author: Gerald Carter <jerry@samba.org> 2001-05-21 08:34:49 +0000
committer: Gerald Carter <jerry@samba.org> 2001-05-21 08:34:49 +0000
commit: 46ed5a6acde3b2b43ee4c32ff4ace950dba79b8c (patch)
tree: 33ee571e2f69e56c71111dbc9995220b2024e0b1 /docs/htmldocs/Samba-HOWTO-Collection.html
parent: 72461f96dd72bb5ba06c11281585e79e94580f48 (diff)
working on updates for the 2.2.1 release
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r--  docs/htmldocs/Samba-HOWTO-Collection.html  931
1 files changed, 580 insertions, 351 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index 401f4272159..4f1bd067c0d 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -376,193 +376,198 @@ HREF="#AEN764"
><DT
>6.1. <A
HREF="#AEN781"
->Background</A
+>Prerequisite Reading</A
></DT
><DT
>6.2. <A
-HREF="#AEN819"
->Configuring the Samba Domain Controller</A
+HREF="#AEN787"
+>Background</A
></DT
><DT
>6.3. <A
-HREF="#AEN862"
->Creating Machine Trust Accounts and Joining Clients
-to the Domain</A
+HREF="#AEN827"
+>Configuring the Samba Domain Controller</A
></DT
><DT
>6.4. <A
-HREF="#AEN900"
->Common Problems and Errors</A
-></DT
-><DT
->6.5. <A
-HREF="#AEN942"
->System Policies and Profiles</A
-></DT
-><DT
->6.6. <A
-HREF="#AEN982"
->What other help can I get ?</A
+HREF="#AEN870"
+>Creating Machine Trust Accounts and Joining Clients
+to the Domain</A
></DT
><DD
><DL
><DT
->6.6.1. <A
-HREF="#AEN1029"
->URLs and similar</A
+>6.4.1. <A
+HREF="#AEN884"
+>Manually creating machine trust accounts</A
></DT
><DT
->6.6.2. <A
-HREF="#AEN1053"
->Mailing Lists</A
+>6.4.2. <A
+HREF="#AEN912"
+>Creating machine trust accounts "on the fly"</A
></DT
></DL
></DD
><DT
+>6.5. <A
+HREF="#AEN923"
+>Common Problems and Errors</A
+></DT
+><DT
+>6.6. <A
+HREF="#AEN971"
+>System Policies and Profiles</A
+></DT
+><DT
>6.7. <A
-HREF="#AEN1092"
+HREF="#AEN1015"
+>What other help can I get ?</A
+></DT
+><DT
+>6.8. <A
+HREF="#AEN1129"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
></DD
><DT
>7. <A
-HREF="#AEN1116"
+HREF="#AEN1154"
>Unifed Logons between Windows NT and UNIX using Winbind</A
></DT
><DD
><DL
><DT
>7.1. <A
-HREF="#AEN1134"
+HREF="#AEN1172"
>Abstract</A
></DT
><DT
>7.2. <A
-HREF="#AEN1138"
+HREF="#AEN1176"
>Introduction</A
></DT
><DT
>7.3. <A
-HREF="#AEN1151"
+HREF="#AEN1189"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
>7.3.1. <A
-HREF="#AEN1158"
+HREF="#AEN1196"
>Target Uses</A
></DT
></DL
></DD
><DT
>7.4. <A
-HREF="#AEN1162"
+HREF="#AEN1200"
>How Winbind Works</A
></DT
><DD
><DL
><DT
>7.4.1. <A
-HREF="#AEN1167"
+HREF="#AEN1205"
>Microsoft Remote Procedure Calls</A
></DT
><DT
>7.4.2. <A
-HREF="#AEN1171"
+HREF="#AEN1209"
>Name Service Switch</A
></DT
><DT
>7.4.3. <A
-HREF="#AEN1187"
+HREF="#AEN1225"
>Pluggable Authentication Modules</A
></DT
><DT
>7.4.4. <A
-HREF="#AEN1195"
+HREF="#AEN1233"
>User and Group ID Allocation</A
></DT
><DT
>7.4.5. <A
-HREF="#AEN1199"
+HREF="#AEN1237"
>Result Caching</A
></DT
></DL
></DD
><DT
>7.5. <A
-HREF="#AEN1202"
+HREF="#AEN1240"
>Installation and Configuration</A
></DT
><DT
>7.6. <A
-HREF="#AEN1208"
+HREF="#AEN1246"
>Limitations</A
></DT
><DT
>7.7. <A
-HREF="#AEN1220"
+HREF="#AEN1258"
>Conclusion</A
></DT
></DL
></DD
><DT
>8. <A
-HREF="#AEN1223"
+HREF="#AEN1261"
>UNIX Permission Bits and WIndows NT Access Control Lists</A
></DT
><DD
><DL
><DT
>8.1. <A
-HREF="#AEN1234"
+HREF="#AEN1272"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>8.2. <A
-HREF="#AEN1243"
+HREF="#AEN1281"
>How to view file security on a Samba share</A
></DT
><DT
>8.3. <A
-HREF="#AEN1254"
+HREF="#AEN1292"
>Viewing file ownership</A
></DT
><DT
>8.4. <A
-HREF="#AEN1274"
+HREF="#AEN1312"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
>8.4.1. <A
-HREF="#AEN1289"
+HREF="#AEN1327"
>File Permissions</A
></DT
><DT
>8.4.2. <A
-HREF="#AEN1303"
+HREF="#AEN1341"
>Directory Permissions</A
></DT
></DL
></DD
><DT
>8.5. <A
-HREF="#AEN1310"
+HREF="#AEN1348"
>Modifying file or directory permissions</A
></DT
><DT
>8.6. <A
-HREF="#AEN1332"
+HREF="#AEN1370"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>8.7. <A
-HREF="#AEN1396"
+HREF="#AEN1434"
>Interaction with the standard Samba file attribute
mapping</A
></DT
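Review bot: two pre-existing typos in the unchanged TOC context of this hunk survive the renumbering: "Unifed Logons between Windows NT and UNIX using Winbind" (chapter 7) should be "Unified", and "UNIX Permission Bits and WIndows NT Access Control Lists" (chapter 8) has a stray capital in "WIndows". As this HTML is generated, fix both in the SGML source so the TOC and the chapter headings stay in sync. Note also that every AEN anchor from 6.2 onward shifts in this commit, so any external link into "#AEN900" and friends will land on the wrong section.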
@@ -570,39 +575,39 @@ HREF="#AEN1396"
></DD
><DT
>9. <A
-HREF="#AEN1406"
+HREF="#AEN1444"
>OS2 Client HOWTO</A
></DT
><DD
><DL
><DT
>9.1. <A
-HREF="#AEN1417"
+HREF="#AEN1455"
>FAQs</A
></DT
><DD
><DL
><DT
>9.1.1. <A
-HREF="#AEN1419"
+HREF="#AEN1457"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>9.1.2. <A
-HREF="#AEN1434"
+HREF="#AEN1472"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>9.1.3. <A
-HREF="#AEN1443"
+HREF="#AEN1481"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>9.1.4. <A
-HREF="#AEN1447"
+HREF="#AEN1485"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -3099,7 +3104,7 @@ CLASS="FILENAME"
></P
><P
>will reveal that Windows NT always uses the NT driver
- name. The is ok as Windows NT always requires that at least
+ name. This is ok as Windows NT always requires that at least
the Windows NT version of the printer driver is present.
However, Samba does not have the requirement internally.
Therefore, how can you use the NT driver name if is has not
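Review bot: the "The is ok" to "This is ok" fix leaves a second typo in the context two lines below it: "how can you use the NT driver name if is has not" should read "if it has not". Worth correcting in the same pass.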
@@ -3648,7 +3653,35 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN781"
->6.1. Background</A
+>6.1. Prerequisite Reading</A
+></H1
+><P
+>Before you continue readingin this chapter, please make sure
+that you are comfortable with configuring basic files services
+in smb.conf and how to enable and administrate password
+encryption in Samba. Theses two topics are covered in the
+<A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+></A
+>
+manpage and the <A
+HREF="EMCRYPTION.html"
+TARGET="_top"
+>Encryption chapter</A
+>
+of this HOWTO Collection.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN787"
+>6.2. Background</A
></H1
><DIV
CLASS="NOTE"
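Review bot: the encryption link in the new Prerequisite Reading section points at HREF="EMCRYPTION.html", which looks like a misspelling of the chapter name ("Encryption"); please check it against the actual filename in docs/htmldocs, otherwise the link will be dead. The same paragraph has "readingin this chapter" (reading this chapter), "basic files services" (basic file services), "administrate" (administer) and "Theses two topics" (These two topics).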
@@ -3666,14 +3699,30 @@ Both documents are superceeded by this one.</P
></DIV
><P
>Version of Samba prior to release 2.2 had marginal capabilities to
-act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
-functionality should work in 2.2:</P
+act as a Windows NT 4.0 Primary Domain Controller (PDC). Beginning with
+Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
+style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
+SP1) clients. This article outlines the steps necessary for configuring Samba
+as a PDC. It is necessary to have a working Samba server prior to implementing the
+PDC functionality. If you have not followed the steps outlined in
+<A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+> UNIX_INSTALL.html</A
+>, please make sure
+that your server is configured correctly before proceeding. Another good
+resource in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5) man
+page</A
+>. The following functionality should work in 2.2:</P
><P
></P
><UL
><LI
><P
-> domain logons for Windows NT 4.0/2000 clients
+> domain logons for Windows NT 4.0/2000 clients.
</P
></LI
><LI
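Review bot: the sentence moved into this paragraph still lacks its verb: "Another good resource in the smb.conf(5) man page" should be "Another good resource is the smb.conf(5) man page". In the surrounding context, "Version of Samba prior to release 2.2" wants "Versions", and "superceeded" in the hunk header context should be "superseded". Spelling out the supported service pack levels ("through SP6", "through SP1") is an improvement over the old "including SP1" wording.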
@@ -3698,6 +3747,32 @@ functionality should work in 2.2:</P
</P
></LI
></UL
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Windows 2000 Service Pack 2 Clients</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> Samba 2.2.1 is required for PDC functionality when using Windows 2000
+ SP2 clients.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
><P
>The following pieces of functionality are not included in the 2.2 release:</P
><P
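Review bot: the new warning box says Samba 2.2.1 is required for Windows 2000 SP2 clients, while the paragraph above it says support covers Windows 2000 "through SP1". The two are consistent, but since this commit prepares the 2.2.1 release, consider stating the SP2/2.2.1 requirement in that paragraph as well, so a reader skimming the feature list does not miss the box.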
@@ -3733,25 +3808,6 @@ support Windows 9x style domain logons is completely different
from NT4 domain logons and has been officially supported for some
time.</P
><P
->Beginning with Samba 2.2.0, we are proud to announce official
-support for Windows NT 4.0 style domain logons from Windows NT
-4.0 and Windows 2000 (including SP1) clients. This article
-outlines the steps necessary for configuring Samba as a PDC.
-It is necessary to have a working Samba server prior to implementing the
-PDC functionality. If you have not followed the steps outlined in
-<A
-HREF="UNIX_INSTALL.html"
-TARGET="_top"
-> UNIX_INSTALL.html</A
->, please make sure
-that your server is configured correctly before proceeding. Another good
-resource in the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
->smb.conf(5) man
-page</A
->.</P
-><P
>Implementing a Samba PDC can basically be divided into 2 broad
steps.</P
><P
@@ -3781,8 +3837,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN819"
->6.2. Configuring the Samba Domain Controller</A
+NAME="AEN827"
+>6.3. Configuring the Samba Domain Controller</A
></H1
><P
>The first step in creating a working Samba PDC is to
@@ -3976,7 +4032,9 @@ CLASS="FILENAME"
><LI
><P
> The server must be the domain master browser in order for Windows
- client to locate the server as a DC.
+ client to locate the server as a DC. Please refer to the various
+ Network Browsing documentation included with this distribution for
+ details.
</P
></LI
></UL
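Review bot: "in order for Windows client to locate the server" needs "clients". The added pointer to "the various Network Browsing documentation included with this distribution" would be more useful if it named the specific document and linked it the way UNIX_INSTALL.html is linked earlier in the chapter.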
@@ -4001,26 +4059,39 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN862"
->6.3. Creating Machine Trust Accounts and Joining Clients
+NAME="AEN870"
+>6.4. Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
><P
->A machine trust account is a user account owned by a computer.
+>A machine trust account is a samba user account owned by a computer.
The account password acts as the shared secret for secure
-communication with the Domain Controller. Hence the reason that
-a Windows 9x host is never a true member of a domain because
-it does not posses a machine trust account and thus has no shared
-secret with the DC.</P
+communication with the Domain Controller. This is a security feature
+to prevent an unauthorized machine with the same netbios name from
+joining the domain and gaining access to domain user/group accounts.
+Hence a Windows 9x host is never a true member of a domain because it does
+not posses a machine trust account, and thus has no shared secret with the DC.</P
><P
>On a Windows NT PDC, these machine trust account passwords are stored
-in the registry. A Samba PDC stores these accounts in he same location
+in the registry. A Samba PDC stores these accounts in the same location
as user LanMan and NT password hashes (currently <TT
CLASS="FILENAME"
>smbpasswd</TT
>).
However, machine trust accounts only possess and use the NT password hash.</P
><P
+>Because Samba requires machine accounts to possess a UNIX uid from
+which an Windows NT SID can be generated, all of these accounts
+must have an entry in <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> and smbpasswd.
+Future releases will alleviate the need to create
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entries. </P
+><P
>There are two means of creating machine trust accounts.</P
><P
></P
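Review bot: the added rationale (the account password is a shared secret that stops an unauthorized machine with the same netbios name from joining and reading domain user/group information) is the right point to make, but it should be qualified: for a manually created account the secret is the well-known initial password, so, as the warning later in this section says, the protection only begins once the client has joined and changed it. A half sentence to that effect here would tie the two passages together. Typos in the same paragraphs: "a samba user account" (Samba), "posses" (possesses), "an Windows NT SID" (a Windows NT SID). Changing "will have an entry" to "must have an entry" for /etc/passwd is a correct tightening.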
@@ -4037,22 +4108,42 @@ However, machine trust accounts only possess and use the NT password hash.</P
> Creation of the account at the time of joining the domain. In
this case, the session key of the administrative account used to join
the client to the domain acts as an encryption key for setting the
- password to a random value.
+ password to a random value (This is the recommended method).
</P
></LI
></UL
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN884"
+>6.4.1. Manually creating machine trust accounts</A
+></H2
><P
->Because Samba requires machine accounts to possess a UNIX uid from
-which an Windows NT SID can be generated, all of these accounts
-will have an entry in <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> and smbpasswd.
-Future releases will alleviate the need to create
-<TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entries.</P
+>The first step in creating a machine trust account by hand is to
+create an entry for the machine in /etc/passwd. This can be done
+using <B
+CLASS="COMMAND"
+>vipw</B
+> or any 'add userr' command which is normally
+used to create new UNIX accounts. The following is an example for a Linux
+based Samba server:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+> -m -s /bin/false <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$</P
><P
>The <TT
CLASS="FILENAME"
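Review bot: the useradd example passes both "-d /dev/null" and "-m"; "-m" asks useradd to create the home directory, which makes no sense for /dev/null and will fail or warn on most systems, so drop "-m" (the /etc/passwd listing that follows shows no home directory is needed). Also "any 'add userr' command" should be "'add user'", and since the FAQ below notes that some BSD useradd implementations reject the trailing "$", a cross-reference to that entry here would save readers a round trip.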
@@ -4073,23 +4164,43 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE
+>doppy$:x:505:501:<TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+>:/dev/null:/bin/false</PRE
></TD
></TR
></TABLE
></P
><P
->If you are manually creating the machine accounts, it is necessary
-to add the <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> (or NIS passwd
-map) entry prior to adding the <TT
-CLASS="FILENAME"
->smbpasswd</TT
->
-entry. The following command will create a new machine account
-ready for use.</P
+>Above, <TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+> can be any descriptive name for the
+pc i.e. BasementComputer. The <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+> absolutely must be
+the netbios name of the pc to be added to the domain. The "$" must append the netbios
+name of the pc or samba will not recognize this as a machine account</P
+><P
+>Now that the UNIX account has been created, the next step is to create
+the smbpasswd entry for the machine containing the well known initial
+trust account password. This can be done using the <A
+HREF="smbpasswd.6.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+> command
+as shown here:</P
><P
><TT
CLASS="PROMPT"
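Review bot: the link text reads smbpasswd(8) but the HREF is "smbpasswd.6.html"; one of the two is wrong, so please check which manual section the page is generated under. In the explanatory paragraph, "pc i.e. BasementComputer" should be "e.g." (it is an example, not a definition), and "The "$" must append the netbios name of the pc or samba will not recognize this as a machine account" reads better as "The "$" must be appended to the netbios name of the pc, or samba will not recognize it as a machine account." (the sentence also lacks its full stop).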
@@ -4107,23 +4218,57 @@ CLASS="REPLACEABLE"
>machine_name</I
></TT
> is the machine's netbios
-name.</P
+name. </P
+><DIV
+CLASS="WARNING"
><P
-><EM
->If you manually create a machine account, immediately join
-the client to the domain.</EM
-> An open account like this
-can allow intruders to gain access to user account information
-in your domain.</P
-><P
->The second way of creating machine trust accounts is to add
-them on the fly at the time the client is joined to the domain.
-You will need to include a value for the <A
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Join the client to the domain immediately</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> Manually creating a machine trust account using this method is the
+ equivalent of creating a machine account on a Windows NT PDC using
+ the "Server Manager". From the time at which the account is created
+ to the time which th client joins the domain and changes the password,
+ your domain is vulnerable to an intruder joining your domain using a
+ a machine with the same netbios name. A PDC inherently trusts
+ members of the domain and will serve out a large degree of user
+ information to such clients. You have been warned!
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN912"
+>6.4.2. Creating machine trust accounts "on the fly"</A
+></H2
+><P
+>The second, and most recommended way of creating machine trust accounts
+is to create them as needed at the time the client is joined to
+the domain. You will need to include a value for the <A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
>
-parameter. Below is an example I use on a RedHat 6.2 Linux system.</P
+parameter. Below is an example from a RedHat 6.2 Linux system.</P
><P
><TABLE
BORDER="0"
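Review bot: the warning box is the most important addition in this hunk, but it has "th client" for "the client" and "using a a machine" with a doubled "a"; "the time which th client joins" also wants "the time at which the client joins". The 6.4.2 opener "The second, and most recommended way" is awkward ("The second, and recommended, way") and duplicates the "(This is the recommended method)" added to the list item in the previous hunk; one of the two is enough.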
@@ -4139,10 +4284,10 @@ CLASS="PROGRAMLISTING"
></TABLE
></P
><P
->In Samba 2.2, <EM
+>In Samba 2.2.1, <EM
>only the root account</EM
> can be used to create
-machine accounts on the fly like this. Therefore, it is required to create
+machine accounts like this. Therefore, it is required to create
an entry in smbpasswd for <EM
>root</EM
>. The password
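Review bot: changing "In Samba 2.2" to "In Samba 2.2.1" narrows the statement to a single point release. If the root-only restriction on creating machine accounts on the fly also applies to 2.2.0 (the rest of the chapter treats 2.2 as a series), "Samba 2.2" or "2.2.x" is the accurate wording; otherwise a reader may conclude that 2.2.0 permitted other accounts.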
@@ -4154,178 +4299,213 @@ CLASS="FILENAME"
>/etc/passwd</TT
> entry for security reasons.</P
></DIV
+></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN900"
->6.4. Common Problems and Errors</A
+NAME="AEN923"
+>6.5. Common Problems and Errors</A
></H1
><P
></P
><P
-><EM
->I cannot include a '$' in a machine name.</EM
></P
+><UL
+><LI
><P
->A 'machine name' in (typically) <TT
+> <EM
+>I cannot include a '$' in a machine name.</EM
+>
+ </P
+><P
+> A 'machine name' in (typically) <TT
CLASS="FILENAME"
>/etc/passwd</TT
>
-of the machine name with a '$' appended. FreeBSD (and other BSD
-systems ?) won't create a user with a '$' in their name.</P
+ of the machine name with a '$' appended. FreeBSD (and other BSD
+ systems ?) won't create a user with a '$' in their name.
+ </P
><P
->The problem is only in the program used to make the entry, once
-made, it works perfectly. So create a user without the '$' and
-use <B
+> The problem is only in the program used to make the entry, once
+ made, it works perfectly. So create a user without the '$' and
+ use <B
CLASS="COMMAND"
>vipw</B
> to edit the entry, adding the '$'. Or create
-the whole entry with vipw if you like, make sure you use a
-unique uid !</P
+ the whole entry with vipw if you like, make sure you use a
+ unique uid !
+ </P
+></LI
+><LI
><P
-><EM
+> <EM
>I get told "You already have a connection to the Domain...."
-or "Cannot join domain, the credentials supplied conflict with an
-existing set.." when creating a machine account.</EM
-></P
+ or "Cannot join domain, the credentials supplied conflict with an
+ existing set.." when creating a machine account.</EM
+>
+ </P
><P
->This happens if you try to create a machine account from the
-machine itself and already have a connection (e.g. mapped drive)
-to a share (or IPC$) on the Samba PDC. The following command
-will remove all network drive connections:</P
+> This happens if you try to create a machine account from the
+ machine itself and already have a connection (e.g. mapped drive)
+ to a share (or IPC$) on the Samba PDC. The following command
+ will remove all network drive connections:
+ </P
><P
-><TT
+> <TT
CLASS="PROMPT"
>C:\WINNT\&#62;</TT
> <B
CLASS="COMMAND"
>net use * /d</B
-></P
+>
+ </P
><P
->Further, if the machine is a already a 'member of a workgroup' that
-is the same name as the domain you are joining (bad idea) you will
-get this message. Change the workgroup name to something else, it
-does not matter what, reboot, and try again.</P
+> Further, if the machine is a already a 'member of a workgroup' that
+ is the same name as the domain you are joining (bad idea) you will
+ get this message. Change the workgroup name to something else, it
+ does not matter what, reboot, and try again.
+ </P
+></LI
+><LI
><P
-><EM
->"The system can not log you on (C000019B)...."</EM
-></P
+> <EM
+>The system can not log you on (C000019B)....</EM
+>
+ </P
><P
>I joined the domain successfully but after upgrading
-to a newer version of the Samba code I get the message, "The system
-can not log you on (C000019B), Please try a gain or consult your
-system administrator" when attempting to logon.</P
+ to a newer version of the Samba code I get the message, "The system
+ can not log you on (C000019B), Please try a gain or consult your
+ system administrator" when attempting to logon.
+ </P
><P
->This occurs when the domain SID stored in
-<TT
+> This occurs when the domain SID stored in
+ <TT
CLASS="FILENAME"
>private/WORKGROUP.SID</TT
> is
-changed. For example, you remove the file and <B
+ changed. For example, you remove the file and <B
CLASS="COMMAND"
>smbd</B
> automatically
-creates a new one. Or you are swapping back and forth between
-versions 2.0.7, TNG and the HEAD branch code (not recommended). The
-only way to correct the problem is to restore the original domain
-SID or remove the domain client from the domain and rejoin.</P
+ creates a new one. Or you are swapping back and forth between
+ versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+ only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin.
+ </P
+></LI
+><LI
><P
-><EM
->"The machine account for this computer either does not
-exist or is not accessible."</EM
-></P
+> <EM
+>The machine account for this computer either does not
+ exist or is not accessible.</EM
+>
+ </P
><P
->When I try to join the domain I get the message "The machine account
-for this computer either does not exist or is not accessible". Whats
-wrong ?</P
+> When I try to join the domain I get the message "The machine account
+ for this computer either does not exist or is not accessible". Whats
+ wrong?
+ </P
><P
->This problem is caused by the PDC not having a suitable machine account.
-If you are using the <TT
+> This problem is caused by the PDC not having a suitable machine account.
+ If you are using the <TT
CLASS="PARAMETER"
><I
>add user script</I
></TT
> method to create
-accounts then this would indicate that it has not worked. Ensure the domain
-admin user system is working.</P
-><P
->Alternatively if you are creating account entries manually then they
-have not been created correctly. Make sure that you have the entry
-correct for the machine account in smbpasswd file on the Samba PDC.
-If you added the account using an editor rather than using the smbpasswd
-utility, make sure that the account name is the machine netbios name
-with a '$' appended to it ( ie. computer_name$ ). There must be an entry
-in both /etc/passwd and the smbpasswd file. Some people have reported
-that inconsistent subnet masks between the Samba server and the NT
-client have caused this problem. Make sure that these are consistent
-for both client and server.</P
+ accounts then this would indicate that it has not worked. Ensure the domain
+ admin user system is working.
+ </P
><P
-><EM
+> Alternatively if you are creating account entries manually then they
+ have not been created correctly. Make sure that you have the entry
+ correct for the machine account in smbpasswd file on the Samba PDC.
+ If you added the account using an editor rather than using the smbpasswd
+ utility, make sure that the account name is the machine netbios name
+ with a '$' appended to it ( ie. computer_name$ ). There must be an entry
+ in both /etc/passwd and the smbpasswd file. Some people have reported
+ that inconsistent subnet masks between the Samba server and the NT
+ client have caused this problem. Make sure that these are consistent
+ for both client and server.
+ </P
+></LI
+><LI
+><P
+> <EM
>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
-I get a message about my account being disabled.</EM
-></P
+ I get a message about my account being disabled.</EM
+>
+ </P
><P
->This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
-fixed in 2.2.1. Other symptoms could be unaccessible shares on
-NT/W2K member servers in the domain or the following error in your smbd.log:
-passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%</P
+> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
+ fixed in 2.2.1. Other symptoms could be unaccessible shares on
+ NT/W2K member servers in the domain or the following error in your smbd.log:
+ passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
+ </P
><P
->At first be ensure to enable the useraccounts with <B
+> At first be ensure to enable the useraccounts with <B
CLASS="COMMAND"
>smbpasswd -e
-%user%</B
->, this is normaly done, when you create an account.</P
+ %user%</B
+>, this is normaly done, when you create an account.
+ </P
><P
->In order to work around this problem in 2.2.0, configure the
-<TT
+> In order to work around this problem in 2.2.0, configure the
+ <TT
CLASS="PARAMETER"
><I
>account</I
></TT
> control flag in
-<TT
+ <TT
CLASS="FILENAME"
>/etc/pam.d/samba</TT
-> file as follows:</P
+> file as follows:
+ </P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
-WIDTH="100%"
+WIDTH="90%"
><TR
><TD
><PRE
CLASS="PROGRAMLISTING"
->account required pam_permit.so</PRE
+> account required pam_permit.so
+ </PRE
></TD
></TR
></TABLE
></P
><P
->If you want to remain backward compatibility to samba 2.0.x use
-<TT
+> If you want to remain backward compatibility to samba 2.0.x use
+ <TT
CLASS="FILENAME"
>pam_permit.so</TT
>, it's also possible to use
-<TT
+ <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
>. There are some bugs if you try to
-use <TT
+ use <TT
CLASS="FILENAME"
>pam_unix.so</TT
>, if you need this, be ensure to use
-the most recent version of this file.</P
+ the most recent version of this file.
+ </P
+></LI
+></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN942"
->6.5. System Policies and Profiles</A
+NAME="AEN971"
+>6.6. System Policies and Profiles</A
></H1
><P
>Much of the information necessary to implement System Policies and
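Review bot: the PAM workaround "account required pam_permit.so" needs a caveat in the text: pam_permit.so unconditionally returns success, so while it is in place no account-stage checks from the system's PAM configuration (expired or locked UNIX accounts, access restrictions from other modules) are applied to Samba logons. The entry should state that this is a 2.2.0-only workaround to be reverted after upgrading to 2.2.1, where the bug is fixed. Wording in the same list: "Whats wrong?" (What's), "try a gain" (again), "unaccessible" (inaccessible), "normaly" (normally), "At first be ensure to enable the useraccounts" (First make sure the user accounts are enabled), "be ensure to use" (be sure to use), "remain backward compatibility" (retain backward compatibility). Converting the FAQ into a list is a good change; the indentation is consistent except in the C000019B item, where the first line of the answer ("I joined the domain successfully but after upgrading") is not indented like its neighbours.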
@@ -4340,92 +4520,107 @@ Profiles and Policies in Windows NT 4.0</A
><P
>Here are some additional details:</P
><P
-><EM
->What about Windows NT Policy Editor ?</EM
></P
+><UL
+><LI
+><P
+> <EM
+>What about Windows NT Policy Editor ?</EM
+>
+ </P
><P
->To create or edit <TT
+> To create or edit <TT
CLASS="FILENAME"
>ntconfig.pol</TT
> you must use
-the NT Server Policy Editor, <B
+ the NT Server Policy Editor, <B
CLASS="COMMAND"
>poledit.exe</B
> which
-is included with NT Server but <EM
+ is included with NT Server but <EM
>not NT Workstation</EM
>.
-There is a Policy Editor on a NTws
-but it is not suitable for creating <EM
+ There is a Policy Editor on a NTws
+ but it is not suitable for creating <EM
>Domain Policies</EM
>.
-Further, although the Windows 95
-Policy Editor can be installed on an NT Workstation/Server, it will not
-work with NT policies because the registry key that are set by the policy templates.
-However, the files from the NT Server will run happily enough on an NTws.
-You need <TT
+ Further, although the Windows 95
+ Policy Editor can be installed on an NT Workstation/Server, it will not
+ work with NT policies because the registry key that are set by the policy templates.
+ However, the files from the NT Server will run happily enough on an NTws.
+ You need <TT
CLASS="FILENAME"
>poledit.exe, common.adm</TT
> and <TT
CLASS="FILENAME"
>winnt.adm</TT
>. It is convenient
-to put the two *.adm files in <TT
+ to put the two *.adm files in <TT
CLASS="FILENAME"
>c:\winnt\inf</TT
> which is where
-the binary will look for them unless told otherwise. Note also that that
-directory is 'hidden'.</P
+ the binary will look for them unless told otherwise. Note also that that
+ directory is 'hidden'.
+ </P
><P
->The Windows NT policy editor is also included with the
-Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
-<B
+> The Windows NT policy editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <B
CLASS="COMMAND"
>servicepackname /x</B
->, ie thats <B
+>,
+ ie thats <B
CLASS="COMMAND"
->Nt4sp6ai.exe
-/x</B
-> for service pack 6a. The policy editor, <B
+>Nt4sp6ai.exe /x</B
+> for service pack 6a. The policy editor,
+ <B
CLASS="COMMAND"
>poledit.exe</B
-> and the
-associated template files (*.adm) should
-be extracted as well. It is also possible to downloaded the policy template
-files for Office97 and get a copy of the policy editor. Another possible
-location is with the Zero Administration Kit available for download from Microsoft.</P
+> and the associated template files (*.adm) should
+ be extracted as well. It is also possible to downloaded the policy template
+ files for Office97 and get a copy of the policy editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </P
+></LI
+><LI
><P
-><EM
+> <EM
>Can Win95 do Policies ?</EM
-></P
+>
+ </P
><P
->Install the group policy handler for Win9x to pick up group
-policies. Look on the Win98 CD in <TT
+> Install the group policy handler for Win9x to pick up group
+ policies. Look on the Win98 CD in <TT
CLASS="FILENAME"
>\tools\reskit\netadmin\poledit</TT
>.
-Install group policies on a Win9x client by double-clicking
-<TT
+ Install group policies on a Win9x client by double-clicking
+ <TT
CLASS="FILENAME"
>grouppol.inf</TT
>. Log off and on again a couple of
-times and see if Win98 picks up group policies. Unfortunately this needs
-to be done on every Win9x machine that uses group policies....</P
+ times and see if Win98 picks up group policies. Unfortunately this needs
+ to be done on every Win9x machine that uses group policies....
+ </P
><P
->If group policies don't work one reports suggests getting the updated
-(read: working) grouppol.dll for Windows 9x. The group list is grabbed
-from /etc/group.</P
+> If group policies don't work one reports suggests getting the updated
+ (read: working) grouppol.dll for Windows 9x. The group list is grabbed
+ from /etc/group.
+ </P
+></LI
+><LI
><P
-><EM
+> <EM
>How do I get 'User Manager' and 'Server Manager'</EM
-></P
+>
+ </P
><P
->Since I don't need to buy an NT Server CD now, how do I get
-the 'User Manager for Domains', the 'Server Manager' ?</P
+> Since I don't need to buy an NT Server CD now, how do I get
+ the 'User Manager for Domains', the 'Server Manager' ?
+ </P
><P
->Microsoft distributes a version of
-these tools called nexus for installation on Windows 95 systems. The
-tools set includes</P
+> Microsoft distributes a version of these tools called nexus for
+ installation on Windows 95 systems. The tools set includes
+ </P
><P
></P
><UL
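Review bot: "it will not work with NT policies because the registry key that are set by the policy templates" is an incomplete sentence (nothing follows "because" as a clause); presumably "because of the registry keys that are set by the policy templates". Also "Note also that that directory" (one "that"), "It is also possible to downloaded" (download), "one reports suggests" (one report suggests), and "The tools set includes" should end with a colon since a list follows.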
@@ -4443,27 +4638,31 @@ tools set includes</P
></LI
></UL
><P
->Click here to download the archived file <A
+> Click here to download the archived file <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
-></P
+>
+ </P
><P
->The Windows NT 4.0 version of the 'User Manager for
-Domains' and 'Server Manager' are available from Microsoft via ftp
-from <A
+> The Windows NT 4.0 version of the 'User Manager for
+ Domains' and 'Server Manager' are available from Microsoft via ftp
+ from <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
-></P
+>
+ </P
+></LI
+></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN982"
->6.6. What other help can I get ?</A
+NAME="AEN1015"
+>6.7. What other help can I get ?</A
></H1
><P
>There are many sources of information available in the form
@@ -4471,10 +4670,15 @@ of mailing lists, RFC's and documentation. The docs that come
with the samba distribution contain very good explanations of
general SMB topics such as browsing.</P
><P
-><EM
->What are some diagnostics tools I can use to debug the domain logon
-process and where can I find them?</EM
></P
+><UL
+><LI
+><P
+> <EM
+>What are some diagnostics tools I can use to debug the domain logon
+ process and where can I find them?</EM
+>
+ </P
><P
> One of the best diagnostic tools for debugging problems is Samba itself.
You can use the -d option for both smbd and nmbd to specifiy what
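Review bot: "to specifiy what" in the context of this hunk should be "to specify what", and "RFC's" in the lead paragraph should be "RFCs".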
@@ -4516,7 +4720,7 @@ CLASS="COMMAND"
></UL
><P
> An SMB enabled version of tcpdump is available from
- <A
+ <A
HREF="http://www.tcpdump.org/"
TARGET="_top"
>http://www.tcpdup.org/</A
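Review bot: the visible link text "http://www.tcpdup.org/" is missing the "m"; the HREF is correct, so only the anchor text needs fixing.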
@@ -4539,11 +4743,14 @@ TARGET="_top"
local subnet. Be aware that Ethereal can read and write netmon
formatted files.
</P
+></LI
+><LI
><P
-><EM
+> <EM
>How do I install 'Network Monitor' on an NT Workstation
-or a Windows 9x box?</EM
-></P
+ or a Windows 9x box?</EM
+>
+ </P
><P
> Installing netmon on an NT workstation requires a couple
of steps. The following are for installing Netmon V4.00.349, which comes
@@ -4638,14 +4845,11 @@ CLASS="FILENAME"
information on how to do this. Copy the files from a working
Netmon installation.
</P
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN1029"
->6.6.1. URLs and similar</A
-></H2
+></LI
+><LI
+><P
+> The following is a list if helpful URLs and other links:
+ </P
><P
></P
><UL
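Review bot: the added line "The following is a list if helpful URLs and other links:" has a typo, "list if" should be "list of". Also, replacing the "6.6.1. URLs and similar" SECT2 heading (and its NAME="AEN1029" anchor) with an ordinary list item means this subsection no longer has a target for links or the table of contents; if that is intended, fine, but note that anything still referencing "#AEN1029" will now land nowhere.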
@@ -4710,43 +4914,43 @@ TARGET="_top"
></P
></LI
></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN1053"
->6.6.2. Mailing Lists</A
-></H2
+></LI
+></UL
><P
-><EM
->How do I get help from the mailing lists ?</EM
></P
+><UL
+><LI
+><P
+> <EM
+>How do I get help from the mailing lists ?</EM
+>
+ </P
><P
->There are a number of Samba related mailing lists. Go to <A
+> There are a number of Samba related mailing lists. Go to <A
HREF="http://samba.org"
TARGET="_top"
>http://samba.org</A
>, click on your nearest mirror
-and then click on <B
+ and then click on <B
CLASS="COMMAND"
>Support</B
> and then click on <B
CLASS="COMMAND"
->Samba related mailing lists</B
->.</P
+> Samba related mailing lists</B
+>.
+ </P
><P
->For questions relating to Samba TNG go to
-<A
+> For questions relating to Samba TNG go to
+ <A
HREF="http://www.samba-tng.org/"
TARGET="_top"
>http://www.samba-tng.org/</A
>
-It has been requested that you don't post questions about Samba-TNG to the
-main stream Samba lists.</P
+ It has been requested that you don't post questions about Samba-TNG to the
+ main stream Samba lists.</P
><P
->If you post a message to one of the lists please observe the following guide lines :</P
+> If you post a message to one of the lists please observe the following guide lines :
+ </P
><P
></P
><UL
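Review bot: two of the re-wrapped lines keep wording worth fixing while they are being touched: "main stream Samba lists" should read "mainstream Samba lists", and "observe the following guide lines :" should read "observe the following guidelines:" (no space before the colon). Same structural remark as for the previous hunk: dropping the "6.6.2. Mailing Lists" SECT2 heading removes the NAME="AEN1053" anchor that the old table of contents linked to.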
@@ -4813,47 +5017,75 @@ main stream Samba lists.</P
smb.conf in their attach directory ?</P
></LI
></UL
+></LI
+><LI
><P
-><EM
+> <EM
>How do I get off the mailing lists ?</EM
-></P
+>
+ </P
><P
>To have your name removed from a samba mailing list, go to the
- same place you went to to get on it. Go to <A
+ same place you went to to get on it. Go to <A
HREF="http://lists.samba.org/"
TARGET="_top"
>http://lists.samba.org</A
->, click
- on your nearest mirror and then click on <B
+>,
+ click on your nearest mirror and then click on <B
CLASS="COMMAND"
>Support</B
> and
- then click on <B
+ then click on <B
CLASS="COMMAND"
> Samba related mailing lists</B
>. Or perhaps see
- <A
+ <A
HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
TARGET="_top"
>here</A
-></P
+>
+ </P
><P
> Please don't post messages to the list asking to be removed, you will just
- be referred to the above address (unless that process failed in some way...)
- </P
-></DIV
+ be referred to the above address (unless that process failed in some way...)
+ </P
+></LI
+></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1092"
->6.7. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
+NAME="AEN1129"
+>6.8. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
+><DIV
+CLASS="WARNING"
><P
->This appendix was originally authored by John H Terpstra of the Samba Team
-and is included here for posterity.</P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Possibly Outdated Material</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> This appendix was originally authored by John H Terpstra of
+ the Samba Team and is included here for posterity.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
><P
><EM
>NOTE :</EM
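Review bot: the new "Possibly Outdated Material" warning box only restates the old "included here for posterity" sentence; a reader is left guessing which parts of the appendix are outdated and where the current guidance lives. One sentence inside the warning pointing at the maintained domain-control sections earlier in this chapter (6.2 and onward) would make the box actionable. The empty "<P></P>" emitted before the TABLE is stylesheet output and can be ignored here.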
@@ -4869,12 +5101,9 @@ Windows NT SAM.</P
><P
>Windows NT Server can be installed as either a plain file and print server
(WORKGROUP workstation or server) or as a server that participates in Domain
-Control (DOMAIN member, Primary Domain controller or Backup Domain controller).</P
-><P
->The same is true for OS/2 Warp Server, Digital Pathworks and other similar
-products, all of which can participate in Domain Control along with Windows NT.
-However only those servers which have licensed Windows NT code in them can be
-a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)</P
+Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
+The same is true for OS/2 Warp Server, Digital Pathworks and other similar
+products, all of which can participate in Domain Control along with Windows NT.</P
><P
>To many people these terms can be confusing, so let's try to clear the air.</P
><P
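Review bot: this hunk silently drops the sentence "However only those servers which have licensed Windows NT code in them can be a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)" while merging the two paragraphs. If the sentence is removed because the limitation no longer holds, the text should say what the current situation is instead of leaving a gap, otherwise a reader of the merged paragraph has no statement at all about which servers can act as PDC; if it was removed for another reason, a commit message line explaining it would help.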
@@ -4949,7 +5178,7 @@ within its registry.</P
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1116"
+NAME="AEN1154"
>Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind</A
></H1
><DIV
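Review bot: the unchanged heading line directly under the renamed anchor still reads "Chapter 7. Unifed Logons", i.e. "Unified"; since the anchor line is being regenerated anyway, this is the moment to fix the heading text in the source. Note also that from this hunk onward every anchor in chapters 7 through 9 shifts by exactly 38 (AEN1116 -> AEN1154, AEN1134 -> AEN1172, and so on), which confirms these ids are generated and that none of them should be used as link targets from other documents.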
@@ -4957,7 +5186,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1134"
+NAME="AEN1172"
>7.1. Abstract</A
></H1
><P
@@ -4979,7 +5208,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1138"
+NAME="AEN1176"
>7.2. Introduction</A
></H1
><P
@@ -5033,7 +5262,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1151"
+NAME="AEN1189"
>7.3. What Winbind Provides</A
></H1
><P
@@ -5075,7 +5304,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1158"
+NAME="AEN1196"
>7.3.1. Target Uses</A
></H2
><P
@@ -5099,7 +5328,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1162"
+NAME="AEN1200"
>7.4. How Winbind Works</A
></H1
><P
@@ -5119,7 +5348,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1167"
+NAME="AEN1205"
>7.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
@@ -5145,7 +5374,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1171"
+NAME="AEN1209"
>7.4.2. Name Service Switch</A
></H2
><P
@@ -5224,7 +5453,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1187"
+NAME="AEN1225"
>7.4.3. Pluggable Authentication Modules</A
></H2
><P
@@ -5273,7 +5502,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1195"
+NAME="AEN1233"
>7.4.4. User and Group ID Allocation</A
></H2
><P
@@ -5299,7 +5528,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1199"
+NAME="AEN1237"
>7.4.5. Result Caching</A
></H2
><P
@@ -5322,7 +5551,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1202"
+NAME="AEN1240"
>7.5. Installation and Configuration</A
></H1
><P
@@ -5353,7 +5582,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1208"
+NAME="AEN1246"
>7.6. Limitations</A
></H1
><P
@@ -5401,7 +5630,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1220"
+NAME="AEN1258"
>7.7. Conclusion</A
></H1
><P
@@ -5417,7 +5646,7 @@ NAME="AEN1220"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1223"
+NAME="AEN1261"
>Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists</A
></H1
><DIV
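Review bot: the heading line immediately below the renamed anchor still reads "WIndows NT Access Control Lists" with a stray capital I; as with the chapter 7 heading, the only change in this hunk is the regenerated anchor, so please correct the capitalisation in the source so the next regeneration picks it up.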
@@ -5425,7 +5654,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1234"
+NAME="AEN1272"
>8.1. Viewing and changing UNIX permissions using the NT
security dialogs</A
></H1
@@ -5464,7 +5693,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1243"
+NAME="AEN1281"
>8.2. How to view file security on a Samba share</A
></H1
><P
@@ -5510,7 +5739,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1254"
+NAME="AEN1292"
>8.3. Viewing file ownership</A
></H1
><P
@@ -5596,7 +5825,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1274"
+NAME="AEN1312"
>8.4. Viewing file or directory permissions</A
></H1
><P
@@ -5658,7 +5887,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1289"
+NAME="AEN1327"
>8.4.1. File Permissions</A
></H2
><P
@@ -5720,7 +5949,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1303"
+NAME="AEN1341"
>8.4.2. Directory Permissions</A
></H2
><P
@@ -5752,7 +5981,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1310"
+NAME="AEN1348"
>8.5. Modifying file or directory permissions</A
></H1
><P
@@ -5850,7 +6079,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1332"
+NAME="AEN1370"
>8.6. Interaction with the standard Samba create mask
parameters</A
></H1
@@ -6123,7 +6352,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1396"
+NAME="AEN1434"
>8.7. Interaction with the standard Samba file attribute
mapping</A
></H1
@@ -6170,7 +6399,7 @@ CLASS="COMMAND"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1406"
+NAME="AEN1444"
>Chapter 9. OS2 Client HOWTO</A
></H1
><DIV
@@ -6178,7 +6407,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1417"
+NAME="AEN1455"
>9.1. FAQs</A
></H1
><DIV
@@ -6186,7 +6415,7 @@ CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1419"
+NAME="AEN1457"
>9.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
@@ -6245,7 +6474,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1434"
+NAME="AEN1472"
>9.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
@@ -6298,7 +6527,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1443"
+NAME="AEN1481"
>9.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
@@ -6320,7 +6549,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1447"
+NAME="AEN1485"
>9.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2