown</span></dt><dd><p>Shut down specified daemon. Can be sent to both smbd and nmbd.</p></dd><dt><span class="term">pool-usage</span></dt><dd><p>Print a human-readable description of all + talloc(pool) memory usage by the specified daemon/process. Available + for both smbd and nmbd.</p></dd><dt><span class="term">drvupgrade</span></dt><dd><p>Force clients of printers using specified driver + to update their local version of the driver. Can only be + sent to smbd.</p></dd><dt><span class="term">reload-config</span></dt><dd><p>Force daemon to reload smb.conf configuration file. Can be sent + to <code class="constant">smbd</code>, <code class="constant">nmbd</code>, or <code class="constant">winbindd</code>. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308032"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308042"></a><h2>SEE ALSO</h2><p><a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id308067"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbcquotas.1.html b/docs/htmldocs/manpages/smbcquotas.1.html new file mode 100644 index 0000000000..80dcf4b2a4 --- /dev/null +++ b/docs/htmldocs/manpages/smbcquotas.1.html @@ -0,0 +1,86 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbcquotas</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbcquotas.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbcquotas — Set or get QUOTAs of NTFS 5 shares</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbcquotas</code> {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logdir] [-V] [-U username] [-N] [-k] [-A]</p></div></div><div class="refsect1" lang="en"><a name="id266718"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">smbcquotas</code> program manipulates NT Quotas on SMB file shares. </p></div><div class="refsect1" lang="en"><a name="id266745"></a><h2>OPTIONS</h2><p>The following options are available to the <code class="literal">smbcquotas</code> program. </p><div class="variablelist"><dl><dt><span class="term">-u user</span></dt><dd><p> Specifies the user of whom the quotas are get or set. + By default the current user's username will be used.</p></dd><dt><span class="term">-L</span></dt><dd><p>Lists all quota records of the share.</p></dd><dt><span class="term">-F</span></dt><dd><p>Show the share quota status and default limits.</p></dd><dt><span class="term">-S QUOTA_SET_COMMAND</span></dt><dd><p>This command sets/modifies quotas for a user or on the share, + depending on the QUOTA_SET_COMMAND parameter which is described later.</p></dd><dt><span class="term">-n</span></dt><dd><p>This option displays all QUOTA information in numeric + format. The default is to convert SIDs to names and QUOTA limits + to a readable string format.</p></dd><dt><span class="term">-t</span></dt><dd><p> + Don't actually do anything, only validate the correctness of the arguments. + </p></dd><dt><span class="term">-v</span></dt><dd><p> + Be verbose. + </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266903"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-N</span></dt><dd><p>If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password. </p><p>Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.</p><p>If a password is specified on the command line and this +option is also defined the password on the command line will +be silently ingnored and no password will be used.</p></dd><dt><span class="term">-k</span></dt><dd><p> +Try to authenticate with kerberos. Only useful in +an Active Directory environment. +</p></dd><dt><span class="term">-A|--authentication-file=filename</span></dt><dd><p>This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +</p><pre class="programlisting"> +username = <value> +password = <value> +domain = <value> +</pre><p>Make certain that the permissions on the file restrict +access from unwanted users. </p></dd><dt><span class="term">-U|--user=username[%password]</span></dt><dd><p>Sets the SMB username or username and password. </p><p>If %password is not specified, the user will be prompted. The +client will first check the <code class="envar">USER</code> environment variable, then the +<code class="envar">LOGNAME</code> variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username <code class="constant">GUEST</code> is used. </p><p>A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +<em class="parameter"><code>-A</code></em> for more details. </p><p>Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the <code class="literal">ps</code> command. To be safe always allow +<code class="literal">rpcclient</code> to prompt for a password and type +it in directly. </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id307936"></a><h2>QUOTA_SET_COMAND</h2><p>The format of an the QUOTA_SET_COMMAND is an operation + name followed by a set of parameters specific to that operation. + </p><p>To set user quotas for the user specified by -u or for the + current username: </p><p><strong class="userinput"><code> + UQLIM:<username>:<softlimit>/<hardlimit> + </code></strong></p><p>To set the default quotas for a share: + </p><p><strong class="userinput"><code> + FSQLIM:<softlimit>/<hardlimit> + </code></strong></p><p> + To change the share quota settings: + </p><p><strong class="userinput"><code> + FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT + </code></strong></p><p>All limits are specified as a number of bytes.</p></div><div class="refsect1" lang="en"><a name="id307984"></a><h2>EXIT STATUS</h2><p>The <code class="literal">smbcquotas</code> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </p><p>If the operation succeeded, smbcquotas returns an exit + status of 0. If <code class="literal">smbcquotas</code> couldn't connect to the specified server, + or when there was an error getting or setting the quota(s), an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </p></div><div class="refsect1" lang="en"><a name="id308013"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308024"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p><code class="literal">smbcquotas</code> was written by Stefan Metzmacher.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbd.8.html b/docs/htmldocs/manpages/smbd.8.html new file mode 100644 index 0000000000..d7aa0fcc6b --- /dev/null +++ b/docs/htmldocs/manpages/smbd.8.html @@ -0,0 +1,163 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbd — server to provide SMB/CIFS services to clients</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbd</code> [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number(s)>] [-P <profiling level>] [-O <socket option>] [-s <configuration file>]</p></div></div><div class="refsect1" lang="en"><a name="id267087"></a><h2>DESCRIPTION</h2><p>This program is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">smbd</code> is the server daemon that + provides filesharing and printing services to Windows clients. + The server provides filespace and printer services to + clients using the SMB (or CIFS) protocol. This is compatible + with the LanManager protocol, and can service LanManager + clients. These include MSCLIENT 3.0 for DOS, Windows for + Workgroups, Windows 95/98/ME, Windows NT, Windows 2000, + OS/2, DAVE for Macintosh, and smbfs for Linux.</p><p>An extensive description of the services that the + server can provide is given in the man page for the + configuration file controlling the attributes of those + services (see <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>. This man page will not describe the + services, but will concentrate on the administrative aspects + of running the server.</p><p>Please note that there are significant security + implications to running this server, and the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> manual page should be regarded as mandatory reading before + proceeding with installation.</p><p>A session is created whenever a client requests one. + Each client gets a copy of the server for each session. This + copy then services all connections made by the client during + that session. When all connections from its client are closed, + the copy of the server for that client terminates.</p><p>The configuration file, and any files that it includes, + are automatically reloaded every minute, if they change. You + can force a reload by sending a SIGHUP to the server. Reloading + the configuration file will not affect connections to any service + that is already established. Either the user will have to + disconnect from the service, or <code class="literal">smbd</code> killed and restarted.</p></div><div class="refsect1" lang="en"><a name="id299258"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-D</span></dt><dd><p>If specified, this parameter causes + the server to operate as a daemon. That is, it detaches + itself and runs in the background, fielding requests + on the appropriate port. Operating the server as a + daemon is the recommended way of running <code class="literal">smbd</code> for + servers that provide more than casual use file and + print services. This switch is assumed if <code class="literal">smbd + </code> is executed on the command line of a shell. + </p></dd><dt><span class="term">-F</span></dt><dd><p>If specified, this parameter causes + the main <code class="literal">smbd</code> process to not daemonize, + i.e. double-fork and disassociate with the terminal. + Child processes are still created as normal to service + each connection request, but the main process does not + exit. This operation mode is suitable for running + <code class="literal">smbd</code> under process supervisors such + as <code class="literal">supervise</code> and <code class="literal">svscan</code> + from Daniel J. Bernstein's <code class="literal">daemontools</code> + package, or the AIX process monitor. + </p></dd><dt><span class="term">-S</span></dt><dd><p>If specified, this parameter causes + <code class="literal">smbd</code> to log to standard output rather + than a file.</p></dd><dt><span class="term">-i</span></dt><dd><p>If this parameter is specified it causes the + server to run "interactively", not as a daemon, even if the + server is executed on the command line of a shell. Setting this + parameter negates the implicit deamon mode when run from the + command line. <code class="literal">smbd</code> also logs to standard + output, as if the <code class="literal">-S</code> parameter had been + given. + </p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266843"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-b</span></dt><dd><p>Prints information about how + Samba was built.</p></dd><dt><span class="term">-p|--port<port number(s)></span></dt><dd><p><em class="replaceable"><code>port number(s)</code></em> is a + space or comma-separated list of TCP ports smbd should listen on. + The default value is taken from the <a class="indexterm" name="id307893"></a>ports parameter in <code class="filename">smb.conf</code></p><p>The default ports are 139 (used for SMB over NetBIOS over TCP) + and port 445 (used for plain SMB over TCP). + </p></dd><dt><span class="term">-P|--profiling-level<profiling level></span></dt><dd><p><em class="replaceable"><code>profiling level</code></em> is a + number specifying the level of profiling data to be collected. + 0 turns off profiling, 1 turns on counter profiling only, + 2 turns on complete profiling, and 3 resets all profiling data. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id307926"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/inetd.conf</code></span></dt><dd><p>If the server is to be run by the + <code class="literal">inetd</code> meta-daemon, this file + must contain suitable startup information for the + meta-daemon. + </p></dd><dt><span class="term"><code class="filename">/etc/rc</code></span></dt><dd><p>or whatever initialization script your + system uses).</p><p>If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server. </p></dd><dt><span class="term"><code class="filename">/etc/services</code></span></dt><dd><p>If running the server via the + meta-daemon <code class="literal">inetd</code>, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). + </p></dd><dt><span class="term"><code class="filename">/usr/local/samba/lib/smb.conf</code></span></dt><dd><p>This is the default location of the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> server configuration file. Other common places that systems + install this file are <code class="filename">/usr/samba/lib/smb.conf</code> + and <code class="filename">/etc/samba/smb.conf</code>.</p><p>This file describes all the services the server + is to make available to clients. See <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> for more information.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308046"></a><h2>LIMITATIONS</h2><p>On some systems <code class="literal">smbd</code> cannot change uid back + to root after a setuid() call. Such systems are called + trapdoor uid systems. If you have such a system, + you will be unable to connect from a client (such as a PC) as + two different users at once. Attempts to connect the + second user will result in access denied or + similar.</p></div><div class="refsect1" lang="en"><a name="id308065"></a><h2>ENVIRONMENT VARIABLES</h2><div class="variablelist"><dl><dt><span class="term"><code class="envar">PRINTER</code></span></dt><dd><p>If no printer name is specified to + printable services, most systems will use the value of + this variable (or <code class="constant">lp</code> if this variable is + not defined) as the name of the printer to use. This + is not specific to the server, however.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308092"></a><h2>PAM INTERACTION</h2><p>Samba uses PAM for authentication (when presented with a plaintext + password), for account checking (is this account disabled?) and for + session management. The degree too which samba supports PAM is restricted + by the limitations of the SMB protocol and the <a class="indexterm" name="id308102"></a>obey pam restrictions <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> paramater. When this is set, the following restrictions apply: + </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Account Validation</em></span>: All accesses to a + samba server are checked + against PAM to see if the account is vaild, not disabled and is permitted to + login at this time. This also applies to encrypted logins. + </p></li><li><p><span class="emphasis"><em>Session Management</em></span>: When not using share + level secuirty, users must pass PAM's session checks before access + is granted. Note however, that this is bypassed in share level secuirty. + Note also that some older pam configuration files may need a line + added for session support. + </p></li></ul></div></div><div class="refsect1" lang="en"><a name="id308141"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308151"></a><h2>DIAGNOSTICS</h2><p>Most diagnostics issued by the server are logged + in a specified log file. The log file name is specified + at compile time, but may be overridden on the command line.</p><p>The number and nature of diagnostics available depends + on the debug level used by the server. If you have problems, set + the debug level to 3 and peruse the log files.</p><p>Most messages are reasonably self-explanatory. Unfortunately, + at the time this man page was created, there are too many diagnostics + available in the source code to warrant describing each and every + diagnostic. At this stage your best bet is still to grep the + source code and inspect the conditions that gave rise to the + diagnostics you are seeing.</p></div><div class="refsect1" lang="en"><a name="id308174"></a><h2>TDB FILES</h2><p>Samba stores it's data in several TDB (Trivial Database) files, usually located in <code class="filename">/var/lib/samba</code>.</p><p> + (*) information persistent across restarts (but not + necessarily important to backup). + </p><div class="variablelist"><dl><dt><span class="term">account_policy.tdb*</span></dt><dd><p>NT account policy settings such as pw expiration, etc...</p></dd><dt><span class="term">brlock.tdb</span></dt><dd><p>byte range locks</p></dd><dt><span class="term">browse.dat</span></dt><dd><p>browse lists</p></dd><dt><span class="term">connections.tdb</span></dt><dd><p>share connections (used to enforce max connections, etc...)</p></dd><dt><span class="term">gencache.tdb</span></dt><dd><p>generic caching db</p></dd><dt><span class="term">group_mapping.tdb*</span></dt><dd><p>group mapping information</p></dd><dt><span class="term">locking.tdb</span></dt><dd><p>share modes & oplocks</p></dd><dt><span class="term">login_cache.tdb*</span></dt><dd><p>bad pw attempts</p></dd><dt><span class="term">messages.tdb</span></dt><dd><p>Samba messaging system</p></dd><dt><span class="term">netsamlogon_cache.tdb*</span></dt><dd><p>cache of user net_info_3 struct from net_samlogon() request (as a domain member)</p></dd><dt><span class="term">ntdrivers.tdb*</span></dt><dd><p>installed printer drivers</p></dd><dt><span class="term">ntforms.tdb*</span></dt><dd><p>installed printer forms</p></dd><dt><span class="term">ntprinters.tdb*</span></dt><dd><p>installed printer information</p></dd><dt><span class="term">printing/</span></dt><dd><p>directory containing tdb per print queue of cached lpq output</p></dd><dt><span class="term">registry.tdb</span></dt><dd><p>Windows registry skeleton (connect via regedit.exe)</p></dd><dt><span class="term">sessionid.tdb</span></dt><dd><p>session information (e.g. support for 'utmp = yes')</p></dd><dt><span class="term">share_info.tdb*</span></dt><dd><p>share acls</p></dd><dt><span class="term">winbindd_cache.tdb</span></dt><dd><p>winbindd's cache of user lists, etc...</p></dd><dt><span class="term">winbindd_idmap.tdb*</span></dt><dd><p>winbindd's local idmap db</p></dd><dt><span class="term">wins.dat*</span></dt><dd><p>wins database when 'wins support = yes'</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308406"></a><h2>SIGNALS</h2><p>Sending the <code class="literal">smbd</code> a SIGHUP will cause it to + reload its <code class="filename">smb.conf</code> configuration + file within a short period of time.</p><p>To shut down a user's <code class="literal">smbd</code> process it is recommended + that <code class="literal">SIGKILL (-9)</code> <span class="emphasis"><em>NOT</em></span> + be used, except as a last resort, as this may leave the shared + memory area in an inconsistent state. The safe way to terminate + an <code class="literal">smbd</code> is to send it a SIGTERM (-15) signal and wait for + it to die on its own.</p><p>The debug log level of <code class="literal">smbd</code> may be raised + or lowered using <a href="smbcontrol.1.html"><span class="citerefentry"><span class="refentrytitle">smbcontrol</span>(1)</span></a> program (SIGUSR[1|2] signals are no longer + used since Samba 2.2). This is to allow transient problems to be diagnosed, + whilst still running at a normally low log level.</p><p>Note that as the signal handlers send a debug write, + they are not re-entrant in <code class="literal">smbd</code>. This you should wait until + <code class="literal">smbd</code> is in a state of waiting for an incoming SMB before + issuing them. It is possible to make the signal handlers safe + by un-blocking the signals before the select call and re-blocking + them after, however this would affect performance.</p></div><div class="refsect1" lang="en"><a name="id308492"></a><h2>SEE ALSO</h2><p><a href="hosts_access.5.html"><span class="citerefentry"><span class="refentrytitle">hosts_access</span>(5)</span></a>, <a href="inetd.8.html"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>, and the + Internet RFC's <code class="filename">rfc1001.txt</code>, <code class="filename">rfc1002.txt</code>. + In addition the CIFS (formerly SMB) specification is available + as a link from the Web page <a href="http://samba.org/cifs/" target="_top"> + http://samba.org/cifs/</a>.</p></div><div class="refsect1" lang="en"><a name="id308576"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbget.1.html b/docs/htmldocs/manpages/smbget.1.html new file mode 100644 index 0000000000..ebe9e9419e --- /dev/null +++ b/docs/htmldocs/manpages/smbget.1.html @@ -0,0 +1,26 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbget</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbget.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbget — wget-like utility for download files over SMB</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbget</code> [-a, --guest] [-r, --resume] [-R, --recursive] [-u, --username=STRING] [-p, --password=STRING] [-w, --workgroup=STRING] [-n, --nonprompt] [-d, --debuglevel=INT] [-D, --dots] [-P, --keep-permissions] [-o, --outputfile] [-f, --rcfile] [-q, --quiet] [-v, --verbose] [-b, --blocksize] [-?, --help] [--usage] {smb://host/share/path/to/file} [smb://url2/] [...]</p></div></div><div class="refsect1" lang="en"><a name="id266750"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line. + </p><p> + The files should be in the smb-URL standard, e.g. use smb://host/share/file + for the UNC path <span class="emphasis"><em>\\\\HOST\\SHARE\\file</em></span>. + </p></div><div class="refsect1" lang="en"><a name="id266781"></a><h2>OPTIONS</h2><dt><span class="term">-a, --guest</span></dt><dd><p>Work as user guest</p></dd><dt><span class="term">-r, --resume</span></dt><dd><p>Automatically resume aborted files</p></dd><dt><span class="term">-R, --recursive</span></dt><dd><p>Recursively download files</p></dd><dt><span class="term">-u, --username=STRING</span></dt><dd><p>Username to use</p></dd><dt><span class="term">-p, --password=STRING</span></dt><dd><p>Password to use</p></dd><dt><span class="term">-w, --workgroup=STRING</span></dt><dd><p>Workgroup to use (optional)</p></dd><dt><span class="term">-n, --nonprompt</span></dt><dd><p>Don't ask anything (non-interactive)</p></dd><dt><span class="term">-d, --debuglevel=INT</span></dt><dd><p>Debuglevel to use</p></dd><dt><span class="term">-D, --dots</span></dt><dd><p>Show dots as progress indication</p></dd><dt><span class="term">-P, --keep-permissions</span></dt><dd><p>Set same permissions on local file as are set on remote file.</p></dd><dt><span class="term">-o, --outputfile</span></dt><dd><p>Write the file that is being download to the specified file. Can not be used together with -R.</p></dd><dt><span class="term">-f, --rcfile</span></dt><dd><p>Use specified rcfile. This will be loaded in the order it was specified - e.g. if you specify any options before this one, they might get overriden by the contents of the rcfile.</p></dd><dt><span class="term">-q, --quiet</span></dt><dd><p>Be quiet</p></dd><dt><span class="term">-v, --verbose</span></dt><dd><p>Be verbose</p></dd><dt><span class="term">-b, --blocksize</span></dt><dd><p>Number of bytes to download in a block. Defaults to 64000.</p></dd><dt><span class="term">-?, --help</span></dt><dd><p>Show help message</p></dd><dt><span class="term">--usage</span></dt><dd><p>Display brief usage message</p></dd></div><div class="refsect1" lang="en"><a name="id267003"></a><h2>SMB URLS</h2><p> SMB URL's should be specified in the following format:</p><pre class="programlisting"> +smb://[[[domain;]user[:password@]]server[/share[/path[/file]]]] +</pre><pre class="programlisting"> +smb:// means all the workgroups +</pre><pre class="programlisting"> +smb://name/ means, if <em class="replaceable"><code>name</code></em> is a workgroup, all the servers in this workgroup, or if <em class="replaceable"><code>name</code></em> is a server, all the shares on this server. +</pre></div><div class="refsect1" lang="en"><a name="id307898"></a><h2>EXAMPLES</h2><pre class="programlisting"> +# Recursively download 'src' directory +smbget -R smb://rhonwyn/jelmer/src +# Download FreeBSD ISO and enable resuming +smbget -r smb://rhonwyn/isos/FreeBSD5.1.iso +# Recursively download all ISOs +smbget -Rr smb://rhonwyn/isos +# Backup my data on rhonwyn +smbget -Rr smb://rhonwyn/ +</pre></div><div class="refsect1" lang="en"><a name="id307912"></a><h2>BUGS</h2><p>Permission denied is returned in some cases where the cause of the error is unknown +(such as an illegally formatted smb:// url or trying to get a directory without -R +turned on).</p></div><div class="refsect1" lang="en"><a name="id307923"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id307934"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The smbget manpage was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbgetrc.5.html b/docs/htmldocs/manpages/smbgetrc.5.html new file mode 100644 index 0000000000..ecc95a8ec3 --- /dev/null +++ b/docs/htmldocs/manpages/smbgetrc.5.html @@ -0,0 +1,17 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbgetrc</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbgetrc.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbgetrc — configuration file for smbget</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">smbgetrc</code></p></div><div class="refsect1" lang="en"><a name="id267669"></a><h2>DESCRIPTION</h2><p> + This manual page documents the format and options of the <span class="emphasis"><em>smbgetrc</em></span> + file. This is the configuration file used by the <a href="smbget.1.html"><span class="citerefentry"><span class="refentrytitle">smbget</span>(1)</span></a> + utility. The file contains of key-value pairs, one pair on each line. The key + and value should be separated by a space. + </p><p>By default, smbget reads its configuration from <span class="emphasis"><em>$HOME/.smbgetrc</em></span>, though + other locations can be specified using the command-line options.</p></div><div class="refsect1" lang="en"><a name="id267698"></a><h2>OPTIONS</h2><p> + The following keys can be set: +</p><div class="variablelist"><dl><dt><span class="term">resume on|off</span></dt><dd><p> + Whether aborted downloads should be automatically resumed. + </p></dd><dt><span class="term">recursive on|off</span></dt><dd><p>Whether directories should be downloaded recursively</p></dd><dt><span class="term">username <em class="replaceable"><code>name</code></em></span></dt><dd><p>Username to use when logging in to the remote server. Use an empty string for anonymous access. + </p></dd><dt><span class="term">password <em class="replaceable"><code>pass</code></em></span></dt><dd><p>Password to use when logging in.</p></dd><dt><span class="term">workgroup <em class="replaceable"><code>wg</code></em></span></dt><dd><p>Workgroup to use when logging in</p></dd><dt><span class="term">nonprompt on|off</span></dt><dd><p>Turns off asking for username and password. Useful for scripts.</p></dd><dt><span class="term">debuglevel <em class="replaceable"><code>int</code></em></span></dt><dd><p>(Samba) debuglevel to run at. Useful for tracking down protocol level problems.</p></dd><dt><span class="term">dots on|off</span></dt><dd><p>Whether a single dot should be printed for each block that has been downloaded, instead of the default progress indicator.</p></dd><dt><span class="term">blocksize <em class="replaceable"><code>int</code></em></span></dt><dd><p>Number of bytes to put in a block. </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266742"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266752"></a><h2>SEE ALSO</h2><p><a href="smbget.1.html"><span class="citerefentry"><span class="refentrytitle">smbget</span>(1)</span></a> and <a href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a>. + </p></div><div class="refsect1" lang="en"><a name="id266777"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>This manual page was written by Jelmer Vernooij</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbmnt.8.html b/docs/htmldocs/manpages/smbmnt.8.html new file mode 100644 index 0000000000..2706d6f556 --- /dev/null +++ b/docs/htmldocs/manpages/smbmnt.8.html @@ -0,0 +1,24 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbmnt</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbmnt.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbmnt — helper utility for mounting SMB filesystems</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbmnt</code> {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]</p></div></div><div class="refsect1" lang="en"><a name="id299231"></a><h2>DESCRIPTION</h2><p><code class="literal">smbmnt</code> is a helper application used + by the smbmount program to do the actual mounting of SMB shares. + <code class="literal">smbmnt</code> can be installed setuid root if you want + normal users to be able to mount their SMB shares.</p><p>A setuid smbmnt will only allow mounts on directories owned + by the user, and that the user has write permission on.</p><p>The <code class="literal">smbmnt</code> program is normally invoked + by <a href="smbmount.8.html"><span class="citerefentry"><span class="refentrytitle">smbmount</span>(8)</span></a>. It should not be invoked directly by users. </p><p>smbmount searches the normal PATH for smbmnt. You must ensure + that the smbmnt version in your path matches the smbmount used.</p></div><div class="refsect1" lang="en"><a name="id266713"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-r</span></dt><dd><p>mount the filesystem read-only + </p></dd><dt><span class="term">-u uid</span></dt><dd><p>specify the uid that the files will + be owned by </p></dd><dt><span class="term">-g gid</span></dt><dd><p>specify the gid that the files will be + owned by </p></dd><dt><span class="term">-f mask</span></dt><dd><p>specify the octal file mask applied + </p></dd><dt><span class="term">-d mask</span></dt><dd><p>specify the octal directory mask + applied </p></dd><dt><span class="term">-o options</span></dt><dd><p> + list of options that are passed as-is to smbfs, if this + command is run on a 2.4 or higher Linux kernel. + </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266803"></a><h2>AUTHOR</h2><p>Volker Lendecke, Andrew Tridgell, Michael H. Warfield + and others.</p><p>The current maintainer of smbfs and the userspace + tools <code class="literal">smbmount</code>, <code class="literal">smbumount</code>, + and <code class="literal">smbmnt</code> is <a href="mailto:urban@teststation.com" target="_top">Urban Widmark</a>. + The <a href="mailto:samba@samba.org" target="_top">SAMBA Mailing list</a> + is the preferred place to ask questions regarding these programs. + </p><p>The conversion of this manpage for Samba 2.2 was performed + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbmount.8.html b/docs/htmldocs/manpages/smbmount.8.html new file mode 100644 index 0000000000..4ff97eaecf --- /dev/null +++ b/docs/htmldocs/manpages/smbmount.8.html @@ -0,0 +1,110 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbmount</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbmount.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbmount — mount an smbfs filesystem</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbmount</code> {service} {mount-point} [-o options]</p></div></div><div class="refsect1" lang="en"><a name="id267695"></a><h2>DESCRIPTION</h2><p><code class="literal">smbmount</code> mounts a Linux SMB filesystem. It + is usually invoked as <code class="literal">mount.smbfs</code> by + the <a href="mount.8.html"><span class="citerefentry"><span class="refentrytitle">mount</span>(8)</span></a> command when using the + "-t smbfs" option. This command only works in Linux, and the kernel must + support the smbfs filesystem.</p><p>WARNING: <code class="literal">smbmount</code> is deprecated and not + maintained any longer. <code class="literal">mount.cifs</code> (mount -t cifs) + should be used instead of <code class="literal">smbmount</code>.</p><p>Options to <code class="literal">smbmount</code> are specified as a comma-separated + list of key=value pairs. It is possible to send options other + than those listed here, assuming that smbfs supports them. If + you get mount failures, check your kernel log for errors on + unknown options.</p><p><code class="literal">smbmount</code> is a daemon. After mounting it keeps running until + the mounted smbfs is umounted. It will log things that happen + when in daemon mode using the "machine name" smbmount, so + typically this output will end up in <code class="filename">log.smbmount</code>. The <code class="literal"> + smbmount</code> process may also be called mount.smbfs.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> <code class="literal">smbmount</code> + calls <a href="smbmnt.8.html"><span class="citerefentry"><span class="refentrytitle">smbmnt</span>(8)</span></a> to do the actual mount. You + must make sure that <code class="literal">smbmnt</code> is in the path so + that it can be found. </p></div></div><div class="refsect1" lang="en"><a name="id266728"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">username=<arg></span></dt><dd><p> + specifies the username to connect as. If this is not given, then the environment variable <code class="envar"> USER</code> + is used. This option can also take the form "user%password" or "user/workgroup" or "user/workgroup%password" + to allow the password and workgroup to be specified as part of the username. + </p></dd><dt><span class="term">password=<arg></span></dt><dd><p> + specifies the SMB password. If this option is not given then the environment + variable <code class="literal">PASSWD</code> is used. If it can find no password + <code class="literal">smbmount</code> will prompt for a password, unless the guest option is given. + </p><p> + Note that passwords which contain the argument delimiter character (i.e. a comma ',') will failed to be parsed + correctly on the command line. However, the same password defined in the PASSWD environment variable or a + credentials file (see below) will be read correctly. + </p></dd><dt><span class="term">credentials=<filename></span></dt><dd><p>specifies a file that contains a username and/or password. +The format of the file is: +</p><pre class="programlisting"> +username=value +password=value +</pre><p>This is preferred over having passwords in plaintext in a + shared file, such as <code class="filename">/etc/fstab</code>. Be sure to protect any + credentials file properly. + </p></dd><dt><span class="term">krb</span></dt><dd><p>Use kerberos (Active Directory). </p></dd><dt><span class="term">netbiosname=<arg></span></dt><dd><p>sets the source NetBIOS name. It defaults + to the local hostname. </p></dd><dt><span class="term">uid=<arg></span></dt><dd><p>sets the uid that will own all files on + the mounted filesystem. + It may be specified as either a username or a numeric uid. + </p></dd><dt><span class="term">gid=<arg></span></dt><dd><p>sets the gid that will own all files on + the mounted filesystem. + It may be specified as either a groupname or a numeric + gid. </p></dd><dt><span class="term">port=<arg></span></dt><dd><p>sets the remote SMB port number. The default + is 445, fallback is 139. </p></dd><dt><span class="term">fmask=<arg></span></dt><dd><p>sets the file mask. This determines the + permissions that remote files have in the local filesystem. + This is not a umask, but the actual permissions for the files. + The default is based on the current umask. </p></dd><dt><span class="term">dmask=<arg></span></dt><dd><p>Sets the directory mask. This determines the + permissions that remote directories have in the local filesystem. + This is not a umask, but the actual permissions for the directories. + The default is based on the current umask. </p></dd><dt><span class="term">debug=<arg></span></dt><dd><p>Sets the debug level. This is useful for + tracking down SMB connection problems. A suggested value to + start with is 4. If set too high there will be a lot of + output, possibly hiding the useful output.</p></dd><dt><span class="term">ip=<arg></span></dt><dd><p>Sets the destination host or IP address. + </p></dd><dt><span class="term">workgroup=<arg></span></dt><dd><p>Sets the workgroup on the destination </p></dd><dt><span class="term">sockopt=<arg></span></dt><dd><p>Sets the TCP socket options. See the <a href="smb.conf.5.html#SOCKETOPTIONS" target="_top"><a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a></a> <em class="parameter"><code>socket options</code></em> option. + </p></dd><dt><span class="term">scope=<arg></span></dt><dd><p>Sets the NetBIOS scope </p></dd><dt><span class="term">guest</span></dt><dd><p>Don't prompt for a password </p></dd><dt><span class="term">ro</span></dt><dd><p>mount read-only </p></dd><dt><span class="term">rw</span></dt><dd><p>mount read-write </p></dd><dt><span class="term">iocharset=<arg></span></dt><dd><p> + sets the charset used by the Linux side for codepage + to charset translations (NLS). Argument should be the + name of a charset, like iso8859-1. (Note: only kernel + 2.4.0 or later) + </p></dd><dt><span class="term">codepage=<arg></span></dt><dd><p> + sets the codepage the server uses. See the iocharset + option. Example value cp850. (Note: only kernel 2.4.0 + or later) + </p></dd><dt><span class="term">ttl=<arg></span></dt><dd><p> + sets how long a directory listing is cached in milliseconds + (also affects visibility of file size and date + changes). A higher value means that changes on the + server take longer to be noticed but it can give + better performance on large directories, especially + over long distances. Default is 1000ms but something + like 10000ms (10 seconds) is probably more reasonable + in many cases. + (Note: only kernel 2.4.2 or later) + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id307924"></a><h2>ENVIRONMENT VARIABLES</h2><p>The variable <code class="envar">USER</code> may contain the username of the + person using the client. This information is used only if the + protocol level is high enough to support session-level + passwords. The variable can be used to set both username and + password by using the format username%password.</p><p>The variable <code class="envar">PASSWD</code> may contain the password of the + person using the client. This information is used only if the + protocol level is high enough to support session-level + passwords.</p><p>The variable <code class="envar">PASSWD_FILE</code> may contain the pathname + of a file to read the password from. A single line of input is + read and used as the password.</p></div><div class="refsect1" lang="en"><a name="id307955"></a><h2>OTHER COMMANDS</h2><p> + File systems that have been mounted using the <code class="literal">smbmount</code> + can be unmounted using the <code class="literal">smbumount</code> or the UNIX system + <code class="literal">umount</code> command. + </p></div><div class="refsect1" lang="en"><a name="id307984"></a><h2>BUGS</h2><p>Passwords and other options containing , can not be handled. + For passwords an alternative way of passing them is in a credentials + file or in the PASSWD environment.</p><p>The credentials file does not handle usernames or passwords with + leading space.</p><p>One smbfs bug is important enough to mention here, even if it + is a bit misplaced:</p><div class="itemizedlist"><ul type="disc"><li><p>Mounts sometimes stop working. This is usually + caused by smbmount terminating. Since smbfs needs smbmount to + reconnect when the server disconnects, the mount will eventually go + dead. An umount/mount normally fixes this. At least 2 ways to + trigger this bug are known.</p></li></ul></div><p>Note that the typical response to a bug report is suggestion + to try the latest version first. So please try doing that first, + and always include which versions you use of relevant software + when reporting bugs (minimum: samba, kernel, distribution)</p></div><div class="refsect1" lang="en"><a name="id308018"></a><h2>SEE ALSO</h2><p>Documentation/filesystems/smbfs.txt in the linux kernel + source tree may contain additional options and information.</p><p>FreeBSD also has a smbfs, but it is not related to smbmount</p><p>For Solaris, HP-UX and others you may want to look at <a href="smbsh.1.html"><span class="citerefentry"><span class="refentrytitle">smbsh</span>(1)</span></a> or at other solutions, such as + Sharity or perhaps replacing the SMB server with a NFS server.</p></div><div class="refsect1" lang="en"><a name="id308046"></a><h2>AUTHOR</h2><p>Volker Lendecke, Andrew Tridgell, Michael H. Warfield + and others.</p><p>The current maintainer of smbfs and the userspace + tools <code class="literal">smbmount</code>, <code class="literal">smbumount</code>, + and <code class="literal">smbmnt</code> is <a href="mailto:urban@teststation.com" target="_top">Urban Widmark</a>. + The <a href="mailto:samba@samba.org" target="_top">SAMBA Mailing list</a> + is the preferred place to ask questions regarding these programs. + </p><p>The conversion of this manpage for Samba 2.2 was performed + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbpasswd.5.html b/docs/htmldocs/manpages/smbpasswd.5.html new file mode 100644 index 0000000000..53073de8ff --- /dev/null +++ b/docs/htmldocs/manpages/smbpasswd.5.html @@ -0,0 +1,91 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbpasswd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbpasswd.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbpasswd — The Samba encrypted password file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">smbpasswd</code></p></div><div class="refsect1" lang="en"><a name="id267669"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past. </p></div><div class="refsect1" lang="en"><a name="id267694"></a><h2>FILE FORMAT</h2><p>The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix <code class="filename">passwd(5)</code> + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: </p><div class="variablelist"><dl><dt><span class="term">name</span></dt><dd><p> This is the user name. It must be a name that + already exists in the standard UNIX passwd file. </p></dd><dt><span class="term">uid</span></dt><dd><p>This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. + </p></dd><dt><span class="term">Lanman Password Hash</span></dt><dd><p>This is the LANMAN hash of the user's password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the user's password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the user's account is marked as + <code class="constant">disabled</code> and the user will not be able to + log onto the Samba server. </p><p><span class="emphasis"><em>WARNING !!</em></span> Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <span class="emphasis"><em>plain text + equivalents</em></span> and must <span class="emphasis"><em>NOT</em></span> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </p></dd><dt><span class="term">NT Password Hash</span></dt><dd><p>This is the Windows NT hash of the user's + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the user's password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it. </p><p>This password hash is considered more secure than + the LANMAN Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is). </p><p><span class="emphasis"><em>WARNING !!</em></span>. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <span class="emphasis"><em>plain text + equivalents</em></span> and must <span class="emphasis"><em>NOT</em></span> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </p></dd><dt><span class="term">Account Flags</span></dt><dd><p>This section contains flags that describe + the attributes of the users account. This field is bracketed by + '[' and ']' characters and is always 13 characters in length + (including the '[' and ']' characters). + The contents of this field may be any of the following characters: + </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>U</em></span> - This means + this is a "User" account, i.e. an ordinary user.</p></li><li><p><span class="emphasis"><em>N</em></span> - This means the + account has no password (the passwords in the fields LANMAN + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the <em class="parameter"><code> + null passwords</code></em> parameter is set in the + <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> config file. </p></li><li><p><span class="emphasis"><em>D</em></span> - This means the account + is disabled and no SMB/CIFS logins will be allowed for this user. </p></li><li><p><span class="emphasis"><em>X</em></span> - This means the password + does not expire. </p></li><li><p><span class="emphasis"><em>W</em></span> - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC. </p></li></ul></div><p>Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces. For further + information regarding the flags that are supported please refer to the + man page for the <code class="literal">pdbedit</code> command.</p></dd><dt><span class="term">Last Change Time</span></dt><dd><p>This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. + </p></dd></dl></div><p>All other colon separated fields are ignored at this time.</p></div><div class="refsect1" lang="en"><a name="id266838"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266848"></a><h2>SEE ALSO</h2><p><a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a>, and + the Internet RFC1321 for details on the MD4 algorithm. + </p></div><div class="refsect1" lang="en"><a name="id266895"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbpasswd.8.html b/docs/htmldocs/manpages/smbpasswd.8.html new file mode 100644 index 0000000000..6c200b6e9e --- /dev/null +++ b/docs/htmldocs/manpages/smbpasswd.8.html @@ -0,0 +1,171 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbpasswd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbpasswd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbpasswd — change a user's SMB password</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbpasswd</code> [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-W] [-i] [-L] [username]</p></div></div><div class="refsect1" lang="en"><a name="id266733"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The smbpasswd program has several different + functions, depending on whether it is run by the <span class="emphasis"><em>root</em></span> user + or not. When run as a normal user it allows the user to change + the password used for their SMB sessions on any machines that store + SMB passwords. </p><p>By default (when run with no arguments) it will attempt to + change the current user's SMB password on the local machine. This is + similar to the way the <code class="literal">passwd(1)</code> program works. <code class="literal"> + smbpasswd</code> differs from how the passwd program works + however in that it is not <span class="emphasis"><em>setuid root</em></span> but works in + a client-server mode and communicates with a + locally running <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>. As a consequence in order for this to + succeed the smbd daemon must be running on the local machine. On a + UNIX machine the encrypted SMB passwords are usually stored in + the <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file. </p><p>When run by an ordinary user with no options, smbpasswd + will prompt them for their old SMB password and then ask them + for their new password twice, to ensure that the new password + was typed correctly. No passwords will be echoed on the screen + whilst being typed. If you have a blank SMB password (specified by + the string "NO PASSWORD" in the smbpasswd file) then just press + the <Enter> key when asked for your old password. </p><p>smbpasswd can also be used by a normal user to change their + SMB password on remote machines, such as Windows NT Primary Domain + Controllers. See the (<em class="parameter"><code>-r</code></em>) and <em class="parameter"><code>-U</code></em> options + below. </p><p>When run by root, smbpasswd allows new users to be added + and deleted in the smbpasswd file, as well as allows changes to + the attributes of the user in this file to be made. When run by root, <code class="literal"> + smbpasswd</code> accesses the local smbpasswd file + directly, thus enabling changes to be made even if smbd is not + running. </p></div><div class="refsect1" lang="en"><a name="id266836"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-a</span></dt><dd><p> + This option specifies that the username following should be added to the local smbpasswd file, with the new + password typed (type <Enter> for the old password). This option is ignored if the username following + already exists in the smbpasswd file and it is treated like a regular change password command. Note that the + default passdb backends require the user to already exist in the system password file (usually + <code class="filename">/etc/passwd</code>), else the request to add the user will fail. + </p><p>This option is only available when running smbpasswd + as root. </p></dd><dt><span class="term">-c</span></dt><dd><p> + This option can be used to specify the path and file name of the <code class="filename">smb.conf</code> configuration file when it + is important to use other than the default file and / or location. + </p></dd><dt><span class="term">-x</span></dt><dd><p> + This option specifies that the username following should be deleted from the local smbpasswd file. + </p><p> + This option is only available when running smbpasswd as root. + </p></dd><dt><span class="term">-d</span></dt><dd><p>This option specifies that the username following + should be <code class="constant">disabled</code> in the local smbpasswd + file. This is done by writing a <code class="constant">'D'</code> flag + into the account control space in the smbpasswd file. Once this + is done all attempts to authenticate via SMB using this username + will fail. </p><p>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 + format) there is no space in the user's password entry to write + this information and the command will FAIL. See <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> for details on the 'old' and new password file formats. + </p><p>This option is only available when running smbpasswd as + root.</p></dd><dt><span class="term">-e</span></dt><dd><p>This option specifies that the username following + should be <code class="constant">enabled</code> in the local smbpasswd file, + if the account was previously disabled. If the account was not + disabled this option has no effect. Once the account is enabled then + the user will be able to authenticate via SMB once again. </p><p>If the smbpasswd file is in the 'old' format, then <code class="literal"> + smbpasswd</code> will FAIL to enable the account. + See <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> for + details on the 'old' and new password file formats. </p><p>This option is only available when running smbpasswd as root. + </p></dd><dt><span class="term">-D debuglevel</span></dt><dd><p><em class="replaceable"><code>debuglevel</code></em> is an integer + from 0 to 10. The default value if this parameter is not specified + is zero. </p><p>The higher this value, the more detail will be logged to the + log files about the activities of smbpasswd. At level 0, only + critical errors and serious warnings will be logged. </p><p>Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. Levels + above 3 are designed for use only by developers and generate + HUGE amounts of log data, most of which is extremely cryptic. + </p></dd><dt><span class="term">-n</span></dt><dd><p>This option specifies that the username following + should have their password set to null (i.e. a blank password) in + the local smbpasswd file. This is done by writing the string "NO + PASSWORD" as the first part of the first password stored in the + smbpasswd file. </p><p>Note that to allow users to logon to a Samba server once + the password has been set to "NO PASSWORD" in the smbpasswd + file the administrator must set the following parameter in the [global] + section of the <code class="filename">smb.conf</code> file : </p><p><code class="literal">null passwords = yes</code></p><p>This option is only available when running smbpasswd as + root.</p></dd><dt><span class="term">-r remote machine name</span></dt><dd><p>This option allows a user to specify what machine + they wish to change their password on. Without this parameter + smbpasswd defaults to the local host. The <em class="replaceable"><code>remote + machine name</code></em> is the NetBIOS name of the SMB/CIFS + server to contact to attempt the password change. This name is + resolved into an IP address using the standard name resolution + mechanism in all programs of the Samba suite. See the <em class="parameter"><code>-R + name resolve order</code></em> parameter for details on changing + this resolving mechanism. </p><p>The username whose password is changed is that of the + current UNIX logged on user. See the <em class="parameter"><code>-U username</code></em> + parameter for details on changing the password for a different + username. </p><p>Note that if changing a Windows NT Domain password the + remote machine specified must be the Primary Domain Controller for + the domain (Backup Domain Controllers only have a read-only + copy of the user account database and will not allow the password + change).</p><p><span class="emphasis"><em>Note</em></span> that Windows 95/98 do not have + a real password database so it is not possible to change passwords + specifying a Win95/98 machine as remote machine target. </p></dd><dt><span class="term">-R name resolve order</span></dt><dd><p>This option allows the user of smbpasswd to determine + what name resolution services to use when looking up the NetBIOS + name of the host being connected to. </p><p>The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows: </p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">lmhosts</code>: Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <a href="lmhosts.5.html"><span class="citerefentry"><span class="refentrytitle">lmhosts</span>(5)</span></a> for details) then + any name type matches for lookup.</p></li><li><p><code class="constant">host</code>: Do a standard host + name to IP address resolution, using the system <code class="filename">/etc/hosts + </code>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <code class="filename">/etc/nsswitch.conf</code> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</p></li><li><p><code class="constant">wins</code>: Query a name with + the IP address listed in the <em class="parameter"><code>wins server</code></em> + parameter. If no WINS server has been specified this method + will be ignored.</p></li><li><p><code class="constant">bcast</code>: Do a broadcast on + each of the known local interfaces listed in the + <em class="parameter"><code>interfaces</code></em> parameter. This is the least + reliable of the name resolution methods as it depends on the + target host being on a locally connected subnet.</p></li></ul></div><p>The default order is <code class="literal">lmhosts, host, wins, bcast</code> + and without this parameter or any entry in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file the name resolution methods will + be attempted in this order. </p></dd><dt><span class="term">-m</span></dt><dd><p>This option tells smbpasswd that the account + being changed is a MACHINE account. Currently this is used + when Samba is being used as an NT Primary Domain Controller.</p><p>This option is only available when running smbpasswd as root. + </p></dd><dt><span class="term">-U username</span></dt><dd><p>This option may only be used in conjunction + with the <em class="parameter"><code>-r</code></em> option. When changing + a password on a remote machine it allows the user to specify + the user name on that machine whose password will be changed. It + is present to allow users who have different user names on + different systems to change these passwords. </p></dd><dt><span class="term">-h</span></dt><dd><p>This option prints the help string for <code class="literal"> + smbpasswd</code>, selecting the correct one for running as root + or as an ordinary user. </p></dd><dt><span class="term">-s</span></dt><dd><p>This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read its old and new passwords from + standard input, rather than from <code class="filename">/dev/tty</code> + (like the <code class="literal">passwd(1)</code> program does). This option + is to aid people writing scripts to drive smbpasswd</p></dd><dt><span class="term">-w password</span></dt><dd><p>This parameter is only available if Samba + has been compiled with LDAP support. The <em class="parameter"><code>-w</code></em> + switch is used to specify the password to be used with the + <a class="indexterm" name="id308169"></a>ldap admin dn. Note that the password is stored in + the <code class="filename">secrets.tdb</code> and is keyed off + of the admin's DN. This means that if the value of <em class="parameter"><code>ldap + admin dn</code></em> ever changes, the password will need to be + manually updated as well. + </p></dd><dt><span class="term">-W</span></dt><dd><p><code class="literal">NOTE: </code> This option is same as "-w" + except that the password should be entered using stdin. + </p><p>This parameter is only available if Samba + has been compiled with LDAP support. The <em class="parameter"><code>-W</code></em> + switch is used to specify the password to be used with the + <a class="indexterm" name="id308217"></a>ldap admin dn. Note that the password is stored in + the <code class="filename">secrets.tdb</code> and is keyed off + of the admin's DN. This means that if the value of <em class="parameter"><code>ldap + admin dn</code></em> ever changes, the password will need to be + manually updated as well. + </p></dd><dt><span class="term">-i</span></dt><dd><p>This option tells smbpasswd that the account + being changed is an interdomain trust account. Currently this is used + when Samba is being used as an NT Primary Domain Controller. + The account contains the info about another trusted domain.</p><p>This option is only available when running smbpasswd as root. + </p></dd><dt><span class="term">-L</span></dt><dd><p>Run in local mode.</p></dd><dt><span class="term">username</span></dt><dd><p>This specifies the username for all of the + <span class="emphasis"><em>root only</em></span> options to operate on. Only root + can specify this parameter as only root has the permission needed + to modify attributes directly in the local smbpasswd file. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308287"></a><h2>NOTES</h2><p>Since <code class="literal">smbpasswd</code> works in client-server + mode communicating with a local smbd for a non-root user then + the smbd daemon must be running for this to work. A common problem + is to add a restriction to the hosts that may access the <code class="literal"> + smbd</code> running on the local machine by specifying either <em class="parameter"><code>allow + hosts</code></em> or <em class="parameter"><code>deny hosts</code></em> entry in + the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file and neglecting to + allow "localhost" access to the smbd. </p><p>In addition, the smbpasswd command is only useful if Samba + has been set up to use encrypted passwords. </p></div><div class="refsect1" lang="en"><a name="id308336"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308346"></a><h2>SEE ALSO</h2><p><a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>, <a href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id308371"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbsh.1.html b/docs/htmldocs/manpages/smbsh.1.html new file mode 100644 index 0000000000..461a87d909 --- /dev/null +++ b/docs/htmldocs/manpages/smbsh.1.html @@ -0,0 +1,108 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbsh</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbsh.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbsh — Allows access to remote SMB shares + using UNIX commands</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbsh</code> [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logdir] [-L libdir]</p></div></div><div class="refsect1" lang="en"><a name="id267042"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">smbsh</code> allows you to access an NT filesystem + using UNIX commands such as <code class="literal">ls</code>, <code class="literal"> + egrep</code>, and <code class="literal">rcp</code>. You must use a + shell that is dynamically linked in order for <code class="literal">smbsh</code> + to work correctly.</p></div><div class="refsect1" lang="en"><a name="id267092"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-W WORKGROUP</span></dt><dd><p>Override the default workgroup specified in the + workgroup parameter of the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file + for this session. This may be needed to connect to some + servers. </p></dd><dt><span class="term">-U username[%pass]</span></dt><dd><p>Sets the SMB username or username and password. + If this option is not specified, the user will be prompted for + both the username and the password. If %pass is not specified, + the user will be prompted for the password. + </p></dd><dt><span class="term">-P prefix</span></dt><dd><p>This option allows + the user to set the directory prefix for SMB access. The + default value if this option is not specified is + <span class="emphasis"><em>smb</em></span>. + </p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266730"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-R <name resolve order></span></dt><dd><p>This option is used to determine what naming +services and in what order to resolve +host names to IP addresses. The option takes a space-separated +string of different name resolution options.</p><p>The options are: "lmhosts", "host", "wins" and "bcast". +They cause names to be resolved as follows :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">lmhosts</code>: +Lookup an IP address in the Samba lmhosts file. If the +line in lmhosts has no name type attached to the +NetBIOS name +(see the <a href="lmhosts.5.html"><span class="citerefentry"><span class="refentrytitle">lmhosts</span>(5)</span></a> for details) +then any name type matches for lookup. +</p></li><li><p><code class="constant">host</code>: +Do a standard host name to IP address resolution, using +the system <code class="filename">/etc/hosts</code>, NIS, or DNS +lookups. This method of name resolution is operating +system dependent, for instance on IRIX or Solaris this +may be controlled by the <code class="filename">/etc/nsswitch.conf +</code> file). Note that this method is only used +if the NetBIOS name type being queried is the 0x20 +(server) name type, otherwise it is ignored. +</p></li><li><p><code class="constant">wins</code>: +Query a name with the IP address listed in the +<em class="parameter"><code>wins server</code></em> parameter. If no +WINS server has been specified this method will be +ignored. +</p></li><li><p><code class="constant">bcast</code>: +Do a broadcast on each of the known local interfaces +listed in the <em class="parameter"><code>interfaces</code></em> +parameter. This is the least reliable of the name +resolution methods as it depends on the target host +being on a locally connected subnet. +</p></li></ul></div><p>If this parameter is not set then the name resolve order +defined in the <code class="filename">smb.conf</code> file parameter +(<a class="indexterm" name="id266838"></a>) will be used. +</p><p>The default order is lmhosts, host, wins, bcast. Without +this parameter or any entry in the <a class="indexterm" name="id266848"></a> parameter of the <code class="filename">smb.conf</code> file, the name +resolution methods will be attempted in this order. </p></dd><dt><span class="term">-L libdir</span></dt><dd><p>This parameter specifies the location of the + shared libraries used by <code class="literal">smbsh</code>. The default + value is specified at compile time. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266882"></a><h2>EXAMPLES</h2><p>To use the <code class="literal">smbsh</code> command, execute <code class="literal"> + smbsh</code> from the prompt and enter the username and password + that authenticates you to the machine running the Windows NT + operating system. +</p><pre class="programlisting"> +<code class="prompt">system% </code><strong class="userinput"><code>smbsh</code></strong> +<code class="prompt">Username: </code><strong class="userinput"><code>user</code></strong> +<code class="prompt">Password: </code><strong class="userinput"><code>XXXXXXX</code></strong> +</pre><p>Any dynamically linked command you execute from + this shell will access the <code class="filename">/smb</code> directory + using the smb protocol. For example, the command <code class="literal">ls /smb + </code> will show a list of workgroups. The command + <code class="literal">ls /smb/MYGROUP </code> will show all the machines in + the workgroup MYGROUP. The command + <code class="literal">ls /smb/MYGROUP/<machine-name></code> will show the share + names for that machine. You could then, for example, use the <code class="literal"> + cd</code> command to change directories, <code class="literal">vi</code> to + edit files, and <code class="literal">rcp</code> to copy files.</p></div><div class="refsect1" lang="en"><a name="id307941"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id307951"></a><h2>BUGS</h2><p><code class="literal">smbsh</code> works by intercepting the standard + libc calls with the dynamically loaded versions in <code class="filename"> + smbwrapper.o</code>. Not all calls have been "wrapped", so + some programs may not function correctly under <code class="literal">smbsh + </code>.</p><p>Programs which are not dynamically linked cannot make + use of <code class="literal">smbsh</code>'s functionality. Most versions + of UNIX have a <code class="literal">file</code> command that will + describe how a program was linked.</p></div><div class="refsect1" lang="en"><a name="id307996"></a><h2>SEE ALSO</h2><p><a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a></p></div><div class="refsect1" lang="en"><a name="id308019"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbspool.8.html b/docs/htmldocs/manpages/smbspool.8.html new file mode 100644 index 0000000000..f3cd58c85f --- /dev/null +++ b/docs/htmldocs/manpages/smbspool.8.html @@ -0,0 +1,36 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbspool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbspool.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbspool — send a print file to an SMB printer</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbspool</code> {job} {user} {title} {copies} {options} [filename]</p></div></div><div class="refsect1" lang="en"><a name="id299208"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>smbspool is a very small print spooling program that + sends a print file to an SMB printer. The command-line arguments + are position-dependent for compatibility with the Common UNIX + Printing System, but you can use smbspool with any printing system + or from a program or script.</p><p><span class="emphasis"><em>DEVICE URI</em></span></p><p>smbspool specifies the destination using a Uniform Resource + Identifier ("URI") with a method of "smb". This string can take + a number of forms:</p><div class="itemizedlist"><ul type="disc"><li><p>smb://server[:port]/printer</p></li><li><p>smb://workgroup/server[:port]/printer</p></li><li><p>smb://username:password@server[:port]/printer</p></li><li><p>smb://username:password@workgroup/server[:port]/printer</p></li></ul></div><p>smbspool tries to get the URI from the environment variable + <code class="envar">DEVICE_URI</code>. If <code class="envar">DEVICE_URI</code> is not present, + smbspool will use argv[0] if that starts with “<span class="quote">smb://</span>” + or argv[1] if that is not the case.</p><p>Programs using the <code class="literal">exec(2)</code> functions can + pass the URI in argv[0], while shell scripts must set the + <code class="envar">DEVICE_URI</code> environment variable prior to + running smbspool.</p></div><div class="refsect1" lang="en"><a name="id266725"></a><h2>OPTIONS</h2><div class="itemizedlist"><ul type="disc"><li><p>The job argument (argv[1]) contains the + job ID number and is presently not used by smbspool. + </p></li><li><p>The user argument (argv[2]) contains the + print user's name and is presently not used by smbspool. + </p></li><li><p>The title argument (argv[3]) contains the + job title string and is passed as the remote file name + when sending the print job.</p></li><li><p>The copies argument (argv[4]) contains + the number of copies to be printed of the named file. If + no filename is provided then this argument is not used by + smbspool.</p></li><li><p>The options argument (argv[5]) contains + the print options in a single string and is currently + not used by smbspool.</p></li><li><p>The filename argument (argv[6]) contains the + name of the file to print. If this argument is not specified + then the print file is read from the standard input.</p></li></ul></div></div><div class="refsect1" lang="en"><a name="id266769"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266779"></a><h2>SEE ALSO</h2><p><a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id266804"></a><h2>AUTHOR</h2><p><code class="literal">smbspool</code> was written by Michael Sweet + at Easy Software Products.</p><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbstatus.1.html b/docs/htmldocs/manpages/smbstatus.1.html new file mode 100644 index 0000000000..abef01c4f9 --- /dev/null +++ b/docs/htmldocs/manpages/smbstatus.1.html @@ -0,0 +1,41 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbstatus</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbstatus.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbstatus — report on current Samba connections</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbstatus</code> [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]</p></div></div><div class="refsect1" lang="en"><a name="id299237"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">smbstatus</code> is a very simple program to + list the current Samba connections.</p></div><div class="refsect1" lang="en"><a name="id299264"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-P|--profile</span></dt><dd><p>If samba has been compiled with the + profiling option, print only the contents of the profiling + shared memory area.</p></dd><dt><span class="term">-b|--brief</span></dt><dd><p>gives brief output.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266758"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-v|--verbose</span></dt><dd><p>gives verbose output.</p></dd><dt><span class="term">-L|--locks</span></dt><dd><p>causes smbstatus to only list locks.</p></dd><dt><span class="term">-B|--byterange</span></dt><dd><p>causes smbstatus to include byte range locks. + </p></dd><dt><span class="term">-p|--processes</span></dt><dd><p>print a list of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> processes and exit. + Useful for scripting.</p></dd><dt><span class="term">-S|--shares</span></dt><dd><p>causes smbstatus to only list shares.</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-u|--user=<username></span></dt><dd><p>selects information relevant to <em class="parameter"><code>username</code></em> only.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266940"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266951"></a><h2>SEE ALSO</h2><p><a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id266976"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbtar.1.html b/docs/htmldocs/manpages/smbtar.1.html new file mode 100644 index 0000000000..1049c82908 --- /dev/null +++ b/docs/htmldocs/manpages/smbtar.1.html @@ -0,0 +1,39 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbtar</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbtar.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbtar — shell script for backing up SMB/CIFS shares + directly to UNIX tape drives</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbtar</code> [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}</p></div></div><div class="refsect1" lang="en"><a name="id299276"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">smbtar</code> is a very small shell script on top + of <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a> which dumps SMB shares directly to tape.</p></div><div class="refsect1" lang="en"><a name="id266744"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-s server</span></dt><dd><p>The SMB/CIFS server that the share resides + upon.</p></dd><dt><span class="term">-x service</span></dt><dd><p>The share name on the server to connect to. + The default is "backup".</p></dd><dt><span class="term">-X</span></dt><dd><p>Exclude mode. Exclude filenames... from tar + create or restore. </p></dd><dt><span class="term">-d directory</span></dt><dd><p>Change to initial <em class="parameter"><code>directory + </code></em> before restoring / backing up files. </p></dd><dt><span class="term">-v</span></dt><dd><p>Verbose mode.</p></dd><dt><span class="term">-p password</span></dt><dd><p>The password to use to access a share. + Default: none </p></dd><dt><span class="term">-u user</span></dt><dd><p>The user id to connect as. Default: + UNIX login name. </p></dd><dt><span class="term">-a</span></dt><dd><p>Reset DOS archive bit mode to + indicate file has been archived. </p></dd><dt><span class="term">-t tape</span></dt><dd><p>Tape device. May be regular file or tape + device. Default: <em class="parameter"><code>$TAPE</code></em> environmental + variable; if not set, a file called <code class="filename">tar.out + </code>. </p></dd><dt><span class="term">-b blocksize</span></dt><dd><p>Blocking factor. Defaults to 20. See + <code class="literal">tar(1)</code> for a fuller explanation. </p></dd><dt><span class="term">-N filename</span></dt><dd><p>Backup only files newer than filename. Could + be used (for example) on a log file to implement incremental + backups. </p></dd><dt><span class="term">-i</span></dt><dd><p>Incremental mode; tar files are only backed + up if they have the archive bit set. The archive bit is reset + after each file is read. </p></dd><dt><span class="term">-r</span></dt><dd><p>Restore. Files are restored to the share + from the tar file. </p></dd><dt><span class="term">-l log level</span></dt><dd><p>Log (debug) level. Corresponds to the + <em class="parameter"><code>-d</code></em> flag of <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266975"></a><h2>ENVIRONMENT VARIABLES</h2><p>The <em class="parameter"><code>$TAPE</code></em> variable specifies the + default tape device to write to. May be overridden + with the -t option. </p></div><div class="refsect1" lang="en"><a name="id266992"></a><h2>BUGS</h2><p>The <code class="literal">smbtar</code> script has different + options from ordinary tar and from smbclient's tar command. </p></div><div class="refsect1" lang="en"><a name="id267008"></a><h2>CAVEATS</h2><p>Sites that are more careful about security may not like + the way the script handles PC passwords. Backup and restore work + on entire shares; should work on file lists. smbtar works best + with GNU tar and may not work well with other versions. </p></div><div class="refsect1" lang="en"><a name="id267020"></a><h2>DIAGNOSTICS</h2><p>See the <span class="emphasis"><em>DIAGNOSTICS</em></span> section for the <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a> command.</p></div><div class="refsect1" lang="en"><a name="id307900"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id307910"></a><h2>SEE ALSO</h2><p><a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id307943"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p><a href="mailto:poultenr@logica.co.uk" target="_top">Ricky Poulten</a> + wrote the tar extension and this man page. The <code class="literal">smbtar</code> + script was heavily rewritten and improved by <a href="mailto:Martin.Kraemer@mch.sni.de" target="_top">Martin Kraemer</a>. Many + thanks to everyone who suggested extensions, improvements, bug + fixes, etc. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbtree.1.html b/docs/htmldocs/manpages/smbtree.1.html new file mode 100644 index 0000000000..c221a1b77b --- /dev/null +++ b/docs/htmldocs/manpages/smbtree.1.html @@ -0,0 +1,74 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbtree</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbtree.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbtree — A text based smb network browser + </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbtree</code> [-b] [-D] [-S]</p></div></div><div class="refsect1" lang="en"><a name="id267694"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">smbtree</code> is a smb browser program + in text mode. It is similar to the "Network Neighborhood" found + on Windows computers. It prints a tree with all + the known domains, the servers in those domains and + the shares on the servers. + </p></div><div class="refsect1" lang="en"><a name="id299211"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-b</span></dt><dd><p>Query network nodes by sending requests + as broadcasts instead of querying the local master browser. + </p></dd><dt><span class="term">-D</span></dt><dd><p>Only print a list of all + the domains known on broadcast or by the + master browser</p></dd><dt><span class="term">-S</span></dt><dd><p>Only print a list of + all the domains and servers responding on broadcast or + known by the master browser. + </p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266718"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-N</span></dt><dd><p>If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password. </p><p>Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.</p><p>If a password is specified on the command line and this +option is also defined the password on the command line will +be silently ingnored and no password will be used.</p></dd><dt><span class="term">-k</span></dt><dd><p> +Try to authenticate with kerberos. Only useful in +an Active Directory environment. +</p></dd><dt><span class="term">-A|--authentication-file=filename</span></dt><dd><p>This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +</p><pre class="programlisting"> +username = <value> +password = <value> +domain = <value> +</pre><p>Make certain that the permissions on the file restrict +access from unwanted users. </p></dd><dt><span class="term">-U|--user=username[%password]</span></dt><dd><p>Sets the SMB username or username and password. </p><p>If %password is not specified, the user will be prompted. The +client will first check the <code class="envar">USER</code> environment variable, then the +<code class="envar">LOGNAME</code> variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username <code class="constant">GUEST</code> is used. </p><p>A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +<em class="parameter"><code>-A</code></em> for more details. </p><p>Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the <code class="literal">ps</code> command. To be safe always allow +<code class="literal">rpcclient</code> to prompt for a password and type +it in directly. </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266925"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba + suite.</p></div><div class="refsect1" lang="en"><a name="id266935"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The smbtree man page was written by Jelmer Vernooij. </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/smbumount.8.html b/docs/htmldocs/manpages/smbumount.8.html new file mode 100644 index 0000000000..85b58cf5c2 --- /dev/null +++ b/docs/htmldocs/manpages/smbumount.8.html @@ -0,0 +1,17 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbumount</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbumount.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbumount — smbfs umount for normal users</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbumount</code> {mount-point}</p></div></div><div class="refsect1" lang="en"><a name="id267679"></a><h2>DESCRIPTION</h2><p>With this program, normal users can unmount smb-filesystems, + provided that it is suid root. <code class="literal">smbumount</code> has + been written to give normal Linux users more control over their + resources. It is safe to install this program suid root, because only + the user who has mounted a filesystem is allowed to unmount it again. + For root it is not necessary to use smbumount. The normal umount + program works perfectly well.</p><p>WARNING: <code class="literal">smbumount</code> is deprecated and not + maintained any longer. <code class="literal">umount.cifs</code> + should be used instead of <code class="literal">smbumount</code>.</p></div><div class="refsect1" lang="en"><a name="id299210"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">mount-point</span></dt><dd><p>The directory to unmount.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299231"></a><h2>SEE ALSO</h2><p><a href="smbmount.8.html"><span class="citerefentry"><span class="refentrytitle">smbmount</span>(8)</span></a></p></div><div class="refsect1" lang="en"><a name="id299246"></a><h2>AUTHOR</h2><p>Volker Lendecke, Andrew Tridgell, Michael H. Warfield + and others.</p><p>The current maintainer of smbfs and the userspace + tools <code class="literal">smbmount</code>, <code class="literal">smbumount</code>, + and <code class="literal">smbmnt</code> is <a href="mailto:urban@teststation.com" target="_top">Urban Widmark</a>. + The <a href="mailto:samba@samba.org" target="_top">SAMBA Mailing list</a> + is the preferred place to ask questions regarding these programs. + </p><p>The conversion of this manpage for Samba 2.2 was performed + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/swat.8.html b/docs/htmldocs/manpages/swat.8.html new file mode 100644 index 0000000000..267e25db78 --- /dev/null +++ b/docs/htmldocs/manpages/swat.8.html @@ -0,0 +1,88 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>swat</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="swat.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>swat — Samba Web Administration Tool</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">swat</code> [-s <smb config file>] [-a] [-P]</p></div></div><div class="refsect1" lang="en"><a name="id267689"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">swat</code> allows a Samba administrator to + configure the complex <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file via a Web browser. In addition, + a <code class="literal">swat</code> configuration page has help links + to all the configurable options in the <code class="filename">smb.conf</code> file allowing an + administrator to easily look up the effects of any change. </p><p><code class="literal">swat</code> is run from <code class="literal">inetd</code> </p></div><div class="refsect1" lang="en"><a name="id267070"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-s smb configuration file</span></dt><dd><p>The default configuration file path is + determined at compile time. The file specified contains + the configuration details required by the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> server. This is the file + that <code class="literal">swat</code> will modify. + The information in this file includes server-specific + information such as what printcap file to use, as well as + descriptions of all the services that the server is to provide. + See <code class="filename">smb.conf</code> for more information. + </p></dd><dt><span class="term">-a</span></dt><dd><p>This option disables authentication and + places <code class="literal">swat</code> in demo mode. In that mode anyone will be able to modify + the <code class="filename">smb.conf</code> file. </p><p><span class="emphasis"><em>WARNING: Do NOT enable this option on a production + server. </em></span></p></dd><dt><span class="term">-P</span></dt><dd><p>This option restricts read-only users to the password + management page. <code class="literal">swat</code> can then be used to change + user passwords without users seeing the "View" and "Status" menu + buttons.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266720"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266795"></a><h2>INSTALLATION</h2><p>Swat is included as binary package with most distributions. The + package manager in this case takes care of the installation and + configuration. This section is only for those who have compiled + swat from scratch. + </p><p>After you compile SWAT you need to run <code class="literal">make install + </code> to install the <code class="literal">swat</code> binary + and the various help files and images. A default install would put + these in: </p><div class="itemizedlist"><ul type="disc"><li><p>/usr/local/samba/sbin/swat</p></li><li><p>/usr/local/samba/swat/images/*</p></li><li><p>/usr/local/samba/swat/help/*</p></li></ul></div><div class="refsect2" lang="en"><a name="id266840"></a><h3>Inetd Installation</h3><p>You need to edit your <code class="filename">/etc/inetd.conf + </code> and <code class="filename">/etc/services</code> + to enable SWAT to be launched via <code class="literal">inetd</code>.</p><p>In <code class="filename">/etc/services</code> you need to + add a line like this: </p><p><code class="literal">swat 901/tcp</code></p><p>Note for NIS/YP and LDAP users - you may need to rebuild the + NIS service maps rather than alter your local <code class="filename"> + /etc/services</code> file. </p><p>the choice of port number isn't really important + except that it should be less than 1024 and not currently + used (using a number above 1024 presents an obscure security + hole depending on the implementation details of your + <code class="literal">inetd</code> daemon). </p><p>In <code class="filename">/etc/inetd.conf</code> you should + add a line like this: </p><p><code class="literal">swat stream tcp nowait.400 root + /usr/local/samba/sbin/swat swat</code></p><p>Once you have edited <code class="filename">/etc/services</code> + and <code class="filename">/etc/inetd.conf</code> you need to send a + HUP signal to inetd. To do this use <code class="literal">kill -1 PID + </code> where PID is the process ID of the inetd daemon. </p></div></div><div class="refsect1" lang="en"><a name="id307898"></a><h2>LAUNCHING</h2><p>To launch SWAT just run your favorite web browser and + point it at "http://localhost:901/".</p><p>Note that you can attach to SWAT from any IP connected + machine but connecting from a remote machine leaves your + connection open to password sniffing as passwords will be sent + in the clear over the wire. </p></div><div class="refsect1" lang="en"><a name="id307914"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/inetd.conf</code></span></dt><dd><p>This file must contain suitable startup + information for the meta-daemon.</p></dd><dt><span class="term"><code class="filename">/etc/services</code></span></dt><dd><p>This file must contain a mapping of service name + (e.g., swat) to service port (e.g., 901) and protocol type + (e.g., tcp). </p></dd><dt><span class="term"><code class="filename">/usr/local/samba/lib/smb.conf</code></span></dt><dd><p>This is the default location of the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> server configuration file that swat edits. Other + common places that systems install this file are <code class="filename"> + /usr/samba/lib/smb.conf</code> and <code class="filename">/etc/smb.conf + </code>. This file describes all the services the server + is to make available to clients. </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id307992"></a><h2>WARNINGS</h2><p><code class="literal">swat</code> will rewrite your <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file. It will rearrange the entries and delete all + comments, <em class="parameter"><code>include=</code></em> and <em class="parameter"><code>copy= + </code></em> options. If you have a carefully crafted <code class="filename"> + smb.conf</code> then back it up or don't use swat! </p></div><div class="refsect1" lang="en"><a name="id308034"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308045"></a><h2>SEE ALSO</h2><p><code class="literal">inetd(5)</code>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a></p></div><div class="refsect1" lang="en"><a name="id308075"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/tdbbackup.8.html b/docs/htmldocs/manpages/tdbbackup.8.html new file mode 100644 index 0000000000..6364bdf997 --- /dev/null +++ b/docs/htmldocs/manpages/tdbbackup.8.html @@ -0,0 +1,36 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>tdbbackup</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="tdbbackup.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>tdbbackup — tool for backing up and for validating the integrity of samba .tdb files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">tdbbackup</code> [-s suffix] [-v] [-h]</p></div></div><div class="refsect1" lang="en"><a name="id267694"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.1.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(1)</span></a> suite.</p><p><code class="literal">tdbbackup</code> is a tool that may be used to backup samba .tdb + files. This tool may also be used to verify the integrity of the .tdb files prior + to samba startup or during normal operation. If it finds file damage and it finds + a prior backup the backup file will be restored. + </p></div><div class="refsect1" lang="en"><a name="id299213"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p> + Get help information. + </p></dd><dt><span class="term">-s suffix</span></dt><dd><p> + The <code class="literal">-s</code> option allows the adminisistrator to specify a file + backup extension. This way it is possible to keep a history of tdb backup + files by using a new suffix for each backup. + </p></dd><dt><span class="term">-v</span></dt><dd><p> + The <code class="literal">-v</code> will check the database for damages (currupt data) + which if detected causes the backup to be restored. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299270"></a><h2>COMMANDS</h2><p><span class="emphasis"><em>GENERAL INFORMATION</em></span></p><p> + The <code class="literal">tdbbackup</code> utility can safely be run at any time. It was designed so + that it can be used at any time to validate the integrity of tdb files, even during Samba + operation. Typical usage for the command will be: + </p><p>tdbbackup [-s suffix] *.tdb</p><p> + Before restarting samba the following command may be run to validate .tdb files: + </p><p>tdbbackup -v [-s suffix] *.tdb</p><p> + Samba .tdb files are stored in various locations, be sure to run backup all + .tdb file on the system. Important files includes: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <code class="literal">secrets.tdb</code> - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + </p></li><li><p> + <code class="literal">passdb.tdb</code> - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + </p></li><li><p> + <code class="literal">*.tdb</code> located in the /usr/local/samba/var directory or on some + systems in the /var/cache or /var/lib/samba directories. + </p></li></ul></div></div><div class="refsect1" lang="en"><a name="id266779"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id266788"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities were created by Andrew Tridgell. + Samba is now developed by the Samba Team as an Open Source project similar to the way + the Linux kernel is developed. + </p><p>The tdbbackup man page was written by John H Terpstra.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/tdbdump.8.html b/docs/htmldocs/manpages/tdbdump.8.html new file mode 100644 index 0000000000..9fd92dd9a1 --- /dev/null +++ b/docs/htmldocs/manpages/tdbdump.8.html @@ -0,0 +1,10 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>tdbdump</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="tdbdump.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>tdbdump — tool for printing the contents of a TDB file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">tdbdump</code> {filename}</p></div></div><div class="refsect1" lang="en"><a name="id267679"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.1.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(1)</span></a> suite.</p><p><code class="literal">tdbdump</code> is a very simple utility that 'dumps' the + contents of a TDB (Trivial DataBase) file to standard output in a + human-readable format. + </p><p>This tool can be used when debugging problems with TDB files. It is + intended for those who are somewhat familiar with Samba internals. + </p></div><div class="refsect1" lang="en"><a name="id299201"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id299212"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities were created by Andrew Tridgell. + Samba is now developed by the Samba Team as an Open Source project similar to the way + the Linux kernel is developed. + </p><p>The tdbdump man page was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/tdbtool.8.html b/docs/htmldocs/manpages/tdbtool.8.html new file mode 100644 index 0000000000..69f38adf91 --- /dev/null +++ b/docs/htmldocs/manpages/tdbtool.8.html @@ -0,0 +1,65 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>tdbtool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="tdbtool.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>tdbtool — manipulate the contents TDB files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">tdbtool</code></p></div><div class="cmdsynopsis"><p><code class="literal">tdbtool</code> + <em class="replaceable"><code>TDBFILE</code></em> + [ + <em class="replaceable"><code>COMMANDS</code></em> + ...]</p></div></div><div class="refsect1" lang="en"><a name="id267705"></a><h2>DESCRIPTION</h2><p>This tool is part of the + <a href="samba.1.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(1)</span></a> suite.</p><p><code class="literal">tdbtool</code> a tool for displaying and + altering the contents of Samba TDB (Trivial DataBase) files. Each + of the commands listed below can be entered interactively or + provided on the command line.</p></div><div class="refsect1" lang="en"><a name="id299222"></a><h2>COMMANDS</h2><div class="variablelist"><dl><dt><span class="term"><code class="option">create</code> + <em class="replaceable"><code>TDBFILE</code></em></span></dt><dd><p>Create a new database named + <em class="replaceable"><code>TDBFILE</code></em>. + </p></dd><dt><span class="term"><code class="option">open</code> + <em class="replaceable"><code>TDBFILE</code></em></span></dt><dd><p>Open an existing database named + <em class="replaceable"><code>TDBFILE</code></em>. + </p></dd><dt><span class="term"><code class="option">erase</code></span></dt><dd><p>Erase the current database. + </p></dd><dt><span class="term"><code class="option">dump</code></span></dt><dd><p>Dump the current database as strings. + </p></dd><dt><span class="term"><code class="option">cdump</code></span></dt><dd><p>Dump the current database as connection records. + </p></dd><dt><span class="term"><code class="option">keys</code></span></dt><dd><p>Dump the current database keys as strings. + </p></dd><dt><span class="term"><code class="option">hexkeys</code></span></dt><dd><p>Dump the current database keys as hex values. + </p></dd><dt><span class="term"><code class="option">info</code></span></dt><dd><p>Print summary information about the + current database. + </p></dd><dt><span class="term"><code class="option">insert</code> + <em class="replaceable"><code>KEY</code></em> + <em class="replaceable"><code>DATA</code></em> + </span></dt><dd><p>Insert a record into the + current database. + </p></dd><dt><span class="term"><code class="option">move</code> + <em class="replaceable"><code>KEY</code></em> + <em class="replaceable"><code>TDBFILE</code></em> + </span></dt><dd><p>Move a record from the + current database into <em class="replaceable"><code>TDBFILE</code></em>. + </p></dd><dt><span class="term"><code class="option">store</code> + <em class="replaceable"><code>KEY</code></em> + <em class="replaceable"><code>DATA</code></em> + </span></dt><dd><p>Store (replace) a record in the + current database. + </p></dd><dt><span class="term"><code class="option">show</code> + <em class="replaceable"><code>KEY</code></em> + </span></dt><dd><p>Show a record by key. + </p></dd><dt><span class="term"><code class="option">delete</code> + <em class="replaceable"><code>KEY</code></em> + </span></dt><dd><p>Delete a record by key. + </p></dd><dt><span class="term"><code class="option">list</code> + </span></dt><dd><p>Print the current database hash table and free list. + </p></dd><dt><span class="term"><code class="option">free</code> + </span></dt><dd><p>Print the current database and free list. + </p></dd><dt><span class="term"><code class="option">!</code> + <em class="replaceable"><code>COMMAND</code></em> + </span></dt><dd><p>Execute the given system command. + </p></dd><dt><span class="term"> + <code class="option">first</code> + </span></dt><dd><p>Print the first record in the current database. + </p></dd><dt><span class="term"> + <code class="option">next</code> + </span></dt><dd><p>Print the next record in the current database. + </p></dd><dt><span class="term"> + <code class="option">quit</code> + </span></dt><dd><p>Exit <code class="literal">tdbtool</code>. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266994"></a><h2>CAVEATS</h2><p>The contents of the Samba TDB files are private + to the implementation and should not be altered with + <code class="literal">tdbtool</code>. + </p></div><div class="refsect1" lang="en"><a name="id267010"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id267021"></a><h2>AUTHOR</h2><p> The original Samba software and related utilities were + created by Andrew Tridgell. Samba is now developed by the + Samba Team as an Open Source project similar to the way the + Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/testparm.1.html b/docs/htmldocs/manpages/testparm.1.html new file mode 100644 index 0000000000..ff42f34ffe --- /dev/null +++ b/docs/htmldocs/manpages/testparm.1.html @@ -0,0 +1,60 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>testparm</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="testparm.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>testparm — check an smb.conf configuration file for + internal correctness</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">testparm</code> [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]</p></div></div><div class="refsect1" lang="en"><a name="id299215"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">testparm</code> is a very simple test program + to check an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> configuration file for + internal correctness. If this program reports no problems, you + can use the configuration file with confidence that <code class="literal">smbd + </code> will successfully load the configuration file.</p><p>Note that this is <span class="emphasis"><em>NOT</em></span> a guarantee that + the services specified in the configuration file will be + available or will operate as expected. </p><p>If the optional host name and host IP address are + specified on the command line, this test program will run through + the service entries reporting whether the specified host + has access to each service. </p><p>If <code class="literal">testparm</code> finds an error in the <code class="filename"> + smb.conf</code> file it returns an exit code of 1 to the calling + program, else it returns an exit code of 0. This allows shell scripts + to test the output from <code class="literal">testparm</code>.</p></div><div class="refsect1" lang="en"><a name="id266726"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-s</span></dt><dd><p>Without this option, <code class="literal">testparm</code> + will prompt for a carriage return after printing the service + names and before dumping the service definitions.</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-L servername</span></dt><dd><p>Sets the value of the %L macro to <em class="replaceable"><code>servername</code></em>. + This is useful for testing include files specified with the + %L macro. </p></dd><dt><span class="term">-v</span></dt><dd><p>If this option is specified, testparm + will also output all options that were not used in <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> and are thus set to their defaults.</p></dd><dt><span class="term">-t encoding</span></dt><dd><p> + Output data in specified encoding. + </p></dd><dt><span class="term">--parameter-name parametername</span></dt><dd><p> + Dumps the named parameter. If no section-name is set the view + is limited by default to the global section. + + It is also possible to dump a parametrical option. Therfore + the option has to be separated by a colon from the + parametername. + </p></dd><dt><span class="term">--section-name sectionname</span></dt><dd><p> + Dumps the named section. + </p></dd><dt><span class="term">configfilename</span></dt><dd><p>This is the name of the configuration file + to check. If this parameter is not present then the + default <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file will be checked. + </p></dd><dt><span class="term">hostname</span></dt><dd><p>If this parameter and the following are + specified, then <code class="literal">testparm</code> will examine the <em class="parameter"><code>hosts + allow</code></em> and <em class="parameter"><code>hosts deny</code></em> + parameters in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file to + determine if the hostname with this IP address would be + allowed access to the <code class="literal">smbd</code> server. If + this parameter is supplied, the hostIP parameter must also + be supplied.</p></dd><dt><span class="term">hostIP</span></dt><dd><p>This is the IP address of the host specified + in the previous parameter. This address must be supplied + if the hostname parameter is supplied. </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266947"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a></span></dt><dd><p>This is usually the name of the configuration + file used by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266982"></a><h2>DIAGNOSTICS</h2><p>The program will issue a message saying whether the + configuration file loaded OK or not. This message may be preceded by + errors and warnings if the file did not load. If the file was + loaded OK, the program then dumps all known service details + to stdout. </p></div><div class="refsect1" lang="en"><a name="id266994"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id267005"></a><h2>SEE ALSO</h2><p><a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a></p></div><div class="refsect1" lang="en"><a name="id307889"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/umount.cifs.8.html b/docs/htmldocs/manpages/umount.cifs.8.html new file mode 100644 index 0000000000..fc61900300 --- /dev/null +++ b/docs/htmldocs/manpages/umount.cifs.8.html @@ -0,0 +1,35 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>umount.cifs</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="umount.cifs.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>umount.cifs — for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">umount.cifs</code> {mount-point} [-nVvhfle]</p></div></div><div class="refsect1" lang="en"><a name="id267688"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>umount.cifs unmounts a Linux CIFS filesystem. It can be invoked +indirectly by the +<a href="umount.8.html"><span class="citerefentry"><span class="refentrytitle">umount</span>(8)</span></a> command +when umount.cifs is in /sbin directory, unless you specify the "-i" option to umount. Specifying -i to umount avoids execution of umount helpers such as umount.cifs. The umount.cifs command only works in Linux, and the kernel must +support the cifs filesystem. The CIFS protocol is the successor to the +SMB protocol and is supported by most Windows servers and many other +commercial servers and Network Attached Storage appliances as well as +by the popular Open Source server Samba. + </p><p> + The umount.cifs utility detaches the local directory <span class="emphasis"><em>mount-point</em></span> from the corresponding UNC name (exported network resource) and frees the associated kernel resources. +It is possible to set the mode for umount.cifs to +setuid root (or equivalently update the /etc/permissions file) to allow non-root users to umount shares to directories for which they have write permission. The umount.cifs utility is typically +not needed if unmounts need only be performed by root users, or if user mounts and unmounts +can rely on specifying explicit entries in /etc/fstab See</p><p><a href="fstab.5.html"><span class="citerefentry"><span class="refentrytitle">fstab</span>(5)</span></a></p></div><div class="refsect1" lang="en"><a name="id299229"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">--verbose</span></dt><dd><p>print additional debugging information</p></dd><dt><span class="term">--no-mtab</span></dt><dd><p>Do not update the mtab even if unmount completes successfully (/proc/mounts will still display the correct information)</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299262"></a><h2>NOTES</h2><p>This command is normally intended to be installed setuid (since root users can already run unmount). An alternative to using umount.cifs is to add specfic entries for the user mounts that you wish a particular user or users to mount and unmount to /etc/fstab</p></div><div class="refsect1" lang="en"><a name="id299275"></a><h2>CONFIGURATION</h2><p> +The primary mechanism for making configuration changes and for reading +debug information for the cifs vfs is via the Linux /proc filesystem. +In the directory <code class="filename">/proc/fs/cifs</code> are various +configuration files and pseudo files which can display debug information. +For more information see the kernel file <code class="filename">fs/cifs/README</code>. +</p></div><div class="refsect1" lang="en"><a name="id266734"></a><h2>BUGS</h2><p>At this time umount.cifs does not lock the mount table using the same lock as the umount utility does, so do not attempt to do multiple unmounts from different processes (and in particular unmounts of a cifs mount and another type of filesystem mount at the same time). + </p><p>If the same mount point is mounted multiple times by cifs, umount.cifs will remove all of the matching entries from the mount table (although umount.cifs will actually only unmount the last one), rather than only removing the last matching entry in /etc/mtab. The pseudofile /proc/mounts will display correct information though, and the lack of an entry in /etc/mtab does not prevent subsequent unmounts.</p><p> +Note that the typical response to a bug report is a suggestion +to try the latest version first. So please try doing that first, +and always include which versions you use of relevant software +when reporting bugs (minimum: umount.cifs (try umount.cifs -V), kernel (see /proc/version) and +server type you are trying to contact. +</p></div><div class="refsect1" lang="en"><a name="id266759"></a><h2>VERSION</h2><p>This man page is correct for version 1.34 of + the cifs vfs filesystem (roughly Linux kernel 2.6.12).</p></div><div class="refsect1" lang="en"><a name="id266770"></a><h2>SEE ALSO</h2><p> + Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel + source tree may contain additional options and information. +</p><p><a href="mount.cifs.8.html"><span class="citerefentry"><span class="refentrytitle">mount.cifs</span>(8)</span></a></p></div><div class="refsect1" lang="en"><a name="id266790"></a><h2>AUTHOR</h2><p>Steve French</p><p>The syntax was loosely based on the umount utility and the manpage was loosely based on that of mount.cifs.8. The man page was created by Steve French</p><p>The maintainer of the Linux cifs vfs and the userspace + tool <span class="emphasis"><em>umount.cifs</em></span> is <a href="mailto:sfrench@samba.org" target="_top">Steve French</a>. + The <a href="mailto:linux-cifs-client@lists.samba.org" target="_top">Linux CIFS Mailing list</a> + is the preferred place to ask questions regarding these programs. + </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_audit.8.html b/docs/htmldocs/manpages/vfs_audit.8.html new file mode 100644 index 0000000000..3a7922853e --- /dev/null +++ b/docs/htmldocs/manpages/vfs_audit.8.html @@ -0,0 +1,19 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_audit</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_audit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_audit — record selected Samba VFS operations in the system log</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = audit</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_audit</code> VFS module records selected + client operations to the system log using + <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a>.</p><p>The following Samba VFS operations are recorded:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>connect</td></tr><tr><td>disconnect</td></tr><tr><td>opendir</td></tr><tr><td>mkdir</td></tr><tr><td>rmdir</td></tr><tr><td>open</td></tr><tr><td>close</td></tr><tr><td>rename</td></tr><tr><td>unlink</td></tr><tr><td>chmod</td></tr><tr><td>fchmod</td></tr><tr><td>chmod_acl</td></tr><tr><td>fchmod_acl</td></tr></table><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299254"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">audit:facility = FACILITY</span></dt><dd><p>Log messages to the named + <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a> facility. + + </p></dd><dt><span class="term">audit:priority = PRIORITY</span></dt><dd><p>Log messages with the named + <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a> priority. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266742"></a><h2>EXAMPLES</h2><p>Log operations on all shares using the LOCAL1 facility + and NOTICE priority:</p><pre class="programlisting"> + <em class="parameter"><code>[global]</code></em> + <a class="indexterm" name="id266761"></a>vfs objects = audit + <a class="indexterm" name="id266768"></a>audit:facility = LOCAL1 + <a class="indexterm" name="id266776"></a>audit:priority = NOTICE +</pre></div><div class="refsect1" lang="en"><a name="id266785"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266796"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_cacheprime.8.html b/docs/htmldocs/manpages/vfs_cacheprime.8.html new file mode 100644 index 0000000000..73b4fb2f7a --- /dev/null +++ b/docs/htmldocs/manpages/vfs_cacheprime.8.html @@ -0,0 +1,26 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_cacheprime</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_cacheprime.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_cacheprime — prime the kernel file data cache</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = cacheprime</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_cacheprime</code> VFS module reads chunks + of file data near the range requested by clients in order to + make sure the data is present in the kernel file data cache at + the time when it is actually requested by clients. </p><p>The size of the disk read operations performed + by <code class="literal">vfs_cacheprime</code> is determined by the + cacheprime:rsize option. All disk read operations are aligned + on boundaries that are a multiple of this size. Each range of + the file data is primed at most once during the time the client + has the file open. </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299206"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">cacheprime:rsize = BYTES</span></dt><dd><p>The number of bytes with which to prime + the kernel data cache.</p><p>The following suffixes may be applied to BYTES:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">K</code> - BYTES is a number of kilobytes</p></li><li><p><code class="literal">M</code> - BYTES is a number of megabytes</p></li><li><p><code class="literal">G</code> - BYTES is a number of gigabytes</p></li></ul></div></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299262"></a><h2>EXAMPLES</h2><p>For a hypothetical disk array, it is necessary to ensure + that all read operations are of size 1 megabyte (1048576 bytes), + and aligned on 1 megabyte boundaries: + </p><pre class="programlisting"> + <em class="parameter"><code>[hypothetical]</code></em> + <a class="indexterm" name="id266718"></a>vfs objects = cacheprime + <a class="indexterm" name="id266725"></a>cacheprime:rsize = 1M +</pre></div><div class="refsect1" lang="en"><a name="id266734"></a><h2>CAVEATS</h2><p><code class="literal">cacheprime</code> is not a a substitute for + a general-purpose readahead mechanism. It is intended for use + only in very specific environments where disk operations must + be aligned and sized to known values (as much as that is possible). + </p></div><div class="refsect1" lang="en"><a name="id266751"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266761"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_cap.8.html b/docs/htmldocs/manpages/vfs_cap.8.html new file mode 100644 index 0000000000..4c6cf7c6c8 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_cap.8.html @@ -0,0 +1,17 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_cap</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_cap.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_cap — CAP encode filenames</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = cap</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>CAP (Columbia Appletalk Protocol) encoding is a + technique for representing non-ASCII filenames in ASCII. The + <code class="literal">vfs_cap</code> VFS module translates filenames to and + from CAP format, allowing users to name files in their native + encoding. </p><p>CAP encoding is most commonly + used in Japanese language environments. </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299198"></a><h2>EXAMPLES</h2><p>On a system using GNU libiconv, use CAP encoding to support + users in the Shift_JIS locale:</p><pre class="programlisting"> + <em class="parameter"><code>[global]</code></em> + <a class="indexterm" name="id299217"></a>dos charset = CP932 + <a class="indexterm" name="id299224"></a>dos charset = CP932 + <a class="indexterm" name="id299232"></a>vfs objects = cap +</pre></div><div class="refsect1" lang="en"><a name="id299241"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id299251"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_catia.8.html b/docs/htmldocs/manpages/vfs_catia.8.html new file mode 100644 index 0000000000..eb83c79511 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_catia.8.html @@ -0,0 +1,14 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_catia</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_catia.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_catia — translate illegal characters in Catia filenames</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = catia</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The Catia CAD package commonly creates filenames that + use characters that are illegal in CIFS filenames. The + <code class="literal">vfs_catia</code> VFS module implements a fixed character + mapping so that these files can be shared with CIFS clients. + </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id267704"></a><h2>EXAMPLES</h2><p>Map Catia filenames on the [CAD] share:</p><pre class="programlisting"> + <em class="parameter"><code>[CAD]</code></em> + <a class="indexterm" name="id299213"></a>path = /data/cad + <a class="indexterm" name="id299220"></a>vfs objects = catia +</pre></div><div class="refsect1" lang="en"><a name="id299229"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id299240"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_commit.8.html b/docs/htmldocs/manpages/vfs_commit.8.html new file mode 100644 index 0000000000..203f420122 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_commit.8.html @@ -0,0 +1,24 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_commit</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_commit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_commit — flush dirty data at specified intervals</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = commit</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_commit</code> VFS module keeps track of + the amount of data written to a file and synchronizes it to + disk when a specified amount accumulates. + </p><p><code class="literal">vfs_commit</code> is useful in two + circumstances. First, if you have very precious data, the + impact of unexpected power loss can be minimized by a small + commit:dthresh value. Secondly, write performance can be + improved on some systems by flushing file data early and at + regular intervals.</p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299204"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">commit:dthresh = BYTES</span></dt><dd><p>Synchronize file data each time the specified + number of bytes has been written. + </p><p>The following suffixes may be applied to BYTES:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">K</code> - BYTES is a number of kilobytes</p></li><li><p><code class="literal">M</code> - BYTES is a number of megabytes</p></li><li><p><code class="literal">G</code> - BYTES is a number of gigabytes</p></li></ul></div></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299260"></a><h2>EXAMPLES</h2><p>Synchronize the file data on the [precious] share after + every 512 kilobytes (524288 bytes) of data is written:</p><pre class="programlisting"> + <em class="parameter"><code>[precious]</code></em> + <a class="indexterm" name="id266714"></a>path = /data/precious + <a class="indexterm" name="id266722"></a>vfs objects = commit + <a class="indexterm" name="id266729"></a>commit:dthresh = 512K +</pre></div><div class="refsect1" lang="en"><a name="id266738"></a><h2>CAVEATS</h2><p>On some systems, the data synchronization performed by + <code class="literal">commit</code> may reduce performance. + </p></div><div class="refsect1" lang="en"><a name="id266754"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266765"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_default_quota.8.html b/docs/htmldocs/manpages/vfs_default_quota.8.html new file mode 100644 index 0000000000..d0560dbf37 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_default_quota.8.html @@ -0,0 +1,35 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_default_quota</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_default_quota.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_default_quota — store default quota records for Windows clients</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = default_quota</code></p></div></div><div class="refsect1" lang="en"><a name="id267671"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> + suite.</p><p>Many common quota implementations only store + quotas for users and groups, but do not store a default quota. The + <code class="literal">vfs_default_quota</code> module allows Samba to store + default quota values which can be examined using the Windows + Explorer interface. + </p><p>By default, Samba returns NO_LIMIT the default quota and + refuses to update them. <code class="literal">vfs_default_quota</code> maps + the default quota to the quota record of a user. By default the + root user is taken because quota limits for root are typically + not enforced.</p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299204"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">default_quota:uid = UID</span></dt><dd><p>UID specifies the user ID of the quota record where the + default user quota values are stored. + </p></dd><dt><span class="term">default_quota:gid = GID</span></dt><dd><p>GID specifies the group ID of the quota record where the + default group quota values are stored. + </p></dd><dt><span class="term">default_quota:uid nolimit = BOOL</span></dt><dd><p>If this parameter is True, then the user whose + quota record is storing the default user quota will + be reported as having a quota of NO_LIMIT. Otherwise, + the stored values will be reported. + </p></dd><dt><span class="term">default_quota:gid nolimit = BOOL</span></dt><dd><p>If this parameter is True, then the group whose + quota record is storing the default group quota will + be reported as having a quota of NO_LIMIT. Otherwise, + the stored values will be reported. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299271"></a><h2>EXAMPLES</h2><p>Store the default quota record in the quota record for + the user with ID 65535 and report that user as having no quota + limits:</p><pre class="programlisting"> + <em class="parameter"><code>[global]</code></em> + <a class="indexterm" name="id266726"></a>vfs objects = default_quota + <a class="indexterm" name="id266733"></a>default_quota:uid = 65535 + <a class="indexterm" name="id266740"></a>default_quota:uid nolimit = yes +</pre></div><div class="refsect1" lang="en"><a name="id266750"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266760"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_extd_audit.8.html b/docs/htmldocs/manpages/vfs_extd_audit.8.html new file mode 100644 index 0000000000..9cd78a2e32 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_extd_audit.8.html @@ -0,0 +1,14 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_extd_audit</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_extd_audit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_extd_audit — record selected Samba VFS operations</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = extd_audit</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">extd_audit</code> VFS module records selected + client operations to both the + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log and + system log (using + <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a>).</p><p>Other than logging to the + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log, + <code class="literal">vfs_extd_audit</code> is identical to + <a href="vfs_audit.8.html"><span class="citerefentry"><span class="refentrytitle">vfs_audit</span>(8)</span></a>. + </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299233"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id299243"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_fake_perms.8.html b/docs/htmldocs/manpages/vfs_fake_perms.8.html new file mode 100644 index 0000000000..86d1c74129 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_fake_perms.8.html @@ -0,0 +1,17 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_fake_perms</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_fake_perms.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_fake_perms — enable read only Roaming Profiles</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = fake_perms</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_fake_perms</code> VFS module was created + to allow Roaming Profile files and directories to be set (on + the Samba server under UNIX) as read only. This module will, + if installed on the Profiles share, report to the client that + the Profile files and directories are writeable. This satisfies + the client even though the files will never be overwritten as + the client logs out or shuts down. + </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id267706"></a><h2>EXAMPLES</h2><pre class="programlisting"> + <em class="parameter"><code>[Profiles]</code></em> + <a class="indexterm" name="id299211"></a>path = /profiles + <a class="indexterm" name="id299218"></a>vfs objects = fake_perms +</pre></div><div class="refsect1" lang="en"><a name="id299228"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id299238"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_full_audit.8.html b/docs/htmldocs/manpages/vfs_full_audit.8.html new file mode 100644 index 0000000000..e49baf70ac --- /dev/null +++ b/docs/htmldocs/manpages/vfs_full_audit.8.html @@ -0,0 +1,42 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_full_audit</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_full_audit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_full_audit — record Samba VFS operations in the system log</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = full_audit</code></p></div></div><div class="refsect1" lang="en"><a name="id267671"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_full_audit</code> VFS module records selected + client operations to the system log using + <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a>.</p><p><code class="literal">vfs_full_audit</code> is able to record the + complete set of Samba VFS operations:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>aio_cancel</td></tr><tr><td>aio_error</td></tr><tr><td>aio_fsync</td></tr><tr><td>aio_read</td></tr><tr><td>aio_return</td></tr><tr><td>aio_suspend</td></tr><tr><td>aio_write</td></tr><tr><td>chdir</td></tr><tr><td>chflags</td></tr><tr><td>chmod</td></tr><tr><td>chmod_acl</td></tr><tr><td>chown</td></tr><tr><td>close</td></tr><tr><td>closedir</td></tr><tr><td>connect</td></tr><tr><td>disconnect</td></tr><tr><td>disk_free</td></tr><tr><td>fchmod</td></tr><tr><td>fchmod_acl</td></tr><tr><td>fchown</td></tr><tr><td>fget_nt_acl</td></tr><tr><td>fgetxattr</td></tr><tr><td>flistxattr</td></tr><tr><td>fremovexattr</td></tr><tr><td>fset_nt_acl</td></tr><tr><td>fsetxattr</td></tr><tr><td>fstat</td></tr><tr><td>fsync</td></tr><tr><td>ftruncate</td></tr><tr><td>get_nt_acl</td></tr><tr><td>get_quota</td></tr><tr><td>get_shadow_copy_data</td></tr><tr><td>getlock</td></tr><tr><td>getwd</td></tr><tr><td>getxattr</td></tr><tr><td>kernel_flock</td></tr><tr><td>lgetxattr</td></tr><tr><td>link</td></tr><tr><td>linux_setlease</td></tr><tr><td>listxattr</td></tr><tr><td>llistxattr</td></tr><tr><td>lock</td></tr><tr><td>lremovexattr</td></tr><tr><td>lseek</td></tr><tr><td>lsetxattr</td></tr><tr><td>lstat</td></tr><tr><td>mkdir</td></tr><tr><td>mknod</td></tr><tr><td>open</td></tr><tr><td>opendir</td></tr><tr><td>pread</td></tr><tr><td>pwrite</td></tr><tr><td>read</td></tr><tr><td>readdir</td></tr><tr><td>readlink</td></tr><tr><td>realpath</td></tr><tr><td>removexattr</td></tr><tr><td>rename</td></tr><tr><td>rewinddir</td></tr><tr><td>rmdir</td></tr><tr><td>seekdir</td></tr><tr><td>sendfile</td></tr><tr><td>set_nt_acl</td></tr><tr><td>set_quota</td></tr><tr><td>setxattr</td></tr><tr><td>stat</td></tr><tr><td>statvfs</td></tr><tr><td>symlink</td></tr><tr><td>sys_acl_add_perm</td></tr><tr><td>sys_acl_clear_perms</td></tr><tr><td>sys_acl_create_entry</td></tr><tr><td>sys_acl_delete_def_file</td></tr><tr><td>sys_acl_free_acl</td></tr><tr><td>sys_acl_free_qualifier</td></tr><tr><td>sys_acl_free_text</td></tr><tr><td>sys_acl_get_entry</td></tr><tr><td>sys_acl_get_fd</td></tr><tr><td>sys_acl_get_file</td></tr><tr><td>sys_acl_get_perm</td></tr><tr><td>sys_acl_get_permset</td></tr><tr><td>sys_acl_get_qualifier</td></tr><tr><td>sys_acl_get_tag_type</td></tr><tr><td>sys_acl_init</td></tr><tr><td>sys_acl_set_fd</td></tr><tr><td>sys_acl_set_file</td></tr><tr><td>sys_acl_set_permset</td></tr><tr><td>sys_acl_set_qualifier</td></tr><tr><td>sys_acl_set_tag_type</td></tr><tr><td>sys_acl_to_text</td></tr><tr><td>sys_acl_valid</td></tr><tr><td>telldir</td></tr><tr><td>unlink</td></tr><tr><td>utime</td></tr><tr><td>write</td></tr></table><p>In addition to these operations, + <code class="literal">vfs_full_audit</code> recognizes the special operation + names "all" and "none ", which refer to all + the VFS operations and none of the VFS operations respectively. + </p><p><code class="literal">vfs_full_audit</code> records operations in fixed + format consisting of fields separated by '|' characters. The + format is: </p><pre class="programlisting"> + smbd_audit: PREFIX|OPERATION|RESULT|FILE + </pre><p>The record fields are:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">PREFIX</code> - the result of the full_audit:prefix string after variable substitutions</p></li><li><p><code class="literal">OPERATION</code> - the name of the VFS operation</p></li><li><p><code class="literal">RESULT</code> - whether the operation succeeded or failed</p></li><li><p><code class="literal">FILE</code> - the name of the file or directory the operation was performed on</p></li></ul></div><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id307921"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">vfs_full_audit:prefix = STRING</span></dt><dd><p>Prepend audit messages with STRING. STRING is + processed for standard substitution variables listed in + <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>. The default + prefix is "%u|%I". </p></dd><dt><span class="term">vfs_full_audit:success = LIST</span></dt><dd><p>LIST is a list of VFS operations that should be + recorded if they succeed. Operations are specified using + the names listed above. + </p></dd><dt><span class="term">vfs_full_audit:failure = LIST</span></dt><dd><p>LIST is a list of VFS operations that should be + recorded if they failed. Operations are specified using + the names listed above. + </p></dd><dt><span class="term">full_audit:facility = FACILITY</span></dt><dd><p>Log messages to the named + <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a> facility. + + </p></dd><dt><span class="term">full_audit:priority = PRIORITY</span></dt><dd><p>Log messages with the named + <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a> priority. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308026"></a><h2>EXAMPLES</h2><p>Log file and directory open operations on the [records] + share using the LOCAL7 facility and ALERT priority, including + the username and IP address:</p><pre class="programlisting"> + <em class="parameter"><code>[records]</code></em> + <a class="indexterm" name="id308046"></a>path = /data/records + <a class="indexterm" name="id308053"></a>vfs objects = full_audit + <a class="indexterm" name="id308060"></a>full_audit:prefix = %u|%I + <a class="indexterm" name="id308068"></a>full_audit:success = open opendir + <a class="indexterm" name="id308075"></a>full_audit:failure = all + <a class="indexterm" name="id308082"></a>full_audit:facility = LOCAL7 + <a class="indexterm" name="id308089"></a>full_audit:priority = ALERT +</pre></div><div class="refsect1" lang="en"><a name="id308098"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id308109"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_gpfs.8.html b/docs/htmldocs/manpages/vfs_gpfs.8.html new file mode 100644 index 0000000000..27aba67d74 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_gpfs.8.html @@ -0,0 +1,37 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_gpfs</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_gpfs.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_gpfs — gpfs specific samba extensions like acls and prealloc</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = gpfs</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">gpfs</code> VFS module is the home + for all gpfs extensions that Samba requires for proper integration + with GPFS. It uses the GPL library interfaces provided by GPFS. + </p><p>Currently the gpfs vfs module provides extensions in following areas : + </p><div class="itemizedlist"><ul type="disc"><li><p>NFSv4 ACL Interfaces with configurable options for GPFS</p></li><li><p>Kernel oplock support on GPFS</p></li><li><p>Lease support on GPFS</p></li></ul></div><p> + </p><p><code class="literal">NOTE:</code>This module follows the posix-acl behaviour + and hence allows permission stealing via chown. Samba might allow at a later + point in time, to restrict the chown via this module as such restrictions + are the responsibility of the underlying filesystem than of Samba. + </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299224"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">nfs4:mode = [ simple | special ]</span></dt><dd><p> + Enable/Disable substitution of special IDs on GPFS. This parameter + should not affect the windows users in anyway. It only ensures that Samba + sets the special IDs - OWNER@ and GROUP@ ( mappings to simple uids ) + that are relevant to GPFS. + </p><p>The following MODEs are understood by the module:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">simple(default)</code> - do not use special IDs in GPFS ACEs</p></li><li><p><code class="literal">special</code> - use special IDs in GPFS ACEs. </p></li></ul></div></dd><dt><span class="term">nfs4:acedup = [dontcare|reject|ignore|merge]</span></dt><dd><p> + This parameter configures how Samba handles duplicate ACEs encountered in GPFS ACLs. + GPFS allows/creates duplicate ACE for different bits for same ID. + </p><p>Following is the behaviour of Samba for different values :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">dontcare (default)</code> - copy the ACEs as they come</p></li><li><p><code class="literal">reject</code> - stop operation and exit with error on ACL set op</p></li><li><p><code class="literal">ignore</code> - don't include the second matching ACE</p></li><li><p><code class="literal">merge</code> - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE</p></li></ul></div></dd><dt><span class="term">nfs4:chown = [yes|no]</span></dt><dd><p>This parameter allows enabling or disabling the chown supported + by the underlying filesystem. This parameter should be enabled with + care as it might leave your system insecure.</p><p>Some filesystems allow chown as a) giving b) stealing. It is the latter + that is considered a risk.</p><p>Following is the behaviour of Samba for different values : </p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">yes</code> - Enable chown if as supported by the under filesystem</p></li><li><p><code class="literal">no (default)</code> - Disable chown</p></li></ul></div></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266814"></a><h2>EXAMPLES</h2><p>A GPFS mount can be exported via Samba as follows :</p><pre class="programlisting"> + <em class="parameter"><code>[samba_gpfs_share]</code></em> + <a class="indexterm" name="id266834"></a>vfs objects = gpfs + <a class="indexterm" name="id266841"></a>path = /test/gpfs_mount + <a class="indexterm" name="id266848"></a>nfs4: mode = special + <a class="indexterm" name="id266877"></a>nfs4: acedup = merge +</pre></div><div class="refsect1" lang="en"><a name="id266886"></a><h2>CAVEATS</h2><p>The gpfs gpl libraries are required by <code class="literal">gpfs</code> VFS + module during both compilation and runtime. + Also this VFS module is tested to work on SLES 9/10 and RHEL 4.4 + </p></div><div class="refsect1" lang="en"><a name="id266903"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266914"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The GPFS VFS module was created with contributions from + Volker Lendecke and the developers at IBM. + </p><p> This manpage was created by the IBM FSCC team </p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_netatalk.8.html b/docs/htmldocs/manpages/vfs_netatalk.8.html new file mode 100644 index 0000000000..99bfec138c --- /dev/null +++ b/docs/htmldocs/manpages/vfs_netatalk.8.html @@ -0,0 +1,15 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_netatalk</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_netatalk.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_netatalk — hide .AppleDouble files from CIFS clients</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = netatalk</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_netatalk</code> VFS module dynamically + hides .AppleDouble files, preventing spurious errors on some + CIFS clients. .AppleDouble files may be created by historic + implementations of AFP (Apple Filing Protocol) on servers. </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id267704"></a><h2>EXAMPLES</h2><p>Hide .AppleDouble files on the [data] share:</p><pre class="programlisting"> + <em class="parameter"><code>[data]</code></em> + <a class="indexterm" name="id299213"></a>vfs objects = netatalk +</pre></div><div class="refsect1" lang="en"><a name="id299222"></a><h2>CAVEATS</h2><p>This module is largely historic and unlikely to be of use + in modern networks since current Apple systems are able to mount CIFS + shares natively. + </p></div><div class="refsect1" lang="en"><a name="id299233"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id299244"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_notify_fam.8.html b/docs/htmldocs/manpages/vfs_notify_fam.8.html new file mode 100644 index 0000000000..67ee47ea70 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_notify_fam.8.html @@ -0,0 +1,12 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_notify_fam</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_notify_fam.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_notify_fam — FAM support for file change notifications</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = notify_fam</code></p></div></div><div class="refsect1" lang="en"><a name="id267671"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_notify_fam</code> module makes use of + the system FAM (File Alteration Monitor) daemon to implement + file change notifications for Windows clients. FAM is generally + present only on IRIX and some BSD systems.</p><p>This module is not stackable.</p></div><div class="refsect1" lang="en"><a name="id267703"></a><h2>EXAMPLES</h2><p>Support FAM notifications globally:</p><pre class="programlisting"> + <em class="parameter"><code>[global]</code></em> + <a class="indexterm" name="id299212"></a>vfs objects = notify_fam +</pre></div><div class="refsect1" lang="en"><a name="id299222"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id299232"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_prealloc.8.html b/docs/htmldocs/manpages/vfs_prealloc.8.html new file mode 100644 index 0000000000..fde6653a66 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_prealloc.8.html @@ -0,0 +1,22 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_prealloc</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_prealloc.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_prealloc — preallocate matching files to a predetermined size</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = prealloc</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_prealloc</code> VFS module preallocates + files to a specified size each time a new file is created. This + is useful in environments where files are of a predetermined + size will be written to a disk subsystem where extending file + allocations is expensive. </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id267704"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">prealloc:EXT = BYTES</span></dt><dd><p>Preallocate all files with the extension EXT to + the size specified by BYTES. + </p><p>The following suffixes may be applied to BYTES:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">K</code> - BYTES is a number of kilobytes</p></li><li><p><code class="literal">M</code> - BYTES is a number of megabytes</p></li><li><p><code class="literal">G</code> - BYTES is a number of gigabytes</p></li></ul></div></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299251"></a><h2>EXAMPLES</h2><p>A process writes TIFF files to a Samba share, and the + is known these files will almost always be around 4 megabytes + (4194304 bytes): </p><pre class="programlisting"> + <em class="parameter"><code>[frames]</code></em> + <a class="indexterm" name="id299271"></a>path = /data/frames + <a class="indexterm" name="id266713"></a>vfs objects = prealloc + <a class="indexterm" name="id266721"></a>prealloc:tiff = 4M +</pre></div><div class="refsect1" lang="en"><a name="id266730"></a><h2>CAVEATS</h2><p><code class="literal">vfs_prealloc</code> is not supported on all + platforms and filesystems. Currently only XFS filesystems on + Linux and IRIX are supported. + </p></div><div class="refsect1" lang="en"><a name="id266745"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266755"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_readahead.8.html b/docs/htmldocs/manpages/vfs_readahead.8.html new file mode 100644 index 0000000000..bb61e8ad07 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_readahead.8.html @@ -0,0 +1,25 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_readahead</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_readahead.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_readahead — pre-load the kernel buffer cache</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = readahead</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>This <code class="literal">vfs_readahead</code> VFS module detects + read requests at multiples of a given offset (hex 0x80000 by + default) and then tells the kernel via either the readahead + system call (on Linux) or the posix_fadvise system call to + pre-fetch this data into the buffer cache.</p><p>This module is useful for Windows Vista clients reading + data using the Windows Explorer program, which asynchronously + does multiple file read requests at offset boundaries of 0x80000 + bytes.</p><p>The offset multiple used is given by the readahead:offset + option, which defaults to 0x80000.</p><p>The size of the disk read operations performed + by <code class="literal">vfs_readahead</code> is determined by the + readahead:length option. By default this is set to the + same value as the readahead:offset option and if not + set explicitly will use the current value of + readahead:offset.</p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299214"></a><h2>OPTIONS</h2><div class="variablelist"><p>The following suffixes may be applied to BYTES:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">K</code> - BYTES is a number of kilobytes</p></li><li><p><code class="literal">M</code> - BYTES is a number of megabytes</p></li><li><p><code class="literal">G</code> - BYTES is a number of gigabytes</p></li></ul></div><dl><dt><span class="term">readahead:offset = BYTES</span></dt><dd><p>The offset multiple that causes readahead to be + requested of the kernel buffer cache.</p></dd><dt><span class="term">readahead:length = BYTES</span></dt><dd><p>The number of bytes requested to be + read into the kernel buffer cache on each + readahead call.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266720"></a><h2>EXAMPLES</h2><pre class="programlisting"> + <em class="parameter"><code>[hypothetical]</code></em> + <a class="indexterm" name="id266736"></a>vfs objects = readahead +</pre></div><div class="refsect1" lang="en"><a name="id266745"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266755"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_readonly.8.html b/docs/htmldocs/manpages/vfs_readonly.8.html new file mode 100644 index 0000000000..7f8ed6b3db --- /dev/null +++ b/docs/htmldocs/manpages/vfs_readonly.8.html @@ -0,0 +1,24 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_readonly</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_readonly.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_readonly — make a Samba share read only for a specified time period</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = readonly</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_readonly</code> VFS module marks a share + as read only for all clients connecting within the configured + time period. Clients connecting during this time will be denied + write access to all files in the share, irrespective of ther + actual access privileges.</p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id267704"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">readonly:period = BEGIN, END</span></dt><dd><p>Only mark the share as read only if the client + connection was made between the times marked by the + BEGIN and END date specifiers. + The syntax of these date specifiers is the + same as that accepted by the -d option of GNU + <a href="date.1.html"><span class="citerefentry"><span class="refentrytitle">date</span>(1)</span></a>. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id299226"></a><h2>EXAMPLES</h2><p>Mark all shares read only:</p><pre class="programlisting"> + <em class="parameter"><code>[global]</code></em> + <a class="indexterm" name="id299245"></a>vfs objects = readonly +</pre><p>Mark the [backup] share as read only during business hours:</p><pre class="programlisting"> + <em class="parameter"><code>[backup]</code></em> + <a class="indexterm" name="id299268"></a>path = /readonly + <a class="indexterm" name="id299275"></a>vfs objects = readonly + <a class="indexterm" name="id266717"></a>readonly:period = readonly:period = "today 9:00","today 17:00" +</pre></div><div class="refsect1" lang="en"><a name="id266726"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266736"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_recycle.8.html b/docs/htmldocs/manpages/vfs_recycle.8.html new file mode 100644 index 0000000000..4d3901b43a --- /dev/null +++ b/docs/htmldocs/manpages/vfs_recycle.8.html @@ -0,0 +1,60 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_recycle</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_recycle.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_recycle — Samba VFS recycle bin</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = recycle</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_recycle</code> intercepts file deletion + requests and moves the affected files to a temporary repository + rather than deleting them immediately. This gives the same effect + as the Recycle Bin on Windows computers. </p><p>The Recycle Bin will not appear in Windows Explorer + views of the network file system (share) nor on any mapped + drive. Instead, a directory called .recycle will be automatically + created when the first file is deleted and recycle:repository is + not configured. If recycle:repository is configured, the name + of the created directory depends on recycle:repository. Users + can recover files from the recycle bin. If the recycle:keeptree + option has been specified, deleted files will be found in a path + identical with that from which the file was deleted. </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id299202"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">recycle:repository = PATH</span></dt><dd><p>Path of the directory where deleted files should be moved. + </p><p>If this option is not set, the default path .recycle + is used. </p></dd><dt><span class="term">recycle:directory_mode = MODE</span></dt><dd><p>Set MODE to the octal mode the recycle repository + should be created with. The recycle repository will be + created when first file is deleted. If recycle:subdir_mode + is not set, MODE also applies to subdirectories. + </p><p>If this option is not set, the default mode + 0700 is used. </p></dd><dt><span class="term">recycle:subdir_mode = MODE</span></dt><dd><p>Set MODE to the octal mode with which + sub directories of the recycle repository should be created. + </p><p>If this option is not set, subdirectories + will be created with the mode from recycle:directory_mode. + </p></dd><dt><span class="term">recycle:keeptree = BOOL</span></dt><dd><p>Specifies whether the directory structure should + be preserved or whether the files in a directory that is being + deleted should be kept separately in the repository. + </p></dd><dt><span class="term">recycle:versions = BOOL</span></dt><dd><p>If this option is True, two files with the same + name that are deleted will both be kept in the repository. + Newer deleted versions of a file will be called + "Copy #x of filename". + </p></dd><dt><span class="term">recycle:touch = BOOL</span></dt><dd><p>Specifies whether a file's access date should be + updated when the file is moved to the repository. + </p></dd><dt><span class="term">recycle:touch_mtime = BOOL</span></dt><dd><p>Specifies whether a file's last modified date should be + updated when the file is moved to the repository. + </p></dd><dt><span class="term">recycle:minsize = BYTES</span></dt><dd><p>Files that are smaller than the number of bytes + specified by this parameter will not be put into the + repository. + </p></dd><dt><span class="term">recycle:maxsize = BYTES</span></dt><dd><p>Files that are larger than the number of bytes + specified by this parameter will not be put into the + repository. + </p></dd><dt><span class="term">recycle:exclude = LIST</span></dt><dd><p>List of files that should not be put into the + repository when deleted, but deleted in the normal way. + Wildcards such as * and ? are supported. + </p></dd><dt><span class="term">recycle:exclude_dir = LIST</span></dt><dd><p>List of directories whose files should not be put + into the repository when deleted, but deleted in the + normal way. Wildcards such as * and ? are supported. + </p></dd><dt><span class="term">recycle:noversions = LIST</span></dt><dd><p>Specifies a list of paths (wildcards such as * + and ? are supported) for which no versioning should + be used. Only useful when recycle:versions is enabled. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266831"></a><h2>EXAMPLES</h2><p>Log operations on all shares using the LOCAL1 facility + and NOTICE priority:</p><pre class="programlisting"> + <em class="parameter"><code>[global]</code></em> + <a class="indexterm" name="id266850"></a>vfs objects = recycle + <a class="indexterm" name="id266880"></a>recycle:facility = LOCAL1 + <a class="indexterm" name="id266887"></a>recycle:priority = NOTICE +</pre></div><div class="refsect1" lang="en"><a name="id266896"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266907"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfs_shadow_copy.8.html b/docs/htmldocs/manpages/vfs_shadow_copy.8.html new file mode 100644 index 0000000000..463787db98 --- /dev/null +++ b/docs/htmldocs/manpages/vfs_shadow_copy.8.html @@ -0,0 +1,32 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_shadow_copy</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_shadow_copy.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_shadow_copy — Make a Samba share read only for a specified time period</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = shadow_copy</code></p></div></div><div class="refsect1" lang="en"><a name="id267672"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_shadow_copy</code> VFS module functionality + that is similar to Microsoft Shadow Copy services. When setup properly, + this module allows Microsoft Shadow Copy clients to browse + "shadow copies" on Samba shares. + </p><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id267704"></a><h2>CONFIGURATION</h2><p><code class="literal">vfs_shadow_copy</code> relies on a filesystem + snapshot implementation. Many common filesystems have native + support for this. + </p><p>Filesystem snapshots must be mounted on + specially named directories in order to be recognized by + <code class="literal">vfs_shadow_copy</code>. The snapshot mount points must + be immediate children of a the directory being shared.</p><p>The snapshot naming convention is @GMT-YYYY.MM.DD-hh.mm.ss, + where: + </p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">YYYY</code> is the 4 digit year</p></li><li><p><code class="literal">MM</code> is the 2 digit month</p></li><li><p><code class="literal">DD</code> is the 2 digit day</p></li><li><p><code class="literal">hh</code> is the 2 digit hour</p></li><li><p><code class="literal">mm</code> is the 2 digit minute</p></li><li><p><code class="literal">ss</code> is the 2 digit second.</p></li></ul></div><p> + </p><p>The <code class="literal">vfs_shadow_copy</code> snapshot naming convention can be produced with the following + <a href="date.1.html"><span class="citerefentry"><span class="refentrytitle">date</span>(1)</span></a> command: + </p><pre class="programlisting"> + TZ=GMT date +@GMT-%Y.%m.%d-%H.%M.%S + </pre></div><div class="refsect1" lang="en"><a name="id266738"></a><h2>EXAMPLES</h2><p>Add shadow copy support to user home directories:</p><pre class="programlisting"> + <em class="parameter"><code>[homes]</code></em> + <a class="indexterm" name="id266757"></a>vfs objects = shadow_copy +</pre></div><div class="refsect1" lang="en"><a name="id266766"></a><h2>CAVEATS</h2><p>This is not a backup, archival, or version control solution. + </p><p>With Samba or Windows servers, + <code class="literal">vfs_shadow_copy</code> is designed to be an end-user + tool only. It does not replace or enhance your backup and + archival solutions and should in no way be considered as + such. Additionally, if you need version control, implement a + version control system.</p></div><div class="refsect1" lang="en"><a name="id266788"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. + </p></div><div class="refsect1" lang="en"><a name="id266799"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/vfstest.1.html b/docs/htmldocs/manpages/vfstest.1.html new file mode 100644 index 0000000000..bcd1b802e8 --- /dev/null +++ b/docs/htmldocs/manpages/vfstest.1.html @@ -0,0 +1,41 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfstest</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfstest.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfstest — tool for testing samba VFS modules </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfstest</code> [-d debuglevel] [-c command] [-l logdir] [-h]</p></div></div><div class="refsect1" lang="en"><a name="id267702"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">vfstest</code> is a small command line + utility that has the ability to test dso samba VFS modules. It gives the + user the ability to call the various VFS functions manually and + supports cascaded VFS modules. + </p></div><div class="refsect1" lang="en"><a name="id299220"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-c|--command=command</span></dt><dd><p>Execute the specified (colon-separated) commands. + See below for the commands that are available. + </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-l|--logfile=logbasename</span></dt><dd><p>File name for log/debug files. The extension + <code class="constant">'.client'</code> will be appended. The log file is never removed + by the client. + </p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id266729"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id266793"></a><h2>COMMANDS</h2><p><span class="emphasis"><em>VFS COMMANDS</em></span></p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">load <module.so></code> - Load specified VFS module </p></li><li><p><code class="literal">populate <char> <size></code> - Populate a data buffer with the specified data + </p></li><li><p><code class="literal">showdata [<offset> <len>]</code> - Show data currently in data buffer + </p></li><li><p><code class="literal">connect</code> - VFS connect()</p></li><li><p><code class="literal">disconnect</code> - VFS disconnect()</p></li><li><p><code class="literal">disk_free</code> - VFS disk_free()</p></li><li><p><code class="literal">opendir</code> - VFS opendir()</p></li><li><p><code class="literal">readdir</code> - VFS readdir()</p></li><li><p><code class="literal">mkdir</code> - VFS mkdir()</p></li><li><p><code class="literal">rmdir</code> - VFS rmdir()</p></li><li><p><code class="literal">closedir</code> - VFS closedir()</p></li><li><p><code class="literal">open</code> - VFS open()</p></li><li><p><code class="literal">close</code> - VFS close()</p></li><li><p><code class="literal">read</code> - VFS read()</p></li><li><p><code class="literal">write</code> - VFS write()</p></li><li><p><code class="literal">lseek</code> - VFS lseek()</p></li><li><p><code class="literal">rename</code> - VFS rename()</p></li><li><p><code class="literal">fsync</code> - VFS fsync()</p></li><li><p><code class="literal">stat</code> - VFS stat()</p></li><li><p><code class="literal">fstat</code> - VFS fstat()</p></li><li><p><code class="literal">lstat</code> - VFS lstat()</p></li><li><p><code class="literal">unlink</code> - VFS unlink()</p></li><li><p><code class="literal">chmod</code> - VFS chmod()</p></li><li><p><code class="literal">fchmod</code> - VFS fchmod()</p></li><li><p><code class="literal">chown</code> - VFS chown()</p></li><li><p><code class="literal">fchown</code> - VFS fchown()</p></li><li><p><code class="literal">chdir</code> - VFS chdir()</p></li><li><p><code class="literal">getwd</code> - VFS getwd()</p></li><li><p><code class="literal">utime</code> - VFS utime()</p></li><li><p><code class="literal">ftruncate</code> - VFS ftruncate()</p></li><li><p><code class="literal">lock</code> - VFS lock()</p></li><li><p><code class="literal">symlink</code> - VFS symlink()</p></li><li><p><code class="literal">readlink</code> - VFS readlink()</p></li><li><p><code class="literal">link</code> - VFS link()</p></li><li><p><code class="literal">mknod</code> - VFS mknod()</p></li><li><p><code class="literal">realpath</code> - VFS realpath()</p></li></ul></div><p><span class="emphasis"><em>GENERAL COMMANDS</em></span></p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">conf <smb.conf></code> - Load a different configuration file</p></li><li><p><code class="literal">help [<command>]</code> - Get list of commands or info about specified command</p></li><li><p><code class="literal">debuglevel <level></code> - Set debug level</p></li><li><p><code class="literal">freemem</code> - Free memory currently in use</p></li><li><p><code class="literal">exit</code> - Exit vfstest</p></li></ul></div></div><div class="refsect1" lang="en"><a name="id308072"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba + suite.</p></div><div class="refsect1" lang="en"><a name="id308083"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p>The vfstest man page was written by Jelmer Vernooij.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/wbinfo.1.html b/docs/htmldocs/manpages/wbinfo.1.html new file mode 100644 index 0000000000..41fba35576 --- /dev/null +++ b/docs/htmldocs/manpages/wbinfo.1.html @@ -0,0 +1,91 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>wbinfo</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="wbinfo.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>wbinfo — Query information from winbind daemon</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">wbinfo</code> [-a user%password] [--all-domains] [--allocate-gid] [--allocate-uid] [-D domain] [--domain domain] [-g] [--getdcname domain] [--get-auth-user] [-G gid] [-h] [-i user] [-I ip] [-K user%password] [-m] [-n name] [-N netbios-name] [--own-domain] [-p] [-r user] [-s sid] [--separator] [--sequence] [--set-auth-user user%password] [-S sid] [-t] [-u] [--uid-info uid] [--user-domgroups sid] [--user-sids sid] [-U uid] [-V] [-Y sid]</p></div></div><div class="refsect1" lang="en"><a name="id266849"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">wbinfo</code> program queries and returns information + created and used by the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon. </p><p>The <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon must be configured + and running for the <code class="literal">wbinfo</code> program to be able + to return information.</p></div><div class="refsect1" lang="en"><a name="id266924"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-a|--authenticate username%password</span></dt><dd><p>Attempt to authenticate a user via winbindd. + This checks both authenticaion methods and reports its results. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Do not be tempted to use this + functionality for authentication in third-party + applications. Instead use <a href="ntlm_auth.1.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(1)</span></a>.</p></div></dd><dt><span class="term">--allocate-gid</span></dt><dd><p>Get a new GID out of idmap + </p></dd><dt><span class="term">--allocate-uid</span></dt><dd><p>Get a new UID out of idmap + </p></dd><dt><span class="term">--all-domains</span></dt><dd><p>List all domains (trusted and + own domain). + </p></dd><dt><span class="term">--domain name</span></dt><dd><p>This parameter sets the domain on which any specified + operations will performed. If special domain name '.' is used to represent + the current domain to which winbindd belongs. Currently only the + <code class="option">--sequence</code>, + <code class="option">-u</code>, and <code class="option">-g</code> options honor this parameter. + </p></dd><dt><span class="term">-D|--domain-info domain</span></dt><dd><p>Show most of the info we have about the domain. + </p></dd><dt><span class="term">-g|--domain-groups</span></dt><dd><p>This option will list all groups available + in the Windows NT domain for which the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> daemon is operating in. Groups in all trusted domains + will also be listed. Note that this operation does not assign + group ids to any groups that have not already been + seen by <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a>. </p></dd><dt><span class="term">--get-auth-user</span></dt><dd><p>Print username and password used by winbindd + during session setup to a domain controller. Username + and password can be set using <code class="option">--set-auth-user</code>. + Only available for root.</p></dd><dt><span class="term">--getdcname domain</span></dt><dd><p>Get the DC name for the specified domain. + </p></dd><dt><span class="term">-G|--gid-to-sid gid</span></dt><dd><p>Try to convert a UNIX group id to a Windows + NT SID. If the gid specified does not refer to one within + the idmap gid range then the operation will fail. </p></dd><dt><span class="term">-i|--user-info user</span></dt><dd><p>Get user info. + </p></dd><dt><span class="term">-I|--WINS-by-ip ip</span></dt><dd><p>The <em class="parameter"><code>-I</code></em> option + queries <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> to send a node status + request to get the NetBIOS name associated with the IP address + specified by the <em class="parameter"><code>ip</code></em> parameter. + </p></dd><dt><span class="term">-K|--krb5auth username%password</span></dt><dd><p>Attempt to authenticate a user via Kerberos. + </p></dd><dt><span class="term">-m|--trusted-domains</span></dt><dd><p>Produce a list of domains trusted by the + Windows NT server <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> contacts + when resolving names. This list does not include the Windows + NT domain the server is a Primary Domain Controller for. + </p></dd><dt><span class="term">-n|--name-to-sid name</span></dt><dd><p>The <em class="parameter"><code>-n</code></em> option + queries <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> for the SID + associated with the name specified. Domain names can be specified + before the user name by using the winbind separator character. + For example CWDOM1/Administrator refers to the Administrator + user in the domain CWDOM1. If no domain is specified then the + domain used is the one specified in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> <em class="parameter"><code>workgroup + </code></em> parameter. </p></dd><dt><span class="term">-N|--WINS-by-name name</span></dt><dd><p>The <em class="parameter"><code>-N</code></em> option + queries <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> to query the WINS + server for the IP address associated with the NetBIOS name + specified by the <em class="parameter"><code>name</code></em> parameter. + </p></dd><dt><span class="term">--own-domain</span></dt><dd><p>List own domain. + </p></dd><dt><span class="term">-p|--ping</span></dt><dd><p>Check whether winbindd is still alive. + Prints out either 'succeeded' or 'failed'. + </p></dd><dt><span class="term">-r|--user-groups username</span></dt><dd><p>Try to obtain the list of UNIX group ids + to which the user belongs. This only works for users + defined on a Domain Controller. + </p></dd><dt><span class="term">-s|--sid-to-name sid</span></dt><dd><p>Use <em class="parameter"><code>-s</code></em> to resolve + a SID to a name. This is the inverse of the <em class="parameter"><code>-n + </code></em> option above. SIDs must be specified as ASCII strings + in the traditional Microsoft format. For example, + S-1-5-21-1455342024-3071081365-2475485837-500. </p></dd><dt><span class="term">--separator</span></dt><dd><p>Get the active winbind separator. + </p></dd><dt><span class="term">--sequence</span></dt><dd><p>Show sequence numbers of + all known domains</p></dd><dt><span class="term">--set-auth-user username%password</span></dt><dd><p>Store username and password used by winbindd + during session setup to a domain controller. This enables + winbindd to operate in a Windows 2000 domain with Restrict + Anonymous turned on (a.k.a. Permissions compatible with + Windows 2000 servers only). + </p></dd><dt><span class="term">-S|--sid-to-uid sid</span></dt><dd><p>Convert a SID to a UNIX user id. If the SID + does not correspond to a UNIX user mapped by <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> then the operation will fail. </p></dd><dt><span class="term">-t|--check-secret</span></dt><dd><p>Verify that the workstation trust account + created when the Samba server is added to the Windows NT + domain is working. </p></dd><dt><span class="term">-u|--domain-users</span></dt><dd><p>This option will list all users available + in the Windows NT domain for which the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon is operating in. Users in all trusted domains + will also be listed. Note that this operation does not assign + user ids to any users that have not already been seen by <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> + .</p></dd><dt><span class="term">--uid-info UID</span></dt><dd><p>Get user info for the user conencted to + user id UID.</p></dd><dt><span class="term">--user-domgroups SID</span></dt><dd><p>Get user domain groups. + </p></dd><dt><span class="term">--user-sids SID</span></dt><dd><p>Get user group SIDs for user. + </p></dd><dt><span class="term">-U|--uid-to-sid uid</span></dt><dd><p>Try to convert a UNIX user id to a Windows NT + SID. If the uid specified does not refer to one within + the idmap uid range then the operation will fail. </p></dd><dt><span class="term">-Y|--sid-to-gid sid</span></dt><dd><p>Convert a SID to a UNIX group id. If the SID + does not correspond to a UNIX group mapped by <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> then + the operation will fail. </p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308346"></a><h2>EXIT STATUS</h2><p>The wbinfo program returns 0 if the operation + succeeded, or 1 if the operation failed. If the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon is not working <code class="literal">wbinfo</code> will always return + failure. </p></div><div class="refsect1" lang="en"><a name="id308372"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308383"></a><h2>SEE ALSO</h2><p><a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> and <a href="ntlm_auth.1.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(1)</span></a></p></div><div class="refsect1" lang="en"><a name="id308406"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p><code class="literal">wbinfo</code> and <code class="literal">winbindd</code> + were written by Tim Potter.</p><p>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba + 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/manpages/winbindd.8.html b/docs/htmldocs/manpages/winbindd.8.html new file mode 100644 index 0000000000..b1143c93b5 --- /dev/null +++ b/docs/htmldocs/manpages/winbindd.8.html @@ -0,0 +1,241 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>winbindd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="winbindd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>winbindd — Name Service Switch daemon for resolving names + from NT servers</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">winbindd</code> [-D] [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]</p></div></div><div class="refsect1" lang="en"><a name="id299222"></a><h2>DESCRIPTION</h2><p>This program is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">winbindd</code> is a daemon that provides + a number of services to the Name Service Switch capability found + in most modern C libraries, to arbitrary applications via PAM + and <code class="literal">ntlm_auth</code> and to Samba itself.</p><p>Even if winbind is not used for nsswitch, it still provides a + service to <code class="literal">smbd</code>, <code class="literal">ntlm_auth</code> + and the <code class="literal">pam_winbind.so</code> PAM module, by managing connections to + domain controllers. In this configuraiton the + <a class="indexterm" name="id299275"></a>idmap uid and + <a class="indexterm" name="id266717"></a>idmap gid + parameters are not required. (This is known as `netlogon proxy only mode'.)</p><p> The Name Service Switch allows user + and system information to be obtained from different databases + services such as NIS or DNS. The exact behaviour can be configured + throught the <code class="filename">/etc/nsswitch.conf</code> file. + Users and groups are allocated as they are resolved to a range + of user and group ids specified by the administrator of the + Samba system.</p><p>The service provided by <code class="literal">winbindd</code> is called `winbind' and + can be used to resolve user and group information from a + Windows NT server. The service can also provide authentication + services via an associated PAM module. </p><p> + The <code class="filename">pam_winbind</code> module supports the + <em class="parameter"><code>auth</code></em>, <em class="parameter"><code>account</code></em> + and <em class="parameter"><code>password</code></em> + module-types. It should be noted that the + <em class="parameter"><code>account</code></em> module simply performs a getpwnam() to verify that + the system can obtain a uid for the user, as the domain + controller has already performed access control. If the + <code class="filename">libnss_winbind</code> library has been correctly + installed, or an alternate source of names configured, this should always succeed. + </p><p>The following nsswitch databases are implemented by + the winbindd service: </p><div class="variablelist"><dl><dt><span class="term">-D</span></dt><dd><p>If specified, this parameter causes + the server to operate as a daemon. That is, it detaches + itself and runs in the background on the appropriate port. + This switch is assumed if <code class="literal">winbindd</code> is + executed on the command line of a shell. + </p></dd><dt><span class="term">hosts</span></dt><dd><p>This feature is only available on IRIX. + User information traditionally stored in + the <code class="filename">hosts(5)</code> file and used by + <code class="literal">gethostbyname(3)</code> functions. Names are + resolved through the WINS server or by broadcast. + </p></dd><dt><span class="term">passwd</span></dt><dd><p>User information traditionally stored in + the <code class="filename">passwd(5)</code> file and used by + <code class="literal">getpwent(3)</code> functions. </p></dd><dt><span class="term">group</span></dt><dd><p>Group information traditionally stored in + the <code class="filename">group(5)</code> file and used by + <code class="literal">getgrent(3)</code> functions. </p></dd></dl></div><p>For example, the following simple configuration in the + <code class="filename">/etc/nsswitch.conf</code> file can be used to initially + resolve user and group information from <code class="filename">/etc/passwd + </code> and <code class="filename">/etc/group</code> and then from the + Windows NT server. +</p><pre class="programlisting"> +passwd: files winbind +group: files winbind +## only available on IRIX; Linux users should us libnss_wins.so +hosts: files dns winbind +</pre><p>The following simple configuration in the + <code class="filename">/etc/nsswitch.conf</code> file can be used to initially + resolve hostnames from <code class="filename">/etc/hosts</code> and then from the + WINS server.</p><pre class="programlisting"> +hosts: files wins +</pre></div><div class="refsect1" lang="en"><a name="id266957"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-F</span></dt><dd><p>If specified, this parameter causes + the main <code class="literal">winbindd</code> process to not daemonize, + i.e. double-fork and disassociate with the terminal. + Child processes are still created as normal to service + each connection request, but the main process does not + exit. This operation mode is suitable for running + <code class="literal">winbindd</code> under process supervisors such + as <code class="literal">supervise</code> and <code class="literal">svscan</code> + from Daniel J. Bernstein's <code class="literal">daemontools</code> + package, or the AIX process monitor. + </p></dd><dt><span class="term">-S</span></dt><dd><p>If specified, this parameter causes + <code class="literal">winbindd</code> to log to standard output rather + than a file.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer +from 0 to 10. The default value if this parameter is +not specified is 0.</p><p>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.</p><p>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will +override the <a class="indexterm" name="id307913"></a> parameter +in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. +</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <code class="filename">smb.conf</code> for more information. +The default configuration file name is determined at +compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension +<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. +</p></dd><dt><span class="term">-i</span></dt><dd><p>Tells <code class="literal">winbindd</code> to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging + of <code class="literal">winbindd</code> is required. + <code class="literal">winbindd</code> also logs to standard output, + as if the <code class="literal">-S</code> parameter had been given. + </p></dd><dt><span class="term">-n</span></dt><dd><p>Disable caching. This means winbindd will + always have to wait for a response from the domain controller + before it can respond to a client and this thus makes things + slower. The results will however be more accurate, since + results from the cache might not be up-to-date. This + might also temporarily hang winbindd if the DC doesn't respond. + </p></dd><dt><span class="term">-Y</span></dt><dd><p>Single daemon mode. This means winbindd will run + as a single process (the mode of operation in Samba 2.2). Winbindd's + default behavior is to launch a child process that is responsible for + updating expired cache entries. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308052"></a><h2>NAME AND ID RESOLUTION</h2><p>Users and groups on a Windows NT server are assigned + a security id (SID) which is globally unique when the + user or group is created. To convert the Windows NT user or group + into a unix user or group, a mapping between SIDs and unix user + and group ids is required. This is one of the jobs that <code class="literal"> + winbindd</code> performs. </p><p>As winbindd users and groups are resolved from a server, user + and group ids are allocated from a specified range. This + is done on a first come, first served basis, although all existing + users and groups will be mapped as soon as a client performs a user + or group enumeration command. The allocated unix ids are stored + in a database and will be remembered. </p><p>WARNING: The SID to unix id database is the only location + where the user and group mappings are stored by winbindd. If this + store is deleted or corrupted, there is no way for winbindd to + determine which user and group ids correspond to Windows NT user + and group rids. </p><p>See the <a class="indexterm" name="id308084"></a> or the old <a class="indexterm" name="id308089"></a> parameters in + <code class="filename">smb.conf</code> for options for sharing this + database, such as via LDAP.</p></div><div class="refsect1" lang="en"><a name="id308104"></a><h2>CONFIGURATION</h2><p>Configuration of the <code class="literal">winbindd</code> daemon + is done through configuration parameters in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file. All parameters should be specified in the + [global] section of smb.conf. </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id308134"></a>winbind separator</p></li><li><p> + <a class="indexterm" name="id308145"></a>idmap uid</p></li><li><p> + <a class="indexterm" name="id308157"></a>idmap gid</p></li><li><p> + <a class="indexterm" name="id308168"></a>idmap backend</p></li><li><p> + <a class="indexterm" name="id308179"></a>winbind cache time</p></li><li><p> + <a class="indexterm" name="id308191"></a>winbind enum users</p></li><li><p> + <a class="indexterm" name="id308202"></a>winbind enum groups</p></li><li><p> + <a class="indexterm" name="id308213"></a>template homedir</p></li><li><p> + <a class="indexterm" name="id308225"></a>template shell</p></li><li><p> + <a class="indexterm" name="id308236"></a>winbind use default domain</p></li><li><p> + <a class="indexterm" name="id308248"></a>winbind: rpc only + Setting this parameter forces winbindd to use RPC + instead of LDAP to retrieve information from Domain + Controllers. + </p></li></ul></div></div><div class="refsect1" lang="en"><a name="id308259"></a><h2>EXAMPLE SETUP</h2><p> + To setup winbindd for user and group lookups plus + authentication from a domain controller use something like the + following setup. This was tested on an early Red Hat Linux box. + </p><p>In <code class="filename">/etc/nsswitch.conf</code> put the + following: +</p><pre class="programlisting"> +passwd: files winbind +group: files winbind +</pre><p> + </p><p>In <code class="filename">/etc/pam.d/*</code> replace the <em class="parameter"><code> + auth</code></em> lines with something like this: +</p><pre class="programlisting"> +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_nologin.so +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_unix.so \ + use_first_pass shadow nullok +</pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The PAM module pam_unix has recently replaced the module pam_pwdb. + Some Linux systems use the module pam_unix2 in place of pam_unix. + </p></div><p>Note in particular the use of the <em class="parameter"><code>sufficient + </code></em> keyword and the <em class="parameter"><code>use_first_pass</code></em> keyword. </p><p>Now replace the account lines with this: </p><p><code class="literal">account required /lib/security/pam_winbind.so + </code></p><p>The next step is to join the domain. To do that use the + <code class="literal">net</code> program like this: </p><p><code class="literal">net join -S PDC -U Administrator</code></p><p>The username after the <em class="parameter"><code>-U</code></em> can be any + Domain user that has administrator privileges on the machine. + Substitute the name or IP of your PDC for "PDC".</p><p>Next copy <code class="filename">libnss_winbind.so</code> to + <code class="filename">/lib</code> and <code class="filename">pam_winbind.so + </code> to <code class="filename">/lib/security</code>. A symbolic link needs to be + made from <code class="filename">/lib/libnss_winbind.so</code> to + <code class="filename">/lib/libnss_winbind.so.2</code>. If you are using an + older version of glibc then the target of the link should be + <code class="filename">/lib/libnss_winbind.so.1</code>.</p><p>Finally, setup a <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> containing directives like the + following: +</p><pre class="programlisting"> +[global] + winbind separator = + + winbind cache time = 10 + template shell = /bin/bash + template homedir = /home/%D/%U + idmap uid = 10000-20000 + idmap gid = 10000-20000 + workgroup = DOMAIN + security = domain + password server = * +</pre><p>Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands <code class="literal">getent passwd</code> and <code class="literal">getent group + </code> to confirm the correct operation of winbindd.</p></div><div class="refsect1" lang="en"><a name="id308450"></a><h2>NOTES</h2><p>The following notes are useful when configuring and + running <code class="literal">winbindd</code>: </p><p><a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> must be running on the local machine + for <code class="literal">winbindd</code> to work. </p><p>PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system. </p><p>If more than one UNIX machine is running <code class="literal">winbindd</code>, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine, unless a shared <a class="indexterm" name="id308497"></a> is configured.</p><p>If the the Windows NT SID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost. </p></div><div class="refsect1" lang="en"><a name="id308509"></a><h2>SIGNALS</h2><p>The following signals can be used to manipulate the + <code class="literal">winbindd</code> daemon. </p><div class="variablelist"><dl><dt><span class="term">SIGHUP</span></dt><dd><p>Reload the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file and + apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded. </p></dd><dt><span class="term">SIGUSR2</span></dt><dd><p>The SIGUSR2 signal will cause <code class="literal"> + winbindd</code> to write status information to the winbind + log file.</p><p>Log files are stored in the filename specified by the + log file parameter.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308571"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/nsswitch.conf(5)</code></span></dt><dd><p>Name service switch configuration file.</p></dd><dt><span class="term">/tmp/.winbindd/pipe</span></dt><dd><p>The UNIX pipe over which clients communicate with + the <code class="literal">winbindd</code> program. For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the <code class="filename">/tmp/.winbindd</code> directory + and <code class="filename">/tmp/.winbindd/pipe</code> file are owned by + root. </p></dd><dt><span class="term">$LOCKDIR/winbindd_privileged/pipe</span></dt><dd><p>The UNIX pipe over which 'privileged' clients + communicate with the <code class="literal">winbindd</code> program. For security + reasons, access to some winbindd functions - like those needed by + the <code class="literal">ntlm_auth</code> utility - is restricted. By default, + only users in the 'root' group will get this access, however the administrator + may change the group permissions on $LOCKDIR/winbindd_privileged to allow + programs like 'squid' to use ntlm_auth. + Note that the winbind client will only attempt to connect to the winbindd daemon + if both the <code class="filename">$LOCKDIR/winbindd_privileged</code> directory + and <code class="filename">$LOCKDIR/winbindd_privileged/pipe</code> file are owned by + root. </p></dd><dt><span class="term">/lib/libnss_winbind.so.X</span></dt><dd><p>Implementation of name service switch library. + </p></dd><dt><span class="term">$LOCKDIR/winbindd_idmap.tdb</span></dt><dd><p>Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the <em class="parameter"><code>--with-lockdir</code></em> option. + This directory is by default <code class="filename">/usr/local/samba/var/locks + </code>. </p></dd><dt><span class="term">$LOCKDIR/winbindd_cache.tdb</span></dt><dd><p>Storage for cached user and group information. + </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id308716"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of + the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id308726"></a><h2>SEE ALSO</h2><p><code class="filename">nsswitch.conf(5)</code>, <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="wbinfo.1.html"><span class="citerefentry"><span class="refentrytitle">wbinfo</span>(1)</span></a>, <a href="ntlm_auth.8.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, <a href="pam_winbind.8.html"><span class="citerefentry"><span class="refentrytitle">pam_winbind</span>(8)</span></a></p></div><div class="refsect1" lang="en"><a name="id308784"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</p><p><code class="literal">wbinfo</code> and <code class="literal">winbindd</code> were + written by Tim Potter.</p><p>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> diff --git a/docs/htmldocs/samba.css b/docs/htmldocs/samba.css new file mode 100644 index 0000000000..3d926e8e74 --- /dev/null +++ b/docs/htmldocs/samba.css @@ -0,0 +1,80 @@ +BODY { + font-family: helvetica, arial, lucida sans, sans-serif; + background-color: white; +} + +H1, H2, H3 { + color: blue; + font-size: 120%; + padding: 2px; + margin-top: 0px; +} + +H1 { + background-color: #EEEEFF; + color: blue; +} + +H2 { + background-color: #DDDDFF; + color: blue; +} + +H3 { + background-color: #CCCCFF; + color: blue; +} + +H4 { + color: blue; +} + +TR.qandadiv TD { + padding-top: 1em; +} + +DIV.navhead { + font-size: 80%; +} + +A:link { + color: #36F; +} + +A:visited { + color: #96C; +} + +A:active { + color: #F63; +} + +TR.question { + color: #33C; + font-weight: bold; +} + +TR.question TD { + padding-top: 1em; +} + +DIV.variablelist { + padding-left: 2em; + color: #33C; +} + +P { + color: black; +} + +DIV.note, DIV.warning, DIV.caution, DIV.tip, DIV.important { + border: dashed 1px; + background-color: #EEEEFF; + width: 40em; +} + +PRE.programlisting, PRE.screen { + border: #630 1px dashed; + color: #630; +} + diff --git a/docs/htmldocs/using_samba/book.html b/docs/htmldocs/using_samba/book.html new file mode 100644 index 0000000000..5145c80307 --- /dev/null +++ b/docs/htmldocs/using_samba/book.html @@ -0,0 +1,2924 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Using Samba</title><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id2491109"></a>Using Samba</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="preface"><a href="#copyright"></a></span></dt><dt><span class="preface"><a href="#ch00">Preface</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch00-SECT-1">The Samba Suite</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-2">Audience for this Book</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-3">Samba Installation Checklist</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-4">Organization</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-5">Conventions</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-6">Request for Comments</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-7">Acknowledgments</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch01-48078">1. Learning the Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch01-28119">1.1. What is Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-2">1.2. What Can Samba Do For Me?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-2.1">1.2.1. Sharing a Disk Service</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-2.2">1.2.2. Sharing a Printer</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-88536">1.3. Getting Familiar with a SMB/CIFS Network</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-3.1">1.3.1. Understanding NetBIOS</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.2">1.3.2. Getting a Name</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.3">1.3.3. Node Types</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.4">1.3.4. What's in a Name?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.5">1.3.5. Datagrams and Sessions</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-43359">1.4. Microsoft Implementations</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-4.1">1.4.1. Windows Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.2">1.4.2. Browsing</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.3">1.4.3. Can a Windows Workgroup Span Multiple Subnets?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.4">1.4.4. The Windows Internet Name Service (WINS)</a></span></dt><dt><span class="sect2"><a href="#ch01-12452">1.4.5. What Can Samba Do?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-32691">1.5. An Overview of the Samba Distribution</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-6">1.6. How Can I Get Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-40528">1.7. What's New in Samba 2.0?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-7.1">1.7.1. NT Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.2">1.7.2. Ease of Administration</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.3">1.7.3. Performance</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.4">1.7.4. More Features</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.5">1.7.5. Compatibility Improvements</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.6">1.7.6. Smbwrapper</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-99818">1.8. And That's Not All...</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-2">2. Installing Samba on a Unix System</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch02-85028">2.1. Downloading the Samba Distribution</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-1.1">2.1.1. Binary or Source?</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-1.2">2.1.2. Read the Documentation</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-28558">2.2. Configuring Samba</a></span></dt><dt><span class="sect1"><a href="#ch02-13217">2.3. Compiling and Installing Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-3.1">2.3.1. Final Installation Steps</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-13464">2.4. A Basic Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-4.1">2.4.1. Using SWAT</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-4.2">2.4.2. Testing the Configuration File</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-29069">2.5. Starting the Samba Daemons</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-5.1">2.5.1. Starting the Daemons by Hand</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.2">2.5.2. Stand-alone Daemons</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.3">2.5.3. Starting From Inetd</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-67898">2.6. Testing the Samba Daemons</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-3">3. Configuring Windows Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch03-55770">3.1. Setting Up Windows 95/98 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-1.1">3.1.1. Accounts and Passwords</a></span></dt><dt><span class="sect2"><a href="#ch03-36280">3.1.2. Setting Up the Network</a></span></dt><dt><span class="sect2"><a href="#ch03-48802">3.1.3. Setting Your Name and Workgroup </a></span></dt><dt><span class="sect2"><a href="#ch03-13238">3.1.4. Accessing the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-23093">3.2. Setting Up Windows NT 4.0 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-2.1">3.2.1. Basic Configuration</a></span></dt><dt><span class="sect2"><a href="#ch03-85837">3.2.2. Configuring TCP/IP</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-2.3">3.2.3. Connecting to the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-64069">3.3. An Introduction to SMB/CIFS</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-3.1">3.3.1. SMB Format</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.2">3.3.2. SMB Clients and Servers</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.3">3.3.3. A Simple SMB Connection</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.4">3.3.4. Negotiating the Protocol Variant</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.5">3.3.5. Set Session and Login Parameters</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.6">3.3.6. Making Connection to a Resource</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch04-21486">4. Disk Shares </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch04-76968">4.1. Learning the Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-52415">4.1.1. Configuration File Structure</a></span></dt><dt><span class="sect2"><a href="#ch04-87365">4.1.2. Variables</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-81402">4.2. Special Sections</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-2.1">4.2.1. The [globals] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.2">4.2.2. The [ homes] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.3">4.2.3. The [printers] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.4">4.2.4. Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-46076">4.3. Configuration File Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-3.0.1">4.3.1. +config file</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.2">4.3.2. +include</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.3">4.3.3. +copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-71382">4.4. Server Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-4.1">4.4.1. Server Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-14274">4.5. Disk Share Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-5.1">4.5.1. Disk Share Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-86705">4.6. Networking Options with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-6.1">4.6.1. Networking Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-16899">4.7. Virtual Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-7.0.1">4.7.1. +netbios aliases</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-29331">4.8. Logging Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-97929">4.8.1. Using syslog</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-8.1">4.8.2. Logging Configuration Options</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-5">5. Browsing and Advanced Disk Shares </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch05-23763">5.1. Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-1.1">5.1.1. Preventing Browsing</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.2">5.1.2. Default Services</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.3">5.1.3. Browsing Elections</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.4">5.1.4. Domain Master Browser</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.5">5.1.5. Browsing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34221">5.2. Filesystem Differences</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-2.1">5.2.1. Hiding and Vetoing Files</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.2">5.2.2. Links</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.3">5.2.3. Filesystem Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34062">5.3. File Permissions and Attributes on MS-DOS and Unix</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-3.0.1">5.3.1. Creation masks</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-3.1">5.3.2. File and Directory Permission Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-30534">5.4. Name Mangling and Case</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-4.1">5.4.1. The Samba Mangling Operation</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-4.2">5.4.2. Mangling Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-75933">5.5. Locks and Oplocks</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-5.1">5.5.1. Opportunistic Locking</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-5.2">5.5.2. Unix and Locking</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-6">6. Users, Security, and Domains </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch06-92902">6.1. Users and Groups</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-1.1">6.1.1. The [ homes] Share</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-27678">6.2. Controlling Access to Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-2.1">6.2.1. Guest Access</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.2">6.2.2. Access Control Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.3">6.2.3. Username Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-88596">6.3. Authentication Security</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-3.1">6.3.1. Share-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.2">6.3.2. User-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.3">6.3.3. Server-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.4">6.3.4. Domain-level Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-61393">6.4. Passwords</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-4.0.1">6.4.1. Disabling encrypted passwords on the client</a></span></dt><dt><span class="sect2"><a href="#ch06-17782">6.4.2. The smbpasswd File</a></span></dt><dt><span class="sect2"><a href="#ch06-97004">6.4.3. Password Synchronization</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-4.3">6.4.4. Password Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-23084">6.5. Windows Domains</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-36822">6.5.1. Configuring Samba for Windows Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.2">6.5.2. Configuring Windows Clients for Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.3">6.5.3. Domain Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-38153">6.6. Logon Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-6.0.1">6.6.1. Roaming profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.0.2">6.6.2. Mandatory profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.1">6.6.3. Logon Script Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.2">6.6.4. Other Connection Scripts</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.3">6.6.5. Working with NIS and NFS</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-7">7. Printing and Name Resolution</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch07-61388">7.1. Sending Print Jobs to Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-1.1">7.1.1. Print Commands</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.2">7.1.2. Printing Variables</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.3">7.1.3. A Minimal Printing Setup</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.4">7.1.4. The [printers] Share</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.5">7.1.5. Test Printing</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.6">7.1.6. Setting Up and Testing a Windows Client</a></span></dt><dt><span class="sect2"><a href="#ch07-30008">7.1.7. Automatically Setting Up Printer Drivers</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-31526">7.2. Printing to Windows Client Printers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-2.0.1">7.2.1. BSD printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.0.2">7.2.2. System V printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.1">7.2.3. Samba Printing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-12219">7.3. Name Resolution with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-3.1">7.3.1. The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.2">7.3.2. Setting Up Samba to Use Another WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-83429">7.3.3. Setting Up Samba as a WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.4">7.3.4. Name Resolution Configuration Options</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-8">8. Additional Samba Information </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch08-56646">8.1. Supporting Programmers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-1.1">8.1.1. Time Synchronization</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-79987">8.2. Magic Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-2.0.1">8.2.1. magic script</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-2.0.2">8.2.2. +magic output</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-91233">8.3. Internationalization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-17721">8.3.1. +client code page</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.2">8.3.2. character set</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.3">8.3.3. coding system</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.4">8.3.4. valid chars</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-82569">8.4. WinPopup Messages</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-4.0.1">8.4.1. message command</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-SECT-5">8.5. Recently Added Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-5.0.1">8.5.1. change notify timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.2">8.5.2. machine password timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.3">8.5.3. stat cache</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.4">8.5.4. stat cache size</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-70923">8.6. Miscellaneous Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-6.0.1">8.6.1. +deadtime</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.2">8.6.2. +dfree command</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.3">8.6.3. +fstype</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.4">8.6.4. keep alive</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.5">8.6.5. +max disk size</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.6">8.6.6. +max mux</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.7">8.6.7. +max open files</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.8">8.6.8. +max xmit</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.9">8.6.9. +nt pipe support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.10">8.6.10. +nt smb support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.11">8.6.11. +ole locking compatibility</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.12">8.6.12. +panic action</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.13">8.6.13. +set directory</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.14">8.6.14. +smbrun</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.15">8.6.15. +status</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.16">8.6.16. +strict sync</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.17">8.6.17. +sync always</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.18">8.6.18. +strip dot</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-74829">8.7. Backups with smbtar</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-9">9. Troubleshooting Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch09-36385">9.1. The Tool Bag</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-1.1">9.1.1. Samba Logs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.2">9.1.2. Samba Test Utilities</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.3">9.1.3. Unix Utilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-29538">9.2. The Fault Tree</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-2.1">9.2.1. How to use the fault tree</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.2">9.2.2. Troubleshooting Low-level IP </a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.3">9.2.3. Troubleshooting TCP</a></span></dt><dt><span class="sect2"><a href="#ch09-88968">9.2.4. Troubleshooting Server Daemons</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.5">9.2.5. Troubleshooting SMB Connections</a></span></dt><dt><span class="sect2"><a href="#ch09-23573">9.2.6. Troubleshooting Browsing </a></span></dt><dt><span class="sect2"><a href="#ch09-21713">9.2.7. Other Things that Fail </a></span></dt><dt><span class="sect2"><a href="#ch09-23768">9.2.8. Troubleshooting Name Services</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.9">9.2.9. Troubleshooting Network Addresses</a></span></dt><dt><span class="sect2"><a href="#ch09-35552">9.2.10. Troubleshooting NetBIOS Names</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-49719">9.3. Extra Resources</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-3.1">9.3.1. Documentation and FAQs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.2">9.3.2. Samba Newsgroups</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.3">9.3.3. Samba Mailing Lists</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.4">9.3.4. Samba Discussion Archives</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.5">9.3.5. Further Reading</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-A">A. Configuring Samba with SSL</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appa-SECT-1">A.1. About Certificates</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-1.1">A.1.1. What is a Certificate?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.2">A.1.2. What is an X.509 certificate, technically?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.3">A.1.3. What are the implications of this certificate structure?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-2">A.2. Requirements</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-3">A.3. Installing SSLeay</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-3.1">A.3.1. Configuring SSLeay for Your System</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.2">A.3.2. Configuring Samba to use SSL</a></span></dt><dt><span class="sect2"><a href="#appa-62097">A.3.3. Becoming a Certificate Authority</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.4">A.3.4. Creating Certificates for Clients</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.5">A.3.5. Configuring the Samba Server</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.6">A.3.6. Testing with smbclient</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-4">A.4. Setting Up SSL Proxy</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-5">A.5. SSL Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-5.0.1">A.5.1. +ssl</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.2">A.5.2. +ssl hosts</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.3">A.5.3. +ssl hosts resign</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.4">A.5.4. +ssl CA certDir</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.5">A.5.5. +ssl CA certFile</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.6">A.5.6. +ssl server cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.7">A.5.7. +ssl server key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.8">A.5.8. +ssl client cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.9">A.5.9. +ssl client key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.10">A.5.10. +ssl require clientcert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.11">A.5.11. +ssl require servercert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.12">A.5.12. +ssl ciphers</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.13">A.5.13. +ssl version</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.14">A.5.14. +ssl compatibility</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-B">B. Samba Performance Tuning</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appb-47134">B.1. A Simple Benchmark</a></span></dt><dt><span class="sect1"><a href="#appb-50295">B.2. Samba Tuning</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-2.1">B.2.1. Benchmarking</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.2">B.2.2. Things to Tweak</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.3">B.2.3. Other Samba Options</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.4">B.2.4. Our Recommendations </a></span></dt></dl></dd><dt><span class="sect1"><a href="#appb-22511">B.3. Sizing Samba Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-3.1">B.3.1. The Bottlenecks</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.2">B.3.2. Reducing Bottlenecks </a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.3">B.3.3. Practical Examples</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.4">B.3.4. How Many Clients can Samba Handle?</a></span></dt><dt><span class="sect2"><a href="#appb-90359">B.3.5. Measurement Forms</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-C">C. Samba Configuration Option Quick Reference</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appc-SECT-1">C.1. Configuration Options</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-2">C.2. Glossary of Configuration Values</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-3">C.3. Configuration File Variables</a></span></dt></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-D">D. Summary of Samba Daemons and Commands</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appd-SECT-1">D.1. Samba Distribution Programs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appd-SECT-1.1">D.1.1. smbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.2">D.1.2. nmbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.3">D.1.3. Samba Startup File </a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.4">D.1.4. smbsh</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.5">D.1.5. smbclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.6">D.1.6. smbstatus</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.7">D.1.7. smbtar</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.8">D.1.8. nmblookup</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.9">D.1.9. smbpasswd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.10">D.1.10. testparm</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.11">D.1.11. testprns</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.12">D.1.12. rpcclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.13">D.1.13. tcpdump</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-E">E. Downloading Samba with CVS</a></span></dt><dt><span class="appendix"><a href="#SAMBA-AP-F">F. Sample Configuration File</a></span></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>1.1. <a href="#ch01-45964">A simple network setup with a Samba server</a></dt><dt>1.2. <a href="#ch01-60493">The Network Neighborhood directory</a></dt><dt>1.3. <a href="#ch01-76011">Shares available on the hydra sever as viewed from phoenix</a></dt><dt>1.4. <a href="#ch01-55465">Mapping a network drive to a Windows letter-drive</a></dt><dt>1.5. <a href="#ch01-32686">The Network directory mapped to the client letter-drive G</a></dt><dt>1.6. <a href="#ch01-29255">Shares available on hydra (viewed from chimaera) </a></dt><dt>1.7. <a href="#ch01-46265">A network printer available on hydra (viewed from chimaera)</a></dt><dt>1.8. <a href="#ch01-86658">NBNS versus non-NBNS name registration</a></dt><dt>1.9. <a href="#ch01-72484">NBNS versus non-NBNS name resolution</a></dt><dt>1.10. <a href="#ch01-74707">The structure of NetBIOS names</a></dt><dt>1.11. <a href="#ch01-96972">A simple Windows domain</a></dt><dt>1.12. <a href="#ch01-49344">Using a domain controller for authentication</a></dt><dt>1.13. <a href="#ch01-77521">A Windows domain with a local master and local backup browser</a></dt><dt>1.14. <a href="#ch01-52572">A workgroup that spans more than one subnet</a></dt><dt>2.1. <a href="#ch02-60915">SWAT login</a></dt><dt>2.2. <a href="#ch02-49138">SWAT Global Variables page</a></dt><dt>2.3. <a href="#ch02-29175">SWAT Share Creation screen</a></dt><dt>2.4. <a href="#ch02-37186">SWAT Share Parameters screen</a></dt><dt>3.1. <a href="#ch03-84319">The Passwords Properties panel</a></dt><dt>3.2. <a href="#ch03-26778">The Change Passwords tab</a></dt><dt>3.3. <a href="#ch03-97002">The Change Windows Password dialog box</a></dt><dt>3.4. <a href="#ch03-48947">Windows Networking profiles</a></dt><dt>3.5. <a href="#ch03-15320">The Windows 95/98 Network panel</a></dt><dt>3.6. <a href="#ch03-24245">Selecting a protocol to install</a></dt><dt>3.7. <a href="#ch03-50801">Selecting a protocol to install</a></dt><dt>3.8. <a href="#ch03-61576">Selecting the correct TCP/IP protocol</a></dt><dt>3.9. <a href="#ch03-73526">STCP/IP Properties panel</a></dt><dt>3.10. <a href="#ch03-86883">The DNS Configuration tab</a></dt><dt>3.11. <a href="#ch03-95608">The WINS Configuration tab</a></dt><dt>3.12. <a href="#ch03-42906">The Bindings tab</a></dt><dt>3.13. <a href="#ch03-42408">The Identification tab</a></dt><dt>3.14. <a href="#ch03-88553">Windows Network Neighborhood</a></dt><dt>3.15. <a href="#ch03-17463">Shares on Server</a></dt><dt>3.16. <a href="#ch03-82592">Network panel Identification tab</a></dt><dt>3.17. <a href="#ch03-67735">Changing the identification</a></dt><dt>3.18. <a href="#ch03-66055">The Protocols tab</a></dt><dt>3.19. <a href="#ch03-22321">Select Network Protocol dialog box</a></dt><dt>3.20. <a href="#ch03-97222">Network Services panel dialog box</a></dt><dt>3.21. <a href="#ch03-40000">Select Network Service dialog box </a></dt><dt>3.22. <a href="#ch03-97098">Microsoft TCP/IP Properties for Windows NT</a></dt><dt>3.23. <a href="#ch03-61878">The DNS panel</a></dt><dt>3.24. <a href="#ch03-20855">The WINS Address tab</a></dt><dt>3.25. <a href="#ch03-83060">Service bindings</a></dt><dt>3.26. <a href="#ch03-50785">Windows NT Network Neighborhood</a></dt><dt>3.27. <a href="#ch03-89532">Server's shares</a></dt><dt>3.28. <a href="#ch03-69480">Two computers that both have resources to share</a></dt><dt>4.1. <a href="#ch04-97340">The include option in a Samba configuration file</a></dt><dt>4.2. <a href="#ch04-38915">Network Neighborhood showing the Samba server</a></dt><dt>4.3. <a href="#ch04-50900">Network Neighborhood details listing</a></dt><dt>4.4. <a href="#ch04-13866">The initial data share on the Samba server</a></dt><dt>4.5. <a href="#ch04-88746">Windows client view of a network filesystem specified by path</a></dt><dt>4.6. <a href="#ch04-34850">Windows client view of a share comment</a></dt><dt>4.7. <a href="#ch04-28393">Using NetBIOS aliases for a Samba server + </a></dt><dt>5.1. <a href="#ch05-15706">Multiple subnets with Samba servers</a></dt><dt>5.2. <a href="#ch05-77260">Hidden files in the [data] share</a></dt><dt>5.3. <a href="#ch05-19743">Hiding files based on filename patterns</a></dt><dt>5.4. <a href="#ch05-62659">Contents of the [data] share with dont descend + + </a></dt><dt>5.5. <a href="#ch05-36377">An error dialog trying to follow symbolic links when forbidden by Samba</a></dt><dt>5.6. <a href="#ch05-76568">DOS and Windows file properties</a></dt><dt>5.7. <a href="#ch05-56404">How Samba and Unix view the permissions of a file</a></dt><dt>5.8. <a href="#ch05-74304">Opportunistic locking</a></dt><dt>6.1. <a href="#ch06-33100">Selecting share-level security on a Windows machine</a></dt><dt>6.2. <a href="#ch06-89929">A typical system setup using server level security</a></dt><dt>6.3. <a href="#ch06-54128">Structure of the smbpasswd file entry (actually one line)</a></dt><dt>6.4. <a href="#ch06-48609">Configuring a Windows 95/98 client for domain logons</a></dt><dt>6.5. <a href="#ch06-89804">Configuring a Windows NT client for domain logons</a></dt><dt>6.6. <a href="#ch06-71393">Local profiles versus roaming profiles</a></dt><dt>7.1. <a href="#ch07-35075">A Samba printer in the Network Neighborhood</a></dt><dt>7.2. <a href="#ch07-60084">A printer in the Network Neighborhood</a></dt><dt>7.3. <a href="#ch07-69466">Printer manufacturers and models</a></dt><dt>7.4. <a href="#ch07-43374">Printing successfully completed</a></dt><dt>7.5. <a href="#ch07-52397">The Printers window</a></dt><dt>7.6. <a href="#ch07-60108">Automatically configuring the printer driver</a></dt><dt>7.7. <a href="#ch07-32814">The Printers window</a></dt><dt>7.8. <a href="#ch07-92021">The Sharing tab of the printer</a></dt><dt>7.9. <a href="#ch07-46183">The Add Printer Wizard dialog box in Windows 98</a></dt><dt>8.1. <a href="#ch08-66444">The WinPopup application</a></dt><dt>8.2. <a href="#ch08-18303">The Networking window</a></dt><dt>8.3. <a href="#ch08-41042">TCP/IP Bindings</a></dt><dt>8.4. <a href="#ch08-64918">My Documents Properties</a></dt><dt>8.5. <a href="#ch08-29192">MyFiles Properties as shared</a></dt><dt>9.1. <a href="#ch09-91668">Pinging the Samba server from a Windows client</a></dt><dt>9.2. <a href="#ch09-99328">Results of the NET USE command</a></dt><dt>9.3. <a href="#ch09-74414">Accessing the /tmp directory with Windows Explorer</a></dt><dt>9.4. <a href="#ch09-83710">Using the net view command</a></dt><dt>9.5. <a href="#ch09-60004">List of shares on a server</a></dt><dt>A.1. <a href="#appa-89929">Two possible ways of proxying Windows 95/98 clients</a></dt><dt>B.1. <a href="#appb-34738">SO_SNDBUF size and performance</a></dt><dt>B.2. <a href="#appb-98866">Data flow through a Samba server, with possible bottlenecks</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>1.1. <a href="#ch01-91681">NetBIOS Node Types </a></dt><dt>1.2. <a href="#ch01-11471">NetBIOS Unique Resource Types </a></dt><dt>1.3. <a href="#ch01-52395">NetBIOS Group Resource Types </a></dt><dt>1.4. <a href="#ch01-29352">Datagram Primitives </a></dt><dt>1.5. <a href="#ch01-75575">Session Primitives </a></dt><dt>1.6. <a href="#ch01-14021">Samba Roles (as of 2.0.4b) </a></dt><dt>2.1. <a href="#ch02-85125">Additional Configure Options </a></dt><dt>2.2. <a href="#SAMBA-CH-2-TBL-2.2">Samba Installation Directories </a></dt><dt>3.1. <a href="#ch03-31015">SMB Header Fields </a></dt><dt>3.2. <a href="#ch03-38178">SMB Command Contents </a></dt><dt>3.3. <a href="#ch03-67366">SMB Protocol Dialects </a></dt><dt>4.1. <a href="#ch04-10883">Samba Variables </a></dt><dt>4.2. <a href="#ch04-94939">Configuration File Options </a></dt><dt>4.3. <a href="#ch04-61150">Server Configuration Options </a></dt><dt>4.4. <a href="#ch04-82964">Basic Share Configuration Options </a></dt><dt>4.5. <a href="#ch04-32963">Networking Configuration Options </a></dt><dt>4.6. <a href="#ch04-92259">Virtual Server Configuration Options </a></dt><dt>4.7. <a href="#ch04-92838">Global Configuration Options </a></dt><dt>4.8. <a href="#ch04-80576">Syslog Priority Conversion </a></dt><dt>5.1. <a href="#ch05-51423">Operating System Values in an Election </a></dt><dt>5.2. <a href="#SAMBA-CH-5-TBL-5.2">Computer Role Settings in an Election </a></dt><dt>5.3. <a href="#ch05-81028">Browsing Configuration Options </a></dt><dt>5.4. <a href="#ch05-48353">Filesystem Configuration Options </a></dt><dt>5.5. <a href="#ch05-96508">File and Directory Permission Options </a></dt><dt>5.6. <a href="#ch05-24354">Operating System Filename Limitations </a></dt><dt>5.7. <a href="#ch05-47431">Name Mangling Options </a></dt><dt>5.8. <a href="#ch05-53407">Locks and Oplocks Configuration Options </a></dt><dt>5.9. <a href="#ch05-55885">SMB Deny-Mode Locks </a></dt><dt>6.1. <a href="#ch06-28077">Share-level Access Options </a></dt><dt>6.2. <a href="#ch06-82964">Username Options </a></dt><dt>6.3. <a href="#ch06-73905">Security Option </a></dt><dt>6.4. <a href="#ch06-80998">Share-Level Access Options </a></dt><dt>6.5. <a href="#ch06-75183">Windows Operating Systems with Encrypted Passwords </a></dt><dt>6.6. <a href="#ch06-77246">Password Chat Response Characters </a></dt><dt>6.7. <a href="#ch06-38512">Password Chat Send Characters </a></dt><dt>6.8. <a href="#ch06-68460">Password Configuration Options </a></dt><dt>6.9. <a href="#ch06-53106">Windows 95/98 Domain Logon Options </a></dt><dt>6.10. <a href="#ch06-46661">Logon Script Options </a></dt><dt>6.11. <a href="#ch06-67528">Connection Script Options </a></dt><dt>6.12. <a href="#ch06-27466">NIS Options </a></dt><dt>7.1. <a href="#ch07-29758">Printing Variables </a></dt><dt>7.2. <a href="#ch07-19361">Printing Configuration Options </a></dt><dt>7.3. <a href="#ch07-28758">Printing Types </a></dt><dt>7.4. <a href="#ch07-82964">Default Commands for Various Printing Commands </a></dt><dt>7.5. <a href="#ch07-82331">WINS Options </a></dt><dt>8.1. <a href="#ch08-73167">Programming Configuration Options </a></dt><dt>8.2. <a href="#ch08-33693">Networking Configuration Options </a></dt><dt>8.3. <a href="#ch08-40870">Networking Configuration Options </a></dt><dt>8.4. <a href="#ch08-20815">Valid Code Pages with Samba 2.0 </a></dt><dt>8.5. <a href="#ch08-14126">Valid Character Sets with Samba 2.0 </a></dt><dt>8.6. <a href="#ch08-57476">Valid Coding System Parameters with Samba 2.0 </a></dt><dt>8.7. <a href="#ch08-18671">WinPopup Configuration Option </a></dt><dt>8.8. <a href="#ch08-29758">Message Command Variables </a></dt><dt>8.9. <a href="#ch08-72538">Recently Added Options </a></dt><dt>8.10. <a href="#ch08-83566">Miscellaneous Options </a></dt><dt>8.11. <a href="#ch08-80519">Filesystem Types </a></dt><dt>A.1. <a href="#appa-61150">SSL Configuration Options </a></dt><dt>B.1. <a href="#appb-73167">Sample Benchmark Benchmarks </a></dt><dt>B.2. <a href="#appb-78077">Disk Throughput </a></dt><dt>B.3. <a href="#appb-42029">CPU Throughput </a></dt><dt>B.4. <a href="#appb-67604">Network Throughput </a></dt><dt>B.5. <a href="#appb-26613">Tuning a Medium-Sized Server </a></dt><dt>B.6. <a href="#appb-82208">Ethernet Interface to Same Host: FTP </a></dt><dt>B.7. <a href="#appb-34846">Ethernet Interface to Same Host: FTP </a></dt><dt>B.8. <a href="#appb-51003">Bottleneck Calculation Table</a></dt><dt>B.9. <a href="#appb-37370">Ethernet Interface to Same Host: FTP </a></dt><dt>B.10. <a href="#SAMBA-AP-B-TBL-10">Sparc 20 Example, Redux</a></dt><dt>C.1. <a href="#appc-88529">Variables in Alphabetic Order </a></dt><dt>D.1. <a href="#appd-89417">smbclient Commands </a></dt><dt>D.2. <a href="#appd-39300">smbclient Printing Commands </a></dt><dt>D.3. <a href="#appd-54517">smbclient Printing Commands </a></dt><dt>D.4. <a href="#appd-65243">rpcclient commands </a></dt></dl></div><div class="preface" lang="en"><div class="titlepage"></div><p>Copyright © 2000 O'Reilly & Associates, Inc. All rights reserved. This material may be redistributed only under the terms of the Open Content +License. For information on the Open Content License under which the +contents of this book are licensed, see <code class="systemitem">http://www.oreilly.com/catalog/samba/</code>.</p><p>Printed in the United States of America.</p><p>Published by O'Reilly & Associates, Inc., 101 Morris Street, +Sebastopol, CA 95472.</p><p>The O'Reilly logo is a registered trademark of O'Reilly & +Associates, Inc. Many of the designations used by manufacturers and +sellers to distinguish their products are claimed as trademarks. +Where those designations appear in this book, and O'Reilly & +Associates, Inc. was aware of a trademark claim, the designations have +been printed in caps or initial caps. The association between the +image of the North African ground hornbill and the topic of Samba is +a trademark of O'Reilly & Associates, Inc.</p><p>While every precaution has been taken in the preparation of this +book, the publisher assumes no responsibility for errors or omissions, +or for damages resulting from the use of the information contained +herein.</p></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch00"></a>Preface</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch00-SECT-1">The Samba Suite</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-2">Audience for this Book</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-3">Samba Installation Checklist</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-4">Organization</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-5">Conventions</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-6">Request for Comments</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-7">Acknowledgments</a></span></dt></dl></div><p>It's nine in the morning and you've just arrived at the computer center after a refreshing night's sleep. Your pager hasn't gone off in months. Life is pretty good as a system administrator — and why shouldn't it be, with the network you're running? Two hundred identical machines, all running the same operating system. All of the printers are networked, accessible from anywhere in the building, and the auto-configuration scripts that the manufacturer supplied ensure that everyone in the company has a consistent view of the shared disks you've set up. Yes, this is the good life. You lean back and take that first delicious sip of morning coffee . . . .</p><p>And then, the alarm clock jolts you out of your blissful reverie. If you're like most system administrators, this could only be a dream. Your morning probably starts with a tireless struggle to get four different computer platforms running three different operating systems simply to talk to each other — that is, if the phone ever stops ringing. Most of your users don't understand why it's so hard to access a file on another computer or to send a job to a remote printer. The logs show that the backups are late. For some reason the PCs on the second floor can't find the tape server. With all these headaches, what's a network administrator to do?</p><p>Easy: take the day off, read this book, and learn Samba!</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-1"></a>The Samba Suite</h2></div></div></div><p>Samba is a suite of tools for sharing resources such as printers and files across a network. This may be a bit of an oversimplification, but Samba is really designed to make your life easier. Samba uses the Server Message Block (SMB) protocol, which is endorsed jointly by Microsoft and IBM, to communicate low-level data between Windows clients and Unix servers on a TCP/IP network.</p><p> +<a class="indexterm" name="ch00-idx-941381-0"></a>Four features of Samba make it extremely attractive:</p><div class="itemizedlist"><ul type="disc"><li><p>Samba speaks the same SMB protocol that Microsoft and IBM operating systems have used as their standard since DOS 3.0. This means that almost all Windows machines already understand it and there is no extra client software to install.</p></li><li><p>Samba runs on a variety of platforms, including most variants of Unix, OpenVMS, OS/2, AmigaDOS, and NetWare. This means that you can use a single program on the server to provide files and printers to a community of PCs.</p></li><li><p>Samba is free. There are several commercial products that duplicate Samba's features, and some of them are quite expensive. Samba offers you an alternative to packages that could gobble up a significant portion of your IS budget. Samba is distributed under the GNU General Public License (GPL), and is considered by its authors to be <em class="firstterm">Open Source</em> software. In other words, you can freely download both the application and the accompanying source code to your computer, and even improve on the original Samba programs if you like.</p></li><li><p>Samba administration is centralized on the server. You don't have to visit every one of your machines, floppy or CD-ROM in hand, to upgrade the client software.</p></li></ul></div><p>Samba is a complete solution for local area networks (LANs) of all sizes—everything from the two-computer home network to corporate installations with hundreds of nodes. Samba is simple to set up and to administer, and presents itself as a transparent network environment that offers users access to all of the resources they need to get their work done. Once you've set it up, Samba will let you:</p><div class="itemizedlist"><ul type="disc"><li><p>Serve Unix files to Windows, OS/2, and other OS clients</p></li><li><p>Allow Unix clients to access PC files</p></li><li><p>Serve network printers to Windows clients</p></li><li><p>Provide name services (broadcast and WINS)</p></li><li><p>Allow browsing of network resources from Windows clients</p></li><li><p>Create Windows workgroups or domains</p></li><li><p>Enforce username and password authentication of clients</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-2"></a>Audience for this Book</h2></div></div></div><p>The primary audience of this book is Unix administrators who need to support PCs on their network, and anyone who needs to provide a Unix server in a PC environment. But we don't want to burden you with an endless series of arcane system administration tools and vocabulary. While we assume you are familiar with basic Unix system administration, we will <span class="emphasis"><em>not</em></span> assume you are a networking expert. We'll do our best along the way to help out with unusual definitions and terms.</p><p>Because we don't assume a tremendous amount of experience with Microsoft Windows, we will go through the PC side of the installation task in considerable detail and give examples for both Windows 95/98 and Windows NT, which are subtly different. For the Unix side, we will give examples for common Unix operating systems, such as Linux 2.0 or Solaris 2.6.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-3"></a>Samba Installation Checklist</h2></div></div></div><p>Before you get started, you should have:</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="ch00-idx-941383-0"></a><a class="indexterm" name="ch00-idx-941383-1"></a><a class="indexterm" name="ch00-idx-941383-2"></a> + + + +The latest Samba distribution, which you can download directly off the Internet at <code class="systemitem">http://www.samba.org/</code>.</p></li><li><p>The names and IP addresses of the servers and client machines you plan to use, the netmask of your network, and the names and IP addresses of your domain name (DNS) servers.</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-4"></a>Organization</h2></div></div></div><p>The book can be roughly divided into two sections: Samba installation (<a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a> through <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>) and Samba configuration and optimization (<a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a> through <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>). Here is a detailed breakdown of each of the chapters:</p><div class="variablelist"><dl><dt><span class="term"><a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a></span></dt><dd><p>This chapter introduces each of the Samba components and gives a brief overview of NetBIOS and Windows networking.</p></dd><dt><span class="term"><a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a></span></dt><dd><p>This chapter covers configuring, compiling, installing, and testing the Samba server on a Unix platform.</p></dd><dt><span class="term"><a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a></span></dt><dd><p>This chapter explains how to configure Microsoft Windows 95/98 and NT 4.0 clients to participate in an SMB network. It also gives a brief introduction to the SMB protocol in action.</p></dd><dt><span class="term"><a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a></span></dt><dd><p>This chapter gets you up to speed with the individual parts of the Samba configuration file and shows you how to configure disk services.</p></dd><dt><span class="term"><a href="#SAMBA-CH-5" title="Chapter 5. Browsing and Advanced Disk Shares">Chapter 5</a></span></dt><dd><p>This chapter continues the discussion of disk options and examines browsing with Samba.</p></dd><dt><span class="term"><a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a></span></dt><dd><p>This chapter discusses how to set up users, introduces you to Samba security, and shows you how to work with encrypted and non-encrypted passwords. We also discuss how to set up Samba as a primary domain controller for Windows 95/98 and NT clients.</p></dd><dt><span class="term"><a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a></span></dt><dd><p>This chapter discusses printer and Windows Internet Naming Service (WINS) setup with Samba.</p></dd><dt><span class="term"><a href="#SAMBA-CH-8" title="Chapter 8. Additional Samba Information">Chapter 8</a></span></dt><dd><p>This chapter bundles several miscellaneous activities associated with Samba, such as configuring Samba shares for programmers, internationalization issues, and backing up with <span class="emphasis"><em>smbtar</em></span>.</p></dd><dt><span class="term"><a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a></span></dt><dd><p>If you have problems installing Samba, this comparatively large chapter is packed with troubleshooting hints and strategies as to what might be going wrong.</p></dd><dt><span class="term"><a href="#SAMBA-AP-A" title="Appendix A. Configuring Samba with SSL">Appendix A</a></span></dt><dd><p>This appendix shows you the nitty-gritty of setting up Samba with Secure Sockets Layers (SSL) connections between the server and its clients.</p></dd><dt><span class="term"><a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a></span></dt><dd><p>This appendix discusses various techniques to optimize Samba processing on your network.</p></dd><dt><span class="term"><a href="#SAMBA-AP-C" title="Appendix C. Samba Configuration Option Quick Reference">Appendix C</a></span></dt><dd><p>This appendix covers each of the options used in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term"><a href="#SAMBA-AP-D" title="Appendix D. Summary of Samba Daemons and Commands">Appendix D</a></span></dt><dd><p>Each of the server daemons and tools that make up the Samba suite are covered in this appendix. In addition, we provide a list of mirror sites on the Internet from which Samba can be downloaded.</p></dd><dt><span class="term"><a href="#SAMBA-AP-E" title="Appendix E. Downloading Samba with CVS">Appendix E</a></span></dt><dd><p>This appendix explains how to download the latest version of Samba with CVS.</p></dd><dt><span class="term"><a href="#SAMBA-AP-F" title="Appendix F. Sample Configuration File">Appendix F</a></span></dt><dd><p>This appendix provides a large-scale Samba configuration file, which you might find in place at a large corporation. We have embedded comments in the file to explain the more arcane options.</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-5"></a>Conventions</h2></div></div></div><p>The following font conventions are followed throughout this book:</p><div class="variablelist"><dl><dt><span class="term">Italic </span></dt><dd><p>Filenames, file extensions, URLs, Internet addresses, executable files, commands, and emphasis.</p></dd><dt><span class="term"><code class="literal">Constant Width</code> </span></dt><dd><p>Samba configuration options and other code that appear in the text, and command-line information that should be typed verbatim on the screen.</p></dd><dt><span class="term"><strong class="userinput"><code>Bold Constant Width</code></strong> </span></dt><dd><p>Commands that are entered by the user, and new configuration options that we wish to bring to the attention of the reader.</p></dd><dt><span class="term"><em class="replaceable"><code>Constant Width Italic</code></em></span></dt><dd><p>Replaceable content in code and command-line information.</p></dd></dl></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch00-NOTE-0"></a>Tip</h3><p>This icon designates a note, which is an important aside to the nearby text.</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch00-NOTE-1"></a>Warning</h3><p>This icon designates a warning related to the nearby text.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-6"></a>Request for Comments</h2></div></div></div><p>As a reader of this book, you can help us to improve the next edition. If you find errors, inaccuracies, or typographical errors anywhere in the book, please let us at O'Reilly know about them. Also, if you find any misleading statements or confusing explanations, let us know that as well. Send all correspondence to:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>O'Reilly & Associates</td></tr><tr><td>101 Morris Street</td></tr><tr><td>Sebastopol, CA 95472</td></tr><tr><td>1-800-998-9938 (in the U.S. or Canada)</td></tr><tr><td>1-707-829-0515 (international/local)</td></tr><tr><td>1-707-829-0104 (fax)</td></tr><tr><td><code class="email"><<a href="mailto:bookquestions@ora.com">bookquestions@ora.com</a>></code></td></tr></table><p>Please let us know what we can do to make the book more helpful to you. We take your comments seriously, and will do whatever we can to make this book as useful as it can be.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-7"></a>Acknowledgments</h2></div></div></div><p>Robert Eckstein</p><div class="blockquote"><blockquote class="blockquote"><p>I'd first like to recognize Dave Collier-Brown and Peter Kelly for all their help in the creation of this book. I'd also like to thank each of the technical reviewers that helped polish this book into shape on such short notice: Matthew Temple, Jeremy Allison, and of course Andrew Tridgell. Andrew and Jeremy deserve special recognition, not only for creating such a wonderful product, but for providing a tireless amount of support in the final phase of this book—hats off to you, guys! A warm hug goes out to my wife Michelle, who once again put up with a husband loaded down with too much caffeine on a tight schedule. Thanks to Dave Sifry and the people at LinuxCare, San Francisco, for hosting me on such short notice for Andrew Tridgell's visit. And finally, a huge amount of thanks to our editor, Andy Oram, who (very) patiently helped guide this book through its many stages until we got it right.</p></blockquote></div><p>David Collier-Brown</p><div class="blockquote"><blockquote class="blockquote"><p>I'd especially like to thank Joyce, who put up with me during the sometimes exciting development of the book. My thanks to Andy Oram, who was kind enough to provide the criticism that allowed me to contribute; the crew at Opcom who humored the obvious madman in their midst; and Ian MacMillan, who voluntarily translated several of my early drafts from nerd to English. I would also like to give special thanks to Perry Donham, Drew Sullivan, and Jerry DeRoo.</p></blockquote></div><p>Peter Kelly</p><div class="blockquote"><blockquote class="blockquote"><p>A few people really made this book possible, and I have to bow to them. Dave Collier-Brown, and then Bob Eckstein, took over my part of this project with style and professionalism and I can't explain how much I owe them for the great work that came out of it. Editor Andy Oram is by far the most patient and pleasant person I have met. Also, I don't think that I would have been involved in this book without the help of Xavier Cazin from O'Reilly, who originally came to me asking for a proposal after reading my Linux Journal article. I also would like to thank all of the JDP.COM consultants ( Jerry, Peggyann, Drew, Gord, Jerome, Mark, Rick—too many to list!) for allowing me to continue to work with them. I thank the O'Reilly staff that I have worked with as well; they are a great bunch of people. Also, thanks to the Samba Team for making Samba in the first place. And most importantly, Kate McKay, for staying with me this long!</p></blockquote></div><p>We would especially like to give thanks to Perry Donham for helping mold the first draft of this book. Although Perry was unable to contribute to subsequent drafts, his material was essential to getting this book off on the right foot. In addition, some of the browsing material came from text originally written by Dan Shearer for O'Reilly.</p><p>We are deeply indebted to the production department at O'Reilly for another fantastic job. Sarah Jane Shangraw worked long hours accommodating our seemingly endless edits, and Rob Romano tirelessly edited our images again and again until they were perfect. Special thanks also to Claire Cloutier LeBlanc, Rhon Porter, and Mike Sierra for their help—we couldn't have done it without any of them. It is largely through their collective efforts that this book arrived to you in November 1999 instead of November 2000.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch01-48078"></a>Chapter 1. Learning the Samba</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch01-28119">1.1. What is Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-2">1.2. What Can Samba Do For Me?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-2.1">1.2.1. Sharing a Disk Service</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-2.2">1.2.2. Sharing a Printer</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-88536">1.3. Getting Familiar with a SMB/CIFS Network</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-3.1">1.3.1. Understanding NetBIOS</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.2">1.3.2. Getting a Name</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.3">1.3.3. Node Types</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.4">1.3.4. What's in a Name?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.5">1.3.5. Datagrams and Sessions</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-43359">1.4. Microsoft Implementations</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-4.1">1.4.1. Windows Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.2">1.4.2. Browsing</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.3">1.4.3. Can a Windows Workgroup Span Multiple Subnets?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.4">1.4.4. The Windows Internet Name Service (WINS)</a></span></dt><dt><span class="sect2"><a href="#ch01-12452">1.4.5. What Can Samba Do?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-32691">1.5. An Overview of the Samba Distribution</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-6">1.6. How Can I Get Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-40528">1.7. What's New in Samba 2.0?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-7.1">1.7.1. NT Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.2">1.7.2. Ease of Administration</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.3">1.7.3. Performance</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.4">1.7.4. More Features</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.5">1.7.5. Compatibility Improvements</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.6">1.7.6. Smbwrapper</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-99818">1.8. And That's Not All...</a></span></dt></dl></div><p> +<a class="indexterm" name="ch01-idx-951466-0"></a>If you are a typical system administrator, then you know what it means to be <span class="emphasis"><em>swamped</em></span> with work. Your daily routine is filled with endless hardware incompatibility issues, system outages, data backup problems, and a steady stream of angry users. So adding another program to the mix of tools that you have to maintain may sound a bit perplexing. However, if you're determined to reduce the complexity of your work environment, as well as the workload of keeping it running smoothly, Samba may be the tool you've been waiting for.</p><p>A case in point: one of the authors of this book used to look after 70 Unix developers sharing 5 Unix servers. His neighbor administered 20 Windows 3.1 users and 5 OS/2 and Windows NT servers. To put it mildly, the Windows 3.1 administrator was swamped. When he finally left—and the domain controller melted—Samba was brought to the rescue. Our author quickly replaced the Windows NT and OS/2 servers with Samba running on a Unix server, and eventually bought PCs for most of the company developers. However, he did the latter without hiring a new PC administrator; the administrator now manages one centralized Unix application instead of fifty distributed PCs.</p><p>If you know you're facing a problem with your network and you're sure there is a better way, we encourage you to start reading this book. Or, if you've heard about Samba and you want to see what it can do for you, this is also the place to start. We'll get you started on the path to understanding Samba and its potential. Before long, you can provide Unix services to all your Windows machines—all without spending tons of extra time or money. Sound enticing? Great, then let's get started.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-28119"></a>What is Samba?</h2></div></div></div><p>Samba is a suite of Unix applications that speak the <a class="indexterm" name="ch01-idx-951468-0"></a> +<a class="indexterm" name="ch01-idx-951468-1"></a>SMB (Server Message Block) protocol. Many operating systems, including Windows and OS/2, use SMB to perform client-server networking. By supporting this protocol, Samba allows Unix servers to get in on the action, communicating with the same networking protocol as Microsoft Windows products. Thus, a Samba-enabled Unix machine can masquerade as a server on your Microsoft network and offer the following services:</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="ch01-idx-951506-0"></a>Share one or more filesystems</p></li><li><p>Share printers installed on both the server and its clients</p></li><li><p>Assist clients with Network Neighborhood browsing</p></li><li><p>Authenticate clients logging onto a Windows domain</p></li><li><p>Provide or assist with WINS name server resolution</p></li></ul></div><p>Samba is the brainchild of <a class="indexterm" name="ch01-idx-951508-0"></a>Andrew Tridgell, who currently heads the Samba development team from his home of Canberra, Australia. The project was born in 1991 when Andrew created a fileserver program for his local network that supported an odd DEC protocol from Digital Pathworks. Although he didn't know it at the time, that protocol later turned out to be SMB. A few years later, he expanded upon his custom-made SMB server and began distributing it as a product on the Internet under the name SMB Server. However, Andrew couldn't keep that name—it already belonged to another company's product—so he tried the following Unix renaming approach:</p><pre class="programlisting">grep -i 's.*m.*b' /usr/dict/words<a class="indexterm" name="ch01-idx-951514-0"></a></pre><p>And the response was:</p><pre class="programlisting">salmonberry samba sawtimber scramble</pre><p>Thus, the name "Samba" was born.<sup>[<a name="ch01-pgfId-946532" href="#ftn.ch01-pgfId-946532">1</a>]</sup></p><p>Today, the Samba suite revolves around a pair of <a class="indexterm" name="ch01-idx-951515-0"></a> +<a class="indexterm" name="ch01-idx-951515-1"></a>Unix daemons that provide <a class="indexterm" name="ch01-idx-951518-0"></a>shared resources—or <em class="firstterm">shares</em>—to SMB clients on the network. (Shares are sometimes called <a class="indexterm" name="ch01-idx-951527-0"></a>s<em class="firstterm">ervices</em> as well.) These daemons are:</p><div class="variablelist"><dl><dt><span class="term">smbd</span></dt><dd><p> +<a class="indexterm" name="ch01-idx-951528-0"></a>A daemon that allows file and printer sharing on an SMB network and provides authentication and authorization for SMB clients.</p></dd><dt><span class="term">nmbd</span></dt><dd><p> +<a class="indexterm" name="ch01-idx-951529-0"></a>A daemon that looks after the <a class="indexterm" name="ch01-idx-951530-0"></a>Windows Internet Name Service (WINS), and assists with browsing.</p></dd></dl></div><p>Samba is currently maintained and extended by a group of volunteers under the active supervision of Andrew Tridgell. Like the Linux operating system, Samba is considered <em class="firstterm">Open Source software </em> +<a class="indexterm" name="ch01-idx-951531-0"></a> +<a class="indexterm" name="ch01-idx-951531-1"></a>(OSS) by its authors, and is distributed under the <a class="indexterm" name="ch01-idx-951532-0"></a>GNU General Public License (GPL). Since its inception, development of Samba has been sponsored in part by the <a class="indexterm" name="ch01-idx-951533-0"></a>Australian National University, where Andrew Tridgell earned his Ph.D.<sup>[<a name="ch01-pgfId-946542" href="#ftn.ch01-pgfId-946542">2</a>]</sup> In addition, some development has been sponsored by independent vendors such as <a class="indexterm" name="ch01-idx-951534-0"></a>Whistle and <a class="indexterm" name="ch01-idx-951535-0"></a>SGI. It is a true testament to Samba that both commercial and non-commercial entities are prepared to spend money to support an Open Source effort.</p><p> +<a class="indexterm" name="ch01-idx-951536-0"></a>Microsoft has also contributed materially by putting forward its definition of SMB and the Internet-savvy <a class="indexterm" name="ch01-idx-951537-0"></a> +<a class="indexterm" name="ch01-idx-951537-1"></a>Common Internet File System (CIFS), as a public <a class="indexterm" name="ch01-idx-951538-0"></a> +<a class="indexterm" name="ch01-idx-951538-1"></a>Request for Comments (RFC), a standards document. The CIFS protocol is Microsoft's renaming of future versions of the SMB protocol that will be used in Windows products—the two terms can be used interchangeably in this book. Hence, you will often see the protocol written as "<a class="indexterm" name="ch01-idx-951539-0"></a>SMB/CIFS."</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-SECT-2"></a>What Can Samba Do For Me?</h2></div></div></div><p>As explained earlier, Samba can help Windows and Unix machines coexist in the same network. However, there are some specific reasons why you might want to set up a Samba server on your network:</p><div class="itemizedlist"><ul type="disc"><li><p> +<a class="indexterm" name="ch01-idx-951583-0"></a>You don't want to pay for—or can't afford—a full-fledged Windows NT server, yet you still need the functionality that one provides.</p></li><li><p>You want to provide a common area for data or user directories in order to transition from a Windows server to a Unix one, or vice versa.</p></li><li><p>You want to be able to share printers across both Windows and Unix workstations.</p></li><li><p>You want to be able to access NT files from a Unix server.</p></li></ul></div><p>Let's take a quick tour of Samba in action. Assume that we have the following basic network configuration: a Samba-enabled Unix machine, to which we will assign the name <code class="literal">hydra</code>, and a pair of Windows clients, to which we will assign the names <code class="literal">phoenix</code> and <code class="literal">chimaera</code>, all connected via a local area network (LAN). Let's also assume that <code class="literal">hydra</code> also has a local inkjet printer connected to it, <code class="literal">lp</code>, and a disk share named <code class="literal">network</code>—both of which it can offer to the other two machines. A graphic of this network is shown in <a href="#ch01-45964" title="Figure 1.1. A simple network setup with a Samba server">Figure 1.1</a>.</p><div class="figure"><a name="ch01-45964"></a><p class="title"><b>Figure 1.1. A simple network setup with a Samba server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 209px"><td><img src="figs/sam.0101.gif" height="209" alt="A simple network setup with a Samba server"></td></tr></table></div></div></div><br class="figure-break"><p>In this network, each of the computers listed share the same <em class="firstterm">workgroup</em> +<a class="indexterm" name="ch01-idx-951584-0"></a>. A workgroup is simply a group nametag that identifies an arbitrary collection of computers and their resources on an <a class="indexterm" name="ch01-idx-951585-0"></a>SMB network. There can be several workgroups on the network at any time, but for our basic network example, we'll have only one: the SIMPLE workgroup.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-2.1"></a>Sharing a Disk Service</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951617-0"></a>If <a class="indexterm" name="ch01-idx-951876-0"></a> +<a class="indexterm" name="ch01-idx-951876-1"></a>everything is properly configured, we should be able to see the Samba server, <code class="literal">hydra</code>, through the Network Neighborhood of the <code class="literal">phoenix</code> Windows desktop. In fact, <a href="#ch01-60493" title="Figure 1.2. The Network Neighborhood directory">Figure 1.2</a> shows the Network Neighborhood of the <code class="literal">phoenix</code> computer, including <code class="literal">hydra</code> and each of the computers that reside in the SIMPLE workgroup. Note the Entire Network icon at the top of the list. As we just mentioned, there can be more than one workgroup on an SMB network at any given time. If a user clicks on the <a class="indexterm" name="ch01-idx-951586-0"></a>Entire Network icon, he or she will see a list of all the workgroups that currently exist on the network.</p><div class="figure"><a name="ch01-60493"></a><p class="title"><b>Figure 1.2. The Network Neighborhood directory</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 174px"><td><img src="figs/sam.0102.gif" height="174" alt="The Network Neighborhood directory"></td></tr></table></div></div></div><br class="figure-break"><p>We can take a closer look at the <code class="literal">hydra</code> server by double-clicking on its icon. This contacts <code class="literal">hydra</code> itself and requests a list of its <em class="firstterm">shares</em>—the file and printer resources—that the machine provides. In this case, there is a printer entitled <code class="literal">lp</code> and a disk share entitled <code class="literal">network</code> on the server, as shown in <a href="#ch01-76011" title="Figure 1.3. Shares available on the hydra sever as viewed from phoenix">Figure 1.3</a>. Note that the Windows display shows hostnames in mixed case (Hydra). <a class="indexterm" name="ch01-idx-951589-0"></a>Case is irrelevant in <a class="indexterm" name="ch01-idx-951588-0"></a>hostnames, so you may see hydra, Hydra, and HYDRA in various displays or command output, but they all refer to a single system. Thanks to Samba, Windows 98 sees the Unix server as a valid SMB server, and can access the <code class="literal">network</code> folder as if it were just another system folder.</p><div class="figure"><a name="ch01-76011"></a><p class="title"><b>Figure 1.3. Shares available on the hydra sever as viewed from phoenix</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 148px"><td><img src="figs/sam.0103.gif" height="148" alt="Shares available on the hydra sever as viewed from phoenix"></td></tr></table></div></div></div><br class="figure-break"><p>One popular feature of Windows 95/98/NT is that you can map a letter-drive to a known network directory using the <a class="indexterm" name="ch01-idx-951590-0"></a> +<a class="indexterm" name="ch01-idx-951590-1"></a> +<a class="indexterm" name="ch01-idx-951590-2"></a> +<a class="indexterm" name="ch01-idx-951590-3"></a>Map Network Drive option in the Windows Explorer.<sup>[<a name="ch01-pgfId-941061" href="#ftn.ch01-pgfId-941061">3</a>]</sup> Once you do so, your applications can access the folder across the network with a standard <a class="indexterm" name="ch01-idx-951592-0"></a>drive letter. Hence, you can store data on it, install and run programs from it, and even password-protect it against unwanted visitors. See <a href="#ch01-55465" title="Figure 1.4. Mapping a network drive to a Windows letter-drive">Figure 1.4</a> for an example of mapping a letter-drive to a network directory.</p><div class="figure"><a name="ch01-55465"></a><p class="title"><b>Figure 1.4. Mapping a network drive to a Windows letter-drive</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 336px"><td><img src="figs/sam.0104.gif" width="502" alt="Mapping a network drive to a Windows letter-drive"></td></tr></table></div></div></div><br class="figure-break"><p>Take a look at the Path: entry in the dialog box of <a href="#ch01-55465" title="Figure 1.4. Mapping a network drive to a Windows letter-drive">Figure 1.4</a>. An equivalent way to represent a directory on a network machine is by using two <a class="indexterm" name="ch01-idx-951593-0"></a> +<a class="indexterm" name="ch01-idx-951593-1"></a>backslashes, followed by the name of the networked machine, another backslash, and the networked directory of the machine, as shown below:</p><pre class="programlisting"><span class="emphasis"><em>\\</em></span><em class="replaceable"><code>network-machine</code></em><span class="emphasis"><em>\</em></span><em class="replaceable"><code>directory</code></em></pre><p>This is known as the <em class="firstterm">UNC</em> +<a class="indexterm" name="ch01-idx-951594-0"></a> +<a class="indexterm" name="ch01-idx-951594-1"></a> (Universal Naming Convention) in the Windows world. For example, the dialog box in <a href="#ch01-55465" title="Figure 1.4. Mapping a network drive to a Windows letter-drive">Figure 1.4</a> represents the network directory on the <code class="literal">hydra</code> server as:</p><pre class="programlisting">\\HYDRA\<em class="replaceable"><code>network</code></em></pre><p>If this looks somewhat familiar to you, you're probably thinking of <em class="firstterm">uniform resource locators</em> +<a class="indexterm" name="ch01-idx-951607-0"></a> +<a class="indexterm" name="ch01-idx-951607-1"></a> (URLs), which are addresses that web browsers such as Netscape Navigator and Internet Explorer use to resolve machines across the Internet. Be sure not to confuse the two: web browsers typically use <a class="indexterm" name="ch01-idx-951608-0"></a>forward slashes instead of back slashes, and they precede the initial slashes with the <a class="indexterm" name="ch01-idx-951611-0"></a>data transfer protocol (i.e., <a class="indexterm" name="ch01-idx-951612-0"></a>ftp, <a class="indexterm" name="ch01-idx-951613-0"></a>http) and a <a class="indexterm" name="ch01-idx-951610-0"></a> +<a class="indexterm" name="ch01-idx-951610-1"></a>colon (:). In reality, URLs and UNCs are two completely separate things.</p><p>Once the network drive is set up, Windows and its programs will behave as if the networked directory was a fixed disk. If you have any applications that support <a class="indexterm" name="ch01-idx-952014-0"></a> +<a class="indexterm" name="ch01-idx-952014-1"></a>multiuser functionality on a network, you can install those programs on the network drive.<sup>[<a name="ch01-pgfId-952017" href="#ftn.ch01-pgfId-952017">4</a>]</sup> <a href="#ch01-32686" title="Figure 1.5. The Network directory mapped to the client letter-drive G">Figure 1.5</a> shows the resulting network drive as it would appear with other storage devices in the Windows 98 client. Note the pipeline attachment in the icon for the G: drive; this indicates that it is a network drive instead of a fixed drive.</p><div class="figure"><a name="ch01-32686"></a><p class="title"><b>Figure 1.5. The Network directory mapped to the client letter-drive G</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 224px"><td><img src="figs/sam.0105.gif" height="224" alt="The Network directory mapped to the client letter-drive G"></td></tr></table></div></div></div><br class="figure-break"><p>From our Windows NT Workstation machine, <code class="literal">chimaera</code>, Samba looks almost identical to Windows 98. <a href="#ch01-29255" title="Figure 1.6. Shares available on hydra (viewed from chimaera)">Figure 1.6</a> shows the same view of the <code class="literal">hydra</code> server from the Windows NT 4.0 Network Neighborhood. Setting up the network drive using the Map Network Drive option in Windows NT Workstation 4.0 would have identical results as well.</p><div class="figure"><a name="ch01-29255"></a><p class="title"><b>Figure 1.6. Shares available on hydra (viewed from chimaera) </b></p><div class="figure-contents"><a class="indexterm" name="ch01-idx-951618-0"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 141px"><td><img src="figs/sam.0106.gif" height="141" alt="Shares available on hydra (viewed from chimaera)"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-2.2"></a>Sharing a Printer</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951620-0"></a> +<a class="indexterm" name="ch01-idx-951620-1"></a>You probably noticed that the printer <code class="literal">lp</code> appeared under the available shares for <code class="literal">hydra</code> in <a href="#ch01-76011" title="Figure 1.3. Shares available on the hydra sever as viewed from phoenix">Figure 1.3</a>. This indicates that the Unix server has a printer that can be shared by the various SMB clients in the workgroup. Data sent to the printer from any of the clients will be spooled on the Unix server and printed in the order it is received.</p><p> +<a class="indexterm" name="ch01-idx-951636-0"></a>Setting up a Samba-enabled printer on the Windows side is even easier than setting up a disk share. By double-clicking on the printer and identifying the manufacturer and model, you can install a driver for this printer on the Windows client. Windows can then properly format any information sent to the network printer and access it as if it were a local printer (we show you how to do this later in the chapter). <a href="#ch01-46265" title="Figure 1.7. A network printer available on hydra (viewed from chimaera)">Figure 1.7</a> shows the resulting network printer in the Printers window of Windows 98. Again, note the pipeline attachment below the printer, which identifies it as being on a network.</p><div class="figure"><a name="ch01-46265"></a><p class="title"><b>Figure 1.7. A network printer available on hydra (viewed from chimaera)</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 223px"><td><img src="figs/sam.0107.gif" height="223" alt="A network printer available on hydra (viewed from chimaera)"></td></tr></table></div></div></div><br class="figure-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-2.2.1"></a>Seeing things from the Unix side</h4></div></div></div><p>As mentioned earlier, Samba appears in Unix as a set of <a class="indexterm" name="ch01-idx-951638-0"></a> +<a class="indexterm" name="ch01-idx-951638-1"></a> +<a class="indexterm" name="ch01-idx-951638-2"></a> +<a class="indexterm" name="ch01-idx-951638-3"></a>daemon programs. You can view them with the Unix <code class="literal">ps</code> and <code class="literal">netstat</code> commands, you can read any messages they generate through custom debug files or the Unix <code class="literal">syslog</code> (depending on how Samba is set up), and you can configure it from a single Samba properties file: <span class="emphasis"><em>smb.conf</em></span> +<a class="indexterm" name="ch01-idx-951639-0"></a>. In addition, if you want to get an idea of what each of the <a class="indexterm" name="ch01-idx-951640-0"></a> +<a class="indexterm" name="ch01-idx-951640-1"></a>daemons are doing, Samba has a program called <span class="emphasis"><em>smbstatus</em></span> +<a class="indexterm" name="ch01-idx-951641-0"></a> that will lay it all on the line. Here is how it works:</p><pre class="programlisting"># <span class="bold"><strong>smbstatus</strong></span> +Samba version 2.0.4 +Service uid gid pid machine +---------------------------------------------- +network davecb davecb 7470 phoenix (192.168.220.101) Sun May 16 +network davecb davecb 7589 chimaera (192.168.220.102) Sun May 16 + +Locked files: +Pid DenyMode R/W Oplock Name +-------------------------------------------------- +7589 DENY_NONE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/inet/common/system/help.bmp Sun May 16 21:23:40 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/word/office/findfast.exe +Sun May 16 20:51:08 1999 +7589 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/lfbmp70n.dll Sun May 16 21:23:39 1999 +7589 DENY_WRITE RDWR EXCLUSIVE+BATCH /home/samba/quicken/inet/qdata/runtime.dat Sun May 16 21:23:41 1999 +7470 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/word/office/osa.exe +Sun May 16 20:51:09 1999 +7589 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 21:20:33 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 20:51:11 1999 + +Share mode memory usage (bytes): + 1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total</pre><p>The Samba status from this output provides three sets of data, each divided into separate sections. The first section tells which systems have <a class="indexterm" name="ch01-idx-951646-0"></a>connected to the Samba server, identifying each client by its machine name (<code class="literal">phoenix</code> and <code class="literal">chimaera</code>) and IP address. The second section reports the name and status of the <a class="indexterm" name="ch01-idx-951647-0"></a>files that are currently in use on a share on the server, including the read/write status and any <a class="indexterm" name="ch01-idx-951648-0"></a>locks on the files. Finally, Samba reports the amount of <a class="indexterm" name="ch01-idx-951649-0"></a>memory it has currently allocated to the shares that it administers, including the amount actively used by the shares plus additional overhead. (Note that this is not the same as the total amount of memory that the <span class="emphasis"><em>smbd</em></span> or <span class="emphasis"><em>nmbd</em></span> processes are using.)</p><p>Don't worry if you don't understand these statistics; they will become easier to understand as you move through the<a class="indexterm" name="ch01-idx-951621-0"></a> book.<a class="indexterm" name="ch01-idx-951467-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-88536"></a>Getting Familiar with a SMB/CIFS Network</h2></div></div></div><p> +<a class="indexterm" name="ch01-idx-951651-0"></a>Now that you have had a brief tour of Samba, let's take some time to get familiar with Samba's adopted environment: an SMB/CIFS network. Networking with SMB is significantly different from working with a Unix <a class="indexterm" name="ch01-idx-951650-0"></a>TCP/IP network, because there are several new concepts to learn and a lot of information to cover. First, we will discuss the basic concepts behind an SMB network, followed by some Microsoft implementations of it, and finally we will show you where a Samba server can and cannot fit into the picture.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.1"></a>Understanding NetBIOS</h3></div></div></div><p>To begin, let's step back in time. In 1984, IBM authored a simple <a class="indexterm" name="ch01-idx-951659-0"></a>application programming interface (API) for networking its computers called the <em class="firstterm">Network Basic Input/Output System </em> +<a class="indexterm" name="ch01-idx-951660-0"></a> +<a class="indexterm" name="ch01-idx-951660-1"></a>(NetBIOS). The NetBIOS API provided a rudimentary design for an application to connect and share data with other computers.</p><p>It's helpful to think of the NetBIOS API as networking extensions to the standard BIOS API calls. With BIOS, each low-level call is confined to the hardware of the local machine and doesn't need any help traveling to its destination. NetBIOS, however, originally had to exchange instructions with computers across IBM PC or Token Ring networks. It therefore required a low-level transport protocol to carry its requests from one computer to the next.</p><p>In late 1985, IBM released one such protocol, which it merged with the NetBIOS API to become the <em class="firstterm">NetBIOS Extended User Interface</em> +<a class="indexterm" name="ch01-idx-951661-0"></a> +<a class="indexterm" name="ch01-idx-951661-1"></a> (<span class="emphasis"><em>NetBEUI</em></span>). NetBEUI was designed for small local area networks (LANs), and it let each machine claim a name (up to 15 characters) that wasn't already in use on the network. By a "small LAN," we mean fewer than 255 nodes on the network—which was considered a practical restriction in 1985!</p><p>The NetBEUI protocol was very popular with networking applications, including those running under Windows for Workgroups. Later, implementations of NetBIOS over Novell's IPX networking protocols also emerged, which competed with NetBEUI. However, the networking protocols of choice for the burgeoning Internet community were TCP/IP and UDP/IP, and implementing the NetBIOS APIs over those protocols soon became a necessity.</p><p>Recall that <a class="indexterm" name="ch01-idx-951666-0"></a>TCP/IP uses numbers to represent computer addresses, such as 192.168.220.100, while <a class="indexterm" name="ch01-idx-951667-0"></a> +<a class="indexterm" name="ch01-idx-951667-1"></a>NetBIOS uses only names. This was a major issue when trying to mesh the two protocols together. In 1987, the Internet Engineering Task Force (IETF) published a series of standardization documents, titled RFC 1001 and 1002, that outlined how NetBIOS would work over a TCP/UDP network. This set of documents still governs each of the implementations that exist today, including those provided by Microsoft with their Windows operating systems as well as the Samba suite.</p><p>Since then, the standard this document governs has become known as <em class="firstterm">NetBIOS over TCP/IP</em> +<a class="indexterm" name="ch01-idx-951668-0"></a> +<a class="indexterm" name="ch01-idx-951668-1"></a> +<a class="indexterm" name="ch01-idx-951668-2"></a>, or NBT for short. The NBT standard (RFC 1001/1002) currently outlines a trio of services on a network:</p><div class="itemizedlist"><ul type="disc"><li><p>A name service</p></li><li><p>Two communication services:</p><div class="itemizedlist"><ul type="circle"><li><p>Datagrams</p></li><li><p>Sessions</p></li></ul></div></li></ul></div><p>The <a class="indexterm" name="ch01-idx-951671-0"></a>name service solves the name-to-address problem mentioned earlier; it allows each computer to declare a specific name on the network that can be translated to a machine-readable IP address, much like today's DNS on the Internet. The <a class="indexterm" name="ch01-idx-951672-0"></a> +<a class="indexterm" name="ch01-idx-951672-1"></a>datagram and session services are both secondary communication protocols used to transmit data back and forth from NetBIOS machines across the network.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.2"></a>Getting a Name</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951674-0"></a> +<a class="indexterm" name="ch01-idx-951674-1"></a>For a human being, getting a name is easy. However, for a machine on a NetBIOS network, it can be a little more complicated. Let's look at a few of the issues.</p><p>In the NetBIOS world, when each machine comes online, it wants to claim a name for itself; this is called <em class="firstterm">name registration</em> +<a class="indexterm" name="ch01-idx-951675-0"></a>. However, no two machines in the same workgroup should be able to claim the same name; this would cause endless confusion for any machine that wanted to communicate with either machine. There are two different approaches to ensuring that this doesn't happen:</p><div class="itemizedlist"><ul type="disc"><li><p>Use a <em class="firstterm">NetBIOS Name Server</em> +<a class="indexterm" name="ch01-idx-951677-0"></a> +<a class="indexterm" name="ch01-idx-951677-1"></a> (NBNS) to keep track of which hosts have registered a NetBIOS name.</p></li><li><p>Allow each machine on the network to defend its name in the event that another machine attempts to use it.</p></li></ul></div><p><a href="#ch01-86658" title="Figure 1.8. NBNS versus non-NBNS name registration">Figure 1.8</a> illustrates a (failed) name registration, with and without a NetBIOS Name Server.</p><div class="figure"><a name="ch01-86658"></a><p class="title"><b>Figure 1.8. NBNS versus non-NBNS name registration</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 391px"><td><img src="figs/sam.0108.gif" width="502" alt="NBNS versus non-NBNS name registration"></td></tr></table></div></div></div><br class="figure-break"><p>In addition, there must be a way to resolve a NetBIOS name to a specific IP address as mentioned earlier; this is known as <em class="firstterm">name resolution</em> +<a class="indexterm" name="ch01-idx-951679-0"></a>. There are two different approaches with NBT here as well:</p><div class="itemizedlist"><ul type="disc"><li><p>Have each machine report back its IP address when it "hears" a broadcast request for its NetBIOS name.</p></li><li><p>Use the NBNS to help resolve NetBIOS names to IP addresses.</p></li></ul></div><p><a href="#ch01-72484" title="Figure 1.9. NBNS versus non-NBNS name resolution">Figure 1.9</a> illustrates the two types of name resolution.</p><div class="figure"><a name="ch01-72484"></a><p class="title"><b>Figure 1.9. NBNS versus non-NBNS name resolution</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 391px"><td><img src="figs/sam.0109.gif" width="502" alt="NBNS versus non-NBNS name resolution"></td></tr></table></div></div></div><br class="figure-break"><p>As you might expect, having an NBNS on your network can help out tremendously. To see exactly why, let's look at the non-NBNS method.</p><p>Here, when a client machine boots, it will broadcast a message declaring that it wishes to register a specified NetBIOS name as its own. If nobody objects to the use of the name after multiple registration attempts, it keeps the name. On the other hand, if another machine on the local <a class="indexterm" name="ch01-idx-951896-0"></a>subnet is currently using the requested name, it will send a message back to the requesting client that the name is already taken. This is known as <em class="firstterm">defending</em> +<a class="indexterm" name="ch01-idx-951687-0"></a> the hostname. This type of system comes in handy when one client has unexpectedly dropped off the network—another can take its name unchallenged—but it does incur an inordinate amount of traffic on the network for something as simple as name registration.</p><p>With an NBNS, the same thing occurs, except that the communication is confined to the requesting machine and the NBNS server. No broadcasting occurs when the machine wishes to register the name; the registration message is simply sent directly from the client to NBNS server and the NBNS server replies whether or not the name is already taken. This is known as <em class="firstterm">point-to-point communication</em> +<a class="indexterm" name="ch01-idx-951688-0"></a>, and is often beneficial on networks with more than one subnet. This is because routers are often preconfigured to block incoming packets that are broadcast to all machines in the subnet.</p><p>The same principles apply to name resolution. Without an NBNS, NetBIOS name resolution would also be done with a broadcast mechanism. All request packets would be sent to each computer in the network, with the hope that one machine that might be affected will respond directly back to the machine that asked. At this point, it's clear that using an NBNS server and point-to-point communication for this purpose is far less taxing on the network than flooding the network with broadcasts for every name resolution request.<a class="indexterm" name="ch01-idx-951682-0"></a> +<a class="indexterm" name="ch01-idx-951682-1"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.3"></a>Node Types</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951690-0"></a>How can you tell what strategy each client on your network will use when performing name registration and resolution? Each machine on an NBT network earns one of the following designations, depending on how it handles name registration and resolution: <a class="indexterm" name="ch01-idx-951691-0"></a> +<a class="indexterm" name="ch01-idx-951691-1"></a> +<a class="indexterm" name="ch01-idx-951691-2"></a> +<a class="indexterm" name="ch01-idx-951691-3"></a>b-node, p-node, m-node, and h-node. The behaviors of each type of node are summarized in <a href="#ch01-91681" title="Table 1.1. NetBIOS Node Types">Table 1.1</a>.</p><div class="table"><a name="ch01-91681"></a><p class="title"><b>Table 1.1. NetBIOS Node Types </b></p><div class="table-contents"><table summary="NetBIOS Node Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Role</p></th><th><p>Value</p></th></tr></thead><tbody><tr><td><p>b-node</p></td><td><p>Uses<a class="indexterm" name="ch01-idx-951692-0"></a> +<a class="indexterm" name="ch01-idx-951692-1"></a> broadcast registration and resolution only.</p></td></tr><tr><td><p>p-node</p></td><td><p>Uses <a class="indexterm" name="ch01-idx-951693-0"></a>point-to-point registration and resolution only.</p></td></tr><tr><td><p>m-node</p></td><td><p>Uses broadcast for registration. If successful, it notifies the NBNS server of the result. Uses broadcast for resolution; uses NBNS server if broadcast is unsuccessful.</p></td></tr><tr><td><p>h-node (hybrid)</p></td><td><p>Uses NBNS server for registration and resolution; uses broadcast if the NBNS server is unresponsive or inoperative.</p></td></tr></tbody></table></div></div><br class="table-break"><p>In the case of Windows clients, you will usually find them listed as <em class="firstterm">h-nodes</em> or <em class="firstterm">hybrid nodes</em>. Incidentally, h-nodes were invented later by Microsoft, as a more fault-tolerant route, and do not appear in RFC 1001/1002.</p><p>You can find out the node type of any Windows machine by typing the command <code class="literal">ipconfig</code> <code class="literal">/all</code> and searching for the line that says <code class="literal">Node Type</code>.</p><pre class="programlisting"><span class="bold"><strong>C:\>ipconfig /all</strong></span> +Windows 98 IP Configuration +... + Node Type . . . . . . . . . . : Hybrid +...</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.4"></a>What's in a Name?</h3></div></div></div><p>The <a class="indexterm" name="ch01-idx-951695-0"></a>names NetBIOS uses are quite different from the DNS hostnames you might be familiar with. First, NetBIOS names exist in a <a class="indexterm" name="ch01-idx-951696-0"></a>flat namespace. In other words, there are no qualifiers such as <span class="emphasis"><em>ora.com</em></span> or <span class="emphasis"><em>samba.org</em></span> to section off hostnames; there is only a single unique name to represent each computer. Second, NetBIOS names are allowed to be only 15 characters, may not begin with an asterisk (*), and can consist only of standard alphanumeric characters (a-z, A-Z, 0-9) and the following:</p><pre class="programlisting">! @ # $ % ^ & ( ) - ' { } . ~</pre><p>Although you are allowed to use a period (.) in a NetBIOS name, we recommend against it because those names are not guaranteed to work in future versions of NetBIOS over TCP/IP.</p><p>It's not a coincidence that all valid <a class="indexterm" name="ch01-idx-952041-0"></a>DNS names are also valid NetBIOS names. In fact, the DNS name for a Samba server is often reused as its NetBIOS name. For example, if you had a machine <code class="literal">phoenix.ora.com </code>, its NetBIOS name would likely be PHOENIX (followed by 8 blanks).</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-3.4.1"></a>Resource names and types</h4></div></div></div><p>With NetBIOS, a machine not only advertises its presence, but also tells others what types of services it offers. For example, <code class="literal">phoenix</code> can indicate that it's not just a workstation, but is also a file server and can receive WinPopup messages. This is done by adding a 16th byte to the end of the machine (<a class="indexterm" name="ch01-idx-951698-0"></a>resource) name, called the <a class="indexterm" name="ch01-idx-951704-0"></a><em class="firstterm">resource type</em>, and registering the name more than once. See <a href="#ch01-74707" title="Figure 1.10. The structure of NetBIOS names">Figure 1.10</a>.</p><div class="figure"><a name="ch01-74707"></a><p class="title"><b>Figure 1.10. The structure of NetBIOS names</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 153px"><td><img src="figs/sam.0110.gif" height="153" alt="The structure of NetBIOS names"></td></tr></table></div></div></div><br class="figure-break"><p>The one-byte resource type indicates a unique service the named machine provides. In this book, you will often see the resource type shown in <a class="indexterm" name="ch01-idx-951708-0"></a>angled brackets (<a class="indexterm" name="ch01-idx-951709-0"></a><>) after the NetBIOS name, such as:</p><pre class="programlisting">PHOENIX<00></pre><p>You can see which names are registered for a particular NBT machine using the Windows command-line <a class="indexterm" name="ch01-idx-951710-0"></a>NBTSTAT utility. Because these services are unique (i.e., there cannot be more than one registered), you will see them listed as type UNIQUE in the output. For example, the following partial output describes the <code class="literal">hydra</code> server:</p><pre class="programlisting"><span class="bold"><strong>D:\>NBTSTAT -a hydra</strong></span> + + NetBIOS Remote Machine Name Table + Name Type Status +--------------------------------------------- +HYDRA <00> UNIQUE Registered +HYDRA <03> UNIQUE Registered +HYDRA <20> UNIQUE Registered +...</pre><p>This says the server has registered the NetBIOS name <code class="literal">hydra</code> as a <a class="indexterm" name="ch01-idx-951711-0"></a> +<a class="indexterm" name="ch01-idx-951711-1"></a>machine (workstation) name, a recipient of WinPopup messages, and a file server. Some possible attributes a name can have are listed in <a href="#ch01-11471" title="Table 1.2. NetBIOS Unique Resource Types">Table 1.2</a>.</p><div class="table"><a name="ch01-11471"></a><p class="title"><b>Table 1.2. NetBIOS Unique Resource Types </b></p><div class="table-contents"><table summary="NetBIOS Unique Resource Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p> +<a class="indexterm" name="ch01-idx-951723-0"></a>Named Resource</p></th><th><p> +<a class="indexterm" name="ch01-idx-951735-0"></a>Hexidecimal Byte Value</p></th></tr></thead><tbody><tr><td><p>Standard Workstation Service</p></td><td><p>00</p></td></tr><tr><td><p>Messenger Service (WinPopup)</p></td><td><p>03</p></td></tr><tr><td><p>RAS Server Service</p></td><td><p>06</p></td></tr><tr><td><p>Domain Master Browser Service (associated with primary domain controller)</p></td><td><p>1B</p></td></tr><tr><td><p>Master Browser name</p></td><td><p>1D</p></td></tr><tr><td><p>NetDDE Service</p></td><td><p>1F</p></td></tr><tr><td><p>Fileserver (including printer server)</p></td><td><p>20</p></td></tr><tr><td><p>RAS Client Service</p></td><td><p>21</p></td></tr><tr><td><p>Network Monitor Agent</p></td><td><p>BE</p></td></tr><tr><td><p>Network Monitor Utility</p></td><td><p>BF</p></td></tr></tbody></table></div></div><br class="table-break"><p>Note that because <a class="indexterm" name="ch01-idx-951737-0"></a>DNS names don't have resource types, the designers intentionally made hexidecimal value 20 (an ASCII space) default to the type for a file server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-3.4.2"></a>Group names and types</h4></div></div></div><p> +<a class="indexterm" name="ch01-idx-951786-0"></a> +<a class="indexterm" name="ch01-idx-951786-1"></a>SMB also uses the concept of groups, with which machines can register themselves. Earlier, we mentioned that the machines in our example belonged to a <em class="firstterm">workgroup</em>, which is a partition of machines on the same network. For example, a business might very easily have an ACCOUNTING and a SALES workgroup, each with different servers and printers. In the Windows world, a workgroup and an SMB group are the same thing.</p><p>Continuing our NBTSTAT example, the <code class="literal">hydra</code> Samba server is also a member of the SIMPLE workgroup (the GROUP attribute hex 00), and will stand for election as a browse master (GROUP attribute 1E). Here is the remainder of the NBTSTAT utility output:</p><pre class="programlisting"> NetBIOS Remote Machine Name Table, continued + Name Type Status +--------------------------------------------- +SIMPLE <00> GROUP Registered +SIMPLE <1E> GROUP Registered +.._ _MSBROWSE_ _.<01> GROUP Registered</pre><p>The possible group attributes a machine can have are illustrated in <a href="#ch01-52395" title="Table 1.3. NetBIOS Group Resource Types">Table 1.3</a>. More information is available in <a class="indexterm" name="ch01-idx-951787-0"></a><em class="citetitle">Windows NT in a Nutshell</em> by Eric Pearce, also published by O'Reilly.</p><div class="table"><a name="ch01-52395"></a><p class="title"><b>Table 1.3. NetBIOS Group Resource Types </b></p><div class="table-contents"><table summary="NetBIOS Group Resource Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Named Resource</p></th><th><p> +<a class="indexterm" name="ch01-idx-951781-0"></a>Hexidecimal Byte Value</p></th></tr></thead><tbody><tr><td><p>Standard Workstation group</p></td><td><p>00</p></td></tr><tr><td><p>Logon Server</p></td><td><p>1C</p></td></tr><tr><td><p>Master Browser name</p></td><td><p>1D</p></td></tr><tr><td><p>Normal Group name (used in browser elections)</p></td><td><p>1E</p></td></tr><tr><td><p>Internet Group name (administrative)</p></td><td><p>20</p></td></tr><tr><td><p><code class="literal"><01><02>_ _MSBROWSE_ _<02></code></p></td><td><p>01</p></td></tr></tbody></table></div></div><br class="table-break"><p>The final entry, <code class="literal">_ _ MSBROWSE _ _ </code>, is used to announce a group to other master browsers. The nonprinting characters in the name show up as dots in a NBTSTAT printout. Don't worry if you don't understand all of the resource or group types. Some of them you will not need with Samba, and others you will pick up as you move through the rest of the chapter. The important thing to remember here is the logistics of the naming mechanism.<a class="indexterm" name="ch01-idx-951790-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.5"></a>Datagrams and Sessions</h3></div></div></div><p><em class="firstterm"></em> +<a class="indexterm" name="ch01-idx-951800-0"></a> +<a class="indexterm" name="ch01-idx-951800-1"></a>At this point, let's digress to introduce another responsibility of NBT: to provide connection services between two NetBIOS machines. There are actually two services offered by NetBIOS over TCP/IP: the <em class="firstterm">session service</em> and the <em class="firstterm">datagram service</em>. Understanding how these two services work is not essential to using Samba, but it does give you an idea of how NBT works and how to troubleshoot Samba when it doesn't work.</p><p>The datagram service has no stable connection between one machine and another. Packets of data are simply sent or broadcast from one machine to another, without regard for the order that they arrive at the destination, or even if they arrive at all. The use of datagrams is not as network intensive as sessions, although they can bog down a network if used unwisely (remember broadcast name resolution earlier?) Datagrams, therefore, are used for quickly sending simple blocks of data to one or more machines. The datagram service communicates using the simple primitives shown in <a href="#ch01-29352" title="Table 1.4. Datagram Primitives">Table 1.4</a>.</p><div class="table"><a name="ch01-29352"></a><p class="title"><b>Table 1.4. Datagram Primitives </b></p><div class="table-contents"><table summary="Datagram Primitives " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Primitive</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p>Send Datagram</p></td><td><p>Send datagram packet to machine or groups of machines.</p></td></tr><tr><td><p>Send Broadcast Datagram</p></td><td><p>Broadcast datagram to any machine waiting with a Receive Broadcast Datagram.</p></td></tr><tr><td><p>Receive Datagram</p></td><td><p>Receive a datagram from a machine.</p></td></tr><tr><td><p>Receive Broadcast Datagram</p></td><td><p>Wait for a broadcast datagram.</p></td></tr></tbody></table></div></div><br class="table-break"><p>The session service is more complex. Sessions are a communication method that, in theory, offers the ability to detect problematic or inoperable connections between two NetBIOS applications. It helps to think of an NBT session in terms of a telephone call.<sup>[<a name="ch01-pgfId-946249" href="#ftn.ch01-pgfId-946249">5</a>]</sup> A full-duplex connection is opened between a caller machine and a called machine, and it must remain open throughout the duration of their conversation. Each side knows who the caller and the called machine is, and can communicate with the simple primitives shown in <a href="#ch01-75575" title="Table 1.5. Session Primitives">Table 1.5</a>.</p><div class="table"><a name="ch01-75575"></a><p class="title"><b>Table 1.5. Session Primitives </b></p><div class="table-contents"><table summary="Session Primitives " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Primitive</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p>Call</p></td><td><p>Initiate a session with a machine listening under a specified name.</p></td></tr><tr><td><p>Listen</p></td><td><p>Wait for a call from a known caller or any caller.</p></td></tr><tr><td><p>Hang-up</p></td><td><p>Exit a call.</p></td></tr><tr><td><p>Send</p></td><td><p>Send data to the other machine.</p></td></tr><tr><td><p>Receive</p></td><td><p>Receive data from the other machine.</p></td></tr><tr><td><p>Session Status</p></td><td><p>Get information on requested sessions.</p></td></tr></tbody></table></div></div><br class="table-break"><p>Sessions are the backbone of resource sharing on an NBT network. They are typically used for establishing stable connections from client machines to disk or printer shares on a server. The client "calls" the server and starts trading information such as which files it wishes to open, which data it wishes to exchange, etc. These calls can last a long time—hours, even days—and all of this occurs within the context of a single connection. If there is an error, the session software (TCP) will retransmit until the data is received properly, unlike the "punt-and-pray" approach of the datagram service (UDP).</p><p>In truth, while sessions are supposed to be able to handle problematic communications, they often don't. As you've probably already discovered when using Windows networks, this is a serious detriment to using NBT sessions. If the connection is interrupted for some reason, session information that is open between the two computers can easily become invalidated. If that happens, the only way to regain the session information is for the same two computers to call each other again and start over.</p><p>If you want more information on each of these services, we recommend you look at RFC 1001. However, there are two important things to remember here:</p><div class="itemizedlist"><ul type="disc"><li><p>Sessions always occur between <span class="emphasis"><em>two</em></span> NetBIOS machines—no more and no less. If a session service is interrupted, the client is supposed to store sufficient state information for it to re-establish the connection. However, in practice, this is rarely the case.</p></li><li><p>Datagrams can be broadcast to multiple machines, but they are unreliable. In other words, there is no way for the source to know that the datagrams it sent have indeed arrived at their<em class="firstterm"></em> +<a class="indexterm" name="ch01-idx-951807-0"></a> +<a class="indexterm" name="ch01-idx-951807-1"></a> destinations.<a class="indexterm" name="ch01-idx-951654-0"></a></p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-43359"></a>Microsoft Implementations</h2></div></div></div><p> +<a class="indexterm" name="ch01-idx-951821-0"></a> +<a class="indexterm" name="ch01-idx-951821-1"></a>With that amount of background, we can now talk about some of Microsoft's implementations of the preceding concepts in the CIFS/SMB networking world. And, as you might expect, there are some complex extensions to introduce as well.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.1"></a>Windows Domains</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951815-0"></a>Recall that a workgroup is a collection of SMB computers that all reside on a subnet and subscribe to the same SMB group. A <em class="firstterm">Windows domain</em> goes a step further. It is a workgroup of SMB machines that has one addition: a server acting as a <em class="firstterm">domain controller</em>. You must have a domain controller in order to have a Windows domain.<sup>[<a name="ch01-pgfId-947021" href="#ftn.ch01-pgfId-947021">6</a>]</sup> Otherwise, it is only a workgroup. See <a href="#ch01-96972" title="Figure 1.11. A simple Windows domain">Figure 1.11</a>.</p><div class="figure"><a name="ch01-96972"></a><p class="title"><b>Figure 1.11. A simple Windows domain</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 209px"><td><img src="figs/sam.0111.gif" height="209" alt="A simple Windows domain"></td></tr></table></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="ch01-idx-951829-0"></a> +<a class="indexterm" name="ch01-idx-951829-1"></a>There are currently two separate protocols used by a domain controller (logon server): one for communicating with Windows 95/98 machines and one for communicating with Windows NT machines. While Samba currently implements the domain controller protocol for Windows 95/98 (which allows it to act as a domain controller for Windows 9<span class="emphasis"><em>x</em></span> machines), it still does not fully support the protocol for Windows NT computers. However, the Samba team promises that support for the Windows NT domain controller protocol is forthcoming in Samba 2.1.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch01-NOTE-0"></a>Tip</h3><p>Why all the difficulty? The protocol that Windows domain controllers use to communicate with their clients and other domain controllers is proprietary and has not been released by Microsoft. This has forced the Samba development team to reverse-engineer the domain controller protocol to see which codes perform specific tasks.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.1.1"></a>Domain controllers</h4></div></div></div><p>The domain controller is the nerve center of a Windows domain, much like an NIS server is the nerve center of the Unix network information service. Domain controllers have a variety of responsibilities. One responsibility that you need to be concerned with is <em class="firstterm">authentication</em> +<a class="indexterm" name="ch01-idx-951839-0"></a>. Authentication is the process of granting or denying a user access to a shared resource on another network machine, typically through the use of a password.</p><p>Each domain controller uses a <em class="firstterm">security account manager</em> +<a class="indexterm" name="ch01-idx-951840-0"></a> +<a class="indexterm" name="ch01-idx-951840-1"></a> (SAM) to maintain a list of username-password combinations. The domain controller then forms a central repository of passwords that are tied to usernames (one password per user), which is more efficient than each client machine maintaining hundreds of passwords for every network resource available.</p><p>On a Windows domain, when a non-authenticated client requests access to a server's shares, the server will turn around and ask the domain controller whether that user is authenticated. If it is, the server will establish a session connection with the access rights it has for that service and user. If not, the connection is denied. Once a user is authenticated by the domain controller, a special authenticated token will be returned to the client so that the user will not need to relogin to other resources on that domain. At this point, the user is considered "logged in" to the domain itself. See <a href="#ch01-49344" title="Figure 1.12. Using a domain controller for authentication">Figure 1.12</a>.</p><div class="figure"><a name="ch01-49344"></a><p class="title"><b>Figure 1.12. Using a domain controller for authentication</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 242px"><td><img src="figs/sam.0112.gif" height="242" alt="Using a domain controller for authentication"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.1.2"></a>Primary and backup domain controllers</h4></div></div></div><p> +<a class="indexterm" name="ch01-idx-951842-0"></a> +<a class="indexterm" name="ch01-idx-951842-1"></a> +<a class="indexterm" name="ch01-idx-951842-2"></a> +<a class="indexterm" name="ch01-idx-951842-3"></a> +<a class="indexterm" name="ch01-idx-951842-4"></a>Redundancy is a key idea behind a Windows domain. The domain controller that is currently active on a domain is called the <em class="firstterm">primary domain controller</em> (PDC). There can be one or more <em class="firstterm">backup domain controllers</em> (BDCs) in the domain as well, which will take over in the event that the primary domain controller fails or becomes inaccessible. BDCs frequently synchronize their SAM data with the primary domain controller so that, if the need arises, any one of them can perform DC services transparently without impacting its clients. Note that BDCs, however, have only read-only copies of the SAM; they can update their data only by synchronizing with a PDC. A server in a Windows domain can use the SAM of any primary or backup domain controller to authenticate a user who attempts to access its resources and logon to the domain.</p><p>Note that in many aspects, the behaviors of a <a class="indexterm" name="ch01-idx-951844-0"></a> +<a class="indexterm" name="ch01-idx-951844-1"></a>Windows workgroup and a Windows domain overlap. This is not accidental since the concept of Windows domains did not evolve until Windows NT 3.5 was introduced, and Windows domains were forced to remain <a class="indexterm" name="ch01-idx-951873-0"></a>backwards compatible with the workgroups present in Windows for Workgroups 3.1. The key thing to remember here is that a Windows domain is simply a Windows workgroup with one or more domain controllers added.</p><p>Samba can function as a primary domain controller for Windows 95/98 machines without any problems. However, <a class="indexterm" name="ch01-idx-951845-0"></a> +<a class="indexterm" name="ch01-idx-951845-1"></a>Samba 2.0 can act as a primary domain controller only for authentication purposes; it currently cannot assume any other PDC responsibilities. (By the time you read this, Samba 2.1 may be available so you can use Samba as a PDC for NT clients.) Also, because of the closed protocol used by Microsoft to synchronize SAM data, Samba currently cannot serve as a backup domain<a class="indexterm" name="ch01-idx-951832-0"></a> +<a class="indexterm" name="ch01-idx-951832-1"></a> controller.<a class="indexterm" name="ch01-idx-951820-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.2"></a>Browsing</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951846-0"></a>Browsing is a high-level answer to the user question: "What machines are out there on the Windows network?" Note that there is no connection with a World Wide Web browser, apart from the general idea of "discovering what's there." And, like the Web, what's out there can change without warning.</p><p>Before browsing, users had to know the name of the specific computer they wanted to connect to on the network, and then manually enter a UNC such as the following into an application or file manager to access resources:</p><pre class="programlisting">\\HYDRA\network\</pre><p>With browsing, however, you can examine the contents of a machine using a standard point-and-click GUI—in this case, the<a class="indexterm" name="ch01-idx-951848-0"></a> Network Neighborhood window in a Windows client.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.2.1"></a>Levels of browsing</h4></div></div></div><p>As we hinted at the beginning of the chapter, there are actually two types of browsing that you will encounter in an SMB/CIFS network:</p><div class="itemizedlist"><ul type="disc"><li><p>Browsing a list of machines (with shared resources)</p></li><li><p>Browsing the shared resources of a specific machine</p></li></ul></div><p> +<a class="indexterm" name="ch01-idx-951851-0"></a>Let's look at the first one. On each Windows workgroup (or domain) subnet, one computer has the responsibility of maintaining a list of the machines that are currently accessible through the network. This computer is called the <em class="firstterm">local master browser</em> +<a class="indexterm" name="ch01-idx-951850-0"></a> +<a class="indexterm" name="ch01-idx-951850-1"></a>, and the list that it maintains is called the <em class="firstterm">browse list</em>. Machines on a subnet use the browse list in order to cut down on the amount of network traffic generated while browsing. Instead of each computer dynamically polling to determine a list of the currently available machines, the computer can simply query the local master browser to obtain a complete, up-to-date list.</p><p> +<a class="indexterm" name="ch01-idx-951852-0"></a>To browse the actual resources on a machine, a user must connect to the specific machine; this information cannot be obtained from the browse list. Browsing the list of resources on a machine can be done by clicking on the machine's icon when it is presented in the Network Neighborhood in Windows 95/98 or NT. As you saw at the opening of the chapter, the machine will respond with a list of shared resources that can be accessed if that user is successfully authenticated.</p><p>Each of the servers on a Windows workgroup is required to announce its presence to the local master browser after it has registered a NetBIOS name, and (theoretically) announce that it is leaving the workgroup when it is shut down. It is the local master browser's responsibility to record what the servers have announced. Note that the local master browser is not necessarily the same machine as a NetBIOS name server (NBNS), which we discussed earlier.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch01-NOTE-1"></a>Warning</h3><p>The <a class="indexterm" name="ch01-idx-952154-0"></a>Windows Network Neighborhood can behave oddly: until you select a particular machine to browse, the Network Neighborhood window may contain data that is not up-to-date. That means that the Network Neighborhood window can be showing machines that have crashed, or can be missing machines that haven't been noticed yet. Put succinctly, once you've selected a server and connected to it, you can be a lot more confident that the shares and printers really exist on the network.</p></div><p>Unlike the roles you've seen earlier, almost any Windows machine (NT Server, NT Workstation, 98, 95, or Windows 3.1 for Workgroups) can act as a local master browser. As with the domain controller, the local master browser can have one or more <em class="firstterm">backup browsers</em> +<a class="indexterm" name="ch01-idx-952161-0"></a> on the local subnet that will take over in the event that the local master browser fails or becomes inaccessible. To ensure fluid operation, the local backup browsers will frequently synchronize their browse list with the local master browser. Let's update our Windows domain diagram to include both a local master and local backup browser. The result is shown in <a href="#ch01-77521" title="Figure 1.13. A Windows domain with a local master and local backup browser">Figure 1.13</a>.</p><div class="figure"><a name="ch01-77521"></a><p class="title"><b>Figure 1.13. A Windows domain with a local master and local backup browser</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 209px"><td><img src="figs/sam.0113.gif" height="209" alt="A Windows domain with a local master and local backup browser"></td></tr></table></div></div></div><br class="figure-break"><p>Here is how to calculate the minimum number of <a class="indexterm" name="ch01-idx-951868-0"></a>backup browsers that will be allocated on a workgroup:</p><div class="itemizedlist"><ul type="disc"><li><p>If there are between 1 and 32 Windows NT workstations on the network, or between 1 and 16 Windows 95/98 machines on the network, the local master browser allocates one backup browser in addition to the local master browser.</p></li><li><p>If the number of Windows NT workstations falls between 33 and 64, or the number of Windows 95/98 workstations falls between 17 and 32, the local master browser allocates two backup browsers.</p></li><li><p>For each group of 32 NT workstations or 16 Windows 95/98 machines beyond this, the local master browser allocates another backup browser.</p></li></ul></div><p>There is currently no upper limit on the number of <a class="indexterm" name="ch01-idx-951869-0"></a> +<a class="indexterm" name="ch01-idx-951869-1"></a>backup browsers that can be allocated by the local master browser.<a class="indexterm" name="ch01-idx-951855-0"></a></p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.2.2"></a>Browsing elections</h4></div></div></div><p>Browsing is a critical aspect of any Windows workgroup. However, not everything runs perfectly on any network. For example, let's say that the Windows NT Server on the desk of a small company's CEO is the local master browser—that is, until he switches it off while plugging in his massage chair. At this point the Windows NT Workstation in the spare parts department might agree to take over the job. However, that computer is currently running a large, poorly written program that has brought its processor to its knees. The moral: browsing has to be very tolerant of servers coming and going. Because nearly every Windows machine can serve as a browser, there has to be a way of deciding at any time who will take on the job. This decision-making process is called an <em class="firstterm">election</em> +<a class="indexterm" name="ch01-idx-951870-0"></a> +<a class="indexterm" name="ch01-idx-951870-1"></a>.</p><p>An election algorithm is built into nearly all Windows operating systems such that they can each agree who is going to be a local master browser and who will be local backup browsers. An election can be forced at any time. For example, let's assume that the CEO has finished his massage and reboots his server. As the server comes online, it will announce its presence and an election will take place to see if the PC in the spare parts department should still be the master browser.</p><p>When an election is performed, each machine broadcasts via datagrams information about itself. This information includes the following:</p><div class="itemizedlist"><ul type="disc"><li><p>The version of the election protocol used</p></li><li><p>The operating system on the machine</p></li><li><p>The amount of time the client has been on the network</p></li><li><p>The hostname of the client</p></li></ul></div><p>These values determine which operating system has seniority and will fulfill the role of the local master browser. (<a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>, describes the election process in more detail.) The architecture developed to achieve this is not elegant and has built-in security problems. While a browsing domain can be integrated with domain security, the election algorithm does not take into consideration which computers become browsers. Thus it is possible for any machine running a browser service to register itself as participating in the browsing election, and (after winning) being able to change the browse list. Nevertheless, browsing is a key feature of Windows networking and <a class="indexterm" name="ch01-idx-951871-0"></a>backwards compatibility requirements will ensure that it is in use for years to come.<a class="indexterm" name="ch01-idx-951847-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.3"></a>Can a Windows Workgroup Span Multiple Subnets?</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951886-0"></a> +<a class="indexterm" name="ch01-idx-951886-1"></a> +<a class="indexterm" name="ch01-idx-951886-2"></a>Yes, but most people who have done it have had their share of headaches. Spanning multiple subnets was not part of the initial design of Windows NT 3.5 or Windows for Workgroups. As a result, a Windows domain that spans two or more subnets is, in reality, the "gluing" together of two or more workgroups that share an identical name. The good news is that you can still use a primary domain controller to control authentication across each of the subnets. The bad news is that things are not as simple with browsing.</p><p>As mentioned previously, each subnet must have its own local master browser. When a Windows domain spans multiple subnets, a system administrator will have to assign one of the machines as the <em class="firstterm">domain master browser</em>. The domain master browser will keep a browse list for the entire Windows domain. This browse list is created by periodically synchronizing the browse lists of each of the local master browsers with the browse list of the domain master browser. After the synchronization, the local master browser and the domain master browser should contain identical entries. See <a href="#ch01-52572" title="Figure 1.14. A workgroup that spans more than one subnet">Figure 1.14</a> for an illustration.</p><div class="figure"><a name="ch01-52572"></a><p class="title"><b>Figure 1.14. A workgroup that spans more than one subnet</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 438px"><td><img src="figs/sam.0114.gif" width="502" alt="A workgroup that spans more than one subnet"></td></tr></table></div></div></div><br class="figure-break"><p>Sound good? Well, it's not quite nirvana for the following reasons:</p><div class="itemizedlist"><ul type="disc"><li><p>If it exists, a primary domain controller always plays the role of the domain master browser. By Microsoft design, the two always share the NetBIOS <a class="indexterm" name="ch01-idx-951898-0"></a> +<a class="indexterm" name="ch01-idx-951898-1"></a>resource type <1B>, and (unfortunately) cannot be separated.</p></li><li><p>Windows 95/98 machines cannot become <span class="emphasis"><em>or</em></span> <span class="emphasis"><em>even contact</em></span> a domain master browser. The Samba group feels that this is a marketing decision from Microsoft that forces customers to have at least one Windows NT workstation (or Samba server) on each <a class="indexterm" name="ch01-idx-951900-0"></a>subnet of a multi-subnet workgroup.</p></li></ul></div><p>Each subnet's local master browser continues to maintain the browse list for its subnet, for which it becomes authoritative. So if a computer wants to see a list of servers within its own subnet, the local master browser of that subnet will be queried. If a computer wants to see a list of servers outside the subnet, it can still go only as far as the local master browser. This works because, at appointed intervals, the authoritative browse list of a subnet's local master browser is synchronized with the domain master browser, which is synchronized with the local master browser of the other subnets in the domain. This is called <em class="firstterm">browse list propagation</em> +<a class="indexterm" name="ch01-idx-951902-0"></a> +<a class="indexterm" name="ch01-idx-951902-1"></a>.</p><p>Samba can act as a domain master browser on a Windows domain if required. In addition, it can also act as a local master browser for a Windows subnet, synchronizing its browse list with the domain master browser.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.4"></a>The Windows Internet Name Service (WINS)</h3></div></div></div><p>The <a class="indexterm" name="ch01-idx-951904-0"></a> +<a class="indexterm" name="ch01-idx-951904-1"></a>Windows Internet Name Service (WINS) is Microsoft's implementation of a <a class="indexterm" name="ch01-idx-951906-0"></a>NetBIOS name server (NBNS). As such, WINS inherits much of NetBIOS's characteristics. First, WINS is <a class="indexterm" name="ch01-idx-951907-0"></a>flat; you can only have machines named <code class="literal">fred</code> or workgroups like CANADA or USA. In addition, WINS is dynamic: when a client first comes online, it is required to report its hostname, its address, and its workgroup to the local WINS server. This WINS server will retain the information so long as the client periodically refreshes its WINS registration, which indicates that it's still connected to the network. Note that <a class="indexterm" name="ch01-idx-951908-0"></a>WINS servers are not domain or workgroup specific; they can appear anywhere and serve anyone.</p><p>Multiple WINS servers can be set to synchronize with each other after a specified amount of time. This allows entries for machines that come online and offline on the network to propagate from one WINS server to another. While in theory this seems efficient, it can quickly become cumbersome if there are several WINS servers covering a network. Because WINS services can cross multiple subnets (you'll either hardcode the address of a WINS server in each of your clients or obtain it via DHCP), it is often more efficient to have each Windows client, no matter how many Windows domains there are, point themselves to the same WINS server. That way, there will only be one authoritative WINS server with the correct information, instead of several WINS servers continually struggling to synchronize themselves with the most recent changes.</p><p>The currently active WINS server is known as the <em class="firstterm">primary WINS server</em> +<a class="indexterm" name="ch01-idx-951910-0"></a> +<a class="indexterm" name="ch01-idx-951910-1"></a> +<a class="indexterm" name="ch01-idx-951910-2"></a>. You can also install a secondary WINS server, which will take over in the event that the primary WINS server fails or becomes inaccessible. Note that there is no <a class="indexterm" name="ch01-idx-951912-0"></a>election to determine which machine becomes a primary or backup WINS server—the choice of WINS servers is static and must be predetermined by the <a class="indexterm" name="ch01-idx-951913-0"></a>system administrator. Both the primary and any backup WINS servers will synchronize their address databases on a periodic basis.</p><p>In the Windows family of operating systems, only an NT Workstation or an NT server can serve as a <em class="firstterm"></em> +<a class="indexterm" name="ch01-idx-951916-0"></a>WINS server. Samba can also function as a primary WINS server, but not a secondary WINS server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-12452"></a>What Can Samba Do?</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951921-0"></a> +<a class="indexterm" name="ch01-idx-951921-1"></a> +<a class="indexterm" name="ch01-idx-951921-2"></a>Whew! Bet you never thought Microsoft networks would be that complex, did you? Now, let's wrap up by showing where Samba can help out. <a href="#ch01-14021" title="Table 1.6. Samba Roles (as of 2.0.4b)">Table 1.6</a> summarizes which roles Samba can and cannot play in a Windows NT Domain or Windows workgroup. As you can see, because many of the NT domain protocols are proprietary and have not been documented by Microsoft, Samba cannot properly synchronize its data with a Microsoft server and cannot act as a backup in most roles. However, with version 2.0.<span class="emphasis"><em>x</em></span>, Samba does have limited support for the primary domain controller's authentication protocols and is gaining more functionality every day.</p><div class="table"><a name="ch01-14021"></a><p class="title"><b>Table 1.6. Samba Roles (as of 2.0.4b) </b></p><div class="table-contents"><table summary="Samba Roles (as of 2.0.4b) " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Role</p></th><th><p>Can Perform?</p></th></tr></thead><tbody><tr><td><p>File Server</p></td><td><p>Yes</p></td></tr><tr><td><p>Printer Server</p></td><td><p>Yes</p></td></tr><tr><td><p>Primary Domain Controller</p></td><td><p>Yes (Samba 2.1 or higher recommended)</p></td></tr><tr><td><p>Backup Domain Controller</p></td><td><p>No</p></td></tr><tr><td><p>Windows 95/98 Authentication</p></td><td><p>Yes</p></td></tr><tr><td><p>Local Master Browser</p></td><td><p>Yes</p></td></tr><tr><td><p>Local Backup Browser</p></td><td><p>No</p></td></tr><tr><td><p>Domain Master Browser</p></td><td><p>Yes</p></td></tr><tr><td><p>Primary WINS Server</p></td><td><p>Yes</p></td></tr><tr><td><p>Secondary WINS Server</p></td><td><p>No<a class="indexterm" name="ch01-idx-951824-0"></a> +<a class="indexterm" name="ch01-idx-951824-1"></a></p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-32691"></a>An Overview of the Samba Distribution</h2></div></div></div><p>As mentioned earlier, Samba actually contains several programs that serve different but related purposes. Let's introduce each of them briefly, and show how they work together. The majority of the programs that come with the Samba distribution center on its two daemons. Let's take a refined look at the responsibilities of each daemon:</p><div class="variablelist"><dl><dt><span class="term"><span class="emphasis"><em>smbd</em></span></span></dt><dd><p>The <span class="emphasis"><em>smbd</em></span> daemon is responsible for managing the shared resources between the Samba server machine and its clients. It provides file, print, and browser services to <acronym class="acronym">SMB</acronym> clients across one or more networks. <span class="emphasis"><em>smdb</em></span> handles all notifications between the Samba server and the network clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the <acronym class="acronym">SMB</acronym> protocol.</p></dd><dt><span class="term"><span class="emphasis"><em>nmbd</em></span></span></dt><dd><p>The <span class="emphasis"><em>nmbd</em></span> daemon is a simple nameserver that mimics the WINS and NetBIOS name server functionality, as you might expect to encounter with the LAN Manager package. This daemon listens for nameserver requests and provides the appropriate information when called upon. It also provides browse lists for the Network Neighborhood and participates in browsing elections.</p></dd></dl></div><p>The Samba distribution also comes with a small set of Unix command-line tools:</p><div class="variablelist"><dl><dt><span class="term">smbclient</span></dt><dd><p>An FTP-like Unix client that can be used to connect to Samba shares</p></dd><dt><span class="term">smbtar</span></dt><dd><p>A program for backing up data in shares, similar to the Unix <code class="filename">tar</code> command</p></dd><dt><span class="term">nmblookup</span></dt><dd><p>A program that provides NetBIOS over TCP/IP name lookups</p></dd><dt><span class="term">smbpasswd</span></dt><dd><p>A program that allows an administrator to change the encrypted passwords used by Samba</p></dd><dt><span class="term">smbstatus</span></dt><dd><p>A program for reporting the current network connections to the shares on a Samba server</p></dd><dt><span class="term">testparm</span></dt><dd><p>A simple program to validate the Samba configuration file</p></dd><dt><span class="term">testprns</span></dt><dd><p>A program that tests whether various printers are recognized by the <code class="filename">smbd</code> daemon</p></dd></dl></div><p>Each significant release of Samba goes through a significant exposure test before it's announced. In addition, it is quickly updated afterward if problems or unwanted side-effects are found. The latest stable distribution as of this writing is Samba 2.0.5, the long-awaited production version of Samba 2.0. This book focuses on the functionality supported in Samba 2.0, as opposed to the older 1.9.<span class="emphasis"><em>x</em></span> versions of Samba, which are now obsolete.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-SECT-6"></a>How Can I Get Samba?</h2></div></div></div><p> +<a class="indexterm" name="ch01-idx-951923-0"></a>Samba is available in both binary and source format from a set of <a class="indexterm" name="ch01-idx-951925-0"></a>mirror sites across the Internet. The primary home site for Samba is located at <a class="indexterm" name="ch01-idx-951924-0"></a> +<a class="indexterm" name="ch01-idx-951924-1"></a><code class="systemitem">http://www.samba.org/</code>.</p><p>However, if you don't want to wait for packets to arrive all the way from Australia, mirror sites for Samba can be found at any of several locations on the Internet. A list of mirrors is given at the primary Samba home page.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-40528"></a>What's New in Samba 2.0?</h2></div></div></div><p> +<a class="indexterm" name="ch01-idx-951929-0"></a> +<a class="indexterm" name="ch01-idx-951929-1"></a>Samba 2.0 was an eagerly-awaited package. The big additions to Samba 2.0 are more concrete support for NT Domains and the new Samba Web Administration Tool (SWAT), a browser-based utility for configuring Samba. However, there are dozens of other improvements that were introduced in the summer and fall of 1998.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.1"></a>NT Domains</h3></div></div></div><p>Samba's support for <a class="indexterm" name="ch01-idx-951930-0"></a> +<a class="indexterm" name="ch01-idx-951930-1"></a>NT Domains (starting with version 2.0.<span class="emphasis"><em>x</em></span>) produced a big improvement: it allows SMB servers to use its authentication mechanisms, which is essential for future NT compatibility, and to support <em class="firstterm">NT domain logons</em> +<a class="indexterm" name="ch01-idx-951931-0"></a> +<a class="indexterm" name="ch01-idx-951931-1"></a> +<a class="indexterm" name="ch01-idx-951931-2"></a> +<a class="indexterm" name="ch01-idx-951931-3"></a>. Domain logons allow a user to log in to a Windows NT domain and use all the computers in the domain without logging into them individually. Previous to version 2.0.0, Samba supported Windows 95/98 logon services, but not NT domain logons. Although domain logons support is not complete is Samba 2.0, it is partially implemented.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.2"></a>Ease of Administration</h3></div></div></div><p> +<a class="indexterm" name="ch01-idx-951933-0"></a>SWAT, the <a class="indexterm" name="ch01-idx-951934-0"></a>Samba Web Administration Tool, makes it easy to set up a server and change its configuration, without giving up the simple text-based configuration file. SWAT provides a graphical interface to the resources that Samba shares with its clients. In addition, SWAT saves considerable experimentation and memory work in setting up or changing configurations across the network. You can even create an initial setup with SWAT and then modify the file later by hand, or vice versa. Samba will not complain.</p><p>On the <a class="indexterm" name="ch01-idx-951935-0"></a>compilation side, <a class="indexterm" name="ch01-idx-951936-0"></a>GNU <code class="filename">autoconf</code> is now used to make the task of initial compilation and setup easier so you can get to SWAT quicker.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.3"></a>Performance</h3></div></div></div><p>There are major performance and scalability increases in Samba: the code has been reorganized and <span class="emphasis"><em>nmbd</em></span> +<a class="indexterm" name="ch01-idx-951937-0"></a> (the Samba name service daemon) heavily rewritten:</p><div class="itemizedlist"><ul type="disc"><li><p>Name/browsing service now supports approximately 35,000 simultaneous clients.</p></li><li><p>File and print services support 500 concurrent users from a single medium-sized server without noticeable performance degradation.</p></li><li><p> +<a class="indexterm" name="ch01-idx-951938-0"></a>Linux/Samba on identical hardware now consistently performs better than NT Server. And best of all, Samba is improving.</p></li><li><p>Improved <a class="indexterm" name="ch01-idx-951939-0"></a> +<a class="indexterm" name="ch01-idx-951939-1"></a> +<a class="indexterm" name="ch01-idx-951939-2"></a>"opportunistic" locking allows client machines to cache entire files locally, greatly improving speed without running the risk of accidentally overwriting the cached files.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.4"></a>More Features</h3></div></div></div><p>There are several additional features in Samba 2.0. You can now have multiple Samba <a class="indexterm" name="ch01-idx-951942-0"></a>aliases on the same machine, each pretending to be a different server, a feature similar to <a class="indexterm" name="ch01-idx-951943-0"></a>virtual hosts in modern web servers. This allows a host to serve multiple departments and groups, or provide disk shares with normal username/password security while also providing printers to everyone without any security. Printing has been changed to make it easier for <a class="indexterm" name="ch01-idx-951944-0"></a>Unix System V owners: Samba can now find the available printers automatically, just as it does with Berkeley-style printing. In addition, Samba now has the capability to use <a class="indexterm" name="ch01-idx-951945-0"></a> +<a class="indexterm" name="ch01-idx-951945-1"></a> +<a class="indexterm" name="ch01-idx-951945-2"></a> +<a class="indexterm" name="ch01-idx-951945-3"></a>multiple code pages, so it can be used with non-European languages, and to use the <a class="indexterm" name="ch01-idx-951946-0"></a>Secure Sockets Layer protocol (SSL) to encrypt all the data it sends across the Internet, instead of just passwords.<sup>[<a name="ch01-pgfId-938280" href="#ftn.ch01-pgfId-938280">7</a>]</sup></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.5"></a>Compatibility Improvements</h3></div></div></div><p>At the same time as it's becoming more capable, Samba is also becoming more <a class="indexterm" name="ch01-idx-951947-0"></a> +<a class="indexterm" name="ch01-idx-951947-1"></a>compatible with Windows NT. Samba has always supported Microsoft-style password encryption. It now provides tools and options for changing over to <a class="indexterm" name="ch01-idx-951948-0"></a> +<a class="indexterm" name="ch01-idx-951948-1"></a>Microsoft encryption, and for keeping the Unix and Microsoft password files synchronized while doing so. Finally, a Samba master browser can be instructed to hunt down and synchronize itself with other SMB servers on different LANs, allowing <a class="indexterm" name="ch01-idx-951950-0"></a>SMB to work seamlessly across multiple networks. Samba uses a different method of accomplishing this from the Microsoft method, which is undocumented.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.6"></a>Smbwrapper</h3></div></div></div><p>Finally, there is an entirely new version of the Unix client called <em class="firstterm">smbwrapper</em> +<a class="indexterm" name="ch01-idx-951955-0"></a>. Instead of a kernel module that allows Linux to act as a Samba client, there is now a command-line entry to load the library that provides a complete SMB filesystem on some brands of Unix. Once loaded, the command <code class="literal">ls</code> <code class="literal">/smb</code> will list all the machines in your workgroup, and <code class="literal">cd</code> <code class="literal">/smb/</code><em class="replaceable"><code>server_name</code></em><code class="literal">/</code><em class="replaceable"><code>share_name</code></em> will take you to a particular <a class="indexterm" name="ch01-idx-951956-0"></a> +<a class="indexterm" name="ch01-idx-951956-1"></a>share (shared directory), similar to the <a class="indexterm" name="ch01-idx-951957-0"></a> +<a class="indexterm" name="ch01-idx-951957-1"></a>Network File System (NFS). As of this writing, <span class="emphasis"><em>smbwrapper</em></span> currently runs on Linux, Solaris, SunOS 4, IRIX, and OSF/1, and is expected to run on several more operating systems in the near future.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-99818"></a>And That's Not All...</h2></div></div></div><p>Samba is a wonderful tool with potential for even the smallest SMB/CIFS network. This chapter presented you with a thorough introduction to what Samba is, and more importantly, how it fits into a Windows network. The next series of chapters will help you set up Samba on both the Unix server side, where its two daemons reside, as well as configure the Windows 95, 98, and NT clients to work with Samba. Before long, the aches and pains of your heterogeneous network may seem like a thing of the past. Welcome to the wonderful world of Samba!</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-946532" href="#ch01-pgfId-946532">1</a>] </sup>Which is a good thing, because our marketing people highly doubt you would have picked up a book called "Using Salmonberry"!</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-946542" href="#ch01-pgfId-946542">2</a>] </sup>At the time of this printing, Andrew had completed his Ph.D. work and had joined San Francisco-based LinuxCare.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-941061" href="#ch01-pgfId-941061">3</a>] </sup>You can also right-click on the shared resource in the <a class="indexterm" name="ch01-idx-951603-0"></a>Network Neighborhood, and then select the Map Network Drive menu item.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-952017" href="#ch01-pgfId-952017">4</a>] </sup>Be warned that many end-user license agreements forbid installing a program on a network such that multiple clients can access it. Check the legal agreements that accompany the product to be absolutely sure.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-946249" href="#ch01-pgfId-946249">5</a>] </sup>As you can see in RFC 1001, the telephone analogy was strongly evident in the creation of the NBT service.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-947021" href="#ch01-pgfId-947021">6</a>] </sup>Windows domains are called <a class="indexterm" name="ch01-idx-953044-0"></a> +<a class="indexterm" name="ch01-idx-953044-1"></a>"Windows NT domains" by Microsoft because they assume that Windows NT machines will take the role of the domain controller. However, because Samba can perform this function as well, we'll simply call them "Windows domains" to avoid confusion.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-938280" href="#ch01-pgfId-938280">7</a>] </sup>If you reside in the United States, there are some federal rules and regulations dealing with strong cryptography. We'll talk about his later when we set up Samba and SSL in <a href="#SAMBA-AP-A" title="Appendix A. Configuring Samba with SSL">Appendix A</a>.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-2"></a>Chapter 2. Installing Samba on a Unix System</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch02-85028">2.1. Downloading the Samba Distribution</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-1.1">2.1.1. Binary or Source?</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-1.2">2.1.2. Read the Documentation</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-28558">2.2. Configuring Samba</a></span></dt><dt><span class="sect1"><a href="#ch02-13217">2.3. Compiling and Installing Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-3.1">2.3.1. Final Installation Steps</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-13464">2.4. A Basic Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-4.1">2.4.1. Using SWAT</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-4.2">2.4.2. Testing the Configuration File</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-29069">2.5. Starting the Samba Daemons</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-5.1">2.5.1. Starting the Daemons by Hand</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.2">2.5.2. Stand-alone Daemons</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.3">2.5.3. Starting From Inetd</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-67898">2.6. Testing the Samba Daemons</a></span></dt></dl></div><p> +<a class="indexterm" name="ch02-idx-947293-0"></a> +<a class="indexterm" name="ch02-idx-947293-1"></a>Now that you know what Samba can do for you and your users, it's time to get your own network set up. Let's start with the installation of Samba itself on a Unix system. When dancing the samba, one learns by taking small steps. It's just the same when installing Samba; we need to teach it step by step. This chapter will help you to start off on the right foot.</p><p>For illustrative purposes, we will be installing the 2.0.4 version of the Samba server on a <a class="indexterm" name="ch02-idx-947307-0"></a>Linux<sup>[<a name="ch02-pgfId-939741" href="#ftn.ch02-pgfId-939741">1</a>]</sup> system running version 2.0.31 of the kernel. However, the installation steps are the same for all of the platforms that Samba supports. A typical installation will take about an <a class="indexterm" name="ch02-idx-947305-0"></a>hour to complete, including downloading the source files and compiling them, setting up the configuration files, and testing the server.</p><p> +<a class="indexterm" name="ch02-idx-947306-0"></a>Here is an overview of the steps:</p><div class="orderedlist"><ol type="1"><li><p>Download the source or binary files.</p></li><li><p>Read the installation documentation.</p></li><li><p>Configure a makefile.</p></li><li><p>Compile the server code.</p></li><li><p>Install the server files.</p></li><li><p>Create a Samba configuration file.</p></li><li><p>Test the configuration file.</p></li><li><p>Start the Samba daemons.</p></li><li><p>Test the Samba daemons.</p></li></ol></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-85028"></a>Downloading the Samba Distribution</h2></div></div></div><p> +<a class="indexterm" name="ch02-idx-947308-0"></a> +<a class="indexterm" name="ch02-idx-947308-1"></a> + +</p><p>If you want to download the latest version, the primary web site +for the Samba software is <a class="indexterm" name="ch02-idx-947318-0"></a><code class="systemitem">http://www.samba.org</code>. Once connected to this +page, you'll see links to several Samba mirror sites across the +world, both for the standard Samba web pages and sites devoted +exclusively to downloading Samba. For the best performance, choose a +site that is closest to your own geographic location.</p><p>The standard <a class="indexterm" name="ch02-idx-947320-0"></a> <a class="indexterm" name="ch02-idx-947320-1"></a>Samba web +sites have Samba documentation and tutorials, mailing list archives, +and the latest Samba news, as well as source and binary distributions +of Samba. The download sites (sometimes called <span class="emphasis"><em>FTP +sites</em></span>) have only the source and binary +distributions. Unless you specifically want an older version of the +Samba server or are going to install a binary distribution, download +the latest source distribution from the closest mirror site. This +distribution is always named:</p><pre class="programlisting">samba-latest.tar.gz</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-1.1"></a>Binary or Source?</h3></div></div></div><p> +<a class="indexterm" name="ch02-idx-947323-0"></a> +<a class="indexterm" name="ch02-idx-947323-1"></a>Precompiled packages are also available for a large number of Unix platforms. These packages contain binaries for each of the Samba executables as well as the standard Samba documentation. Note that while installing a binary distribution can save you a fair amount of trouble and time, there are a couple of issues that you should keep in mind when deciding whether to use the binary or compile the source yourself:</p><div class="itemizedlist"><ul type="disc"><li><p>The binary packages can lag behind the latest version +of the software by one or two (maybe more) minor releases, especially +after a series of small changes and for less popular +platforms. Compare the release notes for the source and binary +packages to make sure that there aren't any new features that +you need on your platform. + +</p></li><li><p>If you use a precompiled binary, you will need to ensure that you have the correct libraries required by the executables. On some platforms the executables are statically linked so this isn't an issue, but on modern Unix operating systems (e.g., Linux, SGI Irix, Solaris, HP-UX, etc.), libraries are often <a class="indexterm" name="ch02-idx-947325-0"></a>dynamically linked. This means that the binary looks for the right version of each library on your system, so you may have to install a new version of a library. The <code class="filename">README</code> file or <code class="filename">makefile</code> +<a class="indexterm" name="ch02-idx-947333-0"></a> that accompanies the binary distribution should list any special requirements.<sup>[<a name="ch02-pgfId-943622" href="#ftn.ch02-pgfId-943622">2</a>]</sup></p><p>Many machines with shared libraries come with a nifty tool called <span class="emphasis"><em>ldd</em></span> +<a class="indexterm" name="ch02-idx-947322-0"></a>. This tool will tell you which libraries a specific binary requires and which libraries on the system satisfy that requirement. For example, checking the <span class="emphasis"><em>smbd</em></span> program on our test machine gave us:</p></li></ul></div><pre class="programlisting">$ <span class="bold"><strong>ldd smbd</strong></span> +libreadline.so.3 => /usr/lib/libreadline.so.3 +libdl.so.2 => /lib/libdl.so.2 +libcrypt.so.1 => /lib/libcrypt.so.1 +libc.so.6 => /lib/libc.so.6 +libtermcap.so.2 => /lib/libtermcap.so.2 +/lib/ld-linux.so.2 => /lib/ld-linux.so.2</pre><div class="itemizedlist"><ul type="disc"><li><p>If there are any incompatibilities between Samba and specific libraries on your machine, the distribution-specific documentation should highlight those.</p></li><li><p>Keep in mind that each binary distribution carries preset values about the target platform, such as default directories and configuration option values. Again, check the documentation and the makefile included in the source directory to see which directives and variables were used when the binary was compiled. In some cases, these will not be appropriate for your situation.</p><p>A few configuration items can be reset with command-line options at runtime instead of at compile time. For example, if your binary tries to place any log, lock, or status files in the "wrong" place (for example, in <code class="filename">/usr/local</code> ), you can override this without recompiling.</p></li></ul></div><p>One point worth mentioning is that the Samba source requires an <a class="indexterm" name="ch02-idx-947324-0"></a> +<a class="indexterm" name="ch02-idx-947324-1"></a> +<a class="indexterm" name="ch02-idx-947324-2"></a>ANSI C compiler. If you are on a platform with a non-ANSI compiler, such as the <span class="emphasis"><em>cc</em></span> compiler on SunOS version 4, you'll have to install an ANSI-compliant compiler such as <span class="emphasis"><em>gcc</em></span> before you do anything else.<sup>[<a name="ch02-pgfId-939049" href="#ftn.ch02-pgfId-939049">3</a>]</sup> If installing a compiler isn't something you want to wrestle with, you can start off with a binary package. However, for the most flexibility and compatibility on your system, we always recommend compiling from the latest source.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-1.2"></a>Read the Documentation</h3></div></div></div><p> +<a class="indexterm" name="ch02-idx-947327-0"></a> +<a class="indexterm" name="ch02-idx-947327-1"></a> +<a class="indexterm" name="ch02-idx-947327-2"></a>This sounds like an obvious thing to say, but there have probably been times where you have uncompressed a package, blindly typed <code class="literal">configure</code>, <code class="literal">make</code>, and <code class="literal">make</code> <code class="literal">install</code>, and walked away to get another cup of coffee. We'll be the first to admit that we do that, many more times than we should. It's a bad idea—especially when planning a network with Samba.</p><p>Samba 2.0 automatically configures itself prior to compilation. This reduces the likelihood of a machine-specific problem, but there may be an option mentioned in the <code class="filename">README</code> file that you end up wishing for after Samba's been installed. With both source and binary packages you'll find a large number of documents in the <code class="filename">docs</code> +<a class="indexterm" name="ch02-idx-947328-0"></a> directory, in a variety of formats. The most important files to look at in the distribution are:</p><pre class="programlisting"><a class="indexterm" name="ch02-idx-947329-0"></a> +<a class="indexterm" name="ch02-idx-947329-1"></a>WHATSNEW.txt +docs/textdocs/UNIX_INSTALL.txt</pre><p>These files tell you what features you can expect in your Samba distribution, and will highlight common installation problems that you're likely to face. Be sure to look over both of them before you start the compilation process.<a class="indexterm" name="ch02-idx-947311-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-28558"></a>Configuring Samba</h2></div></div></div><p> +<a class="indexterm" name="ch02-idx-947339-0"></a> +<a class="indexterm" name="ch02-idx-947339-1"></a>The <a class="indexterm" name="ch02-idx-947330-0"></a>source distribution of Samba 2.0 and above doesn't initially have a <a class="indexterm" name="ch02-idx-947337-0"></a>makefile. Instead, one is generated through a GNU <code class="filename">configure</code> +<a class="indexterm" name="ch02-idx-947338-0"></a> +<a class="indexterm" name="ch02-idx-947338-1"></a> script, which is located in the <code class="filename">samba-2.0.x /source/</code> directory. The <em class="firstterm">configure</em> script, which must be run as root, takes care of the machine-specific issues of building Samba. However, you still may want to decide on some global options. Global options can be set by passing options on the command-line:</p><pre class="programlisting"># ./configure --with-ssl</pre><p>For example, this will configure the Samba makefile with support for the<a class="indexterm" name="ch02-idx-947347-0"></a> +<a class="indexterm" name="ch02-idx-947347-1"></a> Secure Sockets Layer (SSL) encryption protocol. If you would like a complete list of <a class="indexterm" name="ch02-idx-947348-0"></a>options, type the following:</p><pre class="programlisting">#./configure --help</pre><p> +<a class="indexterm" name="ch02-idx-947349-0"></a> +<a class="indexterm" name="ch02-idx-947349-1"></a>Each of these options enable or disable various features. You typically enable a feature by specifying the <code class="literal">--with-</code><em class="replaceable"><code>feature</code></em> option, which will cause the feature to be compiled and installed. Likewise, if you specify a <code class="literal">--without-</code><em class="replaceable"><code>feature</code></em> option, the feature will be disabled. As of Samba 2.0.5, each of the following features is disabled by default:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">--with-smbwrapper</code></span></dt><dd><p>Include SMB <a class="indexterm" name="ch02-idx-947350-0"></a> +<a class="indexterm" name="ch02-idx-947350-1"></a>wrapper support, which allows executables on the Unix side to access <a class="indexterm" name="ch02-idx-947351-0"></a>SMB/CIFS filesystems as if they were regular Unix filesystems. We recommend using this option. However, at this time this book went to press, there were several incompatibilities between the <code class="filename">smbwrapper</code> +<a class="indexterm" name="ch02-idx-947352-0"></a> package and the GNU <code class="filename">libc</code> version 2.1, and it would not compile on Red Hat 6.0. Look for more information on these incompatibilities on the Samba home page.</p></dd><dt><span class="term"><code class="literal">--with-afs</code></span></dt><dd><p>Include support of the <a class="indexterm" name="ch02-idx-947353-0"></a>Andrew Filesystem from <a class="indexterm" name="ch02-idx-947354-0"></a>Carnegie Mellon University. If you're going to serve <a class="indexterm" name="ch02-idx-947355-0"></a>AFS files via Samba, we recommend compiling Samba once first without enabling this feature to ensure that everything runs smoothly. Once that version is working smoothly, recompile Samba with this feature enabled and compare any errors you might receive against the previous setup.</p></dd><dt><span class="term"><code class="literal">--with-dfs</code></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947356-0"></a>DFS, a later version of AFS, used by <a class="indexterm" name="ch02-idx-947357-0"></a>OSF/1 (Digital Unix). Note that this is <span class="emphasis"><em>not</em></span> the same as Microsoft DFS, which is an entirely different filesystem. Again, we recommend compiling Samba once first without this feature to ensure that everything runs smoothly, then recompile with this feature to compare any errors against the previous setup.</p></dd><dt><span class="term"><code class="literal">--with-krb4</code>=<em class="replaceable"><code>base-directory</code></em></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947358-0"></a>Kerberos version 4.0, explicitly specifying the base directory of the distribution. Kerberos is a network security protocol from <a class="indexterm" name="ch02-idx-947359-0"></a>MIT that uses <a class="indexterm" name="ch02-idx-947360-0"></a> +<a class="indexterm" name="ch02-idx-947360-1"></a>private key cryptography to provide strong security between nodes. Incidentally, Microsoft has announced that Kerberos 5.0 will be the standard <a class="indexterm" name="ch02-idx-947362-0"></a>authentication mechanism for Microsoft Windows 2000 (NT 5.0). However, the Kerberos 5.0 authentication mechanisms are quite different from the Kerberos 4.0 <a class="indexterm" name="ch02-idx-947363-0"></a>security mechanisms. If you have Kerberos version 4 on your system, the Samba team recommends that you upgrade and use the <code class="literal">--with-krb5</code> option (see the next item). You can find more information on <a class="indexterm" name="ch02-idx-947364-0"></a>Kerberos at <code class="systemitem">http://web.mit.edu/kerberos/www</code>.</p></dd><dt><span class="term"><code class="literal">--with-krb5</code>=<em class="replaceable"><code>base-directory</code></em></span></dt><dd><p>Include support for Kerberos version 5.0, explicitly specifying the base directory of the distribution. Microsoft has announced that Kerberos 5.0 will be the standard authentication mechanism for Microsoft Windows 2000 (NT 5.0). However, there is no guarantee that Microsoft will not extend Kerberos for their own needs in the future. Currently, Samba's Kerberos support only uses a plaintext password interface and not an encrypted one. You can find more information on Kerberos at its home page: <code class="systemitem">http://web.mit.edu/kerberos/www</code>.</p></dd><dt><span class="term"><code class="literal">--with-automount</code></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947365-0"></a>automounter, a feature often used on sites that offer NFS.</p></dd><dt><span class="term"><code class="literal">--with-smbmount</code></span></dt><dd><p>Include <span class="emphasis"><em>smbmount</em></span> +<a class="indexterm" name="ch02-idx-947366-0"></a> support, which is for <a class="indexterm" name="ch02-idx-947367-0"></a>Linux only. This feature wasn't being maintained at the time the book was written, so the Samba team made it an optional feature and provided <span class="emphasis"><em>smbwrapper</em></span> instead. The <span class="emphasis"><em>smbwrapper</em></span> feature works on more Unix platforms than <span class="emphasis"><em>smbmount</em></span>, so you'll usually want to use <code class="literal">--with-smbwrapper</code> instead of this option.</p></dd><dt><span class="term"><code class="literal">--with-pam</code></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947368-0"></a> +<a class="indexterm" name="ch02-idx-947368-1"></a>pluggable authentication modules (PAM), an authentication feature common in the Linux operating system.</p></dd><dt><span class="term"><code class="literal">--with-ldap</code></span></dt><dd><p>Include support for the <a class="indexterm" name="ch02-idx-947369-0"></a> +<a class="indexterm" name="ch02-idx-947369-1"></a>Lightweight Directory Access Protocol (LDAP). A future version of LDAP will be used in the Windows 2000 (NT 5.0) operating system; this Samba support is experimental. LDAP is a flexible client-server directory protocol that can carry information such as certificates and group memberships.<sup>[<a name="ch02-pgfId-943655" href="#ftn.ch02-pgfId-943655">4</a>]</sup></p></dd><dt><span class="term"><code class="literal">--with-nis</code></span></dt><dd><p>Include support for getting password-file information from <a class="indexterm" name="ch02-idx-947370-0"></a>NIS (network yellow pages).</p></dd><dt><span class="term"><code class="literal">--with-nisplus</code></span></dt><dd><p>Include support for obtaining password-file information from NIS+, the successor to NIS.</p></dd><dt><span class="term"><code class="literal">--with-ssl</code></span></dt><dd><p>Include experimental support for the <a class="indexterm" name="ch02-idx-947374-0"></a>Secure Sockets Layer (SSL), which is used to provide encrypted connections from client to server. <a href="#SAMBA-AP-A" title="Appendix A. Configuring Samba with SSL">Appendix A</a>, describes setting up Samba with SSL support.</p></dd><dt><span class="term"><code class="literal">--with-nisplus-home</code></span></dt><dd><p>Include support for locating which server contains a particular user's <a class="indexterm" name="ch02-idx-947380-0"></a> +<a class="indexterm" name="ch02-idx-947380-1"></a>home directory and telling the client to connect to it. Requires <code class="literal">--with-nis</code> and, usually, <code class="literal">--with-automounter</code>.</p></dd><dt><span class="term"><code class="literal">--with-mmap</code></span></dt><dd><p>Include experimental<a class="indexterm" name="ch02-idx-947381-0"></a> memory mapping code. This is not required for <a class="indexterm" name="ch02-idx-947382-0"></a>fast locking, which already uses mmap or System V shared memory.</p></dd><dt><span class="term"><code class="literal">--with-syslog</code></span></dt><dd><p>Include support for using the <a class="indexterm" name="ch02-idx-947383-0"></a>SYSLOG utility for logging information generated from the Samba server. There are a couple of Samba configuration options that you can use to enable SYSLOG support; <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, discusses these options.</p></dd><dt><span class="term"><code class="literal">--with-netatalk</code></span></dt><dd><p>Include experimental support for interoperating with the (Macintosh) <a class="indexterm" name="ch02-idx-947412-0"></a>Netatalk file server.</p></dd><dt><span class="term"><code class="literal">--with-quotas</code></span></dt><dd><p>Include <a class="indexterm" name="ch02-idx-947413-0"></a>disk-quota support.</p></dd></dl></div><p>Because each of these options is disabled by default, none of these features are essential to Samba. However, you may want to come back and build a modified version of Samba if you discover that you need one at a later time.</p><p>In addition, <a href="#ch02-85125" title="Table 2.1. Additional Configure Options">Table 2.1</a> shows some other parameters that you can give the <code class="filename">configure</code> script if you wish to store parts of the Samba distribution in different places, perhaps to make use of multiple disks or partitions. Note that the defaults sometimes refer to a prefix specified earlier in the table.</p><div class="table"><a name="ch02-85125"></a><p class="title"><b>Table 2.1. Additional Configure Options </b></p><div class="table-contents"><table summary="Additional Configure Options " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Meaning</p></th><th><p>Default</p></th></tr></thead><tbody><tr><td><p><code class="literal">--prefix</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install architecture-independent files at the base directory specified.</p></td><td><p><code class="filename">/usr/local/samba</code></p></td></tr><tr><td><p><code class="literal">--eprefix</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install architecture-dependent files at the base directory specified.</p></td><td><p><code class="filename">/usr/local/samba</code></p></td></tr><tr><td><p><code class="literal">--bindir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install user executables in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/bin</code></p></td></tr><tr><td><p><code class="literal">--sbindir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install administrator executables in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/bin</code></p></td></tr><tr><td><p><code class="literal">--libexecdir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install program executables in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/libexec</code></p></td></tr><tr><td><p><code class="literal">--datadir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install read-only architecture independent data in the directory specified.</p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/share</code></p></td></tr><tr><td><p><code class="literal">--libdir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install program libraries in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/lib</code></p></td></tr><tr><td><p><code class="literal">--includedir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install package include files in the directory specified.</p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/include</code></p></td></tr><tr><td><p><code class="literal">--infodir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install additional information files in the directory specified.</p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/info</code></p></td></tr><tr><td><p><code class="literal">--mandir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install manual pages in the directory specified.<a class="indexterm" name="ch02-idx-947428-0"></a></p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/man</code></p></td></tr></tbody></table></div></div><br class="table-break"><p>Again, before running the <code class="filename">configure</code> script, it is important that you are the <a class="indexterm" name="ch02-idx-947433-0"></a>root user on the system. Otherwise, you may get a warning such as:</p><pre class="programlisting">configure: warning: running as non-root will disable some tests</pre><p>You don't want any test to be disabled when the Samba makefile is being created; this leaves the potential for errors down the road when compiling or running Samba on your system.</p><p>Here is a sample execution of the <code class="filename">configure</code> +<a class="indexterm" name="ch02-idx-947434-0"></a> script, which creates a Samba 2.0.4 makefile for the Linux platform. Note that you must run the configure script in the <span class="emphasis"><em>source</em></span> directory, and that several lines from the middle of the excerpt have been omitted:</p><pre class="programlisting"># cd samba-2.0.4b/source/ +# ./configure | tee mylog + +loading cache ./config.cache +checking for gcc... (cached) gcc +checking whether the C compiler (gcc -O ) works... yes +checking whether the C compiler (gcc -O ) is a cross-compiler... no +checking whether we are using GNU C... (cached) yes +checking whether gcc accepts -g... (cached) yes +checking for a BSD compatible install... (cached) /usr/bin/install -c + +<span class="emphasis"><em>...(content omitted)...</em></span> + +checking configure summary +configure OK +creating ./config.status +creating include/stamp-h +creating Makefile +creating include/config.h</pre><p>In general, any message from <code class="filename">configure</code> that doesn't begin with the words <code class="literal">checking</code> or <code class="literal">creating</code> is an error; it often helps to redirect the output of the configure script to a file so you can quickly search for <a class="indexterm" name="ch02-idx-947435-0"></a>errors, as we did with the <code class="literal">tee</code> command above. If there was an error during configuration, more detailed information about it can be found in the <code class="filename">config.log</code> file, which is written to the local directory by the <code class="filename">configure</code> script.</p><p>If the configuration works, you'll see a <code class="literal">checking</code> <code class="literal">configure</code> <code class="literal">summary</code> message followed by a <code class="literal">configure</code> <code class="literal">OK</code> message and four or five file creation messages. So far, so good.... Next step: compiling.<a class="indexterm" name="ch02-idx-947719-0"></a></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-13217"></a>Compiling and Installing Samba</h2></div></div></div><p> +<a class="indexterm" name="ch02-idx-947438-0"></a>At <a class="indexterm" name="ch02-idx-947440-0"></a>this point you should be ready to build the Samba executables. Compiling is also easy: in the <code class="filename">source</code> directory, type <code class="literal">make</code> on the command line. The <code class="filename">make</code> +<a class="indexterm" name="ch02-idx-947436-0"></a> utility will produce a stream of explanatory and success messages, beginning with:</p><pre class="programlisting">Using FLAGS = -O -Iinclude ...</pre><p>This build includes compiles for both <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span>, and ends in a linking command for <code class="filename">bin/make_ printerdef</code>. For example, here is a sample make of Samba version 2.0.4 on a Linux server:</p><pre class="programlisting"># make +Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -DSMBLOGFILE="/ +usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.nmb" - +DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/lib/ +lmhosts" -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/bin" - +DLOCKDIR="/usr/local/samba/var/locks" -DSMBRUN="/usr/local/samba/bin/smbrun" - +DCODEPAGEDIR="/usr/local/samba/lib/codepages" -DDRIVERFILE="/usr/local/samba/lib/ +printers.def" -DBINDIR="/usr/local/samba/bin" -DHAVE_INCLUDES_H -DPASSWD_ +PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="/usr/local/samba/private/smbpasswd" +Using FLAGS32 = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper - +DSMBLOGFILE="/usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log. +nmb" -DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/ +lib/lmhosts" -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/bin" +-DLOCKDIR="/usr/local/samba/var/locks" -DSMBRUN="/usr/local/samba/bin/smbrun" - +DCODEPAGEDIR="/usr/local/samba/lib/codepages" -DDRIVERFILE="/usr/local/samba/lib/ +printers.def" -DBINDIR="/usr/local/samba/bin" -DHAVE_INCLUDES_H -DPASSWD_ +PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="/usr/local/samba/private/smbpasswd" +Using LIBS = -lreadline -ldl -lcrypt -lpam +Compiling smbd/server.c +Compiling smbd/files.c +Compiling smbd/chgpasswd.c + +<span class="emphasis"><em>...(content omitted)...</em></span> + +Compiling rpcclient/cmd_samr.c +Compiling rpcclient/cmd_reg.c +Compiling rpcclient/cmd_srvsvc.c +Compiling rpcclient/cmd_netlogon.c +Linking bin/rpcclient +Compiling utils/smbpasswd.c +Linking bin/smbpasswd +Compiling utils/make_smbcodepage.c +Linking bin/make_smbcodepage +Compiling utils/nmblookup.c +Linking bin/nmblookup +Compiling utils/make_printerdef.c +Linking bin/make_printerdef</pre><p>If you encounter problems when compiling, check the Samba documentation to see if it is easily fixable. Another possibility is to search or post to the <a class="indexterm" name="ch02-idx-947437-0"></a>Samba mailing lists, which are given at the end of <a href="#SAMBA-AP-D" title="Appendix D. Summary of Samba Daemons and Commands">Appendix D</a>, and on the Samba home page. Most compilation issues are system specific and almost always easy to overcome.</p><p>Now that the files have been compiled, you can install them into the directories you identified with the command:</p><pre class="programlisting">#<strong class="userinput"><code> make install</code></strong></pre><p>If you happen to be upgrading, your old Samba files will be saved with the extension <span class="emphasis"><em>.old</em></span> <a class="indexterm" name="ch02-idx-947448-0"></a>, and you can go back to that previous version with the command <code class="literal">make</code> <code class="literal">revert</code>. After doing a <code class="literal">make</code> <code class="literal">install</code>, you should copy the <span class="emphasis"><em>.old</em></span> files (if they exist) to a new location or name. Otherwise, the next time you install Samba, the original <span class="emphasis"><em>.old</em></span> will be overwritten without warning and you could lose your earlier version. If you configured Samba to use the default locations for files, the new files will be installed in the directories listed in <a href="#SAMBA-CH-2-TBL-2.2" title="Table 2.2. Samba Installation Directories">Table 2.2</a>. Remember that you need to perform the installation from an account that has <a class="indexterm" name="ch02-idx-947451-0"></a>write privileges on these target <a class="indexterm" name="ch02-idx-947452-0"></a>directories; this is typically the root account.</p><div class="table"><a name="SAMBA-CH-2-TBL-2.2"></a><p class="title"><b>Table 2.2. Samba Installation Directories </b></p><div class="table-contents"><table summary="Samba Installation Directories " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Directory</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><span class="emphasis"><em>/usr/local/samba</em></span></p></td><td><p> +<a class="indexterm" name="ch02-idx-947450-0"></a> +<a class="indexterm" name="ch02-idx-947450-1"></a>Main tree</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/bin</em></span></p></td><td><p>Binaries</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/lib</em></span></p></td><td><p><span class="emphasis"><em>smb.conf</em></span>, <span class="emphasis"><em>lmhosts</em></span>, configuration files, etc.</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/man</em></span></p></td><td><p>Samba documentation</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/private</em></span></p></td><td><p>Samba encrypted password file</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/swat</em></span></p></td><td><p>SWAT files</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/var</em></span></p></td><td><p>Samba log files, lock files, browse list info, shared memory files, process ID files</p></td></tr></tbody></table></div></div><br class="table-break"><p>Throughout the remainder of the book, we occasionally refer to the location of the <a class="indexterm" name="ch02-idx-947454-0"></a>main tree as <em class="replaceable"><code>samba_dir</code></em>. In most configurations, this is the <a class="indexterm" name="ch02-idx-947479-0"></a>base directory of the installed Samba package: <code class="filename">/usr/local/samba </code> +<a class="indexterm" name="ch02-idx-947455-0"></a>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Watch out if you've made <code class="filename">/usr</code> a <a class="indexterm" name="ch02-idx-947472-0"></a>read-only partition. You will want to put the logs, locks, and password files somewhere else.</p></div><p>Here is the installation that we performed on our machine. You can see that we used <code class="filename">/usr/local/samba</code> as the base directory for the distribution (e.g., <em class="replaceable"><code>samba_dir</code></em>):</p><pre class="programlisting"># <strong class="userinput"><code>make install</code></strong> +Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -DSMBLOGFILE="/ +usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.nmb" - +DCONFIGFILE="/usr/local/samba/lib/smb.conf" - + +<em class="lineannotation"><span class="lineannotation">...(content omitted)...</span></em> + +The binaries are installed. You may restore the old binaries +(if there were any) using the command "make revert". You may +uninstall the binaries using the command "make uninstallbin" +or "make uninstall" to uninstall binaries, man pages and shell +scripts. + +<em class="lineannotation"><span class="lineannotation">...(content omitted)...</span></em> + +============================================================ +The SWAT files have been installed. Remember to read the +README for information on enabling and using SWAT. +============================================================</pre><p>If the last message is about SWAT, you've successfully installed all the files. Congratulations! You now have Samba on your system!</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-3.1"></a>Final Installation Steps</h3></div></div></div><p> +<a class="indexterm" name="ch02-idx-947480-0"></a>There are a couple of final steps to perform. Specifically, add the <a class="indexterm" name="ch02-idx-947486-0"></a> +<a class="indexterm" name="ch02-idx-947486-1"></a>Samba Web Administration Tool (SWAT) to the <code class="filename">/etc/services</code> +<a class="indexterm" name="ch02-idx-947491-0"></a> and <code class="filename">/etc/inetd.conf</code> +<a class="indexterm" name="ch02-idx-947493-0"></a> configuration files. SWAT runs as a daemon under <span class="emphasis"><em>inetd</em></span> and provides a forms-based editor in your web browser for creating and modifying SMB configuration files.</p><div class="orderedlist"><ol type="1"><li><p>To add SWAT, add the following line to the end of the <code class="filename">/etc/services</code> file:</p><pre class="programlisting">swat 901/tcp</pre></li><li><p>Add these lines to <code class="filename">/etc/inetd.conf.</code> (Check your <code class="filename">inetd.conf</code> manual page to see the exact format of the<code class="filename"> inetd.conf</code> file if it differs from the following example.) Don't forget to change the path to the SWAT binary if you installed it in a different location from the default <code class="filename">/usr/local/samba</code>.</p><pre class="programlisting">swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat</pre></li></ol></div><p>And that's pretty much it for the installation. Before you can start up Samba, however, you need to create a configuration file for it.<a class="indexterm" name="ch02-idx-947442-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-13464"></a>A Basic Samba Configuration File</h2></div></div></div><p>The <a class="indexterm" name="ch02-idx-947692-0"></a>key to configuring Samba is its lone configuration file: <code class="filename">smb.conf</code> +<a class="indexterm" name="ch02-idx-947693-0"></a>. This configuration file can be very simple or extremely complex, and the rest of this book is devoted to helping you get deeply personal with this file. For now, however, we'll show you how to set up a single file service, which will allow you to fire up the Samba daemons and see that everything is running as it should be. In later chapters, you will see how to configure Samba for more complicated and interesting tasks.</p><p>The installation process does not automatically create an <code class="filename">smb.conf</code> configuration file, although several example files are included in the Samba distribution. <a class="indexterm" name="ch02-idx-947541-0"></a>To test the server software, though, we'll use the following file. It should be named <code class="filename">smb.conf</code> and placed in the <span class="emphasis"><em>/usr/local/samba/lib</em></span> directory.<sup>[<a name="ch02-pgfId-943223" href="#ftn.ch02-pgfId-943223">5</a>]</sup></p><pre class="programlisting">[global] + workgroup = SIMPLE +[test] + comment = For testing only, please + path = /export/samba/test + read only = no + guest ok = yes</pre><p>This brief configuration file tells the Samba server to offer the directory <code class="filename">/export/samba/test</code> +<a class="indexterm" name="ch02-idx-947498-0"></a> on the server as an SMB/CIFS share called <a class="indexterm" name="ch02-idx-947499-0"></a><code class="literal">test</code>. The server also becomes part of the named workgroup SIMPLE, which each of the clients must also be a part of. (Use your own workgroup here if you already know what it is.) We'll use the <code class="literal">[test]</code> share in the next chapter to set up the Windows clients. For now, you can complete the setup by performing the following commands as root on your Unix server:</p><pre class="programlisting"># <strong class="userinput"><code>mkdir /export/samba/test</code></strong> +# <strong class="userinput"><code>chmod 777 /export/samba/test</code></strong></pre><p>We should point out that in terms of system security, this is the worst setup possible. For the moment, however, we only wish to test Samba, so we'll leave security out of the picture. In addition, there are some encrypted password issues that we will encounter with Windows clients later on, so this setup will afford us the least amount of headaches.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you are using Windows 98 or Windows NT Service Pack 3 or above, you must add the following entry to the <code class="literal">[global]</code> section of the Samba configuration file: <code class="literal">encrypt passwords = yes</code>. In addition, you must use the <code class="filename">smbpassword</code> program (typically located in <code class="filename">/usr/local/samba/bin/ </code>) to reenter the username/password combinations of those users on the Unix server who should be able to access shares into Samba's encrypted client database. For example, if you wanted to allow Unix user <code class="literal">steve</code> to access shares from an SMB client, you could type: <code class="literal">smbpassword -a steve</code>. The first time a user is added, the program will output an error saying that the encrypted password database does not exist. Don't worry, it will then create the database for you. Make sure that the username/password combinations that you add to the encrypted database match the usernames and passwords that you intend to use on the Windows client side.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-4.1"></a>Using SWAT</h3></div></div></div><p> +<a class="indexterm" name="ch02-idx-947510-0"></a>With Samba 2.0, creating a configuration file is even easier than writing a configuration file by hand. You can use your browser to connect to <span class="emphasis"><em>http://localhost:901</em></span>, and log on as the root account, as shown in <a href="#ch02-60915" title="Figure 2.1. SWAT login">Figure 2.1</a>.</p><div class="figure"><a name="ch02-60915"></a><p class="title"><b>Figure 2.1. SWAT login</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 188px"><td><img src="figs/sam.0201.gif" height="188" alt="SWAT login"></td></tr></table></div></div></div><br class="figure-break"><p>After logging in, press the GLOBALS button at the top of the screen. You should see the Global Variables page shown in <a href="#ch02-49138" title="Figure 2.2. SWAT Global Variables page">Figure 2.2</a>.</p><div class="figure"><a name="ch02-49138"></a><p class="title"><b>Figure 2.2. SWAT Global Variables page</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 455px"><td><img src="figs/sam.0202.gif" width="502" alt="SWAT Global Variables page"></td></tr></table></div></div></div><br class="figure-break"><p>In this example, set the workgroup field to SIMPLE and the security field to USER. The only other option you need to change from the menu is one determining which system on the LAN resolves NetBIOS addresses; this system is called the <span class="emphasis"><em>WINS server</em></span> +<a class="indexterm" name="ch02-idx-947528-0"></a>. At the very bottom of the page, set the wins support field to Yes, unless you already have a WINS server on your network. If you do, put the WINS server's IP address in the wins server field instead. Then return to the top and press the Commit Changes button to write the changes out to the <span class="emphasis"><em>smb.conf</em></span> file.</p><div class="figure"><a name="ch02-29175"></a><p class="title"><b>Figure 2.3. SWAT Share Creation screen</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 392px"><td><img src="figs/sam.0203.gif" width="502" alt="SWAT Share Creation screen"></td></tr></table></div></div></div><br class="figure-break"><p>Next, press the Shares icon. You should see a page similar to <a href="#ch02-29175" title="Figure 2.3. SWAT Share Creation screen">Figure 2.3</a>. Choose Test in the field beside the Choose Share button. You will see the Share Parameters screen, as shown in <a href="#ch02-37186" title="Figure 2.4. SWAT Share Parameters screen">Figure 2.4</a>. We added a comment to remind us that this is a test share in the <code class="filename">smb.conf</code> file. SWAT has copies of all that information here.</p><div class="figure"><a name="ch02-37186"></a><p class="title"><b>Figure 2.4. SWAT Share Parameters screen</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 407px"><td><img src="figs/sam.0204.gif" width="502" alt="SWAT Share Parameters screen"></td></tr></table></div></div></div><br class="figure-break"><p>If you press the View button, SWAT shows you the following <code class="filename">smb.conf</code> file:</p><pre class="programlisting"># Samba config file created using SWAT +# from localhost (127.0.0.1) +# Date: 1998/11/27 15:42:40 + +# Global parameters + workgroup = SIMPLE +[test] + comment = For testing only, please + path = /export/samba/test + read only = no + guest ok = yes</pre><p>Once this configuration file is completed, you can skip the next step because the output of SWAT is guaranteed to be syntactically correct.<a class="indexterm" name="ch02-idx-947704-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-4.2"></a>Testing the Configuration File</h3></div></div></div><p> +<a class="indexterm" name="ch02-idx-947573-0"></a> +<a class="indexterm" name="ch02-idx-947573-1"></a>If you didn't use SWAT to create your configuration file, you should probably test it to ensure that it is syntactically correct. It may seem silly to run a test program against an eight-line configuration file, but it's good practice for the real ones that we'll be writing later on.</p><p>The<a class="indexterm" name="ch02-idx-947577-0"></a> test parser, <code class="filename">testparm</code> +<a class="indexterm" name="ch02-idx-947578-0"></a>, examines an <code class="filename">smb.conf</code> file for <a class="indexterm" name="ch02-idx-947583-0"></a> +<a class="indexterm" name="ch02-idx-947583-1"></a>syntax errors and reports any it finds along with a list of the <a class="indexterm" name="ch02-idx-947579-0"></a>services enabled on your machine. An example follows; you'll notice that in our haste to get the server running we mistyped <code class="literal">workgroup</code> as <code class="literal">workgrp</code> (the output is often lengthy, so we recommend capturing the last parts with the <code class="literal">tee</code> command):</p><pre class="programlisting">Load smb config files from smb.conf +Unknown parameter encountered: "workgrp" +Ignoring unknown parameter "workgrp" +Processing section "[test]" +Loaded services file OK. +Press enter to see a dump of your service definitions +# Global parameters +[global] + workgroup = WORKGROUP + netbios name = + netbios aliases = + server string = Samba 2.0.5a + interfaces = + bind interfaces only = No + +<em class="lineannotation"><span class="lineannotation">...(content omitted)...</span></em> + +[test] + comment = For testing only, please + path = /export/samba/test + read only = No + guest ok = Yes</pre><p>The interesting parts are at the top and bottom. The top of the output will flag any syntax errors that you may have made, and the bottom lists the services that the server thinks it should offer. A word of advice: make sure that you and the server have the same expectations.<a class="indexterm" name="ch02-idx-947566-0"></a></p><p>If everything looks good, then you are ready to fire up the server daemons!</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-29069"></a>Starting the Samba Daemons</h2></div></div></div><p>There <a class="indexterm" name="ch02-idx-947584-0"></a> +<a class="indexterm" name="ch02-idx-947584-1"></a>are two Samba processes, <span class="emphasis"><em>smbd</em></span> +<a class="indexterm" name="ch02-idx-947586-0"></a> and <span class="emphasis"><em>nmbd</em></span> +<a class="indexterm" name="ch02-idx-947587-0"></a>, that need to be running for Samba to work correctly. There are three ways to start:</p><div class="itemizedlist"><ul type="disc"><li><p>By hand</p></li><li><p>As stand-alone daemons</p></li><li><p>From <span class="emphasis"><em>inetd</em></span></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-5.1"></a>Starting the Daemons by Hand</h3></div></div></div><p>If you're in a hurry, you can start the Samba daemons by hand. As root, simply enter the following commands:</p><pre class="programlisting">#<strong class="userinput"><code> /usr/local/samba/bin/smbd -D</code></strong> +#<strong class="userinput"><code> /usr/local/samba/bin/nmbd -D</code></strong></pre><p>At this point, Samba will be running on your system and will be ready to accept connections.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-5.2"></a>Stand-alone Daemons</h3></div></div></div><p>To run the Samba processes as <a class="indexterm" name="ch02-idx-947591-0"></a> +<a class="indexterm" name="ch02-idx-947591-1"></a>stand-alone daemons, you need to add the commands listed in the previous section to your standard Unix startup scripts. This varies depending on whether you have a BSD-style <a class="indexterm" name="ch02-idx-947596-0"></a>Unix system or a System V Unix.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch02-SECT-5.2.1"></a>BSD Unix</h4></div></div></div><p>WIth a <a class="indexterm" name="ch02-idx-947597-0"></a>BSD-style Unix, you need to append the following code to the <code class="filename">rc.local </code> +<a class="indexterm" name="ch02-idx-947598-0"></a>file, which is typically found in the <code class="filename">/etc</code> +<a class="indexterm" name="ch02-idx-947599-0"></a> +<a class="indexterm" name="ch02-idx-947599-1"></a> or <code class="filename">/etc/rc.d</code> directories:</p><pre class="programlisting">if [ -x /usr/local/samba/bin/smbd]; then + echo "Starting smbd..." + /usr/local/samba/bin/smbd -D + echo "Starting nmbd..." + /usr/local/samba/bin/nmbd -D +fi</pre><p>This code is very simple; it checks to see if the <code class="filename">smbd</code> +<a class="indexterm" name="ch02-idx-947600-0"></a> file has <a class="indexterm" name="ch02-idx-947601-0"></a>execute permissions on it, and if it does, it starts up each of the Samba daemons on system boot.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch02-SECT-5.2.2"></a>System V Unix</h4></div></div></div><p>With<a class="indexterm" name="ch02-idx-947602-0"></a> System V, things can get a little more complex. System V typically uses scripts to start and stop daemons on the system. Hence, you need to instruct Samba how to operate when it starts and when it stops. You can modify the contents of the <code class="filename">/etc/rc.local</code> directory and add something similar to the following program entitled <code class="filename">smb </code>:</p><pre class="programlisting">#!/bin/sh + +# Contains the "killproc" function on Red Hat Linux +./etc/rc.d/init.d/functions + +PATH="/usr/local/samba/bin:$PATH" + +case $1 in + 'start') + echo "Starting smbd..." + smbd -D + echo "Starting nmbd..." + nmbd -D + ;; + 'stop') + echo "Stopping smbd and nmbd..." + killproc smbd + killproc nmbd + rm -f /usr/local/samba/var/locks/smbd.pid + rm -f /usr/local/samba/var/locks/nmbd.pid + ;; + *) + echo "usage: smb {start|stop}" + ;; +esac</pre><p>With this script, you can start and stop the SMB service with the following commands:</p><pre class="programlisting"># /etc/rc.local/smb start +Starting smbd... +Starting nmbd... +# /etc/rc.local/smb stop +Stopping smbd and nmbd...</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-5.3"></a>Starting From Inetd</h3></div></div></div><p>The <span class="emphasis"><em>inetd</em></span> +<a class="indexterm" name="ch02-idx-947588-0"></a> daemon is a Unix system's Internet "super daemon." It listens on TCP ports defined in <code class="filename">/etc/services</code> +<a class="indexterm" name="ch02-idx-947610-0"></a> and executes the appropriate program for each port, which is defined in <code class="filename">/etc/inetd.conf</code> +<a class="indexterm" name="ch02-idx-947618-0"></a>. The advantage of this scheme is that you can have a large number of daemons ready to answer queries, but they don't all have to be running. Instead, the <span class="emphasis"><em>inetd</em></span> daemon listens in places of all the others. The penalty is a small overhead cost of creating a new daemon process, and the fact that you need to edit two files rather than one to set things up. This is handy if you have only one or two users or your machine has too many daemons already. It's also easier to perform an upgrade without disturbing an existing connection.</p><p>If you wish to start from <code class="filename">inetd</code>, first open <code class="filename">/etc/services</code> in your text editor. If you don't already have them defined, add the following two lines:</p><pre class="programlisting">netbios-ssn 139/tcp +netbios-ns 137/udp</pre><p>Next, edit <code class="filename">/etc/inetd.conf</code>. Look for the following two lines and add them if they don't exist. If you already have <code class="literal">smbd</code> and <code class="literal">nmbd</code> lines in the file, edit them to point at the new <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> you've installed. Your brand of Unix may use a slightly different syntax in this file; use the existing entries and the <code class="filename">inetd.conf </code><span><strong class="command"> </strong></span>manual page<span><strong class="command"> </strong></span>as a guide:</p><pre class="programlisting">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd +netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre><p>Finally, kill any <span class="emphasis"><em>smbd</em></span> +<a class="indexterm" name="ch02-idx-947623-0"></a> or <span class="emphasis"><em>nmbd</em></span> +<a class="indexterm" name="ch02-idx-947634-0"></a> +<a class="indexterm" name="ch02-idx-947634-1"></a> processes and send the <span class="emphasis"><em>inetd</em></span> process a <a class="indexterm" name="ch02-idx-947624-0"></a> +<a class="indexterm" name="ch02-idx-947624-1"></a>hangup (HUP) signal. (The <span class="emphasis"><em>inetd</em></span> daemon rereads its configuration file on a HUP signal.) To do this, use the <code class="literal">ps</code> command to find its process ID, then signal it with the following command:</p><pre class="programlisting"># <strong class="userinput"><code>kill -HUP process_id</code></strong></pre><p>After that, Samba should be up and running.<a class="indexterm" name="ch02-idx-947585-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-67898"></a>Testing the Samba Daemons</h2></div></div></div><p> +<a class="indexterm" name="ch02-idx-947635-0"></a> +<a class="indexterm" name="ch02-idx-947635-1"></a>It's hard to believe, but we're nearly done with the Samba server setup. All that's left to do is to make sure that everything is working as we think it should. A convenient way to do this is to use the <code class="filename">smbclient</code> +<a class="indexterm" name="ch02-idx-947636-0"></a> program to examine what the server is offering to the network. If everything is set up properly, you should be able to do the following:</p><pre class="programlisting"><strong class="userinput"><code># smbclient -U% -L localhost</code></strong> + +Added interface ip=192.168.220.100 bcast=192.168.220.255 nmask=255.255.255.0 +Domain=[SIMPLE] OS=[Unix] Server=[Samba 2.0.5a] + + Sharename Type Comment + --------- ---- ------- + test Disk For testing only, please + IPC$ IPC IPC Service (Samba 2.0.5a) + + Server Comment + --------- ------- + HYDRA Samba 2.0.5a + + Workgroup Master + --------- ------- + SIMPLE HYDRA</pre><p>If there is a problem, don't panic! Try to start the daemons manually, and check the system output or the <a class="indexterm" name="ch02-idx-947637-0"></a>debug files at <code class="filename">/usr/local/samba/var/log.smb</code> +<a class="indexterm" name="ch02-idx-947638-0"></a> to see if you can determine what happened. If you think it may be a more serious problem, skip to <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>, for help on troubleshooting the Samba daemons.</p><p>If it worked, congratulations! You now have successfully set up the Samba server with a <a class="indexterm" name="ch02-idx-947664-0"></a>disk share. It's a simple one, but we can use it to set up and test the Windows 95 and NT clients in the next chapter. Then we will start making it more interesting by adding services such as home directories, printers, and security, and seeing how to integrate the server into a larger Windows domain.<a class="indexterm" name="ch02-idx-947297-0"></a></p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-939741" href="#ch02-pgfId-939741">1</a>] </sup>If you haven't heard of Linux yet, then you're in for a treat. Linux is a freely distributed Unix-like operating system that runs on the Intel x86, Motorola PowerPC, and Sun Sparc platforms. The operating system is relatively easy to configure, extremely robust, and is gaining in popularity. You can get more information on the Linux operating system at <code class="systemitem">http://www.linux.org/</code>.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-943622" href="#ch02-pgfId-943622">2</a>] </sup>This is especially true with programs that use <span class="emphasis"><em>glibc-2.1</em></span> (which comes standard with Red Hat Linux 6). This library caused quite a consternation in the development community when it was released because it was incompatable with previous versions of <span class="emphasis"><em>g</em></span><code class="filename">libc</code>.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-939049" href="#ch02-pgfId-939049">3</a>] </sup><span class="emphasis"><em>gcc</em></span> binaries are available for almost every modern machine. See <code class="systemitem">http://www.gnu.org/</code> for a list of sites with <span class="emphasis"><em>gcc</em></span> and other GNU software.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-943655" href="#ch02-pgfId-943655">4</a>] </sup>By <span class="emphasis"><em>directory</em></span>, we don't mean a directory in a file system, but instead an indexed directory (such as a phone directory). Information is stored and can be easily retrieved in a public LDAP system.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-943223" href="#ch02-pgfId-943223">5</a>] </sup>If you did not compile Samba, but instead downloaded a binary, check with the documentation for the package to find out where it expects the <code class="filename">smb.conf</code> file. If Samba came preinstalled with your Unix system, there is probably already an <code class="filename">smb.conf</code> file somewhere on your system.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-3"></a>Chapter 3. Configuring Windows Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch03-55770">3.1. Setting Up Windows 95/98 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-1.1">3.1.1. Accounts and Passwords</a></span></dt><dt><span class="sect2"><a href="#ch03-36280">3.1.2. Setting Up the Network</a></span></dt><dt><span class="sect2"><a href="#ch03-48802">3.1.3. Setting Your Name and Workgroup </a></span></dt><dt><span class="sect2"><a href="#ch03-13238">3.1.4. Accessing the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-23093">3.2. Setting Up Windows NT 4.0 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-2.1">3.2.1. Basic Configuration</a></span></dt><dt><span class="sect2"><a href="#ch03-85837">3.2.2. Configuring TCP/IP</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-2.3">3.2.3. Connecting to the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-64069">3.3. An Introduction to SMB/CIFS</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-3.1">3.3.1. SMB Format</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.2">3.3.2. SMB Clients and Servers</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.3">3.3.3. A Simple SMB Connection</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.4">3.3.4. Negotiating the Protocol Variant</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.5">3.3.5. Set Session and Login Parameters</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.6">3.3.6. Making Connection to a Resource</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="ch03-idx-947918-0"></a> +<a class="indexterm" name="ch03-idx-947918-1"></a>You'll be glad to know that configuring Windows to use your new Samba server is quite simple. SMB is Microsoft's native language for resource sharing on a local area network, so much of the installation and setup on the Windows client side has been taken care of already. The primary issues that we will cover in this chapter involve communication and coordination between Windows and Unix, two completely different operating systems.</p><p>Samba uses TCP/IP to talk to its clients on the network. If you aren't already using TCP/IP on your Windows computers, this chapter will show you how to install it. Then you'll need to configure your Windows machines to operate on a TCP/IP network. Once these two requirements have been taken care of, we can show how to access a shared disk on the Samba server.</p><p>This chapter is divided into three sections. The first section covers setting up Windows 95/98 computers while the second covers Windows NT 4.0 machines. The final section provides some prerequisite information on how SMB connections are made from Windows clients and servers, which is useful as we move into the later chapters of the book.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch03-55770"></a>Setting Up Windows 95/98 Computers</h2></div></div></div><p> +<a class="indexterm" name="ch03-idx-947927-0"></a> +<a class="indexterm" name="ch03-idx-947927-1"></a>Unfortunately, Windows 95/98 wasn't designed for a PC to have more than one user; that concept is more inherent to a Unix operating system or Windows NT. However, <a class="indexterm" name="ch03-idx-947953-0"></a>Windows 95/98 does have <span class="emphasis"><em>limited</em></span> support for multiple users: if you tell it, the operating system will keep a separate <a class="indexterm" name="ch03-idx-947955-0"></a>profile (desktop layout) and password file for each user. This is a far cry from true multiuser security. In other words, Windows 95/98 won't try to keep one user from destroying the work of another on the local hard drive like Unix, but profiles are a place to start.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-1.1"></a>Accounts and Passwords</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-947956-0"></a> +<a class="indexterm" name="ch03-idx-947956-1"></a> +<a class="indexterm" name="ch03-idx-947956-2"></a>The first thing we need to do is to tell Windows to keep user profiles separate, and to collect usernames and passwords to authenticate anyone trying to access a Samba share. We do so via the <a class="indexterm" name="ch03-idx-947957-0"></a>Password settings in the Control Panel. If you are not familiar with the Windows Control Panel, you can access it by choosing the Settings menu item from the pop-up menu of the Start button in the lower-left corner of the screen. Alternatively, you'll find it as a folder under the icon in the upper-left corner that represents your computer and is typically labeled <a class="indexterm" name="ch03-idx-947958-0"></a>My Computer.</p><p>After selecting the Passwords icon in the Control Panel, click on the User Profiles tab on the far right. You should see the dialog box shown in <a href="#ch03-84319" title="Figure 3.1. The Passwords Properties panel">Figure 3.1</a>. Then click the lower of the two radio buttons that starts "Users can customize their preferences...." This causes Windows to store a separate profile for each user, and saves the username and password you provide, which it will use later when it connects to an SMB/CIFS server. Finally, check <span class="emphasis"><em>both</em></span> the options under the User Profile Settings border, as shown in the figure.</p><div class="figure"><a name="ch03-84319"></a><p class="title"><b>Figure 3.1. The Passwords Properties panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 289px"><td><img src="figs/sam.0301.gif" height="289" alt="The Passwords Properties panel"></td></tr></table></div></div></div><br class="figure-break"><p>The next step is to select the Change Passwords tab on the left side of the dialog box. In order for Samba to allow you access to its shares, the username and password you give to Windows must match the account and password on the Samba server. If you don't have this tab in your dialog box, don't worry; it's probably because you haven't given yourself a Windows username and password yet. Simply click the OK button at the bottom and respond Yes when Windows asks to reboot. Then, skip down to <a href="#ch03-57581" title="Logging in for the first time">Section 3.1.1.2</a>.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.1.1"></a>Changing the Windows password</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-947966-0"></a>After selecting the Change Passwords tab, the dialog box in <a href="#ch03-26778" title="Figure 3.2. The Change Passwords tab">Figure 3.2</a> will appear.</p><div class="figure"><a name="ch03-26778"></a><p class="title"><b>Figure 3.2. The Change Passwords tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 306px"><td><img src="figs/sam.0302.gif" height="306" alt="The Change Passwords tab"></td></tr></table></div></div></div><br class="figure-break"><p>Select the Change Windows Password button. The <a class="indexterm" name="ch03-idx-947967-0"></a>Change Windows Password dialog box should appear, as shown in <a href="#ch03-97002" title="Figure 3.3. The Change Windows Password dialog box">Figure 3.3</a>. From here, you can change your password to match the password of the account on the Samba server through which you intend to log in.</p><div class="figure"><a name="ch03-97002"></a><p class="title"><b>Figure 3.3. The Change Windows Password dialog box</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 135px"><td><img src="figs/sam.0303.gif" height="135" alt="The Change Windows Password dialog box"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-57581"></a>Logging in for the first time</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-947969-0"></a> +<a class="indexterm" name="ch03-idx-947969-1"></a>If you didn't have a Change Passwords tab in the Passwords Properties window, then after Windows has finished rebooting, it will ask you to log in with a username and a password. Give yourself the same username and password that you have on the Samba server. After confirming your new username and password, or if you already have one, Windows should ask you if you want to have a <a class="indexterm" name="ch03-idx-947970-0"></a>profile, using the dialog shown in <a href="#ch03-48947" title="Figure 3.4. Windows Networking profiles">Figure 3.4</a>. <a class="indexterm" name="ch03-idx-947961-0"></a> +<a class="indexterm" name="ch03-idx-947961-1"></a> +<a class="indexterm" name="ch03-idx-947961-2"></a></p><div class="figure"><a name="ch03-48947"></a><p class="title"><b>Figure 3.4. Windows Networking profiles</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 121px"><td><img src="figs/sam.0304.gif" height="121" alt="Windows Networking profiles"></td></tr></table></div></div></div><br class="figure-break"><p>Answer Yes, upon which Windows will create a separate profile and password file for you and save a copy of your password in the file. Now when you connect to Samba, Windows will send its password, which will be used to authenticate you for each share. We won't worry about profiles for the moment; we'll cover them in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>. We should point out, however, that there is a small security risk: someone can steal the <a class="indexterm" name="ch03-idx-947972-0"></a>password file and decrypt the passwords because it's weakly encrypted. Unfortunately, there isn't a solution to this with Windows 95/98. In Windows 2000 (NT 5.0), the password encryption should be replaced with a much better algorithm.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-36280"></a>Setting Up the Network</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-947983-0"></a>The next thing we need to do is make sure we have the <a class="indexterm" name="ch03-idx-947973-0"></a>TCP/IP networking protocol set up correctly. To do this, double-click on the <a class="indexterm" name="ch03-idx-947975-0"></a>Network icon in the Control Panel. You should see the network configuration dialog box, as shown in <a href="#ch03-15320" title="Figure 3.5. The Windows 95/98 Network panel">Figure 3.5</a>.</p><div class="figure"><a name="ch03-15320"></a><p class="title"><b>Figure 3.5. The Windows 95/98 Network panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 371px"><td><img src="figs/sam.0305.gif" width="502" alt="The Windows 95/98 Network panel"></td></tr></table></div></div></div><br class="figure-break"><p>Microsoft networking works by binding specific protocols, such as IPX or TCP/IP, to a specific hardware device, such as an <a class="indexterm" name="ch03-idx-947977-0"></a>Ethernet card or a <a class="indexterm" name="ch03-idx-948013-0"></a>dialup connection. By routing a <a class="indexterm" name="ch03-idx-947976-0"></a>protocol through a hardware device, the machine can act as a client or server for a particular type of network. For Samba, we are interested in binding the TCP/IP protocol through a networking device, making the machine a client for Microsoft networks. Thus, when the dialog box appears, you should see at least the Client for Microsoft Networks component installed on the machine, and hopefully a networking device (preferably an Ethernet card) bound to the TCP/IP protocol. If there is only one networking hardware device, you'll see the TCP/IP protocol listed below that device. If it appears similar to <a href="#ch03-15320" title="Figure 3.5. The Windows 95/98 Network panel">Figure 3.5</a>, the protocol is bound to the device.</p><p>You may also see <a class="indexterm" name="ch03-idx-947979-0"></a>"File and printer sharing for Microsoft Networks," which is useful. In addition, you might see <a class="indexterm" name="ch03-idx-947981-0"></a>NetBEUI or <a class="indexterm" name="ch03-idx-947982-0"></a>Novell Networking, which are standard with Windows installations but undesirable when TCP/IP is running. Remove NetBEUI if you possibly can—it's unnecessary and makes debugging Windows browsing difficult. If you don't have any Novell servers on your network, you can remove Novell (IPX/SPX) as well.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.1"></a>Adding TCP/IP</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-947991-0"></a>If you don't see TCP/IP listed at all, you'll need to install the protocol. If you already have TCP/IP, skip this section, and continue with <a href="#ch03-48802" title="Setting Your Name and Workgroup">Section 3.1.3</a>, later in this chapter.</p><p>Installing TCP/IP isn't difficult since Microsoft distributes its own version of TCP/IP for free on their installation CD-ROM. You can add the protocol by clicking on the Add button below the component window. Indicate that you wish to add a specific protocol by selecting Protocol and clicking Add... on the following dialog box, which should look similar to <a href="#ch03-24245" title="Figure 3.6. Selecting a protocol to install">Figure 3.6</a>.</p><div class="figure"><a name="ch03-24245"></a><p class="title"><b>Figure 3.6. Selecting a protocol to install</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 195px"><td><img src="figs/sam.0306.gif" height="195" alt="Selecting a protocol to install"></td></tr></table></div></div></div><br class="figure-break"><p>After that, select the protocol TCP/IP from manufacturer Microsoft, as shown in <a href="#ch03-50801" title="Figure 3.7. Selecting a protocol to install">Figure 3.7</a>, then click OK. After doing so, you will be returned to the network dialog. Click OK there to close the dialog box, upon which Windows will install the necessary components from disk and reboot the machine.</p><div class="figure"><a name="ch03-50801"></a><p class="title"><b>Figure 3.7. Selecting a protocol to install</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0307.gif" height="296" alt="Selecting a protocol to install"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.2"></a>Configuring TCP/IP</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948011-0"></a>If you have more than one networking device (for example, both an <a class="indexterm" name="ch03-idx-948014-0"></a>Ethernet card and a dialup networking <a class="indexterm" name="ch03-idx-948015-0"></a>modem), each appropriate hardware device should be "linked" to the TCP/IP protocol with an arrow, as shown in <a href="#ch03-61576" title="Figure 3.8. Selecting the correct TCP/IP protocol">Figure 3.8</a>. Select the TCP/IP protocol linked to the networking device that will be accessing the Samba network. When it is highlighted, click the<a class="indexterm" name="ch03-idx-948019-0"></a> Properties button.</p><div class="figure"><a name="ch03-61576"></a><p class="title"><b>Figure 3.8. Selecting the correct TCP/IP protocol</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 389px"><td><img src="figs/sam.0308.gif" width="502" alt="Selecting the correct TCP/IP protocol"></td></tr></table></div></div></div><br class="figure-break"><p>After doing so, the <a class="indexterm" name="ch03-idx-948028-0"></a>TCP/IP Properties panel for that device is displayed, as shown in <a href="#ch03-73526" title="Figure 3.9. STCP/IP Properties panel">Figure 3.9</a>.</p><div class="figure"><a name="ch03-73526"></a><p class="title"><b>Figure 3.9. STCP/IP Properties panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 303px"><td><img src="figs/sam.0309.gif" height="303" alt="STCP/IP Properties panel"></td></tr></table></div></div></div><br class="figure-break"><p>There are seven tabs near the top of this panel, and you will need to configure four of them:</p><div class="itemizedlist"><ul type="disc"><li><p>IP address</p></li><li><p>DNS configuration</p></li><li><p>WINS configuration</p></li><li><p>Bindings</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.3"></a>IP Address tab </h4></div></div></div><p>The <a class="indexterm" name="ch03-idx-948038-0"></a> +<a class="indexterm" name="ch03-idx-948038-1"></a>IP Address tab is shown in <a href="#ch03-73526" title="Figure 3.9. STCP/IP Properties panel">Figure 3.9</a>. Press the "Specify an IP address" radio button and enter the client's address and subnet <a class="indexterm" name="ch03-idx-948214-0"></a> +<a class="indexterm" name="ch03-idx-948214-1"></a>mask in the space provided. You or your network manager should have selected an address for the machine. The values should place the computer on the same subnet as the Samba server. For example, if the server's address is 192.168.236.86, and its network <a class="indexterm" name="ch03-idx-948217-0"></a> +<a class="indexterm" name="ch03-idx-948217-1"></a> +<a class="indexterm" name="ch03-idx-948217-2"></a>mask 255.255.255.0, you might use address 192.168.236.10 (if it is available) for the Windows 98 computer, along with the same netmask as the server. If you already use DHCP on your network to provide IP addresses to Windows machines, select the "Obtain an IP address automatically" button.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.4"></a>DNS Configuration tab</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948039-0"></a>Domain Name Service (<a class="indexterm" name="ch03-idx-948040-0"></a> +<a class="indexterm" name="ch03-idx-948040-1"></a>DNS) is responsible for translating Internet computer names such as <span class="emphasis"><em>hobbes.example.com</em></span> into machine-readable IP addresses such as 192.168.236.10. There are two ways to accomplish this on a Windows 98 machine: you can specify a server to do the translation for you or you can keep a local list of name/address pairs to refer to.</p><p>Networks that are connected to the Internet typically use a server, since the hosts files required would otherwise be huge. For an unconnected LAN, the list of possible hosts is small and well-known and might be kept on a Unix machine in the <span class="emphasis"><em>/etc/hosts</em></span> +<a class="indexterm" name="ch03-idx-948046-0"></a> file. If you are in doubt as to whether a DNS server is being used, or what its address might be, look at the file <span class="emphasis"><em>/etc/resolv.conf</em></span> +<a class="indexterm" name="ch03-idx-948047-0"></a> on your Unix servers. Any machine using DNS will have this file, which looks like:</p><pre class="programlisting">#resolv.conf +domain example.com +nameserver 127.0.0.1 +nameserver 192.168.236.20</pre><p>In the example shown, the second <code class="literal">nameserver</code> line in the list contains the IP address of another machine on the local network: 192.168.236.20. It's a good candidate for a DNS server.<sup>[<a name="ch03-pgfId-942097" href="#ftn.ch03-pgfId-942097">1</a>]</sup></p><p>You must type the correct IP address of one or more DNS servers (note that you <span class="emphasis"><em>cannot</em></span> use its Internet name, such as <span class="emphasis"><em>dns.oreilly.com</em></span>) into the appropriate field in <a href="#ch03-86883" title="Figure 3.10. The DNS Configuration tab">Figure 3.10</a>. Be sure not to use 127.0.0.1—that will never be the correct DNS server address!</p><p>Try to select addresses on your own network. Any name servers listed in <span class="emphasis"><em>/etc/resolv.conf</em></span> should work, but you'll get better performance by using a server nearby. (If you don't find <span class="emphasis"><em>/etc/resolv.conf</em></span> files on your Unix machines, just disable DNS until you can find the address of at least one DNS server.) Let's assume you only have one DNS server, and its address is 192.168.236.20. Click the Enable DNS radio button, as shown in <a href="#ch03-86883" title="Figure 3.10. The DNS Configuration tab">Figure 3.10</a>, and add the server's address to the top DNS Server Search Order field.</p><div class="figure"><a name="ch03-86883"></a><p class="title"><b>Figure 3.10. The DNS Configuration tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 360px"><td><img src="figs/sam.0310.gif" width="502" alt="The DNS Configuration tab"></td></tr></table></div></div></div><br class="figure-break"><p>Also, provide the name of the Windows 95/98 machine and the Internet domain you're in. You can safely ignore the Domain Suffix Search Order field for anything related to Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.5"></a>WINS Configuration tab</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948063-0"></a>WINS is the <a class="indexterm" name="ch03-idx-948065-0"></a> +<a class="indexterm" name="ch03-idx-948065-1"></a>Windows Internet Name Service, its version of a <a class="indexterm" name="ch03-idx-948066-0"></a>NetBIOS name server. If you've enabled WINS on Samba, you must tell Windows the Samba server's address. If you are using WINS servers that are entirely Windows NT, enter each of them here as well. The dialog box shown after selecting the WINS Configuration tab is shown in <a href="#ch03-95608" title="Figure 3.11. The WINS Configuration tab">Figure 3.11</a>.</p><div class="figure"><a name="ch03-95608"></a><p class="title"><b>Figure 3.11. The WINS Configuration tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 389px"><td><img src="figs/sam.0311.gif" width="502" alt="The WINS Configuration tab"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Do <span class="emphasis"><em>not</em></span> mix a Samba WINS server and a Windows NT server as a primary/backup combination in the WINS dialog. Because the two cannot replicate their databases, this will cause name resolution to perform incorrectly.</p></div><p>From here, select Enable WINS Resolution and enter the <a class="indexterm" name="ch03-idx-948058-0"></a>WINS server's address in the space provided, then press Add. Do not enter anything in the Scope ID field.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.6"></a>Hosts files</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948067-0"></a>If you do not have either DNS or WINS, and you don't wish to use <a class="indexterm" name="ch03-idx-948070-0"></a>broadcast resolution, you'll need to provide a table of IP addresses and hostnames, in the standard Unix <code class="filename">/etc/hosts</code> format. On a Windows machine, this goes in <a class="indexterm" name="ch03-idx-948075-0"></a>\WINDOWS\HOSTS under whichever drive you installed Windows on (typically C:\). A sample host file follows:</p><pre class="programlisting"># 127.0.0.1 localhost +192.168.236.1 escrime.example.com escrime +192.168.236.2 riposte.example.com riposte +192.168.236.3 wizzin.example.com wizzin +192.168.236.4 touche.example.com touche +192.168.236.10 hobbes.example.com hobbes</pre><p>You can copy this file directly from any of your Unix machines' <span class="emphasis"><em>/etc/hosts</em></span> <a class="indexterm" name="ch03-idx-948074-0"></a>; the format is identical. However, <span class="emphasis"><em>you should only use hosts files in Windows as a last resort for name resolution</em></span> +<a class="indexterm" name="ch03-idx-948069-0"></a>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.7"></a>Check the bindings</h4></div></div></div><p>The final tab to look at is <a class="indexterm" name="ch03-idx-948076-0"></a>Bindings, as shown in <a href="#ch03-42906" title="Figure 3.12. The Bindings tab">Figure 3.12</a>.</p><div class="figure"><a name="ch03-42906"></a><p class="title"><b>Figure 3.12. The Bindings tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 249px"><td><img src="figs/sam.0312.gif" height="249" alt="The Bindings tab"></td></tr></table></div></div></div><br class="figure-break"><p>You should have a check beside Client for Microsoft Networks, indicating that it's using TCP/IP. If you have <a class="indexterm" name="ch03-idx-948077-0"></a>"File and printer sharing for Microsoft Networks" in the dialog, it should also be checked, as shown in the figure.<a class="indexterm" name="ch03-idx-947986-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-48802"></a>Setting Your Name and Workgroup </h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948082-0"></a> +<a class="indexterm" name="ch03-idx-948082-1"></a>Finally, press the OK button in the TCP/IP configuration panel, and you'll be taken back to the Network Configuration screen. Then select the <a class="indexterm" name="ch03-idx-948078-0"></a>Identification tab, which will take you to the dialog box shown in <a href="#ch03-42408" title="Figure 3.13. The Identification tab">Figure 3.13</a>.</p><div class="figure"><a name="ch03-42408"></a><p class="title"><b>Figure 3.13. The Identification tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0313.gif" height="285" alt="The Identification tab"></td></tr></table></div></div></div><br class="figure-break"><p>Here, for the second time, set your machine's name. This time, instead of your DNS hostname and domain, you're setting your <a class="indexterm" name="ch03-idx-948084-0"></a>NetBIOS name. However, it is best to make this the <span class="emphasis"><em>same</em></span> as your hostname. Try not to make a <a class="indexterm" name="ch03-idx-948085-0"></a>spelling mistake: it can be very confusing to configure a machine if TCP thinks it's <code class="literal">fred</code> and SMB thinks its <code class="literal">ferd</code> !</p><p>You also set your workgroup name here. In our case, it's SIMPLE, but if you used a different one in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>, when creating the Samba configuration file, use that here as well. Try to avoid calling it WORKGROUP or you'll be in the same workgroup as every unconfigured (or ill-configured) machine in the world.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-13238"></a>Accessing the Samba Server</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948086-0"></a> +<a class="indexterm" name="ch03-idx-948086-1"></a>Click on the OK button to complete the configuration; you will need to reboot in order for your changes to take effect.</p><p>Now for the big moment. Your Samba server is running, and you have set up your Windows 95/98 client to communicate with it. After rebooting, log in and double-click the <a class="indexterm" name="ch03-idx-948087-0"></a>Network Neighborhood icon on the desktop. You should see your Samba server listed as a member of the workgroup, as shown in <a href="#ch03-88553" title="Figure 3.14. Windows Network Neighborhood">Figure 3.14</a>.</p><div class="figure"><a name="ch03-88553"></a><p class="title"><b>Figure 3.14. Windows Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 139px"><td><img src="figs/sam.0314.gif" height="139" alt="Windows Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"><p>Double-clicking the server name will show the resources that the server is offering to the network, as shown in <a href="#ch03-17463" title="Figure 3.15. Shares on Server">Figure 3.15</a> (in this case a printer and the <span class="emphasis"><em>test</em></span> directory).</p><div class="figure"><a name="ch03-17463"></a><p class="title"><b>Figure 3.15. Shares on Server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 152px"><td><img src="figs/sam.0315.gif" height="152" alt="Shares on Server"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you are presented with a dialog requesting the password for a user <code class="literal">IPC$</code>, then Samba did not accept the password that was sent from the client. In this case, the username and the password that were created on the client side <span class="emphasis"><em>must</em></span> match the username/password combination on the Samba server. If you are using Windows 98 or Windows NT Service Pack 3 or above, this is probably because the client is sending encrypted passwords instead of plaintext passwords. You can remedy this situation by performing two steps on the Samba server. First, add the following entry to the <code class="literal">[global]</code> section of your Samba configuration file: <code class="literal">encrypt password=yes</code>. Second, find the <code class="filename">smbpasswd</code> program on the samba server (it is located in <code class="filename">/usr/local/samba/bin</code> by default) and use it to add an entry to Samba's encrypted password database. For example, to add user <code class="literal">steve</code> to Samba's encrypted password database, type <em class="replaceable"><code>smbpasswd -a steve</code></em>. The first time you enter this password, the program will output an error message indicating that the password database does not exist; it will then create the database, which is typically stored in <code class="filename">/usr/local/samba/private/smbpasswd</code>.</p></div><p>If you don't see the server listed, start Windows Explorer (not Internet Explorer!) and select <a class="indexterm" name="ch03-idx-948088-0"></a>Map Network Drive from the Tools menu. This will give you a dialog box into which you can type the name of your server and the share <code class="literal">test </code>in the <a class="indexterm" name="ch03-idx-948089-0"></a>Windows UNC format: <code class="filename">\\</code><em class="replaceable"><code>server</code></em><code class="filename">\test</code>, like we did in the first chapter. This should attempt to contact the Samba server and its temporary share. If things still aren't right, go to <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>, for troubleshooting assistance.<a class="indexterm" name="ch03-idx-947933-0"></a> +<a class="indexterm" name="ch03-idx-947933-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch03-23093"></a>Setting Up Windows NT 4.0 Computers</h2></div></div></div><p> +<a class="indexterm" name="ch03-idx-947940-0"></a> +<a class="indexterm" name="ch03-idx-947940-1"></a>Configuring Windows NT is a little different than configuring Windows 95/98. In order to use Samba with Windows NT, you will need both the Workstation service and the TCP/IP protocol. Both come standard with NT, but we'll work through installing and configuring them because they may not be configured correctly.</p><p>There are six basic steps:</p><div class="orderedlist"><ol type="1"><li><p>Assign the machine a name.</p></li><li><p>Install the Workstation service.</p></li><li><p>Install the TCP/IP protocol.</p></li><li><p>Set the machine's name and IP address.</p></li><li><p>Configure the DNS and WINS name services.</p></li><li><p>Bind the protocol and service together.</p></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-2.1"></a>Basic Configuration</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948108-0"></a>This section presents an outline of the steps to follow for getting Windows NT to cooperate with Samba. If you need more details on Windows NT network administration, refer to Craig Hunt and Robert Bruce Thompsom's <em class="citetitle">Windows NT TCP/IP Network Administration </em>(O'Reilly), an excellent guide. You should perform these steps as the "Administrator" user.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.1.1"></a>Name the machine</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948120-0"></a> +<a class="indexterm" name="ch03-idx-948120-1"></a>The first thing you need to do is to give the machine a <a class="indexterm" name="ch03-idx-948122-0"></a>NetBIOS name. From the Control Panel, double click on the <a class="indexterm" name="ch03-idx-948123-0"></a>Network icon. This will take you to the <a class="indexterm" name="ch03-idx-948124-0"></a>Network dialog box for the machine. The first tab in this dialog box should be the Identification tab, as illustrated in <a href="#ch03-82592" title="Figure 3.16. Network panel Identification tab">Figure 3.16</a>.</p><div class="figure"><a name="ch03-82592"></a><p class="title"><b>Figure 3.16. Network panel Identification tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 260px"><td><img src="figs/sam.0316.gif" height="260" alt="Network panel Identification tab"></td></tr></table></div></div></div><br class="figure-break"><p>Here, you need to identify your machine with a name (we use the name Artish here) and change the default workgroup to the one you specified in the <span class="emphasis"><em>smb.conf</em></span> +<a class="indexterm" name="ch03-idx-948125-0"></a> file of your Samba server. In this case, the workgroup name is SIMPLE. However, you cannot edit either name here (as you could in Windows 95/98), but instead must use the Change button below the two text fields. Pressing this button raises an <a class="indexterm" name="ch03-idx-948126-0"></a>Identification Changes dialog box, where you can reset the workgroup and the machine name, as shown in <a href="#ch03-67735" title="Figure 3.17. Changing the identification">Figure 3.17</a>.</p><div class="figure"><a name="ch03-67735"></a><p class="title"><b>Figure 3.17. Changing the identification</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 360px"><td><img src="figs/sam.0317.gif" width="502" alt="Changing the identification"></td></tr></table></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="ch03-idx-948129-0"></a>A word of warning: you will have to set the machine name again later while configuring TCP/IP, so be sure that the two names match. The name you set here is the NetBIOS name. You're allowed to make it different from the TCP/IP hostname, but doing so is usually not a good thing. Don't worry that Windows NT forces the computer name and the workgroup to be all capital letters; it's smart enough to figure out what you mean when it connects to the network.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.1.2"></a>Installing the TCP/IP protocol</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948143-0"></a> +<a class="indexterm" name="ch03-idx-948143-1"></a>Next, select the <a class="indexterm" name="ch03-idx-948150-0"></a>Protocols tab in the Network dialog box, and look to see if you have the TCP/IP protocol installed, as shown in <a href="#ch03-66055" title="Figure 3.18. The Protocols tab">Figure 3.18</a>.</p><div class="figure"><a name="ch03-66055"></a><p class="title"><b>Figure 3.18. The Protocols tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 257px"><td><img src="figs/sam.0318.gif" height="257" alt="The Protocols tab"></td></tr></table></div></div></div><br class="figure-break"><p>If the protocol is not installed, you need to add it. Press the Add button, which will display the <a class="indexterm" name="ch03-idx-948148-0"></a>Select Network Protocol dialog box shown in <a href="#ch03-22321" title="Figure 3.19. Select Network Protocol dialog box">Figure 3.19</a>. Unlike Windows 95/98, you should immediately see the TCP/IP protocol as one of the last protocols listed.</p><div class="figure"><a name="ch03-22321"></a><p class="title"><b>Figure 3.19. Select Network Protocol dialog box</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0319.gif" height="285" alt="Select Network Protocol dialog box"></td></tr></table></div></div></div><br class="figure-break"><p>Select TCP/IP<span class="emphasis"><em></em></span> as the protocol and confirm it. If possible, install only the TCP/IP protocol. You usually do not want <a class="indexterm" name="ch03-idx-948149-0"></a>NetBEUI installed because this causes the machine to look for services under two different protocols, only one of which is likely in use.<sup>[<a name="ch03-pgfId-943371" href="#ftn.ch03-pgfId-943371">2</a>]</sup></p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.1.3"></a>Installing the Workstation service</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948151-0"></a> +<a class="indexterm" name="ch03-idx-948151-1"></a> +<a class="indexterm" name="ch03-idx-948151-2"></a>After installing TCP/IP, press the <a class="indexterm" name="ch03-idx-948152-0"></a>Services tab in the Network panel and check that you have a Workstation service, as shown at the end of the list in <a href="#ch03-97222" title="Figure 3.20. Network Services panel dialog box">Figure 3.20</a>.</p><div class="figure"><a name="ch03-97222"></a><p class="title"><b>Figure 3.20. Network Services panel dialog box</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 289px"><td><img src="figs/sam.0320.gif" height="289" alt="Network Services panel dialog box"></td></tr></table></div></div></div><br class="figure-break"><p>This service is actually the <a class="indexterm" name="ch03-idx-948153-0"></a>Microsoft Networking Client, which allows the machine to access SMB services. The Workstation service is mandatory. The service is installed by default on both <a class="indexterm" name="ch03-idx-948154-0"></a> +<a class="indexterm" name="ch03-idx-948155-0"></a>Windows NT Workstation 4.0 and <a class="indexterm" name="ch03-idx-948159-0"></a> +<a class="indexterm" name="ch03-idx-948159-1"></a>Server 4.0. If it's not there, you can install it much like TCP/IP. In this case you need to press the Add button and then select Workstation Service, as shown in <a href="#ch03-40000" title="Figure 3.21. Select Network Service dialog box">Figure 3.21</a>.</p><div class="figure"><a name="ch03-40000"></a><p class="title"><b>Figure 3.21. Select Network Service dialog box </b></p><div class="figure-contents"><a class="indexterm" name="ch03-idx-948115-0"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0321.gif" height="285" alt="Select Network Service dialog box"></td></tr></table></div></div></div><br class="figure-break"></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-85837"></a>Configuring TCP/IP</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948163-0"></a> +<a class="indexterm" name="ch03-idx-948163-1"></a>After you've installed the Workstation service, return to the <a class="indexterm" name="ch03-idx-948172-0"></a>Protocols tab and select the TCP/IP Protocol entry in the window. Then click the Properties button below the window. The Microsoft TCP/IP Protocol panel will be displayed. There are five tabs on the Windows NT panel, and (like Windows 95/98) you will need to work on three of them:</p><div class="itemizedlist"><ul type="disc"><li><p>IP address</p></li><li><p>DNS</p></li><li><p>WINS address</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.1"></a>IP Address tab</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948191-0"></a>The IP Address tab is shown in <a href="#ch03-97098" title="Figure 3.22. Microsoft TCP/IP Properties for Windows NT">Figure 3.22</a>.</p><div class="figure"><a name="ch03-97098"></a><p class="title"><b>Figure 3.22. Microsoft TCP/IP Properties for Windows NT</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 380px"><td><img src="figs/sam.0322.gif" width="502" alt="Microsoft TCP/IP Properties for Windows NT"></td></tr></table></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="ch03-idx-948212-0"></a> +<a class="indexterm" name="ch03-idx-948212-1"></a>Select the "Specify an IP address" radio button and enter the computer's address and <a class="indexterm" name="ch03-idx-948231-0"></a> +<a class="indexterm" name="ch03-idx-948231-1"></a>subnet mask in the space provided for the proper adapter (Ethernet card). You or your network manager should have selected an address for the client on the same subnet (LAN) as the Samba server. For example, if the server's address is 192.168.236.86 and its network mask 255.255.255.0, you might use the address 192.168.236.10, if it is available, for the NT workstation, along with the same <a class="indexterm" name="ch03-idx-948235-0"></a>netmask. If you use <a class="indexterm" name="ch03-idx-948242-0"></a>DHCP on your network, select the "Obtain an IP Address from a DHCP server" button.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you don't have an IP address to use, and you are on a network by yourself, steal ours, as the 192.168.<span class="emphasis"><em>x.x</em></span> subnet is specifically reserved by the Internic for LANs. If you're not by yourself, see your system administrator for some available addresses on your network.</p></div><p>The<a class="indexterm" name="ch03-idx-948244-0"></a> gateway field refers to a machine typically known as a <span class="emphasis"><em>router</em></span> +<a class="indexterm" name="ch03-idx-948243-0"></a>. If you have routers connecting multiple networks, you should put in the IP address of the one on your subnet.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.2"></a>DNS tab</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948199-0"></a>Next we go to the tab for DNS, as shown in <a href="#ch03-61878" title="Figure 3.23. The DNS panel">Figure 3.23</a>. This brings up the DNS panel.</p><div class="figure"><a name="ch03-61878"></a><p class="title"><b>Figure 3.23. The DNS panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 407px"><td><img src="figs/sam.0323.gif" width="502" alt="The DNS panel"></td></tr></table></div></div></div><br class="figure-break"><p>The <a class="indexterm" name="ch03-idx-948248-0"></a> +<a class="indexterm" name="ch03-idx-948248-1"></a>Domain Name System (DNS) is responsible for translating human-readable computer names such as <span class="emphasis"><em>atrish.example.com</em></span> into IP addresses such as 192.168.236.10. There are two ways to accomplish this on a NT machine. First, you can specify a DNS server to do the translation for you, or you can keep a local list of name/address pairs for your workstation to refer to.</p><p>For a LAN that's not on the Internet, the list of possible hosts is typically small and well known, and may be kept in a file locally. Networks that are connected to the Internet typically use DNS service since it isn't possible to guess ahead of time what addresses you might be accessing out on the net. If you are in doubt as to whether a DNS server is being used, or what its address might be, look at the file <span class="emphasis"><em>/etc/resolv.conf</em></span> on your Samba server: any machine using DNS will have this file. It looks like the following:</p><pre class="programlisting">#resolv.conf +domain example.com +nameserver 127.0.0.1 +nameserver 192.168.236.20</pre><p>In this example, the first nameserver in the list is 127.0.0.1, which indicates that the Samba server is also a DNS server for this LAN.<sup>[<a name="ch03-pgfId-946587" href="#ftn.ch03-pgfId-946587">3</a>]</sup> In that case, you would use its network IP address (not 127.0.0.1, its localhost address) when filling in the DNS Configuration dialog box. Otherwise, use the other addresses you find in the lines beginning with <code class="literal">nameserver</code>. Try to select ones on your own network. Any name servers listed in <span class="emphasis"><em>/etc/resolv.conf</em></span> should work, but you'll get better performance by using a server nearby.</p><p>Finally, enter the machine name once more, making sure that it's the same one listed in the Identification tab of the Network dialog box (before the NetBIOS name). Also, enter the DNS domain on which this machine resides. For example, if your workstation has a domain name such as <span class="emphasis"><em>example.com</em></span>, enter it here. You can safely ignore the other options.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.3"></a>WINS Address tab</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948207-0"></a> +<a class="indexterm" name="ch03-idx-948207-1"></a> +<a class="indexterm" name="ch03-idx-948207-2"></a>If you are not using a DNS server, you still need a way of translating NetBIOS names to addresses and back again. We recommend that you configure both DNS and WINS; <a class="indexterm" name="ch03-idx-948268-0"></a>NT has a preference for WINS and WINS can use DNS as a fallback if it cannot resolve any machine address. The WINS Address tab is shown in <a href="#ch03-20855" title="Figure 3.24. The WINS Address tab">Figure 3.24</a>.</p><div class="figure"><a name="ch03-20855"></a><p class="title"><b>Figure 3.24. The WINS Address tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 342px"><td><img src="figs/sam.0324.gif" width="502" alt="The WINS Address tab"></td></tr></table></div></div></div><br class="figure-break"><p>If you have a WINS server, enter its address in the space marked Primary WINS Server. If your Samba server is providing WINS service (in other words, you have the line <code class="literal">wins</code> <code class="literal">service</code> <code class="literal">=</code> <code class="literal">yes</code> in the <span class="emphasis"><em>smb.conf</em></span> file of your Samba server), provide the Samba server's IP address here. Otherwise, provide the address of another WINS server on your network.</p><p>You probably noticed that there is a field here for the adaptor; this field must specify the <a class="indexterm" name="ch03-idx-948269-0"></a>Ethernet adaptor that you're running TCP/IP on so that WINS will provide name service on the correct network. If you have both a LAN and a dialup adaptor, make sure you have the LAN's adaptor here.</p><p>Finally, select the "Enable DNS for Windows Resolution" checkbox, so WINS will try <a class="indexterm" name="ch03-idx-948270-0"></a>DNS as a fallback if it can't find a name. You can safely ignore the other options.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.4"></a>Hosts files</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948271-0"></a>If you don't have either DNS or WINS, and you don't wish to use broadcast name resolution, you'll need to provide a table of IP addresses and hosts names, in standard Unix <code class="filename">/etc/hosts</code> format. We recommend against this because maintenance of this file on any dynamic network is troublesome, but we will explain it just the same. The Windows host file should appear in the <span class="emphasis"><em>\WINDOWS\HOSTS</em></span> +<a class="indexterm" name="ch03-idx-948273-0"></a> directory of whatever local drive Windows is installed on. A sample follows:</p><pre class="programlisting">127.0.0.1 localhost +192.168.236.1 escrime escrime.example.com +192.168.236.2 riposte riposte.example.com +192.168.236.3 wizzin wizzin.example.com +192.168.236.4 touche touche.example.com +192.168.236.5 gurgi gurgi.example.com +192.168.236.6 jessiac jessiac.example.com +192.168.236.7 skyline skyline.example.com</pre><p>If you wish, you can copy the contents directly from the Samba server's<code class="filename"> /etc/hosts</code>. The format is identical. This file will then serve the same purpose as the hosts file on the Unix server. Again, <span class="emphasis"><em>hosts</em></span> files on Windows should only be used as a last resort.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.5"></a>Bindings</h4></div></div></div><p>The term <em class="firstterm">bindings</em> +<a class="indexterm" name="ch03-idx-948274-0"></a> +<a class="indexterm" name="ch03-idx-948274-1"></a> is a way of saying "connected together at configuration time." It means that the TCP/IP protocol will channel through the Ethernet card (instead of, say, a dialup connection), and is actually connected properly. If you return to the Network dialog box and set the Show field to "all services" and click on all the + buttons in the tree, you should see a display similar to <a href="#ch03-83060" title="Figure 3.25. Service bindings">Figure 3.25</a>.</p><div class="figure"><a name="ch03-83060"></a><p class="title"><b>Figure 3.25. Service bindings</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 332px"><td><img src="figs/sam.0325.gif" height="332" alt="Service bindings"></td></tr></table></div></div></div><br class="figure-break"><p>This means that the Workstation, Server, and NetBIOS interface services are connected to the WINS client. This is the correct binding for Microsoft TCP/IP.<a class="indexterm" name="ch03-idx-948166-0"></a> +<a class="indexterm" name="ch03-idx-948166-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-2.3"></a>Connecting to the Samba Server</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948286-0"></a>You can safely leave the default values for the remainder of the tabs in the Network dialog box. Click on the OK button to complete the configuration. Once the proper files are loaded (if any), you will need to reboot in order for your changes to take effect.</p><p>Now for the big moment. Your Samba server is running and you have set up your NT client to communicate with it. After the machine reboots, login and double-click the <a class="indexterm" name="ch03-idx-948283-0"></a> +<a class="indexterm" name="ch03-idx-948283-1"></a>Network Neighborhood icon on the desktop, and you should see your Samba server listed as a member of the workgroup, as shown in <a href="#ch03-50785" title="Figure 3.26. Windows NT Network Neighborhood">Figure 3.26</a>.</p><div class="figure"><a name="ch03-50785"></a><p class="title"><b>Figure 3.26. Windows NT Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 163px"><td><img src="figs/sam.0326.gif" height="163" alt="Windows NT Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="ch03-idx-949153-0"></a>Double-clicking the server name will show the resources that the server is offering to the network, as shown in <a href="#ch03-89532" title="Figure 3.27. Server's shares">Figure 3.27</a>. In this case, the test and the default printer are offered to the Window NT workstation. For more information, see the warning under <a href="#ch03-13238" title="Accessing the Samba Server">Section 3.1.4</a> earlier in this chapter.</p><div class="figure"><a name="ch03-89532"></a><p class="title"><b>Figure 3.27. Server's shares</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 152px"><td><img src="figs/sam.0327.gif" height="152" alt="Server's shares"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you are presented with a dialog requesting the password for a user <code class="literal">IPC$</code>, then Samba did not accept the password that was sent from the client. In this case, the username and the password that were created on the client side <span class="emphasis"><em>must</em></span> match the username/password combination on the Samba server. If you are using Windows 98 or Windows NT Service Pack 3 or above, this is probably because the client is sending encrypted passwords instead of plaintext passwords. You can remedy this situation by performing two steps on the Samba server. First, add the following entry to the <code class="literal">[global]</code> section of your Samba configuration file: <code class="literal">encrypt password=yes</code>. Second, find the <code class="filename">smbpasswd</code> program on the samba server (it is located in <code class="filename">/usr/local/samba/bin</code> by default) and use it to add an entry to Samba's encrypted password database. For example, to add user <code class="literal">steve</code> to Samba's encrypted password database, type <em class="replaceable"><code>smbpasswd -a steve</code></em>. The first time you enter this password, the program will output an error message indicating that the password database does not exist; it will then create the database, which is typically stored in <code class="filename">/usr/local/samba/private/smbpasswd</code>.</p></div><p>If you don't see the server listed, don't panic. Start the Windows NT Explorer (not Internet Explorer!) and select Map Network Drive from the Tools menu. A dialog box appears that allows you to type the name of your server and its share directory in Windows format. For example, you would enter <code class="filename">\\</code><em class="replaceable"><code>server</code></em><code class="filename">\temp</code> if your server happened to be named "server." If things still aren't right, go directly to <a href="#ch09-29538" title="The Fault Tree">Section 9.2</a> in <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>, to see if you can troubleshoot what is wrong with the network.</p><p>If it works, congratulations! Try writing to the server and sending data to the network printer. You will be pleasantly surprised how seamlessly everything works! Now that you've finished setting up the Samba server and its clients, we can starting talking about how Samba works and how to configure it to your liking. <a class="indexterm" name="ch03-idx-947946-0"></a> +<a class="indexterm" name="ch03-idx-947946-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch03-64069"></a>An Introduction to SMB/CIFS</h2></div></div></div><p> +<a class="indexterm" name="ch03-idx-948288-0"></a>We'll wrap up this chapter with a short tutorial on SMB/CIFS. SMB/CIFS is the protocol that Windows 95/98 and NT machines use to communicate with the Samba server and each other. At a high level, the SMB protocol suite is relatively simple. It includes commands for all of the file and print operations that you might do on a local disk or printer, such as:</p><div class="itemizedlist"><ul type="disc"><li><p> Opening and closing a file</p></li><li><p> Creating and deleting files and directories</p></li><li><p> Reading and writing a file</p></li><li><p> Searching for files</p></li><li><p> Queueing and dequeueing files to a print spool</p></li></ul></div><p>Each of these operations can be encoded into an SMB message and transmitted to and from a server. The original name SMB comes from their data format: these are versions of the standard DOS system-call data structures, or <em class="firstterm">Server Message Blocks</em>, redesigned for transmitting to another machine across a network.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.1"></a>SMB Format</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948317-0"></a>Richard <a class="indexterm" name="ch03-idx-948318-0"></a>Sharpe of the Samba team defines SMB as a "request-response" protocol.<sup>[<a name="ch03-pgfId-942928" href="#ftn.ch03-pgfId-942928">4</a>]</sup> In effect, this means that a client sends an SMB request to a server, and the server sends an <a class="indexterm" name="ch03-idx-948320-0"></a> +<a class="indexterm" name="ch03-idx-948320-1"></a>SMB response back to the client. Rarely does a server send a message that is not in response to a client.</p><p>An SMB message is not as complex as you might think. Let's take a closer look at the internal structure of such a message. It can be broken down into two parts: the <em class="firstterm">header</em> +<a class="indexterm" name="ch03-idx-948321-0"></a>, which is a fixed size, and the <em class="firstterm">command string</em>, whose size can vary dramatically based on the contents of the message.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.1.1"></a>SMB header format</h4></div></div></div><p><a href="#ch03-31015" title="Table 3.1. SMB Header Fields">Table 3.1</a> shows the format of an SMB header. SMB commands are not required to use all the fields in the SMB header. For example, when a client first attempts to connect to a server, it does not yet have a <a class="indexterm" name="ch03-idx-948332-0"></a> +<a class="indexterm" name="ch03-idx-948332-1"></a>tree identifier (TID) value—one is assigned after it successfully connects—so a <a class="indexterm" name="ch03-idx-948333-0"></a>null TID (0xFFFF) is placed in its header field. Other fields may be padded with zeros when not used.</p><p>The fields of the SMB header are listed in <a href="#ch03-31015" title="Table 3.1. SMB Header Fields">Table 3.1</a>.</p><div class="table"><a name="ch03-31015"></a><p class="title"><b>Table 3.1. SMB Header Fields </b></p><div class="table-contents"><table summary="SMB Header Fields " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Field</p></th><th><p>Size (bytes)</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">0xFF 'SMB'</code></p></td><td><p><code class="literal">1</code></p></td><td><p> +<a class="indexterm" name="ch03-idx-948337-0"></a>Protocol identifier</p></td></tr><tr><td><p><code class="literal">COM</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Command code, from 0x00 to 0xFF</p></td></tr><tr><td><p><code class="literal">RCLS</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Error class</p></td></tr><tr><td><p><code class="literal">REH</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Reserved</p></td></tr><tr><td><p><code class="literal">ERR</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Error code</p></td></tr><tr><td><p><code class="literal">REB</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Reserved</p></td></tr><tr><td><p><code class="literal">RES</code></p></td><td><p><code class="literal">14</code></p></td><td><p>Reserved</p></td></tr><tr><td><p><code class="literal">TID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Tree identifier; a unique ID for a resource in use by client</p></td></tr><tr><td><p><code class="literal">PID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Caller process ID</p></td></tr><tr><td><p><code class="literal">UID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>User identifier</p></td></tr><tr><td><p><code class="literal">MID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Multiplex identifier; used to route requests inside a process</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.1.2"></a>SMB command format</h4></div></div></div><p><em class="firstterm"></em> +<a class="indexterm" name="ch03-idx-948328-0"></a>Immediately after the header is a variable number of bytes that constitute an SMB command or reply. Each command, such as Open File (COM field identifier: <code class="literal">SMBopen</code>) or Get Print Queue (<code class="literal">SMBsplretq </code>), has its own set of parameters and data. Like the SMB header fields, not all of the command fields need to be filled, depending on the specific command. For example, the Get Server Attributes (<code class="literal">SMBdskattr</code>) command sets the WCT and BCC fields to zero. The fields of the command segment are shown in <a href="#ch03-38178" title="Table 3.2. SMB Command Contents">Table 3.2</a>.</p><div class="table"><a name="ch03-38178"></a><p class="title"><b>Table 3.2. SMB Command Contents </b></p><div class="table-contents"><table summary="SMB Command Contents " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Field</p></th><th><p>Size in Bytes</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">WCT</code></p></td><td><p><code class="literal">1</code></p></td><td><p><em class="firstterm"></em> +<a class="indexterm" name="ch03-idx-948340-0"></a>Word count</p></td></tr><tr><td><p><code class="literal">VWV</code></p></td><td><p>Variable</p></td><td><p>Parameter words (size given by WCT)</p></td></tr><tr><td><p><code class="literal">BCC</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Parameter byte count</p></td></tr><tr><td><p><code class="literal">DATA</code></p></td><td><p>Variable</p></td><td><p>Data (size given by BCC)</p></td></tr></tbody></table></div></div><br class="table-break"><p>Don't worry if you don't understand each of these fields; they are not necessary for using Samba at an administrator level. However, they do come in handy when debugging system messages. We will show you some of the more common SMB messages that clients and servers send using a modified version of <code class="filename">tcpdump</code> later in this section. (If you would like an SMB sniffer with a graphical interface, try "ethereal," which uses the GTK libraries; see the Samba homepage for more information on this tool.)</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch03-resources-for-further-information"></a>Tip</h3><p>If you would like more information on each of the commands for the SMB protocol, see the SMB/CIFS documentation at <code class="systemitem">ftp://ftp.microsoft.com/developr/drg/CIFS/</code>.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.1.3"></a>SMB variations</h4></div></div></div><p>The SMB protocol has been extended with new commands several times since its inception. Each new version is backwards compatible with the previous versions. This makes it quite possible for a LAN to have various clients and servers running different versions of the SMB protocol at once.</p><p><a href="#ch03-67366" title="Table 3.3. SMB Protocol Dialects">Table 3.3</a> outlines the major versions of the SMB protocol. Within each "dialect" of SMB are many sub-versions that include commands supporting particular releases of major operating systems. The ID string is used by clients and servers to determine what level of the protocol they will speak to each other.</p><div class="table"><a name="ch03-67366"></a><p class="title"><b>Table 3.3. SMB Protocol Dialects </b></p><div class="table-contents"><table summary="SMB Protocol Dialects " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Protocol Name</p></th><th><p>ID String</p></th><th><p>Used By</p></th></tr></thead><tbody><tr><td><p>Core</p></td><td><p><code class="literal">PC NETWORK PROGRAM 1.0</code></p></td><td> </td></tr><tr><td><p>Core Plus</p></td><td><p><code class="literal">MICROSOFT NETWORKS 1.03 </code></p></td><td> </td></tr><tr><td><p>LAN Manager 1.0</p></td><td><p><code class="literal">LANMAN1.0</code></p></td><td> </td></tr><tr><td><p>LAN Manager 2.0</p></td><td><p><code class="literal">LM1.2X002</code></p></td><td> </td></tr><tr><td><p>LAN Manager 2.1</p></td><td><p><code class="literal">LANMAN2.1</code></p></td><td> </td></tr><tr><td><p>NT LAN Manager 1.0</p></td><td><p><code class="literal">NT LM 0.12</code></p></td><td><p>Windows NT 4.0</p></td></tr><tr><td><p>Samba's NT LM 0.12</p></td><td><p><code class="literal">Samba</code></p></td><td><p>Samba</p></td></tr><tr><td><p>Common Internet File System</p></td><td><p><code class="literal">CIFS 1.0</code></p></td><td><p>Windows 2000</p></td></tr></tbody></table></div></div><br class="table-break"><p>Samba implements the <code class="literal">NT</code> <code class="literal">LM</code> <code class="literal">0.12</code> specification for NT LAN Manager 1.0. It is backwards compatible with all of the other SMB variants. The CIFS specification is, in reality, LAN Manager 0.12 with a few specific additions.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.2"></a>SMB Clients and Servers</h3></div></div></div><p>As mentioned earlier, SMB is a client/server protocol. In the purest sense, this means that a client sends a request to a server, which acts on the request and returns a reply. However, the client/server roles can often be reversed, sometimes within the context of a single SMB session. For example, consider the two Windows 95/98 computers in <a href="#ch03-69480" title="Figure 3.28. Two computers that both have resources to share">Figure 3.28</a>. The computer named WIZZIN shares a printer to the network, and the computer named ESCRIME shares a disk directory. WIZZIN is in the client role when accessing ESCRIME's network drive, and in the server role when printing a job for ESCRIME.</p><div class="figure"><a name="ch03-69480"></a><p class="title"><b>Figure 3.28. Two computers that both have resources to share</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 153px"><td><img src="figs/sam.0328.gif" height="153" alt="Two computers that both have resources to share"></td></tr></table></div></div></div><br class="figure-break"><p>This brings out an important point in Samba terminology:</p><div class="itemizedlist"><ul type="disc"><li><p>A <em class="firstterm">server</em> is a machine with a resource to share.</p></li><li><p>A <em class="firstterm">client</em> is a machine that wishes to use that resource.</p></li><li><p>A server can be a client (of another computer's resource) at any given time.</p></li></ul></div><p>Note that there are no implications as to the amount of resources that make up a server, or whether it has a large disk space or fast processor. A server could be an old 486 with a printer attached to it, or it could be an UltraSparc station with a 10 gigabyte disk service.</p><p>Microsoft Windows products have both the SMB client and server built in to the operating system. <a class="indexterm" name="ch03-idx-948356-0"></a>Wndows NT 4.0 uses a newer SMB protocol than Windows for Workgroups, and it offers an enhanced form of network security which will be discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>. In addition, there are a large number of commercial <a class="indexterm" name="ch03-idx-948361-0"></a>SMB server products available from companies such as Sun, Compaq, SCO, Hewlett-Packard, Syntax, and IBM. Unfortunately, on the client side there are far fewer offerings, limited mainly to Digital Equipment's Pathworks product, and of course, Samba.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.3"></a>A Simple SMB Connection</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948363-0"></a> +<a class="indexterm" name="ch03-idx-948363-1"></a>Before we close this chapter, let's take a look at a simple SMB connection. This is some pretty technical data—which isn't really necessary to administer Samba—so you can skip over it if you like. We present this information largely as a way to help you get familiar with how the SMB protocol negotiates connections with other computers on the network.</p><p>There are four steps that the client and server must complete in order to establish a connection to a resource:</p><div class="orderedlist"><ol type="1"><li><p> Establish a virtual connection.</p></li><li><p> Negotiate the protocol variant to speak.</p></li><li><p> Set session parameters.</p></li><li><p> Make a tree connection to a resource.</p></li></ol></div><p>We will examine each of these steps through the eyes of a useful tool that we mentioned earlier: the modified <code class="filename">tcpdump</code> +<a class="indexterm" name="ch03-idx-948362-0"></a> +<a class="indexterm" name="ch03-idx-948362-1"></a> that is available from the Samba web site.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>You can download this program at <code class="filename">samba.org</code> in the <code class="filename">samba/ftp/tcpdump-smb</code> directory; the latest version as of this writing is 3.4-5. Use this program as you would use the standard <code class="filename">tcpdump</code> application, but add the <code class="literal">-s 1500</code> switch to ensure that you get the whole packet and not just the first few bytes.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.3.1"></a>Establishing a virtual connection</h4></div></div></div><p> +<a class="indexterm" name="ch03-idx-948365-0"></a> +<a class="indexterm" name="ch03-idx-948365-1"></a>When a user first makes a request to access a network disk or send a print job to a remote printer, NetBIOS takes care of making a connection at the <a class="indexterm" name="ch03-idx-948366-0"></a>session layer. The result is a bidirectional virtual channel between the client and server. In reality, there are only two messages that the client and server need to establish this connection. This is shown in the following example session request and response, as captured by <code class="filename">tcpdump</code> :</p><pre class="programlisting">>>> NBT Packet +NBT Session Request +Flags=0x81000044 +Destination=ESCRIME NameType=0x20 (Server) +Source=WIZZIN NameType=0x00 (Workstation) + +>>> NBT Packet +NBT Session Granted +Flags=0x82000000</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.4"></a>Negotiating the Protocol Variant</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948367-0"></a>At this point, there is an open channel between the client and server. Next, the client sends a message to the server to negotiate an SMB protocol. As mentioned earlier, the client sets its <a class="indexterm" name="ch03-idx-948373-0"></a> +<a class="indexterm" name="ch03-idx-948373-1"></a>tree identifier (TID) field to zero, since it does not yet know what TID to use. A <span class="emphasis"><em>tree identifier</em></span> is a number that represents a connection to a share on a server.</p><p>The command in the message is <code class="literal">SMBnegprot</code>, a request to negotiate a protocol variant that will be used for the entire session. Note that the client sends to the server a list of all of the variants that it can speak, not vice versa.</p><p>The server responds to the <code class="literal">SMBnegprot</code> request with an index into the list of variants that the client offered, starting with index 0, or with the value 0xFF if none of the protocol variants are acceptable. Continuing this example, the server responds with the value 5, which indicates that the <code class="literal">NT</code> <code class="literal">LM</code> <code class="literal">0.12</code> dialect will be used for the remainder of the session:</p><pre class="programlisting">>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=154 + +SMB PACKET: SMBnegprot (REQUEST) +SMB Command = 0x72 +Error class = 0x0 +Error code = 0 +Flags1 = 0x0 +Flags2 = 0x0 +Tree ID = 0 +Proc ID = 5371 +UID = 0 +MID = 385 +Word Count = 0 +Dialect=PC NETWORK PROGRAM 1.0 +Dialect=MICROSOFT NETWORKS 3.0 +Dialect=DOS LM1.2X002 +Dialect=DOS LANMAN2.1 +Dialect=Windows for Workgroups 3.1a +Dialect=NT LM 0.12 + +>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=69 + +SMB PACKET: SMBnegprot (REPLY) +SMB Command = 0x72 +Error class = 0x0 +Error code = 0 +Flags1 = 0x0 +Flags2 = 0x1 +Tree ID = 0 +Proc ID = 5371 +UID = 0 +MID = 385 +Word Count = 02 +[000] 05 00</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.5"></a>Set Session and Login Parameters</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948377-0"></a> +<a class="indexterm" name="ch03-idx-948377-1"></a>The next step is to transmit session and login parameters for the session. This includes the account name and password (if there is one), the workgroup name, the maximum size of data that can be transferred, and the number of pending requests that may be in the queue at any one time.</p><p>In the following example, the Session Setup command presented allows for an additional SMB command to be piggybacked onto it. The letter X at the end of the command name indicates this, and the hexadecimal code of the second command is given in the <code class="literal">Com2</code> field. In this case the command is <code class="literal">0x75</code>, which is the Tree Connect and X command. The <code class="literal">SMBtconX</code> message looks for the name of the resource in the <span><strong class="command">smb_buf</strong></span> buffer. (This is the last field listed in the following request.) In this example, <span><strong class="command">smb_buf</strong></span> contains the string <code class="literal">\\ESCRIME\PUBLIC</code>, which is the full pathname to a shared directory on node ESCRIME. Using the "and X" commands like this speeds up each transaction, since the server doesn't have to wait on the client to make a second request.</p><p>Note that the <a class="indexterm" name="ch03-idx-948382-0"></a> +<a class="indexterm" name="ch03-idx-948382-1"></a>TID is still zero. The server will provide a TID to the client once the session has been established and a connection has been made to the requested resource. In addition, note that the password is sent in the open. We can change this later using encrypted passwords:</p><pre class="programlisting">>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=139 + +SMB PACKET: SMBsesssetupX (REQUEST) +SMB Command = 0x73 +Error class = 0x0 +Error code = 0 +Flags1 = 0x10 +Flags2 = 0x0 +Tree ID = 0 +Proc ID = 5371 +UID = 1 +MID = 385 +Word Count = 13 +Com2=0x75 +Res1=0x0 +Off2=106 +MaxBuffer=2920 +MaxMpx=2 +VcNumber=0 +SessionKey=0x1FF2 +CaseInsensitivePasswordLength=1 +CaseSensitivePasswordLength=1 +Res=0x0 +Capabilities=0x1 +Pass1&Pass2&Account&Domain&OS&LanMan= + KRISTIN PARKSTR Windows 4.0 Windows 4.0 +PassLen=2 +Passwd&Path&Device= +smb_bcc=22 +smb_buf[]=\\ESCRIME\PUBLIC</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.6"></a>Making Connection to a Resource</h3></div></div></div><p> +<a class="indexterm" name="ch03-idx-948383-0"></a> +<a class="indexterm" name="ch03-idx-948383-1"></a>For the final step, the server returns a TID to the client, indicating that the user has been authorized access and that the resource is ready to be used. It also sets the <span><strong class="command">ServiceType</strong></span> field to "A" to indicate that this is a file service. Available service types are:</p><div class="itemizedlist"><ul type="disc"><li><p> "A" for a disk or file</p></li><li><p> "LPT1" for a spooled output</p></li><li><p> "COMM" for a direct-connect printer or modem</p></li><li><p> "IPC" for a named pipe</p></li></ul></div><p>The output is:</p><pre class="programlisting">>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=78 + +SMB PACKET: SMBsesssetupX (REPLY) +SMB Command = 0x73 +Error class = 0x0 +Error code = 0 +Flags1 = 0x80 +Flags2 = 0x1 +Tree ID = 121 +Proc ID = 5371 +UID = 1 +MID = 385 +Word Count = 3 +Com2=0x75 +Off2=68 +Action=0x1 +[000] Unix Samba 1.9.1 +[010] PARKSTR + +SMB PACKET: SMBtconX (REPLY) (CHAINED) +smbvwv[]= +Com2=0xFF +Off2=78 +smbbuf[]= +ServiceType=A:</pre><p>Now that a TID has been assigned, the client may issue any sort of command that it would use on a local disk drive. It can open files, read and write to them, delete them, create new files, search for filenames, and so<a class="indexterm" name="ch03-idx-948291-0"></a> on.<a class="indexterm" name="ch03-idx-947921-0"></a> +<a class="indexterm" name="ch03-idx-947921-1"></a></p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-942097" href="#ch03-pgfId-942097">1</a>] </sup>We can disqualify the other address because every Unix machine has a localhost address of 127.0.0.1 whether it is connected to a network or not. This address is required for some system tools to operate correctly.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-943371" href="#ch03-pgfId-943371">2</a>] </sup>A common occurrence: after looking at the unused protocol for a while, the machine will time out and try the good one. This fruitless searching gives you terrible performance and mysterious delays.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-946587" href="#ch03-pgfId-946587">3</a>] </sup>The address 127.0.0.1 is known as the <span class="emphasis"><em>localhost</em></span> +<a class="indexterm" name="ch03-idx-948263-0"></a> address, and always refers to itself. For example, if you type <code class="literal">ping 127.0.0.1</code> on a Unix server, you should always get a response, as you're pinging the host itself.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-942928" href="#ch03-pgfId-942928">4</a>] </sup>See <code class="systemitem">http://anu.samba.org/cifs/docs/what-is-smb.html</code> for Richard's excellent summary of SMB.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch04-21486"></a>Chapter 4. Disk Shares </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch04-76968">4.1. Learning the Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-52415">4.1.1. Configuration File Structure</a></span></dt><dt><span class="sect2"><a href="#ch04-87365">4.1.2. Variables</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-81402">4.2. Special Sections</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-2.1">4.2.1. The [globals] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.2">4.2.2. The [ homes] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.3">4.2.3. The [printers] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.4">4.2.4. Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-46076">4.3. Configuration File Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-3.0.1">4.3.1. +config file</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.2">4.3.2. +include</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.3">4.3.3. +copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-71382">4.4. Server Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-4.1">4.4.1. Server Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-14274">4.5. Disk Share Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-5.1">4.5.1. Disk Share Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-86705">4.6. Networking Options with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-6.1">4.6.1. Networking Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-16899">4.7. Virtual Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-7.0.1">4.7.1. +netbios aliases</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-29331">4.8. Logging Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-97929">4.8.1. Using syslog</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-8.1">4.8.2. Logging Configuration Options</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="ch04-idx-967030-0"></a>In the previous three chapters, we showed you how to install Samba on a Unix server and set up Windows clients to use a simple disk share. This chapter will show you how Samba can assume more productive roles on your network.</p><p>Samba's <a class="indexterm" name="ch04-idx-967124-0"></a>daemons, <span class="emphasis"><em>smbd</em></span> +<a class="indexterm" name="ch04-idx-967122-0"></a> and <span class="emphasis"><em>nmbd</em></span> +<a class="indexterm" name="ch04-idx-967123-0"></a>, are controlled through a single ASCII file, <code class="filename">smb.conf</code>, that can contain over 200 unique options. These options define how Samba reacts to the network around it, including everything from simple permissions to encrypted connections and NT domains. The next five chapters are designed to help you get familiar with this file and its options. Some of these options you will use and change frequently; others you may never use—it all depends on how much functionality you want Samba to offer its clients.</p><p>This chapter introduces the structure of the Samba configuration file and shows you how to use these options to create and modify disk shares. Subsequent chapters will discuss browsing, how to configure users, security, domains, and printers, and a host of other myriad topics that you can implement with Samba on your network.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-76968"></a>Learning the Samba Configuration File</h2></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch04-idx-968372-0"></a>Here is an <code class="filename"></code> +<a class="indexterm" name="ch04-idx-968374-0"></a>example of a Samba configuration file. If you have worked with a Windows .INI file, the structure of the <code class="filename">smb.conf </code> file should look very familiar:</p><pre class="programlisting">[global] + log level = 1 + max log size = 1000 + socket options = TCP_NODELAY IPTOS_LOWDELAY + guest ok = no +[homes] + browseable = no + map archive = yes +[printers] + path = /usr/tmp + guest ok = yes + printable = yes +[test] + browseable = yes + read only = yes + guest ok = yes + path = /export/samba/test</pre><p>Although you may not understand the contents yet, this is a good configuration file to grab if you're in a hurry. (If you're not, we'll create a new one from scratch shortly.) In a nutshell, this configuration file sets up basic debug logging in a default log file not to exceed 1MB, optimizes TCP/IP socket connections between the Samba server and any SMB clients, and allows Samba to create a disk share for each user that has a standard Unix account on the server. In addition, each of the printers registered on the server will be publicly available, as will a single read-only share that maps to the <code class="filename">/export/samba/test</code> directory. The last part of this file is similar to the disk share you used to test Samba in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-52415"></a>Configuration File Structure</h3></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch04-idx-967054-0"></a>Let's take another look at this configuration file, this time from a higher level:</p><pre class="programlisting">[global] + ... +[homes] + ... +[printers] + ... +[test] + ...</pre><p>The names inside the <a class="indexterm" name="ch04-idx-967103-0"></a>square brackets delineate unique sections of the <code class="filename">smb.conf</code> file; each <a class="indexterm" name="ch04-idx-967104-0"></a>section names the <em class="firstterm">share</em> +<a class="indexterm" name="ch04-idx-967105-0"></a> (or <a class="indexterm" name="ch04-idx-967106-0"></a>service) that the section refers to. For example, the <code class="literal">[test]</code> and <code class="literal">[homes]</code> sections are each unique disk shares; they contain options that map to specific directories on the Samba server. The <code class="literal">[printers]</code> share contains options that map to various printers on the server. All the sections defined in the <code class="filename">smb.conf</code> file, with the exception of the <code class="literal">[global]</code> section, will be available as a disk or printer share to clients connecting to the Samba server.</p><p>The remaining lines are individual configuration options unique to that share. These options will continue until a new bracketed section is encountered, or until the end of the file is reached. Each <a class="indexterm" name="ch04-idx-967107-0"></a> +<a class="indexterm" name="ch04-idx-967107-1"></a>configuration option follows a simple format:</p><pre class="programlisting"><em class="replaceable"><code>option</code></em> = <em class="replaceable"><code>value</code></em></pre><p>Options in the <code class="filename">smb.conf</code> file are set by assigning a value to them. We should warn you up front that some of the <a class="indexterm" name="ch04-idx-967109-0"></a>option names in Samba are poorly chosen. For example, <code class="literal">read</code> <code class="literal">only</code> is self-explanatory, and is typical of many recent Samba options. <code class="literal">public</code> is an older option, and is vague; it now has a less-confusing synonym <code class="literal">guest</code> <code class="literal">ok</code> (may be accessed by guests). We describe some of the more common historical names in this chapter in sections that highlight each major task. In addition, <a href="#SAMBA-AP-C" title="Appendix C. Samba Configuration Option Quick Reference">Appendix C</a>, contains an alphabetical index of all the configuration options and their meanings.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.1"></a>Whitespaces, quotes, and commas</h4></div></div></div><p>An important item to remember about configuration options is that all <a class="indexterm" name="ch04-idx-967110-0"></a>whitespaces in the <em class="replaceable"><code>value</code></em> are significant. For example, consider the following option:</p><pre class="programlisting">volume = The Big Bad Hard Drive Number 3543</pre><p>Samba strips away the spaces between the final <code class="literal">e</code> in <code class="literal">volume</code> and the first <code class="literal">T</code> in <code class="literal">The</code>. These whitespaces are insignificant. The rest of the whitespaces are significant and will be recognized and preserved by Samba when reading in the file. Space is not significant in option names (such as <code class="literal">guest</code> <code class="literal">ok</code>), but we recommend you follow convention and keep spaces between the words of options.</p><p>If you feel safer including <a class="indexterm" name="ch04-idx-967111-0"></a>quotation marks at the beginning and ending of a configuration option's value, you may do so. Samba will ignore these quotation marks when it encounters them. Never use quotation marks around an option itself; Samba will treat this as an error.</p><p>Finally, you can use whitespaces to separate a series of values in a list, or you can use commas. These two options are equivalent:</p><pre class="programlisting">netbios aliases = sales, accounting, payroll +netbios aliases = sales accounting payroll</pre><p>In some values, however, you must use one form of separation—<a class="indexterm" name="ch04-idx-967367-0"></a>spaces in some cases, <a class="indexterm" name="ch04-idx-967112-0"></a>commas in others.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.2"></a>Capitalization</h4></div></div></div><p> +<a class="indexterm" name="ch04-idx-967113-0"></a>Capitalization is not important in the Samba configuration file except in locations where it would confuse the underlying operating system. For example, let's assume that you included the following option in a share that pointed to <code class="filename">/export/samba/simple </code>:</p><pre class="programlisting">PATH = /EXPORT/SAMBA/SIMPLE</pre><p>Samba would have no problem with the <code class="literal">path</code> configuration option appearing entirely in capital letters. However, when it tries to connect to the given directory, it would be unsuccessful because the Unix filesystem in the underlying operating system <span class="emphasis"><em>is</em></span> case sensitive. Consequently, the path listed would not be found and clients would be unable to connect to the share.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.3"></a>Line continuation</h4></div></div></div><p>You can continue a <a class="indexterm" name="ch04-idx-967114-0"></a>line in the Samba configuration file using the <a class="indexterm" name="ch04-idx-967115-0"></a> +<a class="indexterm" name="ch04-idx-967115-1"></a>backslash, as follows:</p><pre class="programlisting">comment = The first share that has the primary copies \ + of the new Teamworks software product.</pre><p>Because of the backslash, these two lines will be treated as one line by Samba. The second line begins at the first non-whitespace character that Samba encounters; in this case, the <code class="literal">o</code> in <code class="literal">of</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.4"></a>Comments</h4></div></div></div><p>You can insert <a class="indexterm" name="ch04-idx-967118-0"></a>comments in the <code class="filename">smb.conf</code> configuration file by preceding a line with either a<a class="indexterm" name="ch04-idx-967119-0"></a> +<a class="indexterm" name="ch04-idx-967119-1"></a> hash mark (#) or a<a class="indexterm" name="ch04-idx-967120-0"></a> +<a class="indexterm" name="ch04-idx-967120-1"></a> semicolon ( ; ). Both characters are equivalent. For example, the first three lines in the following example would be considered comments:</p><pre class="programlisting"># This is the printers section. We have given a minimum print +; space of 2000 to prevent some errors that we've seen when +; the spooler runs out of space. + +[printers] + public = yes + min print space = 2000</pre><p>Samba will ignore all comment lines in its configuration file; there are no limitations to what can be placed on a comment line after the initial hash mark or semicolon. Note that the line <a class="indexterm" name="ch04-idx-967121-0"></a> +<a class="indexterm" name="ch04-idx-967121-1"></a>continuation character (<code class="literal">\</code>) will <span class="emphasis"><em>not</em></span> be honored on a commented line. Like the rest of the line, it is ignored.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.5"></a>Changes at runtime</h4></div></div></div><p> +<a class="indexterm" name="ch04-idx-967126-0"></a>You can modify the <code class="filename">smb.conf</code> configuration file and any of its options at any time while the Samba daemons are running. By default, Samba checks the configuration file every 60 seconds for changes. If it finds any, the changes are immediately put into effect. If you don't wish to wait that long, you can force a reload by either sending a <a class="indexterm" name="ch04-idx-967127-0"></a>SIGHUP signal to the <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> processes, or simply restarting the daemons.</p><p>For example, if the <span class="emphasis"><em>smbd</em></span> <a class="indexterm" name="ch04-idx-967128-0"></a> +<a class="indexterm" name="ch04-idx-967128-1"></a> +<a class="indexterm" name="ch04-idx-967128-2"></a>process was 893, you could force it to reread the configuration file with the following command:</p><pre class="programlisting"># <span class="bold"><strong>kill -SIGHUP 893</strong></span></pre><p>Not all changes will be immediately recognized by clients. For example, changes to a share that is currently in use will not be registered until the client disconnects and reconnects to that share. In addition, server-specific parameters such as the workgroup or NetBIOS name of the server will not register immediately either. This keeps active clients from being suddenly disconnected or encountering unexpected access problems while a session is open.<code class="filename"></code> +<a class="indexterm" name="ch04-idx-967061-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-87365"></a>Variables</h3></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch04-idx-967393-0"></a> +<a class="indexterm" name="ch04-idx-967393-1"></a>Samba includes a complete set of variables for determining characteristics of the Samba server and the clients to which it connects. Each of these variables begins with a <a class="indexterm" name="ch04-idx-967129-0"></a> +<a class="indexterm" name="ch04-idx-967129-1"></a>percent sign, followed by a single uppercase or lowercase letter, and can be used only on the right side of a configuration option (e.g., after the equal sign):</p><pre class="programlisting">[pub] + path = /home/ftp/pub/%a</pre><p>The <code class="literal">%a</code> stands for the client machine's architecture (e.g., <code class="literal">WinNT</code> for Windows NT, <code class="literal">Win95</code> for Windows 95 or 98, or <code class="literal">WfWg</code> for Windows for Workgroups). Because of this, Samba will assign a unique <a class="indexterm" name="ch04-idx-967130-0"></a>path for the <code class="literal">[pub]</code> share to client machines running Windows NT, a different path for client machines running Windows 95, and another path for Windows for Workgroups. In other words, the paths that each client would see as its share differ according to the client's architecture, as follows:</p><pre class="programlisting">/home/ftp/pub/WinNT +/home/ftp/pub/Win95 +/home/ftp/pub/WfWg</pre><p>Using variables in this manner comes in handy if you wish to have different users run custom configurations based on their own unique characteristics or conditions. Samba has 19 variables, as shown in <a href="#ch04-10883" title="Table 4.1. Samba Variables">Table 4.1</a>.</p><div class="table"><a name="ch04-10883"></a><p class="title"><b>Table 4.1. Samba Variables </b></p><div class="table-contents"><table summary="Samba Variables " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td colspan="2"><p><span class="bold"><strong> +<a class="indexterm" name="ch04-idx-968086-0"></a>Client variables</strong></span></p></td></tr><tr><td><p><code class="literal">%a</code></p></td><td><p><code class="filename"></code> +<a class="indexterm" name="ch04-idx-968093-0"></a>Client's architecture (e.g., Samba, WfWg, WinNT, Win95, or UNKNOWN)</p></td></tr><tr><td><p><code class="literal">%I</code></p></td><td><p>Client's IP address (e.g., 192.168.220.100)</p></td></tr><tr><td><p><code class="literal">%m</code></p></td><td><p>Client's NetBIOS name</p></td></tr><tr><td><p><code class="literal">%M</code></p></td><td><p>Client's DNS name</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong> +<a class="indexterm" name="ch04-idx-968108-0"></a>User variables</strong></span></p></td></tr><tr><td><p><code class="literal">%g</code></p></td><td><p>Primary group of <code class="literal">%u</code></p></td></tr><tr><td><p><code class="literal">%G</code></p></td><td><p>Primary group of <code class="literal">%U</code></p></td></tr><tr><td><p><code class="literal">%H</code></p></td><td><p>Home directory of <code class="literal">%u</code></p></td></tr><tr><td><p><code class="literal">%u</code></p></td><td><p>Current Unix username</p></td></tr><tr><td><p><code class="literal">%U</code></p></td><td><p>Requested client username (not always used by Samba)</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong>Share variables</strong></span></p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>Automounter's path to the share's root directory, if different from <code class="literal">%P</code></p></td></tr><tr><td><p><code class="literal">%P</code></p></td><td><p>Current share's root directory</p></td></tr><tr><td><p><code class="literal">%S</code></p></td><td><p>Current share's name</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong>Server variables</strong></span></p></td></tr><tr><td><p><code class="literal">%d</code></p></td><td><p>Current server process ID</p></td></tr><tr><td><p><code class="literal">%h</code></p></td><td><p>Samba server's DNS hostname</p></td></tr><tr><td><p><code class="literal">%L</code></p></td><td><p>Samba server's NetBIOS name</p></td></tr><tr><td><p><code class="literal">%N</code></p></td><td><p>Home directory server, from the automount map</p></td></tr><tr><td><p><code class="literal">%v</code></p></td><td><p>Samba version</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong>Miscellaneous variables</strong></span></p></td></tr><tr><td><p><code class="literal">%R</code></p></td><td><p>The SMB protocol level that was negotiated</p></td></tr><tr><td><p><code class="literal">%T</code></p></td><td><p>The current date and time</p></td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="ch04-idx-967143-0"></a>Here's another example of using variables: let's say that there are five clients on your network, but one client, <code class="literal">fred</code>, requires a slightly different <code class="literal">[homes]</code> configuration loaded when it connects to the Samba server. With Samba, it's simple to attack such a problem:</p><pre class="programlisting">[homes] + ... + include = /usr/local/samba/lib/smb.conf.%m + ...</pre><p>The <code class="literal">include</code> option here causes a separate configuration file for each particular NetBIOS machine (<code class="literal">%m</code>) to be read in addition to the current file. If the hostname of the client machine is <code class="literal">fred</code>, and if a <code class="filename">smb.conf.fred</code> file exists in the <em class="replaceable"><code>samba_dir</code></em><code class="filename">/lib/</code> directory (or whatever directory you've specified for your configuration files), Samba will insert that configuration file into the default one. If any configuration options are restated in <code class="filename">smb.conf.fred</code>, those values will override any options previously encountered in that share. Note that we say "previously." If any options are restated in the main configuration file after the <code class="literal">include</code> option, Samba will honor those restated values for the share in which they are defined.</p><p>Here's the important part: if there is no such file, Samba will not generate an error. In fact, it won't do anything at all. This allows you to create only one extra configuration file for <code class="literal">fred</code> when using this strategy, instead of one for each NetBIOS machine that is on the network.</p><p>Machine-specific configuration files can be used both to customize particular clients and to make debugging Samba easier. Consider the latter; if we have one client with a problem, we can use this approach to give it a private log file with a more verbose logging level. This allows us to see what Samba is doing without slowing down all the other clients or overflowing the disk with useless logs. Remember, with large networks you may not always have the option to restart the Samba server to perform debugging!</p><p>You can use each of the variables in <a href="#ch04-10883" title="Table 4.1. Samba Variables">Table 4.1</a> to give custom values to a variety of Samba options. We will highlight several of these options as we move through the next few chapters.<code class="filename"></code> +<a class="indexterm" name="ch04-idx-967084-0"></a> +<a class="indexterm" name="ch04-idx-967084-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-81402"></a>Special Sections</h2></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch04-idx-967091-0"></a> +<a class="indexterm" name="ch04-idx-967091-1"></a>Now that we've gotten our feet wet with variables, there are a few special sections of the Samba configuration file that we should talk about. Again, don't worry if you do not understand each and every configuration options listed below; we'll go over each of them over the course of the upcoming chapters.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.1"></a>The [globals] Section</h3></div></div></div><p>The <code class="literal">[globals]</code> +<a class="indexterm" name="ch04-idx-967171-0"></a> +<a class="indexterm" name="ch04-idx-967171-1"></a> section appears in virtually every Samba configuration file, even though it is not mandatory to define one. Any option set in this section of the file will apply to all the other shares, as if the contents of the section were copied into the share itself. There is one catch: other sections can list the same option in their section with a new value; this has the effect of overriding the value specified in the <code class="literal">[globals]</code> section.</p><p>To illustrate this, let's again look at the opening example of the chapter:</p><pre class="programlisting">[global] + log level = 1 + max log size = 1000 + socket options = TCP_NODELAY IPTOS_LOWDELAY + guest ok = no +[homes] + browseable = no + map archive = yes +[printers] + path = /usr/tmp + guest ok = yes + printable = yes + min print space = 2000 +[test] + browseable = yes + read only = yes + guest ok = yes + path = /export/samba/test</pre><p>In the previous example, if we were going to connect a client to the <code class="literal">[test]</code> share, Samba would first read in the <code class="literal">[globals]</code> section. At that point, it would set the option <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">no</code> as the global default for each share it encounters throughout the configuration file. This includes the <code class="literal">[homes]</code> and <code class="literal">[printers]</code> shares. When it reads in the <code class="literal">[test]</code> share, however, it would then find the configuration option <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code>, and override the default from the <code class="literal">[globals]</code> section with the value <code class="literal">yes</code> in the context of the <code class="literal">[pub]</code> share.</p><p>Any option that appears outside of a section (before the first marked section) is also assumed to be a global option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.2"></a>The [ homes] Section</h3></div></div></div><p>If a client attempts to connect to a share that doesn't appear in the <code class="filename">smb.conf</code> file, Samba will search for a <code class="literal">[homes]</code> +<a class="indexterm" name="ch04-idx-967172-0"></a> share in the configuration file. If one exists, the unidentified share name is assumed to be a Unix username, which is queried in the password database of the Samba server. If that username appears, Samba assumes the client is a Unix user trying to connect to his or her home directory on the server.</p><p>For example, assume a client machine is connecting to the Samba server <code class="literal">hydra</code> for the first time, and tries to connect to a share named [<code class="literal">alice]</code>. There is no <code class="literal">[alice]</code> share defined in the <code class="filename">smb.conf</code> file, but there is a <code class="literal">[homes]</code>, so Samba searches the password database file and finds an <code class="literal">alice</code> user account is present on the system. Samba then checks the password provided by the client against user <code class="literal">alice</code>'s Unix password—either with the password database file if it's using non-encrypted passwords, or Samba's <code class="filename">smbpasswd</code> file if encrypted passwords are in use. If the passwords match, then Samba knows it has guessed right: the user <code class="literal">alice</code> is trying to connect to her home directory. Samba will then create a share called <code class="literal">[alice]</code> for her.</p><p>The process of using the <code class="literal">[homes]</code> section to create <a class="indexterm" name="ch04-idx-967175-0"></a>users (and dealing with their passwords) is discussed in more detail in the <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.3"></a>The [printers] Section</h3></div></div></div><p>The third special section is called <code class="literal">[printers]</code> +<a class="indexterm" name="ch04-idx-967173-0"></a> and is similar to <code class="literal">[homes]</code>. If a client attempts to connect to a share that isn't in the <code class="filename">smb.conf</code> file, and its name can't be found in the password file, Samba will check to see if it is a printer share. Samba does this by reading the <a class="indexterm" name="ch04-idx-967182-0"></a>printer capabilities file (usually <code class="filename">/etc/printcap</code>) to see if the share name appears there.<sup>[<a name="ch04-pgfId-960558" href="#ftn.ch04-pgfId-960558">1</a>]</sup> If it does, Samba creates a share named after the printer.</p><p>Like <code class="literal">[homes]</code>, this means you don't have to maintain a share for each of your system printers in the <code class="filename">smb.conf</code> file. Instead, Samba honors the Unix printer registry if you request it to, and provides the registered printers to the client machines. There is, however, an obvious limitation: if you have an account named <code class="literal">fred</code> and a printer named <code class="literal">fred</code>, Samba will always find the user account first, even if the client really needed to connect to the printer.</p><p>The process of setting up the <code class="literal">[printers]</code> +<a class="indexterm" name="ch04-idx-968220-0"></a> share is discussed in more detail in <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>.<code class="filename"></code> +<a class="indexterm" name="ch04-idx-968225-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.4"></a>Configuration Options</h3></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch04-idx-967407-0"></a>Options in the Samba configuration files fall into one of two categories: <em class="firstterm">global</em> or <em class="firstterm">share</em>. Each category dictates where an option can appear in the configuration file.</p><div class="variablelist"><dl><dt><span class="term">Global</span></dt><dd><p> +<a class="indexterm" name="ch04-idx-967207-0"></a>Global options <span class="emphasis"><em>must</em></span> appear in the <code class="literal">[global]</code> section and nowhere else. These are options that typically apply to the behavior of the Samba server itself, and not to any of its shares.</p></dd><dt><span class="term">Share</span></dt><dd><p> +<a class="indexterm" name="ch04-idx-967209-0"></a>Share options can appear in specific shares, or they can appear in the <code class="literal">[global]</code> section. If they appear in the <code class="literal">[global]</code> section, they will define a default behavior for all shares, unless a share overrides the option with a value of its own.</p></dd></dl></div><p>In addition, the values that a configuration option can take can be divided into four categories. They are as follows:</p><div class="variablelist"><dl><dt><span class="term">Boolean</span></dt><dd><p> +<a class="indexterm" name="ch04-idx-967210-0"></a>These are simply yes or no values, but can be represented by any of the following: <code class="literal">yes</code>, <code class="literal">no</code>, <code class="literal">true</code>, <code class="literal">false</code>, <code class="literal">0</code>, <code class="literal">1</code>. The values are case insensitive: <code class="literal">YES</code> is the same as <code class="literal">yes</code>.</p></dd><dt><span class="term">Numerical</span></dt><dd><p> +<a class="indexterm" name="ch04-idx-967220-0"></a>An integer, hexidecimal, or octal number. The standard <code class="literal">0x</code><span class="emphasis"><em>nn</em></span> syntax is used for hexadecimal and <code class="literal">0</code><span class="emphasis"><em>nnn</em></span> for octal.</p></dd><dt><span class="term">String</span></dt><dd><p>A <a class="indexterm" name="ch04-idx-967222-0"></a>string of case-sensitive characters, such as a filename or a username.</p></dd><dt><span class="term">Enumerated list</span></dt><dd><p>A finite list of known values. In effect, a boolean is an <a class="indexterm" name="ch04-idx-967223-0"></a>enumerated list with only two values.<code class="filename"></code> +<a class="indexterm" name="ch04-idx-967166-0"></a> +<a class="indexterm" name="ch04-idx-967166-1"></a></p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-46076"></a>Configuration File Options</h2></div></div></div><p>Samba has well over 200 configuration options at its disposal. So let's start off easy by introducing some of the options you can use to modify the configuration file itself.</p><p>As we hinted earlier in the chapter, configuration files are by no means static. You can instruct Samba to include or even replace configuration options as it is processing them. The options to do this are summarized in <a href="#ch04-94939" title="Table 4.2. Configuration File Options">Table 4.2</a>.</p><div class="table"><a name="ch04-94939"></a><p class="title"><b>Table 4.2. Configuration File Options </b></p><div class="table-contents"><table summary="Configuration File Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">config file</code></p></td><td><p>string (fully-qualified name)</p></td><td><p>Sets the location of a configuration file to use instead of the current one.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">include</code></p></td><td><p>string (fully-qualified name)</p></td><td><p>Specifies an additional segment of configuration options to be included at this point in the configuration file.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">copy</code></p></td><td><p>string (name of share)</p></td><td><p>Allows you to clone the configuration options of another share in the current share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-3.0.1"></a> +config file</h3></div></div></div><a class="indexterm" name="ch04-idx-968272-0"></a><p>The global <code class="literal">config</code> <code class="literal">file</code> option specifies a replacement configuration file that will be loaded when the option is encountered. If the target file exists, the remainder of the current configuration file, as well as the options encounter so far, will be discarded; Samba will configure itself entirely with the options in the new file. The <code class="literal">config</code> <code class="literal">file</code> option takes advantage of the variables above, which is useful in the event that you want load a special configuration file based on the machine name or user of the client that it connecting.</p><p>For example, the following line instructs Samba to use a configuration file specified by the NetBIOS name of the client connecting, if such a file exists. If it does, options specified in the original configuration file are ignored. The following example attempts to lead a new configuration file based on the client's NetBIOS name:</p><pre class="programlisting">[global] + config file = /usr/local/samba/lib/smb.conf.%m</pre><p>If the configuration file specified does not exist, the option is ignored and Samba will continue to configure itself based on the current file.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-3.0.2"></a> +include</h3></div></div></div><a class="indexterm" name="ch04-idx-968282-0"></a><p>This option, discussed in greater detail earlier, copies the target file into the current configuration file at the point specified, as shown in <a href="#ch04-97340" title="Figure 4.1. The include option in a Samba configuration file">Figure 4.1</a>. This option also takes advantage of the variables specified earlier in the chapter, which is useful in the event that you want load configuration options based on the machine name or user of the client that it connecting. You can use this option as follows:</p><pre class="programlisting">[global] + include = /usr/local/samba/lib/smb.conf.%m</pre><p>If the configuration file specified does not exist, the option is ignored. Remember that any option specified previously is overridden. In <a href="#ch04-97340" title="Figure 4.1. The include option in a Samba configuration file">Figure 4.1</a>, all three options will override their previous values.</p><div class="figure"><a name="ch04-97340"></a><p class="title"><b>Figure 4.1. The include option in a Samba configuration file</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 232px"><td><img src="figs/sam.0401.gif" height="232" alt="The include option in a Samba configuration file"></td></tr></table></div></div></div><br class="figure-break"><p>The <code class="literal">include</code> option cannot understand the variables <code class="literal">%u</code> (user), <code class="literal">%p</code> (current share's rout directory), or <code class="literal">%s</code> (current share) because they are not set at the time the file is read.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-3.0.3"></a> +copy</h3></div></div></div><a class="indexterm" name="ch04-idx-968285-0"></a><p>The <code class="literal">copy</code> configuration option allows you to clone the configuration options of the share name that you specify in the current share. The target share must appear earlier in the configuration file than the share that is performing the copy. For example:</p><pre class="programlisting">[template] + writable = yes + browsable = yes + valid users = andy, dave, peter + +[data] + path = /usr/local/samba + copy = template</pre><p>Note that any options in the share that invoked the <code class="literal">copy</code> directive will override those in the cloned share; it does not matter whether they appear before or after the <code class="literal">copy</code><code class="filename"></code> +<a class="indexterm" name="ch04-idx-968230-0"></a> directive.<code class="filename"></code> +<a class="indexterm" name="ch04-idx-967416-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-71382"></a>Server Configuration</h2></div></div></div><p> +<a class="indexterm" name="ch04-idx-967242-0"></a>Now it's time to begin configuring your Samba server. Let's introduce three basic configuration options that can appear in the <code class="literal">[global]</code> section of your <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global] + # Server configuration parameters + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE</pre><p>This configuration file is pretty simple; it advertises the Samba server on a NBT network under the NetBIOS name <code class="literal">hydra</code>. In addition, the machine belongs to the workgroup SIMPLE and displays a description to clients that includes the Samba version number as well as the NetBIOS name of the Samba server.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you had to enter <code class="literal">encrypt passwords=yes</code> in your earlier configuration file, you should do so here as well.</p></div><p>Go ahead and try this configuration file. Create a file named <code class="filename">smb.conf</code> +<a class="indexterm" name="ch04-idx-967246-0"></a> under the <code class="filename">/usr/local/samba/lib</code> directory with the text listed above. Then reset the Samba server and use a Windows client to verify the results. Be sure that your Windows clients are in the SIMPLE workgroup as well. After clicking on the <a class="indexterm" name="ch04-idx-967247-0"></a>Network Neighborhood on a Windows client, you should see a window similar to <a href="#ch04-38915" title="Figure 4.2. Network Neighborhood showing the Samba server">Figure 4.2</a>. (In this figure, <code class="literal">phoenix</code> and <code class="literal">chimaera</code> are our Windows clients.)</p><div class="figure"><a name="ch04-38915"></a><p class="title"><b>Figure 4.2. Network Neighborhood showing the Samba server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 206px"><td><img src="figs/sam.0402.gif" height="206" alt="Network Neighborhood showing the Samba server"></td></tr></table></div></div></div><br class="figure-break"><p>You can verify the <code class="literal">server</code> <code class="literal">string</code> by listing the details of the Network Neighborhood window (select the Details menu item under the View menu), at which point you should see a window similar to <a href="#ch04-50900" title="Figure 4.3. Network Neighborhood details listing">Figure 4.3</a>.</p><div class="figure"><a name="ch04-50900"></a><p class="title"><b>Figure 4.3. Network Neighborhood details listing</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 220px"><td><img src="figs/sam.0403.gif" height="220" alt="Network Neighborhood details listing"></td></tr></table></div></div></div><br class="figure-break"><p>If you were to click on the Hydra icon, a window should appear that shows the services that it provides. In this case, the window would be completely empty because there are no shares on the server yet.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-4.1"></a>Server Configuration Options</h3></div></div></div><p> +<a class="indexterm" name="ch04-idx-967248-0"></a> +<a class="indexterm" name="ch04-idx-967248-1"></a><a href="#ch04-61150" title="Table 4.3. Server Configuration Options">Table 4.3</a> summarizes the server configuration options introduced previously. Note that all three of these options are global in scope; in other words, they must appear in the <code class="literal">[global]</code> section of the configuration file.</p><div class="table"><a name="ch04-61150"></a><p class="title"><b>Table 4.3. Server Configuration Options </b></p><div class="table-contents"><table summary="Server Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">netbios name</code></p></td><td><p>string</p></td><td><p>Sets the primary NetBIOS name of the Samba server.</p></td><td><p>Server DNS hostname</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">server string</code></p></td><td><p>string</p></td><td><p>Sets a descriptive string for the Samba server.</p></td><td><p><code class="literal">Samba %v</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">workgroup</code></p></td><td><p>string</p></td><td><p>Sets the NetBIOS group of machines that the server belongs to.</p></td><td><p>Defined at compile time</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-4.1.1"></a> +netbios name</h4></div></div></div><a class="indexterm" name="ch04-idx-968288-0"></a><p>The <code class="literal">netbios</code> <code class="literal">name</code> option allows you to set the NetBIOS name of the server. For example:</p><pre class="programlisting">netbios name = YORKVM1</pre><p>The default value for this configuration option is the server's hostname; that is, the first part of its complete DNS machine name. For example, a machine with the DNS name <code class="literal">ruby.ora.com</code> would be given the NetBIOS name <code class="literal">RUBY</code> by default. While you can use this option to restate the machine's NetBIOS name in the configuration file (as we did previously), it is more commonly used to assign the Samba server a NetBIOS name other than its current DNS name. Remember that the name given must follow the rules for valid NetBIOS machine names as outlines in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>.</p><p>Changing the NetBIOS name of the server is not recommended unless you have a good reason. One such reason might be if the hostname of the machine is not unique because the LAN is divided over two or more DNS domains. For example, YORKVM1 is a good NetBIOS candidate for <span class="emphasis"><em>vm1.york.example.com</em></span> to differentiate it from <span class="emphasis"><em>vm1.falkirk.example.com</em></span>, which has the same hostname but resides in a different DNS domain.</p><p>Another use of this option is for relocating SMB services from a dead or retired machine. For example, if <code class="literal">SALES</code> is the SMB server for the department, and it suddenly dies, you could immediately reset <code class="literal">netbios</code> <code class="literal">name</code> <code class="literal">=</code> <code class="literal">SALES</code> on a backup Samba machine that's taking over for it. Users won't have to change their drive mappings to a different machine; new connections to <code class="literal">SALES</code> will simply go to the new machine.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-4.1.2"></a> +server string</h4></div></div></div><a class="indexterm" name="ch04-idx-968291-0"></a><p>The <code class="literal">server</code> <code class="literal">string</code> parameter defines a comment string that will appear next to the server name in both the Network Neighborhood (when shown with the Details menu) and the comment entry of the Microsoft Windows print manager. You can use the standard variables to provide information in the description. For example, our entry earlier was:</p><pre class="programlisting">[global] + server string = Samba %v on (%h)</pre><p>The default for this option simply presents the current version of Samba and is equivalent to:</p><pre class="programlisting">server string = Samba %v</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-4.1.3"></a> +workgroup</h4></div></div></div><a class="indexterm" name="ch04-idx-968294-0"></a><p>The <code class="literal">workgroup</code> parameter sets the current workgroup where the Samba server will advertise itself. Clients that wish to access shares on the Samba server should be on the same NetBIOS workgroup. Remember that workgroups are really just NetBIOS group names, and must follow the standard NetBIOS naming conventions outlined in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>. For example:</p><pre class="programlisting">[global] + workgroup = SIMPLE</pre><p>The default option for this parameter is set at compile time. If the entry is not changed in the makefile, it will be <code class="literal">WORKGROUP</code>. Because this tends to be the workgroup name of every unconfigured NetBIOS network, we recommend that you always set your workgroup name in the Samba configuration<a class="indexterm" name="ch04-idx-967252-0"></a> +<a class="indexterm" name="ch04-idx-967252-1"></a> file.<sup>[<a name="ch04-pgfId-962322" href="#ftn.ch04-pgfId-962322">2</a>]</sup> +<a class="indexterm" name="ch04-idx-967243-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-14274"></a>Disk Share Configuration</h2></div></div></div><p> +<a class="indexterm" name="ch04-idx-967244-0"></a> +<a class="indexterm" name="ch04-idx-967244-1"></a>We mentioned in the previous section that there were no disk shares on the <code class="literal">hydra</code> server. Let's continue with the configuration file and create an empty <a class="indexterm" name="ch04-idx-967268-0"></a>disk share called [<code class="literal">data</code>]. Here are the additions that will do it:</p><pre class="programlisting">[global] + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE + +[data] + path = /export/samba/data + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes + guest ok = yes</pre><p>The <code class="literal">[data]</code> share is typical for a Samba disk share. The share maps to a directory on the Samba server: <code class="filename">/export/samba/data</code>. We've also provided a comment that describes the share as a <code class="literal">Data</code> <code class="literal">Drive</code>, as well as a volume name for the share itself.</p><p>The share is set to writeable so that users can write data to it; the default with Samba is to create a read-only share. As a result, this option needs to be explicitly set for each disk share you wish to make writeable.</p><p>You may have noticed that we set the <code class="literal">guest</code> <code class="literal">ok</code> parameter to <code class="literal">yes</code>. While this isn't very security-conscious, there are some password issues that we need to understand before setting up individual users and authentication. For the moment, this will sidestep those issues and let anyone connect to the share.</p><p>Go ahead and make these additions to your configuration file. In addition, create the <code class="filename">/export/samba/data</code> directory as root on your Samba machine with the following commands:</p><pre class="programlisting"># <span class="bold"><strong>mkdir /export/samba/data</strong></span> +# <span class="bold"><strong>chmod 777 /export/samba/data</strong></span></pre><p>Now, if you connect to the <code class="literal">hydra</code> server again (you can do this by clicking on its icon in the Windows Network Neighborhood), you should see a single share listed entitled <code class="literal">data</code>, as shown in <a href="#ch04-13866" title="Figure 4.4. The initial data share on the Samba server">Figure 4.4</a>. This share should also have read/write access to it. Try creating or copying a file into the share. Or, if you're really feeling adventurous, you can even try mapping a network drive to it!</p><div class="figure"><a name="ch04-13866"></a><p class="title"><b>Figure 4.4. The initial data share on the Samba server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 175px"><td><img src="figs/sam.0404.gif" height="175" alt="The initial data share on the Samba server"></td></tr></table></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-5.1"></a>Disk Share Configuration Options</h3></div></div></div><p> +<a class="indexterm" name="ch04-idx-967272-0"></a>The basic Samba configuration options for disk shares previously introduced are listed in <a href="#ch04-82964" title="Table 4.4. Basic Share Configuration Options">Table 4.4</a>.</p><div class="table"><a name="ch04-82964"></a><p class="title"><b>Table 4.4. Basic Share Configuration Options </b></p><div class="table-contents"><table summary="Basic Share Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">path (directory)</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the Unix directory that will be provided for a disk share or used for spooling by a printer share</p></td><td><p><code class="literal">/tmp</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">guest ok (public)</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, authentication is not needed to access this share</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">comment</code></p></td><td><p>string</p></td><td><p>Sets the comment that appears with the share</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">volume</code></p></td><td><p>string</p></td><td><p>Sets the volume name: the DOS name of the physical drive</p></td><td><p>Share name</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">read only</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, allows read only access to a share.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">writeable (write ok)</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">no</code>, allows read only access to a share.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.1"></a>path</h4></div></div></div><p> +<a class="indexterm" name="ch04-idx-967257-0"></a> +<a class="indexterm" name="ch04-idx-967257-1"></a> +<a class="indexterm" name="ch04-idx-967257-2"></a>This option, which has the synonym <code class="literal">directory</code>, indicates the pathname at the root of the file or printing share. You can choose any path on the Samba server, so long as the owner of the Samba process that is connecting has read and write access to that directory. If the path is for a printing share, it should point to a temporary directory where files can be written on the server before being spooled to the target printer ( <code class="filename"> /tmp</code> and <code class="filename">/var/spool</code> are popular choices). If this path is for a <a class="indexterm" name="ch04-idx-967258-0"></a>disk share, the contents of the folder representing the share name on the client will match the content of the directory on the Samba server. For example, if we have the following disk share listed in our configuration file:</p><pre class="programlisting">[network] + path = /export/samba/network + writable = yes + guest ok = yes</pre><p>And the contents of the directory <code class="filename">/usr/local/network</code> on the Unix side are:</p><pre class="programlisting">$ <span class="bold"><strong>ls -al /export/samba/network</strong></span> +drwxrwxrwx 9 root nobody 1024 Feb 16 17:17 . +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 .. +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 quicken +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 tax98 +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 taxdocuments</pre><p>Then we should see the equivalent of <a href="#ch04-88746" title="Figure 4.5. Windows client view of a network filesystem specified by path">Figure 4.5</a> on the client side.</p><div class="figure"><a name="ch04-88746"></a><p class="title"><b>Figure 4.5. Windows client view of a network filesystem specified by path</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 155px"><td><img src="figs/sam.0405.gif" height="155" alt="Windows client view of a network filesystem specified by path"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.2"></a> +guest ok</h4></div></div></div><a class="indexterm" name="ch04-idx-968300-0"></a><p>This option (which has an older synonym <code class="literal">public</code>) allows or prohibits guest access to a share. The default value is <code class="literal">no</code>. If set to <code class="literal">yes</code>, it means that no username or password will be needed to connect to the share. When a user connects, the access rights will be equivalent to the designated guest user. The default account to which Samba offers the share is <code class="literal">nobody</code>. However, this can be reset with the <code class="literal">guest</code> <code class="literal">account</code> configuration option. For example, the following lines allow guest user access to the <code class="literal">[accounting]</code> share with the permissions of the <span class="emphasis"><em>ftp</em></span> account:</p><pre class="programlisting">[global] + guest account = ftp +[accounting] + path = /usr/local/account + guest ok = yes</pre><p>Note that users can still connect to the share using a valid username/password combination. If successful, they will hold the access rights granted by their own account and not the guest account. If a user attempts to log in and fails, however, he or she will default to the access rights of the guest account. You can mandate that every user who attaches to the share will be using the guest account (and will have the permissions of the guest) by setting the option <code class="literal">guest</code> <code class="literal">only</code> <code class="literal">=</code> <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.3"></a> +comment</h4></div></div></div><a class="indexterm" name="ch04-idx-968303-0"></a><p>The <code class="literal">comment</code> option allows you to enter a comment that will be sent to the client when it attempts to browse the share. The user can see the comment by listing Details on the share folder under the appropriate computer in the Windows Network Neighborhood, or type the command <code class="literal">NET</code> <code class="literal">VIEW</code> at an MS-DOS prompt. For example, here is how you might insert a comment for a <code class="literal">[network]</code> share:</p><pre class="programlisting">[network] + comment = Network Drive + path = /export/samba/network</pre><p>This yields a folder similar to <a href="#ch04-34850" title="Figure 4.6. Windows client view of a share comment">Figure 4.6</a> on the client side. Note that with the current configuration of Windows, this comment will not be shown once a share is mapped to a Windows network drive.</p><div class="figure"><a name="ch04-34850"></a><p class="title"><b>Figure 4.6. Windows client view of a share comment</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 135px"><td><img src="figs/sam.0406.gif" height="135" alt="Windows client view of a share comment"></td></tr></table></div></div></div><br class="figure-break"><p>Be sure not to confuse the <code class="literal">comment</code> option, which documents a Samba server's shares, with the <code class="literal">server</code> <code class="literal">string</code> option, which documents the server itself.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.4"></a> +volume</h4></div></div></div><a class="indexterm" name="ch04-idx-968306-0"></a><p>This option allows you to specify the volume name of the share as reported by SMB. This normally resolves to the name of the share given in the <code class="filename">smb.conf</code> file. However, if you wish to name it something else (for whatever reason) you can do so with this option.</p><p>For example, an installer program may check the volume name of a CD-ROM to make sure the right CD-ROM is in the drive before attempting to install it. If you copy the contents of the CD-ROM into a network share, and wish to install from there, you can use this option to get around the issue:</p><pre class="programlisting">[network] + comment = Network Drive + volume = ASVP-102-RTYUIKA + path = /home/samba/network</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.5"></a> + +read only and writeable</h4></div></div></div><a class="indexterm" name="ch04-idx-968309-0"></a><a class="indexterm" name="ch04-idx-968309-1"></a><p>The options <code class="literal">read</code> <code class="literal">only</code> and <code class="literal">writeable</code> (or <code class="literal">write</code> <code class="literal">ok </code>) are really two ways of saying the same thing, but approached from opposite ends. For example, you can set either of the following options in the <code class="literal">[global]</code> section or in an individual share:</p><pre class="programlisting">read only = yes +writeable = no</pre><p>If either option is set as shown, data can be read from a share, but cannot be written to it. You might think you would need this option only if you were creating a read-only share. However, note that this read-only behavior is the <span class="emphasis"><em>default</em></span> action for shares; if you want to be able to write data to a share, you must explicitly specify one of the following options in the configuration file for each share:</p><pre class="programlisting">read only = no +writeable = yes</pre><p>Note that if you specify more than one occurrence of either option, Samba will adhere to the last value it encounters for the<a class="indexterm" name="ch04-idx-967387-0"></a> share.<a class="indexterm" name="ch04-idx-967245-0"></a> +<a class="indexterm" name="ch04-idx-967245-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-86705"></a>Networking Options with Samba</h2></div></div></div><p> +<a class="indexterm" name="ch04-idx-967291-0"></a>If you're running Samba on a multi-homed machine (that is, one on multiple subnets), or even if you want to implement a security policy on your own subnet, you should take a close look at the networking configuration options:</p><p>For the purposes of this exercise, let's assume that our Samba server is connected to a network with more than one subnet. Specifically, the machine can access both the 192.168.220.* and 134.213.233.* subnets. Here are our additions to the ongoing configuration file for the networking configuration options:</p><pre class="programlisting">[global] + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE + + # Networking configuration options + hosts allow = 192.168.220. 134.213.233. localhost + hosts deny = 192.168.220.102 + interfaces = 192.168.220.100/255.255.255.0 \ + 134.213.233.110/255.255.255.0 + bind interfaces only = yes + +[data] + path = /home/samba/data + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes</pre><p> +<a class="indexterm" name="ch04-idx-967305-0"></a>Let's first talk about the <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> options. If these options sound familiar, you're probably thinking of the <code class="filename">hosts.allow</code> and <code class="filename">hosts.deny</code> files that are found in the <code class="filename">/etc</code> directories of many Unix systems. The purpose of these options is identical to those files; they provide a means of security by allowing or denying the connections of other hosts based on their IP addresses. Why not just use the <code class="filename">hosts.allow</code> and <code class="filename">hosts.deny</code> files themselves? Because there may be services on the server that you want others to access without giving them access Samba's disk or printer shares</p><p>With the <code class="literal">hosts</code> <code class="literal">allow</code> option above, we've specified a cropped IP address: 192.168.220. (Note that there is still a third period; it's just missing the fourth number.) This is equivalent to saying: "All hosts on the 192.168.220 subnet." However, we've explicitly specified in a hosts deny line that 192.168.220.102 is not to be allowed access.</p><p>You might be wondering: why will 192.168.220.102 be denied even though it is still in the subnet matched by the <code class="literal">hosts</code> <code class="literal">allow</code> option? Here is how Samba sorts out the rules specified by <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny </code>:</p><div class="orderedlist"><ol type="1"><li><p>If there are no <code class="literal">allow</code> or <code class="literal">deny</code> options defined anywhere in <code class="filename">smb.conf</code>, Samba will allow connections from any machine allowed by the system itself.</p></li><li><p>If there are <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> options defined in the <code class="literal">[global]</code> section of <code class="filename">smb.conf</code>, they will apply to all shares, even if the shares have an overriding option defined.</p></li><li><p>If there is only a <code class="literal">hosts</code> <code class="literal">allow</code> option defined for a share, only the hosts listed will be allowed to use the share. All others will be denied.</p></li><li><p>If there is only a <code class="literal">hosts</code> <code class="literal">deny</code> option defined for a share, any machine which is not on the list will be able to use the share.</p></li><li><p>If both a <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> option are defined, a host must appear in the allow list and not appear in the deny list (in any form) in order to access the share. Otherwise, the host will not be allowed.</p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +<a class="indexterm" name="ch04-idx-967307-0"></a> +<a class="indexterm" name="ch04-idx-967307-1"></a>Take care that you don't explicity +allow a host to access a share, but then deny access to the entire +subnet of which the host is part.</p></div><p>Let's look at another example of that final item. Consider the following options:</p><pre class="programlisting">hosts allow = 111.222. +hosts deny = 111.222.333.</pre><p>In this case, only the hosts that belong to the subnet 111.222.*.* will be allowed access to the Samba shares. However, if a client belongs to the 111.222.333.* subnet, it will be denied access, even though it still matches the qualifications outlined by <code class="literal">hosts</code> <code class="literal">allow</code>. The client must appear on the <code class="literal">hosts</code> <code class="literal">allow</code> list and <span class="emphasis"><em>must not</em></span> appear on the <code class="literal">hosts</code> <code class="literal">deny</code> list in order to gain access to a Samba share. If a computer attempts to access a share to which it is not allowed access, it will receive an error message.</p><p>The other two options that we've specified are the <code class="literal">interfaces</code> and the <code class="literal">bind</code> <code class="literal">interface</code> <code class="literal">only</code> address. Let's look at the <code class="literal">interfaces</code> option first. Samba, by default, sends data only from the primary network interface, which in our example is the 192.168.220.100 subnet. If we would like it to send data to more than that one <a class="indexterm" name="ch04-idx-967310-0"></a>interface, we need to specify the complete list with the <code class="literal">interfaces</code> option. In the previous example, we've bound Samba to interface with both subnets (192.168.220 and 134.213.233) on which the machine is operating by specifying the other network interface address: 134.213.233.100. If you have more than one interface on your computer, you should always set this option as there is no guarantee that the primary interface that Samba chooses will be the right one.</p><p>Finally, the <code class="literal">bind</code> <code class="literal">interfaces</code> <code class="literal">only</code> option instructs the <code class="filename">nmbd</code> process not to accept any broadcast messages other than those subnets specified with the <code class="literal">interfaces</code> option. Note that this is different from the <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> options, which prevent machines from making connections to services, but not from receiving broadcast messages. Using the <code class="literal">bind</code> <code class="literal">interfaces</code> <code class="literal">only</code> option is a way to shut out even datagrams from foreign subnets from being received by the Samba server. In addition, it instructs the <span class="emphasis"><em>smbd</em></span> process to bind to only the interface list given by the <span class="emphasis"><em>interfaces</em></span> option. This restricts the networks that Samba will serve.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-6.1"></a>Networking Options</h3></div></div></div><p> +<a class="indexterm" name="ch04-idx-967302-0"></a>The networking options we introduced above are summarized in <a href="#ch04-32963" title="Table 4.5. Networking Configuration Options">Table 4.5</a>.</p><div class="table"><a name="ch04-32963"></a><p class="title"><b>Table 4.5. Networking Configuration Options </b></p><div class="table-contents"><table summary="Networking Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">hosts allow (allow hosts)</code></p></td><td><p>string (list of hostnames)</p></td><td><p>Specifies the machines that can connect to Samba.</p></td><td><p>none</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">hosts deny (deny hosts)</code></p></td><td><p>string (list of hostnames)</p></td><td><p>Specifies the machines that cannot connect to Samba.</p></td><td><p>none</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">interfaces</code></p></td><td><p>string (list of IP/netmask combinations)</p></td><td><p>Sets the network interfaces Samba will respond to. Allows correcting defaults.</p></td><td><p>system-dependent</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">bind</code></p> + +<p><code class="literal">interfaces only</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will bind only to those interfaces specified by the <code class="literal">interfaces</code> option.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">socket</code></p> + +<p><code class="literal">address</code></p></td><td><p>string (IP address)</p></td><td><p>Sets IP address to listen on, for use with multiple virtual interfaces on a server.</p></td><td><p>none</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.1"></a> +hosts allow</h4></div></div></div><a class="indexterm" name="ch04-idx-968312-0"></a><p> +<a class="indexterm" name="ch04-idx-967314-0"></a>The <code class="literal">hosts</code> <code class="literal">allow</code> option (sometimes written as <code class="literal">allow</code> <code class="literal">hosts</code>) specifies the machines that have permission to access shares on the Samba server, written as a comma- or space-separated list of names of machines or their IP addresses. You can gain quite a bit of security by simply placing your LAN's subnet address in this option. For example, we specified the following in our example:</p><pre class="programlisting">hosts allow = 192.168.220. localhost</pre><p>Note that we placed <code class="literal">localhost</code> after the subnet address. One of the most common mistakes when attempting to use the <code class="literal">hosts</code> <code class="literal">allow</code> option is to accidentally disallow the Samba server from communicating with itself. The <code class="filename">smbpasswd</code> program will occasionally need to connect to the Samba server as a client in order to change a user's encrypted password. In addition, local browsing propagation requires local host access. If this option is enabled and the localhost address is not specified, the locally-generated packets requesting the change of the encrypted password will be discarded by Samba, and browsing propagation will not work properly. To avoid this, explicitly allow the loopback address (either <code class="literal">localhost</code> or <code class="literal">127.0.0.1</code>) to be used.<sup>[<a name="ch04-pgfId-965714" href="#ftn.ch04-pgfId-965714">3</a>]</sup></p><p>You can specify any of the following formats for this option:</p><div class="itemizedlist"><ul type="disc"><li><p>Hostnames, such as <code class="literal">ftp.example.com </code>.</p></li><li><p>IP addresses, like <code class="literal">130.63.9.252</code>.</p></li><li><p>Domain names, which can be differentiated from individual hostnames because they start with a dot. For example, <code class="literal">.ora.com</code> represents all machines within the <span class="emphasis"><em>ora.com</em></span> domain.</p></li><li><p>Netgroups, which start with an at-sign, such as <code class="literal">@printerhosts</code>. Netgroups are available on systems running yellow pages/NIS or NIS+, but rarely otherwise. If netgroups are supported on your system, there should be a <code class="literal">netgroups</code> manual page that describes them in more detail.</p></li><li><p>Subnets, which end with a dot. For example, <code class="literal">130.63.9.</code> means all the machines whose IP addresses begin with 130.63.9.</p></li><li><p>The keyword <code class="literal">ALL</code>, which allows any client access.</p></li><li><p>The keyword <code class="literal">EXCEPT</code> followed by more one or more names, IP addresses, domain names, netgroups, or subnets. For example, you could specify that Samba allow all hosts except those on the 192.168.110 subnet with <code class="literal">hosts</code> <code class="literal">allow</code> <code class="literal">=</code> <code class="literal">ALL</code> <code class="literal">EXCEPT</code> <code class="literal">192.168.110.</code> (remember the trailing dot).</p></li></ul></div><p>Using the <code class="literal">ALL</code> keyword is almost always a bad idea, since it means that anyone on any network can browse your files if they guess the name of your server.</p><p>Note that there is no default value for the <code class="literal">hosts</code> <code class="literal">allow</code> configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. In addition, if you specify this option in the <code class="literal">[global]</code> section of the configuration file, it will override any <code class="literal">hosts</code> <code class="literal">allow</code> options defined shares.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.2"></a> +hosts deny</h4></div></div></div><a class="indexterm" name="ch04-idx-968319-0"></a><p>The <code class="literal">hosts</code> <code class="literal">deny</code> option (also <code class="literal">deny</code> <code class="literal">hosts</code>) specifies machines that do not have permission to access a share, written as a comma- or space-separated list of machine names or their IP addresses. Use the same format as specifying clients as the <code class="literal">hosts</code> <code class="literal">allow</code> option above. For example, to restrict access to the server from everywhere but <code class="filename">example.com</code>, you could write:</p><pre class="programlisting">hosts deny = ALL EXCEPT .example.com</pre><p>Like <code class="literal">hosts</code> <code class="literal">allow</code>, there is no default value for the <code class="literal">hosts</code> <code class="literal">deny</code> configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. Also, if you specify this option in the <code class="literal">[global]</code> section of the configuration file, it will override any <code class="literal">hosts</code> <code class="literal">deny</code> options defined in shares. If you wish to deny <span class="emphasis"><em>hosts</em></span> access to specific shares, omit both the <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> options in the <code class="literal">[global]</code> section of the configuration file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.3"></a> +interfaces</h4></div></div></div><a class="indexterm" name="ch04-idx-968322-0"></a><p> +<a class="indexterm" name="ch04-idx-967320-0"></a>The <code class="literal">interfaces</code> option outlines the network addresses to which you want the Samba server to recognize and respond. This option is handy if you have a computer that resides on more than one network subnet. If this option is not set, Samba searches for the primary network interface of the server (typically the first Ethernet card) upon startup and configures itself to operate on only that subnet. If the server is configured for more than one subnet and you do not specify this option, Samba will only work on the first subnet it encounters. You must use this option to force Samba to serve the other subnets on your network.</p><p>The value of this option is one or more sets of IP address/netmask pairs, such as the following:</p><pre class="programlisting">interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0</pre><p>You can optionally specify a CIDR format bitmask, as follows:</p><pre class="programlisting">interfaces = 192.168.220.100/24 192.168.210.30/24</pre><p>The bitmask number specifies the first number of bits that will be turned on in the netmask. For example, the number 24 means that the first 24 (of 32) bits will be activated in the bit mask, which is the same as saying 255.255.255.0. Likewise, 16 would be equal to 255.255.0.0, and 8 would be equal to 255.0.0.0.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>This option may not work correctly if you are using DHCP.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.4"></a> +bind interfaces only</h4></div></div></div><a class="indexterm" name="ch04-idx-968325-0"></a><p>The <code class="literal">bind</code> <code class="literal">interfaces</code> <code class="literal">only</code> option can be used to force the <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> processes to serve SMB requests to only those addresses specified by the <code class="literal">interfaces</code> option. The <span class="emphasis"><em>nmbd</em></span> process normally binds to the all addresses interface (0.0.0.0.) on ports 137 and 138, allowing it to receive broadcasts from anywhere. However, you can override this behavior with the following:</p><pre class="programlisting">bind interfaces only = yes</pre><p>This will cause both Samba processes to ignore any packets whose origination address does not match the broadcast address(es) specified by the <code class="literal">interfaces</code> option, including broadcast packets. With <span class="emphasis"><em>smbd</em></span>, this option will cause Samba to not serve file requests to subnets other than those listed in the <code class="literal">interfaces</code> option. You should avoid using this option if you want to allow temporary network connections, such as those created through SLIP or PPP. It's very rare that this option is needed, and it should only be used by experts.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you set <code class="literal">bind interfaces only</code> to <code class="literal">yes </code>, you should add the localhost address (127.0.01) to the "interfaces" list. Otherwise, <span class="emphasis"><em>smbpasswd</em></span> will be unable to connect to the server using its default mode in order to change a password.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.5"></a> +socket address</h4></div></div></div><a class="indexterm" name="ch04-idx-968328-0"></a><p> +<a class="indexterm" name="ch04-idx-967324-0"></a>The <code class="literal">socket</code> <code class="literal">address</code> option dictates which of the addresses specified with the <code class="literal">interfaces</code> parameter Samba should listen on for connections. Samba accepts connections on all addresses specified by default. When used in an <code class="filename">smb.conf</code> file, this option will force Samba to listen on only one IP address. For example:</p><pre class="programlisting">interfaces = 192.168.220.100/24 192.168.210.30/24 +socket address = 192.168.210.30</pre><p>This option is a programmer's tool and we recommend that you do not use it.<a class="indexterm" name="ch04-idx-967297-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-16899"></a>Virtual Servers</h2></div></div></div><p> +<a class="indexterm" name="ch04-idx-967325-0"></a> +<a class="indexterm" name="ch04-idx-967325-1"></a>Virtual servers are a technique for creating the illusion of multiple <a class="indexterm" name="ch04-idx-967337-0"></a>NetBIOS servers on the network, when in reality there is only one. The technique is simple to implement: a machine simply registers more than one NetBIOS name in association with its IP address. There are tangible benefits to doing this.</p><p>The accounting department, for example, might have an <code class="literal">accounting</code> server, and clients of it would see just the accounting disks and printers. The marketing department could have their own server, <code class="literal">marketing</code>, with their own reports, and so on. However, all the services would be provided by one medium-sized Unix workstation (and one relaxed administrator), instead of having one small server and one administrator per department.</p><p>Samba will allow a Unix server to use more than one NetBIOS name with the <code class="literal">netbios</code> <code class="literal">aliases</code> option. See <a href="#ch04-92259" title="Table 4.6. Virtual Server Configuration Options">Table 4.6</a>.</p><div class="table"><a name="ch04-92259"></a><p class="title"><b>Table 4.6. Virtual Server Configuration Options </b></p><div class="table-contents"><table summary="Virtual Server Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">netbios aliases</code></p></td><td><p> +<a class="indexterm" name="ch04-idx-967338-0"></a> +<a class="indexterm" name="ch04-idx-967338-1"></a>List of NetBIOS names</p></td><td><p>Additional NetBIOS names to respond to, for use with multiple "virtual" Samba servers.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-7.0.1"></a> +netbios aliases</h3></div></div></div><a class="indexterm" name="ch04-idx-968331-0"></a><p>The <code class="literal">netbios</code> <code class="literal">aliases</code> option can be used to give the Samba server more than one <a class="indexterm" name="ch04-idx-967339-0"></a> +<a class="indexterm" name="ch04-idx-967339-1"></a>NetBIOS name. Each NetBIOS name listed as a value will be displayed in the Network Neighborhood of a browsing machine. When a connection is requested to any machine, however, it will connect to the same Samba server.</p><p>This might come in handy, for example, if you're transferring three departments' data to a single Unix server with modern large disks, and are retiring or reallocating the old NT servers. If the three servers are called <code class="literal">sales</code>, <code class="literal">accounting</code>, and <code class="literal">admin</code>, you can have Samba represent all three servers with the following options:</p><pre class="programlisting">[global] + netbios aliases = sales accounting admin + include = /usr/local/samba/lib/smb.conf.%L</pre><p>See <a href="#ch04-28393" title="Figure 4.7. Using NetBIOS aliases for a Samba server">Figure 4.7</a> for what the Network Neighborhood would display from a client.When a client attempts to connect to Samba, it will specify the name of the server that it's trying to connect to, which you can access through the <code class="literal">%L</code> variable. If the requested server is <code class="literal">sales</code>, Samba will include the <code class="filename">/usr/local/samba/lib/smb.conf.sales</code> file. This file might contain global and share declarations exclusively for the sales team, such as the following:</p><pre class="programlisting">[global] + workgroup = SALES + hosts allow = 192.168.10.255 + +[sales1998] + path = /usr/local/samba/sales/sales1998/ +...</pre><p>This particular example would set the workgroup to SALES as well, and set the IP address to allow connections only from the SALES subnet (192.168.10). In addition, it would offer shares specific to the sales department.</p><div class="figure"><a name="ch04-28393"></a><p class="title"><b>Figure 4.7. Using NetBIOS aliases for a Samba server + </b></p><div class="figure-contents"><a class="indexterm" name="ch04-idx-967332-0"></a><a class="indexterm" name="ch04-idx-967332-1"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 196px"><td><img src="figs/sam.0407.gif" height="196" alt="Using NetBIOS aliases for a Samba server"></td></tr></table></div></div></div><br class="figure-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-29331"></a>Logging Configuration Options</h2></div></div></div><p> +<a class="indexterm" name="ch04-idx-967340-0"></a> +<a class="indexterm" name="ch04-idx-967340-1"></a>Occasionally, we need to find out what Samba is up to. This is especially true when Samba is performing an unexpected action or is not performing at all. To find out this information, we need to check Samba's log files to see exactly why it did what it did.</p><p>Samba log files can be as brief or verbose as you like. Here is an example of what a Samba log file looks like:</p><pre class="programlisting">[1999/07/21 13:23:25, 3] smbd/service.c:close_cnum(514) + phoenix (192.168.220.101) closed connection to service IPC$ +[1999/07/21 13:23:25, 3] smbd/connection.c:yield_connection(40) + Yielding connection to IPC$ +[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615) + Transaction 923 of length 49 +[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448) + switch message SMBread (pid 467) +[1999/07/21 13:23:25, 3] lib/doscalls.c:dos_ChDir(336) + dos_ChDir to /home/samba +[1999/07/21 13:23:25, 3] smbd/reply.c:reply_read(2199) + read fnum=4207 num=2820 nread=2820 +[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615) + Transaction 924 of length 55 +[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448) + switch message SMBreadbraw (pid 467) +[1999/07/21 13:23:25, 3] smbd/reply.c:reply_readbraw(2053) + readbraw fnum=4207 start=130820 max=1276 min=0 nread=1276 +[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615) + Transaction 925 of length 55 +[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448) + switch message SMBreadbraw (pid 467)</pre><p>Many of these options are of use only to Samba programmers. However, we will go over the meaning of some of these entries in more detail in <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>.</p><p>Samba contains six options that allow users to describe how and where logging information should be written. Each of these options are global options and cannot appear inside a share definition. Here is an up-to-date configuration file that covers each of the share and logging options that we've seen so far:</p><pre class="programlisting">[global] + netbios name = HYDRA + server string = Samba %v on (%I) + workgroup = SIMPLE + + # Networking configuration options + hosts allow = 192.168.220. 134.213.233. localhost + hosts deny = 192.168.220.102 + interfaces = 192.168.220.100/255.255.255.0 \ + 134.213.233.110/255.255.255.0 + bind interfaces only = yes + + # Debug logging information + log level = 2 + log file = /var/log/samba.log.%m + max log size = 50 + debug timestamp = yes + +[data] + path = /home/samba/data + browseable = yes + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes</pre><p> Here, we've added a custom log file that reports information up to debug level 2. This is a relatively light debugging level. The logging level ranges from 1 to 10, where level 1 provides only a small amount of information and level 10 provides a plethora of low-level information. Level 2 will provide us with useful debugging information without wasting disk space on our server. In practice, you should avoid using log levels greater than 3 unless you are programming Samba.</p><p>This file is located in the <code class="filename">/var/log</code> directory thanks to the <code class="literal">log</code> <code class="literal">file</code> configuration option. However, we can use variable substitution to create log files specifically for individual users or clients, such as with the <code class="literal">%m</code> variable in the following line:</p><pre class="programlisting">log file = /usr/local/logs/samba.log.%m</pre><p>Isolating the log messages can be invaluable in tracking down a network error if you know the problem is coming from a specific machine or user.</p><p>We've added another precaution to the log files: no one log file can exceed 50 kilobytes in size, as specified by the <code class="literal">max</code> <code class="literal">log</code> <code class="literal">size</code> option. If a log file exceeds this size, the contents are moved to a file with the same name but with the suffix <span class="emphasis"><em>.old</em></span> appended. If the <span class="emphasis"><em>.old</em></span> file already exists, it is overwritten and its contents are lost. The original file is cleared, waiting to receive new logging information. This prevents the hard drive from being overwhelmed with Samba log files during the life of our daemons.</p><p>For convenience, we have decided to leave the debug timestamp in the logs with the <code class="literal">debug</code> <code class="literal">timestamp</code> option, which is the default behavior. This will place a timestamp next to each message in the logging file. If we were not interested in this information, we could specify <code class="literal">no</code> for this option instead.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-97929"></a>Using syslog</h3></div></div></div><p>If you wish to use the system logger (<code class="filename">syslog </code> +<a class="indexterm" name="ch04-idx-967351-0"></a>) in addition to or in place of the standard Samba logging file, Samba provides options for this as well. However, to use <code class="filename">syslog</code>, the first thing you will have to do is make sure that Samba was built with the <code class="literal">configure</code> <code class="literal">--with-syslog</code> option. See <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> for more information on configuring and compiling Samba.</p><p>Once that is done, you will need to configure your <code class="filename">/etc/syslog.conf</code> to accept logging information from Samba. If there is not already a <code class="literal">daemon.*</code> entry in the <em class="replaceable"><code>/etc/syslog.conf</code></em> file, add the following:</p><pre class="programlisting">daemon.* /var/log/daemon.log</pre><p>This specifies that any logging information from system daemons will be stored in the <code class="filename">/var/log/daemon.log</code> file. This is where the Samba information will be stored as well. From there, you can specify the following global option in your configuration file:</p><pre class="programlisting">syslog = 2</pre><p>This specifies that any logging messages with a level of 1 will be sent to both the <code class="filename">syslog</code> and the Samba logging files. (The mappings to <code class="filename">syslog</code> priorities are described in the upcoming <a href="#ch04-78696" title="syslog">Section 4.8.2.5</a>.) Let's assume that we set the regular <code class="literal">log</code> <code class="literal">level</code> option above to 4. Any logging messages with a level of 2, 3, or 4 will be sent to the Samba logging files, but not to the <code class="filename">syslog</code>. Only level 1 logging messages will be sent to both. If the <code class="literal">syslog</code> value exceeds the <code class="literal">log</code> <code class="literal">level</code> value, nothing will be written to the <code class="filename">syslog</code>.</p><p>If you want to specify that messages be sent only to <code class="filename">syslog</code>—and not to the standard Samba logging files—you can place this option in the configuration file:</p><pre class="programlisting">syslog only = yes</pre><p>If this is the case, any logging information above the number specified in the <code class="literal">syslog</code> option will be discarded, just like the <code class="literal">log</code> <code class="literal">level</code> option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-8.1"></a>Logging Configuration Options</h3></div></div></div><p><a href="#ch04-92838" title="Table 4.7. Global Configuration Options">Table 4.7</a> lists each of the<a class="indexterm" name="ch04-idx-967341-0"></a> logging configuration options that Samba can use.</p><div class="table"><a name="ch04-92838"></a><p class="title"><b>Table 4.7. Global Configuration Options </b></p><div class="table-contents"><table summary="Global Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">log file</code></p></td><td><p>string (fully-qualified filename)</p></td><td><p>Sets the name and location of the log file that Samba is to use. Uses standard variables.</p></td><td><p>Specified in Samba makefile</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">log level</code></p> + +<p><code class="literal">(debug level)</code></p></td><td><p>numerical (0-10)</p></td><td><p>Sets the amount of log/debug messages that are sent to the log file. 0 is none, 3 is considerable.</p></td><td><p><code class="literal">1</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max log size</code></p></td><td><p>numerical (size in KB)</p></td><td><p>Sets the maximum size of log file. After the log exceeds this size, the file will be renamed to <span class="emphasis"><em>.bak</em></span> and a new log file started.</p></td><td><p><code class="literal">5000</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">debug</code></p> + +<p><code class="literal">timestamp (timestamp logs)</code></p></td><td><p>boolean</p></td><td><p>If no, doesn't timestamp logs, making them easier to read during heavy debugging.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">syslog</code></p></td><td><p>numerical (0-10)</p></td><td><p>Sets level of messages sent to <span class="emphasis"><em>syslog</em></span>. Those levels below <code class="literal">syslog level</code> will be sent to the system logger.</p></td><td><p><code class="literal">1</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">syslog only</code></p></td><td><p>boolean</p></td><td><p>If yes, uses <span class="emphasis"><em>syslog</em></span> entirely and sends no output to the standard Samba log files.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-log-file-option"></a>log file</h4></div></div></div><p>On our server, Samba outputs log information to text files in the <code class="filename">var</code> subdirectory of the Samba home directory, as set by the makefile during the build. The <code class="literal">log</code> <code class="literal">file</code> option can be used to reset the name of the log file to another location. For example, to reset the name and location of the Samba log file to <code class="filename">/usr/local/logs/samba.log</code>, you could use the following:</p><pre class="programlisting">[global] + log file = /usr/local/logs/samba.log</pre><p>You may use variable substitution to create log files specifically for individual users or clients.</p><p>You can override the default log file location using the <code class="literal">-l</code> command-line switch when either daemon is started. However, this does not override the <code class="literal">log</code> <code class="literal">file</code> option. If you do specify this parameter, initial logging information will be sent to the file specified after <code class="literal">-l</code> (or the default specified in the Samba makefile) until the daemons have processed the <code class="filename">smb.conf</code> file and know to redirect it to a new log file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.2"></a> +log level</h4></div></div></div><a class="indexterm" name="ch04-idx-968338-0"></a><p>The <code class="literal">log</code> <code class="literal">level</code> option sets the amount of data to be logged. Normally this is left at 0 or 1. However, if you have a specific problem you may want to set it at 3, which provides the most useful debugging information you would need to track down a problem. Levels above 3 provide information that's primarily for the developers to use for chasing internal bugs, and slows down the server considerably. Therefore, we recommend that you avoid setting this option to anything above 3.</p><pre class="programlisting">[global] +log file = /usr/local/logs/samba.log.%m +log level = 3</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.3"></a> +max log size</h4></div></div></div><a class="indexterm" name="ch04-idx-968341-0"></a><p>The <code class="literal">max</code> <code class="literal">log</code> <code class="literal">size</code> option sets the maximum size, in kilobytes, of the debugging log file that Samba keeps. When the log file exceeds this size, the current log file is renamed to add an <span class="emphasis"><em>.old</em></span> extension (erasing any previous file with that name) and a new debugging log file is started with the original name. For example:</p><pre class="programlisting">[global] +log file = /usr/local/logs/samba.log.%m +max log size = 1000</pre><p>Here, if the size of any log file exceeds one megabyte in size, Samba renames the log file <span class="emphasis"><em>samba.log.</em></span> <em class="replaceable"><code>machine-name</code></em><span class="emphasis"><em>.old</em></span> and a new log file is generated. If there was a file there previously with the <span class="emphasis"><em>.old</em></span> extension, Samba deletes it. We highly recommend setting this option in your configuration files because debug logging (even at lower levels) can covertly eat away at your available disk space. Using this option protects unwary administrators from suddenly discovering that most of their disk space has been swallowed up by a single Samba log file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.4"></a> + +;debug timestamp or timestamp logs</h4></div></div></div><a class="indexterm" name="ch04-idx-968344-0"></a><a class="indexterm" name="ch04-idx-968344-1"></a><p>If you happen to be debugging a network problem and you find that the date-stamp and timestamp information within the Samba log lines gets in the way, you can turn it off by giving either the <code class="literal">timestamp</code> <code class="literal">logs</code> or the <code class="literal">debug</code> <code class="literal">timestamp</code> option (they're synonymous) a value of <code class="literal">no</code>. For example, a regular Samba log file presents its output in the following form:</p><pre class="programlisting">12/31/98 12:03:34 hydra (192.168.220.101) connect to server network as user davecb</pre><p>With a <code class="literal">no</code> value for this option, the output would appear without the datestamp or the timestamp:</p><pre class="programlisting">hydra (192.168.220.101) connect to server network as user davecb</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-78696"></a>syslog</h4></div></div></div><p> +<a class="indexterm" name="ch04-idx-967365-0"></a>The <code class="literal">syslog</code> +<a class="indexterm" name="ch04-idx-968349-0"></a> option causes Samba log messages to be sent to the Unix system logger. The type of log information to be sent is specified as the parameter for this argument. Like the <code class="literal">log</code> <code class="literal">level</code> option, it can be a number from 0 to 10. Logging information with a level less than the number specified will be sent to the system logger. However, debug logs equal to or above the <code class="literal">syslog</code> level, but less than log level, will still be sent to the standard Samba log files. To get around this, use the <code class="literal">syslog</code> <code class="literal">only</code> option. For example:</p><pre class="programlisting">[global] + log level = 3 + syslog = 1</pre><p>With this, all logging information with a level of 0 would be sent to the standard Samba logs and the system logger, while information with levels 1, 2, and 3 would be sent only to the standard Samba logs. Levels above 3 are not logged at all. Note that all messages sent to the system logger are mapped to a priority level that the <span class="emphasis"><em>syslog</em></span> process understands, as shown in <a href="#ch04-80576" title="Table 4.8. Syslog Priority Conversion">Table 4.8</a>. The default level is 1.</p><div class="table"><a name="ch04-80576"></a><p class="title"><b>Table 4.8. Syslog Priority Conversion </b></p><div class="table-contents"><table summary="Syslog Priority Conversion " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Log Level</p></th><th><p>Syslog Priority</p></th></tr></thead><tbody><tr><td><p>0</p></td><td><p><code class="literal">LOG_ERR</code></p></td></tr><tr><td><p>1</p></td><td><p><code class="literal">LOG_WARNING</code></p></td></tr><tr><td><p>2</p></td><td><p><code class="literal">LOG_NOTICE</code></p></td></tr><tr><td><p>3</p></td><td><p><code class="literal">LOG_INFO</code></p></td></tr><tr><td><p>4 and above</p></td><td><p><code class="literal">LOG_DEBUG</code></p></td></tr></tbody></table></div></div><br class="table-break"><p>If you wish to use <span class="emphasis"><em>syslog</em></span>, you will have to run <code class="literal">configure</code> <code class="literal">--with-syslog</code> when compiling Samba, and you will need to configure your <code class="filename">/etc/syslog.conf</code> to suit. (See <a href="#ch04-97929" title="Using syslog">Section 4.8.1</a> earlier in this chapter.)</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.6"></a> +syslog only</h4></div></div></div><a class="indexterm" name="ch04-idx-968350-0"></a><p>The <code class="literal">syslog</code> <code class="literal">only</code> option tells Samba not to use the regular logging files—the system logger only. To enable this, specify the following option in the global ection of the Samba configuration file:</p><pre class="programlisting">[global] + syslog only = <a class="indexterm" name="ch04-idx-967342-0"></a> +<a class="indexterm" name="ch04-idx-967342-1"></a>yes<a class="indexterm" name="ch04-idx-967031-0"></a></pre></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch04-pgfId-960558" href="#ch04-pgfId-960558">1</a>] </sup>Depending on your system, this file may not be <span class="emphasis"><em>/etc/printcap</em></span>. You can use the <span class="emphasis"><em>testparm</em></span> command that comes with Samba to determine the value of the <code class="literal">printcap</code> <code class="literal">name</code> configuration option; this was the default value chosen when Samba was compiled.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch04-pgfId-962322" href="#ch04-pgfId-962322">2</a>] </sup>We should also mention that it is an inherently bad idea to have a workgroup that shares the same name as a server.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch04-pgfId-965714" href="#ch04-pgfId-965714">3</a>] </sup>Starting with Samba 2.0.5, <code class="literal">localhost</code> will automatically be allowed unless it is explicitly denied.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-5"></a>Chapter 5. Browsing and Advanced Disk Shares </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch05-23763">5.1. Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-1.1">5.1.1. Preventing Browsing</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.2">5.1.2. Default Services</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.3">5.1.3. Browsing Elections</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.4">5.1.4. Domain Master Browser</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.5">5.1.5. Browsing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34221">5.2. Filesystem Differences</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-2.1">5.2.1. Hiding and Vetoing Files</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.2">5.2.2. Links</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.3">5.2.3. Filesystem Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34062">5.3. File Permissions and Attributes on MS-DOS and Unix</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-3.0.1">5.3.1. Creation masks</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-3.1">5.3.2. File and Directory Permission Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-30534">5.4. Name Mangling and Case</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-4.1">5.4.1. The Samba Mangling Operation</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-4.2">5.4.2. Mangling Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-75933">5.5. Locks and Oplocks</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-5.1">5.5.1. Opportunistic Locking</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-5.2">5.5.2. Unix and Locking</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="ch05-idx-969559-0"></a> +<a class="indexterm" name="ch05-idx-969559-1"></a>This chapter continues our discussion of disk shares from the previous chapter. Here, we will discuss various differences between the Windows and Unix filesystems—and how Samba works to bridge the gap. There are a surprising number of inconsistencies between a DOS filesystem and a Unix filesystem. In addition, we will talk briefly about name mangling, file locking, and a relatively new feature for Samba: opportunistic locking, or oplocks. However, before we move into that territory, we should first discuss the somewhat arcane topic of browsing with Samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-23763"></a>Browsing</h2></div></div></div><p>Browsing is the ability to examine the servers and <a class="indexterm" name="ch05-idx-969575-0"></a>shares that are currently available on your network. On a Windows NT 4.0 or 95/98 client, a user can browse network servers through the Network Neighborhood folder. By double-clicking the icon representing the server, the user should be able to see the printer and disk share resources available on that machine as well. (If you have Windows NT 3.<span class="emphasis"><em>x</em></span>, you can use the Disk-Connect Network Drive menu in the File Manager to display the available shares on a server.)</p><p>From the Windows command line, you can also use the <code class="literal">net</code> <code class="literal">view</code> option to see which servers are currently on the network. Here is an example of the <code class="literal">net</code> <code class="literal">view</code> command in action:</p><pre class="programlisting">C:\><strong class="userinput"><code>net view</code></strong> +Servers available in workgroup SIMPLE +Server name Remark +---------------------------------------------------------- +\\CHIMAERA Windows NT 4.0 +\\HYDRA Samba 2.0.4 on (hydra) +\\PHOENIX Windows 98</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.1"></a>Preventing Browsing</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969576-0"></a> +<a class="indexterm" name="ch05-idx-969576-1"></a> +<a class="indexterm" name="ch05-idx-969576-2"></a> +<a class="indexterm" name="ch05-idx-969576-3"></a>You can restrict a share from being in a browse list by using the <code class="literal">browseable</code> option. This boolean option prevents a share from being seen in the Network Neighborhood at all. For example, to prevent the <code class="literal">[data]</code> share from the previous chapter from being visible, we could write:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = no + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes</pre><p>Although you typically don't want to do this to an ordinary disk share, the browseable option is useful in the event that you need to create a share with contents that you do not want others to see, such as a <code class="literal">[netlogin]</code> share for storing logon scripts for Windows domain control (see <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a> for more information on logon scripts).</p><p>Another example is the <code class="literal">[homes]</code> share. This share is often marked non-browsable so that a share named <code class="literal">[homes]</code> won't appear when its machine's resources are browsed. However, if a user <code class="literal">alice</code> logs on and looks at the machine's shares, an <code class="literal">[alice]</code> share will appear under the machine. What if we wanted to make sure <code class="literal">alice</code>'s share appeared to everyone before she logs in? This could be done with the global <code class="literal">auto</code> <code class="literal">services</code> option. This option preloads shares into the browse list to ensure that they are always visible:</p><pre class="programlisting">[global] + ... + auto services = alice + ...</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.2"></a>Default Services</h3></div></div></div><p>In the event that a user cannot successfully connect to a share, you can specify a default <a class="indexterm" name="ch05-idx-969587-0"></a> +<a class="indexterm" name="ch05-idx-969587-1"></a>share to which they can connect. Since you do not know who will default to this share at any time, you will probably want to set the <code class="literal">guest</code> <code class="literal">ok</code> option to <code class="literal">yes</code> for this share. Specifying a <code class="literal">default</code> <code class="literal">service</code> can be useful when sending the utterly befuddled to a directory of help files. For example:</p><pre class="programlisting">[global] + ... + default service = helpshare + ... + +[helpshare] + path = /home/samba/helpshare/%S + browseable = yes + guest ok = yes + comment = Default Share for Unsuccessful Connections + volume = Sample-Data-Drive + writeable = no</pre><p>Note that we used the <code class="literal">%S</code> variable in the <code class="literal">path</code> option. If you use the <code class="literal">%S</code> variable, it will refer to the requested nonexistent share (the original share requested by the user), not the name of the resulting default share. This allows us to create different paths with the names of each server, which can provide more customized help files for users. In addition, any <a class="indexterm" name="ch05-idx-969588-0"></a> +<a class="indexterm" name="ch05-idx-969588-1"></a>underscores ( _ ) specified in the requested share will be converted to<a class="indexterm" name="ch05-idx-969589-0"></a> +<a class="indexterm" name="ch05-idx-969589-1"></a> slashes ( / ) when the <code class="literal">%S</code> variable is used.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.3"></a>Browsing Elections</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969892-0"></a>As mentioned in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>, one machine in each subnet always keeps a list of the currently active <a class="indexterm" name="ch05-idx-969897-0"></a>machines. This list is called the <em class="firstterm">browse list</em> +<a class="indexterm" name="ch05-idx-969898-0"></a> and the server that maintains it is called the <a class="indexterm" name="ch05-idx-970543-0"></a><em class="firstterm">local master browser</em>. As machines come on and off the network, the local master browser continually updates the information in the browse list and provides it to any machine that requests it.</p><p>A computer becomes a local master browser by holding a browsing election on the local subnet. Browsing elections can be called at any time. Samba can rig a browsing election for a variety of outcomes, including always becoming the local master browser of the subnet or never becoming it. For example, the following options, which we've added to the configuration file from <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, will ensure that Samba always wins the election for local master browser no matter which machines are also present:</p><pre class="programlisting">[global] + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE + + # Browsing election options + os level = 34 + local master = yes + + # Networking configuration options + hosts allow = 192.168.220. 134.213.233. localhost + hosts deny = 192.168.220.102 + interfaces = 192.168.220.100/255.255.255.0 \ + 134.213.233.110/255.255.255.0 + + # Debug logging information + log level = 2 + log file = /var/log/samba.log.%m + max log size = 50 + debug timestamp = yes + +[data] + path = /home/samba/data + browseable = yes + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writable = yes</pre><p>However, what if we didn't always want to win the election? What if we wanted to yield browsing to a Windows NT Server if present? In order to do that, we need to learn how browsing elections work. As you already know, each machine that takes place in the election must broadcast information about itself. This information includes the following:</p><div class="itemizedlist"><ul type="disc"><li><p>The version of the election protocol used</p></li><li><p>The operating system on the machine</p></li><li><p>The amount of time the client has been on the network</p></li><li><p>The hostname of the client</p></li></ul></div><p>Here is how the election is decided. Operating systems are assigned a binary value according to their version, as shown in <a href="#ch05-51423" title="Table 5.1. Operating System Values in an Election">Table 5.1</a>.</p><div class="table"><a name="ch05-51423"></a><p class="title"><b>Table 5.1. Operating System Values in an Election </b></p><div class="table-contents"><table summary="Operating System Values in an Election " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Operating System</p></th><th><p>Value</p></th></tr></thead><tbody><tr><td><p> +<a class="indexterm" name="ch05-idx-969634-0"></a> +<a class="indexterm" name="ch05-idx-969634-1"></a>Windows NT Server 4.0</p></td><td><p>33</p></td></tr><tr><td><p>Windows NT Server 3.51</p></td><td><p>32</p></td></tr><tr><td><p>Windows NT Workstation 4.0</p></td><td><p>17</p></td></tr><tr><td><p>Windows NT Workstation 3.51</p></td><td><p>16</p></td></tr><tr><td><p>Windows 98</p></td><td><p>2</p></td></tr><tr><td><p>Windows 95</p></td><td><p>1</p></td></tr><tr><td><p>Windows 3.1 for Workgroups</p></td><td><p>1</p></td></tr></tbody></table></div></div><br class="table-break"><p>Following that, each computer on the network is assigned a separate value according to its role, as shown in <a href="#SAMBA-CH-5-TBL-5.2" title="Table 5.2. Computer Role Settings in an Election">Table 5.2</a>.</p><div class="table"><a name="SAMBA-CH-5-TBL-5.2"></a><p class="title"><b>Table 5.2. Computer Role Settings in an Election </b></p><div class="table-contents"><table summary="Computer Role Settings in an Election " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Role</p></th><th><p>Value</p></th></tr></thead><tbody><tr><td><p> +<a class="indexterm" name="ch05-idx-969635-0"></a> +<a class="indexterm" name="ch05-idx-969635-1"></a> +<a class="indexterm" name="ch05-idx-969635-2"></a> +<a class="indexterm" name="ch05-idx-969635-3"></a>Primary Domain Controller</p></td><td><p>128</p></td></tr><tr><td><p>WINS Client</p></td><td><p>32</p></td></tr><tr><td><p>Preferred Master Browser</p></td><td><p>8</p></td></tr><tr><td><p>Active Master Browser</p></td><td><p>4</p></td></tr><tr><td><p>Standby Browser</p></td><td><p>2</p></td></tr><tr><td><p>Active Backup Browser</p></td><td><p>1</p></td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="ch05-idx-969637-0"></a>Elections are decided in the following order:</p><div class="orderedlist"><ol type="1"><li><p>The machine with the highest version of the election protocol will win. (So far, this is meaningless, as all Windows clients have version 1 of the election protocol.)</p></li><li><p>The machine with the highest operating system value wins the election.</p></li><li><p>If there is a tie, the machine with the setting of Preferred Master Browser (role 8) wins the election.</p></li><li><p>If there is still a tie, the client who has been online the longest wins the election.</p></li><li><p>And finally, if there is still a tie, the client name that comes first alphabetically wins.</p></li><li><p>The machine that is the "runner-up" can become a backup browser.</p></li></ol></div><p>As a result, if you want Samba to take the role of a local master browser, but only if there isn't a Windows NT Server (4.0 or 3.51) on the network, you could change the <code class="literal">os</code> <code class="literal">level</code> parameter in the previous example to:</p><pre class="programlisting">os level = 31</pre><p>This will cause Samba to immediately lose the election to a Windows NT 4.0 or Windows NT 3.5 Server, both of which have a higher operating systems level. On the other hand, if you wanted to decide the local master browser on the basis of the network role, such as which machine is the primary domain controller, you could set the <code class="literal">os</code> <code class="literal">level</code> to match the highest type of operating system on the network and let the election protocol fall down to the next level.</p><p> +<a class="indexterm" name="ch05-idx-969646-0"></a>How can you can tell if a machine is a local master browser? By using the <code class="literal">nbtstat</code> command. Place the NetBIOS name of the machine you wish to check after the <code class="literal">-a</code> option:</p><pre class="programlisting">C:\><strong class="userinput"><code>nbtstat -a hydra</code></strong> + + NetBIOS Remote Machine Name Table + + Name Type Status +---------------------------------------------------------- + HYDRA <00> UNIQUE Registered + HYDRA <03> UNIQUE Registered + HYDRA <20> UNIQUE Registered + .._ _MSBROWSE_ _. <01> GROUP Registered + SIMPLE <00> GROUP Registered + SIMPLE <1D> UNIQUE Registered + SIMPLE <1E> GROUP Registered + + MAC Address = 00-00-00-00-00-00</pre><p>The resource entry that you're looking for is the <code class="literal">.._ _MSBROWSE_ _.<01></code>. This indicates that the server is currently acting as the local master browser for the current subnet. In addition, if the machine is a Samba server, you can check the Samba <code class="filename">nmbd</code> log file for an entry such as:</p><pre class="programlisting">nmbd/nmbd_become_lmb.c:become_local_master_stage2(406) +***** +Samba name server HYDRA is now a local master browser for +workgroup SIMPLE on subnet 192.168.220.100 +****</pre><p>Finally, Windows NT servers serving as primary domain controllers contain a sneak that allows them to assume the role of the local master browser in certain conditions; this is called the <span class="emphasis"><em>preferred</em></span> +<a class="indexterm" name="ch05-idx-969647-0"></a> <span class="emphasis"><em>master browser</em></span> bit. Earlier, we mentioned that Samba could set this bit on itself as well. You can enable it with the <code class="literal">preferred</code> <code class="literal">master</code> option:</p><pre class="programlisting"># Browsing election options +os level = 33 +local master = yes +preferred master = yes</pre><p>If the preferred master bit is set, the machine will force a browsing election at startup. Of course, this is needed only if you set the <code class="literal">os</code> <code class="literal">level</code> option to match the Windows NT machine. We recommend that you don't use this option if another machine also has the role of preferred master, such as an NT server.<a class="indexterm" name="ch05-idx-969633-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.4"></a>Domain Master Browser</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969654-0"></a> +<a class="indexterm" name="ch05-idx-969654-1"></a> +<a class="indexterm" name="ch05-idx-969654-2"></a>In the opening chapter, we mentioned that in order for a Windows workgroup or domain to extend into multiple subnets, one machine would have to take the role of the <em class="firstterm">domain master browser</em>. The domain master browser propagates browse lists across each of the subnets in the workgroup. This works because each local master browser periodically synchronizes its browse list with the domain master browser. During this synchronization, the local master browser passes on any server that the domain master browser does not have in its browse list, and vice versa. In a perfect world, each local master browser would eventually have the browse list for the entire domain.</p><p>Unlike the local master browser, there is no election to determine which machine assumes the role of the domain master browser. Instead, the administrator has to set it manually. By Microsoft design, however, the domain master browser and the primary domain controller (PDC) both register a resource type of <1B>, so the roles—and the machines—are inseparable.</p><p>If you have a <a class="indexterm" name="ch05-idx-969663-0"></a>Windows NT server on the network acting as a PDC, we recommend that you do not use Samba to become the domain master browser. The reverse is true as well: if Samba is taking on the responsibilities of a <a class="indexterm" name="ch05-idx-969665-0"></a>PDC, we recommend making it the domain master browser as well. Although it is possible to split the roles with Samba, this is not a good idea. Using two different machines to serve as the PDC and the domain master browser can cause random errors to occur on a Windows workgroup.</p><p>Samba can assume the role of a domain master browser for all subnets in the workgroup with the following option:</p><pre class="programlisting">domain master = yes</pre><p>You can verify that a Samba machine is in fact the domain master browser by checking the <span class="emphasis"><em>nmbd</em></span> log file:</p><pre class="programlisting">nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118) +***** +Samba name server HYDRA is now a domain master browser for +workgroup SIMPLE on subnet 192.168.220.100 +*****</pre><p>Or you can use the <code class="literal">nmblookup</code> command that comes with the Samba distribution to query for a unique <1B> resource type in the workgroup:</p><pre class="programlisting"># <strong class="userinput"><code>nmblookup SIMPLE#1B</code></strong> +Sending queries to 192.168.220.255 +192.168.220.100 SIMPLE<1b></pre><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.4.1"></a>Multiple subnets</h4></div></div></div><p> +<a class="indexterm" name="ch05-idx-969667-0"></a>There are three rules that you must remember when creating a workgroup/domain that spans more than one subnet:</p><div class="itemizedlist"><ul type="disc"><li><p>You must have either a Windows NT or Samba machine acting as a local master browser on each subnet in the workgroup/domain. (If you have a domain master browser in a subnet, a local master browser is not needed.)</p></li><li><p>You must have a Windows NT Server or a Samba machine acting as a domain master browser somewhere in the workgroup.</p></li><li><p>Each local master browser must be instructed to synchronize with the domain master browser.</p></li></ul></div><p>Samba has a few other features in this arena in the event that you don't have or want a domain master browser on your network. Consider the subnets shown in <a href="#ch05-15706" title="Figure 5.1. Multiple subnets with Samba servers">Figure 5.1</a>.</p><div class="figure"><a name="ch05-15706"></a><p class="title"><b>Figure 5.1. Multiple subnets with Samba servers</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 325px"><td><img src="figs/sam.0501.gif" height="325" alt="Multiple subnets with Samba servers"></td></tr></table></div></div></div><br class="figure-break"><p>First, a Samba server that is a local master browser can use the <code class="literal">remote</code> <code class="literal">announce</code> configuration option to make sure that computers in different subnets are sent broadcast announcements about the server. This has the effect of ensuring that the Samba server appears in the browse lists of foreign subnets. To achieve this, however, the directed broadcasts must reach the local master browser on the other subnet. Be aware that many routers do not allow directed broadcasts by default; you may have to change this setting on the router for the directed broadcasts to get through to its subnet.</p><p>With the <code class="literal">remote</code> <code class="literal">announce</code> option, list the subnets and the workgroup that should receive the broadcast. For example, to ensure that machines in the 192.168.221 and 192.168.222 subnets and SIMPLE workgroup are sent broadcast information from our Samba server, we could specify the following:</p><pre class="programlisting"># Browsing election options +os level = 34 +local master = yes +remote announce = 192.168.221.255/SIMPLE \ + 192.168.222.255/SIMPLE</pre><p>In addition, you are allowed to specify the exact address to send broadcasts to if the local master browser on the foreign subnet is guaranteed to always have a fixed IP address.</p><p>A Samba local master browser can synchronize its browse list directly with another Samba server acting as a local master browser on a different subnet. For example, let's assume that Samba is configured as a local master browser, and Samba local master browsers exist at 192.168.221.130 and 192.168.222.120. We can use the <code class="literal">remote</code> <code class="literal">browse</code> <code class="literal">sync</code> option to sync directly with the Samba servers, as follows:</p><pre class="programlisting"># Browsing election options +os level = 34 +local master = yes +remote browse sync = 192.168.221.130 192.168.222.120</pre><p>In order for this to work, the other Samba machines must also be local master browsers. You can also use directed broadcasts with this option if you do not know specific IP addresses of local master browsers.<a class="indexterm" name="ch05-idx-969939-0"></a> +<a class="indexterm" name="ch05-idx-969940-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.5"></a>Browsing Options</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969668-0"></a> +<a class="indexterm" name="ch05-idx-969668-1"></a><a href="#ch05-81028" title="Table 5.3. Browsing Configuration Options">Table 5.3</a> shows 14 options that define how Samba handles browsing tasks. We recommend the defaults for a site that prefers to be easy on its users with respect to locating shares and printers.</p><div class="table"><a name="ch05-81028"></a><p class="title"><b>Table 5.3. Browsing Configuration Options </b></p><div class="table-contents"><table summary="Browsing Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">announce as</code></p></td><td><p><code class="literal">NT</code> +<a class="indexterm" name="ch05-idx-969670-0"></a> or <code class="literal">Win95</code> or <code class="literal">Wf W</code></p></td><td><p>Sets the operating system that Samba will announce itself as.</p></td><td><p><code class="literal">N T</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">announce version</code></p></td><td><p>numerical</p></td><td><p>Sets the version of the operating system that Samba will announce itself as.</p></td><td><p><code class="literal">4.2</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">browseable (browsable)</code></p></td><td><p>boolean</p></td><td><p>Allows share to be displayed in list of machine resources.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">browse list</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will provide a browse list on this server.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">auto services (preload)</code></p></td><td><p>string (share list)</p></td><td><p>Sets a list of shares that will always appear in the browse list.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">default service (default)</code></p></td><td><p>string (share name)</p></td><td><p>Names a share (service) that will be provided if the client requests a share not listed in <span class="emphasis"><em>smb.conf.</em></span></p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">local master</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will try to become a master browser on the local subnet.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">lm announce</code></p></td><td><p><code class="literal">yes</code> or <code class="literal">no</code> or <code class="literal">auto</code></p></td><td><p>Enables or disables LAN Manager style host announcements.</p></td><td><p><code class="literal">auto</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">lm interval</code></p></td><td><p>numerical</p></td><td><p>Specifies the frequency in seconds that LAN Manager announcements will be made if activated.</p></td><td><p><code class="literal">60</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">preferred master (prefered master)</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will use the preferred master browser bit to attempt to become the local master browser.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">domain master</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will try to become the main browser master for the workgroup.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">os level</code></p></td><td><p>numerical</p></td><td><p>Sets the operating system level of Samba in an election for local master browser.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">remote browse sync</code></p></td><td><p>string (list of IP addresses)</p></td><td><p>Lists Samba servers to synchronize browse lists with.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">remote announce</code></p></td><td><p>string (IP address/ workgroup pairs)</p></td><td><p>Lists subnets and workgroups to send directed broadcast packets to, allowing Samba to appear to browse lists.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.1"></a> +announce as</h4></div></div></div><a class="indexterm" name="ch05-idx-970552-0"></a><p>This global configuration option specifies the type of operating system that Samba will announce to other machines on the network. The default value for this option is <code class="literal">N T</code>, which represents a Windows NT operating system. Other possible values are <code class="literal">Win95</code>, which represents a Windows 95 operating system, and <code class="literal">W f W</code> for a Windows for Workgroup operating system. You can override the default value with the following:</p><pre class="programlisting">[global] + announce as = Win95</pre><p>We recommend against changing the default value of this configuration option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.2"></a> +announce version</h4></div></div></div><a class="indexterm" name="ch05-idx-970555-0"></a><p>This global option is frequently used with the <code class="literal">announce</code> <code class="literal">as</code> configuration option; it specifies the version of the operating system that Samba will announce to other machines on the network. The default value of this options is 4.2, which places itself above the current Windows NT version of 4.0. You can specify a new value with a global entry such as the following:</p><pre class="programlisting">[global] + announce version = 4.3</pre><p>We recommend against changing the default value of this configuration option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-38345"></a>browseable</h4></div></div></div><p>The <code class="literal">browseable</code> option (also spelled <code class="literal">browsable</code>) indicates whether the share referenced should appear in the list of available resources of the machine on which it resides. This option is always set to <code class="literal">yes</code> by default. If you wish to prevent the share from being seen in a client's browser, you can reset this option to <code class="literal">no</code>.</p><p>Note that this does not prevent someone from accessing the share using other means, such as specifying a UNC location (<code class="literal">//server/accounting)</code> in Windows Explorer. It only prevents the share from being listed under the machine's resources when being browsed.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.4"></a>browse list</h4></div></div></div><p> +<a class="indexterm" name="ch05-idx-969674-0"></a>You should never need to change this parameter from its default value of <code class="literal">yes</code>. If your Samba server is acting as a local master browser (i.e., it has won the browsing election), you can use the global <code class="literal">browse</code> <code class="literal">list</code> option to instruct Samba to provide or withhold its browse list to all clients. By default, Samba always provides a browse list. You can withhold this information by specifying the following:</p><pre class="programlisting">[global] + browse list = no</pre><p>If you disable the browse list, clients cannot browse the names of other machines, their services, and other domains currently available on the network. Note that this won't make any particular machine inaccessible; if someone knows a valid machine name/address and a share on that machine, they can still connect to it explicitly using NET USE or by mapping a drive letter to it using Windows Explorer. It simply prevents information in the browse list from being retrieved by any client that requests it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.5"></a>auto services</h4></div></div></div><p>The global <code class="literal">auto</code> +<a class="indexterm" name="ch05-idx-970563-0"></a> <code class="literal">services</code> option, which is also called <code class="literal">preload </code>, ensures that the specified shares are always visible in the browse list. One common use for this option is to advertise specific user or printer shares that are created by the <code class="literal">[homes]</code> or <code class="literal">[printers]</code> shares, but are not otherwise browsable.</p><p>This option works best with disk shares. If you wish to force each of your system printers (i.e., those listed in the printer capabilities file) into the browse list using this option, we recommend using the <code class="literal">load</code> <code class="literal">printers</code> option instead. Any shares listed with the <code class="literal">auto</code> <code class="literal">services</code> option will not be displayed if the <code class="literal">browse</code> <code class="literal">list</code> option is set to <code class="literal">no</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.6"></a>default service</h4></div></div></div><p>The global <code class="literal">default</code> +<a class="indexterm" name="ch05-idx-970564-0"></a> <code class="literal">service</code> option (sometimes called <code class="literal">default</code>) names a "last-ditch" share. If set to an existing share name, and a client requests a nonexistent disk or printer share, Samba will attempt to connect the user to the share specified by this option instead. The option is specified as follows:</p><pre class="programlisting">default service = helpshare</pre><p>Note that there are no braces surrounding the share name <code class="literal">helpshare</code>, even though the definition of the share later in the Samba configuration file will have braces. Also, if you use the <code class="literal">%S</code> variable in the share specified by this option, it will represent the requested, nonexistent share, not the default service. Any underscores ( <code class="literal">_ </code> ) specified in the request share will be converted to slashes (<code class="literal">/</code>) when the variable is used.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.7"></a> +local master</h4></div></div></div><a class="indexterm" name="ch05-idx-970565-0"></a><p> +<a class="indexterm" name="ch05-idx-969675-0"></a>This global option specifies whether Samba will attempt to become the local master browser for the subnet when it starts up. If this option is set to <code class="literal">yes</code>, Samba will take place in elections. However, setting this option by itself does not guarantee victory. (Other parameters, such as <code class="literal">preferred</code> <code class="literal">master</code> and <code class="literal">os</code> <code class="literal">level</code> help Samba win browsing elections.) If this option is set to <code class="literal">no</code>, Samba will lose all browsing elections, no matter which values are specified by the other configuration options. The default value is <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.8"></a>lm announce</h4></div></div></div><p>The global <code class="literal">lm</code> +<a class="indexterm" name="ch05-idx-970566-0"></a> <code class="literal">announce</code> option tells Samba's <span class="emphasis"><em>nmbd</em></span> +<a class="indexterm" name="ch05-idx-969678-0"></a> whether or not to send LAN Manager host announcements on behalf of the server. These host announcements may be required by older clients, such as IBM's OS/2 operating system. This announcement allows the server to be added to the browse lists of the client. If activated, Samba will announce itself repetitively at the number of seconds specified by the <code class="literal">lm</code> <code class="literal">interval</code> option.</p><p>This configuration option takes the standard boolean values, <code class="literal">yes</code> and <code class="literal">no</code>, which engage or disengage LAN Manager announcements, respectively. In addition, there is a third option, <code class="literal">auto</code>, which causes <span class="emphasis"><em>nmbd</em></span> to passively listen for LAN Manager announcements, but not send any of its own initially. If LAN Manager announcements are detected for another machine on the network, <span class="emphasis"><em>nmbd</em></span> will start sending its own LAN Manager announcements to ensure that it is visible. You can specify the option as follows:</p><pre class="programlisting">[global] + lm announce = yes</pre><p>The default value is <code class="literal">auto</code>. You probably won't need to change this value from its default.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.9"></a> +lm interval</h4></div></div></div><a class="indexterm" name="ch05-idx-970567-0"></a><p>This option, which is used in conjunction with <code class="literal">lm</code> <code class="literal">announce</code>, indicates the number of seconds <span class="emphasis"><em>nmbd</em></span> will wait before repeatedly broadcasting LAN Manager-style announcements. Remember that LAN Manager announcements must be activated in order for this option to be used. The default value is 60 seconds. If you set this value to 0, Samba will not send any LAN Manager host announcements, no matter what the value of the <code class="literal">lm</code> <code class="literal">announce</code> option. You can reset the value of this option as follows:</p><pre class="programlisting">[global] + lm interval = 90</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.10"></a>preferred master</h4></div></div></div><p>The <code class="literal">preferred</code> +<a class="indexterm" name="ch05-idx-970568-0"></a> <code class="literal">master</code> option requests that Samba set the preferred master bit when participating in an election. This gives the server a higher preferred status in the workgroup than other machines at the same operating system level. If you are configuring your Samba machine to become the local master browser, it is wise to set the following value:</p><pre class="programlisting">[global] + preferred master = yes</pre><p>Otherwise, you should leave it set to its default, <code class="literal">no</code>. If Samba is configured as a preferred master browser, it will force an election when it first comes online.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.11"></a>os level</h4></div></div></div><p>The global <code class="literal">os</code> +<a class="indexterm" name="ch05-idx-970569-0"></a> <code class="literal">level</code> option dictates the operating system level at which Samba will masquerade during a browser election. If you wish to have Samba win an election and become the master browser, you can set the level above that of the operating system on your network with the highest current value. The values are shown in <a href="#ch05-51423" title="Table 5.1. Operating System Values in an Election">Table 5.1</a> . The default level is 0, which means that Samba will lose all elections. If you wish Samba to win all elections, you can reset its value as follows:</p><pre class="programlisting">os level = 34</pre><p>This means that the server will vote for itself 34 times each time an election is called, which ensures a victory.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.12"></a> +domain master</h4></div></div></div><a class="indexterm" name="ch05-idx-970570-0"></a><p>If Samba is the primary domain controller for your workgroup or NT domain, it should also be the <a class="indexterm" name="ch05-idx-969682-0"></a> domain master browser. The domain master browser is a special machine that has the NetBIOS resource type <1B> and is used to propagate browse lists to and from each of the local master browsers in individual subnets across the domain. To force Samba to become the domain master browser, set the following in the <code class="literal">[global]</code> section of the <code class="filename">smb.conf</code>:</p><pre class="programlisting">[global] + domain master = yes</pre><p>If you have a Windows NT server on the network acting as a primary domain controller (PDC), we recommend that you do not use Samba to become the domain master browser. The reverse is true as well: if Samba is taking on the responsibilities of a PDC, we recommend making it the domain master browser. Splitting the PDC and the domain master browser will cause unpredictable errors to occur on the network.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.13"></a>remote browse sync</h4></div></div></div><p>The global <code class="literal">remote</code> +<a class="indexterm" name="ch05-idx-970571-0"></a> <code class="literal">browse</code> <code class="literal">sync</code> option specifies that Samba should synchronize its <a class="indexterm" name="ch05-idx-969683-0"></a>browse lists with local master browsers in other subnets. However, the synchronization can occur only with other Samba servers, and not with Windows computers. For example, if your Samba server was a master browser on the subnet 192.168.235, and Samba local master browsers existed on other subnets at 192.168.234.92 and 192.168.236.2, you could specify the following:</p><pre class="programlisting">remote browse sync = 192.168.234.92 192.168.236.2</pre><p>The Samba server would then directly contact the other machines on the address list and synchronize browse lists. You can also say:</p><pre class="programlisting">remote browse sync = 192.168.234.255 192.168.236.255</pre><p>This forces Samba to broadcast queries to determine the IP addresses of the local master browser on each subnet, with which it will then synchronize browse lists. This only works, however, if your router doesn't block directed broadcast requests ending in 255.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.14"></a>remote announce</h4></div></div></div><p>Samba servers are capable of providing browse lists to foreign subnets with the <code class="literal">remote</code> +<a class="indexterm" name="ch05-idx-970572-0"></a> <code class="literal">announce</code> option. This is typically sent to the local master browser of the foreign subnet in question. However, if you do not know the address of the local master browser, you can do the following:</p><pre class="programlisting">[global] + remote announce = 192.168.234.255/ACCOUNTING \ + 192.168.236.255/ACCOUNTING</pre><p>With this, Samba will broadcast host announcements to all machines on subnets 192.168.234 and 192.168.236, which will hopefully reach the local master browser of the<a class="indexterm" name="ch05-idx-969669-0"></a> +<a class="indexterm" name="ch05-idx-969669-1"></a> subnet.<a class="indexterm" name="ch05-idx-969569-0"></a> You can also specify exact IP addresses, if they are known.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-34221"></a>Filesystem Differences</h2></div></div></div><p> +<a class="indexterm" name="ch05-idx-969684-0"></a>One <a class="indexterm" name="ch05-idx-969692-0"></a>of the biggest issues for which Samba has to correct is the difference between Unix and non-Unix filesystems. This includes items such as handling symbolic links, hidden files, and dot files. In addition, file permissions can also be a headache if not accounted for properly. This section describes how to use Samba to make up for some of those annoying differences, and even how to add some new functionality of its own.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-2.1"></a>Hiding and Vetoing Files</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969693-0"></a> +<a class="indexterm" name="ch05-idx-969693-1"></a>There are some cases when we need to ensure that a user cannot see or access a file at all. Other times, we don't want to keep a user from accessing a file—we just want to hide it when they view the contents of the directory. On Windows systems, an attribute of files allows them to be hidden from a folder listing. With Unix, the traditional way of hiding files in a directory is to precede them with a <a class="indexterm" name="ch05-idx-969701-0"></a> +<a class="indexterm" name="ch05-idx-969701-1"></a>dot (.). This prevents items such as configuration files or defaults from being seen when performing an ordinary <code class="literal">ls</code> command. Keeping a user from accessing a file at all, however, involves working with permissions on files and or directories.</p><p>The first option we should discuss is the boolean <code class="literal">hide</code> <code class="literal">dot</code> <code class="literal">files</code>. This option does exactly what it says. When set to <code class="literal">yes</code>, the option treats files beginning with a <a class="indexterm" name="ch05-idx-969702-0"></a> +<a class="indexterm" name="ch05-idx-969702-1"></a>period (.) as hidden. If set to <code class="literal">no</code>, those files are always shown. The important thing to remember is that the files are only hidden. If the user has chosen to show all hidden files while browsing (e.g., using the Folder Options menu item under the View menu in Windows 98), they will still be able to see the files, as shown in <a href="#ch05-77260" title="Figure 5.2. Hidden files in the [data] share">Figure 5.2</a>.</p><div class="figure"><a name="ch05-77260"></a><p class="title"><b>Figure 5.2. Hidden files in the [data] share</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 210px"><td><img src="figs/sam.0502.gif" height="210" alt="Hidden files in the [data] share"></td></tr></table></div></div></div><br class="figure-break"><p>Instead of simply hiding files beginning with a dot, you can also specify a string pattern to Samba for files to hide, using the <code class="literal">hide</code> <code class="literal">files</code> option. For example, let's assume that we specified the following in our example <code class="literal">[data]</code> share:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + hide files = /*.java/*README*/</pre><p>Each entry for this option must begin, end, or be separated from another with a <a class="indexterm" name="ch05-idx-969703-0"></a> +<a class="indexterm" name="ch05-idx-969703-1"></a>slash ( / ) character, even if there is only one pattern listed. This convention allows spaces to appear in filenames. In this example, the share directory would appear as shown in <a href="#ch05-19743" title="Figure 5.3. Hiding files based on filename patterns">Figure 5.3</a>. Again, note that we have set the Windows 98 option to view hidden files for the window.</p><div class="figure"><a name="ch05-19743"></a><p class="title"><b>Figure 5.3. Hiding files based on filename patterns</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 210px"><td><img src="figs/sam.0503.gif" height="210" alt="Hiding files based on filename patterns"></td></tr></table></div></div></div><br class="figure-break"><p> +<a class="indexterm" name="ch05-idx-969704-0"></a> +<a class="indexterm" name="ch05-idx-969704-1"></a>If we want to prevent users from seeing files at all, we can instead use the <code class="literal">veto</code> <code class="literal">files</code> option. This option, which takes the same syntax as the <code class="literal">hide</code> <code class="literal">files</code> option, specifies a list of files that should never be seen by the user. For example, let's change the <code class="literal">[data]</code> share to the following:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + veto files = /*.java/*README*/</pre><p>The syntax of this option is identical to the <code class="literal">hide</code> <code class="literal">files</code> configuration option: each entry must begin, end, or be separated from another with a slash (<code class="literal">/</code>) character, even if there is only one pattern listed. By doing so, the files <code class="literal">hello.java</code> and <code class="literal">README</code> will simply disappear from the directory, and the user will not be able to access them through SMB.</p><p>There is one other question that we need to address. What happens if the user tries to delete a directory that contains vetoed files? This is where the <code class="literal">delete</code> +<a class="indexterm" name="ch05-idx-969711-0"></a> <code class="literal">veto</code> <code class="literal">files</code> option comes in. If this boolean option is set to <code class="literal">yes</code>, the user is allowed to delete both the regular files and the vetoed files in the directory, and the directory itself will be removed. If the option is set to <code class="literal">no</code>, the user will not be able to delete the vetoed files, and consequently the directory will not be deleted either. From the user's perspective, the directory will appear to be empty, but cannot be removed.</p><p>The <code class="literal">dont</code> <code class="literal">descend</code> directive specifies a list of <a class="indexterm" name="ch05-idx-969715-0"></a>directories whose contents Samba should not allow to be visible. Note that we say <span class="emphasis"><em>contents</em></span>, not the directory itself. Users will be able to enter a directory marked as such, but they are prohibited from descending the directory tree any farther—they will always see an empty folder. For example, let's use this option with a more basic form of the share that we defined earlier in the chapter:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + dont descend = config defaults</pre><p>In addition, let's assume that the <code class="filename">/home/samba/data</code> directory has the following contents:</p><pre class="programlisting">drwxr-xr-x 6 tom users 1024 Jun 13 09:24 . +drwxr-xr-x 8 root root 1024 Jun 10 17:53 .. +-rw-r--r-- 2 tom users 1024 Jun 9 11:43 README +drwxr-xr-x 3 tom users 1024 Jun 13 09:28 config +drwxr-xr-x 3 tom users 1024 Jun 13 09:28 defaults +drwxr-xr-x 3 tom users 1024 Jun 13 09:28 market</pre><p>If the user then connects to the share, he or she would see the directories shown in <a href="#ch05-62659" title="Figure 5.4. Contents of the [data] share with dont descend">Figure 5.4</a>. However, the contents of the <code class="filename">/config</code> and <code class="filename">/defaults</code> directories would appear empty to the user, even if other folders or files existed in them. In addition, users cannot write any data to the folder (which prevents them from creating a file or folder with the same name as one that is already there but invisible). If a user attempts to do so, he or she will receive an "Access Denied" message. <code class="literal">dont</code> <code class="literal">descend</code> is an administrative option, not a security option, and is not a substitute for good file permissions.</p><div class="figure"><a name="ch05-62659"></a><p class="title"><b>Figure 5.4. Contents of the [data] share with dont descend + + </b></p><div class="figure-contents"><a class="indexterm" name="ch05-idx-969696-0"></a><a class="indexterm" name="ch05-idx-969696-1"></a><a class="indexterm" name="ch05-idx-969696-2"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 210px"><td><img src="figs/sam.0504.gif" height="210" alt="Contents of the [data] share with dont descend"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-2.2"></a>Links</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969716-0"></a> +<a class="indexterm" name="ch05-idx-969716-1"></a>DOS and NT filesystems don't have symbolic links; Windows 95/98/NT systems approximate this with "shortcuts" instead. Therefore, when a client tries to open a symbolic link on a Samba server share, Samba attempts to follow the link to find the real file and let the client open it, as if he or she were on a Unix machine. If you don't want to allow this, set the <code class="literal">follow</code> <code class="literal">symlinks</code> option:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + follow symlinks = no</pre><p>You can test this by creating a directory on the Unix server inside the share as the user that you are logging in with. Enter the following commands:</p><pre class="programlisting">% <strong class="userinput"><code>mkdir hello; cd hello</code></strong> +% <strong class="userinput"><code>cat "This is a test" >hello.txt</code></strong> +% <strong class="userinput"><code>ln -s hello.txt "Link to hello"</code></strong></pre><p>This results in the two files shown in the window in <a href="#ch05-36377" title="Figure 5.5. An error dialog trying to follow symbolic links when forbidden by Samba">Figure 5.5</a>. Normally, if you click on either one, you will receive a file which has the text "This is a test" inside of it. However, with the <code class="literal">follow</code> <code class="literal">symlinks</code> option set to <code class="literal">no</code>, you should receive an error similar to the dialog in <a href="#ch05-36377" title="Figure 5.5. An error dialog trying to follow symbolic links when forbidden by Samba">Figure 5.5</a> if you click on "Link to hello."</p><div class="figure"><a name="ch05-36377"></a><p class="title"><b>Figure 5.5. An error dialog trying to follow symbolic links when forbidden by Samba</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 149px"><td><img src="figs/sam.0505.gif" height="149" alt="An error dialog trying to follow symbolic links when forbidden by Samba"></td></tr></table></div></div></div><br class="figure-break"><p>Finally, let's discuss the <code class="literal">wide</code> <code class="literal">links</code> option. This option, if set to <code class="literal">yes</code>, allows the client user to follow symbolic links that point outside the shared directory tree, including files or directories at the other end of the link. For example, let's assume that we modified the <code class="literal">[data]</code> share as follows:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + follow symlinks = yes + wide links = yes</pre><p>As long as the <code class="literal">follow</code> <code class="literal">symlinks</code> option is enabled, this will cause Samba to follow all symbolic links outside the current share tree. If we create a file outside the share (for example, in someone's home directory) and then create a link to it in the share as follows:</p><pre class="programlisting">ln -s ~tom/datafile ./datafile</pre><p>then you will be able to open the file in Tom's directory as per the target file's permissions.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-2.3"></a>Filesystem Options</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969717-0"></a><a href="#ch05-48353" title="Table 5.4. Filesystem Configuration Options">Table 5.4</a> shows a breakdown of the options we discussed earlier. We recommend the defaults for most, except those listed in the following descriptions.</p><div class="table"><a name="ch05-48353"></a><p class="title"><b>Table 5.4. Filesystem Configuration Options </b></p><div class="table-contents"><table summary="Filesystem Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">unix realname</code></p></td><td><p>boolean</p></td><td><p>Provides Unix user's full name to client.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dont descend</code></p></td><td><p>string (list of directories)</p></td><td><p>Indicates a list of directories whose contents Samba should make invisible to clients.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">follow symlinks</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">no</code>, Samba will not honor symbolic links.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">getwd cache</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will use a cache for <code class="literal">getwd( )</code> calls.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">wide links</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will follow symbolic links outside the share.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">hide dot files</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, treats Unix hidden files as hidden files in Windows.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">hide files</code></p></td><td><p>string (list of files)</p></td><td><p>List of file patterns to treat as hidden.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">veto files</code></p></td><td><p>string (list of files)</p></td><td><p>List of file patterns to never show.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">delete veto files</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, will delete files matched by <code class="literal">veto files</code> when the directory they reside in is deleted.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.1"></a> +unix realname</h4></div></div></div><a class="indexterm" name="ch05-idx-970574-0"></a><p>Some programs require a full username in order to operate. For example, a Windows email program often needs to associate a username with a given real name. If your system password file contains the real names of users in the GCOS field, the <code class="literal">unix</code> <code class="literal">realname</code> option instructs Samba to provide this information to clients. Without it, the name of the user will simply be his or her login ID. For example, if your Unix password file contains the following line:</p><pre class="programlisting">rcollins:/KaBfco47Rer5:500:500:Robert Collins: +/home/rcollins:/bin/ksh</pre><p>And the option in the configuration file is:</p><pre class="programlisting">[global] + unix realname = yes</pre><p>then the name Robert Collins will be provided to any client that requests the real name of user <code class="literal">rcollins</code>. You typically don't need to bother with this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.2"></a>dont descend</h4></div></div></div><p>The <code class="literal">dont</code> +<a class="indexterm" name="ch05-idx-970575-0"></a> <code class="literal">descend</code> option can be used to specify various <a class="indexterm" name="ch05-idx-969728-0"></a>directories that should appear empty to the client. Note that the directory itself will still appear. However, Samba will not show any of the contents of the directory to the client user. This is not a good option to use as a security feature (a user could probably find a way around it); it really is meant only as a convenience to keep client users from browsing into directories that might have sensitive files. See our example earlier in this section.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.3"></a> +follow symlinks</h4></div></div></div><a class="indexterm" name="ch05-idx-970576-0"></a><p> +<a class="indexterm" name="ch05-idx-969732-0"></a>This option, which is discussed in greater detail earlier, controls whether Samba will follow a symbolic link in the Unix operating system to the target, or if it should return an error to the client user. If the option is set to <code class="literal">yes</code>, the target of the link will be interpreted as the file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.4"></a> +getwd cache</h4></div></div></div><a class="indexterm" name="ch05-idx-970577-0"></a><p>This global option specifies whether Samba should use a local cache for the Unix <code class="literal">getwd()</code> ( get current working directory) system call. You can override the default value of <code class="literal">yes</code> as follows:</p><pre class="programlisting">[global] + getwd cache = no</pre><p>Setting this option to <code class="literal">yes</code> can significantly increase the time it takes to resolve the <a class="indexterm" name="ch05-idx-969733-0"></a> +<a class="indexterm" name="ch05-idx-969733-1"></a>working directory, especially if the <code class="literal">wide</code> <code class="literal">links</code> option is set to <code class="literal">no</code>. You should normally not need to alter this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.5"></a> +wide links</h4></div></div></div><a class="indexterm" name="ch05-idx-970578-0"></a><p>This option specifies whether the client user can follow symbolic links that point outside the shared directory tree. This includes any files or directories at the other end of the link, as long as the permissions are correct for the user. The default value for this option is <code class="literal">yes</code>. Note that this option will not be honored if the <code class="literal">follow</code> <code class="literal">symlinks</code> options is set to <code class="literal">no</code>. Setting this option to <code class="literal">no</code> slows <span class="emphasis"><em>smbd</em></span> considerably.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.6"></a>hide files</h4></div></div></div><p> +<a class="indexterm" name="ch05-idx-969738-0"></a> +<a class="indexterm" name="ch05-idx-969738-1"></a>The <code class="literal">hide</code> <code class="literal">files</code> option provides one or more directory or filename patterns to Samba. Any file matching this pattern will be treated as a hidden file from the perspective of the client. Note that this simply means that the DOS hidden attribute is set, which may or may not mean that the user can actually see it while browsing.</p><p>Each entry in the list must begin, end, or be separated from another entry with a <a class="indexterm" name="ch05-idx-969734-0"></a> +<a class="indexterm" name="ch05-idx-969734-1"></a>slash (<code class="literal">/</code>) character, even if there is only one pattern listed. This allows spaces to appear in the list. Asterisks can be used as a wildcard to represent zero or more characters. Questions marks can be used to represent exactly one character. For example:</p><pre class="programlisting">hide files = /.jav*/README.???/</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.7"></a>hide dot files</h4></div></div></div><p>The <code class="literal">hide</code> <code class="literal">dot</code> <code class="literal">files</code> option hides any files on the server that begin with a <a class="indexterm" name="ch05-idx-969735-0"></a> +<a class="indexterm" name="ch05-idx-969735-1"></a>dot (.) character, in order to mimic the functionality behind several shell commands that are present on Unix systems. Like <code class="literal">hide</code> <code class="literal">files</code>, those files that begin with a dot have the DOS hidden attribute set, which doesn't necessarily guarantee that a client cannot view them. The default value for this option is <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.8"></a> +veto files</h4></div></div></div><a class="indexterm" name="ch05-idx-970581-0"></a><p>More stringent than the hidden files state is the state provided by the <code class="literal">veto</code> <code class="literal">files</code> configuration option. Samba won't even admit these files exist. You cannot list or open them from the client. In reality, this isn't a trustworthy security option. It is actually a mechanism to keep PC programs from deleting special files, such as ones used to store the resource fork of a Macintosh file on a Unix filesystem. If both Windows and Macs are sharing the same files, this can prevent ill-advised power users from removing files the Mac users need.</p><p>The syntax of this option is identical to that of the <code class="literal">hide</code> <code class="literal">files</code> configuration option: each entry must begin, end, or be separated from another with a <a class="indexterm" name="ch05-idx-969758-0"></a> +<a class="indexterm" name="ch05-idx-969758-1"></a>slash ( / ) character, even if only one pattern is listed. Asterisks can be used as a wildcard to represent zero or more characters. <a class="indexterm" name="ch05-idx-969762-0"></a> +<a class="indexterm" name="ch05-idx-969762-1"></a>Questions marks can be used to represent exactly one character. For example:</p><pre class="programlisting">veto files = /*config/*default?/</pre><p>This option is primarily administrative—not a substitute for good file permissions.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.9"></a> +delete veto files</h4></div></div></div><a class="indexterm" name="ch05-idx-970582-0"></a><p> +<a class="indexterm" name="ch05-idx-969768-0"></a> +<a class="indexterm" name="ch05-idx-969768-1"></a>This option tells Samba to delete vetoed files when a user attempts to delete the directory in which they reside. The default value is <code class="literal">no</code>. This means if a user tries to delete a directory that contains a vetoed file, the file (and the directory) will not be deleted. Instead, the directory will remain and appear to be empty from the perspective of the user. If set to <code class="literal">yes</code>, the directory and the vetoed files will be<a class="indexterm" name="ch05-idx-969721-0"></a> deleted.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-34062"></a>File Permissions and Attributes on MS-DOS and Unix</h2></div></div></div><p> +<a class="indexterm" name="ch05-idx-969769-0"></a> +<a class="indexterm" name="ch05-idx-969769-1"></a> +<a class="indexterm" name="ch05-idx-969769-2"></a> +<a class="indexterm" name="ch05-idx-969769-3"></a>DOS was never intended to be a multiuser, networked operating system. Unix, on the other hand, was designed that way from the start. Consequently, there are inconsistencies and gaps in coverage between the two filesystems that Samba must not only be aware of, but also provide solutions for. One of the biggest gaps is how Unix and DOS handle permissions with files.</p><p>Let's take a look at how Unix assigns permissions. All Unix files have read, write, and execute bits for three classifications of users: <a class="indexterm" name="ch05-idx-969803-0"></a>owner, group, and world. These permissions can be seen at the extreme left-hand side when a <code class="literal">ls</code> <code class="literal">-al</code> command is issued in a Unix directory. For example:</p><pre class="programlisting">-rwxr--r-- 1 tom users 2014 Apr 13 14:11 access.conf</pre><p>Windows, on the other hand, has four principal bits that it uses with any file: read-only, system, hidden, and archive. You can view these bits by right-clicking on the file and choosing the Properties menu item. You should see a dialog similar to <a href="#ch05-76568" title="Figure 5.6. DOS and Windows file properties">Figure 5.6</a>.<sup>[<a name="ch05-pgfId-964268" href="#ftn.ch05-pgfId-964268">1</a>]</sup></p><div class="figure"><a name="ch05-76568"></a><p class="title"><b>Figure 5.6. DOS and Windows file properties</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 435px"><td><img src="figs/sam.0506.gif" width="502" alt="DOS and Windows file properties"></td></tr></table></div></div></div><br class="figure-break"><p>The definition of each of those bits follows:</p><div class="variablelist"><dl><dt><span class="term"> +<a class="indexterm" name="ch05-idx-969799-0"></a> +<a class="indexterm" name="ch05-idx-969799-1"></a>Read-only</span></dt><dd><p>The file's contents can be read by a user but cannot be written to.</p></dd><dt><span class="term"> +<a class="indexterm" name="ch05-idx-969800-0"></a> +<a class="indexterm" name="ch05-idx-969800-1"></a>System</span></dt><dd><p>This file has a specific purpose required by the operating system.</p></dd><dt><span class="term"> +<a class="indexterm" name="ch05-idx-969801-0"></a> +<a class="indexterm" name="ch05-idx-969801-1"></a>Hidden</span></dt><dd><p>This file has been marked to be invisible to the user, unless the operating systems is explicitly set to show it.</p></dd><dt><span class="term"> +<a class="indexterm" name="ch05-idx-969802-0"></a> +<a class="indexterm" name="ch05-idx-969802-1"></a>Archive</span></dt><dd><p>This file has been touched since the last DOS backup was performed on it.</p></dd></dl></div><p>Note that there is no bit to specify that a file is executable. DOS and Windows NT filesystems identify executable files by giving them the extensions .EXE, .COM, .CMD, or .BAT.</p><p>Consequently, there is no use for any of the three Unix executable bits that are present on a file in a Samba disk share. DOS files, however, have their own attributes that need to be preserved when they are stored in a Unix environment: the archive, system, and hidden bits. Samba can preserve these bits by reusing the executable permission bits of the file on the Unix side—if it is instructed to do so. Mapping these bits, however, has an unfortunate side-effect: if a Windows user stores a file in a Samba share, and you view it on Unix with the <code class="literal">ls</code> <code class="literal">-al</code> command, some of the executable bits won't mean what you'd expect them to.</p><p>Three Samba options decide whether the bits are mapped: <code class="literal">map</code> <code class="literal">archive</code>, <code class="literal">map</code> <code class="literal">system </code>, and <code class="literal">map</code> <code class="literal">hidden</code>. These options map the archive, system, and hidden attributes to the owner, group, and world execute bits of the file, respectively. You can add these options to the <code class="literal">[data]</code> share, setting each of their values as follows:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + map archive = yes + map system = yes + map hidden = yes</pre><p>After that, try creating a file in the share under Unix—such as <code class="literal">hello.java</code>—and change the permissions of the file to 755. With these Samba options set, you should be able to check the permissions on the Windows side and see that each of the three values has been checked in the Properties dialog box. What about the read-only attribute? By default, Samba 2.0 sets this whenever a file does not have the Unix owner write permission bit set. In other words, you can set this bit by changing the permissions of the file to 555.</p><p>We should warn you that the default value of the <code class="literal">map</code> <code class="literal">archive</code> option is <code class="literal">yes</code>, while the other two options have a default value of <code class="literal">no</code>. This is because many programs do not work properly if the archive bit is not stored correctly for DOS and Windows files. The system and hidden attributes, however, are not critical for a program's operation and are left to the discretion of the administrator.</p><p><a href="#ch05-56404" title="Figure 5.7. How Samba and Unix view the permissions of a file">Figure 5.7</a> summarizes the Unix permission bits and illustrates how Samba maps those bits to DOS attributes. Note that the group read/write and world read/write bits do not directly translate to a DOS attribute, but they still retain their original Unix definitions on the Samba server.</p><div class="figure"><a name="ch05-56404"></a><p class="title"><b>Figure 5.7. How Samba and Unix view the permissions of a file</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 211px"><td><img src="figs/sam.0507.gif" height="211" alt="How Samba and Unix view the permissions of a file"></td></tr></table></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-3.0.1"></a>Creation masks</h3></div></div></div><p>Samba has several options to help with file <a class="indexterm" name="ch05-idx-969796-0"></a> +<a class="indexterm" name="ch05-idx-969796-1"></a> +<a class="indexterm" name="ch05-idx-969796-2"></a> +<a class="indexterm" name="ch05-idx-969796-3"></a>creation masks. File creation masks (or <em class="firstterm">umasks</em> +<a class="indexterm" name="ch05-idx-969797-0"></a>) help to define the permissions a file or directory will receive at the time it is created. In Unix, this means that you can control what permissions a file or directory does not have when it is created. For files accessed from Windows, this means you can disable the read-only, archive, system, and hidden attributes of a file as well.</p><p>For example, the <code class="literal">create</code> <code class="literal">mask</code> option will force the permissions of a file created by a Windows client to be at most 744:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + create mask = 744</pre><p>while the <code class="literal">directory</code> +<a class="indexterm" name="ch05-idx-970586-0"></a> <code class="literal">mask</code> option shown here will force the permissions of a newly created directory to be at most 755:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + directory mask = 755</pre><p>Alternatively, you can also force various bits with the <code class="literal">force</code> <code class="literal">create</code> <code class="literal">mode</code> and <code class="literal">force</code> <code class="literal">directory</code> <code class="literal">mode</code> options. These options will perform a logical OR against the file and directory creation masks, ensuring that those bits that are specified will always be set. You would typically set these options globally in order to ensure that group and world read/write permissions have been set appropriately for new files or directories in each share.</p><p>In the same spirit, if you wish to explicitly set the Unix user and group attributes of a file that is created on the Windows side, you can use the <code class="literal">force</code> +<a class="indexterm" name="ch05-idx-970587-0"></a> +<a class="indexterm" name="ch05-idx-970587-1"></a> <code class="literal">user</code> and <code class="literal">force</code> <code class="literal">group</code> options. For example:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + + create mask = 744 + directory mask = 755 + force user = joe + force group = accounting</pre><p>These options actually assign a static Unix user and group to each connection that is made to a share. However, this occurs <span class="emphasis"><em>after</em></span> the client authenticates; it does not allow free access to a share. These options are frequently used for their side effects of assigning a specific user and group to each new file or directory that is created in a share. Use these options with discretion.</p><p>Finally, one of the capabilities of Unix that DOS lacks is the ability to delete a read-only file from a writable directory. In Unix, if a directory is writable, a read-only file in that directory can still be removed. This could permit you to delete files in any of your directories, even if the file was left by someone else.</p><p>DOS filesystems are not designed for multiple users, and so its designers decided that <a class="indexterm" name="ch05-idx-969808-0"></a> +<a class="indexterm" name="ch05-idx-969808-1"></a>read-only means "protected against accidental change, including deletion," rather than "protected against some other user on a single-user machine." So the designers of DOS prohibited removal of a read-only file. Even today, Windows file systems exhibit the same behavior.</p><p>Normally, this is harmless. Windows programs don't try to remove read-only files because they know it's a bad idea. However, a number of source-code control programs—which were first written for Unix—run on Windows and require the ability to delete read-only files. Samba permits this behavior with the <code class="literal">delete</code> +<a class="indexterm" name="ch05-idx-970588-0"></a> <code class="literal">readonly</code> option. In order to enable this functionality, set the option to <code class="literal">yes</code>:</p><pre class="programlisting">[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + + create mask = 744 + directory mask = 755 + force user = joe + force group = accounting + delete readonly = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-3.1"></a>File and Directory Permission Options</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969813-0"></a> +<a class="indexterm" name="ch05-idx-969813-1"></a> +<a class="indexterm" name="ch05-idx-969813-2"></a>The options for file and directory permissions are summarized in <a href="#ch05-96508" title="Table 5.5. File and Directory Permission Options">Table 5.5</a>; each option is then described in detail.</p><div class="table"><a name="ch05-96508"></a><p class="title"><b>Table 5.5. File and Directory Permission Options </b></p><div class="table-contents"><table summary="File and Directory Permission Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">map archive</code></p></td><td><p>boolean</p></td><td><p>Preserve DOS archive attribute in user execute bit (0100).</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">map system</code></p></td><td><p>boolean</p></td><td><p>Preserve DOS system attribute in group execute bit (0010).</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">map hidden</code></p></td><td><p>boolean</p></td><td><p>Preserve DOS hidden attribute in world execute bit (0001).</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">create mask (create mode)</code></p></td><td><p>numeric</p></td><td><p>Sets the maximum permissions for files created by Samba.</p></td><td><p><code class="literal">0744</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">directory mask (directory mode)</code></p></td><td><p>numeric</p></td><td><p>Sets the maximum permissions for directories created by Samba.</p></td><td><p><code class="literal">0755</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force create mode</code></p></td><td><p>numeric</p></td><td><p>Forces the specified permissions (bitwise or) for directories created by Samba.</p></td><td><p><code class="literal">0000</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force directory mode</code></p></td><td><p>numeric</p></td><td><p>Forces the specified permissions (bitwise or) for directories created by Samba.</p></td><td><p><code class="literal">0000</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force group (group)</code></p></td><td><p>string ( group name)</p></td><td><p>Sets the effective group for a user accessing this share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force user</code></p></td><td><p>string (username)</p></td><td><p>Sets the effective username for a user accessing this share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">delete readonly</code></p></td><td><p>boolean</p></td><td><p>Allows a user to delete a read-only file from a writable directory.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.1"></a>create mask</h4></div></div></div><p>The argument for this option is an octal number indicating which permission flags may be set at file creation by a client in a share. The default is 0755, which means the Unix owner can at most read, write, and optionally execute his or her own files, while members of the user's group and others can only read or execute them. If you need to change it for non-executable files, we recommend 0644, or <code class="literal">rw-r--r--</code>. Keep in mind that the execute bits may be used by the server to map certain DOS file attributes, as described earlier. If you're altering the <a class="indexterm" name="ch05-idx-969816-0"></a>create mask, those bits have to be part of the create mask as well.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.2"></a> +directory mask</h4></div></div></div><a class="indexterm" name="ch05-idx-970593-0"></a><p>The argument for this option is an octal number indicating which permission flags may be set at directory creation by a client in a share. The default is 0755, which allows everyone on the Unix side to at most read and traverse the directories, but allows only you to modify them. We recommend the mask 0750, removing access by world users.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.3"></a> +force create mode</h4></div></div></div><a class="indexterm" name="ch05-idx-970594-0"></a><p>This option sets the permission bits that Samba will force to be set when a file permission change is made. It's often used to force group permissions, mentioned previously. It can also be used to preset any of the DOS attributes we mentioned: archive (0100), system (0010), or hidden (0001). This option always takes effect after the <code class="literal">map</code> <code class="literal">archive</code>, <code class="literal">map</code> <code class="literal">system </code>, <code class="literal">map</code> <code class="literal">hidden</code>, and <code class="literal">create</code> <code class="literal">mask</code> options.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Many Windows applications rename their data files to <span class="emphasis"><em>datafile.bak</em></span> and create new ones, thus changing their ownership and permissions so that members of the same Unix group can't edit them. Setting <code class="literal">force create mask = 0660</code> will keep the new file editable by members of the group.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.4"></a> +force directory mode</h4></div></div></div><a class="indexterm" name="ch05-idx-970595-0"></a><p>This option sets the permission bits which Samba will force when a directory permission change is made or a directory is created. It's often used to force group permissions, as mentioned previously. This option defaults to 0000, and can be used just like the <code class="literal">force</code> <code class="literal">create</code> <code class="literal">mode</code> to add group or other permissions if needed. This option always takes effect after the <code class="literal">map</code> <code class="literal">archive</code>, <code class="literal">map</code> <code class="literal">system</code>, <code class="literal">map</code> <code class="literal">hidden</code>, and <code class="literal">directory</code> <code class="literal">mask</code> options.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.5"></a> +force group</h4></div></div></div><a class="indexterm" name="ch05-idx-970596-0"></a><p>This option, sometimes called <code class="literal">group</code>, assigns a static group ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific group to each new file or directory created from an SMB client.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.6"></a> +force user</h4></div></div></div><a class="indexterm" name="ch05-idx-970597-0"></a><p>The <code class="literal">force</code> <code class="literal">user</code> option assigns a static user ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific user to each new file or directory created from an SMB client.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.7"></a> +delete readonly</h4></div></div></div><a class="indexterm" name="ch05-idx-970598-0"></a><p> +<a class="indexterm" name="ch05-idx-969827-0"></a> +<a class="indexterm" name="ch05-idx-969827-1"></a>This option allows a user to delete a directory containing a read-only file. By default, DOS and Windows will not allow such an operation. You probably will want to leave this option turned off unless a program needs this capability; many Windows users would be appalled to find that they'd accidentally deleted a file which they had set read-only. In fact, even the Unix <code class="literal">rm</code> command will ask users if they really want to override the protection and delete read-only files. It's a good idea to have Samba be at least as cautious.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.8"></a> +map archive</h4></div></div></div><a class="indexterm" name="ch05-idx-970600-0"></a><p>The DOS archive bit is used to flag a file that has been changed since it was last archived (e.g., backed up with the DOS archive program.) Setting the Samba option <code class="literal">map</code> <code class="literal">archive</code> <code class="literal">=</code> <code class="literal">yes</code> causes the DOS archive flag to be mapped to the Unix execute-by-owner (0100) bit. It's best to leave this option on if your Windows users are doing their own backups, or are using programs that require the archive bit. Unix lacks the notion of an archive bit entirely. Backup programs typically keep a file that lists what files were backed up on what date, so comparing file modification dates serves the same purpose.</p><p>Setting this option to <code class="literal">yes</code> causes an occasional surprise on Unix when a user notices that a data file is marked as executable, but rarely causes harm. If a user tries to run it, he or she will normally get a string of error messages as the shell tries to execute the first few lines as commands. The reverse is also possible; an executable Unix program looks like it hasn't been backed up recently on Windows. But again, this is rare, and is usually harmless.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.9"></a> +map system</h4></div></div></div><a class="indexterm" name="ch05-idx-970601-0"></a><p>The DOS system attribute is used to indicate files that are required by the operating system, and should not be deleted, renamed, or moved without special effort. Set this option only if you need to store Windows system files on the Unix file server. Executable Unix programs will appear to be non-removable special Windows files when viewed from Windows clients. This may prove mildly inconvenient if you want to move or remove one. For most sites, however, this is fairly harmless.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.10"></a> +map hidden</h4></div></div></div><a class="indexterm" name="ch05-idx-970602-0"></a><p> +<a class="indexterm" name="ch05-idx-969828-0"></a>DOS uses the hidden attribute to indicate that a file should not ordinarily be visible in directory listings. Unix doesn't have such a facility; it's up to individual programs (notably the shell) to decide what to display and what not to display. Normally, you won't have any DOS files that need to be hidden, so the best thing to do is to leave this option turned off.</p><p>Setting this option to <code class="literal">yes</code> causes the server to map the hidden flag onto the executable-by-others bit (0001). This feature can produce a rather startling effect. Any Unix program that is executable by world seems to vanish when you look for it from a Windows client. If this option is not set, however, and a Windows user attempts to mark a file hidden on a Samba share, it will not work—Samba has no place to store the hidden attribute!<a class="indexterm" name="ch05-idx-969791-0"></a> +<a class="indexterm" name="ch05-idx-969791-1"></a> +<a class="indexterm" name="ch05-idx-969791-2"></a> +<a class="indexterm" name="ch05-idx-969791-3"></a> +<a class="indexterm" name="ch05-idx-969791-4"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-30534"></a>Name Mangling and Case</h2></div></div></div><p> +<a class="indexterm" name="ch05-idx-969835-0"></a>Back in the days of DOS and Windows 3.1, every filename was limited to eight upper-case characters, followed by a dot, and three more uppercase characters. This was known as the <em class="firstterm">8.3 format</em> +<a class="indexterm" name="ch05-idx-969833-0"></a> +<a class="indexterm" name="ch05-idx-969833-1"></a>, and was a huge nuisance. Windows 95/98, Windows NT, and Unix have since relaxed this problem by allowing many more case-sensitive characters to make up a filename. <a href="#ch05-24354" title="Table 5.6. Operating System Filename Limitations">Table 5.6</a> shows the current naming state of several popular operating systems.</p><div class="table"><a name="ch05-24354"></a><p class="title"><b>Table 5.6. Operating System Filename Limitations </b></p><div class="table-contents"><table summary="Operating System Filename Limitations " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Operating System</p></th><th><p>File Naming Rules</p></th></tr></thead><tbody><tr><td><p>DOS 6.22 or below</p></td><td><p> +<a class="indexterm" name="ch05-idx-969834-0"></a>Eight characters followed by a dot followed by a three-letter extension (8.3 format); case insensitive</p></td></tr><tr><td><p>Windows 3.1 for Workgroups</p></td><td><p>Eight characters followed by a dot followed by a three-letter extension (8.3 format); case insensitive</p></td></tr><tr><td><p>Windows 95/98</p></td><td><p>127 characters; case sensitive</p></td></tr><tr><td><p>Windows NT</p></td><td><p>127 characters; case sensitive</p></td></tr><tr><td><p>Unix</p></td><td><p>255 characters; case sensitive</p></td></tr></tbody></table></div></div><br class="table-break"><p> +<a class="indexterm" name="ch05-idx-969837-0"></a>Samba still has to remain backwards compatible with network clients who store files only in the 8.3 format, such as Windows for Workgroups. If a user creates a file on a share called <span class="emphasis"><em>antidisestablishmentarianism.txt</em></span>, a Windows for Workgroups client couldn't tell it apart from another file in the same directory called <span class="emphasis"><em>antidisease.txt</em></span>. Like Windows 95/98 and Windows NT, Samba has to employ a special methodology of translating a long filename to an 8.3 filename in such a way that similar filenames will not cause collisions. This is called <em class="firstterm">name mangling</em>, and Samba deals with this in a manner that is similar, but not identical to, Windows 95 and its successors.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-4.1"></a>The Samba Mangling Operation</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969840-0"></a>Here is how Samba mangles a long filename into an 8.3 filename:</p><div class="itemizedlist"><ul type="disc"><li><p>If the original filename does not begin with a dot, up to the first five alphanumeric characters that occur before the last dot (if there is one) are converted to uppercase. These characters are used as the first five characters of the 8.3 mangled filename.</p></li><li><p>If the original filename begins with a dot, the dot is removed and up to the first five alphanumeric characters that occur before the last dot (if there is one) are converted to uppercase. These characters are used as the first five characters of the 8.3 mangled filename.</p></li><li><p>These characters are immediately followed a special mangling character: by default, a tilde (~), although Samba allows you to change this character.</p></li><li><p>The base of the long filename before the last period is hashed into a two-character code; parts of the name after the last dot may be used if necessary. This two character code is appended to the 8.3 filename after the mangling character.</p></li><li><p>The first three characters after the last dot (if there is one) of the original filename are converted to uppercase and appended onto the mangled name as the extension. If the original filename began with a dot, three underscores ( <code class="literal">_ _ _ </code>) are used as the extension instead.</p></li></ul></div><p>Here are some examples:</p><pre class="programlisting">virtuosity.dat VIRTU~F1.DAT +.htaccess HTACC~U0._ _ _ +hello.java HELLO~1F.JAV +team.config.txt TEAMC~04.TXT +antidisestablishmentarianism.txt ANTID~E3.TXT +antidiseast.txt ANTID~9K.TXT</pre><p>Using these rules will allow Windows for Workgroups to differentiate the two files on behalf of the poor individual who is forced to see the network through the eyes of that operating system. Note that the same long filename should always hash to the same mangled name with Samba; this doesn't always happen with Windows. The downside of this approach is that there can still be collisions; however, the chances are greatly reduced.</p><p>You generally want to use the mangling configuration options with only the oldest clients. We recommend doing this without disrupting other clients by adding an <code class="literal">include</code> directive to the <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global] + include = /ucsr/local/samba/lib/smb.conf.%m</pre><p>This resolves to <code class="filename">smb.conf.WfWg</code> when a Window for Workgroups client attaches. Now you can create a file <code class="filename">/usr/local/samba/lib/smb.conf.WfWg</code> which might contain these options:</p><pre class="programlisting">[global] + case sensitive = no + default case = upper + preserve case = no + short preserve case = no + mangle case = yes + mangled names= yes</pre><p>If you are not using Windows for Workgroups 3.1, then you probably do not need to change any of these options from their defaults.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.1.1"></a>Representing and resolving filenames with Samba</h4></div></div></div><p> +<a class="indexterm" name="ch05-idx-969841-0"></a> +<a class="indexterm" name="ch05-idx-969841-1"></a>Another item that we should point out is that there is a difference between how an operating system <span class="emphasis"><em>represents</em></span> a file and how it <span class="emphasis"><em>resolves</em></span> it. For example, if you've used Windows 95/98/NT, you have likely run across a file called <code class="filename">README.TXT</code>. The file can be represented by the operating system entirely in uppercase letters. However, if you open an MS-DOS prompt and enter the command <code class="literal">edit</code> <code class="literal">readme.txt</code>, the all-caps file is loaded into the editing program, even though you typed the name in lowercase letters!</p><p>This is because the Windows 95/98/NT family of operating systems resolves files in a case-insensitive manner, even though the files are represented it in a case-sensitive manner. Unix-based operating systems, on the other hand, always resolve files in a case-sensitive manner; if you try to edit <code class="filename">README.TXT</code> with the command <code class="literal">vi</code> <code class="literal">readme.txt</code>, you will likely be editing the empty buffer of a new file.</p><p>Here is how Samba handles case: if the <code class="literal">preserve</code> <code class="literal">case</code> is set to <code class="literal">yes</code>, Samba will always use the case provided by the operating system for representing (not resolving) filenames. If it is set to <code class="literal">no</code>, it will use the case specified by the <code class="literal">default</code> <code class="literal">case</code> option. The same is true for <code class="literal">short</code> <code class="literal">preserve</code> <code class="literal">case</code>. If this option is set to <code class="literal">yes</code>, Samba will use the default case of the operating system for representing 8.3 filenames; otherwise it will use the case specified by the <code class="literal">default</code> <code class="literal">case</code> option. Finally, Samba will always resolve filenames in its shares based on the value of the <code class="literal">case</code> <code class="literal">sensitive</code> option.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-4.2"></a>Mangling Options</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969842-0"></a>Samba allows you to give it more refined instructions on how it should perform name mangling, including those controlling the case sensitivity, the character inserted to form a mangled name, and the ability to manually map filenames from one format to another. These options are shown in <a href="#ch05-47431" title="Table 5.7. Name Mangling Options">Table 5.7</a>.</p><div class="table"><a name="ch05-47431"></a><p class="title"><b>Table 5.7. Name Mangling Options </b></p><div class="table-contents"><table summary="Name Mangling Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">case sensitive</code></p> + +<p><code class="literal">(casesignames)</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will treat filenames as case-sensitive (Windows doesn't).</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">default case</code></p></td><td><p>(<code class="literal">upper</code> or <code class="literal">lower</code>)</p></td><td><p>Case to assume as default (only used when preserve case is <code class="literal">no</code>).</p></td><td><p>Lower</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">preserve case</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, keep the case the client supplied (i.e., do not convert to <code class="literal">default case</code>).</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">short preserve case</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, preserve case of 8.3-format names that the client provides.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangle case</code></p></td><td><p>boolean</p></td><td><p>Mangle a name if it is mixed case.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangled names</code></p></td><td><p>boolean</p></td><td><p>8.3 DOS format.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangling char</code></p></td><td><p>string (single character)</p></td><td><p>Gives mangling character.</p></td><td><p><code class="literal">~</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangled stack</code></p></td><td><p>numerical</p></td><td><p>Number of mangled names to keep on the local mangling stack.</p></td><td><p><code class="literal">50</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">mangled map</code></p></td><td><p>string (list of patterns)</p></td><td><p>Allows mapping of filenames from one format into another.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.1"></a>case sensitive</h4></div></div></div><p> +<a class="indexterm" name="ch05-idx-969856-0"></a>This share-level option, which has the obtuse synonym <code class="literal">casesignames</code>, specifies whether Samba should preserve case when resolving filenames in a specific share. The default value for this option is <code class="literal">no</code>, which is how Windows handles file resolution. If clients are using an operating system that takes advantage of case-sensitive filenames, you can set this configuration option to <code class="literal">yes</code> as shown here:</p><pre class="programlisting">[accounting] + case sensitive = yes</pre><p>Otherwise, we recommend that you leave this option set to its default.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.2"></a>default case</h4></div></div></div><p>The <code class="literal">default</code> +<a class="indexterm" name="ch05-idx-970606-0"></a> <code class="literal">case</code> option is used with <code class="literal">preserve</code> <code class="literal">case</code>. This specifies the default case (upper or lower) that Samba will use when it creates a file on one of its shares on behalf of a client. The default case is <code class="literal">lower</code>, which means that newly created files will use the mixed-case names given to them by the client. If you need to, you can override this global option by specifying the following:</p><pre class="programlisting">[global] + default case = upper</pre><p>If you specify this value, the names of newly created files will be translated into uppercase, and cannot be overridden in a program. We recommend that you use the default value unless you are dealing with a Windows for Workgroups or other 8.3 client, in which case it should be <code class="literal">upper</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.3"></a> +preserve case</h4></div></div></div><a class="indexterm" name="ch05-idx-970607-0"></a><p>This option specifies whether a file created by Samba on behalf of the client is created with the case provided by the client operating system, or the case specified by the <code class="literal">default</code> <code class="literal">case</code> configuration option above. The default value is <code class="literal">yes</code>, which uses the case provided by the client operating system. If it is set to <code class="literal">no</code>, the value of the <code class="literal">default</code> <code class="literal">case</code> option is used.</p><p>Note that this option does not handle 8.3 file requests sent from the client—see the <code class="literal">short</code> <code class="literal">preserve</code> <code class="literal">case</code> option below. You may want to set this option to <code class="literal">yes</code> if applications that create files on the Samba server are sensitive to the case used when creating the file. If you want to force Samba, for example, to mimic the behavior of a Windows NT filesystem, you can leave this option to its default, <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.4"></a>short preserve case</h4></div></div></div><a class="indexterm" name="ch05-idx-970608-0"></a><p>This option specifies whether an 8.3 filename created by Samba on behalf of the client is created with the default case of the client operating system, or the case specified by the <code class="literal">default</code> <code class="literal">case</code> configuration option. The default value is <code class="literal">yes</code>, which uses the case provided by the client operating system. You can let Samba choose the case through the <code class="literal">default</code> <code class="literal">case</code> option by setting it as follows:</p><pre class="programlisting">[global] + short preserve case = no</pre><p>If you want to force Samba to mimic the behavior of a Windows NT filesystem, you can leave this option set to its default, <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.5"></a> +mangled names</h4></div></div></div><a class="indexterm" name="ch05-idx-970609-0"></a><p>This share-level option specifies whether Samba will mangle filenames for 8.3 clients in that share. If the option is set to <code class="literal">no</code>, Samba will not mangle the names and (depending on the client), they will either be invisible or appear truncated to those using 8.3 operating systems. The default value is <code class="literal">yes</code>. You can override it per share as follows:</p><pre class="programlisting">[data] + mangled names = no</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.6"></a> +mangle case</h4></div></div></div><a class="indexterm" name="ch05-idx-970610-0"></a><p>This option tells Samba whether it should mangle filenames that are not composed entirely of the case specified using the <code class="literal">default</code> <code class="literal">case</code> configuration option. The default for this option is <code class="literal">no</code>. If you set it to <code class="literal">yes</code>, you should be sure that all clients will be able to handle the mangled filenames that result. You can override it per share as follows:</p><pre class="programlisting">[data] + mangle case = yes</pre><p>We recommend that you leave this option alone unless you have a well-justified need to change it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.7"></a> +mangling char</h4></div></div></div><a class="indexterm" name="ch05-idx-970611-0"></a><p>This share-level option specifies the mangling character used when Samba mangles filenames into the 8.3 format. The default character used is a tilde (~). You can reset it to whatever character you wish, for instance:</p><pre class="programlisting">[data] + mangling char = #</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.8"></a> +mangled stack</h4></div></div></div><a class="indexterm" name="ch05-idx-970612-0"></a><p>Samba maintains a local stack of recently mangled 8.3 filenames; this stack can be used to reverse map mangled filenames back to their original state. This is often needed by applications that create and save a file, close it, and need to modify it later. The default number of long filename/mangled filename pairs stored on this stack is 50. However, if you want to cut down on the amount of processor time used to mangle filenames, you can increase the size of the stack to whatever you wish, at the expense of memory and slightly slower file access.</p><pre class="programlisting">[global] + mangled stack = 100</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.9"></a> +mangled map</h4></div></div></div><a class="indexterm" name="ch05-idx-970613-0"></a><p>If the default behavior of name mangling is not sufficient, you can give Samba further instructions on how to behave using the <code class="literal">mangled</code> <code class="literal">map</code> option. This option allows you to specify mapping patterns that can be used before or even in place of name mangling performed by Samba. For example:</p><pre class="programlisting">[data] + mangled map =(*.database *.db) (*.class *.cls)</pre><p>Here, Samba is instructed to search each file it encounters for characters that match the first pattern specified in the parenthesis and convert them to the modified second pattern in the parenthesis for display on an 8.3 client. This is useful in the event that name mangling converts the filename incorrectly or to a format that the client cannot understand<a class="indexterm" name="ch05-idx-969851-0"></a> readily. Patterns are separated by whitespaces.<a class="indexterm" name="ch05-idx-969845-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-75933"></a>Locks and Oplocks</h2></div></div></div><p> +<a class="indexterm" name="ch05-idx-969857-0"></a> +<a class="indexterm" name="ch05-idx-969857-1"></a>Concurrent writes to a single file are not desirable in any operating system. To prevent this, most operating systems use <em class="firstterm">locks</em> to guarantee that only one process can write to a file at a time. Operating systems traditionally lock entire files, although newer ones allow a range of bytes within a file to be locked. If another process attempts to write to a file (or section of one) that is already locked, it will receive an error from the operating system and will wait until the lock is released.</p><p>Samba supports the standard DOS and NT filesystem (deny-mode) locking requests, which allow only one process to write to an entire file on a server at a give time, as well as byte-range locking. In addition, Samba supports a new locking mechanism known in the Windows NT world as <em class="firstterm">opportunistic locking—</em><span class="emphasis"><em>oplock</em></span> for short.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-5.1"></a>Opportunistic Locking</h3></div></div></div><p>Opportunistic locking allows a client to notify the Samba server that it will not only be the exclusive writer of a file, but will also cache its changes to that file on its own machine (and not on the Samba server) in order to speed up file access for that client. When Samba knows that a file has been opportunistically locked by a client, it marks its version as having an opportunistic lock and waits for the client to complete work on the file, at which point it expects the client to send the final changes back to the Samba server for synchronization.</p><p>If a second client requests access to that file before the first client has finished working on it, Samba can send an <em class="firstterm">oplock break</em> +<a class="indexterm" name="ch05-idx-969865-0"></a> request to the first client. This tells the client to stop caching its changes and return the current state of the file to the server so that the interrupting client can use it as it sees fit. An opportunistic lock, however, is not a replacement for a standard deny-mode lock. It is not unheard of for the interrupting process to be granted an oplock break only to discover that the original process also has a deny-mode lock on a file as well. <a href="#ch05-74304" title="Figure 5.8. Opportunistic locking">Figure 5.8</a> illustrates this opportunistic locking process.</p><div class="figure"><a name="ch05-74304"></a><p class="title"><b>Figure 5.8. Opportunistic locking</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 314px"><td><img src="figs/sam.0508.gif" height="314" alt="Opportunistic locking"></td></tr></table></div></div></div><br class="figure-break"><p>In terms of locks, we highly recommend using the defaults provided by Samba: standard DOS/Windows deny-mode locks for compatibility and oplocks for the extra performance that local caching allows. If your operating system can take advantage of oplocks, it should provide significant performance improvements. Unless you have a specific reason for changing any of these options, it's best to leave them as they are.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-5.2"></a>Unix and Locking</h3></div></div></div><p> +<a class="indexterm" name="ch05-idx-969866-0"></a> +<a class="indexterm" name="ch05-idx-969866-1"></a>Windows systems cooperate well to avoid overwriting each other's changes. But if a file stored on a Samba system is accessed by a Unix process, this process won't know a thing about Windows oplocks and could easily ride roughshod over a lock. Some Unix systems have been enhanced to understand the Windows oplocks maintained by Samba. Currently the support exists only in SGI Irix 6.5.2f and later; Linux and FreeBSD should soon follow.</p><p>If you have a system that understands oplocks, set <code class="literal">kernel</code> <code class="literal">oplocks</code> <code class="literal">=</code> <code class="literal">yes</code> in the Samba configuration file. That should eliminate conflicts between Unix processes and Windows users.</p><p>If your system does not support kernel oplocks, you could end up with corrupted data when somebody runs a Unix process that reads or writes a file that Windows users also access. However, Samba provides a rough protection mechanism in the absence of kernel oplocks: the <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code> option. If you can anticipate which Samba files are used by both Windows users and Unix users, set their names in a <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code> option. This will suppress the use of oplocks on matching filenames, which will supress client caching, and let the Windows and Unix programs use system locking or update times to detect competition for the same file. A sample option is:</p><pre class="programlisting">veto oplock files = /*.dbm/</pre><p>This option allows both Unix processes and Windows users to edit files ending in the suffix <span class="emphasis"><em>.dbm</em></span>. Note that the syntax of this option is similar to <code class="literal">veto</code> <code class="literal">files</code>.</p><p>Samba's options for locks and oplocks are given in <a href="#ch05-53407" title="Table 5.8. Locks and Oplocks Configuration Options">Table 5.8</a>.</p><div class="table"><a name="ch05-53407"></a><p class="title"><b>Table 5.8. Locks and Oplocks Configuration Options </b></p><div class="table-contents"><table summary="Locks and Oplocks Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">share modes</code></p></td><td><p> +<a class="indexterm" name="ch05-idx-969867-0"></a> +<a class="indexterm" name="ch05-idx-969867-1"></a>boolean</p></td><td><p>If set to <code class="literal">yes</code>, turns on support for DOS-style whole-file locks.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">locking</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, turns on byte-range locks.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">strict locking</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, denies access to an entire file if a byte-range lock exists in it.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">oplocks</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, turn on local caching of files on the client for this share.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">kernel oplocks</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, indicates that the kernel supports oplocks.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">fake oplocks</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, tells client the lock was obtained, but doesn't actually lock it.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">blocking locks </code></p></td><td><p>boolean</p></td><td><p>Allows lock requestor to wait for the lock to be granted.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">veto oplock files</code></p></td><td><p>string (list of filenames)</p></td><td><p>Does not oplock specified files.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lock directory</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the location where various Samba files, including locks, are stored.</p></td><td><p>As specified in Samba makefile</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.1"></a>share modes</h4></div></div></div><p>The most primitive locks available to Samba are deny-mode locks, known as <em class="firstterm">share modes</em> +<a class="indexterm" name="ch05-idx-969868-0"></a> +<a class="indexterm" name="ch05-idx-969868-1"></a>, which are employed by programs such as text editors to avoid accidental overwriting of files. For reference, the deny-mode locks are listed in <a href="#ch05-55885" title="Table 5.9. SMB Deny-Mode Locks">Table 5.9</a>.</p><div class="table"><a name="ch05-55885"></a><p class="title"><b>Table 5.9. SMB Deny-Mode Locks </b></p><div class="table-contents"><table summary="SMB Deny-Mode Locks " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Lock</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">DENY_NONE</code></p></td><td><p>Do not deny any other file requests.</p></td></tr><tr><td><p><code class="literal">DENY_ALL</code></p></td><td><p>Deny all open requests on the current file.</p></td></tr><tr><td><p><code class="literal">DENY_READ</code></p></td><td><p>Deny any read-only open requests on the current file.</p></td></tr><tr><td><p><code class="literal">DENY_WRITE</code></p></td><td><p>Deny any write-only open requests on the current file.</p></td></tr><tr><td><p><code class="literal">DENY_DOS</code></p></td><td><p>If opened for reading, others can read but cannot write to the file. If opened for writing, others cannot open the file at all.</p></td></tr><tr><td><p><code class="literal">DENY_FCB</code></p></td><td><p>Obsolete.</p></td></tr></tbody></table></div></div><br class="table-break"><p>The <code class="literal">share</code> <code class="literal">modes</code> parameter, which enforces the use of these locks, is enabled by default. To disable it, use the following command:</p><pre class="programlisting">[accounting] + share modes = no</pre><p>We highly recommend against disabling the default locking mechanism unless you have a justifiable reason for doing so. Most Windows and DOS applications rely on these locking mechanisms in order to work correctly, and will complain bitterly if this functionality is taken away.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.2"></a>locking</h4></div></div></div><p>The<a class="indexterm" name="ch05-idx-970616-0"></a> <code class="literal">locking</code> option can be used to tell Samba to engage or disengage server-side byte-range locks on behalf of the client. Samba implements byte-range locks on the server side with normal Unix advisory locks and will consequently prevent other properly-behaved Unix processes from overwriting a locked byte range.</p><p>This option can be specified per share as follows:</p><pre class="programlisting">[accounting] + locking = yes</pre><p>If the <code class="literal">locking</code> option is set to <code class="literal">yes</code>, the requestor will be delayed until the holder of either type of lock releases it (or crashes). If, however, the option is set to <code class="literal">no</code>, no byte-range locks will be kept for the files, although requests to lock and unlock files will appear to succeed. The option is set to <code class="literal">yes</code> by default; however, you can turn this option off if you have read-only media.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.3"></a> +strict locking</h4></div></div></div><a class="indexterm" name="ch05-idx-970617-0"></a><p>This option checks every file access for a byte-range lock on the range of bytes being accessed. This is typically not needed if a client adheres to all the locking mechanisms in place. This option is set to <code class="literal">no</code> by default; however, you can reset it per share as follows:</p><pre class="programlisting">[accounting] + strict locking = yes</pre><p>If this option is set to <code class="literal">yes</code>, mandatory locks are enforced on any file with byte-range locks.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.4"></a> +blocking locks</h4></div></div></div><a class="indexterm" name="ch05-idx-970618-0"></a><p>Samba also supports <em class="firstterm">blocking locks</em>, a minor variant of range locks. Here, if the range of bytes is not available, the client specifies an amount of time that it's willing to wait. The server then caches the lock request, periodically checking to see if the file is available. If it is, it notifies the client; however, if time expires, Samba will tell the client that the request has failed. This strategy prevents the client from continually polling to see if the lock is available.</p><p>You can disable this option per share as follows:</p><pre class="programlisting">[accounting] + blocking locks = no</pre><p>When set to <code class="literal">yes</code>, blocking locks will be enforced on the file. If this option is set to <code class="literal">no</code>, Samba behaves as if normal locking mechanisms are in place on the file. The default is <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.5"></a> +oplocks</h4></div></div></div><a class="indexterm" name="ch05-idx-970619-0"></a><p>This option enables or disables support for oplocks on the client. The option is enabled by default. However, you can disable it with the following command:</p><pre class="programlisting">[data] + oplocks = no</pre><p>If you are in an extremely unstable network environment or have many clients that cannot take advantage of opportunistic locking, it may be better to shut this Samba feature off. Oplocks should be disabled if you are accessing the same files from both Unix applications (such as <span class="emphasis"><em>vi</em></span> ) and SMB clients (unless you are lucky enough to have an operating system that supports kernel oplocks as discussed earlier).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.6"></a> +fake oplocks</h4></div></div></div><a class="indexterm" name="ch05-idx-970620-0"></a><p>Before opportunistic locking was available on Samba, the Samba daemons pretended to allow oplocks via the <code class="literal">fake</code> <code class="literal">oplocks</code> option. If this option was enabled, all clients were told that the file is available for opportunistic locking, and never warned of simultaneous access. This option is deprecated now that real oplocks are available on Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.7"></a> +kernel oplocks</h4></div></div></div><a class="indexterm" name="ch05-idx-970621-0"></a><p>If a Unix application separate from Samba tries to update a file that Samba has oplocked to a Windows client, it will likely succeed (depending on the operating system) and both Samba and the client will never be aware of it. However, if the local Unix operating system supports it, Samba can warn it of oplocked files, which can suspend the Unix process, notify the client via Samba to write its copy back, and only then allow the open to complete. Essentially, this means that the operating system kernel on the Samba system has the ability to handle oplocks as well as Samba.</p><p>You can enable this behavior with the <code class="literal">kernel</code> <code class="literal">oplocks</code> option, as follows:</p><pre class="programlisting">[global] + kernel oplocks = yes</pre><p>Samba can automatically detect kernel oplocks and use them if present. At the time of this writing, this feature is supported only by SGI Irix 6.5.2f and later. However, Linux and FreeBSD support are expected in the near future. A system without kernel oplocks will allow the Unix process to update the file, but the client programs will notice the change only at a later time, if at all.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.8"></a> +veto oplock files</h4></div></div></div><a class="indexterm" name="ch05-idx-970622-0"></a><p>You can provide a list of filenames that are never granted opportunistic locks with the <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code> option. This option can be set either globally or on a per-share basis. For example:</p><pre class="programlisting">veto oplock files = /*.bat/*.htm/</pre><p>The value of this option is a series of patterns. Each pattern entry must begin, end, or be separated from another with a slash ( / ) character, even if there is only one pattern listed. Asterisks can be used as a wildcard to represent zero or more characters. Questions marks can be used to represent exactly one character.</p><p>We recommend that you disable oplocks on any files that are meant to be updated by Unix or are intended to be shared by several processes simultaneously.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.9"></a> +lock directory</h4></div></div></div><a class="indexterm" name="ch05-idx-970623-0"></a><p>This option (sometimes called <code class="literal">lock</code> <code class="literal">dir</code>) specifies the location of a directory where Samba will store SMB deny-mode lock files. Samba stores other files in this directory as well, such as browse lists and its shared memory file. If WINS is enabled, the WINS database is written to this directory as well. The default for this option is specified in the Samba makefile; it is typically <code class="filename">/usr/local/samba/var/locks</code>. You can override this location as follows:</p><pre class="programlisting">[global] + lock directory = /usr/local/samba/locks</pre><p>You typically would not need to override this option, unless you want to move the lock files to a more standardized location, such<a class="indexterm" name="ch05-idx-969871-0"></a> +<a class="indexterm" name="ch05-idx-969871-1"></a> as<a class="indexterm" name="ch05-idx-969860-0"></a> +<a class="indexterm" name="ch05-idx-969860-1"></a> +<a class="indexterm" name="ch05-idx-969860-2"></a> <code class="filename">/var/spool/locks</code>.<a class="indexterm" name="ch05-idx-969562-0"></a></p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch05-pgfId-964268" href="#ch05-pgfId-964268">1</a>] </sup>The system checkbox will probably be greyed for your file. Don't worry about that—you should still be able to see when the box is checked and when it isn't.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-6"></a>Chapter 6. Users, Security, and Domains </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch06-92902">6.1. Users and Groups</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-1.1">6.1.1. The [ homes] Share</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-27678">6.2. Controlling Access to Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-2.1">6.2.1. Guest Access</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.2">6.2.2. Access Control Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.3">6.2.3. Username Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-88596">6.3. Authentication Security</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-3.1">6.3.1. Share-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.2">6.3.2. User-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.3">6.3.3. Server-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.4">6.3.4. Domain-level Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-61393">6.4. Passwords</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-4.0.1">6.4.1. Disabling encrypted passwords on the client</a></span></dt><dt><span class="sect2"><a href="#ch06-17782">6.4.2. The smbpasswd File</a></span></dt><dt><span class="sect2"><a href="#ch06-97004">6.4.3. Password Synchronization</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-4.3">6.4.4. Password Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-23084">6.5. Windows Domains</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-36822">6.5.1. Configuring Samba for Windows Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.2">6.5.2. Configuring Windows Clients for Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.3">6.5.3. Domain Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-38153">6.6. Logon Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-6.0.1">6.6.1. Roaming profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.0.2">6.6.2. Mandatory profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.1">6.6.3. Logon Script Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.2">6.6.4. Other Connection Scripts</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.3">6.6.5. Working with NIS and NFS</a></span></dt></dl></dd></dl></div><p>This chapter discusses how to configure users with the Samba server. This topic may seem straightforward at first, but you'll soon discover that there are several ancillary problems that can crop up. One issue that Samba administrators have difficulty with is user authentication—password and security problems are by far the most common support questions on the Samba mailing lists. Learning why various authentication mechanisms work on certain architectures (and don't on others) can save you a tremendous amount of time testing and debugging Samba users in the future.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-92902"></a>Users and Groups</h2></div></div></div><p> +<a class="indexterm" name="ch06-idx-967489-0"></a> +<a class="indexterm" name="ch06-idx-967489-1"></a>Before we start, we need to warn you up front that if you are connecting to Samba with a Windows 98 or NT 4.0 Workstation SP3, you need to configure your server for encrypted passwords before you can make a connection; otherwise, the clients will refuse to connect to the Samba server. This is because each of those Windows clients sends encrypted passwords, and Samba needs to be configured to expect and decrypt them. We'll show you how to set up Samba for this task later in the chapter, assuming you haven't already tackled this problem in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><p> +<a class="indexterm" name="ch06-idx-967590-0"></a> +<a class="indexterm" name="ch06-idx-967590-1"></a>Let's start with a single user. The easiest way to set up a client user is to create a Unix account (and <a class="indexterm" name="ch06-idx-967591-0"></a>home directory) for that individual on the server, and notify Samba of the user's existence. You can do the latter by creating a disk share that maps to the user's home directory in the Samba configuration file, and restricting access to that user with the <code class="literal">valid</code> <code class="literal">users</code> option. For example:</p><pre class="programlisting">[dave] + path = /home/dave + comment = Dave's home directory + writeable = yes +<span class="bold"><strong> valid users = dave</strong></span></pre><p>The <code class="literal">valid</code> <code class="literal">users</code> option lists the users that will be allowed to access the share. In this case, only the user <code class="literal">dave</code> is allowed to access the share. In the previous chapters, we specified that any user could access a disk share using the <code class="literal">guest</code> <code class="literal">ok</code> parameter. Because we don't wish to allow guest access, that option is absent here. We could grant both authenticated users and guest users access to a specific share if we wanted to. The difference between the two typically involves access rights for each of the files.</p><p>Remember that you can abbreviate the user's home directory by using the <code class="literal">%H</code> variable. In addition, you can use the Unix username variable <code class="literal">%u</code> and/or the client username variable <code class="literal">%U</code> in your options as well. For example:</p><pre class="programlisting">[dave] + comment = %U home directory + writeable = yes + valid users = dave + path = %H</pre><p>Both of these examples work as long as the Unix user that Samba uses to represent the client has read/write access to the directory referenced by the <code class="literal">path</code> option. In other words, a client must first pass Samba's security mechanisms (e.g., encrypted passwords, the <code class="literal">valid users</code> option, etc.) as well as the normal Unix file and directory permissions of its Unix-side user <span class="emphasis"><em>before</em></span> it can gain read/write access to a share.</p><p>With a single user accessing a home directory, access permissions are taken care of when the operating system creates the user account. However, if you're creating a shared directory for group access, there are a few more steps you need to perform. Let's take a stab at a group share for the accounting department in the <span class="emphasis"><em>smb.conf</em></span> file:</p><pre class="programlisting">[accounting] + comment = Accounting Department Directory + writeable = yes + valid users = @account + path = /home/samba/accounting + create mode = 0660 + directory mode = 0770</pre><p>The first thing that you might notice we did differently is to specify <code class="literal">@account</code> as the valid user instead of one or more individual usernames. This is shorthand for saying that the valid users are represented by the Unix group <code class="literal">account</code>. These users will need to be added to the group entry <code class="literal">account</code> in the system group file ( <code class="filename">/etc/group</code> or equivalent) to be recognized as part of the group. Once they are, Samba will recognize those users as valid users for the share.</p><p>In addition, you will need to create a <a class="indexterm" name="ch06-idx-967592-0"></a>shared directory that the members of the group can access, which is pointed to by the <code class="literal">path</code> configuration option. Here are the Unix commands that create the shared directory for the accounting department (assuming <span class="emphasis"><em>/home/samba</em></span> already exists):</p><pre class="programlisting"># <span class="bold"><strong>mkdir /home/samba/accounting</strong></span># <span class="bold"><strong>chgrp account /home/samba/accounting</strong></span># <span class="bold"><strong>chmod 770 /home/samba/accounting</strong></span></pre><p>There are two other options in this <code class="filename">smb.conf</code> example, both of which we saw in the previous chapter. These options are <code class="literal">create</code> <code class="literal">mode</code> and <code class="literal">directory</code> <code class="literal">mode</code>. These options set the maximum file and directory permissions that a new file or directory can have. In this case, we have denied all world access to the contents of this share. (This is reinforced by the <span class="emphasis"><em>chmod</em></span> command, shown earlier.).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-1.1"></a>The [ homes] Share</h3></div></div></div><p>Let's return to user shares for a moment. If we have several users to set up home directory shares for, we probably want to use the special <code class="literal">[homes]</code> share that we introduced in <a href="#SAMBA-CH-5" title="Chapter 5. Browsing and Advanced Disk Shares">Chapter 5</a>. With the <code class="literal">[homes]</code> +<a class="indexterm" name="ch06-idx-967594-0"></a> +<a class="indexterm" name="ch06-idx-967594-1"></a> share, all we need to say is:</p><pre class="programlisting">[homes] + browsable = no + writable = yes</pre><p>The <code class="literal">[homes]</code> share is a special section of the Samba configuration file. If a user attempts to connect to an ordinary share that doesn't appear in the <code class="filename">smb.conf</code> file (such as specifying it with a UNC in Windows Explorer), Samba will search for a <code class="literal">[homes]</code> share. If one exists, the incoming share name is assumed to be a username and is queried as such in the password database ( <code class="filename">/etc/passwd</code> or equivalent) file of the Samba server. If it appears, Samba assumes the client is a Unix user trying to connect to his or her home directory.</p><p>As an illustration, let's assume that <code class="literal">sofia</code> is attempting to connect to a share called [<code class="literal">sofia]</code> on the Samba server. There is no share by that name in the configuration file, but a <code class="literal">[homes]</code> share exists and user <code class="literal">sofia</code> is present in the password database, so Samba takes the following steps:</p><div class="orderedlist"><ol type="1"><li><p>Samba creates a new disk share called <code class="literal">[sofia]</code> with the <code class="literal">path</code> specified in the <code class="literal">[homes]</code> section. If there is no <code class="literal">path</code> option specified in <code class="literal">[homes]</code>, Samba initializes it to her home directory.</p></li><li><p>Samba initializes the new share's options from the defaults in <code class="literal">[globals]</code>, and any overriding options in <code class="literal">[homes]</code> with the exception of <code class="literal">browseable</code>.</p></li><li><p>Samba connects <code class="literal">sofia</code>'s client to that share.</p></li></ol></div><p>The <code class="literal">[homes]</code> share is a fast, painless way to create shares for your user community without having to duplicate the information from the password database file in the <code class="filename">smb.conf</code> file. It does have some peculiarities, however, that we need to point out:</p><div class="itemizedlist"><ul type="disc"><li><p>The <code class="literal">[homes]</code> section can represent any account on the machine, which isn't always desirable. For example, it can potentially create a share for <span class="emphasis"><em>root</em></span>, <span class="emphasis"><em>bin</em></span>, <span class="emphasis"><em>sys</em></span>, <span class="emphasis"><em>uucp</em></span>, and the like. (You can set a global <code class="literal">invalid</code> <code class="literal">users</code> option to protect against this.)</p></li><li><p>The meaning of the <code class="literal">browseable</code> configuration option is different from other shares; it indicates only that a <code class="literal">[homes]</code> section won't show up in the local browse list, not that the <code class="literal">[alice]</code> share won't. When the <code class="literal">[alice]</code> section is created (after the initial connection), it will use the browsable value from the <code class="literal">[globals]</code> section for that share, not the value from <code class="literal">[homes]</code>.</p></li></ul></div><p>As we mentioned, there is no need for a path statement in <code class="literal">[homes]</code> if the users have Unix home directories in the server's <code class="filename">/etc/passwd</code> file. You should ensure that a valid home directory does exist, however, as Samba will not automatically create a home directory for a user, and will refuse a tree connect if the user's directory does not exist or is not accessible.<a class="indexterm" name="ch06-idx-967568-0"></a> +<a class="indexterm" name="ch06-idx-967568-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-27678"></a>Controlling Access to Shares</h2></div></div></div><p> +<a class="indexterm" name="ch06-idx-967497-0"></a> +<a class="indexterm" name="ch06-idx-967497-1"></a>Often you will need to restrict the users who can access a specific share for security reasons. This is very easy to do with Samba since it contains a wealth of options for creating practically any security configuration. Let's introduce a few configurations that you might want to use in your own Samba setup.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Again, if you are connecting with Windows 98 or NT 4.0 with Service Pack 3 (or above), those clients will send encrypted passwords to the Samba server. If Samba is not configured for this, it will continually refuse the connection. This chapter describes how to set up Samba for encrypted passwords. See <a href="#ch06-61393" title="Passwords">Section 6.4</a>.</p></div><p>We've seen what happens when you specify valid users. However, you are also allowed to specify a list of invalid <a class="indexterm" name="ch06-idx-967599-0"></a>users—users who should never be allowed access to Samba or its shares. This is done with the <code class="literal">invalid</code> <code class="literal">users</code> option. We hinted at one frequent use of this option earlier: a global default with the <code class="literal">[homes]</code> section to ensure that various system users and superusers cannot be forged for access. For example:</p><pre class="programlisting">[global] + invalid users = root bin daemon adm sync shutdown \ + halt mail news uucp operator gopher + auto services = dave peter bob + +[homes] + browsable = no + writeable = yes</pre><p>The <code class="literal">invalid</code> <code class="literal">users</code> option, like <code class="literal">valid</code> <code class="literal">users</code>, can take group names as well as usernames. In the event that a user or group appears in both lists, the <code class="literal">invalid</code> <code class="literal">users</code> option takes precedence and the user or group will be denied access to the share.</p><p>At the other end of the spectrum, you can explicitly specify users who will be allowed <a class="indexterm" name="ch06-idx-967600-0"></a> +<a class="indexterm" name="ch06-idx-967600-1"></a> +<a class="indexterm" name="ch06-idx-967600-2"></a>superuser (root) access to a share with the <code class="literal">admin</code> <code class="literal">users</code> option. An example follows:</p><pre class="programlisting">[sales] + path = /home/sales + comment = Fiction Corp Sales Data + writeable = yes + valid users = tom dick harry + admin users = mike</pre><p>This option takes both group names and usernames. In addition, you can specify NIS netgroups by preceding them with an <code class="literal">@</code> as well; if the netgroup is not found, Samba will assume that you are referring to a standard Unix group.</p><p>Be careful if you assign an entire <a class="indexterm" name="ch06-idx-967601-0"></a>group administrative privileges to a share. The Samba team highly recommends you avoid using this option, as it essentially gives root access to the specified users or groups for that share.</p><p>If you wish to force <a class="indexterm" name="ch06-idx-967602-0"></a> +<a class="indexterm" name="ch06-idx-967602-1"></a>read-only or read-write access to users who access a share, you can do so with the <code class="literal">read</code> <code class="literal">list</code> and <code class="literal">write</code> <code class="literal">list</code> options, respectively. These options can be used on a per-share basis to restrict a writable share or grant write access to specific users in a read-only share, respectively. For example:</p><pre class="programlisting">[sales] + path = /home/sales + comment = Fiction Corp Sales Data + read only = yes + write list = tom dick</pre><p>The <code class="literal">write</code> <code class="literal">list</code> option cannot override <a class="indexterm" name="ch06-idx-968868-0"></a>Unix permissions. If you've created the share without giving the write-list user write permission on the Unix system, he or she will be denied write access regardless of the setting of <code class="literal">write</code> <code class="literal">list</code>.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-2.1"></a>Guest Access</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967606-0"></a>As mentioned earlier, you can specify users who have guest access to a share. The options that control guest access are easy to work with. The first option, <code class="literal">guest</code> <code class="literal">account</code>, specifies the Unix account that guest users should be assigned when connecting to the Samba server. The default value for this is set during compilation, and is typically <code class="literal">nobody</code>. However, you may want to reset the guest user to <code class="literal">ftp</code> if you have trouble accessing various system services.</p><p>If you wish to restrict access in a share only to guests—in other words, all clients connect as the guest account when accessing the share—you can use the <code class="literal">guest</code> <code class="literal">only</code> option in conjunction with the <code class="literal">guest ok</code> option, as shown in the following example:</p><pre class="programlisting">[sales] + path = /home/sales + comment = Fiction Corp Sales Data + writeable = yes + guest ok = yes + guest account = ftp + guest only = yes</pre><p>Make sure you specify <code class="literal">yes</code> for both <code class="literal">guest only</code> and <code class="literal">guest ok</code> in this scenario; otherwise, Samba will not use the guest acount that you specify.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-2.2"></a>Access Control Options</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967608-0"></a><a href="#ch06-28077" title="Table 6.1. Share-level Access Options">Table 6.1</a> summarizes the options that you can use to control access to shares.</p><div class="table"><a name="ch06-28077"></a><p class="title"><b>Table 6.1. Share-level Access Options </b></p><div class="table-contents"><table summary="Share-level Access Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">admin users</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users who can perform operations as root.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">valid users</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that can connect to a share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">invalid users</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that will be denied access to a share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">read list</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that have read-only access to a writable share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">write list</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that have read-write access to a read-only share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">max connections</code></p></td><td><p>numerical</p></td><td><p>Indicates the maximum number of connections for a share at a given time.</p></td><td><p><code class="literal">0</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">guest only (only guest)</code></p></td><td><p>boolean</p></td><td><p>Specifies that this share allows only guest access.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">guest account</code></p></td><td><p>string (name of account)</p></td><td><p>Names the Unix account that will be used for guest access.</p></td><td><p><code class="literal">nobody</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.1"></a> +admin users</h4></div></div></div><a class="indexterm" name="ch06-idx-969448-0"></a><p>This option specifies a list of users that perform file operations as if they were <code class="literal">root</code>. This means that they can modify or destroy any other user's work, no matter what the permissions. Any files that they create will have root ownership and will use the default group of the admin user. The <code class="literal">admin</code> <code class="literal">users</code> option is used to allow PC users to act as administrators for particular shares. We urge you to avoid this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.2"></a>v +alid users and invalid users</h4></div></div></div><a class="indexterm" name="ch06-idx-969449-0"></a><a class="indexterm" name="ch06-idx-969449-1"></a><p>These two options let you enumerate the users and groups who are granted or denied access to a particular share. You can enter a list of comma-delimited users, or indicate an NIS or Unix group name by prefixing the name with an at-sign (<code class="literal">@</code>).</p><p>The important rule to remember with these options is that any name or group in the <code class="literal">invalid</code> <code class="literal">users</code> list will <span class="emphasis"><em>always</em></span> be denied access, even if it is included (in any form) in the <code class="literal">valid</code> <code class="literal">users</code> list. By default, neither option has a value associated with it. If both options have no value, any user is allowed to access the share.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.3"></a> + +read list and write list</h4></div></div></div><a class="indexterm" name="ch06-idx-969450-0"></a><a class="indexterm" name="ch06-idx-969450-1"></a><p>Like the <code class="literal">valid</code> <code class="literal">users</code> <code class="literal">and</code> <code class="literal">invalid</code> <code class="literal">users</code> options, this pair of options specifies which users have read-only access to a writeable share and read-write access to a read-only share, respectively. The value of either options is a list of users. <code class="literal">read</code> <code class="literal">list</code> overrides any other Samba permissions granted—as well as Unix file permissions on the server system—to deny users write access. <code class="literal">write</code> <code class="literal">list</code> overrides other Samba permissions to grant write access, but cannot grant write access if the user lacks write permissions for the file on the Unix system. You can specify NIS or Unix group names by prefixing the name with an at sign (such as <code class="literal">@users</code>). Neither configuration option has a default value associated with it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.4"></a> +max connections</h4></div></div></div><a class="indexterm" name="ch06-idx-969451-0"></a><p>This option specifies the maximum number of client connections that a share can have at any given time. Any connections that are attempted after the maximum is reached will be rejected. The default value is <code class="literal">0</code>, which means that an unlimited number of connections are allowed. You can override it per share as follows:</p><pre class="programlisting">[accounting] + max connections = 30</pre><p>This option is useful in the event that you need to limit the number of users who are accessing a licensed program or piece of data concurrently.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.5"></a> +guest only</h4></div></div></div><a class="indexterm" name="ch06-idx-969452-0"></a><p>This share-level option (sometimes called <code class="literal">only</code> <code class="literal">guest</code>) forces a connection to a share to be performed with the user specified by the <code class="literal">guest</code> <code class="literal">account</code> option. The share to which this is applied must explicitly specify <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code> in order for this option to be recognized by Samba. The default value for this option is <code class="literal">no</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.6"></a> +guest account</h4></div></div></div><a class="indexterm" name="ch06-idx-969453-0"></a><p>This option specifies the name of account to be used for guest access to shares in Samba. The default for this option varies from system to system, but it is often set to <code class="literal">nobody</code>. Some default user accounts have trouble connecting as guest users. If that occurs on your system, the Samba team recommends using the ftp account as the guest<a class="indexterm" name="ch06-idx-967617-0"></a> user.<a class="indexterm" name="ch06-idx-967607-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-2.3"></a>Username Options</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967622-0"></a><a href="#ch06-82964" title="Table 6.2. Username Options">Table 6.2</a> shows two additional options that Samba can use to correct for incompatibilities in usernames between Windows and Unix.</p><div class="table"><a name="ch06-82964"></a><p class="title"><b>Table 6.2. Username Options </b></p><div class="table-contents"><table summary="Username Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">username map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the name of the username mapping file.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">username level</code></p></td><td><p>numerical</p></td><td><p>Indicates the number of capital letters to use when trying to match a username.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.3.1"></a> +username map</h4></div></div></div><a class="indexterm" name="ch06-idx-969456-0"></a><p> +<a class="indexterm" name="ch06-idx-967632-0"></a> +<a class="indexterm" name="ch06-idx-967632-1"></a> +<a class="indexterm" name="ch06-idx-967632-2"></a>Client usernames on an SMB network can be relatively large (up to 255 characters), while usernames on a Unix network often cannot be larger than eight characters. This means that an individual user may have one username on a client and another (shorter) one on the Samba server. You can get past this issue by<em class="firstterm"> mapping</em> a free-form client username to a Unix username of eight or fewer characters. It is placed in a standard text file, using a format that we'll describe shortly. You can then specify the pathname to Samba with the global <code class="literal">username</code> <code class="literal">map</code> option. Be sure to restrict access to this file; make the root user the file's owner and deny write access to others. Otherwise, an untrusted user who can access the file can easily map their client username to the root user of the Samba server.</p><p>You can specify this option as follows:</p><pre class="programlisting">[global] + username map = /etc/samba/usermap.txt</pre><p>Each of the entries in the username map file should be listed as follows: the Unix username, followed by an equal sign (<code class="literal">=</code>), followed by one or more whitespace-separated SMB client usernames. Note that unless instructed otherwise, (i.e., a guest connection), Samba will expect both the client and the server user to have the same password. You can also map NT groups to one or more specific Unix groups using the <code class="literal">@</code> sign. Here are some examples:</p><pre class="programlisting">jarwin = JosephArwin +manderso = MarkAnderson +users = @account</pre><p>Also, you can use the asterisk to specify a wildcard that matches any free-form client username as an entry in the username map file:</p><pre class="programlisting">nobody = *</pre><p>Comments in the file can be specified as lines beginning with (#) and (<code class="literal">;</code>).</p><p>Note that you can also use this file to redirect one Unix user to another user. Be careful if you do so because Samba and your client may not notify the user that the mapping has been made and Samba may be expecting a different password.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.3.2"></a> +username level</h4></div></div></div><a class="indexterm" name="ch06-idx-969459-0"></a><p> +<a class="indexterm" name="ch06-idx-967633-0"></a> +<a class="indexterm" name="ch06-idx-967633-1"></a>SMB clients (such as Windows) will often send usernames in SMB connection requests entirely in capital letters; in other words, client usernames are not necessarily case sensitive. On a Unix server, however, usernames <span class="emphasis"><em>are</em></span> case sensitive: the user <code class="literal">ANDY</code> is different from the user <code class="literal">andy</code>. By default, Samba attacks this problem by doing the following:</p><div class="orderedlist"><ol type="1"><li><p>Checking for a user account with the exact name sent by the client</p></li><li><p>Testing the username in all lowercase letters</p></li><li><p>Testing the username in lowercase letters with only the first letter capitalized</p></li></ol></div><p>If you wish to have Samba attempt more combinations of uppercase and lowercase letters, you can use the <code class="literal">username</code> <code class="literal">level</code> global configuration option. This option takes an integer value that specifies how many letters in the username should be capitalized when attempting to connect to a share. You can specify this options as follows:</p><pre class="programlisting">[global] + username level = 3</pre><p>In this case, Samba will then attempt all permutations of usernames it can compute having three capital letters. The larger the number, the more computations Samba will have to perform to match the username and the longer the authentication wil<a class="indexterm" name="ch06-idx-967629-0"></a>l take.<a class="indexterm" name="ch06-idx-967624-0"></a> +<a class="indexterm" name="ch06-idx-967624-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-88596"></a>Authentication Security</h2></div></div></div><p> +<a class="indexterm" name="ch06-idx-967505-0"></a> +<a class="indexterm" name="ch06-idx-967505-1"></a>At this point, we should discuss how Samba authenticates users. Each user who attempts to connect to a share that does not allow guest access must provide a password to make a successful connection. What Samba does with that password—and consequently the strategy Samba will use to handle user authentication—is the arena of the <code class="literal">security</code> configuration option. There are currently four <a class="indexterm" name="ch06-idx-967637-0"></a>security levels that Samba supports on its network: <em class="firstterm">share</em>, <em class="firstterm">user</em>, <em class="firstterm">server</em>, and <em class="firstterm">domain</em>.</p><div class="variablelist"><dl><dt><span class="term"> +<a class="indexterm" name="ch06-idx-967638-0"></a>Share-level security</span></dt><dd><p>Each share in the workgroup has one or more passwords associated with it. Anyone who knows a valid password for the share can access it.</p></dd><dt><span class="term"> +<a class="indexterm" name="ch06-idx-967639-0"></a>User-level security</span></dt><dd><p>Each share in the workgroup is configured to allow access from certain users. With each initial tree connection, the Samba server verifies users and their passwords to allow them access to the share.</p></dd><dt><span class="term">Server-level security</span></dt><dd><p>This is the same as user-level security, except that the Samba server uses a separate SMB server to validate users and their passwords before granting access to the share.</p></dd><dt><span class="term"> +<a class="indexterm" name="ch06-idx-967641-0"></a>Domain-level security</span></dt><dd><p>Samba becomes a member of a Windows domain and uses the domain's <a class="indexterm" name="ch06-idx-967642-0"></a>primary domain controller (PDC) to perform authentication. Once authenticated, the user is given a special token that allows him or her access to any share with appropriate access rights. With this token, the PDC will not have to revalidate the user's password each time he or she attempts to access another share within the domain.</p></dd></dl></div><p>Each of these security policies can be implemented with the global <code class="literal">security</code> option, as shown in <a href="#ch06-73905" title="Table 6.3. Security Option">Table 6.3</a>.</p><div class="table"><a name="ch06-73905"></a><p class="title"><b>Table 6.3. Security Option </b></p><div class="table-contents"><table summary="Security Option " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">security</code></p></td><td><p> +<a class="indexterm" name="ch06-idx-968919-0"></a><code class="literal">domain</code>, <code class="literal">server</code>, <code class="literal">share</code>, or <code class="literal">user</code></p></td><td><p>Indicates the type of security that the Samba server will use.</p></td><td><p><code class="literal">user</code> (Samba 2.0) or <code class="literal">share</code> (Samba 1.9)</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.1"></a>Share-level Security</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967644-0"></a> +<a class="indexterm" name="ch06-idx-967644-1"></a>With share-level security, each share has one or more passwords associated with it. This differs from the other modes of security in that there are no restrictions as to whom can access a share, as long as that individual knows the correct password. Shares often have multiple passwords. For example, one password may grant read-only access, while another may grant read-write access, and so on. Security is maintained as long as unauthorized users do not discover the password for a share to which they shouldn't have access.</p><p> +<a class="indexterm" name="ch06-idx-967666-0"></a> +<a class="indexterm" name="ch06-idx-967666-1"></a>OS/2 and Window 95/98 both support share-level security on their resources. You can set up share-level security with Windows 95/98 by first enabling share-level security using the Access Control tab of the Network Control Panel dialog. Then select the Share-level Access Control radio button (which deselects the user-level access control radio button), as shown in <a href="#ch06-33100" title="Figure 6.1. Selecting share-level security on a Windows machine">Figure 6.1</a>, and press the OK button.</p><div class="figure"><a name="ch06-33100"></a><p class="title"><b>Figure 6.1. Selecting share-level security on a Windows machine</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 284px"><td><img src="figs/sam.0601.gif" height="284" alt="Selecting share-level security on a Windows machine"></td></tr></table></div></div></div><br class="figure-break"><p>Next, right click on a resource—such as a hard drive or a CD-ROM—and select the Properties menu item. This will bring up the Resource Properties dialog box. Select the Sharing tab at the top of the dialog box and enable the resource as Shared As. From here, you can configure how the shared resource will appear to individual users, as well as assigning whether the resource will appear as read-only, read-write, or a mix, depending on the password that is supplied.</p><p>You might be thinking that this security model is not a good fit for Samba—and you would be right. In fact, if you set the <code class="literal">security</code> <code class="literal">=</code> <code class="literal">share</code> option in the Samba configuration file, Samba will still reuse the username/passwords combinations in the system password files to authenticate access. More precisely, Samba will take the following steps when a client requests a connection using <a class="indexterm" name="ch06-idx-967667-0"></a>share-level security:</p><div class="orderedlist"><ol type="1"><li><p>When a connection is requested, Samba will accept the password and (if sent) the username of the client.</p></li><li><p>If the share is <code class="literal">guest</code> <code class="literal">only </code>, the user is immediately granted access to the share with the rights of the user specified by the <code class="literal">guest</code> <code class="literal">account</code> parameter; no password checking is performed.</p></li><li><p>For other shares, Samba appends the username to a list of users who are allowed access to the share. It then attempts to validate the password given in association with that username. If successful, Samba grants the user access to the share with the rights assigned to that user. The user will not need to authenticate again unless a <code class="literal">revalidate</code> <code class="literal">=</code> <code class="literal">yes</code> option has been set inside the share.</p></li><li><p>If the authentication is unsuccessful, Samba will attempt to validate the password against the list of users it has previously compiled throughout the attempted connections, as well as any specified under the share in the configuration file. If the password does not match any usernames (as specified in the system password file, typically <code class="filename">/etc/passwd </code>), the user is not granted access to the share under that username.</p></li><li><p>However, if the share has a <code class="literal">guest</code> <code class="literal">ok</code> or <code class="literal">public</code> option set, the user will default to access with the rights of the user specified by the <code class="literal">guest</code> <code class="literal">account</code> option.</p></li></ol></div><p>You can indicate in the configuration file which users should be initially placed on the share-level security user list by using the <code class="literal">username</code> configuration option, as shown below:</p><pre class="programlisting">[global] + security = share +[accounting1] + path = /home/samba/accounting1 + guest ok = no + writable = yes + username = davecb, pkelly, andyo</pre><p>Here, when a user attempts to connect to a share, Samba will verify the password that was sent against each of the users in its own list, in addition to the passwords of users <code class="literal">davecb</code>, <code class="literal">pkelly</code>, and <code class="literal">andyo</code>. If any of the passwords match, the connection will be verified and the user will be allowed. Otherwise, connection to the specific share will fail.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.1.1"></a> + +Share Level Security Options</h4></div></div></div><a class="indexterm" name="ch06-idx-967668-0"></a><a class="indexterm" name="ch06-idx-967668-1"></a><p><a href="#ch06-80998" title="Table 6.4. Share-Level Access Options">Table 6.4</a> shows the options typically associated with share-level security.</p><div class="table"><a name="ch06-80998"></a><p class="title"><b>Table 6.4. Share-Level Access Options </b></p><div class="table-contents"><table summary="Share-Level Access Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">only user</code></p></td><td><p>boolean</p></td><td><p>Indicates whether usernames specified by <code class="literal">username</code> will be the only ones allowed.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">username </code>(user or users)</p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users against which a client's password will be tested.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.1.2"></a>only user</h4></div></div></div><p>This boolean option indicates whether Samba will allow connections to a share using share-level security based solely on the individuals specified in the <code class="literal">username</code> option, instead of those users compiled on Samba's internal list. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[global] + security = share +[data] + username = andy, peter, valerie + only user = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.1.3"></a> +username</h4></div></div></div><a class="indexterm" name="ch06-idx-969462-0"></a><p>This option presents a list of users against which Samba will test a connection password to allow access. It is typically used with clients that have share-level security to allow connections to a particular service based solely on a qualifying password—in this case, one that matches a password set up for a specific user:</p><pre class="programlisting">[global] + security = share +[data] + username = andy, peter, terry</pre><p>We recommend against using this option unless you are implementing a Samba server with share-level security.<a class="indexterm" name="ch06-idx-967645-0"></a> +<a class="indexterm" name="ch06-idx-967645-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.2"></a>User-level Security</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967646-0"></a> +<a class="indexterm" name="ch06-idx-967646-1"></a>The preferred mode of security with Samba is <em class="firstterm">user-level security</em>. With this method, each share is assigned specific users that can access it. When a user requests a connection to a share, Samba authenticates by validating the given username and password with the authorized users in the configuration file and the passwords in the password database of the Samba server. As mentioned earlier in the chapter, one way to isolate which users are allowed access to a specific <a class="indexterm" name="ch06-idx-967676-0"></a>share is by using the <code class="literal">valid</code> <code class="literal">users</code> option for each share:</p><pre class="programlisting">[global] + security = user +[accounting1] + writable = yes + valid users = bob, joe, sandy</pre><p>Each of the users listed will be allowed to connect to the share if the password provided matches the password stored in the system password database on the server. Once the initial authentication succeeds, the user will not need to re-enter a password again to access that share unless the <code class="literal">revalidate</code> <code class="literal">=</code> <code class="literal">yes</code> option has been set.</p><p> +<a class="indexterm" name="ch06-idx-967677-0"></a>Passwords can be sent to the Samba server in either an encrypted or a non-encrypted format. If you have both types of systems on your network, you should ensure that the passwords represented by each user are stored both in a traditional account database and Samba's encrypted password database. This way, authorized users can gain access to their shares from any type of client.<sup>[<a name="ch06-pgfId-968956" href="#ftn.ch06-pgfId-968956">1</a>]</sup> However, we recommend that you move your system to encrypted passwords and abandon non-encrypted passwords if security is an issue. <a href="#ch06-61393" title="Passwords">Section 6.4</a> in this chapter explains how to use encrypted as well as non-encrypted passwords.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.3"></a>Server-level Security</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967648-0"></a> +<a class="indexterm" name="ch06-idx-967648-1"></a>Server-level security is similar to user-level security. However, with server-level security, Samba delegates password authentication to another <a class="indexterm" name="ch06-idx-967679-0"></a>SMB password server, typically another Samba server or a Windows NT Server acting as a <a class="indexterm" name="ch06-idx-967680-0"></a>PDC on the network. Note that Samba still maintains its list of shares and their configuration in its <code class="filename">smb.conf</code> file. When a client attempts to make a connection to a particular share, Samba validates that the user is indeed authorized to connect to the share. Samba will then attempt to validate the password by contacting the SMB password server through a known protocol and presenting the username and password to the SMB password server. If the password is accepted, a session will be established with the client. See <a href="#ch06-89929" title="Figure 6.2. A typical system setup using server level security">Figure 6.2</a> for an illustration of this setup.</p><div class="figure"><a name="ch06-89929"></a><p class="title"><b>Figure 6.2. A typical system setup using server level security</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 177px"><td><img src="figs/sam.0602.gif" height="177" alt="A typical system setup using server level security"></td></tr></table></div></div></div><br class="figure-break"><p>You can configure Samba to use a separate password server under server-level security with the use of the <code class="literal">password</code> <code class="literal">server</code> global configuration option, as follows:</p><pre class="programlisting">[global] + security = server + password server = PHOENIX120 HYDRA134</pre><p>Note that you can specify more than one machine as the target of the <code class="literal">password</code> <code class="literal">server </code>; Samba will move down the list of servers in the event that its first choice is unreachable. The servers identified by the <code class="literal">password</code> <code class="literal">server</code> option are given as NetBIOS names, not their DNS names or equivalent IP addresses. Also, if any of the servers reject the given password, the connection will automatically fail—Samba will not attempt another server.</p><p>One caveat: when using this option, you will still need an account representing that user on the regular Samba server. This is because the Unix operating system needs a username to perform various I/O operations. The preferable method of handling this is to give the user an account on the Samba server but disable the account's password by replacing it in the system password file (e.g., <code class="filename">/etc/passwd </code>) with an <a class="indexterm" name="ch06-idx-967681-0"></a> +<a class="indexterm" name="ch06-idx-967681-1"></a>asterisk (*).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.4"></a>Domain-level Security</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967649-0"></a> +<a class="indexterm" name="ch06-idx-967649-1"></a>Domain-level security is similar to server-level security. However, with domainlevel security, the Samba server is acting as a member of a Windows domain. Recall from <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a> that each domain has a <em class="firstterm">domain controller</em> +<a class="indexterm" name="ch06-idx-967685-0"></a>, which is usually a Windows NT server offering password authentication. Including these controllers provides the workgroup with a definitive password server. The domain controllers keep track of users and passwords in their own <a class="indexterm" name="ch06-idx-967688-0"></a> +<a class="indexterm" name="ch06-idx-967688-1"></a>security authentication module (SAM), and authenticates each user when he or she first logs on and wishes to access another machine's shares.</p><p>As mentioned earlier in this chapter, Samba has a similar ability to offer user-level security, but this option is Unix-centric and assumes that the authentication occurs via <a class="indexterm" name="ch06-idx-967689-0"></a>Unix password files. If the Unix machine is part of a <a class="indexterm" name="ch06-idx-967690-0"></a>NIS or NIS+ domain, Samba will authenticate the users transparently against a shared password file, in typical Unix fashion. Samba then provides access to the NIS or NIS+ domain from Windows. There is, of course, no relationship between the NIS concept of a domain and the Windows concept of a domain.</p><p> +<a class="indexterm" name="ch06-idx-967696-0"></a> +<a class="indexterm" name="ch06-idx-967696-1"></a>With domain-level security, we now have the option of using the native NT mechanism. This has a number of advantages:</p><div class="itemizedlist"><ul type="disc"><li><p>It provides far better integration with NT: there are fewer "kludges" in the <code class="filename">smb.conf</code> options dealing with domains than with most Windows features. This allows more extensive use of NT management tools, such as the User Manager for Domains tool allowing PC support individuals to treat Samba servers as if they were large NT machines.</p></li><li><p>With the better integration comes protocol and code cleanups, allowing the Samba team to track the evolving NT implementation. NT Service Pack 4 corrects several problems in the protocol, and Samba's better integration makes it easier to track and adapt to these changes.</p></li><li><p>There is less overhead on the PDC because there is one less permanent network connection between it and the Samba server. Unlike the protocol used by the <code class="literal">security</code> <code class="literal">=</code> <code class="literal">server</code> option, the Samba server can make a Remote Procedure Call (RPC) call only when it needs authentication information. It can not keep a connection permanently up just for that.</p></li><li><p>Finally, the NT domain authentication scheme returns the full set of user attributes, not just success or failure. The attributes include a longer, more network-oriented version of the Unix uid, NT groups, and other information. This includes:</p><div class="itemizedlist"><ul type="circle"><li><p>Username</p></li><li><p>Full name</p></li><li><p>Description</p></li><li><p>Security identifier (a domain-wide extension of the Unix uid)</p></li><li><p>NT group memberships</p></li><li><p>Logon hours, and whether to force the user to log out immediately</p></li><li><p>Workstations the user is allowed to use</p></li><li><p>Account expiration date</p></li><li><p>Home directory</p></li><li><p>Login script</p></li><li><p>Profile</p></li><li><p>Account type</p></li></ul></div></li><li><p>The Samba developers used domain-level security in Samba version 2.0.4 to add and delete domain <a class="indexterm" name="ch06-idx-967702-0"></a>users on Samba servers semi-automatically. In addition, it adds room for other NT-like additions, such as supporting access control lists and changing permissions of files from the client.</p></li></ul></div><p>The advantage to this approach is less administration; there is only one authentication database to keep synchronized. The only local administration required on the Samba server will be creating directories for users to work in and <code class="filename">/etc/passwd</code> entries to keep their UIDs and groups in.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.4.1"></a>Adding a Samba server to a Windows NT Domain</h4></div></div></div><p>If you already have an NT <a class="indexterm" name="ch06-idx-967704-0"></a>domain, you can easily add a Samba server to it. First, you will need to stop the Samba daemons. Then, add the Samba server to the NT domain on the PDC using the <a class="indexterm" name="ch06-idx-967706-0"></a>"Windows NT Server Manager for Domains" tool. When it asks for the computer type, choose "Windows NT Workstation or Server," and give it the NetBIOS name of the Samba server. This creates the machine account on the NT server.</p><p>Next, generate a Microsoft-format machine password using the <code class="filename">smbpasswd</code> +<a class="indexterm" name="ch06-idx-967707-0"></a> tool, which is explained in further detail in the next section. For example, if our domain is SIMPLE and the Windows NT PDC is <code class="literal">beowulf</code>, we could use the following command on the Samba server to accomplish this:</p><pre class="programlisting">smbpasswd -j SIMPLE -r beowulf</pre><p>Finally, add the following options to the <code class="literal">[global]</code> section of your <code class="filename">smb.conf</code> and restart the Samba daemons.</p><pre class="programlisting">[global] + security = domain + domain logins = yes + workgroup = SIMPLE + password server = beowulf</pre><p>Samba should now be configured for domain-level security. The <code class="literal">domain</code> <code class="literal">logins</code> option is explained in more detail later in this<a class="indexterm" name="ch06-idx-967657-0"></a> +<a class="indexterm" name="ch06-idx-967657-1"></a> chapter.<a class="indexterm" name="ch06-idx-967506-0"></a> +<a class="indexterm" name="ch06-idx-967506-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-61393"></a>Passwords</h2></div></div></div><p> +<a class="indexterm" name="ch06-idx-967574-0"></a>Passwords are a thorny issue with Samba. So much so, in fact, that they are almost always the first major problem that users encounter when they install Samba, and generate by far the most questions sent to Samba support groups. In previous chapters, we've gotten around the need for passwords by placing the <code class="literal">guest</code> <code class="literal">ok</code> option in each of our configuration files, which allows connections without authenticating passwords. However, at this point, we need to delve deeper into Samba to discover what is happening on the network.</p><p> +<a class="indexterm" name="ch06-idx-967709-0"></a> +<a class="indexterm" name="ch06-idx-967709-1"></a>Passwords sent from individual clients can be either encrypted or non-encrypted. Encrypted passwords are, of course, more secure. A <a class="indexterm" name="ch06-idx-967710-0"></a>non-encrypted password can be easily read with a packet sniffing program, such as the modified <span class="emphasis"><em>tcpdump</em></span> +<a class="indexterm" name="ch06-idx-967712-0"></a> program for Samba that we used in <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>. Whether passwords are encrypted depends on the operating system that the client is using to connect to the Samba server. <a href="#ch06-75183" title="Table 6.5. Windows Operating Systems with Encrypted Passwords">Table 6.5</a> lists which Windows operating systems encrypt their passwords before sending them to the primary domain controller for authentication. If your client is not Windows, check the system documentation to see if SMB passwords are encrypted.</p><div class="table"><a name="ch06-75183"></a><p class="title"><b>Table 6.5. Windows Operating Systems with Encrypted Passwords </b></p><div class="table-contents"><table summary="Windows Operating Systems with Encrypted Passwords " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Operating System</p></th><th><p>Encrypted or Non-encrypted</p></th></tr></thead><tbody><tr><td><p><code class="literal"></code> +<a class="indexterm" name="ch06-idx-967714-0"></a>Windows 95</p></td><td><p>Non-encrypted</p></td></tr><tr><td><p>Windows 95 with SMB Update</p></td><td><p>Encrypted</p></td></tr><tr><td><p>Windows 98</p></td><td><p>Encrypted</p></td></tr><tr><td><p>Windows NT 3.<span class="emphasis"><em>x</em></span></p></td><td><p>Non-encrypted</p></td></tr><tr><td><p>Windows NT 4.0 before SP 3</p></td><td><p>Non-encrypted</p></td></tr><tr><td><p>Windows NT 4.0 after SP 3</p></td><td><p>Encrypted</p></td></tr></tbody></table></div></div><br class="table-break"><p>There are actually two different encryption methods used: one for <a class="indexterm" name="ch06-idx-967715-0"></a>Windows 95 and 98 clients that reuses Microsoft's LAN Manager encryption style, and a separate one for <a class="indexterm" name="ch06-idx-967716-0"></a>Windows NT clients and servers. Windows 95 and 98 use an older encryption system inherited from the LAN Manager network software, while Windows NT clients and servers use a newer encryption system.</p><p>If encrypted passwords are supported, Samba stores the encrypted passwords in a file called <code class="filename">smbpasswd</code> +<a class="indexterm" name="ch06-idx-967717-0"></a> +<a class="indexterm" name="ch06-idx-967717-1"></a>. By default, this file is located in the <code class="filename">private</code> +<a class="indexterm" name="ch06-idx-967719-0"></a> directory of the Samba distribution (<code class="filename">/usr/local/samba/private</code>). At the same time, the client stores an encrypted version of a user's password on its own system. The plaintext password is never stored on either system. Each system encrypts the password automatically using a known algorithm when the password is set or changed.</p><p>When a client requests a connection to an SMB server that supports encrypted passwords (such as Samba or Windows NT), the two computers undergo the following negotiations:</p><div class="orderedlist"><ol type="1"><li><p>The client attempts to negotiate a protocol with the server.</p></li><li><p>The server responds with a protocol and indicates that it supports encrypted passwords. At this time, it sends back a randomly-generated 8-byte challenge string.</p></li><li><p>The client uses the challenge string as a key to encrypt its already encrypted password using an algorithm predefined by the negotiated protocol. It then sends the result to the server.</p></li><li><p>The server does the same thing with the encrypted password stored in its database. If the results match, the passwords are equivalent and the user is authenticated.</p></li></ol></div><p>Note that even though the original passwords are not involved in the authentication process, you need to be very careful that the encrypted passwords located inside of the <code class="filename">smbpasswd</code> +<a class="indexterm" name="ch06-idx-967721-0"></a> file are guarded from unauthorized users. If they are compromised, an unauthorized user can break into the system by replaying the steps of the previous algorithm. The <a class="indexterm" name="ch06-idx-967722-0"></a> +<a class="indexterm" name="ch06-idx-967722-1"></a> +<a class="indexterm" name="ch06-idx-967722-2"></a>encrypted passwords are just as sensitive as the plaintext passwords—this is known as <em class="firstterm">plaintext-equivalent</em> data in the cryptography world. Of course, you should also ensure that the clients safeguard their plaintext-equivalent passwords as well.</p><p>You can configure Samba to accept encrypted passwords with the following global additions to <code class="filename">smb.conf</code>. Note that we explicitly name the location of the Samba password file:</p><pre class="programlisting">[global] + security = user + encrypt passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd</pre><p>Samba, however, will not accept any users until the <code class="filename">smbpasswd</code> file has been initialized.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-4.0.1"></a>Disabling encrypted passwords on the client</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967724-0"></a>While Unix authentication has been in use for decades, including the use of <span class="emphasis"><em>telnet</em></span> and <span class="emphasis"><em>rlogin</em></span> access across the Internet, it embodies well-known security risks. Plaintext passwords are sent over the Internet and can be retrieved from TCP packets by malicious snoopers. However, if you feel that your network is secure and you wish to use standard Unix <code class="filename">/etc/passwd</code> authentication for all clients, you can do so, but you must disable encrypted passwords on those Windows clients that default to using them.</p><p>In order to do this, you must modify the Windows registry by installing two files on each system. Depending on the platform involved, the files are either <code class="filename">NT4_PlainPassword.reg</code> or <code class="filename">Win95_PlainPassword.reg</code>. You can perform this installation by copying the appropriate <code class="filename">.reg</code> files from the Samba distribution's <code class="filename">/docs</code> directory to a DOS floppy, and running it from the Run menu item on the client's Start Menu button. Incidentally, the Windows 95 <code class="filename">.reg</code> file works fine on Windows 98 as well.</p><p>After you reboot the machine, the client will not encrypt its hashed passwords before sending them to the server. This means that the plaintext-equivalent passwords can been seen in the TCP packets that are broadcast across the network. Again, we encourage you not to do this unless you are absolutely sure that your network is secure.</p><p>If passwords are not encrypted, you can indicate as much in your Samba configuration file:</p><pre class="programlisting">[global] + security = user + encrypt passwords = no</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-17782"></a>The smbpasswd File</h3></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch06-idx-967731-0"></a>Samba stores its encrypted passwords in a file called <code class="filename">smbpasswd</code>, which by default resides in the <code class="filename">/usr/local/samba/private</code> directory. The <code class="filename">smbpasswd</code> +<a class="indexterm" name="ch06-idx-967742-0"></a> file should be guarded as closely as the <code class="filename">passwd</code> file; it should be placed in a directory to which only the root user has read/write access. All other users should not be able to read from the directory at all. In addition, the file should have all access closed off to all users except for root.</p><p>Before you can use encrypted passwords, you will need to create an entry for each Unix user in the <code class="filename">smbpasswd</code> file. The structure of the file is somewhat similar to a Unix <code class="filename">passwd</code> file, but has different fields. <a href="#ch06-54128" title="Figure 6.3. Structure of the smbpasswd file entry (actually one line)">Figure 6.3</a> illustrates the layout of the <code class="filename">smbpasswd</code> file; the entry shown is actually one line in the file.</p><div class="figure"><a name="ch06-54128"></a><p class="title"><b>Figure 6.3. Structure of the smbpasswd file entry (actually one line)</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 177px"><td><img src="figs/sam.0603.gif" height="177" alt="Structure of the smbpasswd file entry (actually one line)"></td></tr></table></div></div></div><br class="figure-break"><p>Here is a breakdown of the individual fields:</p><div class="variablelist"><dl><dt><span class="term">Username</span></dt><dd><p>This is the username of the account. It is taken directly from the system password file.</p></dd><dt><span class="term">UID</span></dt><dd><p>This is the user ID of the account. Like the username, it is taken directly from the system password file and must match the user it represents there.</p></dd><dt><span class="term">LAN Manager Password Hash</span></dt><dd><p>This is a 32-bit hexadecimal sequence that represents the password Windows 95 and 98 clients will use. It is derived by encrypting the string <code class="literal">KGS!@#$%</code> with a 56-bit DES algorithm using the user's password (forced to 14 bytes and converted to capital letters) twice repeated as the key. If there is currently no password for this user, the first 11 characters of the hash will consist of the sequence <code class="literal">NO</code> <code class="literal">PASSWORD</code> followed by <code class="literal">X</code> characters for the remainder. Anyone can access the share with no password. On the other hand, if the password has been disabled, it will consist of 32 <code class="literal">X</code> characters. Samba will not grant access to a user without a password unless the <code class="literal">null</code> <code class="literal">passwords</code> option has been set.</p></dd><dt><span class="term">NT Password Hash</span></dt><dd><p>This is a 32-bit hexadecimal sequence that represents the password Windows NT clients will use. It is derived by hashing the user's password (represented as a 16-bit little-endian Unicode sequence) with an MD4 hash. The password is not converted to uppercase letters first.</p></dd><dt><span class="term">Account Flags</span></dt><dd><p>This field consists of 11 characters between two braces ( [ ] ). Any of the following characters can appear in any order; the remaining characters should be spaces:</p><div class="variablelist"><dl><dt><span class="term">U</span></dt><dd><p>This account is a standard user account.</p></dd><dt><span class="term">D</span></dt><dd><p>This account is currently disabled and Samba should not allow any logins.</p></dd><dt><span class="term">N</span></dt><dd><p>This account has no password associated with it.</p></dd><dt><span class="term">W</span></dt><dd><p>This is a workstation trust account that can be used to configure Samba as a primary domain controller (PDC) when allowing Windows NT machines to join its domain.</p></dd></dl></div></dd><dt><span class="term">Last Change Time</span></dt><dd><p>This code consists of the characters <code class="literal">LCT-</code> followed by a hexidecimal representation of the amount of seconds since the epoch (midnight on January 1, 1970) that the entry was last changed.</p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.1.1"></a>Adding entries to smbpasswd</h4></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch06-idx-967757-0"></a>There are a few ways you can add a new entry to the <code class="filename">smbpasswd</code> file:</p><div class="itemizedlist"><ul type="disc"><li><p>You can use the <em class="firstterm">smbpasswd</em> program with the <code class="literal">-a</code> option to automatically add any user that currently has a standard Unix system account on the server. This program resides in the <code class="filename">/usr/local/samba/bin</code> directory.</p></li><li><p>You can use the <em class="firstterm">addtosmbpass</em> +<a class="indexterm" name="ch06-idx-967763-0"></a> executable inside the <em class="firstterm">/usr/local/samba/bin</em> directory. This is actually a simple <span class="emphasis"><em>awk</em></span> +<a class="indexterm" name="ch06-idx-967764-0"></a> script that parses a system password file and extracts the username and UID of each entry you wish to add to the SMB password file. It then adds default fields for the remainder of the user's entry, which can be updated using the <code class="filename">smbpasswd</code> program later. In order to use this program, you will probably need to edit the first line of the file to correctly point to <span class="emphasis"><em>awk</em></span> on your system.</p></li><li><p>In the event that the neither of those options work for you, you can create a default entry by hand in the <code class="filename">smbpasswd</code> file. The entry should be entirely on one line. Each field should be colon-separated and should look similar to the following:</p><pre class="programlisting">dave:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:</pre><p>This consists of the username and the UID as specified in the system password file, followed by two sets of exactly 32 <code class="literal">X</code> characters, followed by the account flags and last change time as it appears above. After you've added this entry, you must use the <em class="firstterm">smbpasswd</em> program to change the password for the user.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.1.2"></a>Changing the encrypted password</h4></div></div></div><p> +<a class="indexterm" name="ch06-idx-967765-0"></a>If you need to change the encrypted password in the <code class="filename">smbpasswd</code> file, you can also use the <code class="filename">smbpasswd</code> +<a class="indexterm" name="ch06-idx-967766-0"></a> program. Note that this program shares the same name as the encrypted password file itself, so be sure not to accidentally confuse the password file with the password-changing program.</p><p>The <code class="filename">smbpasswd</code> program is almost identical to the <code class="filename">passwd</code> program that is used to change Unix account passwords. The program simply asks you to enter your old password (unless you're the root user), and duplicate entries of your new password. No password characters are shown on the screen.</p><pre class="programlisting"># <span class="bold"><strong>smbpasswd dave</strong></span> +Old SMB password: +New SMB password: +Retype new SMB password: +Password changed for user dave</pre><p>You can look at the <code class="filename">smbpasswd</code> file after this command completes to verify that both the LAN Manager and the NT hashes of the passwords have been stored in their respective positions. Once users have encrypted password entries in the database, they should be able to connect to shares using encrypted passwords!<code class="filename"></code> +<a class="indexterm" name="ch06-idx-967737-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-97004"></a>Password Synchronization</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-967768-0"></a> +<a class="indexterm" name="ch06-idx-967768-1"></a>Having a regular password and an encrypted version of the same password can be troublesome when you need to change both of them. Luckily, Samba affords you a limited ability to keep your passwords synchronized. Samba has a pair of configuration options that can be used to automatically update a user's regular Unix password when the encrypted password is changed on the system. The feature can be activated by specifying the <code class="literal">unix</code> <code class="literal">password</code> <code class="literal">sync</code> global configuration option:</p><pre class="programlisting">[global] + encrypt passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd + + unix password sync = yes</pre><p>With this option enabled, Samba will attempt to change the user's regular password (as <code class="literal">root</code>) when the encrypted version is changed with <code class="filename">smbpasswd</code>. However, there are two other options that have to be set correctly in order for this to work.</p><p>The easier of the two is <code class="literal">passwd</code> <code class="literal">program</code>. This option simply specifies the Unix command used to change a user's standard system password. It is set to <code class="literal">/bin/passw</code>d <code class="literal">%u</code> by default. With some Unix systems, this is sufficient and you do not need to change anything. Others, such as Red Hat Linux, use <code class="filename">/usr/bin/passwd</code> instead. In addition, you may want to change this to another program or script at some point in the future. For example, let's assume that you want to use a script called <code class="literal">changepass</code> to change a user's password. Recall that you can use the variable <code class="literal">%u</code> to represent the current Unix username. So the example becomes:</p><pre class="programlisting">[global] + encrypt passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd + + unix password sync = yes + passwd program = changepass %u</pre><p>Note that this program will be called as the <code class="literal">root</code> user when the <code class="literal">unix</code> <code class="literal">password</code> <code class="literal">sync</code> option is set to <code class="literal">yes</code>. This is because Samba does not necessarily have the plaintext old password of the user.</p><p>The harder option to configure is <code class="literal">passwd</code> <code class="literal">chat</code>. The <code class="literal">passwd</code> <code class="literal">chat</code> option works like a Unix chat script. It specifies a series of strings to send as well as responses to expect from the program specified by the <code class="literal">passwd</code> <code class="literal">program</code> option. For example, this is what the default <code class="literal">passwd</code> <code class="literal">chat</code> looks like. The delimiters are the spaces between each groupings of characters:</p><pre class="programlisting">passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</pre><p>The first grouping represents a response expected from the password-changing program. Note that it can contain <a class="indexterm" name="ch06-idx-967780-0"></a> +<a class="indexterm" name="ch06-idx-967780-1"></a>wildcards (*), which help to generalize the chat programs to be able to handle a variety of similar outputs. Here, <code class="literal">*old*password*</code> indicates that Samba is expecting any line from the password program containing the letters <code class="literal">old</code> followed by the letters <code class="literal">password</code>, without regard for what comes on either side or between them. Once instructed to, Samba will wait indefinitely for such a match. Is Samba does not receive the expected response, the password will fail.</p><p>The second grouping indicates what Samba should send back once the data in the first grouping has been matched. In this case, you see <code class="literal">%o\n</code>. This response is actually two items: the variable <code class="literal">%o</code> represents the old password, while the <code class="literal">\n</code> is a newline character. So, in effect, this will "type" the old password into the standard input of the password changing program, and then "press" Enter.</p><p>Following that is another response grouping, followed by data that will be sent back to the password changing program. (In fact, this response/send pattern continues indefinitely in any standard Unix <span class="emphasis"><em>chat</em></span> script.) The script continues until the final pattern is matched.<sup>[<a name="ch06-pgfId-969009" href="#ftn.ch06-pgfId-969009">2</a>]</sup></p><p>You can help match the response strings sent from the password program with the characters listed in <a href="#ch06-77246" title="Table 6.6. Password Chat Response Characters">Table 6.6</a>. In addition, you can use the characters listed in <a href="#ch06-38512" title="Table 6.7. Password Chat Send Characters">Table 6.7</a> to help formulate your response.</p><div class="table"><a name="ch06-77246"></a><p class="title"><b>Table 6.6. Password Chat Response Characters </b></p><div class="table-contents"><table summary="Password Chat Response Characters " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Character</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">*</code></p></td><td><p> +<a class="indexterm" name="ch06-idx-967781-0"></a> +<a class="indexterm" name="ch06-idx-967781-1"></a>Zero or more occurrences of any character.</p></td></tr><tr><td><p><code class="literal">" "</code></p></td><td><p>Allows you to include matching strings that contain spaces. Asterisks are still considered wildcards even inside of quotes, and you can represent a null response with empty quotes.</p></td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="ch06-38512"></a><p class="title"><b>Table 6.7. Password Chat Send Characters </b></p><div class="table-contents"><table summary="Password Chat Send Characters " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Character</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">%o</code></p></td><td><p>The user's old password</p></td></tr><tr><td><p><code class="literal">%n</code></p></td><td><p>The user's new password</p></td></tr><tr><td><p><code class="literal">\n</code></p></td><td><p>The linefeed character</p></td></tr><tr><td><p><code class="literal">\r</code></p></td><td><p>The carriage-return character</p></td></tr><tr><td><p><code class="literal">\t</code></p></td><td><p>The tab character</p></td></tr><tr><td><p><code class="literal">\s</code></p></td><td><p>A space</p></td></tr></tbody></table></div></div><br class="table-break"><p>For example, you may want to change your password chat to the following entry. This will handle scenarios in which you do not have to enter the old password. In addition, this will also handle the new <code class="literal">all</code> <code class="literal">tokens</code> <code class="literal">updated</code> <code class="literal">successfully</code> string that Red Hat Linux sends:</p><pre class="programlisting">passwd chat = *new password* %n\n *new password* %n\n *success*</pre><p>Again, the default chat should be sufficient for many Unix systems. If it isn't, you can use the <code class="literal">passwd</code> <code class="literal">chat</code> <code class="literal">debug</code> global option to set up a new chat script for the password change program. The <code class="literal">passwd</code> <code class="literal">chat</code> <code class="literal">debug</code> option logs everything during a password chat. This option is a simple boolean, as shown below:</p><pre class="programlisting">[global] + encrypted passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd + + unix password sync = yes + passwd chat debug = yes + log level = 100</pre><p>After you activate the password chat debug feature, all I/O received by Samba through the password chat will be sent to the Samba logs with a debug level of 100, which is why we entered a new log level option as well. As this can often generate multitudes of error logs, it may be more efficient to use your own script, by setting the <code class="literal">passwd</code> <code class="literal">program</code> option, in place of <code class="filename">/bin/passwd</code> to record what happens during the exchange. Also, make sure to protect your log files with strict file permissions and to delete them as soon as you've grabbed the information you need, because they contain the passwords in plaintext.</p><p>The operating system on which Samba is running may have strict requirements for valid passwords in order to make them more impervious to dictionary attacks and the like. Users should be made aware of these restrictions when changing their passwords.</p><p>Earlier we said that password synchronization is limited. This is because there is no reverse synchronization of the encrypted <code class="filename">smbpasswd</code> file when a standard Unix password is updated by a user. There are various strategies to get around this, including NIS and freely available implementations of the <a class="indexterm" name="ch06-idx-967787-0"></a> +<a class="indexterm" name="ch06-idx-967787-1"></a>pluggable authentication modules (PAM) standard, but none of them really solve all the problems yet. In the future, when Windows 2000 emerges, we will see more compliance with the <a class="indexterm" name="ch06-idx-967788-0"></a>Lightweight Directory Access Protocol (LDAP), which promises to make password synchronization a thing of the past.<a class="indexterm" name="ch06-idx-967772-0"></a> +<a class="indexterm" name="ch06-idx-967772-1"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-4.3"></a>Password Configuration Options</h3></div></div></div><p>The options in <a href="#ch06-68460" title="Table 6.8. Password Configuration Options">Table 6.8</a> will help you work with passwords in Samba.</p><div class="table"><a name="ch06-68460"></a><p class="title"><b>Table 6.8. Password Configuration Options </b></p><div class="table-contents"><table summary="Password Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">encrypt passwords</code></p></td><td><p>boolean</p></td><td><p> +<a class="indexterm" name="ch06-idx-969358-0"></a>Turns on encrypted passwords.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">unix password sync </code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba updates the standard Unix password database when a user changes his or her encrypted password.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">passwd chat</code></p></td><td><p>string (chat commands)</p></td><td><p>Sets a sequence of commands that will be sent to the password program.</p></td><td><p>See earlier section on this option</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">passwd chat debug</code></p></td><td><p>boolean</p></td><td><p>Sends debug logs of the password-change process to the log files with a level of 100.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">passwd program</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets the program to be used to change passwords.</p></td><td><p><code class="literal">/bin/passwd %u</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">password level</code></p></td><td><p>numeric</p></td><td><p>Sets the number of capital letter permutations to attempt when matching a client's password.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">update encrypted</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba updates the encrypted password file when a client connects to a share with a plaintext password.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">null passwords</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba allows access for users with null passwords.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">smb passwd file</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the name of the encrypted password file.</p></td><td><p><code class="literal">/usr/local/samba/private/smbpasswd</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">hosts equiv</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the name of a file that contains hosts and users that can connect without using a password.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">use rhosts</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>.<span class="emphasis"><em>rhosts</em></span> file that allows users to connect without using a password.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.1"></a> +unix password sync</h4></div></div></div><a class="indexterm" name="ch06-idx-969469-0"></a><p>The <code class="literal">unix</code> <code class="literal">password</code> <code class="literal">sync</code> global option allows Samba to update the standard Unix password file when a user changes his or her encrypted password. The encrypted password is stored on a Samba server in the <code class="filename">smbpasswd</code> file, which is located in <code class="filename">/usr/local/samba/private</code> by default. You can activate this feature as follows:</p><pre class="programlisting">[global] + unix password sync = yes</pre><p>If this option is enabled, Samba changes the encrypted password and, in addition, attempts to change the standard Unix password by passing the username and new password to the program specified by the <code class="literal">passwd</code> <code class="literal">program</code> option (described earlier). Note that Samba does not necessarily have access to the plaintext password for this user, so the password changing program must be invoked as <code class="literal">root</code>.<sup>[<a name="ch06-pgfId-959675" href="#ftn.ch06-pgfId-959675">3</a>]</sup> If the Unix password change does not succeed, for whatever reason, the SMB password will not be changed either.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.2"></a> +encrypt passwords</h4></div></div></div><a class="indexterm" name="ch06-idx-969472-0"></a><p> +<a class="indexterm" name="ch06-idx-967797-0"></a>The <code class="literal">encrypt</code> <code class="literal">passwords</code> global option switches Samba from using plaintext passwords to encrypted passwords for authentication. Encrypted passwords will be expected from clients if the option is set to <code class="literal">yes</code>:</p><pre class="programlisting">encrypt passwords = yes</pre><p>By default, Windows NT 4.0 with Service Pack 3 or above and Windows 98 transmit encrypted passwords over the network. If you are enabling encrypted passwords, you must have a valid <code class="filename">smbpasswd</code> file in place and populated with usernames that will authenticate with encrypted passwords. (See <a href="#ch06-17782" title="The smbpasswd File">Section 6.4.2</a> earlier in this chapter.) In addition, Samba must know the location of the <code class="filename">smbpasswd</code> file; if it is not in the default location (typically <code class="filename">/usr/local/samba/private/smbpasswd</code>), you can explicitly name it using the <code class="literal">smb</code> <code class="literal">passwd</code> <code class="literal">file</code> option.</p><p>If you wish, you can use the <code class="literal">update</code> <code class="literal">encrypted</code> to force Samba to update the <code class="filename">smbpasswd</code> file with encrypted passwords each time a client connects to a non-encrypted password.</p><p>A common strategy to ensure that hosts who need encrypted password authentication indeed receive it is with the <code class="literal">include</code> option. With this, you can create individual configuration files that will be read in based on OS-type (<code class="literal">%a</code>) or client name (<code class="literal">%m</code>). These host-specific or OS-specific configuration files can contain an <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code> option that will activate only when those clients are connecting to the server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.3"></a> +passwd program</h4></div></div></div><a class="indexterm" name="ch06-idx-969475-0"></a><p>The <code class="literal">passwd</code> +<a class="indexterm" name="ch06-idx-967798-0"></a> <code class="literal">program</code> is used to specify a program on the Unix Samba server that Samba can use to update the standard system password file when the encrypted password file is updated. This option defaults to the standard <span class="emphasis"><em>passwd</em></span> program, usually located in the <code class="filename">/bin</code> directory. The <code class="literal">%u</code> variable is typically used here as the requesting user when the command is executed. The actual handling of input and output to this program during execution is handled through the <code class="literal">passwd</code> <code class="literal">chat</code> option. <a href="#ch06-97004" title="Password Synchronization">Section 6.4.3</a>, earlier in this chapter, covers this option in detail.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.4"></a> +passwd chat</h4></div></div></div><a class="indexterm" name="ch06-idx-969476-0"></a><p>This option specifies a series of send/response strings similar to a Unix chat script, which are used to interface with the password-changing program on the Samba server. <a href="#ch06-97004" title="Password Synchronization">Section 6.4.3</a>, earlier in this chapter, covers this option in detail.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.5"></a> +passwd chat debug</h4></div></div></div><a class="indexterm" name="ch06-idx-969477-0"></a><p>If set to <code class="literal">yes</code>, the <code class="literal">passwd</code> <code class="literal">chat</code> <code class="literal">debug</code> global option logs everything sent or received by Samba during a password chat. All the I/O received by Samba through the password chat is sent to the Samba logs with a debug level of 100; you will need to specify <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">100</code> in order for the information to be recorded. <a href="#ch06-97004" title="Password Synchronization">Section 6.4.3</a> earlier in this chapter, describes this option in more detail. Be aware that if you do set this option, the plaintext passwords will be visible in the debugging logs, which could be a security hazard if they are not properly secured.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.6"></a> +password level</h4></div></div></div><a class="indexterm" name="ch06-idx-969478-0"></a><p>With SMB, non-encrypted (or plaintext) passwords are sent with capital letters, just like the usernames mentioned previously. Many Unix users, however, choose passwords with both uppercase and lowercase letters. Samba, by default, only attempts to match the password entirely in lowercase letters, and not capitalizing the first letter.</p><p>Like <code class="literal">username</code> <code class="literal">level</code>, there is a <code class="literal">password</code> <code class="literal">level</code> option that can be used to attempt various permutations of the password with capital letters. This option takes an integer value that specifies how many letters in the password should be capitalized when attempting to connect to a share. You can specify this options as follows:</p><pre class="programlisting">[global] + password level = 3</pre><p>In this case, Samba will then attempt all permutations of the password it can compute having three capital letters. The larger the number, the more computations Samba will have to perform to match the password, and the longer a connection to a specific share may take.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.7"></a>update encrypted</h4></div></div></div><a class="indexterm" name="ch06-idx-969481-0"></a><p>For sites switching over to the <a class="indexterm" name="ch06-idx-967799-0"></a>encrypted password format, Samba provides an option that should help with the transition. The <code class="literal">update</code> <code class="literal">encrypted</code> option allows a site to ease into using encrypted passwords from plaintext passwords. You can activate this option as follows:</p><pre class="programlisting">[global] + update encrypted = yes</pre><p>This instructs Samba to create an encrypted version of each user's Unix password in the <code class="filename">smbpasswd</code> file each time he or she connects to a share. When this option is enabled, you must have the <code class="literal">encrypt</code> <code class="literal">passwords</code> option set to <code class="literal">no</code> so that the client will pass plaintext passwords to Samba to use to update the files. Once each user has connected at least once, you can set <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code>, allowing you to use only the encrypted passwords. The user must already have a valid entry in the <code class="filename">smbpasswd</code> file for this option to work.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.8"></a>null passwords</h4></div></div></div><p>This global option tells Samba whether or not to allow access from users that have <a class="indexterm" name="ch06-idx-967801-0"></a> +<a class="indexterm" name="ch06-idx-967801-1"></a>null passwords (encrypted or non-encrypted) set in their accounts. The default value is <code class="literal">no</code>. You can override it as follows:</p><pre class="programlisting">null passwords = yes</pre><p>We highly recommend against doing so unless you are familiar with the security risks this option can present to your system, including inadvertent access to system users (such as <code class="filename">bin</code>) in the system password file who have null passwords set.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.9"></a> +smb passwd file</h4></div></div></div><a class="indexterm" name="ch06-idx-969483-0"></a><p> +<a class="indexterm" name="ch06-idx-968245-0"></a>This global option identifies the location of the encrypted password database. By default, it is set to <code class="filename">/usr/local/samba/private/smbpasswd</code>. You can override it as follows:</p><pre class="programlisting">[global] + smb passwd file = /etc/smbpasswd</pre><p>This location, for example, is common on many Red Hat distributions.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.10"></a> +hosts equiv</h4></div></div></div><a class="indexterm" name="ch06-idx-969486-0"></a><p>This global option specifies the name of a standard Unix <code class="filename">hosts.equiv</code> file that will allow hosts or users to access shares without specifying a password. You can specify the location of such a file as follows:</p><pre class="programlisting">[global] + hosts equiv = /etc/hosts.equiv</pre><p>The default value for this option does not specify any <code class="filename">hosts.equiv</code> file. Because using such a file is essentially a huge security risk, we highly recommend that you do not use this option unless you are confident in the security of your network.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.11"></a> +use rhosts</h4></div></div></div><a class="indexterm" name="ch06-idx-969487-0"></a><p>This global option specifies the name of a standard Unix user's <code class="filename">.rhosts</code> file that will allow foreign hosts to access <a class="indexterm" name="ch06-idx-967803-0"></a>shares without specifying a password. You can specify the location of such a file as follows:</p><pre class="programlisting">[global] + use rhosts = /home/dave/.rhosts</pre><p>The default value for this option does not specify any <code class="filename">.rhosts</code> file. Like the <code class="literal">hosts</code> <code class="literal">equiv</code> option above, using such a file is a security risk. We highly recommend that you do use this option unless you are confident in the security of<a class="indexterm" name="ch06-idx-968233-0"></a> your network.<a class="indexterm" name="ch06-idx-968235-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-23084"></a>Windows Domains</h2></div></div></div><p> +<a class="indexterm" name="ch06-idx-967533-0"></a> +<a class="indexterm" name="ch06-idx-967533-1"></a> +<a class="indexterm" name="ch06-idx-967533-2"></a>Now that you are comfortable with users and passwords on a Samba server, we can show you how to set up Samba to become a <a class="indexterm" name="ch06-idx-967819-0"></a>primary domain controller for Windows 95/98 and NT machines. Why use domains? The answer probably isn't obvious until you look behind the scenes, especially with Windows 95/98.</p><p>Recall that with traditional workgroups, Windows 95/98 simply accepts each username and password that you enter when logging on to the system. There are no unauthorized users with Windows 95/98; if a new user logs on, the operating system simply asks for a new password and authenticates the user against that password from then on. The only time that Windows 95/98 attempts to use the password you entered is when connecting to another share.</p><p> +<a class="indexterm" name="ch06-idx-967805-0"></a>Domain logons, on the other hand, are similar to Unix systems. In order to log on to the domain, a valid username and password must be presented at startup, which is then authenticated against the primary domain controller's password database. If the password is invalid, the user is immediately notified and they cannot log on to the domain.</p><p>There's more good news: once you have successfully logged on to the domain, you can access any of the shares in the domain to which you have rights without having to reauthenticate yourself. More precisely, the primary domain controller returns a token to the client machine that allows it to access any share without consulting the PDC again. Although you probably won't notice the shift, this can be beneficial in cutting down network traffic. (You can disable this behavior if you wish by using the <code class="literal">revalidate</code> option.)</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-36822"></a>Configuring Samba for Windows Domain Logons</h3></div></div></div><p>If you wish to allow Samba to act as a domain controller, use the following sections to configure Samba and your clients to allow domain access.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on how to set up domains, see the <code class="filename">DOMAINS.TXT</code> file that comes with the Samba distribution.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.1.1"></a>Windows 95/98 clients</h4></div></div></div><p> +<a class="indexterm" name="ch06-idx-967815-0"></a>Setting up Samba as a PDC for Windows 95/98 clients is somewhat anticlimactic. All you really need to do on the server side is ensure that:</p><div class="itemizedlist"><ul type="disc"><li><p>Samba is the only primary domain controller for the current workgroup.</p></li><li><p>There is a <a class="indexterm" name="ch06-idx-967817-0"></a>WINS server available on the network, either a Samba machine or a Windows NT server. (See <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>, for more information on WINS.)</p></li><li><p>Samba is using user-level security (i.e., it doesn't hand off password authentication to anyone else). You do not want to use domain-level security if Samba itself is acting as the PDC.</p></li></ul></div><p>At that point, you can insert the following options into your Samba configuration file:</p><pre class="programlisting">[global] + workgroup = SIMPLE + domain logons = yes + +# Be sure to set user-level security! + + security = user + +# Be sure to become the primary domain controller! + + os level = 34 + local master = yes + preferred master = yes + domain master = yes</pre><p>The <code class="literal">domain</code> <code class="literal">logons</code> option enables Samba to perform domain authentication on behalf of other clients that request it. The name of the domain will be the same as the workgroup listed in the Samba configuration file, in this case: SIMPLE.</p><p>After that, you need to create a non-writable, non-public, non-browesable disk share called <code class="literal">[netlogon]</code> (it does not matter where this share points to as long as each Windows client can connect to it):</p><pre class="programlisting">[netlogon] + comment = The domain logon service + path = /export/samba/logon + public = no + writeable = no + browsable = no</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.1.2"></a>Windows NT clients</h4></div></div></div><p> +<a class="indexterm" name="ch06-idx-967816-0"></a>If you have Window NT clients on your system, there are a few more steps that need to be taken in order for Samba to act as their primary domain controller.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>You will need to use at least <a class="indexterm" name="ch06-idx-967821-0"></a> +<a class="indexterm" name="ch06-idx-967821-1"></a> +<a class="indexterm" name="ch06-idx-967821-2"></a>Samba 2.1 to ensure that PDC functionality for Windows NT clients is present. Prior to Samba 2.1, only limited user authentication for NT clients was present. At the time this book went to press, Samba 2.0.5 was the latest version, but Samba 2.1 was available through CVS download. Instructions on downloading alpha versions of Samba are given in <a href="#SAMBA-AP-E" title="Appendix E. Downloading Samba with CVS">Appendix E</a>.</p></div><p>As before, you need to ensure that Samba is a primary domain controller for the current workgroup and is using user-level security. However, you must also ensure that Samba is using encrypted passwords. In other words, alter the <code class="literal">[global]</code> options the previous example to include the <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code> option, as shown here:</p><pre class="programlisting">[global] + workgroup = SIMPLE + encrypted passwords = yes + domain logons = yes + + security = user</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.1.3"></a>Creating trust accounts for NT clients</h4></div></div></div><p>This step is exclusively for Windows NT clients. All NT clients that connect to a primary domain controller make use of <em class="firstterm">trust accounts</em> +<a class="indexterm" name="ch06-idx-967823-0"></a>. These accounts allow a machine to log in to the <a class="indexterm" name="ch06-idx-967824-0"></a>PDC itself (not one of its shares), which means that the PDC can trust any further connections from users on that client. For all intents and purposes, a trust account is identical to a user account. In fact, we will be using standard Unix user accounts to emulate trust accounts for the Samba server.</p><p>The login name of a machine's trust account is the name of the machine with a dollar sign appended to it. For example, if our Windows NT machine is named <code class="literal">chimaera</code>, the login account would be <code class="literal">chimaera$</code>. The initial password of the account is simply the name of the machine in lowercase letters. In order to forge the trust account on the Samba server, you need to create a Unix account with the appropriate machine name, as well as an encrypted password entry in the <code class="filename">smbpasswd</code> database.</p><p>Let's tackle the first part. Here, we only need to modify the <code class="filename">/etc/passwd</code> file to support the trust account; there is no need to create a home directory or assign a shell to the "user" because the only part we are interested in is whether a login is permitted. Therefore, we can create a "dummy" account with the following entry:</p><pre class="programlisting">chimaera$:*:1000:900:Trust Account:/dev/null:/dev/null</pre><p>Note that we have also disabled the password field by placing a <code class="literal">*</code> in it. This is because Samba will use the <code class="filename">smbpasswd</code> file to contain the password instead, and we don't want anyone to telnet into the machine using that account. In fact, the only value other than the account name that is used here is the UID of the account for the encrypted password database (1000). This number must map to a unique resource ID on the NT server and cannot conflict with any other resource IDs. Hence, no NT user or group should map to this number or a networking error will occur.</p><p>Next, add the encrypted password using the <code class="filename">smbpasswd</code> command, as follows:</p><pre class="programlisting"># <strong class="userinput"><code>smbpasswd -a -m chimaera</code></strong> +Added user chimaera$ +Password changed for user chimaera$</pre><p>The <code class="literal">-m</code> option specifies that a machine trust account is being generated. The <code class="filename">smbpasswd</code> program will automatically set the initial encrypted password as the NetBIOS name of the machine in lowercase letters; you don't need to enter it. When specifying this option on the command line, do not put a dollar sign after the machine name—it will be appended automatically. Once the encrypted password has been added, Samba is ready to handle domain logins from a NT client.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-5.2"></a>Configuring Windows Clients for Domain Logons</h3></div></div></div><p>Once you have Samba configured for domain logons, you need to set up your Windows clients to log on to the domain at startup.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.2.1"></a>Windows 95/98</h4></div></div></div><p> +<a class="indexterm" name="ch06-idx-969407-0"></a> +<a class="indexterm" name="ch06-idx-969407-1"></a>With Windows 95/98, this can be done by raising the Network configuration dialog in the Windows Control Panel and selecting the Properties for "Client for Microsoft Networks." At this point, you should see a dialog box similar to <a href="#ch06-48609" title="Figure 6.4. Configuring a Windows 95/98 client for domain logons">Figure 6.4</a>. Select the "Logon to Windows Domain" checkbox at the top of the dialog box, and enter the workgroup that is listed in the Samba configuration file as the Windows NT domain. Then click on OK and reboot the machine when asked.</p><div class="figure"><a name="ch06-48609"></a><p class="title"><b>Figure 6.4. Configuring a Windows 95/98 client for domain logons</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 359px"><td><img src="figs/sam.0604.gif" width="502" alt="Configuring a Windows 95/98 client for domain logons"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If Windows complains that you are already logged into the domain, you probably have an active connection to a share in the workgroup (such as a mapped network drive). Simply disconnect the resource temporarily by right-clicking on its icon and choosing the Disconnect pop-up menu item.</p></div><p>When Windows reboots, you should see the standard <a class="indexterm" name="ch06-idx-967825-0"></a>login dialog with an addition: a field for a domain. The domain name should already be filled in, so simply enter your password and click on the OK button. At this point, Windows should consult the primary domain controller (Samba) to see if the password is correct. (You can check the log files if you want to see this in action.) If it worked, congratulations! You have properly configured Samba to act as a domain controller for Windows 95/98 machines and your client is successfully connected.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.2.2"></a>Windows NT 4.0</h4></div></div></div><p> +<a class="indexterm" name="ch06-idx-967826-0"></a>To configure Windows NT for domain logons, open the Network configuration dialog in the Windows NT Control Panel. The first tab that you see should list the identification of the machine.</p><p>Press the Change button and you should see the dialog box shown in <a href="#ch06-89804" title="Figure 6.5. Configuring a Windows NT client for domain logons">Figure 6.5</a>. In this dialog box, you can choose to have the Windows NT client become a member of the domain by selecting the radio button marked Domain in the "Member of " box. Then, type in the domain that you wish the client to login to; it should be the same as the workgroup that you specified in the Samba configuration file. Do not check the box marked "Create a Computer Account in the Domain"—Samba does not currently support this functionality.</p><div class="figure"><a name="ch06-89804"></a><p class="title"><b>Figure 6.5. Configuring a Windows NT client for domain logons</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 359px"><td><img src="figs/sam.0605.gif" width="502" alt="Configuring a Windows NT client for domain logons"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Like Windows 95/98, if NT complains that you are already logged in, you probably have an active connection to a share in the workgroup (such as a mapped network drive). Disconnect the resource temporarily by right-clicking on its icon and choosing the Disconnect pop-up menu item.</p></div><p>After you press the OK button, Windows should present you with a small <a class="indexterm" name="ch06-idx-967838-0"></a>dialog box welcoming you to the domain. At this point, you will need to reset the Windows NT machine. Once it comes up again, the machine will automatically present you with a log on screen similar to the one for Windows 95/98 clients. You can now log in using any account that you have already on the Samba server that is configured to accept logins.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Be sure to select the correct domain in the <a class="indexterm" name="ch06-idx-967844-0"></a> +<a class="indexterm" name="ch06-idx-967844-1"></a>Windows NT logon dialog box. Once selected, it may take a moment for Windows NT to build the list of available domains.</p></div><p>After you enter the password, Windows NT should consult the primary domain controller (Samba) to see if the password is correct. Again, you can check the log files if you want to see this in action. If it worked, you have successfully configured Samba to act as a domain controller for Windows NT machines.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-5.3"></a>Domain Options</h3></div></div></div><p><a href="#ch06-53106" title="Table 6.9. Windows 95/98 Domain Logon Options">Table 6.9</a> shows the options that are commonly used in association with domain logons.</p><div class="table"><a name="ch06-53106"></a><p class="title"><b>Table 6.9. Windows 95/98 Domain Logon Options </b></p><div class="table-contents"><table summary="Windows 95/98 Domain Logon Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">domain logons</code></p></td><td><p>boolean</p></td><td><p>Indicates whether Windows domain logons are to be used.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">domain group map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Name of the file used to map Unix to Windows NT domain groups.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">domain user map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Name of the file used to map Unix to Windows NT domain users.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">local group map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Name of the file used to map Unix to Windows NT local groups.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">revalidate</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba forces users to authenticate themselves with each connection to a share.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.1"></a> +domain logons</h4></div></div></div><a class="indexterm" name="ch06-idx-969495-0"></a><p>This option configures Samba to accept domain logons as a <a class="indexterm" name="ch06-idx-968113-0"></a>primary domain controller. When a client successfully logs on to the domain, Samba will return a special token to the client that allows the client to access domain shares without consulting the PDC again for authentication. Note that the Samba machine must be in user-level security (<code class="literal">security</code> <code class="literal">=</code> <code class="literal">user</code>) and must be the PDC in order for this option to function. In addition, Windows machines will expect a <code class="literal">[netlogon]</code> share to exist on the Samba server (see <a href="#ch06-36822" title="Configuring Samba for Windows Domain Logons">Section 6.5.1</a> earlier in this chapter).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.2"></a> +domain group map</h4></div></div></div><a class="indexterm" name="ch06-idx-969498-0"></a><p>This option specifies the location of a <a class="indexterm" name="ch06-idx-968114-0"></a>mapping file designed to translate Windows NT domain group names to Unix group names. The file should reside on the Samba server. For example:</p><pre class="programlisting">/usr/local/samba/private/groups.mapping</pre><p>The file has a simple format:</p><pre class="programlisting"><em class="replaceable"><code>UnixGroup = NTGroup</code></em></pre><p>An example is:</p><pre class="programlisting">admin = Administrative</pre><p>The specified Unix group should be a valid group in the <code class="filename">/etc/group</code> file. The NT group should be the name to which you want the Unix group to map on an NT client. This option will work only with Windows NT clients.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.3"></a> +domain user map</h4></div></div></div><a class="indexterm" name="ch06-idx-969499-0"></a><p>This option specifies the location of a mapping file designed to translate Unix usernames to Windows NT domain usernames. The file should reside on the Samba server. For example:</p><pre class="programlisting">/usr/local/samba/private/domainuser.mapping</pre><p>The file has a simple format:</p><pre class="programlisting"><em class="replaceable"><code>UnixUsername</code></em> = [\\<em class="replaceable"><code>Domain</code></em>\\]<em class="replaceable"><code>NTUserName</code></em></pre><p>An example entry is:</p><pre class="programlisting">joe = Joseph Miller</pre><p>The Unix name specified should be a valid username in the <code class="filename">/etc/passwd</code> file. The NT name should be the username to which you want to Unix username to map on an NT client. This option will work with Windows NT clients only.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on how Windows NT uses domain usernames and local groups, we recommend Eric Pearce's <em class="citetitle">Windows NT in a Nutshell</em>, published by O'Reilly.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.4"></a> +local group map</h4></div></div></div><a class="indexterm" name="ch06-idx-969502-0"></a><p>This option specifies the location of a mapping file designed to translate Windows NT local group names to Unix group names. Local group names include those such as Administrator and Users. The file should reside on the Samba server. For example:</p><pre class="programlisting">/usr/local/samba/private/localgroup.mapping</pre><p>The file has a simple format:</p><pre class="programlisting"><em class="replaceable"><code>UnixGroup</code></em> = [BUILTIN\]<em class="replaceable"><code>NTGroup</code></em></pre><p>An example entry is:</p><pre class="programlisting">root = BUILTIN\Administrators</pre><p>This option will work with Windows NT clients only. For more information, see Eric Pearce's <em class="citetitle">Windows NT in a Nutshell</em> (O'Reilly).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.5"></a>revalidate</h4></div></div></div><p>This share-level option tells Samba to force users to authenticate with <a class="indexterm" name="ch06-idx-968116-0"></a> +<a class="indexterm" name="ch06-idx-968116-1"></a> +<a class="indexterm" name="ch06-idx-968116-2"></a> +<a class="indexterm" name="ch06-idx-968116-3"></a>passwords each time they connect to a different share on a machine, no matter what level of security is in place on the Samba server. The default value is <code class="literal">no</code>, which allows users to be trusted once they successfully authenticate themselves. You can override it as:</p><pre class="programlisting">revalidate = yes</pre><p>You can use this option to increase security on your system. However, you should weigh it against the inconvenience of having users revalidate themselves to every share.<a class="indexterm" name="ch06-idx-968204-0"></a> +<a class="indexterm" name="ch06-idx-968204-1"></a> +<a class="indexterm" name="ch06-idx-968204-2"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-38153"></a>Logon Scripts</h2></div></div></div><p> +<a class="indexterm" name="ch06-idx-967542-0"></a> +<a class="indexterm" name="ch06-idx-967542-1"></a> +<a class="indexterm" name="ch06-idx-967542-2"></a>Samba supports the execution of Windows logon scripts, which are scripts (<a class="indexterm" name="ch06-idx-968119-0"></a> +<a class="indexterm" name="ch06-idx-968119-1"></a>.BAT or .CMD) that are executed on the client when a user logs on to a Windows domain. Note that these scripts are stored on the Unix side, but are transported across the network to the client side and executed once a user logs on. These scripts are invaluable for dynamically setting up network configurations for users when they log on. The downside is that because they run on Windows, they must use the <a class="indexterm" name="ch06-idx-968120-0"></a> +<a class="indexterm" name="ch06-idx-968120-1"></a>Windows network configuration commands.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on NET commands, we recommend the following O'Reilly handbooks: <span class="emphasis"><em>Windows NT in a Nutshell</em></span>, <span class="emphasis"><em>Windows 95 in a Nutshell</em></span>, and <span class="emphasis"><em>Windows 98 in a Nutshell.</em></span></p></div><p>You can instruct Samba to use a logon script with the <code class="literal">logon</code> <code class="literal">script</code> option, as follows:</p><pre class="programlisting">[global] + domain logons = yes + security = user + workgroup = SIMPLE + + os level = 34 + local master = yes + preferred master = yes + domain master = yes + logon script = %U.bat + +[netlogon] + comment = The domain logon service + path = /export/samba/logon + public = no + writeable = no + browsable = no</pre><p>Note that this example uses the <code class="literal">%U</code> variable, which will individualize the script based on the user that is logging in. It is common to customize logon scripts based on the user or machine name that is logging onto the domain. These scripts can then be used to configure individual settings for users or clients.</p><p>Each logon script should be stored at the base of the <code class="literal">[netlogon]</code> share. For example, if the base of the <code class="literal">[netlogon]</code> share is <code class="filename">/export/samba/logon</code> and the logon script is <code class="filename">jeff.bat</code>, the file should be located at <code class="filename">/export/samba/logon/jeff.bat</code>. When a user logs on to a domain that contains a startup script, he or she will see a small dialog that informs them that the script is executing, as well as any output the script generates in an MS-DOS-like box.</p><p>One warning: because these scripts are loaded by Windows and executed on the Windows side, they must consist of DOS formatted <a class="indexterm" name="ch06-idx-968122-0"></a> +<a class="indexterm" name="ch06-idx-968122-1"></a> +<a class="indexterm" name="ch06-idx-968122-2"></a>carriage-return/linefeed characters instead of Unix carriage returns. It's best to use a DOS- or Windows-based editor to create them.</p><p>Here is an example of a logon script that sets the current time to match that of the Samba server and maps two network drives, <code class="literal">h</code> and <code class="literal">i</code>, to individual shares on the server:</p><pre class="programlisting"># Reset the current time to that shown by the server. +# We must have the "time server = yes" option in the +# smb.conf for this to work. + +echo Setting Current Time... +net time \\hydra /set /yes + +# Here we map network drives to shares on the Samba +# server +echo Mapping Network Drives to Samba Server Hydra... +net use h: \\hydra\data +net use i: \\hydra\network</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.0.1"></a>Roaming profiles</h3></div></div></div><p><em class="firstterm"></em> +<a class="indexterm" name="ch06-idx-968132-0"></a> +<a class="indexterm" name="ch06-idx-968132-1"></a>In Windows 95 and NT, each user can have his or her own <em class="firstterm">profile</em> +<a class="indexterm" name="ch06-idx-968123-0"></a>. A profile bundles information such as: the appearance of a user's desktop, the applications that appear on the start menus, the background, and other miscellaneous items. If the profile is stored on a local disk, it's called a <em class="firstterm">local profile</em> +<a class="indexterm" name="ch06-idx-968124-0"></a> +<a class="indexterm" name="ch06-idx-968124-1"></a>, since it describes what a user's environment is like on one machine. If the profile is stored on a server, on the other hand, the user can download the same profile to any client machine that is connected to the server. The latter is called a <em class="firstterm">roaming profile</em> because the user can roam around from machine to machine and still use the same profile. This makes it particularly convenient when someone might be logging in from his or her desk one day and from a portable in the field the next. <a href="#ch06-71393" title="Figure 6.6. Local profiles versus roaming profiles">Figure 6.6</a> illustrates local and roaming profiles.</p><div class="figure"><a name="ch06-71393"></a><p class="title"><b>Figure 6.6. Local profiles versus roaming profiles</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 303px"><td><img src="figs/sam.0606.gif" height="303" alt="Local profiles versus roaming profiles"></td></tr></table></div></div></div><br class="figure-break"><p>Samba will provide roaming profiles if it is configured for domain logons and you provide a tree of directories pointed to by the <code class="literal">logon</code> <code class="literal">path</code> option. This option is typically used with one of the user variables, as shown in this example:</p><pre class="programlisting">[global] + domain logons = yes + security = user + workgroup = SIMPLE + os level = 34 + local master = yes + preferred master = yes + domain master = yes + + logon path = \\hydra\profile\%U</pre><p>We need to create a new share to support the profiles, which is a basic disk share accessible only by the Samba process' user (<code class="literal">root</code>). This share must be writeable, but should not be browseable. In addition, we must create a directory for each user who wishes to log on (based on how we specified our <code class="literal">logon</code> <code class="literal">path</code> in the example above), which is accessible only by that user. For an added measure of security, we use the <code class="literal">directory</code> <code class="literal">mode</code> and <code class="literal">create</code> <code class="literal">mode</code> options to keep anyone who connects to it from viewing or altering the files created in those directories:</p><pre class="programlisting">[profile] + comment = User profiles + path = /export/samba/profile + create mode = 0600 + directory mode = 0700 + writable = yes + browsable = no</pre><p>Once a user initially logs on, the Windows client will create a <code class="filename">user.dat</code> or <code class="filename">ntuser.dat</code> file—depending on which operating system the client is running. The client then uploads the contents of the desktop, the Start Menu, the Network Neighborhood, and the programs folders in individual folders in the directory. When the user subsequently logs on, those contents will be downloaded from the server and activated for the client machine with which the user is logging on. When he or she logs off, those contents will be uploaded back on the server until the next time the user connects. If you look at the directory listing of a profile folder, you'll see the following:</p><pre class="programlisting"># ls -al + +total 321 +drwxrwxr-x 9 root simple Jul 21 20:44 . +drwxrwxr-x 4 root simple Jul 22 14:32 .. +drwxrwx--- 3 fred develope Jul 12 07:15 Application Data +drwxrwx--- 3 fred develope Jul 12 07:15 Start Menu +drwxrwx--- 2 fred develope Jul 12 07:15 cookies +drwxrwx--- 2 fred develope Jul 12 07:15 desktop +drwxrwx--- 7 fred develope Jul 12 07:15 history +drwxrwx--- 2 fred develope Jul 12 07:15 nethood +drwxrwx--- 2 fred develope Jul 19 21:05 recent +-rw------- 1 fred develope Jul 21 21:59 user.dat</pre><p>The <code class="filename">user.dat</code> files are binary configuration files, created automatically by Windows. They can be edited with the Profile Editor on a Windows client, but they can be somewhat tricky to get correct. Samba supports them correctly for all clients up to NT 5.0 beta, but they're still relatively new<em class="firstterm"></em> +<a class="indexterm" name="ch06-idx-968138-0"></a> +<a class="indexterm" name="ch06-idx-968138-1"></a>.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Hints and HOWTOs for handling logon scripts are available in the Samba documentation tree, in both <code class="filename">docs/textdocs/DOMAIN.txt</code> and <code class="filename">docs/textdocs/PROFILES.txt</code>.<em class="firstterm"></em> +<a class="indexterm" name="ch06-idx-968148-0"></a> +<a class="indexterm" name="ch06-idx-968148-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.0.2"></a>Mandatory profiles</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-968144-0"></a> +<a class="indexterm" name="ch06-idx-968144-1"></a>Users can also have <em class="firstterm">mandatory profiles</em>, which are roaming profiles that they cannot change. For example, with a mandatory profile, if a user adds a command to the Start Menu on Tuesday, it will be gone when he or she logs in again on Wednesday. The mandatory profile is simply a <code class="filename">user.dat</code> file that has been renamed to <code class="filename">user.man</code> and made read-only on the Unix server. It normally contains settings that the administrator wishes to ensure the user always executes. For example, if an administrator wants to create a <a class="indexterm" name="ch06-idx-968145-0"></a>fixed user configuration, he or she can do the following:</p><div class="orderedlist"><ol type="1"><li><p>Create the read-write directory on the Samba server.</p></li><li><p>Set the <code class="literal">logon</code> <code class="literal">path</code> option in the <span class="emphasis"><em>smb.conf</em></span> file to point to this directory.</p></li><li><p>Logon as the user from Windows 95/98 to have the client populate the directory.</p></li><li><p>Rename the resulting <code class="filename">user.dat</code> to <code class="filename">user.man</code>.</p></li><li><p>Make the directory and its contents read only.</p></li></ol></div><p>Mandatory profiles are fairly unusual. Roaming profiles, on the other hand, are one of the more desirable features of Windows that Samba can support.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.1"></a>Logon Script Options</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-968152-0"></a><a href="#ch06-46661" title="Table 6.10. Logon Script Options">Table 6.10</a> summarizes the options commonly used in association with Windows domain logon scripts.</p><div class="table"><a name="ch06-46661"></a><p class="title"><b>Table 6.10. Logon Script Options </b></p><div class="table-contents"><table summary="Logon Script Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">logon script</code></p></td><td><p>string (DOS path)</p></td><td><p>Name of DOS/NT batch file</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">logon path</code></p></td><td><p>string (UNC server and share name)</p></td><td><p>Location of roaming profile for user</p></td><td><p><code class="literal">\\%N\%U\profile</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">logon drive</code></p></td><td><p>string (drive letter)</p></td><td><p>Specifies the logon drive for a home directory (NT only)</p></td><td><p><code class="literal">Z</code>:</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">logon home</code></p></td><td><p>string (UNC server and share name)</p></td><td><p>Specifies a location for home directories for clients logging on to the domain</p></td><td><p><code class="literal">\\%N\%U</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.1"></a> +logon script</h4></div></div></div><a class="indexterm" name="ch06-idx-969510-0"></a><p>This option specifies a Windows .BAT or .CMD file with lines ending in carriage-return/line feed that will be executed on the client after a user has logged on to the domain. Each logon script should be stored at the base of a share entitled <code class="literal">[netlogin]</code> (see <a href="#ch06-36822" title="Configuring Samba for Windows Domain Logons">Section 6.5.1</a> for details.) This option frequently uses the <code class="literal">%U</code> or <code class="literal">%m</code> variables (user or NetBIOS name) to point to an individual script. For example:</p><pre class="programlisting">logon script = %U.bat</pre><p>will execute a script based on the username located at the base of the <code class="literal">[netlogin]</code> share. If the user who is connecting is <code class="literal">fred</code> and the path of the <code class="literal">[netlogin]</code> share maps to the directory <code class="filename">/export/samba/netlogin</code>, the script should be <code class="filename">/export/samba/netlogin/fred.bat</code>. Because these scripts are downloaded to the client and executed on the Windows side, they must consist of DOS formatted carriage-return/linefeed characters instead of Unix carriage returns.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.2"></a> +logon path</h4></div></div></div><a class="indexterm" name="ch06-idx-969513-0"></a><p>This option provides a location for <a class="indexterm" name="ch06-idx-968161-0"></a> +<a class="indexterm" name="ch06-idx-968161-1"></a>roaming profiles. When the user logs on, a roaming profile will be downloaded from the server to the client and activated for the user who is logging on. When the user logs off, those contents will be uploaded back on the server until the next time the user connects.</p><p>It is often more secure to create a separate share exclusively for storing user profiles:</p><pre class="programlisting">logon path = \\hydra\profile\%U</pre><p>For more informaiton on this option, see <a href="#ch06-38153" title="Logon Scripts">Section 6.6</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.3"></a> +logon drive</h4></div></div></div><a class="indexterm" name="ch06-idx-969514-0"></a><p>This option specifies the drive letter on an NT client to which the home directory specified with the <code class="literal">logon</code> <code class="literal">home</code> option will be mapped. Note that this option will work with Windows NT clients only. For example:</p><pre class="programlisting">logon home = I:</pre><p>You should always use drive letters that will not conflict with fixed drives on the client machine. The default is Z:, which is a good choice because it is as far away from A:, C:, and D: as possible.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.4"></a> +logon home </h4></div></div></div><a class="indexterm" name="ch06-idx-969517-0"></a><p>This option specifies the location of a user's <a class="indexterm" name="ch06-idx-968162-0"></a> +<a class="indexterm" name="ch06-idx-968162-1"></a>home directory for use by the DOS NET commands. For example, to specify a home directory as a share on a Samba server, use the following:</p><pre class="programlisting">logon home = \\hydra\%U</pre><p>Note that this works nicely with the <code class="literal">[homes]</code> service, although you can specify any directory you wish. Home directories can be mapped with a logon script using the following command:</p><pre class="programlisting">NET USE I: /HOME</pre><p>In addition, you can use the User Environment Profile under User Properties in the Windows NT User Manager to verify that the home directory has automatically been set.<a class="indexterm" name="ch06-idx-968155-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.2"></a>Other Connection Scripts</h3></div></div></div><p> +<a class="indexterm" name="ch06-idx-968164-0"></a> +<a class="indexterm" name="ch06-idx-968164-1"></a>After a user successfully makes a connection to any Samba share, you may want the Samba server to execute a program on its side to prepare the share for use. Samba allows scripts to be executed before and after someone connects to a share. You do not need to be using Windows domains to take advantage of the options. <a href="#ch06-67528" title="Table 6.11. Connection Script Options">Table 6.11</a> introduces some of the configuration options provided for setting up users.</p><div class="table"><a name="ch06-67528"></a><p class="title"><b>Table 6.11. Connection Script Options </b></p><div class="table-contents"><table summary="Connection Script Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">root preexec</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a command to run as <code class="literal">root</code>, before connecting to the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">preexec (exec)</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a Unix command to run as the user before connecting to the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">postexec</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a Unix command to run as the user after disconnecting from the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">root postexec</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a Unix command to run as <code class="literal">root</code> after disconnecting from the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.1"></a> +root preexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969520-0"></a><p>The first form of the logon command is called <code class="literal">root</code> <code class="literal">preexec</code>. This option specifies a Unix command as its value that will be run <span class="emphasis"><em>as the root user</em></span> before any connection to a share is completed. You should use this option specifically for performing actions that require <a class="indexterm" name="ch06-idx-968166-0"></a> +<a class="indexterm" name="ch06-idx-968166-1"></a>root privilege. For example, <code class="literal">root</code> <code class="literal">preexec</code> can be used to mount CD-ROMs for a share that makes them available to the clients, or to create necessary directories. If no <code class="literal">root</code> <code class="literal">preexec</code> option is specified, there is no default action. Here is an example of how you can use the command to mount a CD-ROM:</p><pre class="programlisting">[homes] + browseable = no + writeable = yes + root preexec = /etc/mount /dev/cdrom2</pre><p>Remember that these commands will be run as the root user. Therefore, in order to ensure security, users should never be able to modify the target of the <code class="literal">root</code> <code class="literal">preexec</code> command.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.2"></a> +preexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969523-0"></a><p>The next option run before logon is the <code class="literal">preexec</code> option, sometimes just called <code class="literal">exec</code>. This is an ordinary unprivileged command run by Samba as the user specified by the variable <code class="literal">%u</code>. For example, a common use of this option is to perform <a class="indexterm" name="ch06-idx-968167-0"></a>logging, such as the following:</p><pre class="programlisting">[homes] +<strong class="userinput"><code>preexec = echo "%u connected to %S from %m (%I)\" >>/tmp/.log</code></strong></pre><p>Be warned that any information the command sends to standard output will not be seen by the user, but is instead thrown away. If you intend to use a <code class="literal">preexec</code> script, you should ensure that it will run correctly before having Samba invoke it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.3"></a> +postexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969524-0"></a><p>Once the user disconnects from the share, the command specified with <code class="literal">postexec</code> is run as the user on the Samba server to do any necessary cleanup. This option is essentially the same as the <code class="literal">preexec</code> option. Again, remember that the command is run as the user represented by <code class="literal">%u</code> and any information sent to standard output will be ignored.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.4"></a> +root postexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969525-0"></a><p>Following the <code class="literal">postexec</code> option, the <code class="literal">root</code> <code class="literal">postexec</code> command is run, if one has been specified. Again, this option specifies a Unix command as its value that will be run <span class="emphasis"><em>as the</em></span> <a class="indexterm" name="ch06-idx-968179-0"></a> +<a class="indexterm" name="ch06-idx-968179-1"></a><span class="emphasis"><em>root user</em></span> before disconnecting from a share. You should use this option specifically for performing actions that require root privilege.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.3"></a>Working with NIS and NFS</h3></div></div></div><p>Finally, Samba has the ability to work with <a class="indexterm" name="ch06-idx-968184-0"></a>NIS and NIS+. If there is more than one file server, and each runs Samba, it may be desirable to have the SMB client connect to the server whose disks actually house the user's home directory. It isn't normally a good idea to ship files across the network once via NFS to a Samba server, only to be sent across the network once again to the client via SMB. (For one thing, it's slow—about 30 percent of normal Samba speed). Therefore, there are a pair of options to tell Samba that NIS knows the name of the right server and indicate in which NIS map the information lives.</p><p><a href="#ch06-27466" title="Table 6.12. NIS Options">Table 6.12</a> introduces some of the other configuration options specifically for setting up users.</p><div class="table"><a name="ch06-27466"></a><p class="title"><b>Table 6.12. NIS Options </b></p><div class="table-contents"><table summary="NIS Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">nis homedir</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, use NIS instead of <code class="filename">/etc/passwd</code> to look up the path of a user's home directory</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">homedir map</code></p></td><td><p>string (NIS map name)</p></td><td><p>Sets the NIS map to use to look up a user's home directory</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.3.1"></a>nis homedir and homedir map</h4></div></div></div><p>The <code class="literal">nis</code> +<a class="indexterm" name="ch06-idx-969528-0"></a> +<a class="indexterm" name="ch06-idx-969528-1"></a> <code class="literal">homedir</code> and <code class="literal">homedir</code> <code class="literal">map</code> options are for Samba servers on network sites where Unix home directories are provided using NFS, the automounter, and NIS (Yellow Pages).</p><p>The <code class="literal">nis</code> <code class="literal">homedir</code> option indicates that the home directory server for the user needs to be looked up in NIS. The <code class="literal">homedir</code> <code class="literal">map</code> option tells Samba what NIS map to look in for the server that has the user's home directory. The server needs to be a Samba server, so the client can do an SMB connect to it, and the other Samba servers need to have NIS installed so they can do the lookup.</p><p>For example, if user <code class="literal">joe</code> asks for a share called <code class="literal">[joe]</code>, and the <code class="literal">nis</code> <code class="literal">homedir</code> option is set to <code class="literal">yes</code>, Samba will look in the file specified by <code class="literal">homedir</code> <code class="literal">map</code> for a home directory for <code class="literal">joe</code>. If it finds one, Samba will return the associated machine name to the client. The client will then try to connect to <span class="emphasis"><em>that</em></span> machine and get the share from there. Enabling NIS lookups looks<a class="indexterm" name="ch06-idx-967545-0"></a> +<a class="indexterm" name="ch06-idx-967545-1"></a> +<a class="indexterm" name="ch06-idx-967545-2"></a> like the following:</p><pre class="programlisting">[globals] + nis homedir = yes + homedir map = amd.map</pre></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch06-pgfId-968956" href="#ch06-pgfId-968956">1</a>] </sup>Having both encrypted and non-encrypted password clients on your network is another reason why Samba allows you to include (or not include) various options in the Samba configuration file based on the client operating system or machine name variables.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch06-pgfId-969009" href="#ch06-pgfId-969009">2</a>] </sup>This may not work under Red Hat Linux, as the password program typically responds "All authentication tokens updated successfully," instead of "Password changed." We provide a fix for this later in this section.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch06-pgfId-959675" href="#ch06-pgfId-959675">3</a>] </sup>This is because the Unix <span class="emphasis"><em>passwd</em></span> program, which is the usual target for this operation, allows <code class="literal">root</code> to change a user's password without the security restriction that requests the old password of that user.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-7"></a>Chapter 7. Printing and Name Resolution</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch07-61388">7.1. Sending Print Jobs to Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-1.1">7.1.1. Print Commands</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.2">7.1.2. Printing Variables</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.3">7.1.3. A Minimal Printing Setup</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.4">7.1.4. The [printers] Share</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.5">7.1.5. Test Printing</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.6">7.1.6. Setting Up and Testing a Windows Client</a></span></dt><dt><span class="sect2"><a href="#ch07-30008">7.1.7. Automatically Setting Up Printer Drivers</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-31526">7.2. Printing to Windows Client Printers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-2.0.1">7.2.1. BSD printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.0.2">7.2.2. System V printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.1">7.2.3. Samba Printing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-12219">7.3. Name Resolution with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-3.1">7.3.1. The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.2">7.3.2. Setting Up Samba to Use Another WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-83429">7.3.3. Setting Up Samba as a WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.4">7.3.4. Name Resolution Configuration Options</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="ch07-idx-956351-0"></a>This chapter tackles two Samba topics: setting up printers for use with a Samba server and configuring Samba to use or become a Windows Internet Name Service (WINS) server. Samba allows client machines to send documents to printers connected to the Samba server. In addition, Samba can also assist you with printing Unix documents to a printer on a Windows machine. In the first part of this chapter, we will discuss how to get printers configured to work on either side.</p><p>In the second half of the chapter, we will introduce the Windows Internet Name Service, Microsoft's implementation of a NetBIOS Name Server (NBNS). As mentioned in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>, an NBNS allows machines to perform name resolution on a NetBIOS network without having to rely on broadcasts. Instead, each machine knows exactly where the WINS server is and can query it for the IP addresses of other machines on the network.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch07-61388"></a>Sending Print Jobs to Samba</h2></div></div></div><p> +<a class="indexterm" name="ch07-idx-956360-0"></a>A printer attached to the Samba server shows up in the list of shares offered in the Network Neighborhood. If the printer is registered on the client machine and the client has the correct printer driver installed, the client can effortlessly send print jobs to a printer attached to a Samba server. <a href="#ch07-35075" title="Figure 7.1. A Samba printer in the Network Neighborhood">Figure 7.1</a> shows a Samba printer as it appears in the Network Neighborhood of a Windows client.</p><p> +<a class="indexterm" name="ch07-idx-956377-0"></a> +<a class="indexterm" name="ch07-idx-956377-1"></a>To administer printers with Samba, you should understand the basic process by which printing takes place on a network. Sending a print job to a printer on a Samba server involves four steps:</p><div class="orderedlist"><ol type="1"><li><p>Opening and authenticating a connection to the printer share</p></li><li><p>Copying the file over the network</p></li><li><p>Closing the connection</p></li><li><p>Printing and deleting the copy of the file</p><div class="figure"><a name="ch07-35075"></a><p class="title"><b>Figure 7.1. A Samba printer in the Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 171px"><td><img src="figs/sam.0701.gif" height="171" alt="A Samba printer in the Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"></li></ol></div><p>When a print job arrives at a Samba server, the print data is temporarily written to disk in the directory specified by the <code class="literal">path</code> option of the printer share. Samba then executes a Unix print command to send that data file to the printer. The job is printed as the authenticated user of the share. Note that this may be the guest user, depending on how the share is configured.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.1"></a>Print Commands</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956378-0"></a>In order to print the document, you'll need to tell Samba what the command is to print and delete a file. On Linux, such a command is:</p><pre class="programlisting">lpr -r -P<em class="replaceable"><code>printer</code></em> <em class="replaceable"><code>file</code></em></pre><p>This tells <code class="literal">lpr</code> to copy the document to a spool area, usually <code class="filename">/var/spool</code>, retrieve the name of the printer in the system configuration file (<code class="filename">/etc/printcap</code>), and interpret the rules it finds there to decide how to process the data and which physical device to send it to. Note that because the <code class="literal">-r</code> option has been listed, the file specified on the command line will be deleted after it has been printed. Of course, the file removed is just a copy stored on the Samba server; the original file on the client is unaffected.</p><p>Linux uses a Berkeley (BSD) style of printing. However, the process is similar on System V Unix. Here, printing and deleting becomes a compound command:</p><pre class="programlisting">lp -d<em class="replaceable"><code>printer</code></em> -s <em class="replaceable"><code>file</code></em>; rm <em class="replaceable"><code>file</code></em></pre><p>With System V, the <code class="filename">/etc/printcap</code> file is replaced with different set of configuration files hiding in <code class="filename">/usr/spool/lp</code>, and there is no option to delete the file. You have to do it yourself, which is why we have added the <code class="literal">rm</code> command afterward.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.2"></a>Printing Variables</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956380-0"></a>Samba provides four variables specifically for use with <a class="indexterm" name="ch07-idx-956450-0"></a>printing configuration options. They are shown in <a href="#ch07-29758" title="Table 7.1. Printing Variables">Table 7.1</a>.</p><div class="table"><a name="ch07-29758"></a><p class="title"><b>Table 7.1. Printing Variables </b></p><div class="table-contents"><table summary="Printing Variables " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">%s</code></p></td><td><p>The full pathname of the file on the Samba server to be printed</p></td></tr><tr><td><p><code class="literal">%f</code></p></td><td><p>The name of the file itself (without the preceding path) on the Samba server to be printed</p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>The name of the Unix printer to use</p></td></tr><tr><td><p><code class="literal">%j</code></p></td><td><p>The number of the print job (for use with <code class="literal">lprm</code>, <code class="literal">lppause</code>, and <code class="literal">lpresume</code>)</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.3"></a>A Minimal Printing Setup</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956382-0"></a>Let's start with a simple but illustrative printing share. Assuming that you're on a Linux system and you have a printer called <code class="literal">lp</code> listed in the printer capabilities file, the following addition to your <code class="filename">smb.conf</code> +<a class="indexterm" name="ch07-idx-956439-0"></a> file will make the printer accessible through the network:</p><pre class="programlisting">[printer1] + printable = yes + print command = /usr/bin/lpr -r %s + printer = lp + printing = BSD + read only = yes + guest ok = yes</pre><p>This configuration allows anyone to send data to the printer, something we may want to change later. For the moment, what's important to understand is that the variable <code class="literal">%s</code> in the <code class="literal">print</code> <code class="literal">command</code> option will be replaced with the name of the file to be printed when Samba executes the command. Changing the <code class="literal">print command</code> to reflect a different style of Unix machine typically involves only replacing the right side of the <code class="literal">print</code> <code class="literal">command</code> option with whatever command you need for your system and changing the target of the <code class="literal">printing</code> option.</p><p>Let's look at the commands for a <a class="indexterm" name="ch07-idx-956440-0"></a> +<a class="indexterm" name="ch07-idx-956440-1"></a>System V Unix. With variable substitution, the System V Unix command becomes:</p><pre class="programlisting">print command = lp -d%p -s %s; rm %s</pre><p>As mentioned earlier, the <code class="literal">%p</code> variable resolves to the name of the printer, while the <code class="literal">%s</code> variable resolves to the name of the file. After that, you can change the <code class="literal">printing</code> option to reflect that you're using a System V architecture:</p><pre class="programlisting">printing = SYSV</pre><p>If you are using <a class="indexterm" name="ch07-idx-956441-0"></a>share-level security, pay special attention to the guest account used by Samba. The typical setting, <code class="literal">nobody</code>, may not be allowed to print by the operating system. If that's true for your operating system, you should place a <code class="literal">guest</code> <code class="literal">account</code> option under the <a class="indexterm" name="ch07-idx-956445-0"></a>printing share (or even perhaps the global share) specifying an account that can. A popular candidate with the Samba authors is the <code class="literal">ftp</code> account, which is often preconfigured to be safe for untrusted guest users. You can set it with the following command:</p><pre class="programlisting">guest account = ftp</pre><p>Another common printing issue is that clients may need to request the status of a <a class="indexterm" name="ch07-idx-956443-0"></a>print job sent to the Samba server. Samba will not reject a document from being sent to an already busy printer share. Consequently, Samba needs the ability to communicate not only the status of the current printing job to the client, but also which documents are currently waiting to be printed on that printer. Samba also has to provide the client the ability to pause print jobs, resume print jobs, and remove print jobs from the printing queue. Samba provides options for each of these tasks. As you might expect, they borrow functionality from existing Unix commands. The options are:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">lpq command</code></p></li><li><p><code class="literal">lprm command</code></p></li><li><p><code class="literal">lppause command</code></p></li><li><p><code class="literal">lpresume command</code></p></li></ul></div><p>We will cover these options in more detail below. For the most part, however, the value of the <code class="literal">printing</code> configuration option will determine their values, and you should not need to alter the default values of these options.</p><p>Here are a few important items to remember about printing shares:</p><div class="itemizedlist"><ul type="disc"><li><p>You must put <code class="literal">printable</code> <code class="literal">=</code> <code class="literal">yes</code> in all printer shares (even <code class="literal">[printers]</code>), so that Samba will know that they are printer shares. If you forget, the shares will not be usable for printing and will instead be treated as disk shares.</p></li><li><p>If you set the <code class="literal">path</code> configuration option in the printer section, any files sent to the printer(s) will be copied to the directory you specify instead of to the default location of <code class="filename">/tmp</code>. As the amount of disk space allocated to <code class="filename">/tmp</code> can be relatively small in some Unix operating systems, many administrators opt to use <code class="filename">/var/spool</code> or some other directory instead.</p></li><li><p>The <code class="literal">read only</code> option is ignored for printer shares.</p></li><li><p>If you set <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code> in a printer share and Samba is configured for share-level security, it will allow anyone to send data to the printer as the <code class="literal">guest</code> <code class="literal">account</code> user.</p></li></ul></div><p>Using one or more Samba machines as a print server gives you a great deal of flexibility on your LAN. You can easily partition your available printers, restricting some to members of one department, or you can maintain a bank of printers available to all. In addition, you can restrict a printer to a selected few by adding the trusty <code class="literal">valid</code> <code class="literal">users</code> option to its share definition:</p><pre class="programlisting">[deskjet] + printable = yes + path = /var/spool/samba/print + valid users = gail sam</pre><p>All of the other share accessibility options defined in the previous chapter should work for printing shares as well. Since the printers themselves are accessed through Samba by name, it's also simple to delegate print services among several servers using familiar Unix commands for tasks such as load balancing or maintenance.<a class="indexterm" name="ch07-idx-956385-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.4"></a>The [printers] Share</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956390-0"></a><a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, briefly introduced <code class="literal">[printers]</code>, a special share for automatically creating printing services. Let's review how it works: if you create a share named <code class="literal">[printers]</code> in the configuration file, Samba will automatically read in your printer capabilities file and create a printing share for each printer that appears in the file. For example, if the Samba server had <code class="literal">lp</code>, <code class="literal">pcl</code> and <code class="literal">ps</code> printers in its printer capabilities file, Samba would provide three printer shares with those names, each configured with the options in the <code class="literal">[printers]</code> share.</p><p> +<a class="indexterm" name="ch07-idx-956509-0"></a>Recall that Samba obeys following rules when a client requests a share that has not been created through the <code class="filename">smb.conf</code> file:</p><div class="itemizedlist"><ul type="disc"><li><p>If the share name matches a username in the system password file and a <code class="literal">[homes]</code> share exists, a new share is created with the name of the user and is initialized using the values given in the <code class="literal">[homes]</code> and <code class="literal">[global]</code> sections.</p></li><li><p>Otherwise, if the name matches a printer in the system printer capabilities file, and a <code class="literal">[printers]</code> share exists, a new share is created with the name of the printer and initialized using the values given in the <code class="literal">[printers]</code> section. (Variables in the <code class="literal">[global]</code> section do not apply here.)</p></li><li><p>If neither of those succeed, Samba looks for a <code class="literal">default</code> <code class="literal">service</code> share. If none is found, it returns an error.</p></li></ul></div><p>This brings to light an important point: be careful that you do not give a <a class="indexterm" name="ch07-idx-956508-0"></a>printer the same name as a user. Otherwise, you will end up connecting to a disk share when you may have wanted a printer share instead.</p><p>Here is an example <code class="literal">[printers]</code> share for a Linux (BSD) system. Some of these options are already defaults; however, we have listed them anyway for illustrative purposes:</p><pre class="programlisting">[global] + printing = BSD + print command = /usr/bin/lpr -P%p -r %s + printcap file = /etc/printcap + min print space = 2000 + +[printers] + path = /usr/spool/public + printable = true + guest ok = true + guest account = pcguest</pre><p>Here, we've given Samba global options that specify the printing type (BSD), a print command to send data to the printer and remove a temporary file, our default printer capabilities file, and a minimum printing space of 2 megabytes.</p><p>In addition, we've created a <code class="literal">[printers]</code> share for each of the system printers. Our temporary spooling directory is specified by the <code class="literal">path</code> option: <code class="filename">/usr/spool/public</code>. Each of the shares is marked as printable—this is necessary, even in the <code class="literal">[printers]</code> section. The two <code class="literal">guest</code> options are useful in the event that Samba is using share-level security: we allow guest access to the printer and we specify the guest user that Samba should use to execute print commands.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.5"></a>Test Printing</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956391-0"></a>Here is how you can test printing from the Samba server. Let's assume the most complex case and use a guest account. First, run the Samba <span class="emphasis"><em>testparm</em></span> command on your configuration file that contains the print shares, as we did in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>. This will tell you if there are any syntactical problems with the configuration file. For example, here is what you would see if you left out the <code class="literal">path</code> configuration option in the previous example:</p><pre class="programlisting"># testparm +Load smb config files from /usr/local/samba/lib/smb.conf +Processing configuration file "/usr/local/samba/lib/smb.conf" +Processing section "[global]" +Processing section "[homes]" +Processing section "[data]" +Processing section "[printers]" +No path in service printers - using /tmp +Loaded services file OK. +Press enter to see a dump of your service definitions +Global parameters: + load printers: Yes + printcap name: /etc/printcap +Default service parameters: + guest account: ftp + min print space: 0 + print command: lpr -r -P%p %s + lpq command: lpq -P%p + lprm command: lprm -P%p %j +lppause command: + lpresume command: + Service parameters [printers]: + path: /tmp + print ok: Yes + read only: true + public: true</pre><p>Second, try the command <code class="literal">testprns</code> <em class="replaceable"><code>printername</code></em>. This is a simple program that verifies that the specified printer is available in your <span class="emphasis"><em>printcap</em></span> file. If your <span class="emphasis"><em>printcap</em></span> file is not in the usual place, you can specify its full pathname as the second argument to the <span class="emphasis"><em>testprns</em></span> command:</p><pre class="programlisting"># testprns lp /etc/printcap +Looking for printer lp in printcap file /etc/printcap +Printer name lp is valid.</pre><p>Next, log on as the guest user, go to the spooling directory, and ensure that you can print using the same command that <span class="emphasis"><em>testparm</em></span> says Samba will use. As mentioned before, this will tell you if you need to change the guest account, as the default account may not be allowed to print.</p><p>Finally, print something to the Samba server via <code class="literal">smbclient</code>, and see if the following actions occur:</p><div class="itemizedlist"><ul type="disc"><li><p>The job appears (briefly) in the Samba spool directory specified by the path.</p></li><li><p>The job shows up in your print systems spool directory.</p></li><li><p>The job disappears from the spool directory that Samba used.</p></li></ul></div><p>If <span class="emphasis"><em>smbclient</em></span> cannot print, you can reset the <code class="literal">print</code> <code class="literal">command</code> option to collect debugging information:</p><pre class="programlisting">print command = /bin/cat %s >>/tmp/printlog; rm %s</pre><p>or:</p><pre class="programlisting">print command = echo "printed %s on %p" >>/tmp/printlog</pre><p>A common problem with Samba printer configuration is forgetting to use the full <a class="indexterm" name="ch07-idx-956511-0"></a> +<a class="indexterm" name="ch07-idx-956511-1"></a>pathnames for commands; simple commands often don't work because the guest account's PATH doesn't include them. Another frequent problem is not having the correct <a class="indexterm" name="ch07-idx-956512-0"></a> +<a class="indexterm" name="ch07-idx-956512-1"></a>permissions on the spooling directory.<a class="indexterm" name="ch07-idx-956494-0"></a></p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +<a class="indexterm" name="ch07-idx-956514-0"></a> +<a class="indexterm" name="ch07-idx-956514-1"></a>There is more information on debugging printers in the Samba documentation (<code class="filename">Printing.txt</code>). In addition, the Unix print systems are covered in detail in AEleen Frisch's <span class="emphasis"><em>Essential Systems Administration</em></span> (published by O'Reilly).</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.6"></a>Setting Up and Testing a Windows Client</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956392-0"></a> +<a class="indexterm" name="ch07-idx-956392-1"></a>Now that Samba is offering a workable printer, you need to set it up on a Windows client. Look at the Samba server in the Network Neighborhood. It should now show each of the printers that are available. For example, in <a href="#ch07-35075" title="Figure 7.1. A Samba printer in the Network Neighborhood">Figure 7.1</a>, we saw a printer called <code class="literal">lp</code>.</p><p>Next, you need to have the Windows client recognize the printer. Double-click on the printer icon to get started. If you try to select an uninstalled printer (as you just did), Windows will ask you if it should help configure it for the Windows system. Respond "Yes," which will open the Printer Wizard.</p><p>The first thing the wizard will ask is whether you need to print from DOS. Let's assume you don't, so choose No and press the Next button to get to the manufacturer/model window as shown in <a href="#ch07-60084" title="Figure 7.2. A printer in the Network Neighborhood">Figure 7.2</a>.</p><div class="figure"><a name="ch07-60084"></a><p class="title"><b>Figure 7.2. A printer in the Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 128px"><td><img src="figs/sam.0702.gif" height="128" alt="A printer in the Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"><p>In this dialog box, you should see a large list of manufacturers and models for almost every printer imaginable. If you don't see your printer on the list, but you know it's a PostScript printer, select Apple as the manufacturer and Apple LaserWriter as the model. This will give you the most basic Postscript printer setup, and arguably one of the most reliable. If you already have any Postscript printers attached, you will be asked about replacing or reusing the existing driver. Be aware that if you replace it with a new one, you may make your other printers fail. Therefore, we recommend you keep using your existing printer drivers as long as they're working properly.</p><p>Following that, the Printer Wizard will ask you to name the printer. <a href="#ch07-69466" title="Figure 7.3. Printer manufacturers and models">Figure 7.3</a> shows this example, where the name has defaulted to our second laserwriter. Here, you rename it from Apple Laserwriter (Copy 2) to "ps on Samba server," so you know where to look for the printouts. In reality, you can name the printer anything you want.</p><div class="figure"><a name="ch07-69466"></a><p class="title"><b>Figure 7.3. Printer manufacturers and models</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0703.gif" height="296" alt="Printer manufacturers and models"></td></tr></table></div></div></div><br class="figure-break"><p>Finally, the Printing Wizard asks if it should print a test page. Click on Yes, and you should be presented with the dialog in <a href="#ch07-43374" title="Figure 7.4. Printing successfully completed">Figure 7.4</a>.</p><div class="figure"><a name="ch07-43374"></a><p class="title"><b>Figure 7.4. Printing successfully completed</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 232px"><td><img src="figs/sam.0704.gif" height="232" alt="Printing successfully completed"></td></tr></table></div></div></div><br class="figure-break"><p>If the test printing was unsuccessful, press the No button in <a href="#ch07-43374" title="Figure 7.4. Printing successfully completed">Figure 7.4</a> and the Printing Wizard will walk you through some debugging steps for the client side of the process. If the test printing does work, congratulations! The remote printer will now be available to all your PC applications through the File and Print menu items.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-30008"></a>Automatically Setting Up Printer Drivers</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956393-0"></a>The previous section described how to manually configure a printer driver for your Windows system. As a system administrator, however, you can't always guarantee that users can perform such a process without making mistakes. Luckily, however, you can ask Samba to automatically set up the printer drivers for a specific printer.</p><p>Samba has three options that can be used to automatically set up printer drivers for clients who are connecting for the first time. These options are <code class="literal">printer</code> <code class="literal">driver</code>, <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">file</code>, and <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">location</code>. This section explains how to use these options to allow users to skip over the Manufacturer dialog in the Add Printer Wizard above.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>For more information on how to do this, see the <code class="filename">PRINTER_DRIVER.TXT</code> file in the Samba distribution documentation.</p></div><p>There are four major steps:</p><div class="orderedlist"><ol type="1"><li><p>Install the drivers for the printer on a Windows client (the printer need not be attached).</p></li><li><p>Create a printer definition file from the information on a Windows machine.</p></li><li><p>Create a <code class="literal">PRINTER$</code> share where the resulting driver files can be placed.</p></li><li><p>Modify the Samba configuration file accordingly.</p></li></ol></div><p>Let's go over each of the four steps in greater detail.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.1"></a>Install the drivers on a windows client</h4></div></div></div><p>Use <a class="indexterm" name="ch07-idx-956517-0"></a>Windows 95/98 for this step. It doesn't matter which client you choose, as long as it has the ability to load the appropriate drivers for the printer. In fact, you don't even need to have the printer attached to the machine. All you're interested in here is getting the appropriate driver files into the Windows directory. First, go to the Printers window of My Computer and double-click on the Add Printer icon, as shown in <a href="#ch07-52397" title="Figure 7.5. The Printers window">Figure 7.5</a>.</p><div class="figure"><a name="ch07-52397"></a><p class="title"><b>Figure 7.5. The Printers window</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 223px"><td><img src="figs/sam.0705.gif" height="223" alt="The Printers window"></td></tr></table></div></div></div><br class="figure-break"><p>At this point, you can follow the Add Printer Wizard dialogs through to select the manufacturer and model of the printer in question. If it asks you if you want to print from MS-DOS, answer No. Windows should load the appropriate driver resources from its CD-ROM and ask you if you want to print a test page. Again, respond No and close the Add Printer Wizard dialog.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.2"></a>Create a printer definition file</h4></div></div></div><p>You can create a <a class="indexterm" name="ch07-idx-956518-0"></a>printer definition file by using the <code class="filename">make_ printerdef</code> script in the <code class="filename">/usr/local/samba/bin</code> directory. In order to use this script, you need to copy over the following four files from a Windows client:<sup>[<a name="ch07-pgfId-951615" href="#ftn.ch07-pgfId-951615">1</a>]</sup></p><table class="simplelist" border="0" summary="Simple list"><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT.INF</em></span></td></tr><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT2.INF</em></span></td></tr><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT3.INF</em></span></td></tr><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT4.INF</em></span></td></tr></table><p>Once you have the four files, you can create a printer definition file using the appropriate printer driver and its .INF file. If the printer driver starts with the letters A-K, use either the <span class="emphasis"><em>MSPRINT.INF</em></span> file or the <span class="emphasis"><em>MSPRINT3.INF</em></span> file. If it begins with the letters L-Z, use the <span class="emphasis"><em>MSPRINT2.INF</em></span> file or the <span class="emphasis"><em>MSPRINT4.INF</em></span> file. You may need to <span class="emphasis"><em>grep</em></span> through each of the files to see where your specific driver is. For the following example, we have located our driver in <span class="emphasis"><em>MSPRINT3.INF</em></span> and created a printer definition file for a HP DeskJet 560C printer:</p><pre class="programlisting">$grep "HP DeskJet 560C Printer" MSPRINT.INF MSPRINT3.INF +MSPRINT3.INF: "HP DeskJet 560C Printer"=DESKJETC.DRV,HP_DeskJet_ ... + +$make_printerdef MSPRINT3.INF "HP DeskJet 560C Printer" >printers.def +FOUND:DESKJETC.DRV +End of section found +CopyFiles: DESKJETC,COLOR_DESKJETC +Datasection: (null) +Datafile: DESKJETC.DRV +Driverfile: DESKJETC.DRV +Helpfile: HPVDJC.HLP +LanguageMonitor: (null) + +Copy the following files to your printer$ share location: +DESKJETC.DRV +HPVCM.HPM +HPVIOL.DLL +HPVMON.DLL +HPVRES.DLL +HPCOLOR.DLL +HPVUI.DLL +HPVDJCC.HLP +color\HPDESK.ICM</pre><p>Note the files that the script asks you to copy. You'll need those for the next step.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.3"></a>Create a PRINTER$ share</h4></div></div></div><p> +<a class="indexterm" name="ch07-idx-956525-0"></a>This part is relatively easy. Create a share called <code class="literal">[PRINTER$]</code> in your <code class="filename">smb.conf</code> that points to an empty directory on the Samba server. Once that is done, copy over the files that the <code class="filename">make_ printerdef</code> script requested of you into the location of the <code class="literal">path</code> configuration option for the <code class="literal">[PRINTER$]</code> share. For example, you can put the following in your configuration file:</p><pre class="programlisting">[PRINTER$] + path = /usr/local/samba/print + read only = yes + browsable = no + guest ok = yes</pre><p>The files requested by the <code class="filename">make_ printerdef</code> script are typically located in the <span class="emphasis"><em>C:\WINDOWS\SYSTEM</em></span> directory, although you can use the following commands to find out exactly where they are:</p><pre class="programlisting">cd C:\WINDOWS +dir <em class="replaceable"><code>filename</code></em> /s</pre><p>In this case, each of the files needs to be copied to the <code class="filename">/usr/local/samba/print</code> directory on the Samba server. In addition, copy the <code class="filename">printers.def</code> file that you created over to that share as well. Once you've done that, you're almost ready to go.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.4"></a>Modify the Samba configuration file</h4></div></div></div><p><code class="filename"></code> +<a class="indexterm" name="ch07-idx-956532-0"></a>The last step is to modify the Samba configuration file by adding the following three options:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">printer</code> <code class="literal">driver</code></p></li><li><p><code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">file</code></p></li><li><p><code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">location</code></p></li></ul></div><p>The <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">file</code> is a global option that points to the <code class="filename">printers.def</code> file; place that option in your <code class="literal">[global]</code> section. The other options should be set in the printer share for which you wish to automatically configure the drivers. The value for <code class="literal">printer</code> <code class="literal">driver</code> should match the string that shows up in the Printer Wizard on the Windows system. The value of the <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">location</code> is the pathname of the PRINTER$ share you set up, not the Unix pathname on the server. Thus, you could use the following:</p><pre class="programlisting">[global] + printer driver file = /usr/local/samba/print/printers.def +[hpdeskjet] + path = /var/spool/samba/printers + printable = yes + + printer driver = HP DeskJet 560C Printer + printer driver location = \\%L\PRINTER$</pre><p>Now you're ready to test it out. At this point, remove the Windows printer that you "set up" in the first step from the list of printers in the Printers window of My Computer. If Samba asks you to delete unneeded files, do so. These files will be replaced shortly on the client, as they now exist on the Samba server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.5"></a>Testing the configuration</h4></div></div></div><p>Restart the Samba daemons and look for the <code class="literal">[hpdeskjet]</code> share under the machine name in the Network Neighborhood. At this point, if you click on the printer icon, you should begin the printer setup process and come to the dialog shown in <a href="#ch07-60108" title="Figure 7.6. Automatically configuring the printer driver">Figure 7.6</a>.</p><p>This is different from the dialog you saw earlier when setting up a printer. Essentially, the dialog is asking if you wish to accept the driver that is "already installed"—in other words, offered by Samba. Go ahead and keep the existing driver, and press the Next button. At this point, you can give the printer a name and print out a test page. If it works, the setup should be complete. You should be able to repeat the process now from any Windows<a class="indexterm" name="ch07-idx-956413-0"></a> client. <a class="indexterm" name="ch07-idx-956407-0"></a></p><div class="figure"><a name="ch07-60108"></a><p class="title"><b>Figure 7.6. Automatically configuring the printer driver</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0706.gif" height="296" alt="Automatically configuring the printer driver"></td></tr></table></div></div></div><br class="figure-break"></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch07-31526"></a>Printing to Windows Client Printers</h2></div></div></div><p> +<a class="indexterm" name="ch07-idx-956368-0"></a>If you have printers connected to clients running Windows 95/98 or NT 4.0, those printers can also be accessed from Samba. Samba comes equipped with a tool called <span class="emphasis"><em>smbprint</em></span> +<a class="indexterm" name="ch07-idx-956539-0"></a> +<a class="indexterm" name="ch07-idx-956539-1"></a> that can be used to spool print jobs to Windows-based printers. In order to use this, however, you need to set up the printer as a shared resource on the client machine. If you haven't already done this, you can reset this from the Printers window, reached from the Start button, as shown in <a href="#ch07-32814" title="Figure 7.7. The Printers window">Figure 7.7</a>.</p><div class="figure"><a name="ch07-32814"></a><p class="title"><b>Figure 7.7. The Printers window</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 273px"><td><img src="figs/sam.0707.gif" height="273" alt="The Printers window"></td></tr></table></div></div></div><br class="figure-break"><p>Select a printer that's locally connected (for example, ours is the Canon printer), press the right mouse button to bring up a menu, and select Sharing. This will give you the Sharing tab of the Printer Properties frame, as shown in <a href="#ch07-92021" title="Figure 7.8. The Sharing tab of the printer">Figure 7.8</a>. If you want it available to everybody on your LAN as the Windows guest user, enter a blank password.</p><div class="figure"><a name="ch07-92021"></a><p class="title"><b>Figure 7.8. The Sharing tab of the printer</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 273px"><td><img src="figs/sam.0708.gif" height="273" alt="The Sharing tab of the printer"></td></tr></table></div></div></div><br class="figure-break"><p>Once you've got this working, you can add your printer to the list of standard printers and Samba can make it available to all the other PCs in the workgroup. To make installation on Unix easier, the Samba distribution provides two sample scripts: <code class="filename">smbprint</code> and <code class="filename">smbprint.sysv</code>. The first works with BSD-style printers; the second is designed for System V printers.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-2.0.1"></a>BSD printers</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956540-0"></a>There are two steps you need to have a BSD Unix recognize a remote printer:</p><div class="orderedlist"><ol type="1"><li><p>Place an entry for the printer in the <code class="filename">/etc/printcap</code> file (or equivalent).</p></li><li><p>Place a configuration file in the <code class="filename">/var/spool</code> directory for the printer.</p></li></ol></div><p>First, edit your <code class="filename">/etc/printcap</code> file and add an entry for the remote printer. Note that the input filter (<code class="literal">if</code>) entry needs to point to the <span class="emphasis"><em>smbprint</em></span> program if the machine is on Windows 95/98. The following set of lines will accomplish on a Linux machine, for example:</p><pre class="programlisting">laserjet:\ + :sd=/var/spool/lpd/laser:\ <em class="replaceable"><code># spool directory</code></em> + :mx#0:\ <em class="replaceable"><code># maximum file size (none)</code></em> + :sh:\ <em class="replaceable"><code># surpress burst header (no)</code></em> + :if=/usr/local/samba/bin/smbprint: <em class="replaceable"><code># text filter</code></em></pre><p>After that, you need to create a configuration file in the spool directory that you specified with the <code class="literal">sd</code> parameter above. (You may need to create that directory.) The file must have the name <span class="emphasis"><em>.config</em></span> and should contain the following information:</p><div class="itemizedlist"><ul type="disc"><li><p>The NetBIOS name of the Windows machine with the printer</p></li><li><p>The service name that represents the printer</p></li><li><p>The password used to access that service</p></li></ul></div><p>The last two parameters were set up in the Sharing dialog for the requested resource on the Windows machine. In this case, the <span class="emphasis"><em>.config</em></span> file would have three lines:</p><pre class="programlisting">server = phoenix +service = CANON +password = ""</pre><p>After you've done that, reset the Samba server machine and try printing to it using any standard Unix program.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-2.0.2"></a>System V printers</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956541-0"></a>Sending print jobs from a System V Unix system is a little easier. Here, you need to get obtain the <code class="filename">smbprint.sysv</code> script in the <code class="filename">/usr/local/samba/examples/printing</code> directory and do the following:</p><div class="orderedlist"><ol type="1"><li><p>Change the <code class="literal">server</code>, <code class="literal">service</code>, and <code class="literal">password</code> parameters in the script to match the NetBIOS machine, its shared printer service, and its password, respectively. For example, the following entries would be correct for the service in the previous example:</p><pre class="programlisting">server = phoenix +service = CANON +password = ""</pre></li><li><p>Run the following commands, which create a reference for the printer in the printer capabilities file. Note that the new Unix printer entry <code class="literal">canon_ printer</code> is named:</p><pre class="programlisting"># lpadmin -p canon_printer -v /dev/null -i./smbprint.sysv +# enable canon_printer +# accept canon_printer</pre></li></ol></div><p>After you've done that, restart the Samba daemons and try printing to it using any standard Unix program. You should now be able to send data to a printer on a Windows client across the network.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-2.1"></a>Samba Printing Options</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956419-0"></a><a href="#ch07-19361" title="Table 7.2. Printing Configuration Options">Table 7.2</a> summarizes the Samba printing options.</p><div class="table"><a name="ch07-19361"></a><p class="title"><b>Table 7.2. Printing Configuration Options </b></p><div class="table-contents"><table summary="Printing Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">printing</code></p></td><td><p><code class="literal">bsd</code>, <code class="literal">sysv</code>, <code class="literal">hpux</code>, <code class="literal">aix</code>, <code class="literal">qnx</code>, <code class="literal">plp</code>, <code class="literal">softq</code>, or <code class="literal">lprng</code></p></td><td><p>Sets the print system type for your Unix system.</p></td><td><p>System dependent</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printable (print ok)</code></p></td><td><p>boolean</p></td><td><p>Marks a share as a printing share.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printer (printer name)</code></p></td><td><p>string (Unix printer name)</p></td><td><p>Sets the name of the printer to be shown to clients.</p></td><td><p>System dependent</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printer driver</code></p></td><td><p>string (printer driver name)</p></td><td><p>Sets the driver name that should be used by the client to send data to the printer.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printer driver file</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the name of the printer driver file.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">printer driver location</code></p></td><td><p>string (network pathname)</p></td><td><p>Specifies the pathname of the share for the printer driver file.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lpq cache time</code></p></td><td><p>numeric (time in seconds)</p></td><td><p>Sets the amount of time in seconds that Samba will cache the lpq status.</p></td><td><p><code class="literal">10</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">postscript</code></p></td><td><p>boolean</p></td><td><p>Treats all print jobs sent as postscript by prepending <code class="literal">%!</code> at the beginning of each file.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">load printers</code></p></td><td><p>boolean</p></td><td><p>Automatically loads each of the printers in the <span class="emphasis"><em>printcap</em></span> file as printing shares.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">print command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to perform printing.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lpq command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to return the status of the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lprm command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to remove a job from the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lppause command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to pause a job on the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lpresume command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to resume a paused job on the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printcap name</code></p> + +<p><code class="literal">(printcap)</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the printer capabilities file.</p></td><td><p>System dependent</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">min print space</code></p></td><td><p>numeric (size in kilobytes)</p></td><td><p>Sets the minimum amount of disk free space that must be present to print.</p></td><td><p><code class="literal">0</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">queuepause command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to pause a queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">queueresume command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to resume a queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.1"></a>printing</h4></div></div></div><p>The <code class="literal">printing</code> +<a class="indexterm" name="ch07-idx-958423-0"></a> configuration option tells Samba a little about your Unix printing system, in this case which printing parser to use. With Unix, there are several different families of commands to control printing and print statusing. Samba supports seven different types, as shown in <a href="#ch07-28758" title="Table 7.3. Printing Types">Table 7.3</a>.</p><div class="table"><a name="ch07-28758"></a><p class="title"><b>Table 7.3. Printing Types </b></p><div class="table-contents"><table summary="Printing Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p>BSD</p></td><td><p> +<a class="indexterm" name="ch07-idx-956545-0"></a>Berkeley Unix system</p></td></tr><tr><td><p>SYSV</p></td><td><p>System V</p></td></tr><tr><td><p>AIX</p></td><td><p>AIX Operating System (IBM)</p></td></tr><tr><td><p>HPUX</p></td><td><p>Hewlett-Packard Unix</p></td></tr><tr><td><p>QNX</p></td><td><p>QNX Realtime Operating System (QNX)</p></td></tr><tr><td><p>LPRNG</p></td><td><p>LPR Next Generation (Powell)</p></td></tr><tr><td><p>SOFTQ</p></td><td><p>SOFTQ system</p></td></tr><tr><td><p>PLP</p></td><td><p>Portable Line Printer (Powell)</p></td></tr></tbody></table></div></div><br class="table-break"><p>The value for this optio.n will be one of these seven options. For example:</p><pre class="programlisting">printing = SYSV</pre><p>The default value of this option is system dependent and is configured when Samba is first compiled. For most systems, the <code class="filename">configure</code> script will automatically detect the printing system to be used and configure it properly in the Samba makefile. However, if your system is a PLP, LPRNG, or QNX printing system, you will need to explicitly specify this in the makefile or the printing share.</p><p>The most common system types are BSD and SYSV. Each of the printers on a BSD Unix server are described in the printer capabilities file—normally <code class="filename">/etc/printcap</code>.</p><p>Setting the <code class="literal">printing</code> configuration option automatically sets at least three other printing options for the service in question: <code class="literal">print</code> <code class="literal">command</code>, <code class="literal">lpq</code> <code class="literal">command</code>, and <code class="literal">lprm</code> <code class="literal">command</code>. If you are running Samba on a system that doesn't support any of these printing styles, simply set the commands for each of these manually.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.2"></a>printable</h4></div></div></div><p>The <a class="indexterm" name="ch07-idx-958426-0"></a>printable option must be set to <code class="literal">yes</code> in order to flag a share as a printing service. If this option is not set, the share will be treated as a disk share instead. You can set the option as follows:</p><pre class="programlisting">[printer1] + printable = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.3"></a>printer</h4></div></div></div><p> +<a class="indexterm" name="ch07-idx-957248-0"></a>The <a class="indexterm" name="ch07-idx-958427-0"></a>option, sometimes called <code class="literal">printer</code> <code class="literal">name</code>, specifies the name of the printer on the server to which the share points. This option has no default and should be set explicitly in the configuration file, even though Unix systems themselves often recognize a default name such as <code class="literal">lp</code> for a printer. For example:</p><pre class="programlisting">[deskjet] + printer = hpdkjet1</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.4"></a>printer driver</h4></div></div></div><p>The <code class="literal">printer</code> +<a class="indexterm" name="ch07-idx-958428-0"></a> <code class="literal">driver</code> option sets the string that Samba uses to tell Windows what the printer is. If this option is set correctly, the Windows Printer Wizard will already know what the printer is, making installation easier for end users by giving them one less dialog to worry about. The string given should match the string that shows up in the Printer Wizard, as shown in <a href="#ch07-46183" title="Figure 7.9. The Add Printer Wizard dialog box in Windows 98">Figure 7.9</a>. For example, an Apple LaserWriter typically uses <code class="literal">Apple</code> <code class="literal">LaserWriter</code>; a Hewlett Packard Deskjet 560C uses <code class="literal">HP</code> <code class="literal">DeskJet</code> <code class="literal">560C</code> <code class="literal">Printer</code>.</p><div class="figure"><a name="ch07-46183"></a><p class="title"><b>Figure 7.9. The Add Printer Wizard dialog box in Windows 98</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0709.gif" height="296" alt="The Add Printer Wizard dialog box in Windows 98"></td></tr></table></div></div></div><br class="figure-break"><p>Automatically configuring printer drivers with Samba is explained in greater detail in <a href="#ch07-30008" title="Automatically Setting Up Printer Drivers">Section 7.1.7</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.5"></a> +printer driver file</h4></div></div></div><a class="indexterm" name="ch07-idx-958429-0"></a><p>This global option gives the location of the Windows 95/98 printer driver definition file, which is needed to give printer drivers to clients using a Samba printer. The default value of this option is <code class="filename">/usr/local/samba/lib/printers.def</code>. You can override this default as shown below:</p><pre class="programlisting">[deskjet] + printer driver file = /var/printers/printers.def</pre><p>This option is explained in greater detail in <a href="#ch07-30008" title="Automatically Setting Up Printer Drivers">Section 7.1.7</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.6"></a> +printer driver location</h4></div></div></div><a class="indexterm" name="ch07-idx-958432-0"></a><p>This option specifies a specific share that contains Windows 95 and 98 printer driver and definition files. There is no default parameter for this value. You can specify the location as a network pathname. A frequent approach is to use a share on your own machine, as shown here:</p><pre class="programlisting">[deskjet] + printer driver location = \\%L\PRINTER$</pre><p>This option is also explained in greater detail in <a href="#ch07-30008" title="Automatically Setting Up Printer Drivers">Section 7.1.7</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.7"></a> +lpq cache time</h4></div></div></div><a class="indexterm" name="ch07-idx-958433-0"></a><p> +<a class="indexterm" name="ch07-idx-956564-0"></a>The global <code class="literal">lpq</code> <code class="literal">cache</code> <code class="literal">time</code> option allows you to set the number of seconds that Samba will remember the current printer status. After this time elapses, Samba will issue an <span class="emphasis"><em>lpq</em></span> command (or whatever command you specify with the <code class="literal">lpq</code> <code class="literal">command</code> option) to get a more up-to-date status. This defaults to 10 seconds, but can be increased if your <code class="literal">lpq</code> <code class="literal">command</code> takes an unusually long time to run or you have lots of clients. The following example resets the time to 30 seconds:</p><pre class="programlisting">[deskjet] + lpq cache time = 30</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.8"></a>postscript</h4></div></div></div><p>The<a class="indexterm" name="ch07-idx-958438-0"></a> <code class="literal">postscript</code> option forces the printer to treat all data sent to it as Postscript. It does this by prepending the characters <code class="literal">%!</code> at the beginning of the first line of each job. It is normally used with PCs that insert a <code class="literal">^D</code> (control-D or "end-of-file mark) in front of the first line of a PostScript file. It will not, obviously, turn a non-PostScript printer into a PostScript one. The default value of this options is <code class="literal">no</code>. You can override it as follows:<a class="indexterm" name="ch07-idx-957258-0"></a></p><pre class="programlisting">[deskjet] + postscript = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.9"></a> + + + + +print command, lpq command, lprm command, lppause command, lpresume command</h4></div></div></div><a class="indexterm" name="ch07-idx-958439-0"></a><a class="indexterm" name="ch07-idx-958439-1"></a><a class="indexterm" name="ch07-idx-958439-2"></a><a class="indexterm" name="ch07-idx-958439-3"></a><a class="indexterm" name="ch07-idx-958439-4"></a><p> +<a class="indexterm" name="ch07-idx-956566-0"></a>These options tell Samba which Unix commands used to control and send data to the printer. The Unix commands involved are: <span class="emphasis"><em>lpr</em></span> (send to Line PRinter), <span class="emphasis"><em>lpq</em></span> (List Printer Queue), <span class="emphasis"><em>lprm</em></span> (Line printer ReMove), and optionally <span class="emphasis"><em>lppause</em></span> and <span class="emphasis"><em>lpresume</em></span>. Samba provides an option named after each of these commands, in case you need to override any of the system defaults. For example, consider:</p><pre class="programlisting">lpq command = /usr/ucb/lpq %p</pre><p>This would set the <code class="literal">lpq command</code> to use <code class="filename">/usr/ucb/lpq</code>. Similarly:</p><pre class="programlisting">lprm command = /usr/local/lprm -P%p %j</pre><p>would set the Samba printer remove command to <code class="filename">/usr/local/lprm</code>, and provide it the print job number using the <code class="literal">%j</code> variable.</p><p>The default values for each of these options are dependent on the value of the <code class="literal">printing</code> option. <a href="#ch07-82964" title="Table 7.4. Default Commands for Various Printing Commands">Table 7.4</a> shows the default commands for each of the printing options. The most popular printing system is BSD.</p><div class="table"><a name="ch07-82964"></a><p class="title"><b>Table 7.4. Default Commands for Various Printing Commands </b></p><div class="table-contents"><table summary="Default Commands for Various Printing Commands " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>BSD, AIX, PLP, LPRNG</p></th><th><p>SYSV, HPUX</p></th><th><p>QNX</p></th><th><p>SOFTQ</p></th></tr></thead><tbody><tr><td><p><code class="literal">print command</code></p></td><td><p><code class="literal">lpr -r -P%p %s</code> +<a class="indexterm" name="ch07-idx-958518-0"></a></p></td><td><p><code class="literal">lp -c -d%p %s; rm %s</code></p></td><td><p><code class="literal">lp -r -P%p %s</code></p></td><td><p><code class="literal">lp -d%p -s %s; rm %s</code></p></td></tr><tr><td><p><code class="literal">lpq command</code></p></td><td><p><code class="literal">lpq -P%p</code></p></td><td><p><code class="literal">lpstat -o%p</code></p></td><td><p><code class="literal">lpq -P%p</code></p></td><td><p><code class="literal">lpstat -o%p</code></p></td></tr><tr><td><p><code class="literal">lprm command</code></p></td><td><p><code class="literal">lprm -P%p %j</code></p></td><td><p><code class="literal">cancel %p-%j</code></p></td><td><p><code class="literal">cancel %p-%j</code></p></td><td><p><code class="literal">cancel %p-%j</code></p></td></tr><tr><td><p><code class="literal">lppause command</code></p></td><td><p><code class="literal">lp -i %p-%j -H hold </code></p> + +<p>(SYSV only)</p></td><td><p>None</p></td><td><p>None</p></td><td><p>None</p></td></tr><tr><td><p><code class="literal">lpresume command</code></p></td><td><p><code class="literal">lp -i %p-%j -H resume</code></p> + +<p>(SYSV only)</p></td><td><p>None</p></td><td><p>None</p></td><td><p><code class="literal">qstat -s -j%j -r</code></p></td></tr></tbody></table></div></div><br class="table-break"><p>It is typically not necessary to reset these options in Samba, with the possible exception of <code class="literal">print</code> <code class="literal">command</code>. This option may need to be explicitly set if your printing system doesn't have a <code class="literal">-r</code> (remove after printing) option on the printing command. For example:</p><pre class="programlisting">/usr/local/lpr -P%p %s; /bin/rm %s</pre><p>With a bit of judicious programming, these <code class="filename">smb.conf</code> options can also used for debugging:</p><pre class="programlisting">print command = cat %s >>/tmp/printlog; lpr -r -P%p %s</pre><p>For example, this configuration can verify that files are actually being delivered to the Samba server. If they are, their contents will show up in the <code class="filename">/tmp/printlog</code> file.</p><p>After BSD, the next most popular kind of printing system is SYSV (or System V) printing, plus some SYSV variants for IBM's AIX and Hewlett-Packard's HP-UX. These system do not have an <code class="filename">/etc/printcap</code> file. Instead, the <code class="literal">printcap</code> <code class="literal">file</code> option can be set to an appropriate <span class="emphasis"><em>lpstat</em></span> command for the system. This tells Samba to get a list of printers from the <span class="emphasis"><em>lpstat</em></span> command. Alternatively, you can set the global configuration option <code class="literal">printcap</code> <code class="literal">name</code> to the name of a dummy <code class="filename">printcap</code> file you provide. In the latter case, the file must contain a series of lines such as:</p><pre class="programlisting">lp|print1|My Printer 1 +print2|My Printer 2 +print3|My Printer 3</pre><p>Each line names a printer, and provides aliases for it. In this example, the first printer is called <code class="literal">lp</code>, <code class="literal">print1</code>, or <code class="literal">My</code> <code class="literal">Printer</code> <code class="literal">1</code>, whichever the user prefers to use. The first name will be used in place of <code class="literal">%p</code> in any command Samba executes for that printer.</p><p>Two additional printer types are also supported by Samba: LPRNG (LPR New Generation) and PLP (Public Line Printer). These are public domain and Open Source printing systems, and are used by many sites to overcome problems with vendor-supplied software. In addition, the SOFTQ and QNX realtime operating systems are supported by Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.10"></a>load printers</h4></div></div></div><p> +<a class="indexterm" name="ch07-idx-956568-0"></a>The <code class="literal">load</code> +<a class="indexterm" name="ch07-idx-958440-0"></a> <code class="literal">printers</code> option tells Samba to create shares for all known printer names and load those shares into the browse list. Samba will create and list a printer share for each printer name in <code class="filename">/etc/printcap</code> (or system equivalent). For example, if your <code class="filename">printcap</code> file looks like this:<sup>[<a name="ch07-pgfId-950654" href="#ftn.ch07-pgfId-950654">2</a>]</sup></p><pre class="programlisting">lp:\ + :sd=/var/spool/lpd/lp:\ <em class="replaceable"><code># spool directory</code></em> + :mx#0:\ <em class="replaceable"><code># maximum file size (none)</code></em> + :sh:\ <em class="replaceable"><code># surpress burst header (no)</code></em> + :lp=/dev/lp1:\ <em class="replaceable"><code># device name for output</code></em> + :if=/var/spool/lpd/lp/filter: <em class="replaceable"><code># text filter</code></em> + +laser:\ + :sd=/var/spool/lpd/laser:\ <em class="replaceable"><code># spool directory</code></em> + :mx#0:\ <em class="replaceable"><code># maximum file size (none)</code></em> + :sh:\ <em class="replaceable"><code># surpress burst header (no)</code></em> + :lp=/dev/laser:\ <em class="replaceable"><code># device name for output</code></em> + :if=/var/spool/lpd/lp/filter: <em class="replaceable"><code># text filter</code></em></pre><p>and you specify:</p><pre class="programlisting">load printers = yes</pre><p>the shares <code class="literal">[lp]</code> and <code class="literal">[laser]</code> will automatically be created as valid print shares when Samba is started. Both shares will borrow the configuration options specified in the <code class="literal">[printers]</code> section to configure themselves, and will be available in the browse list for the Samba server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.11"></a>printcap name</h4></div></div></div><p>If the <code class="literal">printcap</code> +<a class="indexterm" name="ch07-idx-958442-0"></a> <code class="literal">name</code> option (also called <code class="literal">printcap</code>) appears in a printing share, Samba will use the file specified as the system printer capabilities file. This is normally <code class="filename">/etc/printcap</code>. However, you can reset it to a file consisting of only the printers you want to share over the network. The value must be a fully-qualified filename of a printer capabilities file on the server:</p><pre class="programlisting">[deskjet] + printcap name = /usr/local/printcap</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.12"></a>min print space</h4></div></div></div><p>The <code class="literal">min</code> +<a class="indexterm" name="ch07-idx-958443-0"></a> <code class="literal">print</code> <code class="literal">space</code> option sets the amount of <a class="indexterm" name="ch07-idx-956570-0"></a>spool space that must be available on the disk before printing is allowed. Setting it to zero (the default) turns the check off; setting it to any other number sets the amount of free space in kilobytes required. This option helps avoid having print jobs fill up the remaining disk space on the server, which may cause other processes to fail:</p><pre class="programlisting">[deskjet] + min print space = 4000</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.13"></a> +queuepause command</h4></div></div></div><a class="indexterm" name="ch07-idx-958444-0"></a><p>This configuration option specifies a command that tells Samba how to pause a <a class="indexterm" name="ch07-idx-956571-0"></a>print queue entirely, as opposed to a single job on the queue. The default value depends on the printing type chosen. You should not need to alter this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.14"></a> +queueresume command</h4></div></div></div><a class="indexterm" name="ch07-idx-958445-0"></a><p>This configuration option specifies a command that tells Samba how to resume a paused print queue, as opposed to resuming a single job on the print queue. The default value depends on the printing type chosen. You should not need to alter<a class="indexterm" name="ch07-idx-956423-0"></a> this<a class="indexterm" name="ch07-idx-956372-0"></a> option.<a class="indexterm" name="ch07-idx-956352-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch07-12219"></a>Name Resolution with Samba</h2></div></div></div><p> +<a class="indexterm" name="ch07-idx-956353-0"></a>Before NetBIOS Name Servers (NBNS) came about, name resolution worked entirely by broadcast. If you needed a machine's address, you simply <a class="indexterm" name="ch07-idx-956574-0"></a>broadcast its name across the network and, in theory, the machine itself would reply. This approach is still possible: anyone looking for a machine named <code class="literal">fred</code> can still broadcast a query and find out if it exists and what its IP address is. (We use this capability to troubleshoot Samba name services with the <code class="literal">nmblookup</code> command in <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>.)</p><p>As you saw in the first chapter, however, broadcasting—whether it be browsing or name registration and resolution—does not pass easily across multiple subnets. In addition, many broadcasts tend to bog down networks. To solve this problem, Microsoft now provides the <a class="indexterm" name="ch07-idx-956577-0"></a>Windows Internet Naming Service (WINS), a cross-subnet NBNS, which Samba supports. With it, an administrator can designate a single machine to act as a WINS server, and can then provide each client that requires name resolution the address of the WINS server. Consequently, name registration and resolution requests can be directed to a single machine from any point on the network, instead of broadcast.</p><p>WINS and broadcasting are not the only means of name resolution, however. There are actually four mechanisms that can be used with Samba:</p><div class="itemizedlist"><ul type="disc"><li><p>WINS</p></li><li><p>Broadcasting</p></li><li><p>Unix <code class="filename">/etc/hosts</code> or NIS/NIS+ matches</p></li><li><p><span class="emphasis"><em>LMHOSTS</em></span> file</p></li></ul></div><p>Samba can use any or all of these name resolution methods in the order that you specify in the Samba configuration file using the <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> parameter. However, before delving into configuration options, let's discuss the one that you've probably not encountered before: the <code class="filename">LMHOSTS</code> file.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-3.1"></a>The LMHOSTS File</h3></div></div></div><p><code class="filename">LMHOSTS</code> +<a class="indexterm" name="ch07-idx-956428-0"></a> is the standard LAN Manager <span class="emphasis"><em>hosts</em></span> file used to resolve names into IP addresses on the system. It is the NBT equivalent of the <code class="filename">/etc/hosts</code> file that is standard on all Unix systems. By default, the file is usually stored as <code class="filename">/usr/local/samba/lib/LMHOSTS</code> and shares a format similar to <code class="filename">/etc/hosts</code>. For example:</p><pre class="programlisting">192.168.220.100 hydra +192.168.220.101 phoenix</pre><p>The only difference is that the names on the right side of the entries are NetBIOS names instead of DNS names. Because they are NetBIOS names, you can assign resource types to them as well:</p><pre class="programlisting">192.168.220.100 hydra#20 +192.168.220.100 simple#1b +192.168.220.101 phoenix#20</pre><p>Here, we've assigned the <code class="literal">hydra</code> machine to be the primary domain controller of the <code class="literal">SIMPLE</code> domain, as indicated by the resource type <1B> assigned to the name after <code class="literal">hydra</code>'s IP address in the second line. The other two are standard workstations.</p><p>If you wish to place an <span class="emphasis"><em>LMHOSTS</em></span> file somewhere other than the default location, you will need to notify the <span class="emphasis"><em>nmbd</em></span> process upon start up, as follows:</p><pre class="programlisting">nmbd -H /etc/samba/lmhosts -D</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-3.2"></a>Setting Up Samba to Use Another WINS Server</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956595-0"></a> +<a class="indexterm" name="ch07-idx-956595-1"></a>You can set up Samba to use a WINS server somewhere else on the network by simply pointing it to the IP address of the WINS server. This is done with the global <code class="literal">wins</code> <code class="literal">server</code> configuration option, as shown here:</p><pre class="programlisting">[global] + wins server = 192.168.200.122</pre><p>With this option enabled, Samba will direct all WINS requests to the server at 192.168.200.122. Note that because the request is directed at a single machine, we don't have to worry about any of the problems inherent to broadcasting. However, though you have specified an IP address for a WINS server in the configuration file, Samba will not necessarily use the WINS server before other forms of name resolution. The order in which Samba attempts various name-resolution techniques is given with the <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> configuration option, which we will discuss shortly.</p><p>If you have a Samba server on a subnet that still uses broadcasting and the Samba server knows the correct location of a WINS server on another subnet, you can configure the Samba server to forward any name resolution requests with the <code class="literal">wins</code> <code class="literal">proxy</code> option:</p><pre class="programlisting">[global] + wins server = 192.168.200.12 + wins proxy = yes</pre><p>Use this only in situations where the WINS server resides on another subnet. Otherwise, the broadcast will reach the WINS server regardless of any proxying.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-83429"></a>Setting Up Samba as a WINS Server</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956600-0"></a>You can set up Samba as a WINS server by setting two global options in the configuration file, as shown below:</p><pre class="programlisting">[global] + wins support = yes + name resolve order = wins lmhosts hosts bcast</pre><p>The <code class="literal">wins</code> <code class="literal">support</code> option turns Samba into a WINS server. Believe it or not, that's all you need to do! Samba handles the rest of the details behind the scenes, leaving you a relaxed administrator. The <code class="literal">wins</code> <code class="literal">support=yes</code> and the <code class="literal">wins</code> <code class="literal">server</code> option are mutually exclusive; you cannot simultaneously offer Samba as the WINS server and point to another system as the server.</p><p>If Samba is acting as a WINS server, you should probably get familiar with the <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> option mentioned earlier. This option tells Samba the order of methods in which it tries to resolve a NetBIOS name. It can take up to four values:</p><div class="variablelist"><dl><dt><span class="term">lmhosts</span></dt><dd><p>Uses a LAN Manager <span class="emphasis"><em>LMHOSTS</em></span> file</p></dd><dt><span class="term">hosts</span></dt><dd><p>Uses the standard name resolution methods of the Unix system, <span class="emphasis"><em>/etc/hosts</em></span>, DNS, NIS, or a combination (as configured for the system)</p></dd><dt><span class="term">wins</span></dt><dd><p>Uses the WINS server</p></dd><dt><span class="term">bcast</span></dt><dd><p>Uses a broadcast method</p></dd></dl></div><p>The order in which you specify them in the value is the order in which Samba will attempt name resolution when acting as a WINS server. For example, let's look at the value specified previously:</p><pre class="programlisting">name resolve order = wins lmhosts hosts bcast</pre><p>This means that Samba will attempt to use its WINS entries first for name resolution, followed by the LAN Manager <span class="emphasis"><em>LMHOSTS</em></span> file on its system. Next, the hosts value causes it to use Unix name resolution methods. The word <code class="literal">hosts</code> may be misleading; it covers not only the <code class="filename">/etc/hosts</code> file, but also the use of DNS or NIS (as configured on the Unix host). Finally, if those three do not work, it will use a broadcast to try to locate the correct machine.</p><p>Finally, you can instruct a Samba server that is acting as a WINS server to check with the system's DNS server if a requested host cannot be found in its WINS database. With a typical Linux system, for example, you can find the IP address of the DNS server by searching the <code class="filename">/etc/resolv.conf</code> file. In it, you might see an entry such as the following:</p><pre class="programlisting">nameserver 127.0.0.1 +nameserver 192.168.200.192</pre><p>This tells us that a DNS server is located at 192.168.220.192. (The 127.0.0.1 is the localhost address and is never a valid DNS server address.)</p><p>Use the global <code class="literal">dns</code> <code class="literal">proxy</code> option to alert Samba to use the configured DNS server:</p><pre class="programlisting">[global] + wins support = yes + name resolve order = wins lmhosts hosts bcast + dns proxy = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-3.4"></a>Name Resolution Configuration Options</h3></div></div></div><p> +<a class="indexterm" name="ch07-idx-956430-0"></a>Samba's WINS options are shown in <a href="#ch07-82331" title="Table 7.5. WINS Options">Table 7.5</a>.</p><div class="table"><a name="ch07-82331"></a><p class="title"><b>Table 7.5. WINS Options </b></p><div class="table-contents"><table summary="WINS Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">wins support</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will act as a WINS server.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">wins server</code></p></td><td><p>string (IP address or DNS name)</p></td><td><p>Identifies a WINS server for Samba to use for name registration and resolution.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">wins proxy</code></p></td><td><p>boolean</p></td><td><p>Allows Samba to act as a proxy to a WINS server on another subnet.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dns proxy</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, a Samba WINS server will search DNS if it cannot find a name in WINS.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">name resolve order</code></p></td><td><p><code class="literal">lmhosts</code>, <code class="literal">hosts</code>, <code class="literal">wins</code>, or <code class="literal">bcast</code></p></td><td><p>Specifies an order of the methods used to resolve NetBIOS names.</p></td><td><p><code class="literal">lmhosts hosts wins bcast</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max ttl</code></p></td><td><p>numerical</p></td><td><p>Specifies the maximum time-to-live in seconds for a requested NetBIOS names.</p></td><td><p><code class="literal">259200</code>( 3 days)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max wins ttl</code></p></td><td><p>numerical</p></td><td><p>Specifies the maximum time-to-live in seconds for NetBIOS names given out by Samba as a WINS server.</p></td><td><p><code class="literal">518400</code>(6 days)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">min wins ttl</code></p></td><td><p>numerical</p></td><td><p>Specifies the minimum time-to-live in seconds for NetBIOS names given out by Samba as a WINS server.</p></td><td><p><code class="literal">21600</code>(6 hours)</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.1"></a> +wins support</h4></div></div></div><a class="indexterm" name="ch07-idx-958447-0"></a><p>Samba will provide <a class="indexterm" name="ch07-idx-956607-0"></a>WINS name service to all machines in the network if you set the following in the <code class="literal">[global]</code> section of the <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global] + wins support = yes</pre><p>The default value is <code class="literal">no</code>, which is typically used to allow another Windows NT server to become a WINS server. If you do enable this option, remember that a Samba WINS server currently cannot exchange data with any backup WINS servers. If activated, this option is mutually exclusive with the <code class="literal">wins</code> <code class="literal">server</code> parameter; you cannot set both to <code class="literal">yes</code> at the same time or Samba will flag an error.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.2"></a> +wins server</h4></div></div></div><a class="indexterm" name="ch07-idx-958448-0"></a><p>Samba will use an existing WINS server on the network if you specify the <code class="literal">wins</code> <code class="literal">server</code> global option in your configuration file. The value of this option is either the IP address or DNS name (not NetBIOS name) of the WINS server. For example:</p><pre class="programlisting">[global] + wins server = 192.168.220.110</pre><p>or:</p><pre class="programlisting">[global] + wins server = wins.example.com</pre><p>In order for this option to work, the <code class="literal">wins</code> <code class="literal">support</code> option must be set to <code class="literal">no</code> (the default). Otherwise, Samba will report an error. You can specify only one WINS server using this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.3"></a> +wins proxy</h4></div></div></div><a class="indexterm" name="ch07-idx-958449-0"></a><p>This option allows Samba to act as a proxy to another WINS server, and thus relay name registration and resolution requests from itself to the real WINS server, often outside the current subnet. The WINS server can be indicated through the <code class="literal">wins</code> <code class="literal">server</code> option. The proxy will then return the WINS response back to the client. You can enable this option by specifying the following in the <code class="literal">[global]</code> section:</p><pre class="programlisting">[global] + wins proxy = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.4"></a> +dns proxy</h4></div></div></div><a class="indexterm" name="ch07-idx-958450-0"></a><p>If you want the <a class="indexterm" name="ch07-idx-956608-0"></a>domain name service (DNS) to be used if a name isn't found in WINS, you can set the following option:</p><pre class="programlisting">[global] + dns proxy = yes</pre><p>This will cause <code class="filename">nmbd</code> to query for machine names using the server's standard domain name service. You may wish to deactivate this option if you do not have a permanent connection to your DNS server. Despite this option, we recommend using a WINS server. If you don't already have any WINS servers on your network, make one Samba machine a WINS server. Do not, however, make two Samba machines WINS servers (one primary and one backup) as they currently cannot exchange WINS databases.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.5"></a> +name resolve order</h4></div></div></div><a class="indexterm" name="ch07-idx-958451-0"></a><p>The global <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> option specifies the order of services that Samba will use in attempting name resolution. The default order is to use the <span class="emphasis"><em>LMHOSTS</em></span> file, followed by standard Unix name resolution methods (some combination of <code class="filename">/etc/hosts</code>, DNS, and NIS), then query a WINS server, and finally use broadcasting to determine the address of a NetBIOS name. You can override this option by specifying something like the following:</p><pre class="programlisting">[global] + name resolve order = lmhosts wins hosts bcast</pre><p>This causes resolution to use the <span class="emphasis"><em>LMHOSTS</em></span> file first, followed by a query to a WINS server, the system password file, and finally broadcasting. You need not use all four options if you don't want to. This option is covered in more detail in <a href="#ch07-83429" title="Setting Up Samba as a WINS Server">Section 7.3.3</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.6"></a> +max ttl</h4></div></div></div><a class="indexterm" name="ch07-idx-958452-0"></a><p>This option gives the maximum t<a class="indexterm" name="ch07-idx-956610-0"></a> +<a class="indexterm" name="ch07-idx-956610-1"></a>ime to live (T T L) during which a NetBIOS name registered with the Samba server will remain active. You should never need to alter this value.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.7"></a> +max wins ttl</h4></div></div></div><a class="indexterm" name="ch07-idx-958453-0"></a><p>This option give the maximum time to live (T T L) during which a NetBIOS name resolved from a WINS server will remain active. You should never need to change this value from its default.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.8"></a> +min wins ttl</h4></div></div></div><a class="indexterm" name="ch07-idx-958454-0"></a><p>This option give the minimum time to live (T T L) during which a NetBIOS name resolved from a WINS server will remain active. You should never need to alter this value from its<a class="indexterm" name="ch07-idx-956431-0"></a> default.<a class="indexterm" name="ch07-idx-956354-0"></a></p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch07-pgfId-951615" href="#ch07-pgfId-951615">1</a>] </sup>Older Windows 95 clients may have only the first two files.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch07-pgfId-950654" href="#ch07-pgfId-950654">2</a>] </sup>We have placed annotated comments off to the side in case you've never dealt with this file before.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-8"></a>Chapter 8. Additional Samba Information </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch08-56646">8.1. Supporting Programmers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-1.1">8.1.1. Time Synchronization</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-79987">8.2. Magic Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-2.0.1">8.2.1. magic script</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-2.0.2">8.2.2. +magic output</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-91233">8.3. Internationalization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-17721">8.3.1. +client code page</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.2">8.3.2. character set</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.3">8.3.3. coding system</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.4">8.3.4. valid chars</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-82569">8.4. WinPopup Messages</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-4.0.1">8.4.1. message command</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-SECT-5">8.5. Recently Added Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-5.0.1">8.5.1. change notify timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.2">8.5.2. machine password timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.3">8.5.3. stat cache</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.4">8.5.4. stat cache size</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-70923">8.6. Miscellaneous Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-6.0.1">8.6.1. +deadtime</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.2">8.6.2. +dfree command</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.3">8.6.3. +fstype</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.4">8.6.4. keep alive</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.5">8.6.5. +max disk size</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.6">8.6.6. +max mux</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.7">8.6.7. +max open files</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.8">8.6.8. +max xmit</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.9">8.6.9. +nt pipe support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.10">8.6.10. +nt smb support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.11">8.6.11. +ole locking compatibility</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.12">8.6.12. +panic action</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.13">8.6.13. +set directory</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.14">8.6.14. +smbrun</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.15">8.6.15. +status</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.16">8.6.16. +strict sync</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.17">8.6.17. +sync always</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.18">8.6.18. +strip dot</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-74829">8.7. Backups with smbtar</a></span></dt></dl></div><p>This chapter wraps up our coverage of the <code class="filename">smb.conf</code> configuration file with some miscellaneous options that can perform a variety of tasks. We will talk briefly about options for supporting programmers, internationalization, messages, and common Windows bugs. For the most part, you will use these options only in isolated circumstances. We also cover performing automated backups with the <code class="filename">smbtar</code> command at the end of this chapter. So without further ado, let's jump into our first subject: options to help programmers.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-56646"></a>Supporting Programmers</h2></div></div></div><p> +<a class="indexterm" name="ch08-idx-965254-0"></a>If <a class="indexterm" name="ch08-idx-965351-0"></a>you have programmers accessing your Samba server, you'll want to be aware of the special options listed in <a href="#ch08-73167" title="Table 8.1. Programming Configuration Options">Table 8.1</a>.</p><div class="table"><a name="ch08-73167"></a><p class="title"><b>Table 8.1. Programming Configuration Options </b></p><div class="table-contents"><table summary="Programming Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">time server</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, <span class="emphasis"><em>nmbd</em></span> announces itself as a SMB time service to Windows clients.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">time offset</code></p></td><td><p>numerical (number of minutes)</p></td><td><p>Adds a specified number of minutes to the reported time.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dos filetimes</code></p></td><td><p>boolean</p></td><td><p>Allows non-owners of a file to change its time if they can write to it.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">dos filetime</code></p> + +<p><code class="literal">resolution</code></p></td><td><p>boolean</p></td><td><p>Causes file times to be rounded to the next even second.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">fake directory create times</code></p></td><td><p>boolean</p></td><td><p>Sets directory times to avoid a MS <span class="emphasis"><em>nmake</em></span> bug.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-1.1"></a>Time Synchronization</h3></div></div></div><p> +<a class="indexterm" name="ch08-idx-965360-0"></a> +<a class="indexterm" name="ch08-idx-965360-1"></a>Time synchronization can be very important to programmers. Consider the following options:</p><pre class="programlisting">time service = yes +dos filetimes = yes +fake directory create times = yes +dos filetime resolution = yes +delete readonly = yes</pre><p>If you set these options, Samba shares will provide the kind of compatible file times that Visual C++, <span class="emphasis"><em>nmake</em></span>, and other Microsoft programming tools require. Otherwise, PC <span class="emphasis"><em>make</em></span> programs will tend to think that all the files in a directory need to be recompiled every time. Obviously, this is not the behavior you want.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.1"></a>time server</h4></div></div></div><p>If your Samba server has an accurate clock, or if it's a client of one of the Unix network time servers, you can instruct it to advertise itself as an SMB time server by setting the<a class="indexterm" name="ch08-idx-965946-0"></a> <code class="literal">time</code> <code class="literal">server</code> option as follows:</p><pre class="programlisting">[global] + time service = yes</pre><p>The client will still have to request the correct time with the following DOS command, substituting the Samba server name in at the appropriate point:</p><pre class="programlisting">C:\NET TIME \\<em class="replaceable"><code>server</code></em> /YES /SET</pre><p>This command can be placed in a Windows logon script (see <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>).</p><p>By default, the <code class="literal">time</code> <code class="literal">server</code> option is normally set to <code class="literal">no</code>. If you turn this service on, you can use the command above to keep the client clocks from drifting. Time synchronization is important to clients using programs such as <span class="emphasis"><em>make</em></span>, which compile based on the last time the file was changed. Incorrectly synchronized times can cause such programs to either remake all files in a directory, which wastes time, or not recompile a source file that was just modified because of a slight clock drift.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.2"></a>time offset</h4></div></div></div><p>To deal with clients that don't process daylight savings time properly, Samba provides the <code class="literal">time</code> <code class="literal">offset</code> option. If set, it adds the specified number of minutes to the current time. This is handy if you're in Newfoundland and Windows doesn't know about the 30-minute time difference there:</p><pre class="programlisting">[global] + time offset = 30</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.3"></a>dos filetimes</h4></div></div></div><p>Traditionally, only the root user and the owner of a file can change its last-modified date on a Unix system. The share-level <code class="literal">dos</code> <code class="literal">filetimes</code> option allows the Samba server to mimic the characteristics of a DOS/Windows machine: any user can change the last modified date on a file in that share if he or she has write permission to it. In order to do this, Samba uses its root privileges to modify the timestamp on the file.</p><p>By default, this option is disabled. Setting this option to <code class="literal">yes</code> is often necessary to allow PC <span class="emphasis"><em>make</em></span> programs to work properly. Without it, they cannot change the last-modified date themselves. This often results in the program thinking <span class="emphasis"><em>all</em></span> files need recompiling when they really don't.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.4"></a>dos filetime resolution</h4></div></div></div><p><code class="literal">dos</code> +<a class="indexterm" name="ch08-idx-965949-0"></a> <code class="literal">filetime</code> <code class="literal">resolution</code> is share-level option. If set to <code class="literal">yes</code>, Samba will arrange to have the file times rounded to the closest two-second boundary. This option exists primarily to satisfy a quirk in Windows that prevents Visual C++ from correctly recognizing that a file has not changed. You can enable it as follows:</p><pre class="programlisting">[data] + dos filetime resolution = yes</pre><p>We recommend using this option only if you are using Microsoft Visual C++ on a Samba share that supports opportunistic locking.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.5"></a>fake directory create times</h4></div></div></div><p>The <code class="literal">fake</code> +<a class="indexterm" name="ch08-idx-965950-0"></a> <code class="literal">directory</code> <code class="literal">create</code> <code class="literal">times</code> option exists to keep PC <span class="emphasis"><em>make</em></span> programs sane. VFAT and NTFS filesystems record the creation date of a specific directory while Unix does not. Without this option, Samba takes the earliest recorded date it has for the directory (often the last-modified date of a file) and returns it to the client. If this is not sufficient, set the following option under a share definition:</p><pre class="programlisting">[data] + fake directory create times = yes</pre><p>If set, Samba will adjust the directory create time it reports to the hardcoded value January 1st, 1980. This is primarily used to convince the Visual C++ <span class="emphasis"><em>nmake</em></span> program that any object files in its build directories are indeed younger than the creation date of the directory itself and need to be recompiled.<a class="indexterm" name="ch08-idx-965924-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-79987"></a>Magic Scripts</h2></div></div></div><p> +<a class="indexterm" name="ch08-idx-965216-0"></a> +<a class="indexterm" name="ch08-idx-965216-1"></a>The following options deal with <em class="firstterm">magic scripts</em> on the Samba server. Magic scripts are a method of running programs on Unix and redirecting the output back to the <a class="indexterm" name="ch08-idx-965385-0"></a>SMB client. These are essentially an experimental hack. However, some users and their programs still rely on these two options for their programs to function correctly. Magic scripts are not widely trusted and their use is highly discouraged by the Samba team. See <a href="#ch08-33693" title="Table 8.2. Networking Configuration Options">Table 8.2</a> for more information.</p><div class="table"><a name="ch08-33693"></a><p class="title"><b>Table 8.2. Networking Configuration Options </b></p><div class="table-contents"><table summary="Networking Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">magic script</code></p></td><td><p> +<a class="indexterm" name="ch08-idx-965386-0"></a>string (fully-qualified filename)</p></td><td><p>Sets the name of a file to be executed by Samba, as the logged-on user, when closed.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">magic output</code></p></td><td><p>string (fully-qualified filename)</p></td><td><p>Sets a file to log output from the magic file.</p></td><td><p><span class="emphasis"><em>scriptname.out</em></span></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-2.0.1"></a>magic script</h3></div></div></div><p>If the <code class="literal">magic</code> +<a class="indexterm" name="ch08-idx-965952-0"></a> <code class="literal">script</code> option is set to a filename and the client creates a file by that name in that share, Samba will run the file as soon as the user has opened and closed it. For example, let's assume that the following option was created in the share <code class="literal">[accounting]</code>:</p><pre class="programlisting">[accounting] + magic script = tally.sh</pre><p>Samba continually monitors the files in that share. If one by the name of <span class="emphasis"><em>tally.sh</em></span> is closed (after being opened) by a user, Samba will execute the contents of that file locally. The file will be passed to the shell to execute; it must therefore be a legal Unix shell script. This means that it must have newline characters as line endings instead of Windows CR/LFs. In addition, it helps if you use the <code class="literal">#!</code> directive at the beginning of the file to indicate under which shell the script should run.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-2.0.2"></a> +magic output</h3></div></div></div><a class="indexterm" name="ch08-idx-965953-0"></a><p>This option specifies an output file that the script specified by the <code class="literal">magic</code> <code class="literal">script</code> option will send output to. You must specify a filename in a writable directory:</p><pre class="programlisting">[accounting] + magic script = tally.sh + magic output = /var/log/magicoutput</pre><p>If this option is omitted, the default output file is the name of the script (as stated in the <code class="literal">magic</code> <code class="literal">script</code> option) with the extension <span class="emphasis"><em>.out</em></span> appended onto it.<a class="indexterm" name="ch08-idx-965526-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-91233"></a>Internationalization</h2></div></div></div><p> +<a class="indexterm" name="ch08-idx-965219-0"></a> +<a class="indexterm" name="ch08-idx-965219-1"></a> +<a class="indexterm" name="ch08-idx-965219-2"></a>Samba has a limited ability to speak foreign tongues: if you need to deal with characters that aren't in standard ASCII, some options that can help you are shown in <a href="#ch08-40870" title="Table 8.3. Networking Configuration Options">Table 8.3</a>. Otherwise, you can skip over this section.</p><div class="table"><a name="ch08-40870"></a><p class="title"><b>Table 8.3. Networking Configuration Options </b></p><div class="table-contents"><table summary="Networking Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">client code page</code></p></td><td><p>Described in this section</p></td><td><p>Sets a code page to expect from clients</p></td><td><p>850</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">character set</code></p></td><td><p>Described in this section</p></td><td><p>Translates code pages into alternate UNIX character sets</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">coding system</code></p></td><td><p>Described in this section</p></td><td><p>Translates code page 932 into an Asian character set</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">valid chars</code></p></td><td><p>string (set of characters)</p></td><td><p>Obsolete: formerly added individual characters to a code page, and had to be used after setting client code page</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-17721"></a> +client code page</h3></div></div></div><a class="indexterm" name="ch08-idx-965956-0"></a><p>The character sets on Windows platforms hark back to the original concept of a <span class="emphasis"><em>code page</em></span> +<a class="indexterm" name="ch08-idx-965388-0"></a>. These code pages are used by DOS and Windows clients to determine rules for mapping lowercase letters to uppercase letters. Samba can be instructed to use a variety of code pages through the use of the global <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> option in order to match the corresponding code page in use on the client. This option loads a code-page definition file, and can take the values specified in <a href="#ch08-20815" title="Table 8.4. Valid Code Pages with Samba 2.0">Table 8.4</a>.</p><div class="table"><a name="ch08-20815"></a><p class="title"><b>Table 8.4. Valid Code Pages with Samba 2.0 </b></p><div class="table-contents"><table summary="Valid Code Pages with Samba 2.0 " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Code Page</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">437</code></p></td><td><p> +<a class="indexterm" name="ch08-idx-965389-0"></a>MS-DOS Latin (United States)</p></td></tr><tr><td><p><code class="literal">737</code></p></td><td><p>Windows 95 Greek</p></td></tr><tr><td><p><code class="literal">850</code></p></td><td><p>MS-DOS Latin 1 (Western European)</p></td></tr><tr><td><p><code class="literal">852</code></p></td><td><p>MS-DOS Latin 2 (Eastern European)</p></td></tr><tr><td><p><code class="literal">861</code></p></td><td><p>MS-DOS Icelandic</p></td></tr><tr><td><p><code class="literal">866</code></p></td><td><p>MS-DOS Cyrillic (Russian)</p></td></tr><tr><td><p><code class="literal">932</code></p></td><td><p>MS-DOS Japanese Shift-JIS</p></td></tr><tr><td><p><code class="literal">936</code></p></td><td><p>MS-DOS Simplified Chinese</p></td></tr><tr><td><p><code class="literal">949</code></p></td><td><p>MS-DOS Korean Hangul</p></td></tr><tr><td><p><code class="literal">950</code></p></td><td><p>MS-DOS Traditional Chinese</p></td></tr></tbody></table></div></div><br class="table-break"><p>You can set the client code page as follows:</p><pre class="programlisting">[global] + client code page = 852</pre><p>The default value of this option is 850. You can use the <span class="emphasis"><em>make_smbcodepage</em></span> tool that comes with Samba (by default in <code class="filename">/usr/local/samba/bin</code> ) to create your own SMB code pages, in the event that those listed earlier are not sufficient.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-3.0.2"></a>character set</h3></div></div></div><p>The global <code class="literal">character</code> <code class="literal">set</code> option can be used to convert filenames offered through a DOS code page (see the previous section, <a href="#ch08-17721" title="client code page">Section 8.3.1</a>) to equivalents that can be represented by Unix character sets other than those in the United States. For example, if you want to convert the Western European MS-DOS character set on the client to a Western European Unix character set on the server, you can use the following in your configuration file:</p><pre class="programlisting">[global] + client code page = 850 + character set = ISO8859-1</pre><p>Note that you must include a <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> option to specify the character set from which you are converting. The valid character sets (and their matching code pages) that Samba 2.0 accepts are listed in <a href="#ch08-14126" title="Table 8.5. Valid Character Sets with Samba 2.0">Table 8.5</a>:</p><div class="table"><a name="ch08-14126"></a><p class="title"><b>Table 8.5. Valid Character Sets with Samba 2.0 </b></p><div class="table-contents"><table summary="Valid Character Sets with Samba 2.0 " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Character Set</p></th><th><p>Matching Code Page</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">ISO8859-1</code></p></td><td><p><code class="literal">850</code> +<a class="indexterm" name="ch08-idx-965390-0"></a></p></td><td><p>Western European Unix</p></td></tr><tr><td><p><code class="literal">ISO8859-2</code></p></td><td><p><code class="literal">852</code></p></td><td><p>Eastern European Unix</p></td></tr><tr><td><p><code class="literal">ISO8859-5</code></p></td><td><p><code class="literal">866</code></p></td><td><p>Russian Cyrillic Unix</p></td></tr><tr><td><p><code class="literal">KOI8-R</code></p></td><td><p><code class="literal">866</code></p></td><td><p>Alternate Russian Cyrillic Unix</p></td></tr></tbody></table></div></div><br class="table-break"><p>Normally, the <code class="literal">character</code> <code class="literal">set</code> option is disabled completely.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-3.0.3"></a>coding system</h3></div></div></div><p>The <code class="literal">coding</code> +<a class="indexterm" name="ch08-idx-965965-0"></a> <code class="literal">system</code> option is similar to the <code class="literal">character</code> <code class="literal">set</code> option. However, its purpose is to determine how to convert a Japanese Shift JIS code page into an appropriate Unix character set. In order to use this option, the <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> option described previously must be set to page 932. The valid coding systems that Samba 2.0 accepts are listed in <a href="#ch08-57476" title="Table 8.6. Valid Coding System Parameters with Samba 2.0">Table 8.6</a>.</p><div class="table"><a name="ch08-57476"></a><p class="title"><b>Table 8.6. Valid Coding System Parameters with Samba 2.0 </b></p><div class="table-contents"><table summary="Valid Coding System Parameters with Samba 2.0 " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Character Set</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">SJIS</code></p></td><td><p> +<a class="indexterm" name="ch08-idx-965393-0"></a>Standard Shift JIS</p></td></tr><tr><td><p><code class="literal">JIS8</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8BB</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8BH</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8@B</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8@J</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8@H</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">JIS7</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7BB</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7BH</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7@B</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7@J</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7@H</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">JUNET</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JUBB</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JUBH</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JU@B</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JU@J</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JU@H</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">EUC</code></p></td><td><p>EUC codes</p></td></tr><tr><td><p><code class="literal">HEX</code></p></td><td><p>Three-byte hexidecimal code</p></td></tr><tr><td><p><code class="literal">CAP</code></p></td><td><p>Three-byte hexidecimal code (Columbia Appletalk Program)</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-3.0.4"></a>valid chars</h3></div></div></div><p>The <code class="literal">valid</code> +<a class="indexterm" name="ch08-idx-965969-0"></a> <code class="literal">chars</code> option is an older Samba feature that will add individual characters to a code page. However, this option is being phased out in favor of more modern coding systems. You can use this option as follows:</p><pre class="programlisting">valid chars = Î +valid chars = 0450:0420 0x0A20:0x0A00 +valid chars = A:a</pre><p>Each of the characters in the list specified should be separated by spaces. If there is a colon between two characters or their numerical equivalents, the data to the left of the colon is considered an uppercase character, while the data to the right is considered the lowercase character. You can represent characters both by literals (if you can type them) and by octal, hexidecimal, or decimal Unicode equivalents.</p><p>We recommend against using this option. Instead, go with one of the standard code pages listed earlier in this section. If you do use this option, however, it must be listed after the <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> to which you wish to add the character. Otherwise, the characters will not be added.<a class="indexterm" name="ch08-idx-965533-0"></a> +<a class="indexterm" name="ch08-idx-965533-1"></a> +<a class="indexterm" name="ch08-idx-965533-2"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-82569"></a>WinPopup Messages</h2></div></div></div><p> +<a class="indexterm" name="ch08-idx-965227-0"></a> +<a class="indexterm" name="ch08-idx-965227-1"></a> +<a class="indexterm" name="ch08-idx-965227-2"></a>You can use the WinPopup tool (<code class="filename">WINPOPUP.EXE </code> ) in Windows to send messages to users, machines, or entire workgroups on the network. This tool is provided with Windows 95 OSR2 and comes standard with Windows 98. With either Windows 95 or 98, however, you need to be running WinPopup to receive and send WinPopup messages. With Windows NT, you can still receive messages without starting such a tool; they will automatically appear in a small dialog box on the screen when received. The WinPopup application is shown in <a href="#ch08-66444" title="Figure 8.1. The WinPopup application">Figure 8.1</a>.</p><div class="figure"><a name="ch08-66444"></a><p class="title"><b>Figure 8.1. The WinPopup application</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 360px"><td><img src="figs/sam.0801.gif" width="502" alt="The WinPopup application"></td></tr></table></div></div></div><br class="figure-break"><p>Samba has a single WinPopup messaging option, <code class="literal">message</code> <code class="literal">command</code>, as shown in <a href="#ch08-18671" title="Table 8.7. WinPopup Configuration Option">Table 8.7</a>.</p><div class="table"><a name="ch08-18671"></a><p class="title"><b>Table 8.7. WinPopup Configuration Option </b></p><div class="table-contents"><table summary="WinPopup Configuration Option " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameter</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">message command</code></p></td><td><p> +<a class="indexterm" name="ch08-idx-965394-0"></a> +<a class="indexterm" name="ch08-idx-965394-1"></a> +<a class="indexterm" name="ch08-idx-965394-2"></a>string (fully-qualified pathname)</p></td><td><p>Sets a command to run on Unix when a WinPopup message is received.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-4.0.1"></a>message command</h3></div></div></div><p>Samba's <code class="literal">message</code> +<a class="indexterm" name="ch08-idx-965971-0"></a> <code class="literal">command</code> option sets the path to a program that will run on the server when a Windows popup message arrives at the server. The command will be executed using the <code class="literal">guest</code> <code class="literal">account</code> user. What to do with one of these is questionable since it's probably for the Samba administrator, and Samba doesn't know his or her name. If you know there's a human using the console, the Samba team once suggested the following:</p><pre class="programlisting">[global] + message command = /bin/csh -c 'xedit %s; rm %s' &</pre><p>Note the use of variables here. The <code class="literal">%s</code> variable will become the file that the message is in. This file should be deleted when the command is finished with it; otherwise, there will be a buildup of pop-up files collecting on the Samba server. In addition, the command must fork its own process (note the & after the command); otherwise the client may suspend and wait for notification that the command was sent successfully before continuing.</p><p>In addition to the standard variables, <a href="#ch08-29758" title="Table 8.8. Message Command Variables">Table 8.8</a> shows the three unique variables that you can use in a <code class="literal">message</code> <code class="literal">command</code>.</p><div class="table"><a name="ch08-29758"></a><p class="title"><b>Table 8.8. Message Command Variables </b></p><div class="table-contents"><table summary="Message Command Variables " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">%s</code></p></td><td><p>The name of the file in which the message resides</p></td></tr><tr><td><p><code class="literal">%</code>f</p></td><td><p>The name of the client that sent the message</p></td></tr><tr><td><p><code class="literal">%t</code></p></td><td><p>The name of the machine that is the destination of the message</p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-SECT-5"></a>Recently Added Options</h2></div></div></div><p> +<a class="indexterm" name="ch08-idx-965236-0"></a>Samba has several options that appeared around the time of Samba 2.0, but are not entirely supported. However, we will give you a brief overview of their workings in this section. These options are shown in <a href="#ch08-72538" title="Table 8.9. Recently Added Options">Table 8.9</a>.</p><div class="table"><a name="ch08-72538"></a><p class="title"><b>Table 8.9. Recently Added Options </b></p><div class="table-contents"><table summary="Recently Added Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">change notify timeout</code></p></td><td><p>numerical (number of seconds)</p></td><td><p>Sets the interval between checks when a client asks to wait for a change in a specified directory.</p></td><td><p><code class="literal">60</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">machine password timeout</code></p></td><td><p>numerical (number of seconds)</p></td><td><p>Sets the renewal interval for NT domain machine passwords.</p></td><td><p><code class="literal">604,800</code> (1 week )</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">stat cache</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will cache recent name mappings.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">stat cache size</code></p></td><td><p>numerical</p></td><td><p>Sets the size of the stat cache.</p></td><td><p><code class="literal">50</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.1"></a>change notify timeout</h3></div></div></div><p>The <code class="literal">change</code> +<a class="indexterm" name="ch08-idx-965973-0"></a> <code class="literal">notify</code> <code class="literal">timeout</code> global option emulates a Windows NT SMB feature called <em class="firstterm">change notification</em> +<a class="indexterm" name="ch08-idx-965415-0"></a>. This allows a client to request that a Windows NT server periodically monitor a specific directory on a share for any changes. If any changes occur, the server will notify the client.</p><p>As of version 2.0, Samba will perform this function for its clients. However, performing these checks too often can slow the server down considerably. This option sets the time period that Samba should wait between such checks. The default is one minute (60 seconds); however, you can use this option to specify an alternate time that Samba should wait between performing checks:</p><pre class="programlisting">[global] + change notify timeout = 30</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.2"></a>machine password timeout</h3></div></div></div><p>The <code class="literal">machine</code> +<a class="indexterm" name="ch08-idx-965974-0"></a> <code class="literal">password</code> <code class="literal">timeout</code> global option sets a retention period for NT <a class="indexterm" name="ch08-idx-965417-0"></a> +<a class="indexterm" name="ch08-idx-965417-1"></a>domain machine passwords. The default is currently set to the same time period that Windows NT 4.0 uses: 604,800 seconds (one week). Samba will periodically attempt to change the <em class="firstterm">machine account password</em>, which is a password used specifically by another server to report changes to it. This option specifies the number of seconds that Samba should wait before attempting to change that password. The following example changes it to a single day, by specifying the following:</p><pre class="programlisting">[global] + machine password timeout = 86400</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.3"></a>stat cache</h3></div></div></div><p>The <code class="literal">stat</code> +<a class="indexterm" name="ch08-idx-965977-0"></a> <code class="literal">cache</code> global option turns on caching of recent case-insensitive name mappings. The default is <code class="literal">yes</code>. The Samba team recommends that you never change this parameter.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.4"></a>stat cache size</h3></div></div></div><p> +<a class="indexterm" name="ch08-idx-965418-0"></a>The <code class="literal">stat</code> +<a class="indexterm" name="ch08-idx-965978-0"></a> <code class="literal">cache</code> <code class="literal">size</code> global option sets the size of the cache entries to be used for the <code class="literal">stat</code> <code class="literal">cache</code> option. The default here is 50. Again, the Samba team recommends that you never change this parameter.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-70923"></a>Miscellaneous Options</h2></div></div></div><p> +<a class="indexterm" name="ch08-idx-965426-0"></a> +<a class="indexterm" name="ch08-idx-965426-1"></a> +<a class="indexterm" name="ch08-idx-965426-2"></a>Many Samba options are present to deal with operating system issues on either Unix or Windows. The options shown in <a href="#ch08-83566" title="Table 8.10. Miscellaneous Options">Table 8.10</a> deal specifically with some of these known problems. We usually don't change these and we recommend the same to you.</p><div class="table"><a name="ch08-83566"></a><p class="title"><b>Table 8.10. Miscellaneous Options </b></p><div class="table-contents"><table summary="Miscellaneous Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">deadtime</code></p></td><td><p> +<a class="indexterm" name="ch08-idx-965429-0"></a>numerical (<a class="indexterm" name="ch08-idx-965437-0"></a>number of minutes)</p></td><td><p>Specifies the number of minutes of inactivity before a connection should be terminated.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dfree command</code></p></td><td><p>string (command)</p></td><td><p>Used to provide a command that returns disk free space in a format recognized by Samba.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">fstype</code></p></td><td><p><code class="literal">NTFS</code>, <code class="literal">FAT</code>, or <code class="literal">Samba</code></p></td><td><p>Sets the filesystem type reported by the server to the client.</p></td><td><p><code class="literal">NTFS</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">keep alive</code></p></td><td><p>seconds</p></td><td><p>Sets the number of seconds between checks for an inoperative client.</p></td><td><p>(none)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max disk size</code></p></td><td><p>numerical (size in MB)</p></td><td><p>Sets the largest disk size to return to a client, some of which have limits. Does not affect actual operations on the disk.</p></td><td><p>(infinity)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max mux</code></p></td><td><p>numerical</p></td><td><p>Sets the maximum number of simultaneous SMB operations that clients may make.</p></td><td><p><code class="literal">50</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max open files</code></p></td><td><p>numerical</p></td><td><p>Limits number of open files to be below Unix limits.</p></td><td><p><code class="literal">10,000</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max xmit</code></p></td><td><p>numerical</p></td><td><p>Specifies the maximum packet size that Samba will send.</p></td><td><p><code class="literal">65,535</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">nt pipe support</code></p></td><td><p>boolean</p></td><td><p>Turns off an experimental NT feature, for benchmarking or in case of an error.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">nt smb support</code></p></td><td><p>boolean</p></td><td><p>Turns off an experimental NT feature, for benchmarking or in case of an error.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ole locking compatib-ility</code></p></td><td><p>boolean</p></td><td><p>Remaps out-of-range lock requests used on Windows to fit in allowable range on Unix. Turning it off causes Unix lock errors.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">panic action</code></p></td><td><p>command</p></td><td><p>Program to run if Samba server fails; for debugging.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">set directory</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, allows VMS clients to issue <code class="literal">set</code> <code class="literal">dir</code> commands.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">smbrun</code></p></td><td><p>string (fully-qualified command)</p></td><td><p>Sets the command Samba uses as a wrapper for shell commands.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">status</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, allows Samba to monitor status for <code class="literal">smbstatus</code> command.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">strict sync</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">no</code>, ignores Windows applications requests to perform a sync-to-disk.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">sync always</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, forces all client writes to be committed to disk before returning from the call.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">strip dot</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, strips trailing dots from Unix filenames.<a class="indexterm" name="ch08-idx-965441-0"></a></p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.1"></a> +deadtime</h3></div></div></div><a class="indexterm" name="ch08-idx-965979-0"></a><p>This global option sets the number of minutes that Samba will wait for an inactive client before closing its session with the Samba server. A client is considered inactive when it has no open files and there is no data being sent from it. The default value for this option is 0, which means that Samba never closes any connections no matter how long they have been inactive. You can override it as follows:</p><pre class="programlisting">[global] + deadtime = 10</pre><p>This tells Samba to terminate any inactive client sessions after 10 minutes. For most networks, setting this option as such will work because reconnections from the client are generally performed transparently to the user.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.2"></a> +dfree command</h3></div></div></div><a class="indexterm" name="ch08-idx-965980-0"></a><p> +<a class="indexterm" name="ch08-idx-965466-0"></a>This global option is used on systems that incorrectly determine the free space left on the disk. So far, the only confirmed system that needs this option set is Ultrix. There is no default value for this option, which means that Samba already knows how to compute the free disk space on its own and the results are considered reliable. You can override it as follows:</p><pre class="programlisting">[global] + dfree command = /usr/local/bin/dfree</pre><p>This option should point to a script that should return the total disk space in a block, and the number of available blocks. The Samba documentation recommends the following as a usable script:</p><pre class="programlisting">#!/bin/sh +df $1 | tail -1 | awk '{print $2" "$4}'</pre><p>On System V machines, the following will work:</p><pre class="programlisting">#!/bin/sh +/usr/bin/df $1 | tail -1 | awk '{print $3" "$5}'</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.3"></a> +fstype</h3></div></div></div><a class="indexterm" name="ch08-idx-965983-0"></a><p>This share-level option sets the type of <a class="indexterm" name="ch08-idx-965467-0"></a>filesystem that Samba reports when queried by the client. There are three strings that can be used as a value to this configuration option, as listed in <a href="#ch08-80519" title="Table 8.11. Filesystem Types">Table 8.11</a>.</p><div class="table"><a name="ch08-80519"></a><p class="title"><b>Table 8.11. Filesystem Types </b></p><div class="table-contents"><table summary="Filesystem Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p>NTFS</p></td><td><p> +<a class="indexterm" name="ch08-idx-965468-0"></a>Microsoft Windows NT filesystem</p></td></tr><tr><td><p>FAT</p></td><td><p>DOS FAT filesystem</p></td></tr><tr><td><p>Samba</p></td><td><p>Samba filesystem</p></td></tr></tbody></table></div></div><br class="table-break"><p>The default value for this option is <code class="literal">NTFS</code>, which represents a Windows NT filesystem. There probably isn't a need to specify any other type of filesystem. However, if you need to, you can override it per share as follows:</p><pre class="programlisting">[data] + fstype = FAT</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.4"></a>keep alive</h3></div></div></div><p> +<a class="indexterm" name="ch08-idx-965469-0"></a>This global option specifies the number of seconds that Samba waits between sending NetBIOS <span class="emphasis"><em>keep-alive packets</em></span>. These packets are used to ping a client to detect whether it is still alive and on the network. The default value for this option is <code class="literal">0</code>, which means that Samba will not send any such packets at all. You can override it as follows:</p><pre class="programlisting">[global] + keep alive = 10</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.5"></a> +max disk size</h3></div></div></div><a class="indexterm" name="ch08-idx-965985-0"></a><p> +<a class="indexterm" name="ch08-idx-965470-0"></a>This global option specifies an illusory limit, in megabytes, for each of the shares that Samba is using. You would typically set this option to prevent clients with older operating systems from incorrectly processing large disk spaces, such as those over one gigabyte.</p><p>The default value for this option is <code class="literal">0</code>, which means there is no upper limit at all. You can override it as follows:</p><pre class="programlisting">[global] + max disk size = 1000</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.6"></a> +max mux</h3></div></div></div><a class="indexterm" name="ch08-idx-965986-0"></a><p> +<a class="indexterm" name="ch08-idx-965471-0"></a>This global option specifies the maximum number of concurrent SMB operations that Samba allows. The default value for this option is <code class="literal">50</code>. You can override it as follows:</p><pre class="programlisting">[global] + max mux = 100</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.7"></a> +max open files</h3></div></div></div><a class="indexterm" name="ch08-idx-965987-0"></a><p> +<a class="indexterm" name="ch08-idx-965478-0"></a>This global option specifies the maximum number of open files that Samba should allow at any given time for all processes. This value must be equal to or less than the amount allowed by the operating system, which varies from system to system. The default value for this option is <code class="literal">10,000</code>. You can override it as follows:</p><pre class="programlisting">[global] + max open files = 8000</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.8"></a> +max xmit</h3></div></div></div><a class="indexterm" name="ch08-idx-965988-0"></a><p> +<a class="indexterm" name="ch08-idx-965482-0"></a>This global option sets the maximum size of packets that Samba exchanges with a client. In some cases, setting a smaller maximum packet size can increase performance, especially with Windows for Workgroups. The default value for this option is <code class="literal">65535</code>. You can override it as follows:</p><pre class="programlisting">[global] + max xmit = 4096</pre><p><a href="#appb-19919" title="The TCP receive window">Section 2.2.2.6</a> in <a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a>," shows some uses for this option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.9"></a> +nt pipe support</h3></div></div></div><a class="indexterm" name="ch08-idx-965989-0"></a><p> +<a class="indexterm" name="ch08-idx-965483-0"></a>This global option is used by developers to allow or disallow Windows NT clients the ability to make connections to the NT SMB-specific IPC$ pipes. As a user, you should never need to override the default:</p><pre class="programlisting">[global] + nt pipe support = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.10"></a> +nt smb support</h3></div></div></div><a class="indexterm" name="ch08-idx-965990-0"></a><p> +<a class="indexterm" name="ch08-idx-965484-0"></a> +<a class="indexterm" name="ch08-idx-965484-1"></a>This global option is used by developers to negotiate NT-specific SMB options with Windows NT clients. The Samba team has discovered that slightly better performance comes from setting this value to <code class="literal">no</code>. However, as a user, you should probably not override the default:</p><pre class="programlisting">[global] + nt smb support = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.11"></a> +ole locking compatibility</h3></div></div></div><a class="indexterm" name="ch08-idx-965991-0"></a><p>This global option turns off Samba's internal byte-range locking manipulation in files, which gives compatibility with Object Linking and Embedding (OLE) applications that use high byte-range locks as a method of interprocess communication. The default value for this option is <code class="literal">yes</code>. If you trust your Unix locking mechanisms, you can override it as follows:</p><pre class="programlisting">[global] + ole locking compatibility = no</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.12"></a> +panic action</h3></div></div></div><a class="indexterm" name="ch08-idx-965992-0"></a><p> +<a class="indexterm" name="ch08-idx-965492-0"></a>This global option specifies a command to execute in the event that Samba itself encounters a fatal error when loading or running. There is no default value for this option. You can specify an action as follows:</p><pre class="programlisting">[global] + panic action = /bin/csh -c + 'xedit < "Samba has shutdown unexpectedly!'</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.13"></a> +set directory</h3></div></div></div><a class="indexterm" name="ch08-idx-965993-0"></a><p>This boolean share-level option allows <a class="indexterm" name="ch08-idx-965497-0"></a>Digital Pathworks clients to use the <code class="literal">setdir</code> command to change directories on the server. If you are not using the Digital Pathworks client, you should not need to alter this option. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[data] + set directory = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.14"></a> +smbrun</h3></div></div></div><a class="indexterm" name="ch08-idx-965994-0"></a><p>This option sets the location of the <span class="emphasis"><em>smbrun</em></span> executable, which Samba uses as a wrapper to run shell commands. The default value for this option is automatically configured by Samba when it is compiled. If you did not install Samba to the standard directory, you can specify where the binary is as follows:</p><pre class="programlisting">[global] + smbrun = /usr/local/bin/smbrun</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.15"></a> +status</h3></div></div></div><a class="indexterm" name="ch08-idx-965995-0"></a><p>This global option indicates whether Samba should log all <a class="indexterm" name="ch08-idx-965499-0"></a> +<a class="indexterm" name="ch08-idx-965499-1"></a>active connections to a status file. This file is used only by the <span class="emphasis"><em>smbstatus</em></span> command. If you have no intentions of using this command, you can set this option to <code class="literal">no</code>, which can result in a small increase of speed on the server. The default value for this option is <code class="literal">yes</code>. You can override it as follows:</p><pre class="programlisting">[global] + status = no</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.16"></a> +strict sync</h3></div></div></div><a class="indexterm" name="ch08-idx-965996-0"></a><p>This share-level option determines whether Samba honors all requests to perform a <a class="indexterm" name="ch08-idx-965500-0"></a>disk sync when requested to do so by a client. Many clients request a disk sync when they are really just trying to flush data to their own open files. As a result, this can substantially slow a Samba server down. The default value for this option is <code class="literal">no</code>. You can override it as follows:</p><pre class="programlisting">[data] + strict sync = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.17"></a> +sync always</h3></div></div></div><a class="indexterm" name="ch08-idx-965997-0"></a><p>This share-level option decides whether every write to disk should be followed by a disk synchronization before the write call returns control to the client. Even if the value of this option is <code class="literal">no</code>, clients can request a disk synchronization; see the <code class="literal">strict</code> <code class="literal">sync</code> option above. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[data] + sync always = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.18"></a> +strip dot</h3></div></div></div><a class="indexterm" name="ch08-idx-965998-0"></a><p>This global option determines whether to remove the <a class="indexterm" name="ch08-idx-965502-0"></a> +<a class="indexterm" name="ch08-idx-965502-1"></a> +<a class="indexterm" name="ch08-idx-965502-2"></a>trailing dot from Unix filenames that are formatted with a dot at the end. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[global] + strip dot = yes</pre><p>This option is now considered obsolete; the user should use the <code class="literal">mangled</code> <code class="literal">map</code> option insead.<a class="indexterm" name="ch08-idx-965454-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-74829"></a>Backups with smbtar</h2></div></div></div><p> +<a class="indexterm" name="ch08-idx-965244-0"></a> +<a class="indexterm" name="ch08-idx-965244-1"></a>Our final topic in this chapter is the <code class="filename">smbtar</code> tool. One common problem with modem PCs is that floppies and even CD-ROMs are often too small to use for backups. However, buying one tape drive per machine would also be silly. Consequently, many sites don't back up their PCs at all. Instead, they reinstall them using floppy disks and CD-ROMs when they fail.</p><p>Thankfully, Samba provides us with another option: you can back up PCs' data using the <code class="filename">smbtar</code> tool. This can be done on a regular basis if you keep user data on your Samba system, or only occasionally, to save the local applications and configuration files and thus make repairs and reinstallations quicker.</p><p>To back up PCs from a <a class="indexterm" name="ch08-idx-965519-0"></a>Unix server, you need to do three things:</p><div class="orderedlist"><ol type="1"><li><p>Ensure that File and Printer Sharing is installed on the PC and is bound to the TCP/IP protocol.</p></li><li><p>Explicitly share a disk on the PC so it can be read from the server.</p></li><li><p>Set up the backup scripts on the server.</p></li></ol></div><p>We'll use Windows 95/98 to illustrate the first two steps. Go to the Networking icon in the Control Panel window, and check that <a class="indexterm" name="ch08-idx-965520-0"></a>File and Printer Sharing for Microsoft Networks is currently listed in the top window, as shown in <a href="#ch08-18303" title="Figure 8.2. The Networking window">Figure 8.2</a>.</p><div class="figure"><a name="ch08-18303"></a><p class="title"><b>Figure 8.2. The Networking window</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 368px"><td><img src="figs/sam.0802.gif" width="502" alt="The Networking window"></td></tr></table></div></div></div><br class="figure-break"><p>If "File and printer sharing for Microsoft Networks" isn't installed, you can install it by clicking on the Add button on the Network panel. After pressing it, you will be asked what service to add. Select Service and move forward, and you will be asked for a vendor and a service to install. Finally, select "File and printer sharing for Microsoft Networks," and click on Done to install the service.</p><p>Once you've installed "File and printer sharing for Microsoft Networks," return to the Network panel and select the TCP/IP protocol that is tied to your Samba network adapter. Then, click on the Properties button and choose the Bindings tab at the top. You should see a dialog box similar to <a href="#ch08-41042" title="Figure 8.3. TCP/IP Bindings">Figure 8.3</a>. Here, you'll need to verify that the "File and Printer Sharing" checkbox is checked, giving it access to TCP/IP. At this point you can share disks with other machines on the net.</p><div class="figure"><a name="ch08-41042"></a><p class="title"><b>Figure 8.3. TCP/IP Bindings</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 248px"><td><img src="figs/sam.0803.gif" height="248" alt="TCP/IP Bindings"></td></tr></table></div></div></div><br class="figure-break"><p>The next step is to share the disk you want to back up with the tape server. Go to My Computer and select, for example, the My Documents directory. Then right-click on the icon and select its Properties. This should yield the dialog box in <a href="#ch08-64918" title="Figure 8.4. My Documents Properties">Figure 8.4</a>.</p><div class="figure"><a name="ch08-64918"></a><p class="title"><b>Figure 8.4. My Documents Properties</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 352px"><td><img src="figs/sam.0804.gif" width="502" alt="My Documents Properties"></td></tr></table></div></div></div><br class="figure-break"><p>Select the Sharing tab and turn file sharing on. You now have the choice to share the disk as read-only, read-write (Full), or either, each with separate password. This is the Windows 95/98 version, so it provides only share-level security. In this example, we made it read/write and set a password, as shown in <a href="#ch08-29192" title="Figure 8.5. MyFiles Properties as shared">Figure 8.5</a>. When you enter the password and click on OK, you'll be prompted to re-enter it. After that, you have finished the second step.</p><div class="figure"><a name="ch08-29192"></a><p class="title"><b>Figure 8.5. MyFiles Properties as shared</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 374px"><td><img src="figs/sam.0805.gif" width="502" alt="MyFiles Properties as shared"></td></tr></table></div></div></div><br class="figure-break"><p>Finally, the last step is to set up a backup script on the tape server, using the <code class="filename">smbtar</code> program. The simplest script might contain only a single line and would be something like the following:</p><pre class="programlisting">smbtar -s client -t /dev/rst0 -x "My Documents" -p <em class="replaceable"><code>password</code></em></pre><p>This unconditionally backs up the <span class="emphasis"><em>//client/My Documents</em></span> share to the device <code class="filename">/dev/rst0</code>. Of course, this is excessively simple and quite insecure. What you will want to do will depend on your existing backup scheme.</p><p>However, to whet your appetite, here are some possibilities of what <code class="filename">smbtar</code> can do:</p><div class="itemizedlist"><ul type="disc"><li><p>Back up files incrementally using the DOS archive bit (the <code class="literal">-i</code> option). This requires the client share to be accessed read-write so the bit can be cleared by <code class="filename">smbtar</code></p></li><li><p>Back up only files that have changed since a specified date (using the <code class="literal">-N</code> <em class="replaceable"><code>filename </code></em>option)</p></li><li><p>Back up entire PC drives, by sharing all of C: or D:, for example, and backing that up</p></li></ul></div><p>Except for the first example, each of these can be done with the PC sharing set to read-only, reducing the security risk of having passwords in scripts and passing them on the command line.<a class="indexterm" name="ch08-idx-965514-0"></a> +<a class="indexterm" name="ch08-idx-965514-1"></a></p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-9"></a>Chapter 9. Troubleshooting Samba</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch09-36385">9.1. The Tool Bag</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-1.1">9.1.1. Samba Logs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.2">9.1.2. Samba Test Utilities</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.3">9.1.3. Unix Utilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-29538">9.2. The Fault Tree</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-2.1">9.2.1. How to use the fault tree</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.2">9.2.2. Troubleshooting Low-level IP </a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.3">9.2.3. Troubleshooting TCP</a></span></dt><dt><span class="sect2"><a href="#ch09-88968">9.2.4. Troubleshooting Server Daemons</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.5">9.2.5. Troubleshooting SMB Connections</a></span></dt><dt><span class="sect2"><a href="#ch09-23573">9.2.6. Troubleshooting Browsing </a></span></dt><dt><span class="sect2"><a href="#ch09-21713">9.2.7. Other Things that Fail </a></span></dt><dt><span class="sect2"><a href="#ch09-23768">9.2.8. Troubleshooting Name Services</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.9">9.2.9. Troubleshooting Network Addresses</a></span></dt><dt><span class="sect2"><a href="#ch09-35552">9.2.10. Troubleshooting NetBIOS Names</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-49719">9.3. Extra Resources</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-3.1">9.3.1. Documentation and FAQs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.2">9.3.2. Samba Newsgroups</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.3">9.3.3. Samba Mailing Lists</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.4">9.3.4. Samba Discussion Archives</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.5">9.3.5. Further Reading</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="ch09-idx-953453-0"></a>Samba is extremely robust. Once you've got everything set up the way you want, you'll probably forget that it is running. When trouble occurs, it's typically during installation or when you're trying to add something new to the server. Fortunately, there are a wide variety of resources that you can use to diagnose these troubles. While we can't describe in detail the solution to every problem that you might encounter, you should be able to get a good start at a resolution by following the advice given in this chapter.</p><p>The first section of the chapter lists the tool bag, a collection of tools available for troubleshooting Samba; the second section is a detailed how-to, and the last section lists extra resources you may need to track down particularly stubborn problems.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch09-36385"></a>The Tool Bag</h2></div></div></div><p> +<a class="indexterm" name="ch09-idx-953455-0"></a>Sometimes Unix seems to be made up of a handful of applications and tools. There are tools to troubleshoot tools. And of course, there are several ways to accomplish the same task. When you are trying to solve a problem related to Samba, a good plan of attack is to check the following:</p><div class="orderedlist"><ol type="1"><li><p>Samba logs</p></li><li><p>Fault tree</p></li><li><p>Unix utilities</p></li><li><p>Samba test utilities</p></li><li><p>Documentation and FAQs</p></li><li><p>Searchable archives</p></li><li><p>Samba newsgroups</p></li></ol></div><p>Let's go over each of these one by one in the following sections.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-1.1"></a>Samba Logs</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953456-0"></a>Your first line of attack should always be to check the log files. The Samba log files can help diagnose the vast majority of the problems that beginning to intermediate Samba administrators are likely to face. Samba is quite flexible when it comes to logging. You can set up the server to log as little or as much as you want. Substitution variables that allow you to isolate individual logs for each machine, share, or combination thereof.</p><p>By default, logs are placed in <em class="replaceable"><code>samba_directory</code></em><span class="emphasis"><em>/var/smbd.log</em></span> and <em class="replaceable"><code>samba_directory</code></em><span class="emphasis"><em>/var/nmbd.log</em></span>, where <code class="literal">samba_directory</code> is the location where Samba was installed (typically, <code class="filename">/usr/local/samba</code>). As we mentioned in <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, you can override the location and name using the <code class="literal">log</code> <code class="literal">file</code> configuration option in <code class="filename">smb.conf</code>. This option accepts all of the substitution variables mentioned in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>, so you could easily have the server keep a separate log for each connecting client by specifying the following in the <code class="literal">[global]</code> section of <code class="filename">smb.conf </code>:</p><pre class="programlisting">log file = %m.log</pre><p>Alternatively, you can specify a log directory to use with the <code class="literal">-l</code> flag on the command line. For example:</p><pre class="programlisting">smbd -l /usr/local/var/samba</pre><p>Another useful trick is to have the server keep a log for each service (share) that is offered, especially if you suspect a particular share is causing trouble. Use the <code class="literal">%S</code> variable to set this up in the <code class="literal">[global]</code> section of the configuration file:</p><pre class="programlisting">log file = %S.log</pre><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-28969"></a>Log levels</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953457-0"></a>The level of logging that Samba uses can be set in the <code class="filename">smb.conf</code> file using the global <code class="literal">log</code> +<a class="indexterm" name="ch09-idx-954135-0"></a> +<a class="indexterm" name="ch09-idx-954135-1"></a> <code class="literal">level</code> or <code class="literal">debug</code> <code class="literal">level</code> option; they are equivalent. The logging level is an integer which ranges from 0 (no logging), and increases the logging to voluminous by <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">3</code>. For example, let's assume that we are going to use a Windows client to browse a directory on a Samba server. For a small amount of log information, you can use <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">1</code>, which instructs Samba to show only cursory information, in this case only the connection itself:</p><pre class="programlisting">105/25/98 22:02:11 server (192.168.236.86) connect to service public as user pcguest (uid=503,gid=100) (pid 3377)</pre><p>Higher debug levels produce more detailed information. Usually you won't need any more than level 3; this is more than adequate for most Samba administrators. Levels above 3 are for use by the developers and dump enormous amounts of cryptic information.</p><p>Here is example output at levels 2 and 3 for the same operation. Don't worry if you don't understand the intricacies of an SMB connection; the point is simply to show you what types of information are shown at the different logging levels:</p><pre class="programlisting">/* Level 2 */ +Got SIGHUP +Processing section "[homes]" +Processing section "[public]" +Processing section "[temp]" +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/ + + +/* Level 3 */ +05/25/98 22:15:09 Transaction 63 of length 67 +switch message SMBtconX (pid 3377) +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ +ACCEPTED: guest account and guest ok +found free connection number 105 +Connect path is /tmp +chdir to /tmp +chdir to / +05/25/98 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest (uid=503,gid=100) (pid 3377) +05/25/98 22:15:09 tconX service=ipc$ user=pcguest cnum=105 +05/25/98 22:15:09 Transaction 64 of length 99 +switch message SMBtrans (pid 3377) +chdir to /tmp +trans <\PIPE\LANMAN> data=0 params=19 setup=0 +Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) +Doing RNetShareEnum +RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) +05/25/98 22:15:11 Transaction 65 of length 99 +switch message SMBtrans (pid 3377) +chdir to / +chdir to /tmp +trans <\PIPE\LANMAN> data=0 params=19 setup=0 +Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) +Doing RNetShareEnum +RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) +05/25/98 22:15:11 Transaction 66 of length 95 +switch message SMBtrans2 (pid 3377) +chdir to / +chdir to /pcdisk/public +call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end = 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432 +unix_clean_name [./DESKTOP.INI] +unix_clean_name [desktop.ini] +unix_clean_name [./] +creating new dirptr 1 for path ./, expect_close = 1 +05/25/98 22:15:11 Transaction 67 of length 53 +switch message SMBgetatr (pid 3377) +chdir to / + +[...]</pre><p>We cut off this listing after the first packet because it runs on for many pages. However, you should be aware that log levels above 3 will quickly fill your disk with megabytes of excruciating detail concerning Samba internal operations. Log level 3 is extremely useful for following exactly what the server is doing, and most of the time it will be obvious where an error is occurring by glancing through the log file.</p><p>A word of warning: using a high log level (3 or above) will <span class="emphasis"><em>seriously</em></span> slow down the Samba server. Remember that every log message generated causes a write to disk (an inherently slow operation) and log levels greater than 2 produce massive amounts of data. Essentially, you should turn on logging level 3 only when you're actively tracking a problem in the Samba server.<a class="indexterm" name="ch09-idx-953461-0"></a></p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-1.1.2"></a>Activating and deactivating logging</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953474-0"></a>To turn logging on and off, set the appropriate level in the <code class="literal">[global]</code> section of <code class="filename">smb.conf</code>. Then, you can either restart Samba, or force the current daemon to reprocess the configuration file. You also can send the <span class="emphasis"><em>smbd</em></span> process a SIGUSR1 signal to increase its log level by one while it's running, and a SIGUSR2 signal to decrease it by one:</p><pre class="programlisting"># Increase the logging level by 1 +kill -SIGUSR1 1234 + +# Decrease the logging level by 1 +kill -SIGUSR2 1234</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-34448"></a>Logging by individual client machines or users</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953475-0"></a> +<a class="indexterm" name="ch09-idx-953475-1"></a>An effective way to diagnose problems without hampering other users is to assign different log levels for different machines in <code class="literal">[global]</code> section of the <code class="filename">smb.conf</code> file. We can do this by building on the strategy we presented earlier:</p><pre class="programlisting">[global] + log level = 0 + log file = /usr/local/samba/lib/log.%m + include = /usr/local/samba/lib/smb.conf.%m</pre><p>These options instruct Samba to use unique configuration and log files for each client that connects. Now all you have to do is create an <code class="filename">smb.conf</code> +<a class="indexterm" name="ch09-idx-953477-0"></a> file for a specific client machine with a <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">3</code> entry in it (the others will pick up the default log level of 0) and use that log file to track down the problem.</p><p>Similarly, if only particular users are experiencing a problem, and it travels from machine to machine with them, you can isolate logging to a specific user by adding the following to the <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global] + log level = 0 + log file = /usr/local/samba/lib/log.%u + include = /usr/local/samba/lib/smb.conf.%u</pre><p>Then you can create a unique <code class="filename">smb.conf</code> file for each user (e.g., <code class="filename">/usr/local/samba/lib/smb.conf.tim</code>) files containing the configuration option <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">3</code> and only those users will get more detailed logging.<a class="indexterm" name="ch09-idx-953469-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-1.2"></a>Samba Test Utilities</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953478-0"></a> +<a class="indexterm" name="ch09-idx-953478-1"></a>A rigorous set of tests that exercise the major parts of Samba are described in various files in the <span class="emphasis"><em>/docs/textdocs</em></span> +<a class="indexterm" name="ch09-idx-953497-0"></a> directory of the Samba distribution kit, starting with <span class="emphasis"><em>DIAGNOSIS.TXT.</em></span> The fault tree in this chapter is a more detailed version of the basic tests suggested by the Samba team, but covers only installation and reconfiguration diagnosis, like <span class="emphasis"><em>DIAGNOSIS.TXT.</em></span> The other files in the <span class="emphasis"><em>/docs</em></span> subdirectoryies address specific problems (such as Windows NT clients) and instruct you how to troubleshoot items not included in this book. If the fault tree doesn't suffice, be sure to look at <span class="emphasis"><em>DIAGNOSIS.TXT</em></span> and its friends.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-1.3"></a>Unix Utilities</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953505-0"></a>Sometimes it's useful to use a tool outside of the Samba suite to examine what's happening inside the server. Unix has always been a "kitchen-sink" operating system. Two diagnostic tools can be of particular help in debugging Samba troubles: <span class="emphasis"><em>trace</em></span> and <span class="emphasis"><em>tcpdump</em></span>.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-1.3.1"></a>Using trace</h4></div></div></div><a class="indexterm" name="ch09-idx-953506-0"></a><p>The <span class="emphasis"><em>trace</em></span> command masquerades under several different names, depending on the operating system that you are using. On Linux it will be <span class="emphasis"><em>strace</em></span>, on Solaris you'll use <span class="emphasis"><em>truss</em></span>, and SGI will have <span class="emphasis"><em>padc</em></span> and <span class="emphasis"><em>par</em></span>. All have essentially the same function, which is to display each operating system function call as it is executed. This allows you to follow the execution of a program, such as the Samba server, and will often pinpoint the exact call that is causing the difficulty.</p><p>One problem that <span class="emphasis"><em>trace</em></span> can highlight is the location of an incorrect version of a dynamically linked library. This can happen if you've downloaded prebuilt binaries of Samba. You'll typically see the offending call at the end of the <span class="emphasis"><em>trace</em></span>, just before the program terminates.</p><p>A sample <code class="literal">strace</code> output for the Linux operating system follows. This is a small section of a larger file created during the opening of a directory on the Samba server. Each line is a system-call name, and includes its parameters and the return value. If there was an error, the error value (e.g., <code class="literal">ENOENT</code>) and its explanation are also shown. You can look up the parameter types and the errors that can occur in the appropriate <code class="literal">trace</code> manual page for the operating system that you are using.</p><pre class="programlisting">chdir("/pcdisk/public") = 0 +stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) +stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 +stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) +open("mini", O_RDONLY) = 5 +fcntl(5, F_SETFD, FD_CLOEXEC) = 0 +fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 +lseek(5, 0, SEEK_CUR) = 0 +SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196 +lseek(5, 0, SEEK_CUR) = 1024 +SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0 +close(5) = 0 +stat("mini/desktop.ini", 0xbffff86c) = -1 ENOENT (No such file or directory) +write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39 +SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1 +read(3, "\0\0\0?", 4) = 4 +read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63 +time(NULL) = 896143871</pre><p>This example shows several <code class="literal">stat</code> calls failing to find the files they were expecting. You don't have to be a expert to see that the file <span class="emphasis"><em>desktop.ini</em></span> is missing from that directory. In fact, many difficult problems can be identified by looking for obvious, repeatable errors with <span class="emphasis"><em>trace</em></span>. Often, you need not look farther than the last message before a crash.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-1.3.2"></a>Using tcpdump</h4></div></div></div><p>The <span class="emphasis"><em>tcpdump</em></span> +<a class="indexterm" name="ch09-idx-953802-0"></a> program, written by <a class="indexterm" name="ch09-idx-953803-0"></a> +<a class="indexterm" name="ch09-idx-953803-1"></a> +<a class="indexterm" name="ch09-idx-953803-2"></a> +<a class="indexterm" name="ch09-idx-953803-3"></a>Van Jacobson, Craig Leres, and Steven McCanne, and extended by Andrew Tridgell, allows you to monitor network traffic in real time. A variety of output formats are available and you can filter the output to look at only a particular type of traffic. The <span class="emphasis"><em>tcpdump</em></span> program lets you examine all conversations between client and server, including SMB and NMB <a class="indexterm" name="ch09-idx-953805-0"></a>broadcast messages. While its troubleshooting capabilities lie mainly at the OSI network layer, you can still use its output to get a general idea of what the server and client are attempting to accomplish.</p><p>A sample <span class="emphasis"><em>tcpdump</em></span> log follows. In this instance, the client has requested a directory listing and the server has responded appropriately, giving the directory names <code class="literal">homes</code>, <code class="literal">public</code>, <code class="literal">IPC$</code>, and <code class="literal">temp</code> (we've added a few explanations on the right):</p><pre class="programlisting">$<strong class="userinput"><code>tcpdump -v -s 255 -i eth0 port not telnet</code></strong> +SMB PACKET: SMBtrans (REQUEST) <em class="replaceable"><code>Request packet</code></em> +SMB Command = 0x25 <em class="replaceable"><code>Request was ls or dir</code></em>. + +[000] 01 00 00 10 .... + + +>>> NBT Packet +<em class="replaceable"><code>Outer frame of SMB packe</code></em>t +NBT Session Packet +Flags=0x0 +Length=226 +[lines skipped] + +SMB PACKET: SMBtrans (REPLY) <em class="replaceable"><code>Beginning of a reply to request </code></em> +SMB Command = 0x25 <em class="replaceable"><code>Command was an ls or dir</code></em> +Error class = 0x0 +Error code = 0 +<em class="replaceable"><code>No errors</code></em> +Flags1 = 0x80 +Flags2 = 0x1 +Tree ID = 105 +Proc ID = 6075 +UID = 100 +MID = 30337 +Word Count = 10 +TotParamCnt=8 +TotDataCnt=163 +Res1=0 +ParamCnt=8 +ParamOff=55 +Res2=0 +DataCnt=163 +DataOff=63 +Res3=0 +Lsetup=0 +Param Data: (8 bytes) +[000] 00 00 00 00 05 00 05 00 ........ + +Data Data: (135 bytes) +<em class="replaceable"><code>Actual directory contents:</code></em> +[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........ +[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic...... +[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp.... +[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$ +[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w... +[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........ +[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo +[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi +[080] 63 65 20 28 53 61 6D ce (Sam</pre><p>This is more of the same debugging session as with the <span class="emphasis"><em>trace</em></span> command; the listing of a directory. The options we used were <code class="literal">-v</code> (verbose), <code class="literal">-i</code> <code class="literal">eth0</code> to tell <span class="emphasis"><em>tcpdump</em></span> the interface to listen on (an Ethernet port), and <code class="literal">-s</code> <code class="literal">255</code> to tell it to save the first 255 bytes of each packet instead of the default: the first 68. The option <code class="literal">port</code> +<a class="indexterm" name="ch09-idx-954174-0"></a> <code class="literal">not</code> <code class="literal">telnet</code> is used to avoid screens of telnet traffic, since we were logged in to the server remotely. The <span class="emphasis"><em>tcpdump</em></span> program actually has quite a number of options to filter just the traffic you want to look at. If you've used <span class="emphasis"><em>snoop</em></span> or <span class="emphasis"><em>etherdump</em></span>, they'll look vaguely familiar.</p><p>You can download the modified <span class="emphasis"><em>tcpdump</em></span> +<a class="indexterm" name="ch09-idx-953518-0"></a> from the Samba FTP server at <code class="systemitem">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</code>. Other versions don't include support for the SMB protocol; if you don't see output such as that shown in the example, you'll need to<span class="emphasis"><em></em></span> +<a class="indexterm" name="ch09-idx-953513-0"></a> use the SMB-enabled version.<a class="indexterm" name="ch09-idx-953481-0"></a> +<a class="indexterm" name="ch09-idx-953481-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch09-29538"></a>The Fault Tree</h2></div></div></div><p> +<a class="indexterm" name="ch09-idx-953543-0"></a> +<a class="indexterm" name="ch09-idx-953543-1"></a>The fault tree is for diagnosing and fixing problems that occur when you're installing and reconfiguring Samba. It's an expanded form of a trouble and diagnostic document that is part of the Samba distribution.</p><p> +<a class="indexterm" name="ch09-idx-953548-0"></a>Before you set out to troubleshoot any part of the Samba suite, you should know the following information:</p><div class="itemizedlist"><ul type="disc"><li><p> Your client IP address (we use 192.168.236.10)</p></li><li><p> Your server IP address (we use 192.168.236.86)</p></li><li><p> The netmask for your network (typically 255.255.255.0)</p></li><li><p> Whether the machines are all on the same subnet (ours are)</p></li></ul></div><p>For clarity, we've renamed the server in the following examples to <span class="emphasis"><em>server.example.com</em></span>, and the client machine to <span class="emphasis"><em>client.example.com</em></span>.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.1"></a>How to use the fault tree</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953549-0"></a>Start the tests here, without skipping forward; it won't take long (about five minutes) and may actually save you time backtracking. Whenever a test succeeds, you will be given a section name and page number to which you can safely skip.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.2"></a>Troubleshooting Low-level IP </h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953556-0"></a>The first series of tests is that of the low-level services that Samba needs in order to run. The tests in this section will verify that:</p><div class="itemizedlist"><ul type="disc"><li><p> The IP software works</p></li><li><p> The Ethernet hardware works</p></li><li><p> Basic name service is in place</p></li></ul></div><p>Subsequent sections will add TCP software, the Samba daemons <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span>, host-based access control, authentication and per-user access control, file services, and browsing. The tests are described in considerable detail in order to make them understandable by both technically oriented end users and experienced systems and network administrators.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.2.1"></a>Testing the networking software with ping </h4></div></div></div><p>The first command to enter on both the server and the client is <code class="literal">ping 127.0.0.1</code>. This is the <em class="firstterm">loopback</em> <span class="emphasis"><em>address</em></span> and testing it will indicate whether any networking support is functioning at all. On Unix, you can use <code class="literal">ping</code> <code class="literal">127.0.0.1</code> with the statistics option and interrupt it after a few lines. On Sun workstations, the command is typically <code class="literal">/usr/etc/ping</code> <code class="literal">-s</code> <code class="literal">127.0.0.1</code>; on Linux, just <code class="literal">ping</code> <code class="literal">127.0.0.1</code>. On Windows clients, run <code class="literal">ping</code> <code class="literal">127.0.0.1</code> in an MS-DOS window and it will stop by itself after four lines.</p><p>Here is an example on a Linux server:</p><pre class="programlisting">server% <span class="bold"><strong>ping 127.0.0.1</strong></span> +PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): +icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=2. time=1. ms ^C +----127.0.0.1 PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</pre><p>If you get "ping: no answer from..." or "100% packet loss," you have no IP networking at all installed on the machine. The address <code class="literal">127.0.0.1</code> is the internal loopback address and doesn't depend on the computer being physically connected to a network. If this test fails, you have a serious local problem. TCP/IP either isn't installed or is seriously misconfigured. See your operating system documentation if it is a Unix server. If it is a Windows client, follow the instructions in <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>, to install networking support.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If <span class="emphasis"><em>you're</em></span> the network manager, some good references are Craig Hunt's <span class="emphasis"><em>TCP/IP Network Administration</em></span>, Chapter 11, and Craig Hunt & Robert Bruce Thompson's new book, <span class="emphasis"><em>Windows NT TCP/IP Network Administration,</em></span> both published by O'Reilly.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-20350"></a>Testing local name services with ping </h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953658-0"></a>Next, try to ping <code class="literal">localhost</code> on the Samba server. <code class="literal">localhost</code> is the conventional hostname for the 127.0.0.1 loopback, and it should resolve to that address. After typing <code class="literal">ping</code> <code class="literal">localhost</code>, you should see output similar to the following:</p><pre class="programlisting">server% <span class="bold"><strong>ping localhost</strong></span> +PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): +icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=2. time=0. ms ^C</pre><p>If this succeeds, try the same test on the client. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "unknown host: localhost," there is a problem resolving the host name localhost into a valid IP address. (This may be as simple as a missing entry in a local <span class="emphasis"><em>hosts</em></span> file.) From here, skip down to <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>.</p></li><li><p>If you get "ping: no answer," or "100% packet loss," but pinging 127.0.0.1 worked, then name services is resolving to an address, but it isn't the correct one. Check the file or database (typically <code class="filename">/etc/hosts</code> on a Unix system) that the name service is using to resolve addresses to ensure that the entry is corrected.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.2.3"></a>Testing the networking hardware with ping </h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953666-0"></a>Next, ping the server's network IP address from itself. This should get you exactly the same results as pinging 127.0.0.1:</p><pre class="programlisting">server% <span class="bold"><strong>ping 192.168.236.86</strong></span> +PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=2. time=1. ms ^C +----192.168.236.86 PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</pre><p>If this works on the server, repeat it for the client. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If <code class="literal">ping</code> <em class="replaceable"><code>network_ip</code></em> fails on either the server or client, but ping 127.0.0.1 works on that machine, you have a TCP/IP problem that is specific to the Ethernet network interface card on the computer. Check with the documentation for the network card or the host operating system to determine how to correctly configure it. However, be aware that on some operating systems, the <span class="emphasis"><em>ping</em></span> command appears to work even if the network is disconnected, so this test doesn't always diagnose all hardware problems.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-84079"></a>Testing connections with ping</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953831-0"></a>Now, ping the server by name (instead of its IP address), once from the server and once from the client. This is the general test for working network hardware:</p><pre class="programlisting">server% <span class="bold"><strong>ping server</strong></span> +PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): +icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): +icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): +icmp-seq=2. time=1. ms ^C +----server.example.com PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</pre><p>On Microsoft Windows, a ping of the server would look like <a href="#ch09-91668" title="Figure 9.1. Pinging the Samba server from a Windows client">Figure 9.1</a>.</p><div class="figure"><a name="ch09-91668"></a><p class="title"><b>Figure 9.1. Pinging the Samba server from a Windows client</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0901.gif" height="285" alt="Pinging the Samba server from a Windows client"></td></tr></table></div></div></div><br class="figure-break"><p>If successful, this test tells us five things:</p><div class="orderedlist"><ol type="1"><li><p>The hostname (e.g., "server") is being found by your local nameserver.</p></li><li><p>The hostname has been expanded to the full name (e.g., <span class="emphasis"><em>server.example.com</em></span>).</p></li><li><p>Its address is being returned (192.168.236.86).</p></li><li><p>The client has sent the Samba server four 56-byte UDP/IP packets.</p></li><li><p>The Samba server has replied to all four packets.</p></li></ol></div><p>If this test isn't successful, there can be one of several things wrong with the network:</p><div class="itemizedlist"><ul type="disc"><li><p>First, if you get "ping: no answer," or "100% packet loss," you're not connecting to the network, the other machine isn't connecting, or one of the addresses is incorrect. Check the addresses that the <code class="literal">ping</code> command reports on each machine, and ensure that they match the ones you set up initially.</p><p>If not, there is at least one mismatched address between the two machines. Try entering the command <code class="literal">arp</code> <code class="literal">-a</code>, and see if there is an entry for the other machine. The <code class="literal">arp</code> command stands for the Address Resolution Protocol. The <code class="literal">arp</code> <code class="literal">-a</code> command lists all the addresses known on the local machine. Here are some things to try:</p><div class="itemizedlist"><ul type="circle"><li><p>If you receive a message like "192.168.236.86 at (incomplete)," the Ethernet address of 192.168.236.86 is unknown. This indicates a complete lack of connectivity, and you're likely having a problem at the very bottom of the TCP/IP Network Administration protocol stack, at the Ethernet-interface layer. This is discussed in Chapters 5 and 6 of <em class="citetitle">TCP/IP Network Administration </em>(O'Reilly).</p></li><li><p>If you receive a response similar to "server (192.168.236.86) at 8:0:20:12:7c:94," then the server has been reached at some time, or another machine is answering on its behalf. However, this means that <span class="emphasis"><em>ping</em></span> should have worked: you may have an intermittent networking or ARP problem.</p></li><li><p>If the IP address from ARP doesn't match the addresses you expected, investigate and correct the addresses manually.</p></li></ul></div></li><li><p>If each machine can ping itself but not another, something is wrong on the network between them.</p></li><li><p>If you get "ping: network unreachable" or "ICMP Host Unreachable," then you're not receiving an answer and there is likely more than one network involved.</p><p>In principle, you shouldn't try to troubleshoot SMB clients and servers on different networks. Try to test a server and client on the same network. The three tests that follow assume you might be testing between two networks:</p><div class="orderedlist"><ol type="1"><li><p>First, perform the tests for no answer described earlier in this section. If this doesn't identify the problem, the remaining possibilities are the following: an address is wrong, your netmask is wrong, a network is down, or just possibly you've been stopped by a firewall.</p></li><li><p>Check both the address and the netmasks on source and destination machines to see if something is obviously wrong. Assuming both machines really are on the same network, they both should have the same netmasks and <span class="emphasis"><em>ping</em></span> should report the correct addresses. If the addresses are wrong, you'll need to correct them. If they're right, the programs may be confused by an incorrect netmask. See <a href="#ch09-21203" title="Netmasks">Section 9.2.9.1</a>, later in this chapter.</p></li><li><p>If the commands are still reporting that the network is unreachable and neither of the previous two conditions is in error, one network really may be unreachable from the other. This, too, is a network manager issue.</p></li></ol></div></li><li><p>If you get "ICMP Administratively Prohibited," you've struck a firewall of some sort or a misconfigured router. You will need to speak to your network security officer.</p></li><li><p>If you get "ICMP Host redirect," and <span class="emphasis"><em>ping</em></span> reports packets getting through, this is generally harmless: you're simply being rerouted over the network.</p></li><li><p>If you get a host redirect and no <span class="emphasis"><em>ping</em></span> responses, you are being redirected, but no one is responding. Treat this just like the "Network unreachable" response and check your addresses and netmasks.</p></li><li><p>If you get "ICMP Host Unreachable from gateway <span class="emphasis"><em>gateway_name</em></span>," ping packets are being routed to another network, but the other machine isn't responding and the router is reporting the problem on its behalf. Again, treat this like a "Network unreachable" response and start checking addresses and netmasks.</p></li><li><p>If you get "ping: unknown host <span class="emphasis"><em>hostname</em></span>," your machine's name is not known. This tends to indicate a name-service problem, which didn't affect <code class="literal">localhost</code>. Have a look at <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>," later in this chapter.</p></li><li><p>If you get a partial success, with some pings failing but others succeeding, you either have an intermittent problem between the machines or an overloaded network. Ping for longer, and see if more than about 3 percent of the packets fail. If so, check it with your network manager: a problem may just be starting. However, if only a few fail, or if you happen to know some massive network program is running, don't worry unduly. Ping's ICMP (and UDP) are designed to drop occasional packets.</p></li><li><p>If you get a response like "smtsvr.antares.net is alive" when you actually pinged <span class="emphasis"><em>client.example.com</em></span>, you're either using someone else's address or the machine has multiple names and addresses. If the address is wrong, name service is clearly the culprit; you'll need to change the address in the name service database to refer to the right machine. This is discussed in <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>," later in this chapter.</p><p>Server machines are often <span class="emphasis"><em>multihomed</em></span> : connected to more than one network, with different names on each net. If you are getting a response from an unexpected name on a multihomed server, look at the address and see if it's on your network (see <a href="#ch09-21203" title="Netmasks">Section 9.2.9.1</a> later in this chapter). If so, you should use that address, rather than one on a different network, for both performance and reliability reasons.</p><p>Servers may also have multiple names for a single Ethernet address, especially if they are web servers. This is harmless, if otherwise startling. You probably will want to use the official (and permanent) name, rather than an alias which may change.</p></li><li><p>If everything works, but the IP address reported is 127.0.0.1, you have a name service error. This typically occurs when a operating system installation program generates an <code class="filename">/etc/hosts</code> line similar to <code class="literal">127.0.0.1</code> <code class="literal">localhost</code> <span class="emphasis"><em>hostnamedomainname</em></span>. The localhost line should say <code class="literal">127.0.0.1</code> <code class="literal">localhost</code> or <code class="literal">127.0.0.1</code> <code class="literal">localhost</code> <code class="literal">loghost</code>. Correct it, lest it cause failures to negotiate who is the master browse list holder and who is the master browser. It can, also cause (ambiguous) errors in later tests.</p></li></ul></div><p>If this worked from the server, repeat it from the<a class="indexterm" name="ch09-idx-953672-0"></a> client.<a class="indexterm" name="ch09-idx-953563-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.3"></a>Troubleshooting TCP</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953568-0"></a>Now that you've tested IP, UDP, and a name service with <span class="emphasis"><em>ping</em></span>, it's time to test TCP. <span class="emphasis"><em>ping</em></span> and browsing use ICMP and UDP; file and print services (shares) use TCP. Both depend on IP as a lower layer and all four depend on name services. Testing TCP is most conveniently done using the FTP (file transfer protocol) program.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-78512"></a>Testing TCP with FTP </h4></div></div></div><p>Try connecting via FTP, once from the server to itself, and once from the client to the server:</p><pre class="programlisting">server% <strong class="userinput"><code>ftp server</code></strong> +Connected to server.example.com. +220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready. + Name (server:davecb): +331 Password required for davecb. +Password: +230 User davecb logged in. + ftp><strong class="userinput"><code> quit </code></strong> +221 Goodbye.</pre><p>If this worked, skip to <a href="#ch09-88968" title="Troubleshooting Server Daemons">Section 9.2.4</a>. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If you received the message "server: unknown host," then nameservice has failed. Go back to the corresponding <span class="emphasis"><em>ping</em></span> step, <a href="#ch09-20350" title="Testing local name services with ping">Section 9.2.2.2</a>," and rerun those tests to see why name lookup failed.</p></li><li><p>If you received "ftp: connect: Connection refused," the machine isn't running an FTP daemon. This is mildly unusual on Unix servers. Optionally, you might try this test by connecting to the machine using telnet instead of FTP; the messages are very similar and telnet uses TCP as well.</p></li><li><p>If there was a long pause, then "ftp: connect: Connection timed out," the machine isn't reachable. Return to <a href="#ch09-84079" title="Testing connections with ping">Section 9.2.2.4</a>.</p></li><li><p>If you received "530 Logon Incorrect," you connected successfully, but you've just found a different problem. You likely provided an incorrect username or password. Try again, making sure you use your username from the Unix server and type your password correctly.</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-88968"></a>Troubleshooting Server Daemons</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953569-0"></a>Once you've confirmed that TCP networking is working properly, the next step is to make sure the daemons are running on the server. This takes three separate tests because no single one of the following will decisively prove that they're working correctly.</p><p>To be sure they're running, you need to find out if:</p><div class="orderedlist"><ol type="1"><li><p>The daemon has started</p></li><li><p>The daemons are registered or bound to a TCP/IP port by the operating system</p></li><li><p>They're actually paying attention</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.4.1"></a>Before you start</h4></div></div></div><p>First, check the logs. If you've started the daemons, the message "smbd version <span class="emphasis"><em>some_number</em></span> started" should appear. If it doesn't, you will need to restart the Samba daemons.</p><p>If the daemon reports that it has indeed started, look out for "bind failed on port 139 socket_addr=0 (Address already in use)". This means another daemon has been started on port 139 (<span class="emphasis"><em>smbd</em></span> ). Also, <span class="emphasis"><em>nmbd</em></span> will report a similar failure if it cannot bind to port 137. Either you've started them twice, or the <span class="emphasis"><em>inetd</em></span> server has tried to provide a daemon for you. If it's the latter, we'll diagnose that in a moment.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-49239"></a>Looking for daemon processes with ps</h4></div></div></div><p>Next, you need to see if the daemons have been started. Use the <code class="literal">ps</code> command on the server with the <code class="literal">long</code> option for your machine type (commonly <code class="literal">ps</code> <code class="literal">ax</code> or <code class="literal">ps</code> <code class="literal">-ef</code>), and see if you have either <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> already running. This often looks like the following:</p><pre class="programlisting">server% <span class="bold"><strong>ps ax</strong></span> + PID TTY STAT TIME COMMAND + 1 ? S 0:03 init [2] + 2 ? SW 0:00 (kflushd) +<span class="emphasis"><em>(...many lines of processes...)</em></span> + 234 ? S 0:14 nmbd -D3 + 237 ? S 0:11 smbd -D3 +<span class="emphasis"><em>(...more lines, possibly including more smbd lines...)</em></span></pre><p>This example illustrates that <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> have already started as stand-alone daemons (the <code class="literal">-D</code> option) at log level 3.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.4.3"></a>Looking for daemons bound to ports</h4></div></div></div><p>Next, the daemons have to be registered with the operating system so they can get access to TCP/IP ports. The <code class="literal">netstat</code> command will tell you if this has been done. Run the command <code class="literal">netstat</code> <code class="literal">-a</code> on the server, and look for lines mentioning <code class="literal">netbios</code>, <code class="literal">137</code> or <code class="literal">139</code>:</p><pre class="programlisting">server% <span class="bold"><strong>netstat -a</strong></span> +Active Internet connections (including servers) +Proto Recv-Q Send-Q Local Address Foreign Address (state) +udp 0 0 *.netbios- *.* +tcp 0 0 *.netbios- *.* +LISTEN +tcp 8370 8760 server.netbios- client.1439 +ESTABLISHED</pre><p>or:</p><pre class="programlisting">server% <span class="bold"><strong>netstat -a</strong></span> +Active Internet connections (including servers) +Proto Recv-Q Send-Q Local Address Foreign Address (state) +udp 0 0 *.137 *.* +tcp 0 0 *.139 *.* +LISTEN +tcp 8370 8760 server.139 client.1439 +ESTABLISHED</pre><p>Among many similar lines, there should be at least one UDP line for <code class="literal">*.netbios-</code> or <code class="literal">*.137</code>. This indicates that the <span class="emphasis"><em>nmbd</em></span> server is registered and (we hope) is waiting to answer requests. There should also be at least one TCP line mentioning <code class="literal">*.netbios-</code> or <code class="literal">*.139</code>, and it will probably be in the LISTENING state. This means that <span class="emphasis"><em>smbd</em></span> is up and listening for connections.</p><p>There may be other TCP lines indicating connections from <span class="emphasis"><em>smbd</em></span> to clients, one for each client. These are usually in the ESTABLISHED state. If there are <span class="emphasis"><em>smbd</em></span> lines in the ESTABLISHED state, <span class="emphasis"><em>smbd</em></span> is definitely running. If there is only one line in the LISTENING state, we're not sure yet. If both of the lines is missing, a daemon has not succeeded in starting, so it's time to check the logs and then go back to <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><p>If there is a line for each client, it may be coming either from a Samba daemon or from the master IP daemon, <span class="emphasis"><em>inetd</em></span>. It's quite possible that your <span class="emphasis"><em>inetd</em></span> startup file contains lines that start Samba daemons without your realizing it; for instance, the lines may have been placed there if you installed Samba as part of a Linux distribution. The daemons started by <span class="emphasis"><em>inetd</em></span> prevent ours from running. This problem typically produces log messages such as "bind failed on port 139 socket_addr=0 (Address already in use)."</p><p>Check your <code class="filename">/etc/inetd.conf</code> ; unless you're intentionally starting the daemons from there, there <span class="emphasis"><em>must not</em></span> be any <code class="literal">netbios-ns</code> (udp port 137) or <code class="literal">netbios-ssn</code> (tcp port 139) servers mentioned there. <span class="emphasis"><em>inetd</em></span> is a daemon that provides numerous services, controlled by entries in <span class="emphasis"><em>/etc/inetd.conf</em></span>. If your system is providing an SMB daemon via <span class="emphasis"><em>inetd</em></span>, there will be lines like the following in the file:</p><pre class="programlisting">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd +netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.4.4"></a>Checking smbd with telnet</h4></div></div></div><p>Ironically, the easiest way to test that the <span class="emphasis"><em>smbd</em></span> +<a class="indexterm" name="ch09-idx-953678-0"></a> server is actually working is to send it a meaningless message and see if it rejects it. Try something like the following:</p><pre class="programlisting"><strong class="userinput"><code>echo hello | telnet localhost 139</code></strong></pre><p>This sends an erroneous but harmless message to <span class="emphasis"><em>smbd</em></span>. The <code class="literal">hello</code> message is important. Don't try telneting to the port and typing just anything; you'll probably just hang your process. <code class="literal">hello</code>, however, is generally a harmless message.</p><pre class="programlisting">server% <span class="bold"><strong>echo "hello" | telnet localhost 139</strong></span> +Trying +Trying 192.168.236.86 ... +Connected to localhost. Escape character is '^]'. +Connection closed by foreign host.</pre><p>If you get a "Connected" message followed by a "Connection closed" message, the test was a success. You have an <span class="emphasis"><em>smbd</em></span> daemon listening on the port and rejecting improper connection messages. On the other hand, if you get "telnet: connect: Connection refused," there is probably no daemon present. Check the logs and go back to <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><p>Regrettably, there isn't an easy test for <span class="emphasis"><em>nmbd</em></span>. If the <code class="literal">telnet</code> test and the <code class="literal">netstat</code> test both say that there is an <span class="emphasis"><em>smbd</em></span> running, there is a good chance that <code class="literal">netstat</code> will also be correct about <span class="emphasis"><em>nmbd</em></span> running.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-67494"></a>Testing daemons with testparm</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953679-0"></a>Once you know there's a daemon, you should always run <code class="literal">testparm</code>, in hopes of getting:</p><pre class="programlisting">server% <span class="bold"><strong>testparm</strong></span> +Load smb config files from /opt/samba/lib/smb.conf +Processing section "[homes]" +Processing section "[printers]" ... +Processing section "[tmp]" +Loaded services file OK. ...</pre><p>The <code class="literal">testparm</code> program normally reports processing a series of sections, and responds with "Loaded services file OK" if it succeeds. If not, it will report one or more of the following messages, which will also appear in the logs as noted:</p><div class="variablelist"><dl><dt><span class="term"><span class="emphasis"><em>"Allow/Deny connection from account (n) to service"</em></span></span></dt><dd><p>A <span class="emphasis"><em>testparm</em></span>-only message produced if you have valid/invalid user options set in your <span class="emphasis"><em>smb.conf</em></span>. You will want to make sure that you are on the valid user list, and that root, bin, etc., are on the invalid user list. If you don't, you will not be able to connect, or folks who shouldn't <span class="emphasis"><em>will</em></span> be able to.</p></dd><dt><span class="term"><span class="emphasis"><em>"Warning: You have some share names that are longer than eight chars"</em></span></span></dt><dd><p>For anyone using Windows for Workgroups and older clients. They will fail to connect to shares with long names, producing an overflow message that sounds confusingly like a memory overflow.</p></dd><dt><span class="term">"Warning: [name] service MUST be printable!"</span></dt><dd><p>A printer share lacks a <code class="literal">printable</code> <code class="literal">=</code> <code class="literal">yes</code> option.</p></dd><dt><span class="term">"No path in service name using [name]"</span></dt><dd><p>A file share doesn't know which directory to provide to the user, or a print share doesn't know which directory to use for spooling. If no path is specified, the service will try to run with a path of <span class="emphasis"><em>/tmp</em></span>, which may not be what you want.</p></dd><dt><span class="term">"Note: Servicename is flagged unavailable"</span></dt><dd><p>Just a reminder that you have used the <code class="literal">available</code> <code class="literal">=</code> <code class="literal">no</code> option in a share.</p></dd><dt><span class="term">"Can't find include file [name]" </span></dt><dd><p>A configuration file referred to by an <code class="literal">include</code> option did not exist. If you were including the file unconditionally, this is an error and probably a serious one: the share will not have the configuration you intended. If you were including it based one of the <code class="literal">%</code> variables, such as <code class="literal">%a</code> (architecture), you will need to decide if, for example, a missing Windows for Workgroups configuration file is a problem. It often isn't.</p></dd><dt><span class="term">"Can't copy service name, unable to copy to itself"</span></dt><dd><p>You tried to copy a <code class="filename">smb.conf</code> section into itself.</p></dd><dt><span class="term">"Unable to copy service—source not found: [name]"</span></dt><dd><p>Indicates a missing or misspelled section in a <code class="literal">copy</code> <code class="literal">=</code> option.</p></dd><dt><span class="term">"Ignoring unknown parameter name" </span></dt><dd><p>Typically indicates an obsolete, misspelled or unsupported option.</p></dd><dt><span class="term">"Global parameter name found in service section" </span></dt><dd><p>Indicates a global-only parameter has been used in an individual share. Samba will ignore the parameter.</p></dd></dl></div><p>After the <code class="literal">testparm</code> test, repeat it with (exactly) three parameters: the name of your <code class="filename">smb.conf</code> file, the name of your client, and its IP address:</p><pre class="programlisting">testparm <em class="replaceable"><code>samba_directory</code></em>/lib/smb.conf client 192.168.236.10</pre><p>This will run one more test that checks the host name and address against <code class="literal">host</code> <code class="literal">allow</code> and <code class="literal">host</code> <code class="literal">deny</code> options and may produce the "Allow/Deny connection from account account_name" to service message for the client machine. This message indicates you have valid/invalid host options in your <code class="filename">smb.conf</code>, and they prohibit access from the client machine. Entering <code class="literal">testparm</code> <code class="literal">/usr/local/lib/experimental.conf</code> is also an effective way to test an experimental <code class="filename">smb.conf</code> file before putting it into production.<a class="indexterm" name="ch09-idx-953573-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.5"></a>Troubleshooting SMB Connections</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953578-0"></a>Now that you know the servers are up, you need to make sure that they're running properly. We start with the <code class="filename">smb.conf</code> file in the <em class="replaceable"><code>samba_directory</code></em><code class="filename">/lib</code> directory.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-67928"></a>A minimal smb.conf file</h4></div></div></div><p>In the following tests, we assume you have a <code class="literal">[temp]</code> share suitable for testing, plus at least one account. An <code class="filename">smb.conf</code> file that includes just these is:</p><pre class="programlisting">[global] + workgroup = <em class="replaceable"><code>EXAMPLE</code></em> + security = user + browsable = yes + local master = yes +[homes] + guest ok = no + browseble = no +[temp] + path = /tmp + public = yes</pre><p>A word of warning: the <code class="literal">public</code> <code class="literal">=</code> <code class="literal">yes</code> option in the <code class="literal">[temp]</code> share is just for testing. You probably don't want people without accounts to be able to store things on your Samba server, so you should comment it out when you're done.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-40595"></a>Testing locally with smbclient</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953682-0"></a>The first test is to ensure the server can list its own services (shares). Run the command <code class="literal">smbclient</code> with a <code class="literal">-L</code> option of <code class="literal">localhost</code> to connect to itself, and a <code class="literal">-U</code> option of just <code class="literal">%</code> to specify the guest user. You should see the following:</p><pre class="programlisting">server% <strong class="userinput"><code>smbclient -L localhost -U% </code></strong> +Server time is Wed May 27 17:57:40 1998 Timezone is UTC-4.0 +Server=[localhost] +User=[davecb] +Workgroup=[EXAMPLE] +Domain=[EXAMPLE] + Sharename Type Comment + --------- ----- ---------- + temp Disk + IPC$ IPC IPC Service (Samba 1.9.18) + homes Disk Home directories +This machine does not have a browse list</pre><p>If you received this output, move on to the next test, <a href="#ch09-77154" title="Testing connections with smbclient">Section 9.2.5.3</a>." On the other hand, if you receive an error, check the following:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "Get_hostbyname: unknown host localhost," either you've spelled its name wrong or there actually is a problem (which should have been seen back in <a href="#ch09-20350" title="Testing local name services with ping">Section 9.2.2.2</a>) In the latter case, move on to <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>.</p></li><li><p>If you get "Connect error: Connection refused," the server machine was found, but it wasn't running an <span class="emphasis"><em>nmbd</em></span> daemon. Skip back to <a href="#ch09-88968" title="Troubleshooting Server Daemons">Section 9.2.4</a>," and retest the daemons.</p></li><li><p>If you get the message "Your server software is being unfriendly," the initial session request packet got a garbage response from the server. The server may have crashed or started improperly. The common causes of this can be discovered by scanning the logs for:</p><div class="itemizedlist"><ul type="circle"><li><p>Invalid command-line parameters to <span class="emphasis"><em>smbd</em></span>; see the <span class="emphasis"><em>smbd</em></span> manual page.</p></li><li><p>A fatal problem with the <code class="filename">smb.conf</code> file that prevents the startup of <span class="emphasis"><em>smbd</em></span>. Always check your changes, as was done in <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>.</p></li><li><p>The directories where Samba keeps its log and lock files are missing.</p></li><li><p>There is already a server on the port (139 for <span class="emphasis"><em>smbd</em></span>, 137 for <span class="emphasis"><em>nmbd </em></span>), preventing it from starting.</p></li></ul></div></li><li><p>If you're using <span class="emphasis"><em>inetd</em></span> instead of stand-alone daemons, check your <code class="filename">/etc/inetd.conf</code> and <code class="filename">/etc/services</code> entries against their manual pages for errors as well.</p></li><li><p>If you get a <code class="literal">Password:</code> prompt, your guest account is not set up properly. The <code class="literal">%U</code> option tells <span class="emphasis"><em>smbclient</em></span> to do a "null login," which requires that the guest account be present but does not require it to have any privileges.</p></li><li><p>If you get the message "SMBtconX failed. ERRSRV—ERRaccess," you aren't permitted access to the server. This normally means you have a <code class="literal">valid</code> <code class="literal">hosts</code> option that doesn't include the server, or an <code class="literal">invalid</code> <code class="literal">hosts</code> option that does. Recheck with the command <code class="literal">testparm</code> <code class="literal">smb.conf</code> <em class="replaceable"><code>your_hostname</code></em> <em class="replaceable"><code>your_ip_address</code></em> (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>) and correct any unintended prohibitions.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-77154"></a>Testing connections with smbclient</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953689-0"></a>Run the command <code class="literal">smbclient</code> <code class="literal">\\</code><em class="replaceable"><code>server</code></em><code class="literal">\temp</code>, which connects to your server's <code class="filename">/tmp</code> share, to see if you can connect to a file service. You should get the following response:</p><pre class="programlisting">server% <span class="bold"><strong>smbclient '\\server\temp'</strong></span> +Server time is Tue May 5 09:49:32 1998 Timezone is UTC-4.0 Password: +smb: \> <span class="bold"><strong>quit</strong></span></pre><div class="itemizedlist"><ul type="disc"><li><p>If you get "Get_Hostbyname: Unknown host name," "Connect error: Connection refused," or "Your server software is being unfriendly," see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a> for the diagnoses.</p></li><li><p>If you get the message "servertemp: Not enough `\' characters in service," you likely didn't quote the address, so Unix stripped off backslashes. You can also write the command:</p><pre class="programlisting">smbclient \\\\<em class="replaceable"><code>server</code></em>\\temp</pre><p>or:</p><pre class="programlisting">smbclient //<em class="replaceable"><code>server</code></em>/temp</pre></li></ul></div><p>Now, provide your Unix account password to the <code class="literal">Password</code> prompt. If you then get an <code class="literal">smb\></code> prompt, it worked. Enter <code class="literal">quit</code>, and continue on to <a href="#ch09-97081" title="Testing connections with NET USE">Section 9.2.5.4</a>." If you then get "SMBtconX failed. ERRSRV—ERRinvnetname," the problem can be any of the following:</p><div class="itemizedlist"><ul type="disc"><li><p>A wrong share name: you may have spelled it wrong, it may be too long, it may be in mixed case, or it may not be available. Check that it's what you expect with testparm (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>.)</p></li><li><p><code class="literal">security</code> <code class="literal">=</code> <code class="literal">share</code>, in which you may have to add <em class="replaceable"><code>-U your_account</code></em> to the <span class="emphasis"><em>smbclient</em></span> command, or know the password of a Unix account named temp.</p></li><li><p>An erroneous username.</p></li><li><p>An erroneous password.</p></li><li><p>An <code class="literal">invalid</code> <code class="literal">users</code> or <code class="literal">valid</code> <code class="literal">users</code> option in your <span class="emphasis"><em>smb.conf</em></span> file that doesn't allow your account to connect. Recheck with <code class="literal">testparm</code> <code class="literal">smb.conf</code> <em class="replaceable"><code>your_hostname your_ip_address</code></em> (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>).</p></li><li><p>A <code class="literal">valid</code> <code class="literal">hosts</code> option that doesn't include the server, or an <code class="literal">invalid</code> <code class="literal">hosts</code> option that does. Also test this with <span class="emphasis"><em>testparm</em></span>.</p></li><li><p>A problem in authentication, such as if shadow passwords or the PAM (Password Authentication Module) is used on the server, but Samba is not compiled to use it. This is rare, but occasionally happens when a SunOS 4 Samba binary (no shadow passwords) is run without recompilation on a Solaris system (with shadow passwords).</p></li><li><p>The <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code> option in the configuration file, but no password for your account in the <span class="emphasis"><em>smbpasswd</em></span> file.</p></li><li><p>You have a null password entry, either in Unix <code class="filename">/etc/passwd</code> or in the <span class="emphasis"><em>smbpasswd</em></span> file.</p></li><li><p>You are connecting to <code class="literal">[temp]</code>, and you do not have the <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code> option in the <code class="literal">[temp]</code> section of the <span class="emphasis"><em>smb.conf</em></span> file.</p></li><li><p>You are connecting to <code class="literal">[temp]</code> before connecting to your home directory, and your guest account isn't set up correctly. If you can connect to your home directory and then connect to <code class="literal">[temp]</code>, that's the problem. See <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> for more information on creating a basic Samba configuration file.</p><p>A bad guest account will also prevent you from printing or browsing until after you've logged in to your home directory.</p></li></ul></div><p>There is one more reason for this failure that has nothing at all to do with passwords: the <code class="literal">path</code> <code class="literal">=</code> line in your <code class="filename">smb.conf</code> file may point somewhere that doesn't exist. This will not be diagnosed by <span class="emphasis"><em>testparm</em></span>, and most SMB clients can't tell it from other types of bad user accounts. You will have to check it manually.</p><p>Once you have connected to <code class="literal">[temp]</code> successfully, repeat the test, this time logging in to your home directory (e.g., map network drive <em class="replaceable"><code>server</code></em><code class="literal">\davecb</code>) looking for failures in doing that. If you have to change anything to get that to work, re-test <code class="literal">[temp]</code> again afterwards.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-97081"></a>Testing connections with NET USE</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953696-0"></a>Run the command <code class="literal">net</code> <code class="literal">use</code> <code class="literal">*</code> <code class="literal">\</code><em class="replaceable"><code>server</code></em><code class="literal">\temp</code> on the DOS or Windows client to see if it can connect to the server. You should be prompted for a password, then receive the response "The command was completed successfully," as shown in <a href="#ch09-99328" title="Figure 9.2. Results of the NET USE command">Figure 9.2</a>.</p><div class="figure"><a name="ch09-99328"></a><p class="title"><b>Figure 9.2. Results of the NET USE command</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 471px"><td><img src="figs/sam.0902.gif" width="502" alt="Results of the NET USE command"></td></tr></table></div></div></div><br class="figure-break"><p>If that succeeded, continue with the steps in <a href="#ch09-57065" title="Testing connections with Windows Explorer">Section 9.2.5.5</a>. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "The specified shared directory cannot be found," or "Cannot locate specified share name," the directory name is either misspelled or not in the <span class="emphasis"><em>smb.conf</em></span> file. This message can also warn of a name in mixed case, including spaces, or is longer than eight characters.</p></li><li><p>If you get "The computer name specified in the network path cannot be located," or "Cannot locate specified computer," the directory name has been misspelled, the name service has failed, there is a networking problem, or the <code class="literal">hosts</code> <code class="literal">deny</code> <code class="literal">=</code> option includes your host.</p><div class="itemizedlist"><ul type="circle"><li><p>If it is not a spelling mistake, you need to double back to at least <a href="#ch09-77154" title="Testing connections with smbclient">Section 9.2.5.3</a>, to investigate why it doesn't connect.</p></li><li><p>If <span class="emphasis"><em>smbclient</em></span> does work, it's a name service problem with the client name service, and you need to go forward to <a href="#ch09-12446" title="Testing the server with nmblookup">Section 9.2.6.2</a>, and see if you can look up both client and server with <span class="emphasis"><em>nmblookup</em></span>.</p></li></ul></div></li><li><p>If you get "The password is invalid for <code class="literal">\</code><em class="replaceable"><code>server</code></em><code class="literal">\</code><em class="replaceable"><code>username</code></em>," your locally cached copy on the client doesn't match the one on the server. You will be prompted for a replacement.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Windows 95 and 98 clients keep a local <span class="emphasis"><em>password</em></span> file, but it's really just a cached copy of the password it sends to Samba and NT servers to authenticate you. That's what is being prompted for here. You can still log on to a Windows machine without a password (but not to NT).</p></div><div class="itemizedlist"><ul type="disc"><li><p> +If you provide your password, and it still fails, your password is not being matched on the server, you have a <code class="literal">valid</code> <code class="literal">users</code> or <code class="literal">invalid</code> <code class="literal">users</code> list denying you permission, NetBEUI is interfering, or the encrypted password problem described in the next paragraph exists.</p></li><li><p>If your client is NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98 or any of these with Internet Explorer 4.0, these default to using Microsoft encryption for passwords (discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>'s <a href="#ch06-61393" title="Passwords">Section 6.4</a>, along with the alternatives). In general, if you have installed a major Microsoft product recently, you may have applied an update and turned on encrypted passwords.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Because of Internet Explorer's willingness to honor URLs such as <code class="filename">file://somehost/somefile</code> by making SMB connections, clients up to and including Windows 95 Patch Level 2 would happily send your password, in plaintext, to SMB servers anywhere on the Internet. This was considered a bad idea, and Microsoft quite promptly switched to using only encrypted passwords in the SMB protocol. All subsequent releases of their products have included this correction. Encrypted passwords aren't actually needed unless you're using Internet Explorer 4.0 without a firewall, so it's reasonable to keep using unencrypted passwords on your own networks.</p></div><div class="itemizedlist"><ul type="disc"><li><p>If you have a mixed-case password on Unix, the client is probably sending it in all one case. If changing your password to all one case works, this was the problem. Regrettably, all but the oldest clients support uppercase passwords, so Samba will try once with it in uppercase and once in lower case. If you wish to use mixed-case passwords, see the <code class="literal">password</code> <code class="literal">level</code> option in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a> for a workaround.</p></li><li><p>You may have a <code class="literal">valid</code> <code class="literal">users</code> problem, as tested with <span class="emphasis"><em>smbclient</em></span> (see <a href="#ch09-77154" title="Testing connections with smbclient">Section 9.2.5.3</a>).</p></li><li><p>You may have the NetBEUI protocol bound to the Microsoft client. This often produces long timeouts and erratic failures, and is known to have caused failures to accept passwords in the past.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>The term "bind" is used to mean connecting a piece of software to another in this case. The Microsoft SMB client is "bound to" TCP/IP in the bindings section of the TCP/IP properties panel under the Windows 95/98 Network icon in the Control Panel. TCP/IP in turn is bound to an Ethernet card. This is not the same sense of the word as binding an SMB daemon to a TCP/IP port.<a class="indexterm" name="ch09-idx-953703-0"></a></p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-57065"></a>Testing connections with Windows Explorer</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953710-0"></a>Start Windows Explorer or NT Explorer (not Internet Explorer), select Tools→Map Network Drive and specify \\<em class="replaceable"><code>server</code></em>\<code class="literal">temp</code> to see if you can make Explorer connect to the <code class="filename">/tmp</code> directory. You should see a screen similar to the one in <a href="#ch09-74414" title="Figure 9.3. Accessing the /tmp directory with Windows Explorer">Figure 9.3</a>. If so, you've succeeded and can skip to <a href="#ch09-23573" title="Troubleshooting Browsing">Section 9.2.6</a>."</p><div class="figure"><a name="ch09-74414"></a><p class="title"><b>Figure 9.3. Accessing the /tmp directory with Windows Explorer</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 336px"><td><img src="figs/sam.0903.gif" width="502" alt="Accessing the /tmp directory with Windows Explorer"></td></tr></table></div></div></div><br class="figure-break"><p>A word of caution: Windows Explorer and NT Explorer are rather poor as diagnostic tools: they do tell you that something's wrong, but rarely what it is. If you get a failure, you'll need to track it down with the NET USE command, which has far superior error reporting:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "The password for this connection that is in your password file is no longer correct," you may have any of the following:</p><div class="itemizedlist"><ul type="circle"><li><p>Your locally cached copy on the client doesn't match the one on the server.</p></li><li><p>You didn't provide a username and password when logging on to the client. Most Explorers will continue to send a username and password of null, even if you provide a password.</p></li><li><p>You have misspelled the password.</p></li><li><p>You have an <code class="literal">invalid</code> <code class="literal">users</code> or <code class="literal">valid</code> <code class="literal">users</code> list denying permission.</p></li><li><p>Your client is NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98, or any of these with Internet Explorer 4. They will all want encrypted passwords.</p></li><li><p>You have a mixed-case password, which the client is supplying in all one case.</p></li></ul></div></li><li><p>If you get "The network name is either incorrect, or a network to which you do not have full access," or "Cannot locate specified computer," you may have any of the following:</p><div class="itemizedlist"><ul type="circle"><li><p> Misspelled name</p></li><li><p> Malfunctioning service</p></li><li><p> Failed share</p></li><li><p> Networking problem</p></li><li><p> Bad <code class="literal">path</code> line</p></li><li><p> <code class="literal">hosts</code> <code class="literal">deny</code> line that excludes you</p></li></ul></div></li><li><p>If you get "You must supply a password to make this connection," the password on the client is out of synchronization with the server, or this is the first time you've tried from this client machine and the client hasn't cached it locally yet.</p></li><li><p>If you get "Cannot locate specified share name," you have a wrong share name or a syntax error in specifying it, a share name longer than eight characters, or one containing spaces or in mixed case.</p></li></ul></div><p>Once you can reliably connect to the <code class="literal">[temp]</code> directory, try once again, this time using your home directory. If you have to change something to get home directories working, then retest with <code class="literal">[temp]</code>, and vice versa, as we showed in <a href="#ch09-97081" title="Testing connections with NET USE">Section 9.2.5.4</a>. As always, if Explorer fails, drop back to that section and debug it<a class="indexterm" name="ch09-idx-953717-0"></a> there.<a class="indexterm" name="ch09-idx-953581-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-23573"></a>Troubleshooting Browsing </h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953586-0"></a>Finally, we come to browsing. This was left to last, not because it is hardest, but because it's both optional and partially dependent on a protocol that doesn't guarantee delivery of a packet. Browsing is hard to diagnose if you don't already know all the other services are running.</p><p>Browsing is purely optional: it's just a way to find the servers on your net and the shares that they provide. Unix has nothing of the sort and happily does without. Browsing also assumes all your machines are on a local area network (LAN) where broadcasts are allowable.</p><p>First, the browsing mechanism identifies a machine using the unreliable UDP protocol; then it makes a normal (reliable) TCP/IP connection to list the shares the machine provides.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-96207"></a>Testing browsing with smbclient </h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953724-0"></a>We'll start with testing the reliable connection first. From the server, try listing its own shares via <span class="emphasis"><em>smbclient</em></span> with a <code class="literal">-L</code> option of your server's name. You should get:</p><pre class="programlisting">server% <strong class="userinput"><code>smbclient -L server</code></strong> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server time is Tue Apr 28 09:57:28 1998 Timezone is UTC-4.0 +Password: +Domain=[EXAMPLE] +OS=[Unix] +Server=[Samba 1.9.18] +Server=[server] +User=[davecb] +Workgroup=[EXAMPLE] +Domain=[EXAMPLE] + Sharename Type Comment + --------- ---- ------- + cdrom Disk CD-ROM + cl Printer Color Printer 1 + davecb Disk Home Directories + + This machine has a browse list: + Server Comment + --------- ------- + SERVER Samba 1.9.18 + + This machine has a workgroup list: + Workgroup Master + --------- ------- + EXAMPLE SERVER</pre><div class="itemizedlist"><ul type="disc"><li><p>If you didn't get a Sharename list, the server is not allowing you to browse any shares. This should not be the case if you've tested any of the shares with Windows Explorer or the NET USE command. If you haven't done the <code class="literal">smbclient</code> <code class="literal">-L</code> <code class="literal">localhost</code> <code class="literal">-U%</code> test yet (see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>), do it now. An erroneous guest account can prevent the shares from being seen. Also, check the <code class="filename">smb.conf</code> file to make sure you do not have the option <code class="literal">browsable</code> <code class="literal">=</code> <code class="literal">no</code> anywhere in it: we suggest a minimal <code class="filename">smb.conf</code> file (see <a href="#ch09-67928" title="A minimal smb.conf file">Section 9.2.5.1</a>) for you to steal from. You need to have <code class="literal">browseable</code> enabled in order to be able to see at least the <code class="literal">[temp]</code> share.</p></li><li><p>If you didn't get a browse list, the server is not providing information about the machines on the network. At least one machine on the net must support browse lists. Make sure you have <code class="literal">local</code> <code class="literal">master</code> <code class="literal">=</code> <code class="literal">yes</code> in the <code class="filename">smb.conf</code> file if you want Samba be the local master browser.</p></li><li><p>If you got a browse list but didn't get <span class="emphasis"><em>/tmp</em></span>, you probably have a <code class="filename">smb.conf</code> problem. Go back to <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>."</p></li><li><p>If you didn't get a workgroup list with your workgroup name in it, it is possible that your workgroup is set incorrectly in the <code class="filename">smb.conf</code> file.</p></li><li><p>If you didn't get a workgroup list at all, ensure that <code class="literal">workgroup</code> <code class="literal">=EXAMPLE</code> is present in the <code class="filename">smb.conf</code> file.</p></li><li><p>If you get nothing, try once more with the options <code class="literal">-I</code> <em class="replaceable"><code>ip_address</code></em> <code class="literal">-n</code> <em class="replaceable"><code>netbios_name</code></em> <code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em> <code class="literal">-d3</code> with the NetBIOS and workgroup name in uppercase. (The <code class="literal">-d</code> <code class="literal">3</code> option sets the log /debugging level to 3.)</p></li></ul></div><p>If you're still getting nothing, you shouldn't have gotten this far. Double back to at least <a href="#ch09-78512" title="Testing TCP with FTP">Section 9.2.3.1</a>," or perhaps <a href="#ch09-84079" title="Testing connections with ping">Section 9.2.2.4</a>." On the other hand:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "SMBtconX failed. ERRSRV—ERRaccess," you aren't permitted access to the server. This normally means you have a <code class="literal">valid</code> <code class="literal">hosts</code> option that doesn't include the server, or an invalid hosts option that does.</p></li><li><p> If you get "Bad password," then you presumably have one of the following:</p><div class="itemizedlist"><ul type="circle"><li><p> An incorrect <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> line</p></li><li><p> An incorrect <code class="literal">invalid</code> <code class="literal">users</code> or <code class="literal">valid</code> <code class="literal">users</code> line</p></li><li><p> A lowercase password and OS/2 or Windows for Workgroups clients</p></li><li><p> A missing or invalid guest account</p></li></ul></div><p>Check what your guest account is (see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>) and verify your <code class="filename">smb.conf</code> file with <code class="literal">testparm</code> <code class="literal">smb.conf</code> <em class="replaceable"><code>your_hostname your_ip_address</code></em> (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>) and change or comment out any <code class="literal">hosts</code> <code class="literal">allow</code>, <code class="literal">hosts</code> <code class="literal">deny</code>, <code class="literal">valid</code> <code class="literal">users</code> or <code class="literal">invalid</code> <code class="literal">users</code> lines.</p></li><li><p>If you get "Connection refused," the <span class="emphasis"><em>smbd</em></span> server is not running or has crashed. Check that it's up, running, and listening to the network with <span class="emphasis"><em>netstat</em></span>, see step <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>."</p></li><li><p>If you get "Get_Hostbyname: Unknown host name," you've made a spelling error, there is a mismatch between Unix and NetBIOS hostname, or there is a name service problem. Start nameservice debugging with <a href="#ch09-97081" title="Testing connections with NET USE">Section 9.2.5.4</a>." If this works, suspect a name mismatch and go to step <a href="#ch09-35552" title="Troubleshooting NetBIOS Names">Section 9.2.10</a>."</p></li><li><p>If you get "Session request failed," the server refused the connection. This usually indicates an internal error, such as insufficient memory to fork a process.</p></li><li><p>If you get "Your server software is being unfriendly," the initial session request packet received a garbage response from the server. The server may have crashed or started improperly. Go back to <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>," where the problem is first analyzed.</p></li><li><p>If you suspect the server is not running, go back to <a href="#ch09-49239" title="Looking for daemon processes with ps">Section 9.2.4.2</a> to see why the server daemon isn't responding.<a class="indexterm" name="ch09-idx-953731-0"></a></p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-12446"></a>Testing the server with nmblookup</h4></div></div></div><p>This will test the "advertising" system used for Windows name services and browsing. Advertising works by broadcasting one's presence or willingness to provide services. It is the part of browsing that uses an unreliable protocol (UDP), and works only on broadcast networks like Ethernets. The <span class="emphasis"><em>nmblookup</em></span> +<a class="indexterm" name="ch09-idx-953736-0"></a> program broadcasts name queries for the hostname you provide, and returns its IP address and the name of the machine, much like <span class="emphasis"><em>nslookup</em></span> does with DNS. Here, the <code class="literal">-d</code> (debug- or log-level) option, and the <code class="literal">-B</code> (broadcast address) options direct queries to specific machines.</p><p>First, we check the server from itself. Run <span class="emphasis"><em>nmblookup</em></span> with a <code class="literal">-B</code> option of your server's name to tell it to send the query to the Samba server, and a parameter of <code class="literal">_ _SAMBA_ _</code> as the symbolic name to look up. You should get:</p><pre class="programlisting">server% <span class="bold"><strong>nmblookup -B</strong></span><em class="replaceable"><code>server</code></em><span class="bold"><strong> _ _SAMBA_ _</strong></span> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 +Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre><p>You should get the IP address of the server, followed by the name <code class="literal">_ _SAMBA_ _ </code>, which means that the server has successfully advertised that it has a service called <code class="literal">_ _SAMBA_ _ </code>, and therefore at least part of NetBIOS nameservice works.</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "Name_query failed to find name _ _SAMBA_ _" you may have specified the wrong address to the <code class="literal">-B</code> option, or <span class="emphasis"><em>nmbd</em></span> is not running. The <code class="literal">-B</code> option actually takes a broadcast address: we're using a machine-name to get a unicast address, and to ask server if it has claimed <code class="literal">_ _SAMBA_ _</code>.</p></li><li><p>Try again with <code class="literal">-B</code><em class="replaceable"><code> ip_address</code></em>, and if that fails too, <span class="emphasis"><em>nmbd</em></span> isn't claiming the name. Go back briefly to "Testing daemons with testparm" to see if <span class="emphasis"><em>nmbd</em></span> is running. If so, it may not claiming names; this means that Samba is not providing the browsing service—a configuratiuon problem. If that is the case, make sure that <code class="filename">smb.conf</code> doesn't contain the option <code class="literal">browsing</code> <code class="literal">=</code> <code class="literal">no</code>.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-32122"></a>Testing the client with nmblookup</h4></div></div></div><p>Next, check the IP address of the client from the server with <span class="emphasis"><em>nmblookup</em></span> +<a class="indexterm" name="ch09-idx-953737-0"></a> using <code class="literal">-B</code> option for the client's name and a parameter of <code class="literal">'*'</code> meaning "anything," as shown here:</p><pre class="programlisting">server% <span class="bold"><strong>nmblookup -B client '*'</strong></span> +Sending queries to 192.168.236.10 192.168.236.10 * +Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre><div class="itemizedlist"><ul type="disc"><li><p>If you receive "Name-query failed to find name *," you have made a spelling mistake, or the client software on the PC isn't installed, started, or bound to TCP/IP. Double back to <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> or <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a> and ensure you have a client installed and listening to the network.</p></li></ul></div><p>Repeat the command with the following options if you had any failures:</p><div class="itemizedlist"><ul type="disc"><li><p>If <code class="literal">nmblookup</code> <code class="literal">-B</code> <em class="replaceable"><code>client_IP_address</code></em> succeeds but <code class="literal">-B</code> <em class="replaceable"><code>client_name</code></em> fails, there is a name service problem with the client's name; go to <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>."</p></li><li><p>If <code class="literal">nmblookup</code> <code class="literal">-B</code> <code class="literal">127.0.0.1'*'</code> succeeds, but <code class="literal">-B</code> <em class="replaceable"><code>client_IP_address</code></em> fails, there is a hardware problem and ping should have failed. See your network manager.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-98123"></a>Testing the network with nmblookup</h4></div></div></div><p>Run the command <span class="emphasis"><em>nmblookup</em></span> +<a class="indexterm" name="ch09-idx-953741-0"></a> +<a class="indexterm" name="ch09-idx-953741-1"></a> again with a <code class="literal">-d</code> option (debug level) of 2 and a parameter of <code class="literal">'*'</code> again. This time we are testing the ability of programs (such as <span class="emphasis"><em>nmbd</em></span> ) to use broadcast. It's essentially a connectivity test, done via a broadcast to the default broadcast address.</p><p>A number of NetBIOS/TCP-IP hosts on the network should respond with "got a positive name query response" messages. Samba may not catch all of the responses in the short time it listens, so you won't always see all the SMB clients on the network. However, you should see most of them:</p><pre class="programlisting">server% <span class="bold"><strong>nmblookup -d 2 '*'</strong></span> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending queries to 192.168.236.255 +Got a positive name query response from 192.168.236.191 (192.168.236.191) +Got a positive name query response from 192.168.236.228 (192.168.236.228) +Got a positive name query response from 192.168.236.75 (192.168.236.75) +Got a positive name query response from 192.168.236.79 (192.168.236.79) +Got a positive name query response from 192.168.236.206 (192.168.236.206) +Got a positive name query response from 192.168.236.207 (192.168.236.207) +Got a positive name query response from 192.168.236.217 (192.168.236.217) +Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre><p>However:</p><div class="itemizedlist"><ul type="disc"><li><p>If this doesn't give at least the client address you previously tested, the default broadcast address is wrong. Try <code class="literal">nmblookup</code> <code class="literal">-B</code> <code class="literal">255.255.255.255</code> <code class="literal">-d</code> <code class="literal">2</code> <code class="literal">'*'</code>, which is a last-ditch variant (a broadcast address of all ones). If this draws responses, the broadcast address you've been using before is wrong. Troubleshooting these is discussed in the <a href="#ch09-45060" title="Broadcast addresses">Section 9.2.9.2</a>, later in this chapter.</p></li><li><p>If the address 255.255.255.255 fails too, check your notes to see if your PC and server are on different subnets, as discovered in <a href="#ch09-84079" title="Testing connections with ping">Section 9.2.2.4</a>." You should try to diagnose this with a server and client on the same subnet, but if you can't, you can try specifying the remote subnet's broadcast address with <code class="literal">-B</code>. Finding that address is discussed in the same place as troubleshooting broadcast addresses, in <a href="#ch09-45060" title="Broadcast addresses">Section 9.2.9.2</a>s," later in this chapter. The <code class="literal">-B</code> option will work if your router supports directed broadcasts; if it doesn't, you may be forced to test with a client on the same network.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.6.5"></a>Testing client browsing with net view</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953742-0"></a>On the client, run the command <em class="replaceable"><code>net view \\server</code></em> in a DOS window to see if you can connect to the client and ask what shares it provides. You should get back a list of available shares on the server, as shown in <a href="#ch09-83710" title="Figure 9.4. Using the net view command">Figure 9.4</a>.</p><div class="figure"><a name="ch09-83710"></a><p class="title"><b>Figure 9.4. Using the net view command</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 206px"><td><img src="figs/sam.0904.gif" height="206" alt="Using the net view command"></td></tr></table></div></div></div><br class="figure-break"><p>If you received this, continue with <a href="#ch09-21713" title="Other Things that Fail">Section 9.2.7</a>."</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "Network name not found" for the name you just tested in <a href="#ch09-32122" title="Testing the client with nmblookup">Section 9.2.6.3</a>," there is a problem with the client software itself. Double-check this by running <span class="emphasis"><em>nmblookup</em></span> on the client; if it works and NET VIEW doesn't, the client is at fault.</p></li><li><p>Of course, if <span class="emphasis"><em>nmblookup</em></span> fails, there is a NetBIOS nameservice problem, as discussed in <a href="#ch09-35552" title="Troubleshooting NetBIOS Names">Section 9.2.10</a>."</p></li><li><p>If you get "You do not have the necessary access rights," or "This server is not configured to list shared resources," either your guest account is misconfigured (see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>), or you have a <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> line that prohibits connections from your machine. These problems should have been detected by the <span class="emphasis"><em>smbclient</em></span> tests starting in <a href="#ch09-96207" title="Testing browsing with smbclient">Section 9.2.6.1</a>."</p></li><li><p>If you get "The specified computer is not receiving requests," you have misspelled the name, the machine is unreachable by broadcast (tested in "Testing the network with nmblookup"), or it's not running <span class="emphasis"><em>nmbd</em></span>.</p></li><li><p>If you get "Bad password error," you're probably encountering the Microsoft-encrypted password problem, as discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>, with its corrections.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.6.6"></a>Browsing the server from the client</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953743-0"></a>From the Network Neighborhood (File Manager in older releases), try to browse the server. Your Samba server should appear in the browse list of your local workgroup. You should be able to double click on the name of the server and get a list of shares, as illustrated in <a href="#ch09-60004" title="Figure 9.5. List of shares on a server">Figure 9.5</a>.</p><div class="figure"><a name="ch09-60004"></a><p class="title"><b>Figure 9.5. List of shares on a server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 202px"><td><img src="figs/sam.0905.gif" height="202" alt="List of shares on a server"></td></tr></table></div></div></div><br class="figure-break"><div class="itemizedlist"><ul type="disc"><li><p>If you get an "Invalid password" error with NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98 or any of these with Internet Explorer 4.0, it's most likely the encryption problem again. All of these clients default to using Microsoft encryption for passwords (see <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>).</p></li><li><p>If you receive an "Unable to browse the network" error, one of the following has ocurred:</p><div class="itemizedlist"><ul type="circle"><li><p>You have looked too soon, before the broadcasts and updates have completed; try waiting 30 seconds before re-attempting.</p></li><li><p>There is a network problem you've not yet diagnosed.</p></li><li><p>There is no browse master. Add the configuration option <code class="literal">local</code> <code class="literal">master</code> <code class="literal">=</code> <code class="literal">yes</code> to your <span class="emphasis"><em>smb.conf</em></span> file.</p></li><li><p>No shares are marked <code class="literal">browsable</code> in the <span class="emphasis"><em>smb.conf</em></span> file.</p></li></ul></div></li><li><p>If you receive the message "\\server is not accessible," then:</p><div class="itemizedlist"><ul type="circle"><li><p> You have the encrypted password problem</p></li><li><p> The machine really isn't accessible</p></li><li><p> The machine doesn't support browsing<a class="indexterm" name="ch09-idx-953589-0"></a></p></li></ul></div></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-21713"></a>Other Things that Fail </h3></div></div></div><p>If you've made it here, either the problem is solved or it's not one we've seen. The next sections cover troubleshooting tasks that are required to have the infrastructure to run Samba, not Samba itself.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.7.1"></a>Not logging on</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953594-0"></a>An occasional problem is forgetting to log in to the client or logging in as a wrong (account-less) person. The former is not diagnosed at all: Windows tries to be friendly and lets you on. Locally! The only warning of the latter is that Windows welcomes you and asks about your new account. Either of these leads to repeated refusals to connect and endless requests for passwords. If nothing else seems to work, try logging out or shutting down and logging in again.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-23768"></a>Troubleshooting Name Services</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953595-0"></a>This section looks at simple troubleshooting of all the name services that you will encounter, but only for the common problems that affect Samba.</p><p>There are several good references for troubleshooting particular name services: Paul Albitz and Cricket Liu's <span class="emphasis"><em>DNS and Bind</em></span> covers the Domain Name Service (DNS), Hal Stern's <span class="emphasis"><em>NFS and NIS</em></span> (both from O'Reilly) covers NIS ("Yellow pages") while WINS (Windows Internet Name Service), <code class="filename">hosts/LMHOSTS</code> files and NIS+ are best covered by their respective vendor's manuals.</p><p>The problems addressed in this section are:</p><div class="itemizedlist"><ul type="disc"><li><p>Identifying name services</p></li><li><p>A hostname can't be looked up</p></li><li><p>The long (FQDN) form of a hostname works but the short form doesn't</p></li><li><p>The short form of the name works, but the long form doesn't</p></li><li><p>A long delay ocurrs before the expected result</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.1"></a>Identifying what's in use</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953744-0"></a>First, see if both the server and the client are using DNS, WINS, NIS, or <code class="filename">hosts</code> files to look up IP addresses when you give them a name. Each kind of machine will have a different preference:</p><div class="itemizedlist"><ul type="disc"><li><p>Windows 95 and 98 machines will look in WINS and <code class="filename">LMHOSTS</code> files first, then broadcast, and finally try DNS and <code class="filename">hosts</code> files.</p></li><li><p>NT will look in WINS, then broadcast, LMHOSTS files, and finally <code class="filename">hosts</code> and DNS.</p></li><li><p>Windows programs using the WINSOCK standard (like PC-NFSs) will use hosts files, DNS, WINS, and then broadcast. Don't assume that if a different program's name service works, the SMB client program's name service will!</p></li><li><p>Samba daemons will use <code class="filename">LMHOSTS</code>, WINS, the Unix host's preference, and then broadcast.</p></li><li><p>Unix hosts can be configured to use any combination of DNS, <code class="filename">hosts</code> files, and NIS and NIS+, generally in any order.</p></li></ul></div><p>We recommend that the client machines be configured to use WINS and DNS, the Samba daemons to use WINS and DNS, and the Unix server to use DNS. You'll have to look at your notes and the actual machines to see which is in use.</p><p>On the clients, the name services are all set in the TCP/IP Properties panel of the Networking Control Panel, as discussed in <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>. You may need to check there to see what you've actually turned on. On the server, see if an <code class="filename">/etc/resolv.conf</code> file exists. If it does, you're using DNS. You may be using the others as well, though. You'll need to check for NIS and combinations of services.</p><p>Check for an <code class="filename">/etc/nsswitch.conf</code> file on Solaris and other System V Unix operating systems. If you have one, look for a line that begins <code class="literal">host</code>:, followed by one or more of <code class="literal">files</code>, <code class="literal">bind</code>, <code class="literal">nis</code> or <code class="literal">nis+</code>. These are the name services to use, in order, with optional extra material in square brackets. <span class="emphasis"><em>files</em></span> stands for using <span class="emphasis"><em>hosts</em></span> files, while <span class="emphasis"><em>bind</em></span> (the Berkeley Internet Name Daemon) stands for using DNS.</p><p>If the client and server differ, the first thing to do is to get them in sync. Clients can only use only DNS, WINS, <span class="emphasis"><em>hosts</em></span> files and <span class="emphasis"><em>lmhosts</em></span> files, not NIS or NIS+. Servers can use <span class="emphasis"><em>hosts</em></span> files, DNS, and NIS or NIS+, but not WINS—even if your Samba server provides WINS services. If you can't get all the systems to use the same services, you'll have to carefully check the server and the client for the same data.</p><p>Samba 2.0 (and late 1.9 versions) added a <code class="literal">-R</code><code class="option"> </code>(resolve order) option to <span class="emphasis"><em>smbclient</em></span>. If you want to troubleshoot WINS, for example, you'd say:</p><pre class="programlisting">smbclient -L <em class="replaceable"><code>server</code></em> -R wins</pre><p>The possible settings are <code class="literal">hosts</code> (which means whatever the Unix machine is using, not just<code class="filename"> /etc/hosts</code> files), <code class="literal">lmhosts</code>, <code class="literal">wins</code> and <code class="literal">bcast</code> (broadcast).</p><p>In the following sections, we use the term <span class="emphasis"><em>long name</em></span> for a fully-qualified domain name (FQDN), like <code class="literal">server.example.com </code>, and the term <span class="emphasis"><em>short name</em></span> for the host part of a FQDN, like <code class="literal">server</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.2"></a>Cannot look up hostnames</h4></div></div></div><p> <a class="indexterm" name="ch09-idx-953745-0"></a>Try the following:</p><div class="itemizedlist"><ul type="disc"><li><p>In DNS:</p><p>Run <code class="literal">nslookup</code> <em class="replaceable"><code>name</code></em>. If this fails, look for a <code class="filename">resolv.conf</code> error, a downed DNS server, or a short/long name problem (see the next section). Try the following:</p><div class="itemizedlist"><ul type="circle"><li><p>Your <code class="filename">/etc/resolv.conf</code> should contain one or more name-server lines, each with an IP address. These are the addresses of your DNS servers.</p></li><li><p>ping each of the server addresses you find. If this fails for one, suspect the machine. If it fails for each, suspect your network.</p></li><li><p>Retry the lookup using the full domain name (e.g., <span class="emphasis"><em>server.example.com</em></span>) if you tried the short name first, or the short name if you tried the long name first. If results differ, skip to the next section.</p></li></ul></div></li><li><p>In Broadcast/ WINS:</p><p>Broadcast/ WINS does only short names such as <code class="literal">server</code>, (not long ones, such as <code class="literal">server.example.com)</code>. Run <code class="literal">nmblookup</code> <code class="literal">-S</code> <em class="replaceable"><code>server</code></em>.<em class="replaceable"><code> </code></em>This reports everything broadcast has registered for the name. In our example, it looks like this:</p></li></ul></div><pre class="programlisting">Looking up status of 192.168.236.86 +received 10 names + SERVER <00> - M <ACTIVE> + SERVER <03> - M <ACTIVE> + SERVER <1f> - M <ACTIVE> + SERVER <20> - M <ACTIVE> + .._ _MSBROWSE_ _.<01> - <GROUP> M <ACTIVE> + MYGROUP <00> - <GROUP> M <ACTIVE> + MYGROUP <1b> - M <ACTIVE> + MYGROUP <1c> - <GROUP> M <ACTIVE> + MYGROUP <1d> - M <ACTIVE> + MYGROUP <1e> - <GROUP> M <ACTIVE></pre><div class="itemizedlist"><ul type="disc"><li><p> +The required entry is <code class="literal">SERVER</code> <code class="literal"><00></code>, which identifies <em class="replaceable"><code>server</code></em> as being this machine's NetBIOS name. You should also see your workgroup mentioned one or more times. If these lines are missing, Broadcast/WINS cannot look up names and will need attention.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>The numbers in angle brackets in the previous output identify NetBIOS names as being workgroups, workstations, and file users of the messenger service, master browsers, domain master browsers, domain controllers and a plethora of others. We primarily use <code class="literal"><00></code> to identify machine and workgroup names and <code class="literal"><20></code> to identify machines as servers. The complete list is available at <code class="systemitem">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</code>.</p></div><div class="itemizedlist"><ul type="disc"><li><p>In NIS:</p><p>Try <code class="literal">ypmatch</code> <code class="literal">name</code> <code class="literal">hosts</code>. If this fails, NIS is down. Find out the NIS server's name by running <span class="emphasis"><em>ypwhich</em></span>, and ping the machine it to see if it's accessible.</p></li><li><p>In NIS+:</p><p>If you're running NIS+, try <code class="literal">nismatch</code> <code class="literal">name</code> <code class="literal">hosts</code>. If this fails, NIS is down. Find out the NIS server's name by running <span class="emphasis"><em>niswhich</em></span>, and ping that machine to see if it's accessible.</p></li><li><p>In <code class="filename">hosts</code> files:</p><p>Inspect <code class="filename">/etc/hosts</code> on the client (<code class="literal">C:\WINDOWS\HOSTS</code>). Each line should have an IP number and one or more names, the primary name first, then any optional aliases. An example follows:</p></li></ul></div><pre class="programlisting">127.0.0.1 localhost + 192.168.236.1 dns.svc.example.com + 192.168.236.10 client.example.com client + 192.168.236.11 backup.example.com loghost + 192.168.236.86 server.example.com server + 192.168.236.254 router.svc.example.com</pre><div class="itemizedlist"><ul type="disc"><li><p> +On Unix, <code class="literal">localhost</code> should always be 127.0.0.1, although it may be just an alias for a hostname on the PC. On the client, check that there are no <code class="literal">#XXX</code> directives at the ends of the lines; these are LAN Manager/NetBIOS directives, and should appear only in <span class="emphasis"><em>LMHOSTS</em></span> files (<code class="literal">C:\WINDOWS\LMHOSTS</code>).</p></li><li><p>In <span class="emphasis"><em>LMHOSTS</em></span> files:</p><p>This file is a local source for LAN Manager (NetBIOS) names. It has a format very similar to <code class="filename">/etc/hosts</code> files, but does not support long-form domain names (e.g., <code class="literal">server.example.com</code>), and may have a number of optional <code class="literal">#XXX</code> directives following the names. Note there usually is a <span class="emphasis"><em>lmhosts.sam</em></span> (for sample) file in <code class="literal">C:\WINDOWS</code>, but it's not used unless renamed to <code class="literal">C:\WINDOWS\LMHOSTS</code>.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.3"></a>Long and short hostnames</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953754-0"></a>Where the long (FQDN) form of a hostname works but the short name doesn't (for example, <code class="literal">client.example.com</code> works but <code class="literal">client</code> doesn't), consider the following:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>This usually indicates there is no default domain in which to look up the short names. Look for a <code class="literal">default</code> line in <code class="filename">/etc/resolv.conf</code> on the Samba server with your domain in it, or a <code class="literal">search</code> line with one or more domains in it. One or the other may need to be present to make short names usable; which one depends on vendor and version of the DNS resolver. Try adding <code class="literal">domain</code> <em class="replaceable"><code>your domain</code></em> to <code class="filename">resolv.conf</code> and ask your network or DNS administrator what should have been in the file.</p></li><li><p>Broadcast/WINS:</p><p>Broadcast/WINS doesn't support long names; it won't suffer from this problem.</p></li><li><p>NIS:</p><p>Try the command <code class="literal">ypmatch</code> <code class="literal">hostname</code> <code class="literal">hosts</code>. If you don't get a match, your tables don't include short names. Speak to your network manager; short names may be missing by accident, or may be unsupported as a matter of policy. Some sites don't ever use (ambiguous) short names.</p></li><li><p>NIS+ :</p><p>Try <code class="literal">nismatch</code> <em class="replaceable"><code>hostname</code></em> <code class="literal">hosts</code>, and treat failure exactly as with NIS above.</p></li><li><p><span class="emphasis"><em>hosts:</em></span></p><p>If the short name is not in <code class="filename">/etc/hosts</code>, consider adding it as an alias. Avoid, if you can, short names as primary names (the first one on a line). Have them as aliases if your system permits.</p></li><li><p><code class="filename">LMHOSTS</code>:</p><p>LAN Manager doesn't support long names, so it won't suffer from this problem.</p></li></ul></div><p>On the other hand, if the short form of the name works and the long doesn't, consider the following:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>This is bizarre; see your network or DNS administrator, as this is probably a DNS setup bug.</p></li><li><p>Broadcast/WINS:</p><p>This is a normal bug; Broadcast/WINS can't use the long form. Optionally, consider DNS. Microsoft has stated that they will switch to DNS, though it's not providing name types like <00>.</p></li><li><p>NIS:</p><p>If you can use <code class="literal">ypmatch</code> to look up the short form but not the long, consider adding the long form to the table as at least an alias.</p></li><li><p>NIS+:</p><p>Same as NIS, except you use <code class="literal">nismatch</code> instead of <code class="literal">ypmatch</code> to look up names.</p></li><li><p><code class="filename">hosts:</code></p><p>Add the long name as at least an alias, and preferably as the primary form. Also consider using DNS if it's practical.</p></li><li><p><code class="filename">LMHOSTS</code>:</p><p>This is a normal bug. LAN Manager can't use the long form; consider switching to DNS or <code class="filename">hosts</code>.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.4"></a>Unusual delays</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953755-0"></a>When there is a long delay before the expected result:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>Test the same name with the <span><strong class="command">nslookup</strong></span> command on the machine (client or server) that is slow. If <span><strong class="command">nslookup</strong></span> is also slow, you have a DNS problem. If it's slower on a client, you have too many protocols bound to the Ethernet card. Eliminate NetBEUI, which is infamously slow, and optionally, Novel, assuming you don't need them. This is especially important on Windows 95, which is particularly sensitive to excess protocols.</p></li><li><p>Broadcast/ WINS:</p><p>Test the client using <code class="literal">nmblookup</code>, and if it's faster, you probably have the protocols problem as mentioned in the previous item.</p></li><li><p>NIS:</p><p>Try <code class="literal">ypmatch</code>, and if it's slow, report the problem to your network manager.</p></li><li><p>NIS+:</p><p>Try <code class="literal">nismatch</code>, similarly.</p></li><li><p><span class="emphasis"><em>hosts</em></span>:</p><p><span class="emphasis"><em>hosts</em></span> files, if of reasonable size, are always fast. You probably have the protocols problem mentioned under DNS, above.</p></li><li><p><span class="emphasis"><em>LMHOSTS</em></span>:</p><p>This is not a name lookup problem; <span class="emphasis"><em>LMHOSTS</em></span> files are as fast as <span class="emphasis"><em>hosts</em></span> files.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.5"></a>Localhost issues</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953756-0"></a>When a localhost isn't 127.0.0.1, try the following:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>There is probably no record for <code class="literal">localhost.</code> <code class="literal">A</code> <code class="literal">127.0.0.1</code>. Arrange to add one, and a reverse entry, <code class="literal">1.0.0.127.IN-ADDR.ARPA</code> <code class="literal">PTR</code> <code class="literal">127.0.0.1</code>.</p></li><li><p>Broadcast/WINS:</p><p>Not applicable.</p></li><li><p>NIS:</p><p>If <code class="literal">localhost</code> isn't in the table, add it.</p></li><li><p>NIS+:</p><p>If <code class="literal">localhost</code> isn't in the table, add it.</p></li><li><p><code class="filename">hosts:</code></p><p>Add a line is the <span class="emphasis"><em>hosts</em></span> file that says <code class="literal">127.0.0.1</code> <code class="literal">localhost</code></p></li><li><p><code class="filename">LMHOSTS</code>:</p><p>Not applicable.<a class="indexterm" name="ch09-idx-953603-0"></a></p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.9"></a>Troubleshooting Network Addresses</h3></div></div></div><p>A number of common problems are caused by incorrect Internet address routing or the incorrect assignment of addresses. This section helps you determine what your addresses are.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-21203"></a>Netmasks</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953973-0"></a> +<a class="indexterm" name="ch09-idx-953973-1"></a> +<a class="indexterm" name="ch09-idx-953973-2"></a>The <a class="indexterm" name="ch09-idx-953974-0"></a>netmasks tell each machine which addresses can be reached directly (are on your local network) and which addresses require forwarding packets through a router. If the netmask is wrong, the machines will make one of two mistakes. One is to try to route local packets via a router, which is an expensive way to waste time—it may work reasonably fast, it may run slowly, or it may fail utterly. The second mistake is to fail to send packets for a remote machine to the router, which will prevent them from being forwarded to the remote machine.</p><p>The netmask is a number like an IP address, with one-bits for the network part of an address and zero-bits for the host portion. The netmask is literally used to mask off parts of the address inside the TCP/IP code. If the mask is 255.255.0.0, the first 2 bytes are the network part and the last 2 are the host part. More common is 255.255.255.0, in which the first 3 bytes are the network part and the last one is the host part.</p><p>For example, let's say your IP address is 192.168.0.10 and the Samba server is 192.168.236.86. If your netmask happens to be 255.255.255.0, the network part of the addresses is the first 3 bytes and the host part is the last byte. In this case, the network parts are different, and the machines are on different networks:</p><div class="informaltable"><table border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Network Part</p></th><th><p>Host Part</p></th></tr></thead><tbody><tr><td><p>192 168 000</p></td><td><p>10</p></td></tr><tr><td><p>192 168 235</p></td><td><p>86</p></td></tr></tbody></table></div><p>If your netmask happens to be 255.255.0.0, the network part is just the first two bytes. In this case, the network parts match and so the two machines are on the same network:</p><div class="informaltable"><table border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Network Part</p></th><th><p>Host Part</p></th></tr></thead><tbody><tr><td><p>192 168</p></td><td><p>000 10</p></td></tr><tr><td><p>192 168</p></td><td><p>236 86</p></td></tr></tbody></table></div><p>Of course, if your netmask says one thing and your network manager says another, the netmask is wrong.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-45060"></a>Broadcast addresses</h4></div></div></div><p>The <a class="indexterm" name="ch09-idx-953758-0"></a>broadcast address is a normal address, with the hosts part all one-bits. It means "all hosts on your network." You can compute it easily from your netmask and address: take the address and put one-bits in it for all the bits that are zero at the end of the netmask (the host part). The following table illustrates this:</p><div class="informaltable"><table border="1"><colgroup><col><col><col></colgroup><thead><tr><th> </th><th><p>Network Part</p></th><th><p>Host Part</p></th></tr></thead><tbody><tr><td><p><span class="bold"><strong>IP address</strong></span></p></td><td><p>192 168 236</p></td><td><p>86</p></td></tr><tr><td><p><span class="bold"><strong>Netmask</strong></span></p></td><td><p>255 255 255</p></td><td><p>000</p></td></tr><tr><td><p><span class="bold"><strong>Broadcast</strong></span></p></td><td><p>192 168 236</p></td><td><p>255</p></td></tr></tbody></table></div><p>In this example, the broadcast address on the 192.168.236 network is 192.168.236.255. There is also an old "universal" broadcast address, 255.255.255.255. Routers are prohibited from forwarding these, but most machines on your local network will respond to broadcasts to this address.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.9.3"></a>Network address ranges</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953762-0"></a>A number of address ranges have been reserved for testing and for non-connected networks; we use one of these for the book. If you don't have an address yet, feel free to use one of these to start with. They include one class A (large) network, 10.*.*.*, and 254 class C (smaller) networks, 192.168.1.* through to 192.168.254.*. In this book we use one of the latter, 192.168.236.*. The domain <code class="filename">example.com</code> is also reserved for unconnected networks, explanatory examples, and books.</p><p>If you're actually connecting to the Internet, you'll need to get a real network and a domain name, probably through the same company that provides your connection.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.9.4"></a>Finding your network address</h4></div></div></div><p> +<a class="indexterm" name="ch09-idx-953761-0"></a>If you haven't recorded your IP address, it will be displayed by the <span><strong class="command">ifconfig</strong></span> command on Unix or by the IPCONFIG command on Windows 95 and NT. (Check your manual pages for any options required by your brand of Unix: Sun wants <code class="literal">ifconfig</code> <code class="literal">-a</code>). You should see output similar to the following:</p><pre class="programlisting">server% ifconfig -a +le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING > + inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255 +lo0: flags=49<&lt>UP,LOOPBACK,RUNNING<&gt> + inet 127.0.0.1 netmask ff000000</pre><p>One of the interfaces will be loopback (in our examples <code class="literal">lo0</code>), and the other will be the regular IP interface. The flags should show that the interface is running, and Ethernet interfaces will also say they support broadcasts (PPP interfaces don't). The other places to look for IP addresses are <code class="filename">/etc/hosts</code> files, Windows <span class="emphasis"><em>HOSTS</em></span> files, Windows <span class="emphasis"><em>LMHOSTS</em></span> files, NIS, NIS+ and DNS.<a class="indexterm" name="ch09-idx-953611-0"></a> +<a class="indexterm" name="ch09-idx-953611-1"></a> +<a class="indexterm" name="ch09-idx-953611-2"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-35552"></a>Troubleshooting NetBIOS Names</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953616-0"></a>Historically, SMB protocols have depended on the NetBIOS name system, also called the LAN Manager name system. This was a simple scheme where each machine had a unique 20-character name and broadcast it on the LAN for everyone to know. With TCP/IP, we tend to use names like <span class="emphasis"><em>client.example.com</em></span> stored in <code class="filename">/etc/hosts</code> files, through DNS or WINS.</p><p>The usual mapping to domain names such as <span class="emphasis"><em>server.example.com</em></span> simply uses the <span class="emphasis"><em>server</em></span> part as the NetBIOS name and converts it to uppercase. Alas, this doesn't always work, especially if you have a machine with a 21-character name; not everyone uses the same NetBIOS and DNS names. For example, <span class="emphasis"><em>corpvm1</em></span> along with <span class="emphasis"><em>vm1.corp.com</em></span> is not unusual.</p><p>A machine with a different NetBIOS name and domain name is confusing when you're troubleshooting; we recommend that you try to avoid this wherever possible. NetBIOS names are discoverable with <span class="emphasis"><em>smbclient</em></span> :</p><div class="itemizedlist"><ul type="disc"><li><p>If you can list shares on your Samba server with <span class="emphasis"><em>smbclient</em></span> and a <code class="literal">-L</code> option (list shares) of <em class="replaceable"><code>short_name_of_server</code></em>, the short name is the NetBIOS name.</p></li><li><p>If you get "Get_Hostbyname: Unknown host name," there is probably a mismatch. Check in the <code class="filename">smb.conf</code> file to see if the NetBIOS name is explicitly set.</p></li><li><p>Try again, specifying <code class="literal">-I</code> and the IP address of the Samba server (e.g., <code class="literal">smbclient</code> <code class="literal">-L</code> <code class="literal">server</code> <code class="literal">-I</code> <code class="literal">192.168.236.86</code>). This overrides the name lookup and forces the packets to go to the IP address. If this works, there was a mismatch.</p></li><li><p>Try with <code class="literal">-I</code> and the full domain name of the server (e.g., <code class="literal">smbclient</code> <code class="literal">-L</code> <code class="literal">server</code> <code class="literal">-I</code> <code class="literal">server.example.com</code>). This tests the lookup of the domain name, using whatever scheme the Samba server uses (e.g., DNS). If it fails, you have a name service problem. You should reread <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a> after you finish troubleshooting the NetBIOS names.</p></li><li><p>Try with <code class="literal">-n</code> (NetBIOS name) and the name you expect to work (e.g., <code class="literal">smbclient</code> <code class="literal">-n</code> <code class="literal">server</code> <code class="literal">-L</code> <code class="literal">server-12</code>) but without overriding the IP address through <code class="literal">-I</code>. If this works, the name you specified with <code class="literal">-n</code> is the actual NetBIOS name of the server. If you receive "Get-Hostbyname: Unknown host MARY," it's not the right server yet.</p></li><li><p>If nothing is working so far, repeat the tests specifying <code class="literal">-U</code> <em class="replaceable"><code>username</code></em> and <code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em>, with the username and workgroup in uppercase, to make sure you're not being derailed by a user or workgroup mismatch.</p></li><li><p>If nothing works still and you had evidence of a name service problem, troubleshoot name service in <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>," and then return to NetBIOS name<a class="indexterm" name="ch09-idx-953533-0"></a> +<a class="indexterm" name="ch09-idx-953533-1"></a> service.<a class="indexterm" name="ch09-idx-953526-0"></a></p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch09-49719"></a>Extra Resources</h2></div></div></div><p> +<a class="indexterm" name="ch09-idx-953618-0"></a> +<a class="indexterm" name="ch09-idx-953618-1"></a>At some point during your Samba career, you will want to turn to online or printed resources for news, updates, and aid.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.1"></a>Documentation and FAQs</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953626-0"></a> +<a class="indexterm" name="ch09-idx-953626-1"></a>It's okay to read the documentation. Really. Nobody can see you, and we won't tell. In fact, Samba ships with a large set of documentation files, and it is well worth the effort to at least browse through them, either in the distribution directory on your computer under <code class="filename">/docs</code>, or online at the Samba web site: <a class="indexterm" name="ch09-idx-953628-0"></a> +<a class="indexterm" name="ch09-idx-953628-1"></a><code class="systemitem">http://samba.anu.edu.au/samba/</code>. The most current FAQ list, bug information, and distribution locations are located at the web site, with links to all of the Samba manual pages and HOW-TOs.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.2"></a>Samba Newsgroups</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953634-0"></a>Usenet newsgroups have always been a great place to get advice on just about any topic. In the past few years, though, this vast pool of knowledge has developed something that has made it into an invaluable resource: a memory. Archival and search sites such as DejaNews (<code class="systemitem">http://www.dejanews.com</code>) have made sifting through years of valuable solutions on a topic as simple as a few mouse clicks.</p><p>The primary newsgroup for Samba is <span class="emphasis"><em>comp.protocols.smb</em></span>. This should always be your first stop when there's a problem. More often than not, spending five minutes researching an error here will save hours of frustration while trying to debug something yourself.</p><p>When searching a newsgroup, try to be as specific as possible, but not too wordy. Searching on actual error messages is best. If you don't find an answer immediately in the newsgroup, resist the temptation to post a request for help until you've done a bit more work on the problem. You may find that the answer is in a FAQ or one of the many documentation files that ships with Samba, or a solution might become evident when you run one of Samba's diagnostic tools. If nothing works, post a request in <span class="emphasis"><em>comp.protocols.smb</em></span>, and be as specific as possible about what you have tried and what you are seeing. Include any error messages that appear. It may be several days before you receive help, so be patient and keep trying things while you wait.</p><p>Once you post a request for help, keep poking at the problem yourself. Most of us have had the experience of posting a Usenet article containing hundreds of lines of intricate detail, only to solve the problem an hour later after the article has blazed its way across several continents. The rule of thumb goes something like this: the more folks who have read your request, the simpler the solution. Usually this means that once everyone in the Unix community has seen your article, the solution will be something simple like, "Plug the computer into the wall socket."</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.3"></a>Samba Mailing Lists</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953635-0"></a>The following are mailing lists for support with Samba. See the Samba homepage, <code class="systemitem">http://www.samba.org/</code> for information on subscribing and unsubscribing to these mailing lists:</p><div class="variablelist"><dl><dt><span class="term"><code class="email"><<a href="mailto:samba-binaries@samba.org">samba-binaries@samba.org</a>></code></span></dt><dd><p>This mailing list has information on precompiled binaries for the Samba platform.</p></dd><dt><span class="term"><code class="email"><<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>></code></span></dt><dd><p>This mailing list is the place to report suspected bugs in Samba.</p></dd><dt><span class="term"><code class="email"><<a href="mailto:samba-ntdom@samba.org">samba-ntdom@samba.org</a>></code></span></dt><dd><p>This mailing list has information on support for domains (particularly Windows NT) with the Samba product.</p></dd><dt><span class="term"><code class="email"><<a href="mailto:samba-technical@samba.org">samba-technical@samba.org</a>></code></span></dt><dd><p>This mailing list maintains debate about where the future of Samba is headed.</p></dd><dt><span class="term"><code class="email"><<a href="mailto:samba@samba.org">samba@samba.org</a>></code></span></dt><dd><p>This is the primary Samba mailing list that contains general questions and HOW-TO information on Samba.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.4"></a>Samba Discussion Archives</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953640-0"></a>There is a search service for the primary Samba mailing list. At the time this book was written, it was listed under "searchable" in the Sources paragraph on the first page of the Samba site and its mirrors, <code class="systemitem">http://samba.anu.edu.au/listproc/ghindex.html</code>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.5"></a>Further Reading</h3></div></div></div><p> +<a class="indexterm" name="ch09-idx-953645-0"></a>Hunt, Craig; <em class="citetitle">TCP/IP +Network Administration: 2nd Edition</em>. Sebastopol, CA: +O'Reilly and Associates, 1997 (ISBN 1-56592-322-7).</p><p>Hunt, Craig, and Robert Bruce Thompson; <em class="citetitle">Windows NT +TCP/IP Network Administration</em>. Sebastopol, CA: O'Reilly +and Associates, 1998 (ISBN 1-56592-377-4).</p><p> +<a class="indexterm" name="ch09-idx-953646-0"></a>Albitz, Paul, and Cricket Liu; +<em class="citetitle">DNS and Bind, 3rd Edition</em>. Sebastopol, CA: +O'Reilly and Associates, 1998 (ISBN 1-56592-512-2).</p><p> +<a class="indexterm" name="ch09-idx-953653-0"></a> +<a class="indexterm" name="ch09-idx-953653-1"></a> +<a class="indexterm" name="ch09-idx-953653-2"></a> +<a class="indexterm" name="ch09-idx-953657-0"></a>Stern, Hal; <em class="citetitle">Managing NFS +and NIS</em>. Sebastopol, CA: O'Reilly and Associates, 1991 +(ISBN 0-937175-75-7).<a class="indexterm" name="ch09-idx-953621-0"></a> <a class="indexterm" name="ch09-idx-953621-1"></a></p></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-A"></a>Appendix A. Configuring Samba with SSL</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appa-SECT-1">A.1. About Certificates</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-1.1">A.1.1. What is a Certificate?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.2">A.1.2. What is an X.509 certificate, technically?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.3">A.1.3. What are the implications of this certificate structure?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-2">A.2. Requirements</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-3">A.3. Installing SSLeay</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-3.1">A.3.1. Configuring SSLeay for Your System</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.2">A.3.2. Configuring Samba to use SSL</a></span></dt><dt><span class="sect2"><a href="#appa-62097">A.3.3. Becoming a Certificate Authority</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.4">A.3.4. Creating Certificates for Clients</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.5">A.3.5. Configuring the Samba Server</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.6">A.3.6. Testing with smbclient</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-4">A.4. Setting Up SSL Proxy</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-5">A.5. SSL Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-5.0.1">A.5.1. +ssl</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.2">A.5.2. +ssl hosts</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.3">A.5.3. +ssl hosts resign</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.4">A.5.4. +ssl CA certDir</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.5">A.5.5. +ssl CA certFile</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.6">A.5.6. +ssl server cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.7">A.5.7. +ssl server key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.8">A.5.8. +ssl client cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.9">A.5.9. +ssl client key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.10">A.5.10. +ssl require clientcert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.11">A.5.11. +ssl require servercert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.12">A.5.12. +ssl ciphers</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.13">A.5.13. +ssl version</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.14">A.5.14. +ssl compatibility</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="appa-idx-990325-0"></a> +<a class="indexterm" name="appa-idx-990325-1"></a>This appendix describes how to set up Samba to use secure connections between the Samba server and its clients. The protocol used here is Netscape's Secure Sockets Layer (SSL). For this example, we will establish a secure connection between a Samba server and a Windows NT workstation.</p><p>Before we begin, we will assume that you are familiar with the fundamentals of public-key cryptography and X.509 certificates. If not, we highly recommend Bruce Schneier's <code class="filename">Applied Cryptography, 2nd Edition</code> (Wiley) as the premiere source for learning the many secret faces of cryptography.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on Samba and SSL, be sure to look at the document <code class="filename">SSLeay.txt</code> in the <code class="filename">docs/textdocs</code> directory of the Samba distribution, which is the basis for this appendix.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-1"></a>About Certificates</h2></div></div></div><p>Here are a few quick questions and answers from the <code class="filename">SSLeay.txt</code> file in the Samba documentation, regarding the benefits of SSL and certificates. This text was written by Christian Starkjohann for the Samba projects.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-1.1"></a>What is a Certificate?</h3></div></div></div><p>A certificate is issued by an issuer, usually a <span class="emphasis"><em>Certification Authority</em></span> (CA), who confirms something by issuing the certificate. The subject of this confirmation depends on the CA's policy. CAs for secure web servers (used for shopping malls, etc.) usually attest only that the given public key belongs the given domain name. Company-wide CAs might attest that you are an employee of the company, that you have permissions to use a server, and so on.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-1.2"></a>What is an X.509 certificate, technically?</h3></div></div></div><p>Technically, the certificate is a block of data signed by the certificate issuer (the CA). The relevant fields are:</p><div class="itemizedlist"><ul type="disc"><li><p> +Unique identifier (name) of the certificate issuer</p></li><li><p>Time range during which the certificate is valid</p></li><li><p>Unique identifier (name) of the certified object</p></li><li><p>Public key of the certified object</p></li><li><p>The issuer's signature over all the above</p></li></ul></div><p>If this certificate is to be verified, the verifier must have a table of the names and public keys of trusted CAs. For simplicity, these tables should list certificates issued by the respective CAs for themselves (self-signed certificates).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-1.3"></a>What are the implications of this certificate structure?</h3></div></div></div><p>Four implications follow:</p><div class="itemizedlist"><ul type="disc"><li><p>Because the certificate contains the subjects's public key, the certificate and the private key together are all that is needed to encrypt and decrypt.</p></li><li><p>To verify certificates, you need the certificates of all CAs you trust.</p></li><li><p>The simplest form of a dummy-certificate is one that is signed by the subject.</p></li><li><p>A CA is needed. The client can't simply issue local certificates for servers it trusts because the server determines which certificate it presents.</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-2"></a>Requirements</h2></div></div></div><p> +<a class="indexterm" name="appa-idx-990348-0"></a> +<a class="indexterm" name="appa-idx-990348-1"></a>To set up SSL connections, you will need to download two programs in addition to Samba:</p><div class="variablelist"><dl><dt><span class="term"> +<a class="indexterm" name="appa-idx-990613-0"></a>SSLeay</span></dt><dd><p>Eric <a class="indexterm" name="appa-idx-990362-0"></a>Young's implementation of the Secure Socket's Layer (SSL) protocol as a series of Unix programming libraries</p></dd><dt><span class="term"> +<a class="indexterm" name="appa-idx-990357-0"></a>SSL Proxy</span></dt><dd><p>A freeware SSL application from Objective Development, which can be used to proxy a secure link on Unix or Windows NT platforms</p></dd></dl></div><p>These two products assist with the server and client side of the encrypted SSL connection. The SSLeay libraries are compiled and installed directly on the Unix system. SSL Proxy, on the other hand, can be downloaded and compiled (or downloaded in binary format) and located on the client side. If you intend to have a Windows NT client or a Samba client on the other end of the SSL connection, you will not require a special setup.</p><p>SSL Proxy, however, does not work on Windows 95/98 machines. Therefore, if you want to have a secure connection between a Samba server and Windows 95/98 client, you will need to place either a Unix server or a Windows NT machine on the same subnet with the Windows 9<span class="emphasis"><em>x</em></span> clients and route all network connections through the SSL-Proxy-enabled machine. See <a href="#appa-89929" title="Figure A.1. Two possible ways of proxying Windows 95/98 clients">Figure 1.1</a>.</p><div class="figure"><a name="appa-89929"></a><p class="title"><b>Figure A.1. Two possible ways of proxying Windows 95/98 clients</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 317px"><td><img src="figs/sam.aa01.gif" height="317" alt="Two possible ways of proxying Windows 95/98 clients"></td></tr></table></div></div></div><br class="figure-break"><p>For the purposes of this chapter, we will create a simple SSL connection between the Samba server and a Windows NT client. This configuration can be used to set up more complex networks at the administrator's discretion.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-3"></a>Installing SSLeay</h2></div></div></div><p>Samba uses the SSLeay package, written by Eric Young, to provide Secure Sockets Layer support on the server side. Because of U.S. export law, however, the SSLeay package cannot be shipped with Samba distributions that are based in the United States. For that reason, the Samba creators decided to leave it as a separate package entirely. You can download the SSLeay distribution from any of the following sites:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="systemitem">ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/</code></p></li><li><p><code class="systemitem">ftp://ftp.uni-mainz.de/pub/internet/security/ssl</code></p></li><li><p><code class="systemitem">ftp://ftp.cert.dfn.de/pub/tools/crypt/sslapps</code></p></li><li><p><code class="systemitem">ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.psy.uq.oz.au</code></p></li><li><p><code class="systemitem">ftp://ftp.sunet.se/ftp/pub/security/tools/crypt/ssleay</code></p></li></ul></div><p>The latest version as of this printing is 0.9.0b. Download it to the same server as the Samba distribution, then uncompress and untar it. You should be left with a directory entitled <code class="filename">SSLeay-0.9.0b</code>. After changing to that directory, you will need to configure and build the SSL encryption package in the same way that you did with Samba.</p><p>SSLeay uses a Perl-based <code class="filename">configure</code> script. This script modifies the Makefile that constructs the utilities and libraries of the SSLeay package. However, the default script is hardcoded to find Perl at <code class="filename">/usr/local/bin/perl</code>. You may need to change the <code class="filename">configure</code> script to point to the location of the Perl executable file on your Unix system. For example, you can type the following to locate the Perl executable:</p><pre class="programlisting"># <strong class="userinput"><code>which perl</code></strong> +/usr/bin/perl</pre><p>Then modify the first line of the <code class="filename">configure</code> script to force it to use the correct Perl executable. For example, on our Red Hat Linux system:</p><pre class="programlisting">#!/usr/bin/perl +# +# see PROBLEMS for instructions on what sort of things to do +# when tracking a bug -tjh +...</pre><p>After that, you need to run the <code class="filename">configure</code> script by specifying a target platform for the distribution. This target platform can be any of the following:</p><pre class="programlisting">BC-16 BC-32 FreeBSD NetBSD-m86 +NetBSD-sparc NetBSD-x86 SINIX-N VC-MSDOS +VC-NT VC-W31-16 VC-W31-32 VC-WIN16 +VC-WIN32 aix-cc aix-gcc alpha-cc +alpha-gcc alpha400-cc cc cray-t90-cc +debug debug-irix-cc debug-linux-elf dgux-R3-gcc +dgux-R4-gcc dgux-R4-x86-gcc dist gcc +hpux-cc hpux-gcc hpux-kr-cc irix-cc +irix-gcc linux-aout linux-elf ncr-scde +nextstep purify sco5-cc solaris-sparc-cc +solaris-sparc-gcc solaris-sparc-sc4 solaris-usparc-sc4 solaris-x86-gcc +sunos-cc sunos-gcc unixware-2.0 unixware</pre><p>For our system, we would enter the following:</p><pre class="programlisting"># <strong class="userinput"><code>./Configure linux-elf</code></strong> +CC =gcc +CFLAG =-DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer +EX_LIBS = +BN_MULW =asm/bn86-elf.o +DES_ENC =asm/dx86-elf.o asm/yx86-elf.o +BF_ENC =asm/bx86-elf.o +CAST_ENC =asm/cx86-elf.o +RC4_ENC =asm/rx86-elf.o +RC5_ENC =asm/r586-elf.o +MD5_OBJ_ASM =asm/mx86-elf.o +SHA1_OBJ_ASM =asm/sx86-elf.o +RMD160_OBJ_ASM=asm/rm86-elf.o +THIRTY_TWO_BIT mode +DES_PTR used +DES_RISC1 used +DES_UNROLL used +BN_LLONG mode +RC4_INDEX mode</pre><p>After the package has been configured, you can build it by typing <code class="literal">make</code>. If the build did not successfully complete, consult the documentation that comes with the distribution or the FAQ at <code class="systemitem">http://www.cryptsoft.com/ssleay/</code> for more information on what may have happened. If the build did complete, type <code class="literal">make</code> <code class="literal">install</code> to install the libraries on the system. Note that the makefile installs the package in <code class="filename">/usr/local/ssl</code> by default. If you decide to install it in another directory, remember the directory when configuring Samba to use SSL.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.1"></a>Configuring SSLeay for Your System</h3></div></div></div><p>The first thing you need to do is to set the <code class="literal">PATH</code> environment variable on your system to include the <code class="filename">/bin</code> directory of the SSL distribution. This can be done with the following statement:</p><pre class="programlisting">PATH=$PATH:/usr/local/ssl/bin</pre><p>That's the easy part. Following that, you will need to create a random series of characters that will be used to prime SSLeay's random number generator. The random number generator will be used to create key pairs for both the clients and the server. You can create this random series by filling a text file of a long series of random characters. For example, you can use your favorite editor to create a text file with random characters, or use this command and enter arbitrary characters at the standard input:</p><pre class="programlisting">cat >/tmp/private.txt</pre><p>The Samba documentation recommends that you type characters for longer than a minute before interrupting the input stream by hitting Control-D. Try not to type only the characters that are under your fingers on the keyboard; throw in some symbols and numbers as well. Once you've completed the random file, you can prime the random number generator with the following command:</p><pre class="programlisting"># ssleay genrsa -rand /tmp/private.txt >/dev/null +2451 semi-random bytes loaded +Generating RSA private key, 512 bit long modulus +..+++++ +.................................+++++ +e is 65537 (0x10001)</pre><p>You can safely ignore the output of this command. After it has completed, remove the series of characters used to create the key because this could be used to recreate any private keys that were generated from this random number generator:</p><pre class="programlisting">rm -f /tmp/private.txt</pre><p>The result of this command is the hidden file .<span class="emphasis"><em>rnd</em></span>, which is stored in your home directory. SSLeay will use this file when creating key pairs in the future.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.2"></a>Configuring Samba to use SSL</h3></div></div></div><p> +<a class="indexterm" name="appa-idx-990398-0"></a>At this point, you can compile Samba to use SSL. Recall that in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>, we said you have to first run the configure script, which initializes the makefile, before you compile Samba. In order to use SSL with Samba, you will need to reconfigure the makefile:</p><pre class="programlisting">./configure --with-ssl</pre><p>After that, you can compile Samba with the following commands:</p><pre class="programlisting"># <strong class="userinput"><code>make clean</code></strong> +# <strong class="userinput"><code>make all</code></strong></pre><p>If you encounter an error that says the <code class="filename">smbd</code> executable is missing the file <code class="filename">ssl.h</code>, you probably didn't install SSLeay in the default directory. Use the configure option <code class="literal">--with-sslinc</code> to point to the base directory of the SSL distribution—in this case, the directory that contains <span class="emphasis"><em>include/ssl.h</em></span>.</p><p>On the other hand, if you have a clean compile, you're ready to move on to the next step: creating certificates.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-62097"></a>Becoming a Certificate Authority</h3></div></div></div><p><em class="firstterm"></em> +<a class="indexterm" name="appa-idx-990405-0"></a>The SSL protocol requires the use of X.509 certificates in the protocol handshake to ensure that either one or both parties involved in the communication are indeed who they say they are. Certificates in real life, such as those use for SSL connections on public web sites, can cost in the arena of $300 a year. This is because the certificate must have a digital signature placed on it by a <em class="firstterm">certificate authority</em>. A certificate authority is an entity that vouches for the authenticity of a digital certificate by signing it with its own private key. This way, anyone who wishes to check the authenticity of the certificate can simply use the certificate authority's public key to check the signature.</p><p>You are allowed to use a public certificate authority with SSLeay. However, you don't have to. Instead, SSLeay will allow you to declare yourself a trusted certificate authority—specifying which clients you choose to trust and which clients you do not. In order to do this, you will need to perform several tasks with the SSLeay distribution.</p><p>The first thing you need to do is specify a secure location where the certificates of the clients and potentially the server will be stored. We have chosen <code class="filename">/etc/certificates</code> as our default. Execute the following commands as <code class="literal">root</code>:</p><pre class="programlisting"># <strong class="userinput"><code>cd /etc</code></strong> +# <strong class="userinput"><code>mkdir certificates</code></strong> +# <strong class="userinput"><code>chmod 700 certificates</code></strong></pre><p>Note that we shut out all access to users other than <code class="literal">root</code> for this directory. This is very important.</p><p>Next, you need to set up the SSLeay scripts and configuration files to use the certificates stored in this directory. In order to do this, first modify the <code class="filename">CA.sh</code> script located at <span class="emphasis"><em>/usr/local/ssl/bin/CA.sh</em></span> to specify the location of the directory you just created. Find the line that contains the following entry:</p><pre class="programlisting">CATOP=./demoCA</pre><p>Then change it to:</p><pre class="programlisting">CATOP=/etc/certificates</pre><p>Next, you need to modify the <span class="emphasis"><em>/usr/local/ssl/lib/ssleay.cnf</em></span> file to specify the same directory. Find the entry:</p><pre class="programlisting">[ CA_default ] +dir = ./demoCA # Where everything is kept</pre><p>Then change it to:</p><pre class="programlisting">[ CA_default ] +dir = /etc/certificates # Where everything is kept</pre><p>Next, run the certificate authority setup script, <code class="filename">CA.sh</code>, in order to create the certificates. Be sure to do this as the same user that you used to prime the random number generator above:</p><pre class="programlisting">/usr/local/ssl/bin/CA.sh -newca +mkdir: cannot make directory '/etc/certificates': File exists +CA certificate filename (or enter to create)</pre><p>Press the Enter key to create a certificate for the CA. You should then see:</p><pre class="programlisting">Making CA certificate ... +Using configuration from /usr/local/ssl/lib/ssleay.cnf +Generating a 1024 bit RSA private key +.............................+++++ +.....................+++++ +writing new private key to /etc/certificates/private/cakey.pem +Enter PEM pass phrase:</pre><p>Enter a new pass phrase for your certificate. You will need to enter it twice correctly before SSLeay will accept it:</p><pre class="programlisting">Enter PEM pass phrase: +Verifying password - Enter PEM pass phrase:</pre><p>Be sure to remember this pass phrase. You will need it to sign the client certificates in the future. Once SSLeay has accepted the pass phrase, it will continue on with a series of questions for each of the fields in the X509 certificate:</p><pre class="programlisting">You are about to be asked to enter information that will be +incorporated into your certificate request. +What you are about to enter is what is called a Distinguished +Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank.</pre><p>Fill out the remainder of the fields with information about your organization. For example, our certificate looks like this:</p><pre class="programlisting">Country Name (2 letter code) [AU]:<strong class="userinput"><code>US</code></strong> +State or Province Name (full name) [Some-State]:<strong class="userinput"><code>California</code></strong> +Locality Name (eg, city) []:<strong class="userinput"><code>Sebastopol</code></strong> +Organization Name (eg, company) []:<strong class="userinput"><code>O'Reilly</code></strong> +Organizational Unit Name (eg, section) []:<strong class="userinput"><code>Books</code></strong> +Common Name (eg, YOUR name) []:<strong class="userinput"><code>John Doe</code></strong> +Email Address []:<strong class="userinput"><code>doe@ora.com</code></strong></pre><p>After that, SSLeay will be configured as a certificate authority and can be used to sign certificates for client machines that will be connecting to the Samba server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.4"></a>Creating Certificates for Clients</h3></div></div></div><p>It's simple to create a certificate for a client machine. First, you need to generate a public/private key pair for each entity, create a certificate request file, and then use <span class="emphasis"><em>SSLeay</em></span> to sign the file as a trusted authority.</p><p>For our example client <code class="literal">phoenix</code>, this boils down to three SSLeay commands. The first generates a key pair for the client and places it in the file <code class="filename">phoenix.key</code>. The private key will be encrypted, in this case using triple DES. Enter a pass phrase when requested below—you'll need it for the next step:</p><pre class="programlisting"># ssleay genrsa -des3 1024 >phoenix.key +1112 semi-random bytes loaded +Generating RSA private key, 1024 bit long modulus +........................................+++++ +.............+++++ +e is 65537 (0x10001) +Enter PEM pass phrase: +Verifying password - Enter PEM pass phrase:</pre><p>After that command has completed, type in the following command:</p><pre class="programlisting"># <strong class="userinput"><code>ssleay req -new -key phoenix.key -out phoenix-csr</code></strong> +Enter PEM pass phrase:</pre><p>Enter the pass phrase for the client certificate you just created (not the certificate authority). At this point, you will need to answer the questionnaire again, this time for the client machine. In addition, you must type in a challenge password and an optional company name—those do not matter here. When the command completes, you will have a certificate request in the file <span class="emphasis"><em>phoenix-csr.</em></span></p><p>Then, you must sign the certificate request as the trusted certificate authority. Type in the following command:</p><pre class="programlisting"># <strong class="userinput"><code>ssleay ca -days 1000 -inflies phoenix-csr >phoenix.pem</code></strong></pre><p>This command will prompt you to enter the PEM pass phrase of the <span class="emphasis"><em>certificate authority</em></span>. Be sure that you do not enter the PEM pass phrase of the client certificate that you just created. After entering the correct pass phrase, you should see the following:</p><pre class="programlisting">Check that the request matches the signature +Signature ok +The Subjects Distinguished Name is as follows: +...</pre><p>This will be followed by the information that you just entered for the client certificate. If there is an error in the fields, the program will notify you. On the other hand, if everything is fine, SSLeay will confirm that it should sign the certificate and commit it to the database. This adds a record of the certificate to the <code class="filename">/etc/certificates/newcerts</code> directory.</p><p>The operative files at the end of this exercise are the <span class="emphasis"><em>phoenix.key</em></span> and <span class="emphasis"><em>phoenix.pem</em></span> files, which reside in the current directory. These files will be passed off to the client with whom the SSL-enabled Samba server will interact, and will be used by SSL Proxy.<em class="firstterm"></em> +<a class="indexterm" name="appa-idx-990421-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.5"></a>Configuring the Samba Server</h3></div></div></div><p>The next step is to modify the Samba configuration file to include the following setup options. These options assume that you created the certificates directory for the certificate authority at <code class="filename">/etc/certificates </code>:</p><pre class="programlisting">[global] + ssl = yes + ssl server cert = /etc/certificates/cacert.pem + ssl server key = /etc/certificates/private/cakey.pem + ssl CA certDir = /etc/certificates</pre><p>At this point, you will need to kill the Samba daemons and restart them manually:</p><pre class="programlisting"># <strong class="userinput"><code>nmbd -D</code></strong> +# <strong class="userinput"><code>smbd -D</code></strong> +Enter PEM pass phrase:</pre><p>You will need to enter the PEM pass phrase of the certificate authority to start up the Samba daemons. Note that this may present a problem in terms of starting the program using ordinary means. However, you can get around this using advanced scripting languages, such as Expect or Python.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.6"></a>Testing with smbclient</h3></div></div></div><p>A good way to test whether Samba is working properly is to use the <span class="emphasis"><em>smbclient</em></span> program. On the Samba server, enter the following command, substituting the appropriate share and user for a connection:</p><pre class="programlisting"># <strong class="userinput"><code>smbclient //hydra/data -U tom</code></strong></pre><p>You should see several debugging statements followed by a line indicating the negotiated cipher, such as:</p><pre class="programlisting">SSL: negotiated cipher: DES-CBC3-SHA</pre><p>After that, you can enter your password and connect to the share normally. If this works, you can be sure that Samba is correctly supporting SSL connections. Now, on to the client setup. <a class="indexterm" name="appa-idx-990386-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-4"></a>Setting Up SSL Proxy</h2></div></div></div><p>The <a class="indexterm" name="appa-idx-990393-0"></a>SSL Proxy program is available as a standalone binary or as source code. You can download it from <code class="systemitem">http://obdev.at/Products/sslproxy.html</code>.</p><p>Once it is downloaded, you can configure and compile it like Samba. We will configure it on a Windows NT system. However, setting it up for a Unix system involves a nearly identical series of steps. Be sure that you are the superuser (administrator) for the next series of steps.</p><p>If you downloaded the binary for Windows NT, you should have the following files in a directory:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="filename">cygwinb19.dll</code></p></li><li><p><code class="filename">README.TXT</code></p></li><li><p><code class="filename">sslproxy.exe</code></p></li><li><p><code class="filename">dummyCert.pem</code></p></li></ul></div><p>The only one that you will be interested in is the SSL Proxy executable. Copy over the <span class="emphasis"><em>phoenix.pem</em></span> and <span class="emphasis"><em>phoenix.key</em></span> files that you generated earlier for the client to the same directory as the SSL proxy executable. Make sure that the directory is secure from the prying eyes of other users.</p><p>The next step is to ensure that the Windows NT machine can resolve the NetBIOS name of the Samba server. This means that you should either have a WINS server up and running (the Samba server can perform this task with the <code class="literal">wins</code> <code class="literal">support</code> <code class="literal">=</code> <code class="literal">yes</code> option) or have it listed in the appropriate <span class="emphasis"><em>hosts</em></span> file of the system. See <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>, for more information on WINS server.<sup>[<a name="appa-pgfId-986801" href="#ftn.appa-pgfId-986801">1</a>]</sup></p><p>Finally, start up SSL Proxy with the following command. Here, we assume that <code class="literal">hydra</code> is the name of the Samba server:</p><pre class="programlisting">#<strong class="userinput"><code> C:\SSLProxy>sslproxy -l 139 -R hydra -r 139 -n -c phoenix.pem -k phoenix.key</code></strong></pre><p>This tells SSL Proxy to listen for connections to port 139 and relay those requests to port 139 on the NetBIOS machine <code class="literal">hydra</code>. It also instructs SSL Proxy to use the <code class="filename">phoenix.pem</code> and <code class="filename">phoenix.key</code> files to generate the certificate and keys necessary to initiate the SSL connection. SSL Proxy responds with:</p><pre class="programlisting">Enter PEM pass phrase:</pre><p>Enter the PEM pass phrase of the client keypair that you generated, <span class="emphasis"><em>not</em></span> the certificate authority. You should then see the following output:</p><pre class="programlisting">SSL: No verify locations, trying default +proxy ready, listening for connections</pre><p>That should take care of the client. You can place this command in a startup sequence on either Unix or Windows NT if you want this functionality available at all times. Be sure to set any clients you have connecting to the NT server (including the NT server itself) to point to this server instead of the Samba server.</p><p>After you've completed setting this up, try to connect using clients that proxy through the NT server. You should find that it works almost transparently.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-5"></a>SSL Configuration Options</h2></div></div></div><p> +<a class="indexterm" name="appa-idx-990427-0"></a><a href="#appa-61150" title="Table A.1. SSL Configuration Options">Table 1.1</a> summarizes the configuration options introduced in the previous section for using SSL. Note that all of these options are global in scope; in other words, they must appear in the <code class="literal">[global]</code> section of the configuration file.</p><div class="table"><a name="appa-61150"></a><p class="title"><b>Table A.1. SSL Configuration Options </b></p><div class="table-contents"><table summary="SSL Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">ssl</code></p></td><td><p>boolean</p></td><td><p>Indicates whether SSL mode is enabled with Samba.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl hosts</code></p></td><td><p>string (list of addresses)</p></td><td><p>Specifies a list of hosts that must always connect using SSL.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl hosts resign</code></p></td><td><p>string (list of addresses)</p></td><td><p>Specifies a list of hosts that never connect using SS.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl CA certDir</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the directory where the certificates are stored.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl CA certFile</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies a file that contains all of the certificates for Samba.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl server cert</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the server's certificate.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl server key</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the server's private key.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl client cert</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the client's certificate.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl client key</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the client's private key.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl require clientcert</code></p></td><td><p>boolean</p></td><td><p>Indicates whether Samba should require each client to have a certificate.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl require servercert</code></p></td><td><p>boolean</p></td><td><p>Indicates whether the server itself should have a certificate.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl ciphers</code></p></td><td><p>String</p></td><td><p>Specifies the cipher suite to use during protocol negotiation.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl version</code></p></td><td><p><code class="literal">ssl2or3</code>, <code class="literal">ssl3</code>, or <code class="literal">tls1</code></p></td><td><p>Specifies the version of SSL to use.</p></td><td><p><code class="literal">ssl2or3</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl compatibility</code></p></td><td><p>boolean</p></td><td><p>Indicates whether compatibility with other implementations of SSL should be activated.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.1"></a> +ssl</h3></div></div></div><a class="indexterm" name="appa-idx-990620-0"></a><p>This global option configures Samba to use SSL for communication between itself and clients. The default value of this option is <code class="literal">no</code>. You can reset it as follows:</p><pre class="programlisting">[global] + ssl = yes</pre><p>Note that in order to use this option, you must have a proxy for Windows 95/98 clients, such as in the model presented earlier in this chapter.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.2"></a> +ssl hosts</h3></div></div></div><a class="indexterm" name="appa-idx-990625-0"></a><p>This option specifies the hosts that will be forced into using SSL. The syntax for specifying hosts and addresses is the same as the <code class="literal">hosts</code> <code class="literal">allow</code> and the <code class="literal">hosts</code> <code class="literal">deny</code> configuration options. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220.</pre><p>This example specifies that all hosts that fall into the 192.168.220 subnet must use SSL connections with the client. This type of structure is useful if you know that various connections will be made by a subnet that lies across an untrusted network, such as the Internet. If neither this option nor the <code class="literal">ssl</code> <code class="literal">hosts</code> <code class="literal">resign</code> option has been specified, and <code class="literal">ssl</code> is set to <code class="literal">yes</code>, Samba will allow only SSL connections from all clients.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.3"></a> +ssl hosts resign</h3></div></div></div><a class="indexterm" name="appa-idx-990628-0"></a><p>This option specifies the hosts that will <span class="emphasis"><em>not</em></span> be forced into SSL mode. The syntax for specifying hosts and addresses is the same as the <code class="literal">hosts</code> <code class="literal">allow</code> and the <code class="literal">hosts</code> <code class="literal">deny</code> configuration options. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts resign = 160.2.310. 160.2.320.</pre><p>This example specifies that all hosts that fall into the 160.2.310 or 160.2.320 subnets will not use SSL connections with the client. If neither this option nor the <code class="literal">ssl</code> <code class="literal">hosts</code> option has been specified, and <code class="literal">ssl</code> is set to <code class="literal">yes</code>, Samba will allow only SSL connections from all clients.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.4"></a> +ssl CA certDir</h3></div></div></div><a class="indexterm" name="appa-idx-990631-0"></a><p>This option specifies the directory containing the certificate authority's certificates that Samba will use to authenticate clients. There must be one file in this directory for each certificate authority, named as specified earlier in this chapter. Any other files in this directory are ignored. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certDir = /usr/local/samba/cert</pre><p>There is no default for this option. You can alternatively use the option <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certFile</code> if you wish to place all the certificate authority information in the same file.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.5"></a> +ssl CA certFile</h3></div></div></div><a class="indexterm" name="appa-idx-990634-0"></a><p>This option specifies a file that contains the certificate authority's certificates that Samba will use to authenticate clients. This option differs from <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certDir</code> in that there is only one file used for all the certificate authorities. An example of its usage follows:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile</pre><p>There is no default for this option. You can also use the option <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certDir</code> if you wish to have a separate file for each certificate authority that Samba trusts.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.6"></a> +ssl server cert</h3></div></div></div><a class="indexterm" name="appa-idx-990637-0"></a><p>This option specifies the location of the server's certificate. This option is mandatory; the server must have a certificate in order to use SSL. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl server cert = /usr/local/samba/private/server.pem</pre><p>There is no default for this option. Note that the certificate may contain the private key for the server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.7"></a> +ssl server key</h3></div></div></div><a class="indexterm" name="appa-idx-990640-0"></a><p>This option specifies the location of the server's private key. You should ensure that the location of the file cannot be accessed by anyone other than <code class="literal">root</code>. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl server key = /usr/local/samba/private/samba.pem</pre><p>There is no default for this option. Note that the private key may be contained in the certificate for the server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.8"></a> +ssl client cert</h3></div></div></div><a class="indexterm" name="appa-idx-990643-0"></a><p>This option specifies the location of the client's certificate. The certificate may be requested by the Samba server with the <code class="literal">ssl</code> <code class="literal">require</code> <code class="literal">clientcert</code> option; the certificate is also used by <code class="filename">smbclient</code>. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl server cert = /usr/local/ssl/private/server.pem + ssl client cert= /usr/local/ssl/private/clientcert.pem</pre><p>There is no default for this option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.9"></a> +ssl client key</h3></div></div></div><a class="indexterm" name="appa-idx-990646-0"></a><p>This option specifies the location of the client's private key. You should ensure that the location of the file cannot be accessed by anyone other than <code class="literal">root</code>. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certDir = /usr/local/samba/cert/ + ssl server key = /usr/local/ssl/private/samba.pem + ssl client key = /usr/local/ssl/private/clients.pem</pre><p>There is no default for this option. This option is only needed if the client has a certificate.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.10"></a> +ssl require clientcert</h3></div></div></div><a class="indexterm" name="appa-idx-990649-0"></a><p>This option specifies whether the client is required to have a certificate. The certificates listed with either the <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certDir</code> or the <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certFile</code> will be searched to confirm that the client has a valid certificate and is authorized to connect to the Samba server. The value of this option is a simple boolean. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl require clientcert = yes</pre><p>We recommend that you require certificates from all clients that could be connecting to the Samba server. The default value for this option is <code class="literal">no</code>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.11"></a> +ssl require servercert</h3></div></div></div><a class="indexterm" name="appa-idx-990652-0"></a><p>This option specifies whether the server is required to have a certificate. Again, this will be used by the <code class="filename">smbclient</code> program. The value of this option is a simple boolean. For example:</p><pre class="programlisting">[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl require clientcert = yes + ssl require servercert = yes</pre><p>Although we recommend that you require certificates from all clients that could be connecting to the Samba server, a server certificate is not required. It is, however, recommended. The default value for this option is <code class="literal">no</code>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.12"></a> +ssl ciphers</h3></div></div></div><a class="indexterm" name="appa-idx-990655-0"></a><p>This option sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection. Samba can use any of the following ciphers:</p><pre class="programlisting">DEFAULT +DES-CFB-M1 +NULL-MD5 +RC4-MD5 +EXP-RC4-MD5 +RC2-CBC-MD5 +EXP-RC2-CBC-MD5 +IDEA-CBC-MD5 +DES-CBC-MD5 +DES-CBC-SHA +DES-CBC3-MD5 +DES-CBC3-SHA +RC4-64-MD5 +NULL</pre><p>It is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific cipher suite.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.13"></a> +ssl version</h3></div></div></div><a class="indexterm" name="appa-idx-990658-0"></a><p>This global option specifies the version of SSL that Samba will use when handling encrypted connections. The default value is <code class="literal">ssl2or3</code>, which specifies that either version 2 or 3 of the SSL protocol can be used, depending on which version is negotiated in the handshake between the server and the client. However, if you want Samba to use only a specific version of the protocol, you can specify the following:</p><pre class="programlisting">[global] + ssl version = ssl3</pre><p>Again, it is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific version.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.14"></a> +ssl compatibility</h3></div></div></div><a class="indexterm" name="appa-idx-990661-0"></a><p>This global option specifies whether Samba should be configured to use other versions of SSL. However, because no other versions exist at this writing, the issue is moot and the variable should always be left at the<a class="indexterm" name="appa-idx-990431-0"></a> default.<a class="indexterm" name="appa-idx-990339-0"></a> +<a class="indexterm" name="appa-idx-990339-1"></a></p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.appa-pgfId-986801" href="#appa-pgfId-986801">1</a>] </sup>If you are running SSL Proxy on a Unix server, you should ensure that the DNS name of the Samba server can be resolved.</p></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-B"></a>Appendix B. Samba Performance Tuning</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appb-47134">B.1. A Simple Benchmark</a></span></dt><dt><span class="sect1"><a href="#appb-50295">B.2. Samba Tuning</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-2.1">B.2.1. Benchmarking</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.2">B.2.2. Things to Tweak</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.3">B.2.3. Other Samba Options</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.4">B.2.4. Our Recommendations </a></span></dt></dl></dd><dt><span class="sect1"><a href="#appb-22511">B.3. Sizing Samba Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-3.1">B.3.1. The Bottlenecks</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.2">B.3.2. Reducing Bottlenecks </a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.3">B.3.3. Practical Examples</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.4">B.3.4. How Many Clients can Samba Handle?</a></span></dt><dt><span class="sect2"><a href="#appb-90359">B.3.5. Measurement Forms</a></span></dt></dl></dd></dl></div><p> +<a class="indexterm" name="appb-idx-959725-0"></a> +<a class="indexterm" name="appb-idx-959725-1"></a> +<a class="indexterm" name="appb-idx-959725-2"></a>This appendix discusses various ways of performance tuning and system sizing with Samba. <em class="firstterm">Performance tuning</em> is the art of finding bottlenecks and adjusting to eliminate them. <span class="emphasis"><em>Sizing</em></span> is the practice of eliminating bottlenecks by spending money to avoid having them in the first place. Normally, you won't have to worry about either with Samba. On a completely untuned server, Samba will happily support a small community of users. However, on a properly tuned server, Samba will support at least twice as many users. This chapter is devoted to outlining various performance-tuning and sizing techniques that you can use if you want to stretch your Samba server to the limit.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appb-47134"></a>A Simple Benchmark</h2></div></div></div><p> +<a class="indexterm" name="appb-idx-959739-0"></a> +<a class="indexterm" name="appb-idx-959739-1"></a> +<a class="indexterm" name="appb-idx-959739-2"></a>How do you know if you're getting reasonable performance? A simple benchmark is to compare Samba with FTP. <a href="#appb-73167" title="Table B.1. Sample Benchmark Benchmarks">Table 2.1</a> shows the throughput, in kilobytes per second, of a pair of servers: a medium-size Sun SPARC Ultra and a small Linux Pentium server. Numbers are reported in kilobytes per second (KB/s).</p><div class="table"><a name="appb-73167"></a><p class="title"><b>Table B.1. Sample Benchmark Benchmarks </b></p><div class="table-contents"><table summary="Sample Benchmark Benchmarks " border="1"><colgroup><col><col><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>FTP</p></th><th><p>Untuned Samba</p></th><th><p>Tuned Samba</p></th></tr></thead><tbody><tr><td><p>Sparc get</p></td><td><p>1014.5</p></td><td><p>645.3</p></td><td><p>866.7</p></td></tr><tr><td><p>Sparc put</p></td><td><p>379.8</p></td><td><p>386.1</p></td><td><p>329.5</p></td></tr><tr><td><p>Pentium get</p></td><td><p>973.27</p></td><td><p>N/A</p></td><td><p>725</p></td></tr><tr><td><p>Pentium put</p></td><td><p>1014.5</p></td><td><p>N/A</p></td><td><p>1100</p></td></tr></tbody></table></div></div><br class="table-break"><p>If you run the same tests on your server, you probably won't see the same numbers. However, you <span class="emphasis"><em>should</em></span> see similar ratios of Samba to FTP, probably in the range of 68 to 80 percent. It's not a good idea to base <span class="emphasis"><em>all</em></span> of Samba's throughput against FTP. The golden rule to remember is this: if Samba is much slower than FTP, it's time to tune it.</p><p>You might think that an equivalent test would be to compare Samba to NFS. In reality, however, it's much less useful to compare their speeds. Depending entirely on whose version of NFS you have and how well it's tuned, Samba can be slower or faster than NFS. We usually find that Samba is faster, but watch out; NFS uses a different algorithm from Samba, so tuning options that are optimal for NFS may be detrimental for Samba. If you run Samba on a well-tuned NFS server, Samba may perform rather badly.</p><p>A more popular benchmark is Ziff-Davis' <span class="emphasis"><em>NetBench,</em></span> a simulation of many users on client machines running word processors and accessing data on the SMB server. It's not a prefect measure (each NetBench client does about ten times the work of a normal user on our site), but it is a fair comparison of similar servers. In tests performed by Jeremy Allison in November 1998, Samba 2.0 on a SGI multiprocessor outperformed NT Server 4.0 (Patch Level 2) on an equivalent high-end Compaq. This was confirmed and strengthened by a Sm@rt Reseller test of NT and Linux on identical hardware in February 1999.</p><p>In April 1999, the Mindcraft test lab released a report about a test showing that Samba on a four-processor Linux machine was significantly slower than native file serving on the same machine running Windows NT. While the original report was slammed by the Open Source community because it was commissioned by Microsoft and tuned the systems to favor Windows NT, a subsequent test was fairer and generally admitted to reveal some areas where Linux needed to improve its performance, especially on multiprocessors. Little was said about Samba itself. Samba is known to scale well on multiprocessors, and exceeds 440MB/s on a four-processor SGI O200, beating Mindcraft's 310MB/s.</p><p>Relative performance will probably change as NT and PC hardware get faster, of course, but Samba is improving as well. For example, Samba 1.9.18 was faster only with more than 35 clients. Samba 2.0, however, is faster regardless of the number of clients. In short, Samba is very competitive with the best networking software in the industry, and is only getting better.</p><p>As we went to press, Andrew Tridgell released the alpha-test version suite of benchmarking programs for Samba and SMB networks. Expect even more work on performance from the Samba team in the future.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appb-50295"></a>Samba Tuning</h2></div></div></div><p> +<a class="indexterm" name="appb-idx-959765-0"></a>That being said, let's discuss how you can take an already fast networking package and make it even faster.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.1"></a>Benchmarking</h3></div></div></div><p> +<a class="indexterm" name="appb-idx-959749-0"></a> +<a class="indexterm" name="appb-idx-959749-1"></a> +<a class="indexterm" name="appb-idx-959749-2"></a>Benchmarking is an arcane and somewhat black art, but the level of expertise needed for simple performance tuning is fairly low. Since the Samba server's goal in life is to transfer files, we will examine only throughput, not response time to particular events, under the benchmarking microscope. After all, it's relatively easy to measure file transfer speed, and Samba doesn't suffer too badly from response-time problems that would require more sophisticated techniques.</p><p>Our basic strategy for this work will be:</p><div class="itemizedlist"><ul type="disc"><li><p>Find a reasonably-sized file to copy and a program that reports on copy speeds, such as <code class="filename">smbclient</code>.</p></li><li><p>Find a quiet (or typical) time to do the test.</p></li><li><p>Pre-run each test a few times to preload buffers.</p></li><li><p>Run tests several times and watch for unusual results.</p></li><li><p>Record each run in detail.</p></li><li><p>Compare the average of the valid runs to expected values.</p></li></ul></div><p>After establishing a baseline using this method, we can adjust a single parameter and do the measurements all over again. An empty table for your tests is provided at the end of this chapter.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.2"></a>Things to Tweak</h3></div></div></div><p>There are literally thousands of Samba setting combinations that you can use in search of that perfect server. Those of us with lives outside of system administration, however, can narrow down the number of options to those listed in this section, which are the most likely to affect overall throughput. They are presented roughly in order of impact.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.1"></a>Log level</h4></div></div></div><p> +<a class="indexterm" name="appb-idx-959753-0"></a>This is an obvious one. Increasing the logging level (<code class="literal">log</code> +<a class="indexterm" name="appb-idx-960330-0"></a> +<a class="indexterm" name="appb-idx-960330-1"></a> <code class="literal">level</code> or <code class="literal">debug</code> <code class="literal">level</code> configuration options) is a good way to debug a problem, unless you happen to be searching for a performance problem! As mentioned in <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, Samba produces a ton of debugging messages at level 3 and above, and writing them to disk or syslog is a slow operation. In our <code class="filename">smbclient/ftp</code> tests, raising the log level from 0 to 3 cut the untuned <code class="literal">get</code> <code class="literal">speed</code> from 645.3 to 622.2KB/s, or roughly 5 percent. Higher log levels were even worse.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.2"></a>Socket options</h4></div></div></div><p>The next thing to look at are the <code class="literal">socket</code> +<a class="indexterm" name="appb-idx-960332-0"></a> <code class="literal">options</code> configuration options. These are really host system tuning options, but they're set on a per-connection basis, and can be reset by Samba on the sockets it employs by adding <code class="literal">socket</code> <code class="literal">options</code> <code class="literal">=</code> <code class="literal">option</code> to the <code class="literal">[global]</code> section of your <code class="filename">smb.conf </code>file. Not all of these options are supported by all vendors; check your vendor's manual pages on <span class="emphasis"><em>setsockopt </em></span>(1) or <span class="emphasis"><em>socket </em></span>(5) for details.</p><p>The main options are:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">TCP_NODELAY</code></span></dt><dd><p>Have the server send as many packets as necessary to keep delay low. This is used on telnet connections to give good response time, and is used—somewhat counter-intuitively—to get good speed even when doing small requests or when acknowledgments are delayed (as seems to occur with Microsoft TCP/IP). This is worth a 30-50 percent speedup by itself. Incidentally, in Samba 2.0.4, <code class="literal">socket</code> <code class="literal">options</code> <code class="literal">=</code> <code class="literal">TCP_NODELAY</code> became the default value for that option.</p></dd><dt><span class="term"><code class="literal">IPTOS_LOWDELAY</code></span></dt><dd><p>This is another option that trades off throughput for lower delay, but which affects routers and other systems, not the server. All the IPTOS options are new; they're not supported by all operating systems and routers. If they are supported, set <code class="literal">IPTOS_LOWDELAY</code> whenever you set <code class="literal">TCP_NODELAY</code>.</p></dd><dt><span class="term"><code class="literal">SO_SNDBUF</code> <code class="literal">and</code> <code class="literal">SO_RCVBUF</code></span></dt><dd><p>The send and receive buffers can often be the reset to a value higher than that of the operating system. This yields a marginal increase of speed (until it reaches a point of diminishing returns).</p></dd><dt><span class="term"><code class="literal">SO_KEEPALIVE</code></span></dt><dd><p>This initiates a periodic (four-hour) check to see if the client has disappeared. Expired connections are addressed somewhat better with Samba's <code class="literal">keepalive</code> and <code class="literal">dead</code> <code class="literal">time</code> options. All three eventually arrange to close dead connections, returning unused memory and process-table entries to the operating system.</p></dd></dl></div><p>There are several other socket options you might look at, (e.g., <code class="literal">SO_SNDLOWAT</code>), but they vary in availability from vendor to vendor. You probably want to look at <em class="citetitle">TCP/IP Illustrated</em> if you're interested in exploring more of these options for performance tuning with Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.3"></a>read raw and write raw</h4></div></div></div><p> +<a class="indexterm" name="appb-idx-959754-0"></a> +<a class="indexterm" name="appb-idx-959754-1"></a>These are important performance configuration options; they enable Samba to use large reads and writes to the network, of up to 64KB in a single SMB request. They also require the largest SMB packet structures, <code class="literal">SMBreadraw</code> and <code class="literal">SMBwriteraw</code>, from which the options take their names. Note that this is not the same as a Unix <span class="emphasis"><em>raw read</em></span>. This Unix term usually refers to reading disks without using the files system, quite a different sense from the one described here for Samba.</p><p>In the past, some client programs failed if you tried to use <code class="literal">read</code> <code class="literal">raw</code>. As far as we know, no client suffers from this problem any more. Read and write raw default to <code class="literal">yes</code>, and should be left on unless you find you have one of the buggy clients.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.4"></a>Opportunistic locking</h4></div></div></div><p> +<a class="indexterm" name="appb-idx-959755-0"></a> +<a class="indexterm" name="appb-idx-959755-1"></a>Opportunistic locks, or <span class="emphasis"><em>oplocks</em></span>, allow clients to cache files locally, improving performance on the order of 30 percent. This option is now enabled by default. For read-only files, the <code class="literal">fake</code> <code class="literal">oplocks</code> provides the same functionality without actually doing any caching. If you have files that cannot be cached, <span class="emphasis"><em>oplocks</em></span> can be turned off.</p><p>Database files should never be cached, nor should any files that are updated both on the server and the client and whose changes must be immediately visible. For these files, the <code class="literal">veto</code> <code class="literal">oplock</code> +<a class="indexterm" name="appb-idx-960336-0"></a> <code class="literal">files</code> option allows you to specify a list of individual files or a pattern containing wildcards to avoid caching. <span class="emphasis"><em>oplocks</em></span> can be turned off on a share-by-share basis if you have large groups of files you don't want cached on clients. See <a href="#SAMBA-CH-5" title="Chapter 5. Browsing and Advanced Disk Shares">Chapter 5</a>, for more information on opportunistic locks.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.5"></a>IP packet size (MTU)</h4></div></div></div><p> +<a class="indexterm" name="appb-idx-959756-0"></a>Networks generally set a limit to the size of an individual transmission or packet This is called the Maximum Segment Size, or if the packet header size is included, the <a class="indexterm" name="appb-idx-959757-0"></a> +<a class="indexterm" name="appb-idx-959757-1"></a>Maximum Transport Unit (MTU). This MTU is not set by Samba, but Samba needs to use a <code class="literal">max</code> <code class="literal">xmit</code> (write size) bigger than the MTU, or throughput will be reduced. This is discussed in further detail in the following note. The MTU is normally preset to 1500 bytes on an Ethernet and 4098 bytes on FDDI. In general, having it too low cuts throughput, and having it too high causes a sudden performance dropoff due to fragmentation and retransmissions.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you are communicating over a router, some systems will assume the router is a serial link (e.g., a T1) and set the MTU to more or less 536 bytes. Windows 95 makes this mistake, which causes nearby clients to perform well, but clients on the other side of the router to be noticeably slower. If the client makes the opposite error and uses a large MTU on a link which demands a small one, the packets will be broken up into fragments. This slows transfers slightly, and any networking errors will cause multiple fragments to be retransmitted, which slows Samba significantly. Fortunately, you can modify the Windows MTU size to prevent either error. To understand this in more detail, see "The Windows 95 Networking Frequently Asked Questions (FAQ)" at <code class="systemitem">http://www.stanford.edu/~llurch/win95netbugs/faq.html</code>, which explains how to override the Windows MTU and Window Size.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-19919"></a>The TCP receive window</h4></div></div></div><p> +<a class="indexterm" name="appb-idx-959758-0"></a>TCP/IP works by breaking down data into small packets that can be transmitted from one machine to another. When each packet is transmitted, it contains a checksum that allows the receiver to check the packet data for potential errors in transmission. Theoretically, when a packet is received and verified, an acknowledgment packet should be sent back to the sender that essentially says, "Everything arrived intact: please continue."</p><p>In order to keep things moving, however, TCP accepts a range (window) of packets that allows a sender to keep transmitting without having to wait for an acknowledgment of every single packet. (It can then bundle a group of acknowledgments and transmit them back to the sender at the same time.) In other words, this receive window is the number of bytes that the sender can transmit before it has to stop and wait for a receiver's acknowledgment. Like the MTU, it is automatically set based on the type of connection. Having the window too small causes a lot of unnecessary waiting for acknowledgment messages. Various operating systems set moderate buffer sizes on a per-socket basis to keep one program from hogging all the memory.</p><p>The buffer sizes are assigned in bytes, such as <code class="literal">SO_SNDBUF=8192</code> in the <code class="literal">socket</code> <code class="literal">options</code> line. Thus, an example <code class="literal">socket</code> <code class="literal">options</code> configuration option is:</p><pre class="programlisting">socket options = SO_SNDBUF=8192</pre><p>Normally, one tries to set these socket options higher than the default: 4098 in SunOS 4.1.3 and SVR4, and 8192-16384 in AIX, Solaris, and BSD. 16384 has been suggested as a good starting point: in a non-Samba test mentioned in Stevens' book, it yielded a 40 percent improvement. You'll need to experiment, because performance will fall off again if you set the sizes too high. This is illustrated in <a href="#appb-34738" title="Figure B.1. SO_SNDBUF size and performance">Figure 2.1</a>, a test done on a particular Linux system.</p><div class="figure"><a name="appb-34738"></a><p class="title"><b>Figure B.1. SO_SNDBUF size and performance</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 263px"><td><img src="figs/sam.ab01.gif" height="263" alt="SO_SNDBUF size and performance"></td></tr></table></div></div></div><br class="figure-break"><p>Setting the socket options <code class="literal">O_SNDBUF</code> and <code class="literal">SO_RCVBUF</code> to less than the default is inadvisable. Setting them higher improves performance, up to a network-specific limit. However, once you exceed that limit, performance will abruptly level off.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.7"></a> +max xmit</h4></div></div></div><a class="indexterm" name="appb-idx-960371-0"></a><p> +<a class="indexterm" name="appb-idx-960373-0"></a>In Samba, the option that is directly related with the MTU and window size is <code class="literal">max</code> <code class="literal">xmit</code>. This option sets the largest block of data Samba will try to write at any one time. It's sometimes known as the <em class="firstterm">write size</em>, although that is not the name of the Samba configuration option.</p><p>Because the percentage of each block required for overhead falls as the blocks get larger, max xmit is conventionally set as large as possible. It defaults to the protocol's upper limit, which is 64 kilobytes. The smallest value that doesn't cause significant slowdowns is 2048. If it is set low enough, it will limit the largest packet size that Samba will be able to negotiate. This can be used to simulate a small MTU if you need to test an unreliable network connection. However, such a test should not be used in production for reducing the effective MTU.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.8"></a>read size</h4></div></div></div><p> +<a class="indexterm" name="appb-idx-959760-0"></a>If <code class="literal">max</code> <code class="literal">xmit</code> is commonly called the write size, you'd expect <code class="literal">read</code> <code class="literal">size</code> to be the maximum amount of data that Samba would want to read from the client via the network. Actually, it's not. In fact, it's an option to trigger <em class="firstterm">write ahead</em> +<a class="indexterm" name="appb-idx-959764-0"></a>. This means that if Samba gets behind reading from the disk and writing to the network (or vice versa) by the specified amount, it will start overlapping network writes with disk reads (or vice versa).</p><p>The read size doesn't have a big performance effect on Unix, unless you set its value quite small. At that point, it causes a detectable slowdown. For this reason, it defaults to 2048 and can't be set lower than 1024.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.9"></a>read prediction </h4></div></div></div><p> +<a class="indexterm" name="appb-idx-959766-0"></a>Besides being counterintuitive, this option is also obsolete. It enables Samba to read ahead on files opened read only by the clients. The option is disabled in Samba 2.0 (and late 1.9) Because it interferes with opportunistic locking.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.3"></a>Other Samba Options</h3></div></div></div><p> +<a class="indexterm" name="appb-idx-959775-0"></a> +<a class="indexterm" name="appb-idx-959775-1"></a> +<a class="indexterm" name="appb-idx-959775-2"></a>The following Samba options will affect performance if they're set incorrectly, much like the debug level. They're mentioned here so you will know what to look out for:</p><div class="variablelist"><dl><dt><span class="term"> +<a class="indexterm" name="appb-idx-960358-0"></a><code class="literal">hide files</code></span></dt><dd><p>Providing a pattern to identify files hidden by the Windows client <code class="literal">hide</code> <code class="literal">files</code> will result in any file matching the pattern being passed to the client with the DOS hidden attribute set. It requires a pattern match per file when listing directories, and slows the server noticeably.</p></dd><dt><span class="term"><code class="literal">lpq cache time</code> +<a class="indexterm" name="appb-idx-960359-0"></a></span></dt><dd><p>If your <code class="literal">lpq</code> (printer queue contents) command takes a long time to complete, you should increase <code class="literal">lpq</code> <code class="literal">cache</code> <code class="literal">time</code> to a value higher than the actual time required for <code class="literal">lpq</code> to execute, so as to keep Samba from starting a new query when one's already running. The default is 10 seconds, which is reasonable.</p></dd><dt><span class="term"><code class="literal">strict locking</code> +<a class="indexterm" name="appb-idx-960360-0"></a></span></dt><dd><p>Setting the <code class="literal">strict</code> <code class="literal">locking</code> option causes Samba to check for locks on every access, not just when asked to by the client. The option is primarily a bug-avoidance feature, and can prevent ill-behaved DOS and Windows applications from corrupting shared files. However, it is slow and should typically be avoided.</p></dd><dt><span class="term"><code class="literal">strict sync</code> +<a class="indexterm" name="appb-idx-960361-0"></a></span></dt><dd><p>Setting <code class="literal">strict</code> <code class="literal">sync</code> will cause Samba to write each packet to disk and wait for the write to complete whenever the client sets the sync bit in a packet. Windows 98 Explorer sets the bit in all packets transmitted, so if you turn this on, anyone with Windows 98 will think Samba servers are horribly slow.</p></dd><dt><span class="term"><code class="literal">sync always</code> +<a class="indexterm" name="appb-idx-960362-0"></a></span></dt><dd><p>Setting <code class="literal">sync</code> <code class="literal">always</code> causes Samba to flush every write to disk. This is good if your server crashes constantly, but the performance costs are immense. SMB servers normally use oplocks and automatic reconnection to avoid the ill effects of crashes, so setting this option is not normally necessary.</p></dd><dt><span class="term"> +<a class="indexterm" name="appb-idx-960363-0"></a><code class="literal">wide links</code></span></dt><dd><p>Turning off <code class="literal">wide</code> <code class="literal">links</code> prevents Samba from following symbolic links in one file share to files that are not in the share. It is turned on by default, since following links in Unix is not a security problem. Turning it off requires extra processing on every file open. If you do turn off wide links, be sure to turn on <code class="literal">getwd</code> <code class="literal">cache</code> to cache some of the required data.</p><p>There is also a <code class="literal">follow</code> <code class="literal">symlinks</code> option that can be turned off to prevent following any symbolic links at all. However, this option does not pose a performance problem.</p></dd><dt><span class="term"> +<a class="indexterm" name="appb-idx-960364-0"></a><code class="literal">getwd cache</code></span></dt><dd><p>This option caches the path to the current directory, avoiding long tree-walks to discover it. It's a nice performance improvement on a printer server or if you've turned off <code class="literal">wide</code> <code class="literal">links</code>.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.4"></a>Our Recommendations </h3></div></div></div><p> +<a class="indexterm" name="appb-idx-959782-0"></a>Here's an <code class="filename">smb.conf</code> file that incorporates the recommended performance enhancements so far. Comments have been added on the right side.</p><pre class="programlisting">[global] + log level = 1 # Default is 0 + socket options = TCP_NODELAY IPTOS_LOWDELAY + read raw = yes # Default + write raw = yes # Default + oplocks = yes # Default + max xmit = 65535 # Default + dead time = 15 # Default is 0 + getwd cache = yes + lpq cache = 30 +[okplace] + veto oplock files = this/that/theotherfile +[badplace] + oplocks = no</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appb-22511"></a>Sizing Samba Servers</h2></div></div></div><p> +<a class="indexterm" name="appb-idx-959783-0"></a> +<a class="indexterm" name="appb-idx-959783-1"></a>Sizing is a way to prevent bottlenecks before they occur. The preferred way to do this is to know how many requests per second or how many kilobytes per second the clients will need, and ensure that all the components of the server provide at least that many.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.1"></a>The Bottlenecks</h3></div></div></div><p> +<a class="indexterm" name="appb-idx-959791-0"></a>The <a class="indexterm" name="appb-idx-959799-0"></a>three primary bottlenecks you should worry about are CPU, disk I/O, and the network. For most machines, CPUs are rarely a bottleneck. A single Sun SPARC 10 CPU can start (and complete) between 700 and 800 I/O operations a second, giving approximately 5,600 to 6,400KB/s of throughput when the data averages around 8KBs (a common buffer size). A single Intel Pentium 133 can do less only because of somewhat slower cache and bus interfaces, not due to lack of CPU power. Purpose-designed Pentium servers, like some Compaq servers, will be able to start 700 operations per CPUs, on up to four CPUs.</p><p>Too little memory, on the other hand, can easily be a bottleneck; each Samba process will use between 600 and 800KB on Intel Linux, and more on RISC CPUs. Having less will cause an increase in virtual memory paging and therefore a performance hit. On Solaris, where it has been measured, <span class="emphasis"><em>smbd</em></span> will use 2.6 MB for program and shared libraries, plus 768KB for each connected client. <span class="emphasis"><em>nmbd</em></span> occupies 2.1 MB, plus 496KB extra for its (single) auxiliary process.</p><p>Hard disks will always bottleneck at a specific number of I/O operations per second: for example, each 7200 RPM SCSI disk is capable of performing 70 operations per second, for a throughput of 560KB/s; a 4800 RPM disk will perform fewer than 50, for a throughput of 360KB/s. A single IDE disk will do still fewer. If the disks are independent, or striped together in a RAID 1 configuration, they will each peak out at 400 to 560KB/s and will scale linearly as you add more. Note that this is true only of RAID 1. RAID levels other than 1 (striping) add extra overhead.</p><p>Ethernets (and other networks) are obvious bottleneck: a 10 Mb/s (mega<span class="emphasis"><em>bits</em></span>/second) Ethernet will handle around 1100KB/s (kilo<span class="emphasis"><em>bytes</em></span>/s) using 1500-byte packets A 100 Mb/s Fast Ethernet will bottleneck below 65,000KB/s with the same packet size. FDDI, at 155 Mb/s will top out at approximately 6,250KB/s, but gives good service at even 100 percent load and transmits much larger packets (4KB).</p><p>ATM should be much better, but as of the writing of this book it was too new to live up to its potential; it seems to deliver around 7,125 Mb/s using 9KB packets.</p><p>Of course, there can be other bottlenecks: more than one IDE disk per controller is not good, as are more than three 3600 SCSI-I disks per slow/narrow controller, or more than three 7200 SCSI-II disks per SCSI-II fast/wide controller. RAID 5 is also slow, as it requires twice as many writes as independent disks or RAID 1.</p><p>After the second set of Ethernets and the second disk controller, start worrying about bus bandwidth, especially if you are using ISA/EISA buses.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.2"></a>Reducing Bottlenecks </h3></div></div></div><p> +<a class="indexterm" name="appb-idx-959800-0"></a>From the information above we can work out a model that will tell us the maximum capability of a given machine. The data is mostly taken from <a class="indexterm" name="appb-idx-959815-0"></a> +<a class="indexterm" name="appb-idx-959815-1"></a>Brian Wong's <em class="citetitle">Configuration and Capacity Planning for Solaris Servers</em>,<em class="citetitle"> +<sup>[<a name="appb-pgfId-951214" href="#ftn.appb-pgfId-951214">1</a>]</sup></em> so there is a slight Sun bias to our examples.</p><p>A word of warning: this is not a complete model. Don't assume that this model will predict every bottleneck or even be within 10 percent in its estimates. A model to predict performance instead of one to warn you of bottlenecks would be much more complex and would contain rules like "not more than three disks per SCSI chain". (A good book on real models is Raj Jain's <em class="citetitle">The Art of Computer Systems Performance Analysis</em>.<sup>[<a name="appb-pgfId-951230" href="#ftn.appb-pgfId-951230">2</a>]</sup>) With that warning, we present the system in <a href="#appb-98866" title="Figure B.2. Data flow through a Samba server, with possible bottlenecks">Figure 2.2</a>.</p><div class="figure"><a name="appb-98866"></a><p class="title"><b>Figure B.2. Data flow through a Samba server, with possible bottlenecks</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 185px"><td><img src="figs/sam.ab02.gif" height="185" alt="Data flow through a Samba server, with possible bottlenecks"></td></tr></table></div></div></div><br class="figure-break"><p>The flow of data should be obvious. For example, on a read, data flows from the disk, across the bus, through or past the CPU, and to the network interface card (NIC). It is then broken up into packets and sent across the network. Our strategy here is to follow the data through the system and see what bottlenecks will choke it off. Believe it or not, it's rather easy to make a set of tables that list the maximum performance of common disks, CPUs, and network cards on a system. So that's exactly what we're going to do.</p><p>Let's take a concrete example: a Linux Pentium 133 MHz machine with a single 7200 RPM data disk, a PCI bus, and a 10-Mb/s Ethernet card. This is a perfectly reasonable server. We start with <a href="#appb-78077" title="Table B.2. Disk Throughput">Table 2.2</a>, which describes the hard drive—the first potential bottleneck in the system.</p><div class="table"><a name="appb-78077"></a><p class="title"><b>Table B.2. Disk Throughput </b></p><div class="table-contents"><table summary="Disk Throughput " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Disk RPM</p></th><th><p>I/O Operations/second</p></th><th><p>KB/second</p></th></tr></thead><tbody><tr><td><p>7200</p></td><td><p>70</p></td><td><p>560</p></td></tr><tr><td><p>4800</p></td><td><p>60</p></td><td><p>480</p></td></tr><tr><td><p>3600</p></td><td><p>40</p></td><td><p>320</p></td></tr></tbody></table></div></div><br class="table-break"><p>Disk throughput is the number of kilobytes of data that a disk can transfer per second. It is computed from the number of 8KB I/O operations per second a disk can perform, which in turn is strongly influenced by disk RPM and bit density. In effect, the question is: how much data can pass below the drive heads in one second? With a single 7200 RPM disk, the example server will give us 70 I/O operations per second at roughly 560KB/s.</p><p>The second possible bottleneck is the CPU. The data doesn't actually flow through the CPU on any modern machines, so we have to compute throughput somewhat indirectly.</p><p>The CPU has to issue I/O requests and handle the interrupts coming back, then transfer the data across the bus to the network card. From much past experimentation, we know that the overhead that dominates the processing is consistently in the filesystem code, so we can ignore the other software being run. We compute the throughput by just multiplying the (measured) number of file I/O operations per second that a CPU can process by the same 8K average request size. This gives us the results shown in <a href="#appb-42029" title="Table B.3. CPU Throughput">Table 2.3</a>.</p><div class="table"><a name="appb-42029"></a><p class="title"><b>Table B.3. CPU Throughput </b></p><div class="table-contents"><table summary="CPU Throughput " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>CPU</p></th><th><p>I/O Operations/second</p></th><th><p>KB/second</p></th></tr></thead><tbody><tr><td><p>Intel Pentium 133</p></td><td><p>700</p></td><td><p>5,600</p></td></tr><tr><td><p>Dual Pentium 133</p></td><td><p>1,200</p></td><td><p>9,600</p></td></tr><tr><td><p>Sun SPARC II</p></td><td><p>660</p></td><td><p>5,280</p></td></tr><tr><td><p>Sun SPARC 10</p></td><td><p>750</p></td><td><p>6,000</p></td></tr><tr><td><p>Sun Ultra 200</p></td><td><p>2,650</p></td><td><p>21,200</p></td></tr></tbody></table></div></div><br class="table-break"><p>Now we put the disk and the CPU together: in the Linux example, we have a single 7200 RPM disk, which can give us 560KB/s, and a CPU capable of starting 700 I/O operations, which could give us 5600KB/s. So far, as you would expect, our bottleneck is clearly going to be the hard disk.</p><p>The last potential bottleneck is the network. If the network speed is below 100 Mb/s, the bottleneck will be the network speed. After that, the design of the network card is more likely to slow us down. <a href="#appb-67604" title="Table B.4. Network Throughput">Table 2.4</a> shows us the average throughput of many types of data networks. Although network speed is conventionally measured in bits per second, <a href="#appb-67604" title="Table B.4. Network Throughput">Table 2.4</a> lists bytes per second to make comparison with the disk and CPU (<a href="#appb-78077" title="Table B.2. Disk Throughput">Table 2.2</a> and <a href="#appb-42029" title="Table B.3. CPU Throughput">Table 2.3</a>) easier.</p><div class="table"><a name="appb-67604"></a><p class="title"><b>Table B.4. Network Throughput </b></p><div class="table-contents"><table summary="Network Throughput " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Network Type</p></th><th><p>KB/second</p></th></tr></thead><tbody><tr><td><p> ISDN</p></td><td><p> 16</p></td></tr><tr><td><p> T1</p></td><td><p> 197</p></td></tr><tr><td><p> Ethernet 10m</p></td><td><p> 1,113</p></td></tr><tr><td><p> Token ring</p></td><td><p> 1,500</p></td></tr><tr><td><p> FDDI</p></td><td><p> 6,250</p></td></tr><tr><td><p> Ethernet 100m</p></td><td><p> 6,500<sup>[<a name="appb-pgfId-960131" href="#ftn.appb-pgfId-960131">3</a>]</sup></p></td></tr><tr><td><p> ATM 155</p></td><td><p> 7,125a</p></td></tr></tbody><tbody class="footnotes"><tr><td colspan="2"><div class="footnote"><p><sup>[<a name="ftn.appb-pgfId-960131" href="#appb-pgfId-960131">3</a>] </sup>These will increase. For example, Crays, Sun Ultras, and DEC/Compaq Alphas already have bettered these figures.</p></div></td></tr></tbody></table></div></div><br class="table-break"><p>In the running example, we have a bottleneck at 560KB/s due to the disk. <a href="#appb-67604" title="Table B.4. Network Throughput">Table 2.4</a> shows us that a standard 10 megabit per second Ethernet (1,113KB/s) is far faster than the disk. Therefore, the hard disk is still the limiting factor. (This scenario, by the way, is very common.) Just by looking at the tables, we can predict that small servers won't have CPU problems, and that large ones with multiple CPUs will support striping and multiple Ethernets long before they start running out of CPU power. This, in fact, is exactly what happens.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.3"></a>Practical Examples</h3></div></div></div><p>An example from <span class="emphasis"><em>Configuration and Capacity Planning for Solaris Servers</em></span> (Wong) shows that a dual-processor SPARCstation 20/712 with four Ethernets and six 2.1 GB disks will spend all its time waiting for the disks to return some data. If it was loaded with disks (Brian Wong suggests as many as 34 of them), it would still be held below 1,200KB/s by the Ethernet cards. To get the performance the machine is capable of, we would need to configure multiple Ethernets, 100 Mbps Fast Ethernet, or 155 Mbps FDDI.</p><p>The progression you'd work through to get that conclusion looks something like <a href="#appb-26613" title="Table B.5. Tuning a Medium-Sized Server">Table 2.5</a>.</p><div class="table"><a name="appb-26613"></a><p class="title"><b>Table B.5. Tuning a Medium-Sized Server </b></p><div class="table-contents"><table summary="Tuning a Medium-Sized Server " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Machine</p></th><th><p>Disk Throughput</p></th><th><p>CPU Throughput</p></th><th><p>Network Throughput</p></th><th><p>Actual Throughput</p></th></tr></thead><tbody><tr><td><p>Dual SPARC 10, 1 disk</p></td><td><p>560</p></td><td><p>6000</p></td><td><p>1,113</p></td><td><p>560</p></td></tr><tr><td><p>Add 5 more disks</p></td><td><p>3,360</p></td><td><p>6000</p></td><td><p>1,113</p></td><td><p>1,113</p></td></tr><tr><td><p>Add 3 more Ethernets</p></td><td><p>3,360</p></td><td><p>16000</p></td><td><p>4,452</p></td><td><p>3,360</p></td></tr><tr><td><p>Change to using a 20-disk array</p></td><td><p>11,200</p></td><td><p>6000</p></td><td><p>4,452</p></td><td><p>4,452</p></td></tr><tr><td><p>Use dual 100 Mbps ether</p></td><td><p>11,200</p></td><td><p>6000</p></td><td><p>13,000</p></td><td><p>11,200</p></td></tr></tbody></table></div></div><br class="table-break"><p>Initially, the bottleneck is the disk with only 560 MB/s of throughput available. Our solution is to add five more disks. This gives us more throughput on the disks than on the Ethernet, so then the Ethernet becomes the problem. Consequently, as we continue to expand, we go back and forth several times between these two. As you add disks, CPUs, and network cards, the bottleneck moves. Essentially, the strategy is to add more equipment to try to avoid each bottleneck until you reach your target performance, or (unfortunately) you either can't add any more or run out of money.</p><p>Our experience bears out this kind of calculation; a large SPARC 10 file server that one author maintained was quite capable of saturating an Ethernet plus about a third of an FDDI ring when using two processors. It did nearly as well with a single processor, albeit with a fast operating system and judicious over-optimization.</p><p>The same process applies to other brands of purpose-designed servers. We found the same rules applied to DECstation 2100s as to the newest Alphas or Compaqs, old MIPS 3350s and new SGI O2s. In general, a machine offering multi-CPU server configurations will have enough bus bandwidth and CPU power to reliably bottleneck on hard disk I/O when doing file service. As one would hope, considering the cost!</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.4"></a>How Many Clients can Samba Handle?</h3></div></div></div><p>Well, that depends entirely on how much data each user consumes. A small server with three SCSI-1 disks, which can serve about 960KB/s of data, will support between 36 and 80 clients in an ordinary office environment where they are typically loading, and saving equal-sized spreadsheets or word processing documents (36 clients × 2.3 transfers/second × 12k file 1 MB/s).</p><p>On the same server in a development environment with programmers running a fairly heavy edit-compile-test cycle, one can easily see requests for 1 MB/s, limiting the server to 25 or fewer clients. To take this a bit further, an imaging system whose clients each require 10 MB/s will perform poorly no matter how big a server is if they're all on a 10 MB/s Ethernet. And so on.</p><p>If you don't know how much data an average user consumes, you can size your Samba servers by patterning them after existing NFS, Netware, or LAN Manager servers. You should be especially careful that the new servers have as many disks and disk controllers as the ones you've copied. This technique is appropriately called "punt and hope."</p><p>If you know how many clients an existing server can support, you're in <span class="emphasis"><em>much</em></span> better shape. You can analyze the server to see what its maximum capacity is and use that to estimate how much data they must be demanding. For example, if serving home directories to 30 PCs from a PC server with two IDE disks is just too slow, and 25 clients is about right, then you can safely assume you're bottlenecked on Ethernet I/O (approximately 375KB) rather than disk I/O (up to 640KB). If so, you can then conclude that the clients are demanding 15 (that is, 375/25)KB/s on average.</p><p>Supporting a new lab of 75 clients will mean you'll need 1,125KB/s, spread over multiple (preferably three) Ethernets, and a server with at least three 7200 RPM disks and a CPU capable of keeping up. These requirements can be met by a Pentium 133 or above with the bus architecture to drive them all at full speed (e.g., PCI).</p><p>A custom-built PC server or a multiprocessor-capable workstation like a Sun Sparc, a DEC/Compaq Alpha, an SGI, or the like, would scale up easier, as would a machine with fast Ethernet, plus a switching hub to drive the client machines on individual 10 MB/s Ethernets.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-3.4.1"></a>How to guess</h4></div></div></div><p>If you have no idea at all what you need, the best thing is to try to guess based on someone else's experience. Each individual client machine can average from less than 1 I/O per second (normal PC or Mac used for sales/accounting) to as much as 4 (fast workstation using large applications). A fast workstation running a compiler can happily average 3-4 MB/s in data transfer requests, and an imaging system can demand even more.</p><p>Our recommendation? Spy on someone with a similar configuration and try to estimate their bandwidth requirements from their bottlenecks and the volume of the screams from their users. We also recommend Brian Wong's <em class="citetitle">Configuration and Capacity Planning for Solaris Servers</em>. While he uses Sun Solaris foremost in his examples, his bottlenecks are disks and network cards, which are common among all the major vendors. His tables for FTP servers also come very close to what we calculated for Samba servers, and make a good starting point.<a class="indexterm" name="appb-idx-959809-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-90359"></a>Measurement Forms</h3></div></div></div><p> +<a class="indexterm" name="appb-idx-959816-0"></a><a href="#appb-82208" title="Table B.6. Ethernet Interface to Same Host: FTP">Table 2.6</a> and <a href="#appb-34846" title="Table B.7. Ethernet Interface to Same Host: FTP">Table 2.7</a> are empty tables that you can use for copying and recording data. The bottleneck calculation in the previous example can be done in a spreadsheet, or manually with <a href="#appb-51003" title="Table B.8. Bottleneck Calculation Table">Table 2.8</a>. If Samba is as good as or better than FTP, and if there aren't any individual test runs that are much different from the average, you have a well-configured system. If loopback isn't much faster than anything else, you have a problem with your TCP/IP software. If both FTP and Samba are slow, you probably have a problem with your networking: a faulty Ethernet card will produce this, as will accidentally setting an Ethernet card to half-duplex when it's not connected to a half-duplex hub. Remember that CPU and disk speeds are commonly measured in bytes, network speeds in bits.</p><p>We've included columns for both bytes and bits in the tables. In the last column, we compare results to 10 Mb/s because that's the speed of a traditional Ethernet.</p><div class="table"><a name="appb-82208"></a><p class="title"><b>Table B.6. Ethernet Interface to Same Host: FTP </b></p><div class="table-contents"><table summary="Ethernet Interface to Same Host: FTP " border="1"><colgroup><col><col><col><col><col><col></colgroup><thead><tr><th><p>Run No</p></th><th><p>Size in Bytes</p></th><th><p>Time (sec)</p></th><th><p>Bytes/sec</p></th><th><p>Bits/sec</p></th><th><p>% of 10 Mb/s</p></th></tr></thead><tbody><tr><td><p>1</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>2</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>3</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>4</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>5</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Average:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Deviation:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="appb-34846"></a><p class="title"><b>Table B.7. Ethernet Interface to Same Host: FTP </b></p><div class="table-contents"><table summary="Ethernet Interface to Same Host: FTP " border="1"><colgroup><col><col><col><col><col><col></colgroup><thead><tr><th><p>Run No</p></th><th><p>Size in Bytes</p></th><th><p>Time, sec</p></th><th><p>Bytes/sec</p></th><th><p>Bits/sec</p></th><th><p>% of 10 Mb/s</p></th></tr></thead><tbody><tr><td><p>1</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>2</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>3</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>4</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>5</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Average:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Deviation:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="appb-51003"></a><p class="title"><b>Table B.8. Bottleneck Calculation Table</b></p><div class="table-contents"><table summary="Bottleneck Calculation Table" border="1"><colgroup><col><col><col><col><col><col><col></colgroup><thead><tr><th><p>CPU</p></th><th><p>Throughput</p></th><th><p>of Disks</p></th><th><p>Disk Throughput</p></th><th><p>Number of Networks</p></th><th><p>Network Throughput</p></th><th><p>Total Throughput</p></th></tr></thead><tbody><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><p>In <a href="#appb-51003" title="Table B.8. Bottleneck Calculation Table">Table 2.8</a>:</p><div class="itemizedlist"><ul type="disc"><li><p>CPU throughput = (KB/second from <a href="#ch06-89804" title="Figure 6.5. Configuring a Windows NT client for domain logons">Figure 6.5</a>) × (number of CPUs)</p></li><li><p>Disk throughput = (KB/second from <a href="#ch06-48609" title="Figure 6.4. Configuring a Windows 95/98 client for domain logons">Figure 6.4</a>) × (number of disks)</p></li><li><p>Network throughput = (KB/second from <a href="#ch06-71393" title="Figure 6.6. Local profiles versus roaming profiles">Figure 6.6</a>) × (number of networks)</p></li><li><p>Total throughput = min (Disk, CPU, and Network throughput)</p></li></ul></div><p>A typical test, in this case for an FTP <code class="literal">get</code>, would be entered as in <a href="#appb-37370" title="Table B.9. Ethernet Interface to Same Host: FTP">Table 2.9</a></p><div class="table"><a name="appb-37370"></a><p class="title"><b>Table B.9. Ethernet Interface to Same Host: FTP </b></p><div class="table-contents"><table summary="Ethernet Interface to Same Host: FTP " border="1"><colgroup><col><col><col><col><col><col></colgroup><thead><tr><th><p>Run No</p></th><th><p>Size in Bytes</p></th><th><p>Time, sec</p></th><th><p>Bytes/sec</p></th><th><p>Bits/sec</p></th><th><p>% of 10 Mb/s</p></th></tr></thead><tbody><tr><td><p>1</p></td><td><p>1812898</p></td><td><p>2.3</p></td><td><p>761580</p></td><td> </td><td> </td></tr><tr><td><p>2</p></td><td> </td><td><p>2.3</p></td><td><p>767820</p></td><td> </td><td> </td></tr><tr><td><p>3</p></td><td> </td><td><p>2.4</p></td><td><p>747420</p></td><td> </td><td> </td></tr><tr><td><p>4</p></td><td> </td><td><p>2.3</p></td><td><p>760020</p></td><td> </td><td> </td></tr><tr><td><p>5</p></td><td> </td><td><p>2.3</p></td><td><p>772700</p></td><td> </td><td> </td></tr><tr><td><p>Average:</p></td><td> </td><td><p>2.32</p></td><td><p>777310</p></td><td><p>6218480</p></td><td><p>62</p></td></tr><tr><td><p>Deviation:</p></td><td> </td><td><p>0.04</p></td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><p>The Sparc example we used earlier would look like <a href="#SAMBA-AP-B-TBL-10" title="Table B.10. Sparc 20 Example, Redux">Table 2.10</a>.</p><div class="table"><a name="SAMBA-AP-B-TBL-10"></a><p class="title"><b>Table B.10. Sparc 20 Example, Redux</b></p><div class="table-contents"><table summary="Sparc 20 Example, Redux" border="1"><colgroup><col><col><col><col><col><col><col></colgroup><thead><tr><th><p>CPU</p></th><th><p>CPU Throughput</p></th><th><p>Number of Disks</p></th><th><p>Disk Throughput</p></th><th><p>Number of Networks</p></th><th><p>Network Throughput</p></th><th><p>Total Throughput</p></th></tr></thead><tbody><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>1</p></td><td><p>560</p></td><td><p>1 10base2</p></td><td><p>1,113</p></td><td><p>560</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>6</p></td><td><p>3,360</p></td><td><p>1</p></td><td><p>1,113</p></td><td><p>1,113</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>6</p></td><td><p>3,360</p></td><td><p>4 10base2</p></td><td><p>4,452</p></td><td><p>3,360</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>20</p></td><td><p>11,200</p></td><td><p>4</p></td><td><p>4,452</p></td><td><p>4,452</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>20</p></td><td><p>11,200</p></td><td><p>2 100base2</p></td><td><p>13,000</p></td><td><p>11,200</p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.appb-pgfId-951214" href="#appb-pgfId-951214">1</a>] </sup>See Wong. Brian L, <span class="emphasis"><em>Configuration and Capacity Planning for Solaris Servers</em></span>, Englewood Cliffs, NJ (Sun/Prentice-Hall), 1997, ISBN 0-13-349952-9.</p></div><div class="footnote"><p><sup>[<a name="ftn.appb-pgfId-951230" href="#appb-pgfId-951230">2</a>] </sup>See Jain, Raj, <span class="emphasis"><em>The Art of Computer Systems Performance Analysis</em></span>, New York, NY (John Wiley and Sons), 1991, ISBN 0-47-150336-3.</p></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-C"></a>Appendix C. Samba Configuration Option Quick Reference</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appc-SECT-1">C.1. Configuration Options</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-2">C.2. Glossary of Configuration Values</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-3">C.3. Configuration File Variables</a></span></dt></dl></div><p>The following pages list each of the Samba configuration +options. If an option is applicable only to the global section, +"[global]" will appear before its name. Any lists mentioned are space +separated, except where noted. A glossary of terms follows the +options.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appc-SECT-1"></a>Configuration Options</h2></div></div></div><div class="refentry" lang="en"><a name="appc-refentry-1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>admin users = user list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users who will be granted root permissions on the share by Samba.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-2"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>allow hosts = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">hosts allow</code>. List of machines that may connect to a share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-3"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>alternate permissions = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete. Has no effect in Samba 2. Files will be shown as read-only if the owner can't write them. In Samba 1.9 and earlier, setting this option would set the DOS filesystem read-only attribute on any file the user couldn't read. This in turn required the <code class="literal">delete readonly</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-4"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] announce as = system type</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Have Samba announce itself as something other than an NT server. Discouraged because it interferes with serving browse lists.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] announce version = number.number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Instructs Samba to announce itself as an older version SMB server. Discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-6"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] auto services = share list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of shares that will always appear in browse lists. A synonym is <code class="literal">preload</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-7"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>available = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to NO, denies access to a share. Doesn't affect browsing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] bind interfaces only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, shares and browsing will be provided only on interfaces in an interfaces list (see <code class="literal">interfaces</code>). New in Samba 1.9.18. If you set this option to YES, be sure to add 127.0.0.1 to the interfaces list to allow <span class="emphasis"><em>smbpasswd</em></span> to connect to the local machine to change passwords. This is a convienence option; it does not improve security.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-9"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>browsable = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows a share to be announced in browse lists.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-10"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>blocking locks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, honors byte range lock requests with time limits for queuing the request and retrying it until the time period expires. New in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-11"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] browse list = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Turns on/off <code class="literal">browse</code> <code class="literal">list</code> from this server. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-12"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] case sensitive = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, uses exactly the case the client supplied when trying to resolve a filename. If NO, matches either upper- or lowercase name. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-13"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] case sig names = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">case sensitive</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-14"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] change notify timeout = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the number of seconds between checks when a client asks for notification of changes in a directory. Introduced in Samba 2.0 to limit the performance cost of the checks. Avoid lowering.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-15"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>character set = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set, translates from DOS code pages to the Western European (ISO8859-1), Eastern European (ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian (KOI8-R) character set. The <code class="literal">client code page</code> must be set to 850.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-16"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>client code page = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the DOS code page explicitly, overriding any previous <code class="literal">valid chars</code> settings. Examples of values are 850 for European, 437 is the US standard, and 932 for Japanese Shift-JIS. Introduced in Samba 1.9.19.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-17"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>coding system = code</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the coding system used, notably for Kanji. This is employed for filenames and should correspond to the code page in use. The <code class="literal">client code page</code> option must be set to 932 (Japanese Shift-JIS). Introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-18"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>comment = text</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the comment that appears beside a share in a NET VIEW or the details list of a Microsoft directory window. See also the <code class="literal">server string</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-19"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] config file = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Selects an additional Samba configuration file to read instead of the current one. Used to relocate the configuration file, or used with %-variables to select custom configuration files for some users or machines.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-20"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>copy = section name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Copies the configuration of a previously seen share into the share where it appears. Used with %-variables to select custom configurations for machines, architectures and users. The copied section must be earlier in the configuration file. Copied options are of lesser priority than those explicitly listed in the section.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-21"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>create mask = octal value</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Also called <code class="literal">create mode</code>. Sets the maximum allowable permissions for new files (e.g., 0755). See also <code class="literal">directory mask</code>. To require certain permissions to be set, see <code class="literal">force create mask/force directory mask</code>. This option stopped affecting directories in Samba 1.9.17, and the default value changed in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-22"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>create mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">create mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-23"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] deadtime = minutes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>The time in minutes before an unused connection will be terminated. Zero means forever. Used to keep clients from tying up server resources forever. If used, clients will have to auto-reconnect after minutes of inactivity. See also <code class="literal">keepalive</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-24"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] debug level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the logging level used. Values of 3 or more slow Samba noticeably. A synonym is <code class="literal">log level</code>. Recommended value: 1.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-25"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] debug timestamp = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Timestamps all log messages. Can be turned off when it's not useful (e.g., in debugging). New in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-26"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] default = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Also called <code class="literal">default service</code>. The name of a service (share) to provide if someone requests a service they don't have permission to use or which doesn't exist. As of Samba 1.9.14, the path will be set from the name the client specified, with any "_" characters changed to "/" characters, allowing access to any directory on the Samba server. Use is strongly discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-27"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>default case = case</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the case in which to store new filenames. LOWER indicates mixed case, UPPER indicates uppercase letters.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-28"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] default service = share name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">default</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-29"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>delete readonly = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow delete requests to remove read-only files. This is not allowed in DOS/Windows, but is normal in Unix, which has separate directory permissions. Used with programs like RCS, or with the older <code class="literal">alternate permissions</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-30"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>delete veto files = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow delete requests for a directory containing files or subdirectories the user can't see due to the <code class="literal">veto files</code> option. If set to NO, the directory will not be deleted and will still contain invisible files.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-31"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>deny hosts = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A synonym is <code class="literal">hosts deny</code>. Specifies a list of machines from which to refuse connections or shares.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-32"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] dfree command = command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A command to run on the server to return disk free space. Not needed unless the OS command does not work properly.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-33"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>directory = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">path</code>. A directory provided by a file share, or used by a printer share. Set automatically in the <code class="literal">[homes]</code> share to user's home directory, otherwise defaults to<code class="filename"> /tmp</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-34"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>directory mask = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Also called <code class="literal">directory mode</code>. Sets the maximum allowable permissions for newly created directories. To require certain permissions be set, see the <code class="literal">force create mask</code> and <code class="literal">force directory mask</code> options.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-35"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>directory mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">directory mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-36"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] dns proxy = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, and if <code class="literal">wins server = YES</code>, look up hostnames in DNS if they are not found using WINS.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-37"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] domain logons = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow Windows 95/98 or NT clients to log on to an NT-like domain.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-38"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] domain master = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Become a domain master browser list collector if possible for the entire workgroup/domain.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-39"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>dont descend = comma-list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Does not allow a change directory or search in the directories specified. This is a browsing convenience option; it doesn't provide any extra security.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-40"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>dos filetimes = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow non-owners to change file times if they can write to the file. See also <code class="literal">dos filetime resolution</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-41"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>dos filetime resolution = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set file times on Unix to match DOS standards (round to next even second). Recommended if using Visual C++ or a PC <span class="emphasis"><em>make</em></span> program to avoid remaking the programs unnecesarily. Use with the <code class="literal">dos filetimes</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-42"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] encrypt passwords = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Uses Windows NT-style password encryption. Requires an <code class="filename">smbpasswd</code> on the Samba server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-43"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>exec = command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">preexec</code>, a command to run as the user just before connecting to the share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-44"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>fake directory create times = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Bug fix for users of Microsoft <span class="emphasis"><em>nmake</em></span>. If set, Samba will set directory create times such that <span class="emphasis"><em>nmake</em></span> won't remake all files every time.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-45"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>fake oplocks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Return YES whenever a client asks if it can lock a file and cache it locally, but does not enforce lock on the server. Use only for read-only disks, as Samba now supports real <code class="literal">oplocks</code> and has per-file overrides. See also <code class="literal">oplocks</code> and <code class="literal">veto oplock files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-46"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>follow symlinks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba will follow symlinks in a file share or shares. See the <code class="literal">wide links</code> option if you want to restrict symlinks to just the current share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-47"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force create mask = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Provides bits that will be <code class="literal">OR</code>ed into the permissions of newly created files. Used with the <code class="literal">create mode</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-48"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force create mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">force create mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-49"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force directory mask = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Provides bits that will be <code class="literal">OR</code>ed into the permissions of newly created directories, forcing those bits to be set. Used with <code class="literal">directory mode</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-50"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force directory mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">force</code> <code class="literal">directory</code> <code class="literal">mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-51"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force group = unix group</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the effective group name assigned to all users accessing a share. Used to override user's normal groups.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-52"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force user = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the effective username assigned to all users accessing a share. Discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-53"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>fstype = string</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the filesystem type reported to the client.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-54"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] getwd cache = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Cache current directory for performance. Recommended with the <code class="literal">wide links</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-55"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>group = group</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>An obsolete form of <code class="literal">force group</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-56"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>guest account = user</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the name of the unprivileged Unix account to use for tasks like printing and for accessing shares marked with <code class="literal">guest ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-57"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>guest ok = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, passwords are not needed for this share. Synonym of <code class="literal">public</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-58"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>guest only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Forces user of a share to do so as the guest account. Requires <code class="literal">guest</code> <code class="literal">ok</code> or <code class="literal">public</code> to be <code class="literal">yes</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-59"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hide dot files = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Treats files beginning with a dot in a share as if they had the DOS/Windows hidden attribute set.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-60"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hide files = slash-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of file or directory names to set the DOS hidden attribute on. Names may contain <code class="literal">?</code> or <code class="literal">*</code> pattern-characters and <code class="literal">%</code>-variables. See also <code class="literal">hide</code> <code class="literal">dot</code> <code class="literal">files</code> and <code class="literal">veto</code> <code class="literal">files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-61"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] homedir map = NIS map name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Used with <code class="literal">nis homedir</code> to locate user's Unix home directory from Sun NIS (not NIS+).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-62"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hosts allow = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">allow hosts</code>, a list of machines that can access a share or shares. If NULL (the default) any machine can access the share unless there is a <code class="literal">hosts deny</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-63"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hosts deny = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">deny hosts</code>, a list of machines that cannot connect to a share or shares.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-64"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] hosts equiv = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Path to a file of trusted machines from which password-less logins are allowed. Strongly discouraged, because Windows/NT users can always override the user name, the only security in this scheme.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-65"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>include = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Include the named file in <code class="filename">smb.conf</code> at the line where it appears. This option does not understand the variables <code class="literal">%u</code> (user), <code class="literal">%P</code> (current share's root directory), or <code class="literal">%S</code> (current share name), because they are not set at the time the file is read.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-66"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] interfaces = interface list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the interfaces to which Samba will respond. The default is the machine's primary interface only. Recommended on multihomed machines or to override erroneous addresses and netmasks.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-67"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>invalid users = user list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users that will not be permitted access to a share or shares.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-68"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] keepalive = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Number of seconds between checks for a crashed client. The default of 0 causes no checks to be performed. Recommended if you want checks more often than every four hours. 3600 (10 minutes) is reasonable. See also <code class="literal">socket options</code> for another approach.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-69"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] kernel oplocks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Break oplock when a Unix process accesses an <span class="emphasis"><em>oplocked</em></span> file, preventing corruption. Set to YES on operating systems supporting this, otherwise set to NO. New in Samba 2.0; supported on SGI, and hopefully soon on Linux and BSD. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-70"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap filter = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-71"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap port = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-72"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap root = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-73"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap server = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-74"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap suffix = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-75"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] load printers = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Load all printer names from the system printer capabilities into browse list. Uses configuration options from the <code class="literal">[printers]</code> section.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-76"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] local master = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Stands for election as the local master browser. See also <code class="literal">domain master</code> and <code class="literal">os level</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-77"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lm announce = value</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Produce OS/2 SMB broadcasts at an interval specified by the <code class="literal">lm interval</code> option. YES/NO turns them on/off unconditionally. AUTO causes the Samba server to wait for a LAN Manager announcement from another client before sending one out. Required for OS/2 client browsing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-78"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lm interval = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the time period, in seconds, between OS/2 SMB broadcast announcements.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-79"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lock directory = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set a directory to keep lock files in. The directory must be writable by Samba, readable by everyone.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-80"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>locking = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Perform file locking. If set to NO, Samba will accept lock requests but will not actually lock resources. Recommended only for read-only file systems.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-81"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] log file = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set name and location of the log file. Allows all %-variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-82"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] log level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A synonym of <code class="literal">debug level</code>. Sets the logging level used. Values of 3 or more slow the system noticeably.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-83"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon drive = drive</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the drive on Windows NT (only) of the <code class="literal">logon path</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-84"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon home = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the home directory of a Windows 95/98 or NT Workstation user. Allows <code class="literal">NET</code> <code class="literal">USE</code> <code class="literal">H:/HOME</code> from the command prompt.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-85"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon path = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets path to Windows profile directory. This contains <span class="emphasis"><em>USER.MAN</em></span> and/or <span class="emphasis"><em>USER.DAT</em></span> profile files and the Windows 95 Desktop, Start Menu, Network Neighborhood, and programs folders.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-86"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon script = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets pathname relative to <code class="literal">[netlogin]</code> share of a DOS/NT script to run on the client at login time. Allows all %-variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-87"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lppause command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to pause a print job. Honors the <code class="literal">%p</code> (printer name) and <code class="literal">%j</code> (job number) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-88"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lpresume command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to resume a paused print job. Honors the <code class="literal">%p</code> (printer name) and <code class="literal">%j</code> ( job number) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-89"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lpq cache time = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets how long to keep print queue (<code class="literal">lpq </code>) status is cached, in seconds.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-90"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lpq command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to get printer status. Usually initialized to a default value by the <code class="literal">printing</code> option. Honors the <code class="literal">%p</code> (printer name) variable.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-91"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lprm command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to delete a print job. Usually initialized to a default value by the <code class="literal">printing</code> option. Honors the <code class="literal">%p</code> (printer name) and <code class="literal">%j</code> (job number) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-92"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>machine password timeout = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the period between (NT domain) machine password changes. Default is 1 week, or 604,800 seconds.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-93"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>magic output = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the output file for the discouraged <code class="literal">magic scripts</code> option. Default is the script name, followed by the extension <span class="emphasis"><em>.out</em></span>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-94"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>magic script = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a filename for execution via a shell whenever the file is closed from the client, to allow clients to run commands on the server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-95"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangle case = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Mangle a name if it is in mixed case.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-96"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangled map = map list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set up a table of names to remap (e.g., <span class="emphasis"><em>.html</em></span> to <span class="emphasis"><em>.htm</em></span>).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-97"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangled names = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets Samba to abbreviate names that are too long or have unsupported characters to the DOS 8.3 style.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-98"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangling char = character</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the unique mangling character used in all mangled names.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-99"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] mangled stack = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the size of a cache of recently-mangled filenames.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-100"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map aliasname = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Points to a file of Unix group/NT group pairs, one per line. This is used to map NT aliases to Unix group names. See also the configuration options <code class="literal">username</code> <code class="literal">map</code> and <code class="literal">map</code> <code class="literal">groupname</code>. Introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-101"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map archive = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba sets the executable-by-user (0100) bit on Unix files if the DOS archive attribute is set. Recommended: if used, the <code class="literal">create mask</code> must contain the 0100 bit.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-102"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map hidden = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, sets executable-by-other (0001) bit on Unix files if the DOS hidden attribute is set. If used, the <code class="literal">create mask</code> option must contain the 0001 bit.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-103"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map groupname = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Points to a file of Unix group/NT group, one per line. This is used to map NT group names to Unix group names. See also the configuration options <code class="literal">username</code> <code class="literal">map</code> and <code class="literal">map</code> <code class="literal">aliasname</code>. Introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-104"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map system = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba sets the executable-by-group (0010) bit on Unix files if the DOS system attribute is set. If used, the <code class="literal">create mask</code> must contain the 0010 bit.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-105"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>max connections = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set maximum number of connections allowed to a share from each individual client machine.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-106"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max disk size = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets maximum disk size/free-space size (in megabytes) to return to client. Some clients or applications can't understand large maximum disk sizes.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-107"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max log size = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the size (in kilobytes) at which Samba will start a new log file. The current log file will be renamed with an <span class="emphasis"><em>.old</em></span> extension, replacing any previous file with that name.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-108"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max mux = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the number of simultaneous operations that Samba clients may make. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-109"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max packet = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">packet size</code>. Obsolete as of Samba 1.7. Use <code class="literal">max xmit</code> instead.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-110"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max open files = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Limits the number of files a Samba process will try to keep open at one time. Samba allows you to set this to less than the Unix maximum. This option is a workaround for a separate problem. Avoid changing. This option was introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-111"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max ttl = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the time to keep NetBIOS names in <span class="emphasis"><em>nmbd</em></span> cache while trying to perform a lookup on it. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-112"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max wins ttl = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Limits time-to-live of a NetBIOS name in <span class="emphasis"><em>nmbd</em></span> WINS cache, in seconds. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-113"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max xmit = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets maximum packet size that will be negotiated by Samba. Tuning parameter for slow links and older client bugs. Values less than 2048 are discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-114"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] message command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command on the server to run when a WinPopup message arrives from a client. The command must end in "<code class="literal">&</code>" to allow immediate return. Honors all %-variables except <code class="literal">%u</code> (user), and supports the extra variables <code class="literal">%s</code> (filename the message is in), <code class="literal">%t</code> (destination machine), and <code class="literal">%f</code> (from).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-115"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>min print space = kilobytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets minimum spool space required before accepting a print request.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-116"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] min wins ttl = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets minimum time-to-live of a NetBIOS name in <span class="emphasis"><em>nmbd</em></span> WINS cache, in seconds. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-117"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>name resolve order = list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets order of lookup when trying to get IP address from names. The <code class="literal">hosts</code> parameter carrries out a regular name look up using the server's normal sources: <span class="emphasis"><em>/etc/hosts</em></span>, DNS, NIS, or a combination of them. Introduced in Samba 1.9.18p4.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-118"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] netbios aliases = list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Adds additional NetBIOS names by which a Samba server will advertise itself.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-119"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>netbios name = hostname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the NetBIOS name by which a Samba server is known, or primary name if NetBIOS aliases exist.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-120"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] networkstation user login = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to NO, clients will not do a full login when <code class="literal">security = server</code>. Avoid changing. Turning it off is a temporary workaround (introduced in Samba 1.9.18p3) for NT trusted domains bug. Automatic correction was introduced in Samba 1.9.18p10; the parameter may eventually be removed.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-121"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] nis homedir = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, the <code class="literal">homedir map</code> will be used to look up the user's home-directory server name and return it to the client. The client will contact that machine to connect to the share. This avoids mounting from a machine that doesn't actually have the disk. The machine with the home directories must be an SMB server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-122"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] nt pipe support = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows turning off NT-specific pipe calls. This is a developer/benchmarking option and may be removed in the future. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-123"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] nt smb support = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, allow NT-specific SMBs to be used. This is a developer/benchmarking option and may be removed in the future. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-124"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] null passwords = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, allows access to accounts that have null passwords. Strongly discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-125"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ole locking compatibility = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, locking ranges will be mapped to avoid Unix locks crashing when Windows uses locks above 32KB. You should avoid changing this option. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-126"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>only guest = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A synonym for <code class="literal">guest only</code>. Forces user of a share to login as the guest account.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-127"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>only user = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Requires that users of the share be on a <code class="literal">username =</code> list.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-128"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>oplocks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, support local caching of <span class="emphasis"><em>opportunistic</em></span> locked files on client. This option is recommended because it improves performance by about 30%. See also <code class="literal">fake</code> <code class="literal">oplocks</code> and <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-129"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] os level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the candidacy of the server when electing a browse master. Used with the <code class="literal">domain</code> <code class="literal">master</code> or <code class="literal">local</code> <code class="literal">master</code> options. You can set a higher value than a competing operating system if you want Samba to win. Windows for Workgroups and Windows 95 use 1, Windows NT client uses 17, and Windows NT Server uses 33.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-130"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] packet size = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete. Discouraged synonym of <code class="literal">max packet</code>. See <code class="literal">max xmit</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-131"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] passwd chat debug = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Logs an entire password chat, including passwords passed, with a log level of 100. For debugging only. Introduced in Samba 1.9.18p5.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-132"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] passwd chat = command sequence</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to change passwords on the server. Supports the variables <code class="literal">%o</code> (old password) and <code class="literal">%n</code> (new password) and allows <code class="literal">\r</code> <code class="literal">\n</code> <code class="literal">\t</code> and <code class="literal">\s</code> (space) escapes in the sequence.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-133"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] passwd program = program</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to change user's password. Will be run as <code class="literal">root</code>. Supports <code class="literal">%u</code> (user).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-134"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] password level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Specifies the number of uppercase letter permutations used to match passwords. Workaround for clients that change passwords to a single case before sending them to the Samba server. Causes repeated login attempts with passwords in different cases, which can trigger account lockouts.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-135"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] password server = netbios names</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A list of SMB servers that will validate passwords for you. Used with an NT password server (PDC or BDC) and the <code class="literal">security</code> <code class="literal">=</code> <code class="literal">server</code> or <code class="literal">security</code> <code class="literal">=</code> <code class="literal">domain</code> configuration options. Caution: an NT password server must allow logins from the Samba server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-136"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>panic action = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to run when Samba panics. For Samba developers and testers, <code class="literal">/usr/bin/X11/xterm -display :0 -e gdb /samba/bin/smbd %d</code> is a possible value.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-137"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>path = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the path to the directory provided by a file share or used by a printer share. Set automatically in <code class="literal">[homes]</code> share to user's home directory, otherwise defaults to<code class="filename"> /tmp</code>. Honors the <code class="literal">%u</code> (user) and <code class="literal">%m</code> (machine) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-138"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>postexec = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as the user after disconnecting from the share. See also the options <code class="literal">preexec</code>, <code class="literal">root preexec</code>, and <code class="literal">root postexec</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-139"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>postscript = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Flags a printer as PostScript to avoid a Windows bug by inserting <code class="literal">%!</code> as the first line. Works only if printer actually is PostScript compatible.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-140"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>preexec = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as the user before connecting to the share. See also the options <code class="literal">postexec</code>, <code class="literal">root preexec</code>, and <code class="literal">root postexec</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-141"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] preferred master = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba is preferred to become the master browser. Causes Samba to call a browsing election when it comes online.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-142"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>preload = share list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">auto</code> <code class="literal">services</code>. Specifies a list of shares that will always appear in browse lists.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-143"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>preserve case = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, this option leaves filenames in the case sent by client. If no, it forces filenames to the case specified by the <code class="literal">default</code> <code class="literal">case</code> option. See also <code class="literal">short preserve case</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-144"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>print command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to send a spooled file to the printer. Usually initialized to a default value by the <code class="literal">printing</code> option. This option honors the <code class="literal">%p</code> (printer name), <code class="literal">%s</code> (spool file) and <code class="literal">%f</code> (spool file as a relative path) variables. Note that the command in the value of the option must include file deletion of the spool file.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-145"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>print ok = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">printable</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-146"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printable = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a share to be a print share. Required for all printers.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-147"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] printcap name = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the path to the printer capabilities file used by the <code class="literal">[printers]</code> share. The default value changes to <code class="filename">/etc/qconfig</code> under AIX and <code class="filename">lpstat</code> on System V.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-148"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the name of the Unix printer.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-149"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer driver = printer driver name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the string to pass to Windows when asked what driver to use to prepare files for a printer share. Note that the value is case sensitive.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-150"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] printer driver file = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the location of a <span class="emphasis"><em>msprint.def</em></span> file, usable by Windows 95/98.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-151"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer driver location = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the location of the driver for a particular printer. The value is a pathname for a share that stores the printer driver files.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-152"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer name = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">printer</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-153"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printing = style</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets printing style to one of the above, instead of the compiled-in value. This sets initial values of at least the <code class="literal">print</code> <code class="literal">command </code>, <code class="literal">print</code> <code class="literal">command </code>, <code class="literal">lpq</code> <code class="literal">command </code>, and <code class="literal">lprm</code> <code class="literal">command</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-154"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] protocol = protocol</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets SMB protocol version to one of the allowable +values. Resetting is highly discouraged. Only for backwards +compatibility with older-client bugs.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-155"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>public = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, passwords are not needed for this share. A synonym is <code class="literal">guest ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-156"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>queuepause command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to pause a print queue. Usually initialized to a default value by the <code class="literal">printing</code> option. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-157"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>queueresume command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to resume a print queue. Usually initialized to a default value by the <code class="literal">printing</code> option. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-158"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>read bmpx = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete. Do not change.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-159"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>read list = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Specifies a list of users given read-only access to a writeable share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-160"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>read only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a share to read-only. Antonym of <code class="literal">writable</code> and <code class="literal">write ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-161"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] read prediction = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Reads ahead data for read-only files. Obsolete; removed in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-162"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] read raw = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows fast streaming reads over TCP using 64K buffers. Recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-163"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] read size = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a buffering option for servers with mismatched disk and network speeds. Requires experimentation. Avoid changing. Should not exceed 65536.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-164"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] remote announce = remote list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Adds workgroups to the list on which the Samba server will announce itself. Specified as IP address/workgroup (for instance, 192.168.220.215/SIMPLE) with multiple groups separated by spaces. Allows directed broadcasts. The server will appear on those workgroup's browse lists. Does not require WINS.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-165"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] remote browse sync = address list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Enables Samba-only browse list synchronization with other Samba local master browsers. Addresses can be specific addresses or directed broadcasts (i.e., ###.###.###.255). The latter will cause Samba to hunt down the local master.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-166"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>revalidate = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, requires users to re-enter passwords even after a successful initial logon to a share with a password.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-167"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] root = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">root directory</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-168"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] root dir = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">root directory</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-169"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] root directory = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Specifies a directory to <code class="literal">chroot()</code> to before starting daemons. Prevents any access below that directory tree. See also the <code class="literal">wide links</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-170"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>root postexec = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as root after disconnecting from the share. See also <code class="literal">preexec</code>, <code class="literal">postexec</code>, and <code class="literal">root</code> <code class="literal">preexec</code> configuration options. Runs after the user's <code class="literal">postexec</code> command. Use with caution.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-171"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>root preexec = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as root before connecting to the share. See also <code class="literal">preexec</code>, <code class="literal">postexec</code>, and <code class="literal">root</code> <code class="literal">postexec</code> configuration options. Runs before the user's <code class="literal">preexec</code> command. Use with caution.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-172"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] security = value</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets password-security policy. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">share</code>, services have a shared password, available to everyone. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">user</code>, users have (Unix) accounts and passwords. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">server</code>, users have accounts and passwords and a separate machine authenticates them for Samba. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">domain</code>, full NT-domain authentication is done. See also the <code class="literal">password server</code> and <code class="literal">encrypted passwords</code> configuration options.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-173"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] server string = text</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the name that appears beside a server in browse lists. Honors the <code class="literal">%v</code> (Samba version number) and <code class="literal">%h</code> (hostname) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-174"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>set directory = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows DEC Pathworks client to use the <span class="emphasis"><em>set dir</em></span> command.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-175"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] shared file entries = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete; do not use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-176"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>shared mem size = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If compiled with FAST_SHARE_MODES (mmap), sets the shared memory size in bytes. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-177"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] smb passwd file = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Overrides compiled-in path to password file if <code class="literal">encrypted passwords</code> <code class="literal">=</code> <code class="literal">yes</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-178"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] smbrun = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Overrides compiled-in path to <code class="filename">smbrun</code> binary. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-179"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>share modes = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, this option supports Windows-style whole-file (deny mode) locks.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-180"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>short preserve case = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, leaves mangled 8.3-style filenames in the case sent by client. If no, it forces the case to that specified by the <code class="literal">default case</code> option. See also <code class="literal">preserve case</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-181"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] socket address = IP address</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets address on which to listen for connections. Default is to listen to all addresses. Used to support multiple virtual interfaces on one server. Highly discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-182"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] socket options = socket option list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets OS-specific socket options. <code class="literal">SO_KEEPALIVE</code> has TCP check clients every 4 hours to see if they are still accessible. <code class="literal">TCP_NODELAY</code> sends even tiny packets to keep delay low. Recommended wherever the operating system supports them. See <a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a>, for more information.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-183"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] status = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, logs connections to a file (or shared memory) accessible to <code class="filename">smbstatus</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-184"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>strict sync = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba will synchronize to disk whenever the client sets the sync bit in a packet. If set to NO, Samba flushes data to disk whenever buffers fill. Defaults to NO because Windows 98 Explorer sets the bit (incorrectly) in all packets. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-185"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>strict locking = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba checks locks on every access, not just on demand and at open time. Not recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-186"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] strip dot = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Removes trailing dots from filenames. Use <code class="literal">mangled map</code> instead.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-187"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] syslog = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets number of Samba log messages to send to <code class="filename">syslog</code>. Higher is more verbose. The <code class="filename">syslog.conf</code> file must have suitable logging enabled.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-188"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] syslog only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, log only to <span class="emphasis"><em>syslog,</em></span> not standard Samba log files.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-189"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>sync always = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba calls <span class="emphasis"><em>fsync</em></span>(3) after every write. Avoid except for debugging crashing servers.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-190"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] time offset = minutes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets number of minutes to add to system time zone calculation. Provided to fix a client daylight-savings bug; not recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-191"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] time server = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, <span class="emphasis"><em>nmbd</em></span> will provide time service to its clients.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-192"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>unix password sync = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set, will attempt to change the user's Unix password whenever the user changes his or her SMB password. Used to ease synchronization of Unix and Microsoft password databases. Added in Samba 1.9.18p4. See also <code class="literal">passwd chat</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-193"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>unix realname = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set, will provide the GCOS field of <code class="filename">/etc/passwd</code> to the client as the user's full name.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-194"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>update encrypted = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Updates the Microsoft-format password file when a user logs in with unencrypted passwords. Provided to ease conversion to encryped passwords for Windows 95/98 and NT. Added in Samba 1.9.18p5.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-195"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>user = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">username</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-196"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>username = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a list of users to try to log in as for a share or shares with share-level security. Synonyms are <code class="literal">user</code> and <code class="literal">users</code>. Discouraged. Use <code class="literal">NET USE \\</code><em class="replaceable"><code>server</code></em><code class="literal">\</code><em class="replaceable"><code>share </code></em><code class="literal">%</code><em class="replaceable"><code>user</code></em> from the client instead.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-197"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>username level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Number of uppercase letter permutations allowed to match Unix usernames. Workaround for Windows feature (single-case usernames). Use is discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-198"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] username map = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Names a file of Unix-to-Windows name pairs; used to map different spellings of account names and those Windows usernames longer than eight characters.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-199"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>valid chars = list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Semi-obsolete. Adds national characters to a character set map. Overridden by <code class="literal">client code page</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-200"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>valid users = user list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users that can log in to a share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-201"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>veto files = slash-list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of files not to allow the client to see when listing a directory's contents. See also <code class="literal">delete veto files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-202"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>veto oplock files = slash-list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of files not to oplock (and cache on clients). See also <code class="literal">oplocks</code> and <code class="literal">fake oplocks</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-203"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>volume = share name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the volume label of a disk share, notably a CD-ROM.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-204"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>wide links = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba will follow symlinks out of the current disk share(s). See also the <code class="literal">root dir</code> and <code class="literal">follow symlinks</code> options.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-205"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] wins proxy = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, <span class="emphasis"><em>nmbd</em></span> will proxy resolution requests to WINS servers on behalf of old clients, which use broadcasts. WINS server is typically on another subnet.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-206"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] wins server = host</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the DNS name or IP address of the WINS server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-207"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] wins support = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba activates WINS service. The <code class="literal">wins server</code> option must not be set if <code class="literal">wins support = yes</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-208"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] workgroup = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the workgroup to which things will be served. Overrides compiled-in value. Choosing a name other than <code class="literal">WORKGROUP</code> is strongly recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-209"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>writable = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Antonym for <code class="literal">read only</code>; synonym of <code class="literal">write ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-210"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>write list = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users that are given read-write access to a read-only share. See also <code class="literal">read list</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-211"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>write ok = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of the <code class="literal">writable</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-212"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] write raw = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows fast streaming writes over TCP, using 64KB buffers. Recommended.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appc-SECT-2"></a>Glossary of Configuration Values</h2></div></div></div><div class="variablelist"><dl><dt><span class="term"> +<a class="indexterm" name="appc-idx-990655-0"></a>Address list</span></dt><dd><p>A space-separated list of IP addresses in ###.###.###.### format.</p></dd><dt><span class="term">Comma-separated list</span></dt><dd><p>A list of items separated by commas.</p></dd><dt><span class="term">Command</span></dt><dd><p>A Unix command, with full path and parameters.</p></dd><dt><span class="term">Host list</span></dt><dd><p>A space-separated list of hosts. Allows IP addresses, address masks, domain names, ALL, and EXCEPT</p></dd><dt><span class="term">Interface list</span></dt><dd><p>A space-separated list of interfaces, in either address/netmask or address/n-bits format. For example, 192.168.2.10/24 or 192.168.2.10/255.255.255.0</p></dd><dt><span class="term">Map list</span></dt><dd><p>A space-separated list of file-remapping strings such as <code class="literal">(*.html</code> <code class="literal">*.htm)</code>.</p></dd><dt><span class="term">Remote list</span></dt><dd><p>A space-separated list of subnet-broadcast-address/workgroup pairs. For example, 192.168.2.255/SERVERS 192.168.4.255/STAFF.</p></dd><dt><span class="term">Service (share) list</span></dt><dd><p>A space-separated list of share names, without the enclosing square brackets.</p></dd><dt><span class="term">Slash-list</span></dt><dd><p>A list of filenames, separated by "/" characters to allow embedded spaces. For example, <code class="literal">/.*/fred</code> <code class="literal">flintstone/*.frk/</code>.</p></dd><dt><span class="term">Text</span></dt><dd><p>One line of text.</p></dd><dt><span class="term">User list</span></dt><dd><p>A space-separated list of usernames. In Samba 1.9, <code class="literal">@group-name</code> will include everyone in Unix group <code class="literal">group-name</code>. In Samba 2.0, <code class="literal">@group-name</code> includes whomever is in the NIS netgroup <code class="literal">group_name</code> if one exists, otherwise whomever is in the Unix group <code class="literal">group_name</code>. In addition, +<code class="literal">group_name</code> is a Unix group, &<code class="literal">group_name</code> is an NIS netgroup, and &+ and +& cause an ordered search of both Unix and NIS groups.</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appc-SECT-3"></a>Configuration File Variables</h2></div></div></div><p><a href="#appc-88529" title="Table C.1. Variables in Alphabetic Order">Table 3.1</a> lists of Samba configuration file variables.</p><div class="table"><a name="appc-88529"></a><p class="title"><b>Table C.1. Variables in Alphabetic Order </b></p><div class="table-contents"><table summary="Variables in Alphabetic Order " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Name</p></th><th><p>Meaning</p></th></tr></thead><tbody><tr><td><p><code class="literal">%a</code></p></td><td><p>Client's architecture (one of Samba, WfWg, WinNT, Win95, or UNKNOWN)</p></td></tr><tr><td><p><code class="literal">%d</code></p></td><td><p>Current server process's processID</p></td></tr><tr><td><p><code class="literal">%f</code></p></td><td><p>Print-spool file as a relative path (printing only)</p></td></tr><tr><td><p><code class="literal">%f</code></p></td><td><p>User from which a message was sent (messages only)</p></td></tr><tr><td><p><code class="literal">%G</code></p></td><td><p>Primary group name of <code class="literal">%U</code> (requested username)</p></td></tr><tr><td><p><code class="literal">%g</code></p></td><td><p>Primary group name of <code class="literal">%u</code> (actual username)</p></td></tr><tr><td><p><code class="literal">%H</code></p></td><td><p>Home directory of <code class="literal">%u</code> (actual username)</p></td></tr><tr><td><p><code class="literal">%h</code></p></td><td><p>Samba server's (Internet) hostname</p></td></tr><tr><td><p><code class="literal">%I</code></p></td><td><p>Client's IP address</p></td></tr><tr><td><p><code class="literal">%j</code></p></td><td><p>Print job number (printing only)</p></td></tr><tr><td><p><code class="literal">%L</code></p></td><td><p>Samba server's NetBIOS name (virtual servers have multiple names)</p></td></tr><tr><td><p><code class="literal">%M</code></p></td><td><p>Client's (Internet) hostname</p></td></tr><tr><td><p><code class="literal">%m</code></p></td><td><p>Client's NetBIOS name</p></td></tr><tr><td><p><code class="literal">%n</code></p></td><td><p>New password (password change only)</p></td></tr><tr><td><p><code class="literal">%N</code></p></td><td><p>Name of the NIS home directory server (without NIS, same as <code class="literal">%L</code>)</p></td></tr><tr><td><p><code class="literal">%o</code></p></td><td><p>Old password (password change only)</p></td></tr><tr><td><p><code class="literal">%P</code></p></td><td><p>Current share's root directory (actual)</p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>Current share's root directory (in an NIS homedir map)</p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>Print filename (printing only)</p></td></tr><tr><td><p><code class="literal">%R</code></p></td><td><p>Protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)</p></td></tr><tr><td><p><code class="literal">%S</code></p></td><td><p>Current share's name</p></td></tr><tr><td><p><code class="literal">%s</code></p></td><td><p>Filename the message is in (messages only)</p></td></tr><tr><td><p><code class="literal">%s</code></p></td><td><p>Print-spool file name (printing only)</p></td></tr><tr><td><p><code class="literal">%T</code></p></td><td><p>Current date and time</p></td></tr><tr><td><p><code class="literal">%t</code></p></td><td><p>Destination machine (messages only)</p></td></tr><tr><td><p><code class="literal">%u</code></p></td><td><p>Current share's username</p></td></tr><tr><td><p><code class="literal">%U</code></p></td><td><p>Requested username for current share</p></td></tr><tr><td><p><code class="literal">%v</code></p></td><td><p>Samba version</p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-D"></a>Appendix D. Summary of Samba Daemons and Commands</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appd-SECT-1">D.1. Samba Distribution Programs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appd-SECT-1.1">D.1.1. smbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.2">D.1.2. nmbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.3">D.1.3. Samba Startup File </a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.4">D.1.4. smbsh</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.5">D.1.5. smbclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.6">D.1.6. smbstatus</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.7">D.1.7. smbtar</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.8">D.1.8. nmblookup</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.9">D.1.9. smbpasswd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.10">D.1.10. testparm</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.11">D.1.11. testprns</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.12">D.1.12. rpcclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.13">D.1.13. tcpdump</a></span></dt></dl></dd></dl></div><p>This appendix is a reference listing of command-line options and other information to help you use the executables that come with Samba distribution.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appd-SECT-1"></a>Samba Distribution Programs</h2></div></div></div><p>The following sections provide information about the command-line parameters for Samba programs.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.1"></a>smbd</h3></div></div></div><p> +<a class="indexterm" name="appd-idx-993627-0"></a> +<a class="indexterm" name="appd-idx-993627-1"></a>The <span class="emphasis"><em>smbd</em></span> program provides Samba's file and printer services, using one TCP/IP stream and one daemon per client. It is controlled from the default configuration file, <em class="replaceable"><code>samba_dir</code></em><span class="emphasis"><em>/lib/smb.conf</em></span>, and can be overridden by command-line options.</p><p>The configuration file is automatically re-evaluated every minute. If it has changed, most new options are immediately effective. You can force Samba to immediately reload the configuration file if you send a SIGHUP to <span class="emphasis"><em>smbd</em></span>. Reloading the configuration file, however, will not affect any clients that are already connected. To escape this "grandfather" configuration, a client would need to disconnect and reconnect, or the server itself would have to be restarted, forcing all clients to reconnect.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.1.1"></a>Other signals</h4></div></div></div><p>To shut down a <span class="emphasis"><em>smbd</em></span> process, send it the termination signal SIGTERM (-15) which allows it to die gracefully instead of a SIGKILL (-9). To increment the debug logging level of <span class="emphasis"><em>smbd</em></span> at runtime, send the program a SIGUSR1 signal. To decrement it at runtime, send the program a SIGUSR2 signal.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.1.2"></a>Command-line options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code></span></dt><dd><p>The <span class="emphasis"><em>smbd</em></span> program is run as a daemon. This is the recommended way to use <span class="emphasis"><em>smbd</em></span> (it is also the default action). In addition, <span class="emphasis"><em>smbd</em></span> can also be run from <span class="emphasis"><em>inetd</em></span>.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debuglevel</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. Specifying the value on the command line overrides the value specified in the <code class="filename">smb.conf</code> file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow <span class="emphasis"><em>smbd</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-h</code> </span></dt><dd><p>Prints command-line usage information for the <code class="filename">smbd</code> program.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.1.3"></a>Testing/debugging options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code></span></dt><dd><p>If this is specified, each new connection to the Samba server will append all logging messages to the log file. This option is the opposite of <code class="literal">-o</code>, and is the default.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backwards compatibility.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_file</code></em></span></dt><dd><p>Send the log messages to somewhere other than the location compiled in or specified in the <code class="filename">smb.conf</code> file. The default is often <code class="filename">/usr/local/samba/var/log.smb</code>, <code class="filename">/usr/samba/var/log.smb,</code> or <code class="filename">/var/log/log.smb</code>. The first two are strongly discouraged on Linux, where <code class="filename">/usr</code> may be a read-only filesystem.</p></dd><dt><span class="term"><code class="literal">-O</code> <em class="replaceable"><code>socket_options</code></em></span></dt><dd><p>This sets the TCP/IP socket options, using the same parameters as the <code class="literal">socket</code> <code class="literal">options</code> configuration option. It is often used for performance tuning and testing.</p></dd><dt><span class="term"><code class="literal">-o</code></span></dt><dd><p>This option is the opposite of <code class="literal">-a</code>. It causes log files to be overwritten when opened. Using this option saves hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.</p></dd><dt><span class="term"><code class="literal">-P</code></span></dt><dd><p>This option forces <code class="filename">smbd</code> not to send any network data out. This option is typically used only by Samba developers.<a class="indexterm" name="appd-idx-994096-0"></a></p></dd><dt><span class="term"><code class="literal">-P</code></span></dt><dd><p>This option forces <code class="filename">smbd</code> not to send any network data out. This option is typically used only by Samba developers. <a class="indexterm" name="appd-idx-994102-0"></a></p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>port_number</code></em></span></dt><dd><p>This sets the TCP/IP port number that the server will accept requests from. Currently, all Microsoft clients send only to the default port: 139.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Although the file defaults to <code class="filename">/usr/local/samba/lib/smb.conf</code>, you can override it here on the command line, typically for debugging.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.2"></a>nmbd</h3></div></div></div><p> +<a class="indexterm" name="appd-idx-993645-0"></a>The <span class="emphasis"><em>nmbd</em></span> program is Samba's NetBIOS name and browsing daemon. It replies to broadcast NetBIOS over TCP/IP (NBT) name-service requests from SMB clients and optionally to Microsoft's Windows Internet Name Service (WINS) requests. Both of these are versions of the name-to-address lookup required by SMB clients. The broadcast version uses UDP/IP broadcast on the local subnet only, while WINS uses TCP/IP, which may be routed. If running as a WINS server, <span class="emphasis"><em>nmbd</em></span> keeps a current name and address database in the file <code class="filename">wins.dat</code> in the <code class="literal">samba_dir</code><code class="filename">/var/locks</code> directory.</p><p>An active <span class="emphasis"><em>nmbd</em></span> program can also respond to browsing protocol requests used by the Windows Network Neighborhood. Browsing is a combined advertising, service announcement, and active directory protocol. This protocol provides a dynamic directory of servers and the disks and printers that the servers are providing. As with WINS, this was initially done by making UDP/IP broadcasts on the local subnet. Now, with the concept of a local master browser, it is done by making TCP/IP connections to a server. If <span class="emphasis"><em>nmbd</em></span> is acting as a local master browser, it stores the browsing database in the file <code class="filename">browse.dat</code> in the <code class="literal">samba_dir</code><code class="filename">/var/locks</code> directory.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.2.1"></a>Signals</h4></div></div></div><p>Like <span class="emphasis"><em>smbd</em></span>, the <span class="emphasis"><em>nmbd</em></span> program responds to several Unix signals. Sending <span class="emphasis"><em>nmbd</em></span> a SIGHUP signal will cause it to dump the names it knows about to the file <code class="filename">namelist.debug</code> in the <code class="literal">samba_dir</code>/<span class="emphasis"><em>locks</em></span> directory and its browsing database to the <code class="filename">browse.dat </code>file in the same directory. To shut down a <span class="emphasis"><em>nmbd</em></span> process send it a SIGTERM (-15) signal instead of a SIGKILL (-9) to allow it to die gracefully. You can increment the debug logging level of <span class="emphasis"><em>nmbd</em></span> by sending it a SIGUSR1 signal; you can decrement it by sending a SIGUSR2 signal.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.2.2"></a>Command-line options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code></span></dt><dd><p>Instructs the <code class="filename">nmbd</code> program to run as a daemon. This is the recommended way to use <code class="filename">nmbd</code>. In addition, <code class="filename">nmbd</code> can also be run from <em class="firstterm">inetd</em>.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debuglevel</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0, all the way to 10. Specifying the value on the command line overrides the value specified in the <code class="filename">smb.conf</code> file. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging, and slow <span class="emphasis"><em>nmbd</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-h</code> </span></dt><dd><p>Prints command-line usage information for the <code class="filename">nmbd</code> program (also <code class="literal">-?</code>).</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.2.3"></a>Testing/debugging options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code></span></dt><dd><p>If this is specified, each new connection to the Samba server will append all logging messages to the log file. This option is the opposite of <code class="literal">-o</code>, and is the default.</p></dd><dt><span class="term"><code class="literal">-H</code> <em class="replaceable"><code>hosts_ file</code></em></span></dt><dd><p>This option loads a standard <span class="emphasis"><em>hosts</em></span> file for name resolution.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward<a class="indexterm" name="appd-idx-994134-0"></a> compatibility.<a class="indexterm" name="appd-idx-994135-0"></a></p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_file</code></em></span></dt><dd><p>Sends the log messages to somewhere other than the location compiled-in or specified in the <code class="filename">smb.conf</code> file. The default is often <code class="filename">/usr/local/samba/var/log.nmb</code>, <code class="filename">/usr/samba/var/log.nmb,</code> or <code class="filename">/var/log/log.nmb</code>. The first two are strongly discouraged on Linux, where <code class="filename">/usr</code> may be a read-only filesystem.</p></dd><dt><span class="term"><code class="literal">-n</code> <em class="replaceable"><code>NetBIOS_name</code></em></span></dt><dd><p>This option allows you to override the NetBIOS name by which the daemon will advertise itself. Specifying the option on the command line overrides the <code class="literal">netbios</code> <code class="literal">name</code> option in the Samba configuration file.</p></dd><dt><span class="term"><code class="literal">-O</code> <em class="replaceable"><code>socket_options</code></em></span></dt><dd><p>This sets the TCP/IP socket options, using the same parameters as the <code class="literal">socket</code> <code class="literal">options</code> configuration option. It is often used for performance tuning and testing.</p></dd><dt><span class="term"><code class="literal">-o</code></span></dt><dd><p>This option is the opposite of <code class="literal">-a</code>. It causes log files to be overwritten when opened. Using this option saves hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.</p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>port_number</code></em></span></dt><dd><p>This sets the UDP/IP port number from which the server will accept requests. Currently, all Microsoft clients send only to the default port: 137.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Although the file defaults to <code class="filename">/usr/local/samba/lib/smb.conf</code>, you can override it here on the command line, typically for debugging.</p></dd><dt><span class="term"><code class="literal">-v</code></span></dt><dd><p>This option prints the current version of Samba.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.3"></a>Samba Startup File </h3></div></div></div><p> +<a class="indexterm" name="appd-idx-993647-0"></a> +<a class="indexterm" name="appd-idx-993647-1"></a> +<a class="indexterm" name="appd-idx-993647-2"></a>Samba is normally started by running it from your Unix system's <code class="filename">rc</code> files at boot time. For systems with a System V-like set of <code class="filename">/etc/rcN.d</code> directories, this can be done by placing a suitably named script in the <code class="filename">/rc</code> directory. Usually, the script starting Samba is called <span class="emphasis"><em>S91samba</em></span>, while the script stopping or "killing" Samba is called <span class="emphasis"><em>K91samba.</em></span> On Linux, the usual subdirectory for the scripts is <code class="filename">/etc/rc2.d.</code> On Solaris, the directory is <code class="filename">/etc/rc3.d</code>. For machines with <code class="filename">/etc/rc.local</code> files, you would normally add the following lines to that file:</p><pre class="programlisting">/usr/local/samba/bin/smbd -D +/usr/local/samba/bin/nmbd -D</pre><p>The following example script supports two extra commands, <code class="literal">status</code> and <code class="literal">restart</code>, in addition to the normal <code class="literal">start</code> and <code class="literal">stop</code> for System V machines:</p><pre class="programlisting">#!/bin/sh +# +# /etc/rc2.d./S91Samba --manage the SMB server in a System V manner +# +OPTS="-D" +#DEBUG=-d3 +PS="ps ax" +SAMBA_DIR=/usr/local/samba +case "$1" in +'start') + echo "samba " + $SAMBA_DIR/bin/smbd $OPTS $DEBUG + $SAMBA_DIR/bin/nmbd $OPTS $DEBUG + ;; +'stop') + echo "Stopping samba" + $PS | awk '/usr.local.samba.bin/ { print $1}' |\ + xargs kill + ;; +'status') + x=`$PS | grep -v grep | grep '$SAMBA_DIR/bin'` + if [ ! "$x" ]; then + echo "No samba processes running" + else + echo " PID TT STAT TIME COMMAND" + echo "$x" + fi + ;; +'restart') + /etc/rc2.d/S91samba stop + /etc/rc2.d/S91samba start + /etc/rc2.d/S91samba status + ;; +*) + echo "$0: Usage error -- you must say $0 start, stop, status or restart ." + ;; +esac +exit</pre><p>You'll need to set the actual paths and <code class="literal">ps</code> options to suit the machine you're using. In addition, you might want to add additional commands to tell Samba to reload its <code class="filename">smb.conf</code> file or dump its <span class="emphasis"><em>nmbd</em></span> tables, depending on your actual needs.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.4"></a>smbsh</h3></div></div></div><p>The <span class="emphasis"><em>smbsh</em></span> +<a class="indexterm" name="appd-idx-993744-0"></a> program lets you use a remote Windows share on your Samba server as if the share was a regular Unix directory. When it's run, it provides an extra directory tree under <code class="filename">/smb</code>. Subdirectories of <code class="filename">/smb</code> are servers, and subdirectories of the servers are their individual disk and printer shares. Commands run by <span class="emphasis"><em>smbsh</em></span> treat the <code class="filename">/smb</code> filesystem as if it were local to Unix. This means that you don't need <span class="emphasis"><em>smbmount</em></span> in your kernel to mount Windows filesystems the way you mount with NFS filesystems. However, you do need to configure Samba with the <code class="literal">--with-smbwrappers</code> option to enable <code class="filename">smbsh</code>.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.4.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-d</code> debuglevel</span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0, the default, all the way to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging, and slow <span class="emphasis"><em>smbsh</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>logfile</code></em></span></dt><dd><p>Sets the name of the logfile to use.</p></dd><dt><span class="term"><code class="literal">-P</code> <em class="replaceable"><code>prefix</code></em></span></dt><dd><p>Sets the root directory to mount the SMB filesystem. The default is <code class="filename">/smb</code>.</p></dd><dt><span class="term"><code class="literal">-R</code> <em class="replaceable"><code>resolve order</code></em></span></dt><dd><p>Sets the resolve order of the name servers. This option is similar to the <code class="literal">resolve order</code> configuration option, and can take any of the four parameters, <code class="literal">lmhosts</code>, <code class="literal">host</code>, <code class="literal">wins</code>, and <code class="literal">bcast</code>, in any order.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>user</code></em></span></dt><dd><p>Supports <em class="replaceable"><code>user%password.</code></em></p></dd><dt><span class="term"><code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em></span></dt><dd><p>Sets the NetBIOS workgroup to which the client will connect.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.5"></a>smbclient</h3></div></div></div><p>The <span class="emphasis"><em>smbclient</em></span> +<a class="indexterm" name="appd-idx-993745-0"></a> +<a class="indexterm" name="appd-idx-993745-1"></a> program is the maid-of-all-work of the Samba suite. Initially intended as a testing tool, it has become a full command-line Unix client, with an FTP-like interactive client. Some of its options are still used for testing and tuning, and it makes a simple tool for ensuring that Samba is running on a server.</p><p>It's convenient to look at <span class="emphasis"><em>smbclient</em></span> as a suite of programs:</p><div class="itemizedlist"><ul type="disc"><li><p>FTP-like interactive file transfer program</p></li><li><p>Interactive printing program</p></li><li><p>Interactive tar program</p></li><li><p>Command-line message program</p></li><li><p>Command-line <span class="emphasis"><em>tar</em></span> program (but see <span class="emphasis"><em>smbtar</em></span> later)</p></li><li><p>"What services do you have" query program</p></li><li><p>Command-line debugging program</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.1"></a>General command-line options</h4></div></div></div><p>The program has the usual set of <span class="emphasis"><em>smbd</em></span>-like options, which apply to all the interactive and command-line use. The syntax is:</p><pre class="programlisting">smbclient //<em class="replaceable"><code>server_name</code></em>/<em class="replaceable"><code>share_name</code></em> [<em class="replaceable"><code>password</code></em>] [-<em class="replaceable"><code>options</code></em>]</pre><p>Here is an explanation of each of the command-line options:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debug_level</code></em></span></dt><dd><p>Sets the debug (logging) level, from 0 to 10, with <code class="literal">A</code> for all. Overrides the value in <code class="filename">smb.conf</code>. Debug level 0 logs only the most important messages; level 1 is normal; debug level 3 and above are for debugging, and slow <span class="emphasis"><em>smbclient</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints the command-line help information (usage) for smbclient.</p></dd><dt><span class="term"><code class="literal">-n</code> <em class="replaceable"><code>NetBIOS_name</code></em></span></dt><dd><p>Allows you to override the NetBIOS name by which the program will advertise itself.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.2"></a>Smbclient operations</h4></div></div></div><p>Running <code class="literal">smbclient</code> <code class="literal">//</code><em class="replaceable"><code>server_name</code></em><code class="literal">/</code><em class="replaceable"><code>share</code></em> will cause it to prompt you for a username and password. If the login is successful, it will connect to the share and give you a prompt much like an FTP prompt (the backslash in the prompt will be replaced by the current directory within the share as you move around the filesystem):</p><pre class="programlisting">smb:\></pre><p> +<a class="indexterm" name="appd-idx-994034-0"></a>From this command line, you can use several FTP-like commands, as listed in <a href="#appd-89417" title="Table D.1. smbclient Commands">Table 4.1</a>. Arguments in square brackets are optional.</p><div class="table"><a name="appd-89417"></a><p class="title"><b>Table D.1. smbclient Commands </b></p><div class="table-contents"><table summary="smbclient Commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">?</code> <em class="replaceable"><code>command</code></em></p></td><td><p>Provides list of commands or help on specified command.</p></td></tr><tr><td><p><code class="literal">help</code> [<em class="replaceable"><code>command</code></em>]</p></td><td><p>Provides list of commands or help on specified command.</p></td></tr><tr><td><p><code class="literal">!</code> [<em class="replaceable"><code>command</code></em>]</p></td><td><p>If a command is specified, it will be run in a local shell. If not, you will be placed into a local shell on the client.</p></td></tr><tr><td><p><code class="literal">dir</code> [<em class="replaceable"><code>filename</code></em>]</p></td><td><p>Displays any files matching <em class="replaceable"><code>filename</code></em> in the current directory on the server, or all files if <em class="replaceable"><code>filename</code></em> is omitted.</p></td></tr><tr><td><p><code class="literal">ls</code> [<em class="replaceable"><code>filename</code></em>]</p></td><td><p>Displays any files matching <em class="replaceable"><code>filename</code></em> in the current directory on the server, or all files if <em class="replaceable"><code>filename</code></em> is omitted.</p></td></tr><tr><td><p><code class="literal">cd</code> [<em class="replaceable"><code>directory</code></em>]</p></td><td><p>If <em class="replaceable"><code>directory</code></em> is specified, changes to the specified directory on the remote server. If not, reports the current directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">lcd</code> [<em class="replaceable"><code>director</code></em><code class="literal">y</code>]</p></td><td><p>If <em class="replaceable"><code>directory</code></em> is specified, the current directory on the local machine will be changed. If not, the name of the current directory on the local machine will be reported.</p></td></tr><tr><td><p><code class="literal">get</code> <span class="emphasis"><em>remotefile</em></span> [<em class="replaceable"><code>localfile</code></em>]</p></td><td><p>Copies the file <em class="replaceable"><code>remotefile</code></em> to the local machine. If a <em class="replaceable"><code>localfile</code></em> is specified, uses that name to copy the file to. Treats the file as binary; does <span class="emphasis"><em>not</em></span> do LF to CR/LF conversions.</p></td></tr><tr><td><p><code class="literal">put</code> <span class="emphasis"><em>localfile</em></span> [<em class="replaceable"><code>remotefile</code></em>]</p></td><td><p>Copies <em class="replaceable"><code>localfile</code></em> to the remote machine. If a <em class="replaceable"><code>remotefile</code></em> is specified, uses that as the name to copy to on the remote server. Treats the file as binary; does <span class="emphasis"><em>not</em></span> do LF to CR/LF conversions.</p></td></tr><tr><td><p><code class="literal">mget</code> <em class="replaceable"><code>pattern</code></em></p></td><td><p>Gets all files matching <em class="replaceable"><code>pattern</code></em> from the remote machine.</p></td></tr><tr><td><p><code class="literal">mput</code><em class="replaceable"><code> pattern</code></em></p></td><td><p>Places all local files matching <em class="replaceable"><code>pattern</code></em> on the remote machine.</p></td></tr><tr><td><p><code class="literal">prompt</code></p></td><td><p>Toggles interactive prompting on and off for <code class="literal">mget</code> and <code class="literal">mput</code>.</p></td></tr><tr><td><p><code class="literal">lowercase ON </code>(or<code class="literal"> OFF </code>)</p></td><td><p>If lowercase is on, <span class="emphasis"><em>smbclient</em></span> will convert filenames to lowercase during an <code class="literal">mget</code> or <code class="literal">get</code> (but not a <code class="literal">mput</code> or <code class="literal">put</code>).</p></td></tr><tr><td><p><code class="literal">del</code> <em class="replaceable"><code>filename</code></em></p></td><td><p>Delete a file on the remote machine.</p></td></tr><tr><td><p><code class="literal">md</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Create a directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">mkdir</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Create a directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">rd</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Remove the specified directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">rmdir</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Remove the specified directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">setmode</code> <em class="replaceable"><code>filename</code></em> <code class="literal">[+|-]rsha</code></p></td><td><p>Set DOS filesystem attribute bits, using Unix-like modes. <code class="literal">r</code> is read-only, <code class="literal">s</code> is system, <code class="literal">h</code> is hidden, and <code class="literal">a</code> is archive.</p></td></tr><tr><td><p><code class="literal">exit</code></p></td><td><p>Exits <span class="emphasis"><em>smbclient</em></span>.</p></td></tr><tr><td><p><code class="literal">quit</code></p></td><td><p>Exits <span class="emphasis"><em>smbclient</em></span>.</p></td></tr></tbody></table></div></div><br class="table-break"><p>There are also mask and recursive commands for large copies; see the <code class="filename">smbclient</code> manual page for details on how to use these. With the exception of mask, recursive, and the lack of an ASCII transfer mode, <span class="emphasis"><em>smbclient</em></span> works exactly the same as FTP. Note that because it does binary transfers, Windows files copied to Unix will have lines ending in carriage-return and linefeed (<code class="literal">\r\n</code>), not Unix's linefeed (<code class="literal">\n</code>).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.3"></a>Printing commands</h4></div></div></div><p>The <span class="emphasis"><em>smbclient</em></span> program can also be used for access to a printer by connecting to a print share. Once connected, the commands shown in <a href="#appd-39300" title="Table D.2. smbclient Printing Commands">Table 4.2</a> can be used to print.</p><div class="table"><a name="appd-39300"></a><p class="title"><b>Table D.2. smbclient Printing Commands </b></p><div class="table-contents"><table summary="smbclient Printing Commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">print</code><em class="replaceable"><code> filename</code></em></p></td><td><p>Prints the file by copying it from the local machine to the remote one and then submitting it as a print job there.</p></td></tr><tr><td><p><code class="literal">printmode</code> <em class="replaceable"><code>text </code></em>|<em class="replaceable"><code> graphics</code></em></p></td><td><p>Instructs the server that the following files will be plain text (ASCII) or the binary graphics format that the printer requires. It's up to the user to ensure that the file is indeed the right kind.</p></td></tr><tr><td><p><code class="literal">queue</code></p></td><td><p>Displays the queue for the print share you're connected to, showing job ID, name, size, and status.</p></td></tr></tbody></table></div></div><br class="table-break"><p>Finally, to print from the <span class="emphasis"><em>smbclient</em></span>, use the <code class="literal">-c</code> option:</p><pre class="programlisting">cat <em class="replaceable"><code>printfile</code></em> | smbclient //<em class="replaceable"><code>server</code></em>/<em class="replaceable"><code>printer_name</code></em> -c "print -"</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.4"></a>Tar commands</h4></div></div></div><p><span class="emphasis"><em>smbclient</em></span> can tar up files from a file share. This is normally done from the command line using the <span class="emphasis"><em>smbtar</em></span> command, but the commands shown in <a href="#appd-54517" title="Table D.3. smbclient Printing Commands">Table 4.3</a> are also available interactively.</p><div class="table"><a name="appd-54517"></a><p class="title"><b>Table D.3. smbclient Printing Commands </b></p><div class="table-contents"><table summary="smbclient Printing Commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">tar c|x[IXbgNa]</code> <em class="replaceable"><code>operands</code></em></p></td><td><p>Performs a creation or extraction <span class="emphasis"><em>tar</em></span> similar to the command-line program.</p></td></tr><tr><td><p><code class="literal">blocksize</code> <em class="replaceable"><code>size</code></em></p></td><td><p>Sets the block size to be used by <span class="emphasis"><em>tar</em></span>, in 512-byte blocks.</p></td></tr><tr><td><p><code class="literal">noreset</code></p></td><td><p>Makes <span class="emphasis"><em>tar</em></span> pay attention to DOS archive bit for all following commands. In <code class="literal">full</code> mode (the default), <span class="emphasis"><em>tar</em></span> will back up everything. In <code class="literal">inc</code> (incremental) mode, <span class="emphasis"><em>tar</em></span> will back up only those files with the archive bit set. In <code class="literal">reset</code> mode, <span class="emphasis"><em>tar</em></span> will reset the archive bit on all files it backs up. (this requires the share to be writable), and in <code class="literal">noreset</code> mode the archive bit will not be reset even after the file has been backed up.</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.5"></a>Command-line message program options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-M</code> <em class="replaceable"><code>NetBIOS_machine_name</code></em></span></dt><dd><p>This option allows you to send immediate messages using the WinPopup protocol to another computer. Once a connection is established, you can type your message, pressing control-D to end. If WinPopup is not running on the receiving machine, the program returns an error.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>user</code></em> </span></dt><dd><p>This<em class="replaceable"><code> </code></em>option allows you to indirectly control the FROM part of the message.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.6"></a>Command-line tar program options</h4></div></div></div><p>The <code class="literal">-T</code> (tar), <code class="literal">-D</code> (starting directory), and <code class="literal">-c</code> (command) options are used together to tar up files interactively. This is better done with <code class="filename">smbtar</code>, which will be discussed shortly. We don't recommend using <span class="emphasis"><em>smbclient</em></span> directly as a <span class="emphasis"><em>tar</em></span> program.</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code> <em class="replaceable"><code>initial_directory</code></em></span></dt><dd><p>Changes to initial directory before starting.</p></dd><dt><span class="term"><code class="literal">-c</code> <em class="replaceable"><code>command_string</code></em> </span></dt><dd><p>Passes a command string to the <span class="emphasis"><em>smbclient</em></span> command interpreter, which treats it as a semicolon-separated list of commands to be executed. This is handy to say things such as <code class="literal">tarmode</code> <code class="literal">inc</code>, for example, which forces <code class="literal">smbclient</code> <code class="literal">-T</code> to back up only files with the archive bit set.</p></dd><dt><span class="term"><code class="literal">-T</code> <em class="replaceable"><code>command filename</code></em></span></dt><dd><p>Runs the <span class="emphasis"><em>tar</em></span> driver, which is <span class="emphasis"><em>gtar</em></span> compatible. The two main commands are: <code class="literal">c</code> (create) and <code class="literal">x</code> (extract), which may be followed by any of:</p></dd><dt><span class="term"><code class="literal">a</code></span></dt><dd><p>Resets archive bits once files are saved.</p></dd><dt><span class="term"><code class="literal">b</code> <em class="replaceable"><code>size</code></em></span></dt><dd><p>Sets blocksize in 512-byte units.</p></dd><dt><span class="term"><code class="literal">g</code></span></dt><dd><p>Backs up only files with the archive bit set.</p></dd><dt><span class="term"><code class="literal">I</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Includes files and directories (this is the default). Does not do pattern-matching.</p></dd><dt><span class="term"><code class="literal">N</code> <em class="replaceable"><code>filename</code></em></span></dt><dd><p>Backs up only those files newer than <em class="replaceable"><code>filename.</code></em></p></dd><dt><span class="term"><code class="literal">q</code></span></dt><dd><p>Does not produce diagnostics.</p></dd><dt><span class="term"><code class="literal">X</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Excludes files.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.7"></a>Command-line query program</h4></div></div></div><p>If <code class="filename">smbclient</code> is run as:</p><pre class="programlisting">smbclient -L <em class="replaceable"><code>server_name</code></em></pre><p>it will list the shares and other services that machine provides. This is handy if you don't have <code class="filename">smbwrappers</code>. It can also be helpful as a testing program in its own right.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.8"></a>Command-line debugging /diagnostic program options</h4></div></div></div><p>Any of the various modes of operation of <span class="emphasis"><em>smbclient</em></span> can be used with the debugging and testing command-line options:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-B</code> <em class="replaceable"><code>IP_addr</code></em></span></dt><dd><p>Sets the broadcast address.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debug_level</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. In addition, you can specify <code class="literal">A</code> for all debugging options. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow operations considerably.</p></dd><dt><span class="term"><code class="literal">-E</code></span></dt><dd><p>Sends all messages to stderr instead of stdout.</p></dd><dt><span class="term"><code class="literal">-I</code> <em class="replaceable"><code>IP_address</code></em> </span></dt><dd><p>Sets the IP address of the server to which it connects.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward compatibility.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_file</code></em></span></dt><dd><p>Sends the log messages to the specified file.</p></dd><dt><span class="term"><code class="literal">-N</code></span></dt><dd><p>Suppresses the password prompt. Unless a password is specified on the command line or this parameter is specified, the client will prompt for a password.</p></dd><dt><span class="term"><code class="literal">-n</code> <em class="replaceable"><code>NetBIOS_name</code></em></span></dt><dd><p>This option allows you to override the NetBIOS name by which the daemon will advertise itself.</p></dd></dl></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-O</code> <em class="replaceable"><code>socket_options</code></em></span></dt><dd><p>Sets the TCP/IP socket options using the same parameters as the <code class="literal">socket</code> <code class="literal">options</code> configuration option. It is often used for performance tuning and testing.</p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>port_number</code></em></span></dt><dd><p>Sets the port number from which the client will accept requests.</p></dd><dt><span class="term"><code class="literal">-R</code> <em class="replaceable"><code>resolve_order</code></em></span></dt><dd><p>Sets the resolve order of the name servers. This option is similar to the <code class="literal">resolve</code> <code class="literal">order</code> configuration option, and can take any of the four parameters, <code class="literal">lmhosts</code>, <code class="literal">host</code>, <code class="literal">wins</code>, and <code class="literal">bcast</code>, in any order .</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Used for debugging.</p></dd><dt><span class="term"><code class="literal">-t</code> <em class="replaceable"><code>terminal_code</code></em></span></dt><dd><p>Sets the terminal code for Asian languages.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Sets the username and optionally password (e.g., <code class="literal">-U</code> <code class="literal">fred%secret</code>).</p></dd><dt><span class="term"><code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em></span></dt><dd><p>Specifies the workgroup that you want the client to connect as.</p></dd></dl></div><p>If you want to test a particular name service, run <span class="emphasis"><em>smbclient</em></span> with <code class="literal">-R</code> and just the name of the service. This will force <span class="emphasis"><em>smbclient</em></span> to use only the service you gave.<span class="emphasis"><em></em></span> +<a class="indexterm" name="appd-idx-993802-0"></a> +<a class="indexterm" name="appd-idx-993802-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.6"></a>smbstatus</h3></div></div></div><p>The <code class="filename">smbstatus</code> +<a class="indexterm" name="appd-idx-993754-0"></a> +<a class="indexterm" name="appd-idx-993754-1"></a> program lists the current connections on a Samba server. There are three separate sections. The first section lists various shares that are in use by specific users. The second section lists the locked files that Samba currently has on all of its shares. Finally, the third section lists the amount of memory usage for each of the shares. For example:</p><pre class="programlisting"># <span class="bold"><strong>smbstatus</strong></span> +Samba version 2.0.3 +Service uid gid pid machine +---------------------------------------------- +network davecb davecb 7470 phoenix (192.168.220.101) Sun May 16 +network davecb davecb 7589 chimaera (192.168.220.102) Sun May 16 + +Locked files: +Pid DenyMode R/W Oplock Name +-------------------------------------------------- +7589 DENY_NONE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/inet/common/system/help.bmp +Sun May 16 21:23:40 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/word/office/findfast.exe +Sun May 16 20:51:08 1999 +7589 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/lfbmp70n.dll +Sun May 16 21:23:39 1999 +7589 DENY_WRITE RDWR EXCLUSIVE+BATCH /home/samba/quicken/inet/qdata/runtime.dat +Sun May 16 21:23:41 1999 +7470 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/word/office/osa.exe +Sun May 16 20:51:09 1999 +7589 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll +Sun May 16 21:20:33 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll +Sun May 16 20:51:11 1999 + +Share mode memory usage (bytes): + 1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total</pre><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.6.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-b</code></span></dt><dd><p>Forces <code class="filename">smbstatus</code> to produce brief output. This includes the version of Samba and auditing information about the users that have logged into the server.</p></dd><dt><span class="term"><code class="literal">-d</code></span></dt><dd><p>Gives verbose output, including each of the three reporting sections listed in the previous example. This is the default.</p></dd><dt><span class="term"><code class="literal">-L</code></span></dt><dd><p>Forces <code class="filename">smbstatus</code> to print only the current file locks it has. This corresponds to the second section in a verbose output.</p></dd><dt><span class="term"><code class="literal">-p</code></span></dt><dd><p>Prints a list of <code class="filename">smbd</code> process IDs only. This is often used for scripts.</p></dd><dt><span class="term"><code class="literal">-S</code></span></dt><dd><p>Prints only a list of shares and their connections. This corresponds to the first section in a verbose output.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Sets the Samba configuration file to use when processing this command.</p></dd><dt><span class="term"><code class="literal">-u</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Limits the <code class="filename">smbstatus</code> report to the activity of a single user.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.7"></a>smbtar</h3></div></div></div><p>The <span class="emphasis"><em>smbtar</em></span> +<a class="indexterm" name="appd-idx-993755-0"></a> +<a class="indexterm" name="appd-idx-993755-1"></a> program is a shell script on top of <span class="emphasis"><em>smbclient</em></span> that gives the program more intelligible options when doing tar operations. Functionally, it is equivalent to the Unix <span class="emphasis"><em>tar</em></span> program.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.7.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code></span></dt><dd><p>Resets the archive bit mode</p></dd><dt><span class="term"><code class="literal">-b</code> <em class="replaceable"><code>blocksize</code></em></span></dt><dd><p>Blocking size. Defaults to 20.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>directory</code></em></span></dt><dd><p>Changes to initial directory before restoring or backing up files.</p></dd><dt><span class="term"><code class="literal">-i</code></span></dt><dd><p>Incremental mode; tar files are backed up only if they have the DOS archive bit set. The archive bit is reset after each file is read.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_level</code></em></span></dt><dd><p> Sets the logging level.</p></dd><dt><span class="term"><code class="literal">-N</code> <em class="replaceable"><code>filename</code></em></span></dt><dd><p>Backs up only the files newer than the last modification date of <em class="replaceable"><code>filename</code></em>. For incremental backups.</p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>password</code></em></span></dt><dd><p>Specifies the password to use to access a share.</p></dd><dt><span class="term"><code class="literal">-r</code></span></dt><dd><p>Restores files to the share from the tar file.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>server</code></em></span></dt><dd><p>Specifies the SMB/CIFS server in which the share resides.</p></dd><dt><span class="term"><code class="literal">-t</code> <em class="replaceable"><code>tape</code></em></span></dt><dd><p>Tape device or file. Default is the value of the environment variable <code class="literal">$TAPE</code>, or <span class="emphasis"><em>tar.out</em></span> if <code class="literal">$TAPE</code> isn't set.</p></dd><dt><span class="term"><code class="literal">-u</code> <em class="replaceable"><code>user</code></em></span></dt><dd><p>Specifies the user to connect to the share as. You can specify the password as well, in the format <em class="replaceable"><code>username</code></em><code class="literal">%</code><em class="replaceable"><code>password</code></em>.</p></dd><dt><span class="term"><code class="literal">-v</code></span></dt><dd><p>Specifies the use of verbose mode.</p></dd><dt><span class="term"><code class="literal">-X</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Tells <em class="firstterm">smbtar</em> to exclude the specified file from the <span class="emphasis"><em>tar</em></span> create or restore.</p></dd><dt><span class="term"><code class="literal">-x</code> <em class="replaceable"><code>share</code></em></span></dt><dd><p>States the share name on the server to connect to. The default is <code class="literal">backup</code>, which is a common share name to perform backups with.</p></dd></dl></div><p>For example, a trivial backup command to archive the data for user <code class="literal">sue</code> is:</p><pre class="programlisting"># <span class="bold"><strong>smbtar -s pc_name -x sue -u sue -p secret -t sue.tar</strong></span></pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.8"></a>nmblookup</h3></div></div></div><p>The <code class="filename">nmblookup</code> +<a class="indexterm" name="appd-idx-993756-0"></a> +<a class="indexterm" name="appd-idx-993756-1"></a> program is a client program that exercises the NetBIOS-over-UDP/IP name service for resolving NBT machine names into IP addresses. The command works by broadcasting its queries on the local subnet until a machine with that name responds. You can think of it as a Windows <span class="emphasis"><em>nslookup(1)</em></span> or <span class="emphasis"><em>dig(1)</em></span>. This is useful for looking up both normal NetBIOS names, and the odd ones like <code class="literal">_ _MSBROWSE_ _</code> that the Windows name services use to provide directory-like services. If you wish to query for a particular type of NetBIOS name, add the NetBIOS <code class="literal"><type></code> to the end of the name.</p><p>The command line is:</p><pre class="programlisting">nmblookup [-options] <em class="replaceable"><code>name</code></em></pre><p>The options supported are:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-A</code></span></dt><dd><p>Interprets <em class="replaceable"><code>name</code></em> as an IP address and do a node-status query on this address.</p></dd><dt><span class="term"><code class="literal">-B</code> <em class="replaceable"><code>broadcast _address</code></em></span></dt><dd><p>Sends the query to the given broadcast address. The default is to send the query to the broadcast address of the primary network interface.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debuglevel</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow the program considerably.</p></dd><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints command-line usage information for the program.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>Sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward compatibility.</p></dd><dt><span class="term"><code class="literal">-M</code></span></dt><dd><p>Searches for a local master browser. This is done with a broadcast searching for a machine that will respond to the special name <code class="literal">_ _MSBROWSE_ _ </code>, and then asking that machine for information, instead of broadcasting the query itself.</p></dd><dt><span class="term"><code class="literal">-R</code></span></dt><dd><p>Sets the recursion desired bit in the packet. This will cause the machine that responds to try to do a WINS lookup and return the address and any other information the WINS server has saved.</p></dd><dt><span class="term"><code class="literal">-r</code></span></dt><dd><p>Use the root port of 137 for Windows 95 machines.</p></dd><dt><span class="term"><code class="literal">-S</code></span></dt><dd><p>Once the name query has returned an IP address, does a node status query as well. This returns all the resource types that the machine knows about, with their numeric attributes. For example:</p></dd></dl></div><pre class="programlisting">% <span class="bold"><strong>nmblookup -d 4 -S elsbeth</strong></span> +received 6 names + ELSBETH <00> - <GROUP> B <ACTIVE> + ELSBETH <03> - B <ACTIVE> + ELSBETH <1d> - B <ACTIVE> + ELSBETH <1e> - <GROUP> B <ACTIVE> + ELSBETH <20> - B <ACTIVE> + .._ _MSBROWSE_ _.. <01> - <GROUP> B <ACTIVE></pre><div class="variablelist"><dl><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Although the file defaults to <code class="filename">/usr/local/samba/lib/smb.conf</code>, you can override it here on the command-line, normally for debugging.</p></dd><dt><span class="term"><code class="literal">-T</code></span></dt><dd><p>This option can be used to translate IP addresses into resolved names.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>unicast_address</code></em></span></dt><dd><p>Performs a unicast query to the specified address. Used with <code class="literal">-R</code> to query WINS servers.</p></dd></dl></div><p>Note that there is no workgroup option for <span class="emphasis"><em>nmblookup</em></span> ; you can get around this by putting <code class="literal">workgroup</code> <code class="literal">=</code> <em class="replaceable"><code>workgroup_name </code></em>in a file and passing it to <span class="emphasis"><em>nmblookup</em></span> with the <code class="literal">-s</code> <em class="replaceable"><code>smb.conf_file</code></em> option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.9"></a>smbpasswd</h3></div></div></div><p>The <span class="emphasis"><em>smbpasswd</em></span> +<a class="indexterm" name="appd-idx-993757-0"></a> +<a class="indexterm" name="appd-idx-993757-1"></a> password has two distinct sets of functions. When run by users, it changes their encrypted passwords. When run by <code class="literal">root</code>, it updates the encrypted password file. When run by an ordinary user with no options, it connects to the primary domain controller and changes his or her Windows password.</p><p>The program will fail if <span class="emphasis"><em>smbd</em></span> is not operating, if the <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> configuration options will not permit connections from localhost (IP address 127.0.0.1), or the <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">no</code> option is set.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.9.1"></a>Regular user options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code> <em class="replaceable"><code>debug_level</code></em></span></dt><dd><p>Sets the debug (also called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow the program considerably.</p></dd><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints command-line usage information for the program.</p></dd><dt><span class="term"><code class="literal">-r</code> <em class="replaceable"><code>remote_machine_name</code></em></span></dt><dd><p>Specifies on which machine the password should change. The remote machine must be a primary domain controller (PDC).</p></dd><dt><span class="term"><code class="literal">-R</code> <em class="replaceable"><code>resolve_order</code></em></span></dt><dd><p>Sets the resolve order of the name servers. This option is similar to the <code class="literal">resolve</code> <code class="literal">order</code> configuration option, and can take any of the four parameters, <code class="literal">lmhosts</code>, <code class="literal">host</code>, <code class="literal">wins</code>, and <code class="literal">bcast</code>,<code class="literal"> </code>in any order.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Used only with <code class="literal">-r</code>, to modify a username that is spelled differently on the remote machine.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.9.2"></a>Root-only options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Adds a user to the encrypted password file.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Disables a user in the encrypted password file.</p></dd><dt><span class="term"><code class="literal">-e</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Enables a disabled user in the encrypted password file.</p></dd><dt><span class="term"><code class="literal">-m</code> <em class="replaceable"><code>machine_name</code></em></span></dt><dd><p>Changes a machine account's password. The machine accounts are used to authenticate machines when they connect to a primary or backup domain controller.</p></dd><dt><span class="term"><code class="literal">-j</code> <em class="replaceable"><code>domain_name</code></em></span></dt><dd><p>Adds a Samba server to a Windows NT Domain.</p></dd><dt><span class="term"><code class="literal">-n</code></span></dt><dd><p>Sets no password for the user.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Causes <span class="emphasis"><em>smbpasswd</em></span> to be silent and to read its old and new passwords from standard input, rather than from <code class="filename">/dev/tty</code>. This is useful for writing scripts.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.10"></a>testparm</h3></div></div></div><p>The <span class="emphasis"><em>testparm</em></span> +<a class="indexterm" name="appd-idx-993999-0"></a> +<a class="indexterm" name="appd-idx-993999-1"></a> program checks an <code class="filename">smb.conf</code> file for obvious errors and self-consistency. Its command line is:</p><pre class="programlisting">testparm [options] <em class="replaceable"><code>configfile_name [hostname IP_addr]</code></em></pre><p>If the configuration file is not specified, the file at <em class="replaceable"><code>samba_dir</code></em><code class="filename">/lib/smb.conf</code> is checked by default. If you specify a hostname and an IP address, an extra check will be made to ensure that the specified machine would be allowed to connect to Samba. If a hostname is specified, an IP address should be present as well.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.10.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints command-line information for the program.</p></dd><dt><span class="term"><code class="literal">-L</code> server_name</span></dt><dd><p>Resets the <code class="literal">%L</code> configuration variable to the specified server name.</p></dd><dt><span class="term"><code class="literal">-s</code></span></dt><dd><p>This option prevents the <span class="emphasis"><em>testparm</em></span> program from prompting the user to press the Enter key before printing a list of the configuration options for the server.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.11"></a>testprns</h3></div></div></div><p>The<a class="indexterm" name="appd-idx-993761-0"></a> +<a class="indexterm" name="appd-idx-993761-1"></a> <span class="emphasis"><em>testprns</em></span> program checks a specified printer name against the system printer capabilities (<code class="filename">printcap</code>) file. Its command line is:</p><pre class="programlisting">testprns <em class="replaceable"><code>printername</code></em> [<em class="replaceable"><code>printcapname</code></em>]</pre><p>If the <code class="literal">printcapname</code> isn't specified, Samba attempts to use one located in the <code class="filename">smb.conf</code> file. If one isn't specified there, Samba will try <code class="filename">/etc/printcap</code>. If that fails, the program will generate an error.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.12"></a>rpcclient</h3></div></div></div><p>This is a new client that exercises the <a class="indexterm" name="appd-idx-993762-0"></a> +<a class="indexterm" name="appd-idx-993762-1"></a>RPC (remote procedure call) interfaces of an SMB server. Like <span class="emphasis"><em>smbclient</em></span>, <span class="emphasis"><em>rpcclient</em></span> +<a class="indexterm" name="appd-idx-993763-0"></a> started its life as a test program for the Samba developers and will likely stay that way for a while. Its command line is:</p><pre class="programlisting">rpcclient //<em class="replaceable"><code>server</code></em>/<em class="replaceable"><code>share</code></em></pre><p>The command-line options are the same as the Samba 2.0 <span class="emphasis"><em>smbclient</em></span>, and the operations you can try are listed in <a href="#appd-65243" title="Table D.4. rpcclient commands">Table 4.4</a>.</p><div class="table"><a name="appd-65243"></a><p class="title"><b>Table D.4. rpcclient commands </b></p><div class="table-contents"><table summary="rpcclient commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">regenum keyname</code></p></td><td><p>Registry Enumeration (keys, values)</p></td></tr><tr><td><p><code class="literal">regdeletekey keyname </code></p></td><td><p>Registry Key Delete</p></td></tr><tr><td><p><code class="literal">regcreatekey keyname [keyvalue]</code></p></td><td><p>Registry Key Create</p></td></tr><tr><td><p><code class="literal">regquerykey keyname</code></p></td><td><p>Registry Key Query</p></td></tr><tr><td><p><code class="literal">regdeleteval valname</code></p></td><td><p>Registry Value Delete</p></td></tr><tr><td><p><code class="literal">regcreateval valname valtype value</code></p></td><td><p>Registry Key Create</p></td></tr><tr><td><p><code class="literal">reggetsec keyname</code></p></td><td><p>Registry Key Security</p></td></tr><tr><td><p><code class="literal">regtestsec keyname</code></p></td><td><p>Test Registry Key Security</p></td></tr><tr><td><p><code class="literal">ntlogin [username] [password]</code></p></td><td><p>NT Domain Login Test</p></td></tr><tr><td><p><code class="literal">wksinfo</code></p></td><td><p>Workstation Query Info</p></td></tr><tr><td><p><code class="literal">srvinfo</code></p></td><td><p>Server Query Info</p></td></tr><tr><td><p><code class="literal">srvsessions</code></p></td><td><p>List Sessions on a Server</p></td></tr><tr><td><p><code class="literal">srvshares</code></p></td><td><p>List shares on a server</p></td></tr><tr><td><p><code class="literal">srvconnections</code></p></td><td><p>List connections on a server</p></td></tr><tr><td><p><code class="literal">srvfiles</code></p></td><td><p>List files on a server</p></td></tr><tr><td><p><code class="literal">lsaquery</code></p></td><td><p>Query Info Policy (domain member or server)</p></td></tr><tr><td><p><code class="literal">lookupsids</code></p></td><td><p>Resolve names from SIDs</p></td></tr><tr><td><p><code class="literal">ntpass</code></p></td><td><p>NT SAM Password Change</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.13"></a>tcpdump</h3></div></div></div><p>The <span class="emphasis"><em>tcpdump</em></span> +<a class="indexterm" name="appd-idx-993765-0"></a> +<a class="indexterm" name="appd-idx-993765-1"></a> utility, a classic system administration tool, dumps all the packet headers it sees on an interface that match an expression. The version included in the Samba distribution is enhanced to understand the SMB protocol. The <span class="emphasis"><em>expression</em></span> is a logical expression with "and," "or," and "not," although sometimes it's very simple. For example, <code class="literal">host</code> <code class="literal">escrime</code> would select every packet going to or from <code class="literal">escrime</code>. The expression is normally one or more of:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">host</code> <em class="replaceable"><code>name</code></em></p></li><li><p><code class="literal">ne</code>t <em class="replaceable"><code>network_number</code></em></p></li><li><p><code class="literal">port</code> <em class="replaceable"><code>number</code></em></p></li><li><p><code class="literal">src</code> <em class="replaceable"><code>name </code></em></p></li><li><p><code class="literal">dst</code> <em class="replaceable"><code>name</code></em></p></li></ul></div><p>The most common options are <code class="literal">src</code> (source), <code class="literal">dst</code> (destination), and <code class="literal">port</code>. For example, in the book we used the command:</p><pre class="programlisting">tcpdump port not telnet</pre><p>This dumps all the packets except telnet; we were logged-in via telnet and wanted to see only the SMB packets.</p><p>Another <span class="emphasis"><em>tcpdump</em></span> example is selecting traffic between server and either <code class="literal">sue</code> or <code class="literal">joe</code>:</p><pre class="programlisting">tcpdump host server and \( sue or joe \)</pre><p>We recommend using the <code class="literal">-s</code> <code class="literal">1500</code> option so that you capture all of the SMB messages sent, instead of just the header information.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.13.1"></a>Options</h4></div></div></div><p>There are many options, and many other kinds of expressions that can be used with <span class="emphasis"><em>tcpdump</em></span>. See the manual page for details on the advanced options. The most common options are as follows:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-c</code> <em class="replaceable"><code>count</code></em></span></dt><dd><p>Forces the program to exit after receiving the specified number of packets.</p></dd><dt><span class="term"><code class="literal">-F</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Reads the expression from the specified file and ignores expressions on the command line.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>interface</code></em></span></dt><dd><p>Forces the program to listen on the specified interface.</p></dd><dt><span class="term"><code class="literal">-r</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Reads packets from the specified file (captured with <code class="literal">-w</code>).</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>length</code></em></span></dt><dd><p>Saves the specified number of bytes of data from each packet (rather than 68 bytes).</p></dd><dt><span class="term"><code class="literal">-w</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Writes the packets to the specified file.<a class="indexterm" name="appd-idx-993743-0"></a></p></dd></dl></div></div></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-E"></a>Appendix E. Downloading Samba with CVS</h2></div></div></div><p> +<a class="indexterm" name="appe-idx-992918-0"></a> +<a class="indexterm" name="appe-idx-992918-1"></a>This appendix contains information on how to download the latest source version of Samba using the C<a class="indexterm" name="appe-idx-992919-0"></a> +<a class="indexterm" name="appe-idx-992919-1"></a>oncurrent Versions System (CVS). CVS is a freely available configuration management tool available from <a class="indexterm" name="appe-idx-992920-0"></a>Cyclic Software and is distributed under the<a class="indexterm" name="appe-idx-992921-0"></a> GNU General Public License. You can download the latest copy from <code class="systemitem">http://www.cyclic.com/</code>.<a class="indexterm" name="appe-idx-992922-0"></a></p><p>CVS works on top of the GNU <a class="indexterm" name="appe-idx-992923-0"></a> +<a class="indexterm" name="appe-idx-992923-1"></a>Revision Control System (RCS). Many Unix +systems come preinstalled with RCS. However, if you want to download +the latest version of RCS, you can find it at <a class="indexterm" name="appe-idx-992936-0"></a><code class="systemitem">http://ftp.gnu.org/gnu/rcs/</code>.</p><p>One of the nicest things about CVS is its ability to handle remote logins. This means that people across the globe on the Internet can download and update various source files for any project that uses a CVS repository. Such is the case with Samba. Once you have RCS and CVS installed on your system, you must first log in to the Samba source server with the following command:</p><pre class="programlisting">cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login</pre><p>This tells CVS to connect to the CVS server at <code class="filename">cvs.samba.org</code>. Once you are connected, you can download the latest source tree with the following command:</p><pre class="programlisting">cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba</pre><p>This will download the entire Samba distribution (file by file) into a directory entitled <code class="filename">/samba</code>, which it will create on your hard drive. This directory will have the same structure as the Samba source distribution described in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>. It includes source and header files, documentation, and sample configuration files to help get you started. After that is completed, you can follow the instructions in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> to configure and compile Samba on your server.</p></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-F"></a>Appendix F. Sample Configuration File</h2></div></div></div><p> +<a class="indexterm" name="appf-idx-993481-0"></a>This appendix gives an example of a production <code class="filename">smb.conf</code> file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:</p><pre class="programlisting"># smb.conf -- File Server System for: 1 Example.COM BSC & Management Office +[globals] + workgroup = 1EG_BSC + interfaces = 10.10.1.14/24</pre><p>We provide this service on only one of the machine's interfaces. The <code class="literal">interfaces</code> option sets its address and netmask, where <code class="literal">/24</code> is the same as using the netmask 255.255.255.0:</p><pre class="programlisting">comment = Samba ver. %v + preexec = csh -c `echo /usr/samba/bin/smbclient \ + -M %m -I %I` &</pre><p>We use the <span><strong class="command">preexec</strong></span> command to log information about all connections by machine name (<code class="literal">%m</code>) and IP address (<code class="literal">%I)</code>:</p><pre class="programlisting"># smbstatus will output various info on current status + status = yes + browseable = yes + printing = bsd + + # the username that will be used for access to services + # specified with 'guest = ok' + guest account = samba</pre><p>The default guest account was <code class="literal">nobody</code>, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:</p><pre class="programlisting"># superuser account - admin privilages to shares, with no + # restrictions + # WARNING - use this with care: files can be modified, + # regardless of file permissions + admin users = root + + # who is NOT allowed to connect to ANY service + invalid users = @wheel, mail, deamon, adt</pre><p>Daemons can't use Samba, only people. The <code class="literal">invalid</code> <code class="literal">users</code> option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.</p><pre class="programlisting"># hosts that are ALLOWED or DENIED from connecting to ANY service + hosts allow = 10.10.1. + hosts deny = 10.10.1.6 + + # where the lock files will be located + lock directory = /var/lock/samba/locks + + # debug log files + # %m = separate log for each NetBIOS name (each machine) + log file = /var/log/samba/log.%m + + # We send priority 0, 1 and 2 messages to the system logs + syslog = 2 + + # If a WinPopup message is sent to the server, + # redirect it to a user via e-mail + + message command = /bin/mail -s 'message from #% on %m' \ + pkelly < %s; rm %s + +# --------------------------------------------------- +# [globals] Performance Tuning +# --------------------------------------------------- + + # caching algorithm to reduce time doing getwd() calls. + getwd cache = yes + + socket options = TCP_NODELAY + + # tell the server whether the client is present and + # responding in seconds + keep alive = 60 + + # num minutes of inactivity before a connection is + # considered dead + dead time = 30 + + read prediction = yes + share modes = yes + max xmit = 17384 + read size = 512</pre><p>The <code class="literal">share</code> <code class="literal">modes</code>, <code class="literal">max</code>, <code class="literal">xinit</code>, and <code class="literal">read</code> <code class="literal">size</code> options are machine-specific (see <a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a>):</p><pre class="programlisting"># locking is done by the server + locking = yes + + # control whether dos style attributes should be mapped + # to unix execute bits + map hidden = yes + map archive = yes + map system = yes</pre><p>The three <code class="literal">map</code> options will work only on shares with a create mode that includes the execute bits (0111). Our <code class="literal">homes</code> and <code class="literal">printers</code> shares won't honor them, but the [<code class="literal">www]</code> share will:</p><pre class="programlisting"># --------------------------------------------------------- +# [globals] Security and Domain Logon Services +# --------------------------------------------------------- +# connections are made with UID and GID, not as shares + security = user + +# boolean variable that controls whether passwords +# will be encrypted + encrypt passwords = yes + passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*" + passwd program = /usr/bin/passwd %u + +# Always become the local master browser + domain master = yes + preferred master = yes + os level = 34 + +# For domain logons to work correctly. Samba acts as a +# primary domain controller. + domain logons = yes + +# Logon script to run for user off the server each time +# username (%U) logs in. Set the time, connect to shares, +# virus checks, etc. + logon script = scripts\%U.bat + +[netlogon] + comment = "Domain Logon Services" + path = /u/netlogon + writable = yes + create mode = 444 + guest ok = no + volume = "Network"</pre><p>This share, discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>, is required for Samba to work smoothly in a Windows NT domain:</p><pre class="programlisting"># ----------------------------------------------------------- +# [homes] User Home Directories +# ----------------------------------------------------------- +[homes] + comment = "Home Directory for : %u " + path = /u/users/%u</pre><p>The password file of the Samba server specifies each person's home directory as <span class="emphasis"><em>/home/</em></span><em class="replaceable"><code>machine_name</code></em><span class="emphasis"><em>/</em></span><em class="replaceable"><code>person</code></em>, which NFS converts to point to the actual physicl location under <span class="emphasis"><em>/u/users</em></span>. The <code class="literal">path</code> option in the <code class="literal">[homes]</code> share tells Samba the actual (non-NFS) location:</p><pre class="programlisting">guest ok = no + read only = no + create mode = 644 + writable = yes + browseable = no + +# ----------------------------------------------------------- +# [printers] System Printers +# ----------------------------------------------------------- +[printers] + comment = "Printers" + path = /var/spool/lpd/samba + printcap name = /etc/printcap + printable = yes + public = no + writable = no + + lpq command = /usr/bin/lpq -P%p + lprm command = /usr/bin/lprm -P%p %j + lppause command = /usr/sbin/lpc stop %p + lpresume command = /usr/sbin/lpc start %p + + create mode = 0700 + + browseable = no + load printers = yes + +# ----------------------------------------------------------- +# Specific Descriptions: [programs] [data] [retail] +# ----------------------------------------------------------- +[programs] + comment = "Shared Programs %T" + volume = "programs"</pre><p>Shared Programs shows up in the Network Neighborhood, and <code class="literal">programs</code> is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:</p><pre class="programlisting">path = /u/programs + public = yes + writeable = yes + printable = no + create mode = 664 +[cdrom] + comment = "Unix CDROM" + path = /u/cdrom + public = no + writeable = no + printable = no + volume = "cdrom" + +[data] + comment = "Data Directories %T" + path = /u/data + public = no + create mode = 770 + writeable = yes + volume = "data" + +[nt4] + comment = "NT4 Server" + path = /u/systems/nt4 + public = yes + create mode = 770 + writeable = yes + volume = "nt4_server" + +[www] + comment = "WWW System" + path = /usr/www/http + public = yes + create mode = 775 + writeable = yes + volume = "www_system"</pre><p>The <code class="literal">[www]</code> share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.</p></div><div class="colophon" lang="en"><h2 class="title"><a name="colophon"></a>Colophon</h2><p>Our look is the result of reader comments, our own +experimentation, and feedback from distribution channels. Distinctive +covers complement our distinctive approach to technical topics, +breathing personality and life into potentially dry subjects.</p><p>The animal on the cover of <em class="citetitle">Using Samba</em> is +a African ground hornbill (<span class="foreignphrase"><em class="foreignphrase">Bucorvus +cafer</em></span>). This type of bird is one of fifty hornbill +species. The African ground hornbill is a medium to large sized bird +characterized by a bright red waddle under a very long beak, +dark-colored body and wings, long eyelashes, and short legs. Like all +hornbills, it has a casque, a large but lightweight growth on the top +of its beak, which grows more folds as the bird ages. It is the only +ground-dwelling species of hornbill, though it is able to fly when +necessary. It lives in the grasslands of southern and eastern Africa, +and nests in the foliage of dense trees, not in nest holes in the +ground as other hornbills do. Its diet includes mostly fruit, as well +as large insects and small mammals. The African ground hornbill is +considered to be sacred by many Africans, and as such this bird is +part of many legends and superstitions.</p><p>Sarah Jane Shangraw was the production editor and proofreader +for <em class="citetitle">Using Samba</em>. Sarah Lemaire copyedited the +text. Maureen Dempsey and Claire Cloutier LeBlanc provided quality +control. Brenda Miller wrote the index.</p><p>Edie Freedman designed the cover of this book based on her own +series design. The cover image of an African ground hornbill is a +19th-century engraving from the Dover Pictorial Archive. Kathleen +Wilson produced the cover layout with QuarkXPress 3.32 using Adobe's +ITC Garamond font. Kathleen Wilson also created the CD design.</p><p>Alicia Cech designed the interior layout based on a series +design by Nancy Priest. Mike Sierra implemented the design in +FrameMaker 5.5. The text and heading fonts are ITC Garamond Light and +Garamond Book. The illustrations that appear in the book were produced +by Robert Romano and Rhon Porter using Macromedia FreeHand 8 and Adobe +Photoshop 5. Interior composition was done by Sarah Jane Shangraw, +Sebastian Banker, Jeff Holcolmb, and Abigail Myers. This colophon was +written by Nicole Arigo.</p><p>The online edition of this book was created by the Safari +production group (John Chodacki, Becki Maisch, and Madeleine Newell) +using a set of Frame-to-XML conversion and cleanup tools written and +maintained by Erik Ray, Benn Salter, John Chodacki, and Jeff +Liggett.</p></div></div></body></html> diff --git a/docs/htmldocs/using_samba/figs/sam.0101.gif b/docs/htmldocs/using_samba/figs/sam.0101.gif Binary files differnew file mode 100644 index 0000000000..2fd7ffe480 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0101.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0102.gif b/docs/htmldocs/using_samba/figs/sam.0102.gif Binary files differnew file mode 100644 index 0000000000..02f885b37c --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0102.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0103.gif b/docs/htmldocs/using_samba/figs/sam.0103.gif Binary files differnew file mode 100644 index 0000000000..907f8b480a --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0103.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0104.gif b/docs/htmldocs/using_samba/figs/sam.0104.gif Binary files differnew file mode 100644 index 0000000000..7629fddedb --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0104.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0105.gif b/docs/htmldocs/using_samba/figs/sam.0105.gif Binary files differnew file mode 100644 index 0000000000..129fde33f8 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0105.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0106.gif b/docs/htmldocs/using_samba/figs/sam.0106.gif Binary files differnew file mode 100644 index 0000000000..b424ef30ec --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0106.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0107.gif b/docs/htmldocs/using_samba/figs/sam.0107.gif Binary files differnew file mode 100644 index 0000000000..325622a79f --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0107.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0108.gif b/docs/htmldocs/using_samba/figs/sam.0108.gif Binary files differnew file mode 100644 index 0000000000..6e54912097 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0108.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0109.gif b/docs/htmldocs/using_samba/figs/sam.0109.gif Binary files differnew file mode 100644 index 0000000000..ee281d6504 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0109.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0110.gif b/docs/htmldocs/using_samba/figs/sam.0110.gif Binary files differnew file mode 100644 index 0000000000..5af69ba75e --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0110.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0111.gif b/docs/htmldocs/using_samba/figs/sam.0111.gif Binary files differnew file mode 100644 index 0000000000..4c1ed81044 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0111.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0112.gif b/docs/htmldocs/using_samba/figs/sam.0112.gif Binary files differnew file mode 100644 index 0000000000..4f559e0d0f --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0112.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0113.gif b/docs/htmldocs/using_samba/figs/sam.0113.gif Binary files differnew file mode 100644 index 0000000000..16a884284c --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0113.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0114.gif b/docs/htmldocs/using_samba/figs/sam.0114.gif Binary files differnew file mode 100644 index 0000000000..52f3416d9e --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0114.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0201.gif b/docs/htmldocs/using_samba/figs/sam.0201.gif Binary files differnew file mode 100644 index 0000000000..9a601f47d3 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0201.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0202.gif b/docs/htmldocs/using_samba/figs/sam.0202.gif Binary files differnew file mode 100644 index 0000000000..b6e687efa4 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0202.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0203.gif b/docs/htmldocs/using_samba/figs/sam.0203.gif Binary files differnew file mode 100644 index 0000000000..2737654f30 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0203.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0204.gif b/docs/htmldocs/using_samba/figs/sam.0204.gif Binary files differnew file mode 100644 index 0000000000..87c08e0b40 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0204.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0301.gif b/docs/htmldocs/using_samba/figs/sam.0301.gif Binary files differnew file mode 100644 index 0000000000..cb3922ba5c --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0301.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0302.gif b/docs/htmldocs/using_samba/figs/sam.0302.gif Binary files differnew file mode 100644 index 0000000000..9b9dd5d853 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0302.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0303.gif b/docs/htmldocs/using_samba/figs/sam.0303.gif Binary files differnew file mode 100644 index 0000000000..b5cc6f08f1 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0303.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0304.gif b/docs/htmldocs/using_samba/figs/sam.0304.gif Binary files differnew file mode 100644 index 0000000000..e5fdd94da9 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0304.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0305.gif b/docs/htmldocs/using_samba/figs/sam.0305.gif Binary files differnew file mode 100644 index 0000000000..b297326a8e --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0305.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0306.gif b/docs/htmldocs/using_samba/figs/sam.0306.gif Binary files differnew file mode 100644 index 0000000000..b7854c230c --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0306.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0307.gif b/docs/htmldocs/using_samba/figs/sam.0307.gif Binary files differnew file mode 100644 index 0000000000..d8da9c2803 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0307.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0308.gif b/docs/htmldocs/using_samba/figs/sam.0308.gif Binary files differnew file mode 100644 index 0000000000..e913cf164f --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0308.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0309.gif b/docs/htmldocs/using_samba/figs/sam.0309.gif Binary files differnew file mode 100644 index 0000000000..f8bc5223e0 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0309.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0310.gif b/docs/htmldocs/using_samba/figs/sam.0310.gif Binary files differnew file mode 100644 index 0000000000..38a8041f66 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0310.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0311.gif b/docs/htmldocs/using_samba/figs/sam.0311.gif Binary files differnew file mode 100644 index 0000000000..097de50a00 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0311.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0312.gif b/docs/htmldocs/using_samba/figs/sam.0312.gif Binary files differnew file mode 100644 index 0000000000..51dc80fc06 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0312.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0313.gif b/docs/htmldocs/using_samba/figs/sam.0313.gif Binary files differnew file mode 100644 index 0000000000..b18999f496 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0313.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0314.gif b/docs/htmldocs/using_samba/figs/sam.0314.gif Binary files differnew file mode 100644 index 0000000000..a49e7f403c --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0314.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0315.gif b/docs/htmldocs/using_samba/figs/sam.0315.gif Binary files differnew file mode 100644 index 0000000000..68515e580d --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0315.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0316.gif b/docs/htmldocs/using_samba/figs/sam.0316.gif Binary files differnew file mode 100644 index 0000000000..1febc01768 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0316.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0317.gif b/docs/htmldocs/using_samba/figs/sam.0317.gif Binary files differnew file mode 100644 index 0000000000..638b7a3646 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0317.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0318.gif b/docs/htmldocs/using_samba/figs/sam.0318.gif Binary files differnew file mode 100644 index 0000000000..2027e025d4 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0318.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0319.gif b/docs/htmldocs/using_samba/figs/sam.0319.gif Binary files differnew file mode 100644 index 0000000000..aa2ead8c4a --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0319.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0320.gif b/docs/htmldocs/using_samba/figs/sam.0320.gif Binary files differnew file mode 100644 index 0000000000..81bebab8a0 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0320.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0321.gif b/docs/htmldocs/using_samba/figs/sam.0321.gif Binary files differnew file mode 100644 index 0000000000..65cee014f7 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0321.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0322.gif b/docs/htmldocs/using_samba/figs/sam.0322.gif Binary files differnew file mode 100644 index 0000000000..0e1eca6cec --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0322.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0323.gif b/docs/htmldocs/using_samba/figs/sam.0323.gif Binary files differnew file mode 100644 index 0000000000..a2531501bd --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0323.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0324.gif b/docs/htmldocs/using_samba/figs/sam.0324.gif Binary files differnew file mode 100644 index 0000000000..eded928dd8 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0324.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0325.gif b/docs/htmldocs/using_samba/figs/sam.0325.gif Binary files differnew file mode 100644 index 0000000000..7b6bd32b00 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0325.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0326.gif b/docs/htmldocs/using_samba/figs/sam.0326.gif Binary files differnew file mode 100644 index 0000000000..a6384081b0 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0326.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0327.gif b/docs/htmldocs/using_samba/figs/sam.0327.gif Binary files differnew file mode 100644 index 0000000000..270c8caf11 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0327.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0328.gif b/docs/htmldocs/using_samba/figs/sam.0328.gif Binary files differnew file mode 100644 index 0000000000..e754a9ce13 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0328.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0401.gif b/docs/htmldocs/using_samba/figs/sam.0401.gif Binary files differnew file mode 100644 index 0000000000..e7d7a9933f --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0401.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0402.gif b/docs/htmldocs/using_samba/figs/sam.0402.gif Binary files differnew file mode 100644 index 0000000000..826ae22b02 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0402.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0403.gif b/docs/htmldocs/using_samba/figs/sam.0403.gif Binary files differnew file mode 100644 index 0000000000..4cf6a17526 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0403.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0404.gif b/docs/htmldocs/using_samba/figs/sam.0404.gif Binary files differnew file mode 100644 index 0000000000..9e3d744d5a --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0404.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0405.gif b/docs/htmldocs/using_samba/figs/sam.0405.gif Binary files differnew file mode 100644 index 0000000000..2e567a4c25 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0405.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0406.gif b/docs/htmldocs/using_samba/figs/sam.0406.gif Binary files differnew file mode 100644 index 0000000000..d1a7754f91 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0406.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0407.gif b/docs/htmldocs/using_samba/figs/sam.0407.gif Binary files differnew file mode 100644 index 0000000000..d19dd4273a --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0407.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0501.gif b/docs/htmldocs/using_samba/figs/sam.0501.gif Binary files differnew file mode 100644 index 0000000000..e973c784ea --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0501.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0502.gif b/docs/htmldocs/using_samba/figs/sam.0502.gif Binary files differnew file mode 100644 index 0000000000..e6018918fc --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0502.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0503.gif b/docs/htmldocs/using_samba/figs/sam.0503.gif Binary files differnew file mode 100644 index 0000000000..596db84611 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0503.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0504.gif b/docs/htmldocs/using_samba/figs/sam.0504.gif Binary files differnew file mode 100644 index 0000000000..96893237cd --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0504.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0505.gif b/docs/htmldocs/using_samba/figs/sam.0505.gif Binary files differnew file mode 100644 index 0000000000..de9c07baab --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0505.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0506.gif b/docs/htmldocs/using_samba/figs/sam.0506.gif Binary files differnew file mode 100644 index 0000000000..c5bb495d67 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0506.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0507.gif b/docs/htmldocs/using_samba/figs/sam.0507.gif Binary files differnew file mode 100644 index 0000000000..7c77c94c8d --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0507.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0508.gif b/docs/htmldocs/using_samba/figs/sam.0508.gif Binary files differnew file mode 100644 index 0000000000..fc364d5d05 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0508.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0601.gif b/docs/htmldocs/using_samba/figs/sam.0601.gif Binary files differnew file mode 100644 index 0000000000..aa9eb28baf --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0601.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0602.gif b/docs/htmldocs/using_samba/figs/sam.0602.gif Binary files differnew file mode 100644 index 0000000000..1ee0ac78b8 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0602.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0603.gif b/docs/htmldocs/using_samba/figs/sam.0603.gif Binary files differnew file mode 100644 index 0000000000..f23cdf877d --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0603.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0604.gif b/docs/htmldocs/using_samba/figs/sam.0604.gif Binary files differnew file mode 100644 index 0000000000..75460ba4b4 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0604.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0605.gif b/docs/htmldocs/using_samba/figs/sam.0605.gif Binary files differnew file mode 100644 index 0000000000..96f2bb56f3 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0605.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0606.gif b/docs/htmldocs/using_samba/figs/sam.0606.gif Binary files differnew file mode 100644 index 0000000000..c47c4c9b51 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0606.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0701.gif b/docs/htmldocs/using_samba/figs/sam.0701.gif Binary files differnew file mode 100644 index 0000000000..3c7693929b --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0701.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0702.gif b/docs/htmldocs/using_samba/figs/sam.0702.gif Binary files differnew file mode 100644 index 0000000000..c1160e2838 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0702.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0703.gif b/docs/htmldocs/using_samba/figs/sam.0703.gif Binary files differnew file mode 100644 index 0000000000..9967b58e0b --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0703.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0704.gif b/docs/htmldocs/using_samba/figs/sam.0704.gif Binary files differnew file mode 100644 index 0000000000..5808a87530 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0704.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0705.gif b/docs/htmldocs/using_samba/figs/sam.0705.gif Binary files differnew file mode 100644 index 0000000000..155498ca33 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0705.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0706.gif b/docs/htmldocs/using_samba/figs/sam.0706.gif Binary files differnew file mode 100644 index 0000000000..536997665b --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0706.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0707.gif b/docs/htmldocs/using_samba/figs/sam.0707.gif Binary files differnew file mode 100644 index 0000000000..6049b66752 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0707.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0708.gif b/docs/htmldocs/using_samba/figs/sam.0708.gif Binary files differnew file mode 100644 index 0000000000..013674af64 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0708.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0709.gif b/docs/htmldocs/using_samba/figs/sam.0709.gif Binary files differnew file mode 100644 index 0000000000..bae978dc86 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0709.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0801.gif b/docs/htmldocs/using_samba/figs/sam.0801.gif Binary files differnew file mode 100644 index 0000000000..243c3bfa57 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0801.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0802.gif b/docs/htmldocs/using_samba/figs/sam.0802.gif Binary files differnew file mode 100644 index 0000000000..ae8b40dd58 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0802.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0803.gif b/docs/htmldocs/using_samba/figs/sam.0803.gif Binary files differnew file mode 100644 index 0000000000..375e1000dd --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0803.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0804.gif b/docs/htmldocs/using_samba/figs/sam.0804.gif Binary files differnew file mode 100644 index 0000000000..0c17d6a6f6 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0804.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0805.gif b/docs/htmldocs/using_samba/figs/sam.0805.gif Binary files differnew file mode 100644 index 0000000000..271291801d --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0805.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0901.gif b/docs/htmldocs/using_samba/figs/sam.0901.gif Binary files differnew file mode 100644 index 0000000000..695b93786f --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0901.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0902.gif b/docs/htmldocs/using_samba/figs/sam.0902.gif Binary files differnew file mode 100644 index 0000000000..d45787d245 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0902.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0903.gif b/docs/htmldocs/using_samba/figs/sam.0903.gif Binary files differnew file mode 100644 index 0000000000..c28000d7fb --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0903.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0904.gif b/docs/htmldocs/using_samba/figs/sam.0904.gif Binary files differnew file mode 100644 index 0000000000..f1fe5b4ecf --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0904.gif diff --git a/docs/htmldocs/using_samba/figs/sam.0905.gif b/docs/htmldocs/using_samba/figs/sam.0905.gif Binary files differnew file mode 100644 index 0000000000..f958389c42 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.0905.gif diff --git a/docs/htmldocs/using_samba/figs/sam.aa01.gif b/docs/htmldocs/using_samba/figs/sam.aa01.gif Binary files differnew file mode 100644 index 0000000000..78964348c3 --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.aa01.gif diff --git a/docs/htmldocs/using_samba/figs/sam.ab01.gif b/docs/htmldocs/using_samba/figs/sam.ab01.gif Binary files differnew file mode 100644 index 0000000000..8abcb431ee --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.ab01.gif diff --git a/docs/htmldocs/using_samba/figs/sam.ab02.gif b/docs/htmldocs/using_samba/figs/sam.ab02.gif Binary files differnew file mode 100644 index 0000000000..a2bce6399f --- /dev/null +++ b/docs/htmldocs/using_samba/figs/sam.ab02.gif |
