path: root/docs/htmldocs/Samba-HOWTO-Collection.html
author Jeremy Allison <jra@samba.org> 2001-10-11 20:00:58 +0000
committer Jeremy Allison <jra@samba.org> 2001-10-11 20:00:58 +0000
commit 61b015fdeb4228bbcdf0fb65c0c93e67f5b80d4c
tree 4142084a56bce4b6d9a4ff910a91ed36b2fbc972 /docs/htmldocs/Samba-HOWTO-Collection.html
parent 6fcdd2590d555d24bdb6bd2e30dfdd5e45666a34
More docs sync.
Jeremy.
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r-- docs/htmldocs/Samba-HOWTO-Collection.html 1621
1 files changed, 1223 insertions, 398 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index d93a4543d47..c4e4b2c74b5 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -34,10 +34,14 @@ NAME="AEN4"
><HR></DIV
><HR><H1
><A
-NAME="AEN9"
+NAME="AEN8"
>Abstract</A
></H1
><P
+><EM
+>Last Update</EM
+> : Tue Jul 31 15:58:03 CDT 2001</P
+><P
>This book is a collection of HOWTOs added to Samba documentation over the years.
I try to ensure that all are current, but sometimes the is a larger job
than one person can maintain. The most recent version of this document
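Review bot: The added "Last Update : Tue Jul 31 15:58:03 CDT 2001" line in the Abstract is a hard-coded timestamp more than two months older than this commit (2001-10-11), so the rendered page will claim to predate its own content. Generate the date at build time or drop the line. The context line "but sometimes the is a larger job" is also missing a word and could be fixed in the same pass.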
@@ -69,27 +73,27 @@ HREF="#INSTALL"
><DL
><DT
>1.1. <A
-HREF="#AEN17"
+HREF="#AEN18"
>Step 0: Read the man pages</A
></DT
><DT
>1.2. <A
-HREF="#AEN25"
+HREF="#AEN26"
>Step 1: Building the Binaries</A
></DT
><DT
>1.3. <A
-HREF="#AEN53"
+HREF="#AEN54"
>Step 2: The all important step</A
></DT
><DT
>1.4. <A
-HREF="#AEN57"
+HREF="#AEN58"
>Step 3: Create the smb configuration file.</A
></DT
><DT
>1.5. <A
-HREF="#AEN71"
+HREF="#AEN72"
>Step 4: Test your config file with
<B
CLASS="COMMAND"
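Review bot: Every HREF in this contents list changes only because the generated anchors shifted by one (#AEN17 becomes #AEN18, #AEN25 becomes #AEN26, and so on), which breaks any existing deep link into the document and buries the real content changes of this commit under renumbering noise. The chapter-level links already use fixed names such as #INSTALL; giving the sections fixed names as well would keep their anchors stable when the file is regenerated.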
@@ -98,80 +102,80 @@ CLASS="COMMAND"
></DT
><DT
>1.6. <A
-HREF="#AEN77"
+HREF="#AEN78"
>Step 5: Starting the smbd and nmbd</A
></DT
><DD
><DL
><DT
>1.6.1. <A
-HREF="#AEN87"
+HREF="#AEN88"
>Step 5a: Starting from inetd.conf</A
></DT
><DT
>1.6.2. <A
-HREF="#AEN116"
+HREF="#AEN117"
>Step 5b. Alternative: starting it as a daemon</A
></DT
></DL
></DD
><DT
>1.7. <A
-HREF="#AEN132"
+HREF="#AEN133"
>Step 6: Try listing the shares available on your
server</A
></DT
><DT
>1.8. <A
-HREF="#AEN141"
+HREF="#AEN142"
>Step 7: Try connecting with the unix client</A
></DT
><DT
>1.9. <A
-HREF="#AEN157"
+HREF="#AEN158"
>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</A
></DT
><DT
>1.10. <A
-HREF="#AEN171"
+HREF="#AEN172"
>What If Things Don't Work?</A
></DT
><DD
><DL
><DT
>1.10.1. <A
-HREF="#AEN176"
+HREF="#AEN177"
>Diagnosing Problems</A
></DT
><DT
>1.10.2. <A
-HREF="#AEN180"
+HREF="#AEN181"
>Scope IDs</A
></DT
><DT
>1.10.3. <A
-HREF="#AEN183"
+HREF="#AEN184"
>Choosing the Protocol Level</A
></DT
><DT
>1.10.4. <A
-HREF="#AEN192"
+HREF="#AEN193"
>Printing from UNIX to a Client PC</A
></DT
><DT
>1.10.5. <A
-HREF="#AEN196"
+HREF="#AEN197"
>Locking</A
></DT
><DT
>1.10.6. <A
-HREF="#AEN206"
+HREF="#AEN207"
>Mapping Usernames</A
></DT
><DT
>1.10.7. <A
-HREF="#AEN209"
+HREF="#AEN210"
>Other Character Sets</A
></DT
></DL
@@ -187,19 +191,19 @@ HREF="#INTEGRATE-MS-NETWORKS"
><DL
><DT
>2.1. <A
-HREF="#AEN223"
+HREF="#AEN224"
>Agenda</A
></DT
><DT
>2.2. <A
-HREF="#AEN245"
+HREF="#AEN246"
>Name Resolution in a pure Unix/Linux world</A
></DT
><DD
><DL
><DT
>2.2.1. <A
-HREF="#AEN261"
+HREF="#AEN262"
><TT
CLASS="FILENAME"
>/etc/hosts</TT
@@ -207,7 +211,7 @@ CLASS="FILENAME"
></DT
><DT
>2.2.2. <A
-HREF="#AEN277"
+HREF="#AEN278"
><TT
CLASS="FILENAME"
>/etc/resolv.conf</TT
@@ -215,7 +219,7 @@ CLASS="FILENAME"
></DT
><DT
>2.2.3. <A
-HREF="#AEN288"
+HREF="#AEN289"
><TT
CLASS="FILENAME"
>/etc/host.conf</TT
@@ -223,7 +227,7 @@ CLASS="FILENAME"
></DT
><DT
>2.2.4. <A
-HREF="#AEN296"
+HREF="#AEN297"
><TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@@ -233,47 +237,47 @@ CLASS="FILENAME"
></DD
><DT
>2.3. <A
-HREF="#AEN308"
+HREF="#AEN309"
>Name resolution as used within MS Windows networking</A
></DT
><DD
><DL
><DT
>2.3.1. <A
-HREF="#AEN320"
+HREF="#AEN321"
>The NetBIOS Name Cache</A
></DT
><DT
>2.3.2. <A
-HREF="#AEN325"
+HREF="#AEN326"
>The LMHOSTS file</A
></DT
><DT
>2.3.3. <A
-HREF="#AEN333"
+HREF="#AEN334"
>HOSTS file</A
></DT
><DT
>2.3.4. <A
-HREF="#AEN338"
+HREF="#AEN339"
>DNS Lookup</A
></DT
><DT
>2.3.5. <A
-HREF="#AEN341"
+HREF="#AEN342"
>WINS Lookup</A
></DT
></DL
></DD
><DT
>2.4. <A
-HREF="#AEN353"
+HREF="#AEN354"
>How browsing functions and how to deploy stable and
dependable browsing using Samba</A
></DT
><DT
>2.5. <A
-HREF="#AEN363"
+HREF="#AEN364"
>MS Windows security options and how to configure
Samba for seemless integration</A
></DT
@@ -281,29 +285,29 @@ Samba for seemless integration</A
><DL
><DT
>2.5.1. <A
-HREF="#AEN391"
+HREF="#AEN392"
>Use MS Windows NT as an authentication server</A
></DT
><DT
>2.5.2. <A
-HREF="#AEN399"
+HREF="#AEN400"
>Make Samba a member of an MS Windows NT security domain</A
></DT
><DT
>2.5.3. <A
-HREF="#AEN416"
+HREF="#AEN417"
>Configure Samba as an authentication server</A
></DT
><DD
><DL
><DT
>2.5.3.1. <A
-HREF="#AEN423"
+HREF="#AEN424"
>Users</A
></DT
><DT
>2.5.3.2. <A
-HREF="#AEN428"
+HREF="#AEN429"
>MS Windows NT Machine Accounts</A
></DT
></DL
@@ -312,7 +316,7 @@ HREF="#AEN428"
></DD
><DT
>2.6. <A
-HREF="#AEN433"
+HREF="#AEN434"
>Conclusions</A
></DT
></DL
@@ -327,17 +331,17 @@ managed authentication</A
><DL
><DT
>3.1. <A
-HREF="#AEN454"
+HREF="#AEN455"
>Samba and PAM</A
></DT
><DT
>3.2. <A
-HREF="#AEN496"
+HREF="#AEN497"
>Distributed Authentication</A
></DT
><DT
>3.3. <A
-HREF="#AEN503"
+HREF="#AEN504"
>PAM Configuration in smb.conf</A
></DT
></DL
@@ -351,14 +355,14 @@ HREF="#MSDFS"
><DL
><DT
>4.1. <A
-HREF="#AEN523"
+HREF="#AEN524"
>Instructions</A
></DT
><DD
><DL
><DT
>4.1.1. <A
-HREF="#AEN558"
+HREF="#AEN559"
>Notes</A
></DT
></DL
@@ -374,53 +378,53 @@ HREF="#UNIX-PERMISSIONS"
><DL
><DT
>5.1. <A
-HREF="#AEN578"
+HREF="#AEN579"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>5.2. <A
-HREF="#AEN587"
+HREF="#AEN588"
>How to view file security on a Samba share</A
></DT
><DT
>5.3. <A
-HREF="#AEN598"
+HREF="#AEN599"
>Viewing file ownership</A
></DT
><DT
>5.4. <A
-HREF="#AEN618"
+HREF="#AEN619"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
>5.4.1. <A
-HREF="#AEN633"
+HREF="#AEN634"
>File Permissions</A
></DT
><DT
>5.4.2. <A
-HREF="#AEN647"
+HREF="#AEN648"
>Directory Permissions</A
></DT
></DL
></DD
><DT
>5.5. <A
-HREF="#AEN654"
+HREF="#AEN655"
>Modifying file or directory permissions</A
></DT
><DT
>5.6. <A
-HREF="#AEN676"
+HREF="#AEN677"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>5.7. <A
-HREF="#AEN740"
+HREF="#AEN741"
>Interaction with the standard Samba file attribute
mapping</A
></DT
@@ -435,75 +439,75 @@ HREF="#PRINTING"
><DL
><DT
>6.1. <A
-HREF="#AEN761"
+HREF="#AEN762"
>Introduction</A
></DT
><DT
>6.2. <A
-HREF="#AEN783"
+HREF="#AEN784"
>Configuration</A
></DT
><DD
><DL
><DT
>6.2.1. <A
-HREF="#AEN794"
+HREF="#AEN795"
>Creating [print$]</A
></DT
><DT
>6.2.2. <A
-HREF="#AEN829"
+HREF="#AEN830"
>Setting Drivers for Existing Printers</A
></DT
><DT
>6.2.3. <A
-HREF="#AEN846"
+HREF="#AEN847"
>Support a large number of printers</A
></DT
><DT
>6.2.4. <A
-HREF="#AEN857"
+HREF="#AEN858"
>Adding New Printers via the Windows NT APW</A
></DT
><DT
>6.2.5. <A
-HREF="#AEN882"
+HREF="#AEN883"
>Samba and Printer Ports</A
></DT
></DL
></DD
><DT
>6.3. <A
-HREF="#AEN890"
+HREF="#AEN891"
>The Imprints Toolset</A
></DT
><DD
><DL
><DT
>6.3.1. <A
-HREF="#AEN894"
+HREF="#AEN895"
>What is Imprints?</A
></DT
><DT
>6.3.2. <A
-HREF="#AEN904"
+HREF="#AEN905"
>Creating Printer Driver Packages</A
></DT
><DT
>6.3.3. <A
-HREF="#AEN907"
+HREF="#AEN908"
>The Imprints server</A
></DT
><DT
>6.3.4. <A
-HREF="#AEN911"
+HREF="#AEN912"
>The Installation Client</A
></DT
></DL
></DD
><DT
>6.4. <A
-HREF="#AEN933"
+HREF="#AEN934"
><A
NAME="MIGRATION"
></A
@@ -520,17 +524,17 @@ HREF="#DOMAIN-SECURITY"
><DL
><DT
>7.1. <A
-HREF="#AEN995"
+HREF="#AEN988"
>Joining an NT Domain with Samba 2.2</A
></DT
><DT
>7.2. <A
-HREF="#AEN1059"
+HREF="#AEN1052"
>Samba and Windows 2000 Domains</A
></DT
><DT
>7.3. <A
-HREF="#AEN1064"
+HREF="#AEN1057"
>Why is this better than security = server?</A
></DT
></DL
@@ -544,22 +548,22 @@ HREF="#SAMBA-PDC"
><DL
><DT
>8.1. <A
-HREF="#AEN1097"
+HREF="#AEN1090"
>Prerequisite Reading</A
></DT
><DT
>8.2. <A
-HREF="#AEN1103"
+HREF="#AEN1096"
>Background</A
></DT
><DT
>8.3. <A
-HREF="#AEN1145"
+HREF="#AEN1138"
>Configuring the Samba Domain Controller</A
></DT
><DT
>8.4. <A
-HREF="#AEN1188"
+HREF="#AEN1180"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></DT
@@ -567,83 +571,83 @@ to the Domain</A
><DL
><DT
>8.4.1. <A
-HREF="#AEN1202"
+HREF="#AEN1194"
>Manually creating machine trust accounts</A
></DT
><DT
>8.4.2. <A
-HREF="#AEN1230"
+HREF="#AEN1225"
>Creating machine trust accounts "on the fly"</A
></DT
></DL
></DD
><DT
>8.5. <A
-HREF="#AEN1241"
+HREF="#AEN1236"
>Common Problems and Errors</A
></DT
><DT
>8.6. <A
-HREF="#AEN1289"
+HREF="#AEN1284"
>System Policies and Profiles</A
></DT
><DT
>8.7. <A
-HREF="#AEN1333"
+HREF="#AEN1328"
>What other help can I get ?</A
></DT
><DT
>8.8. <A
-HREF="#AEN1447"
+HREF="#AEN1442"
>Domain Control for Windows 9x/ME</A
></DT
><DD
><DL
><DT
>8.8.1. <A
-HREF="#AEN1477"
+HREF="#AEN1472"
>Configuration Instructions: Network Logons</A
></DT
><DT
>8.8.2. <A
-HREF="#AEN1511"
+HREF="#AEN1506"
>Configuration Instructions: Setting up Roaming User Profiles</A
></DT
><DD
><DL
><DT
>8.8.2.1. <A
-HREF="#AEN1519"
+HREF="#AEN1514"
>Windows NT Configuration</A
></DT
><DT
>8.8.2.2. <A
-HREF="#AEN1527"
+HREF="#AEN1522"
>Windows 9X Configuration</A
></DT
><DT
>8.8.2.3. <A
-HREF="#AEN1535"
+HREF="#AEN1530"
>Win9X and WinNT Configuration</A
></DT
><DT
>8.8.2.4. <A
-HREF="#AEN1542"
+HREF="#AEN1537"
>Windows 9X Profile Setup</A
></DT
><DT
>8.8.2.5. <A
-HREF="#AEN1578"
+HREF="#AEN1573"
>Windows NT Workstation 4.0</A
></DT
><DT
>8.8.2.6. <A
-HREF="#AEN1591"
+HREF="#AEN1586"
>Windows NT Server</A
></DT
><DT
>8.8.2.7. <A
-HREF="#AEN1594"
+HREF="#AEN1589"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></DT
></DL
@@ -652,7 +656,7 @@ HREF="#AEN1594"
></DD
><DT
>8.9. <A
-HREF="#AEN1604"
+HREF="#AEN1599"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
@@ -666,75 +670,133 @@ HREF="#WINBIND"
><DL
><DT
>9.1. <A
-HREF="#AEN1647"
+HREF="#AEN1642"
>Abstract</A
></DT
><DT
>9.2. <A
-HREF="#AEN1651"
+HREF="#AEN1646"
>Introduction</A
></DT
><DT
>9.3. <A
-HREF="#AEN1664"
+HREF="#AEN1659"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
>9.3.1. <A
-HREF="#AEN1671"
+HREF="#AEN1666"
>Target Uses</A
></DT
></DL
></DD
><DT
>9.4. <A
-HREF="#AEN1675"
+HREF="#AEN1670"
>How Winbind Works</A
></DT
><DD
><DL
><DT
>9.4.1. <A
-HREF="#AEN1680"
+HREF="#AEN1675"
>Microsoft Remote Procedure Calls</A
></DT
><DT
>9.4.2. <A
-HREF="#AEN1684"
+HREF="#AEN1679"
>Name Service Switch</A
></DT
><DT
>9.4.3. <A
-HREF="#AEN1700"
+HREF="#AEN1695"
>Pluggable Authentication Modules</A
></DT
><DT
>9.4.4. <A
-HREF="#AEN1708"
+HREF="#AEN1703"
>User and Group ID Allocation</A
></DT
><DT
>9.4.5. <A
-HREF="#AEN1712"
+HREF="#AEN1707"
>Result Caching</A
></DT
></DL
></DD
><DT
>9.5. <A
-HREF="#AEN1715"
+HREF="#AEN1710"
>Installation and Configuration</A
></DT
+><DD
+><DL
+><DT
+>9.5.1. <A
+HREF="#AEN1715"
+>Introduction</A
+></DT
+><DT
+>9.5.2. <A
+HREF="#AEN1728"
+>Requirements</A
+></DT
+><DT
+>9.5.3. <A
+HREF="#AEN1736"
+>Testing Things Out</A
+></DT
+><DD
+><DL
+><DT
+>9.5.3.1. <A
+HREF="#AEN1745"
+>Configure and compile SAMBA</A
+></DT
+><DT
+>9.5.3.2. <A
+HREF="#AEN1757"
+>Configure nsswitch.conf and the winbind libraries</A
+></DT
+><DT
+>9.5.3.3. <A
+HREF="#AEN1776"
+>Configure smb.conf</A
+></DT
+><DT
+>9.5.3.4. <A
+HREF="#AEN1785"
+>Join the SAMBA server to the PDC domain</A
+></DT
+><DT
+>9.5.3.5. <A
+HREF="#AEN1795"
+>Start up the winbindd daemon and test it!</A
+></DT
+><DT
+>9.5.3.6. <A
+HREF="#AEN1822"
+>Fix the /etc/rc.d/init.d/smb startup files</A
+></DT
+><DT
+>9.5.3.7. <A
+HREF="#AEN1839"
+>Configure Winbind and PAM</A
+></DT
+></DL
+></DD
+></DL
+></DD
><DT
>9.6. <A
-HREF="#AEN1721"
+HREF="#AEN1880"
>Limitations</A
></DT
><DT
>9.7. <A
-HREF="#AEN1733"
+HREF="#AEN1890"
>Conclusion</A
></DT
></DL
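Review bot: The new 9.5.3 entries write "SAMBA" in capitals ("Configure and compile SAMBA", "Join the SAMBA server to the PDC domain") while the other titles visible in this list use "Samba"; pick one spelling. The title "Fix the /etc/rc.d/init.d/smb startup files" also names a path that exists only under one init layout, so a neutral title with the path given in the section body would read correctly on other systems.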
@@ -748,32 +810,32 @@ HREF="#OS2"
><DL
><DT
>10.1. <A
-HREF="#AEN1747"
+HREF="#AEN1904"
>FAQs</A
></DT
><DD
><DL
><DT
>10.1.1. <A
-HREF="#AEN1749"
+HREF="#AEN1906"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>10.1.2. <A
-HREF="#AEN1764"
+HREF="#AEN1921"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>10.1.3. <A
-HREF="#AEN1773"
+HREF="#AEN1930"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>10.1.4. <A
-HREF="#AEN1777"
+HREF="#AEN1934"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -790,24 +852,24 @@ HREF="#CVS-ACCESS"
><DL
><DT
>11.1. <A
-HREF="#AEN1793"
+HREF="#AEN1950"
>Introduction</A
></DT
><DT
>11.2. <A
-HREF="#AEN1798"
+HREF="#AEN1955"
>CVS Access to samba.org</A
></DT
><DD
><DL
><DT
>11.2.1. <A
-HREF="#AEN1801"
+HREF="#AEN1958"
>Access via CVSweb</A
></DT
><DT
>11.2.2. <A
-HREF="#AEN1806"
+HREF="#AEN1963"
>Access via cvs</A
></DT
></DL
@@ -816,7 +878,7 @@ HREF="#AEN1806"
></DD
><DT
><A
-HREF="#AEN1834"
+HREF="#AEN1991"
>Index</A
></DT
></DL
@@ -833,7 +895,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN17"
+NAME="AEN18"
>1.1. Step 0: Read the man pages</A
></H1
><P
@@ -865,7 +927,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN25"
+NAME="AEN26"
>1.2. Step 1: Building the Binaries</A
></H1
><P
@@ -964,7 +1026,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN53"
+NAME="AEN54"
>1.3. Step 2: The all important step</A
></H1
><P
@@ -981,7 +1043,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN57"
+NAME="AEN58"
>1.4. Step 3: Create the smb configuration file.</A
></H1
><P
@@ -1046,7 +1108,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN71"
+NAME="AEN72"
>1.5. Step 4: Test your config file with
<B
CLASS="COMMAND"
@@ -1070,7 +1132,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN77"
+NAME="AEN78"
>1.6. Step 5: Starting the smbd and nmbd</A
></H1
><P
@@ -1110,7 +1172,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN87"
+NAME="AEN88"
>1.6.1. Step 5a: Starting from inetd.conf</A
></H2
><P
@@ -1223,7 +1285,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN116"
+NAME="AEN117"
>1.6.2. Step 5b. Alternative: starting it as a daemon</A
></H2
><P
@@ -1289,7 +1351,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN132"
+NAME="AEN133"
>1.7. Step 6: Try listing the shares available on your
server</A
></H1
@@ -1330,7 +1392,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN141"
+NAME="AEN142"
>1.8. Step 7: Try connecting with the unix client</A
></H1
><P
@@ -1393,7 +1455,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN157"
+NAME="AEN158"
>1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</A
></H1
@@ -1442,7 +1504,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN171"
+NAME="AEN172"
>1.10. What If Things Don't Work?</A
></H1
><P
@@ -1465,7 +1527,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN176"
+NAME="AEN177"
>1.10.1. Diagnosing Problems</A
></H2
><P
@@ -1481,7 +1543,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN180"
+NAME="AEN181"
>1.10.2. Scope IDs</A
></H2
><P
@@ -1497,7 +1559,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN183"
+NAME="AEN184"
>1.10.3. Choosing the Protocol Level</A
></H2
><P
@@ -1538,7 +1600,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN192"
+NAME="AEN193"
>1.10.4. Printing from UNIX to a Client PC</A
></H2
><P
@@ -1556,7 +1618,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN196"
+NAME="AEN197"
>1.10.5. Locking</A
></H2
><P
@@ -1568,20 +1630,25 @@ NAME="AEN196"
The second is the "deny modes" that are specified when a file
is open.</P
><P
->Samba supports "record locking" using the fcntl() unix system
- call. This is often implemented using rpc calls to a rpc.lockd process
- running on the system that owns the filesystem. Unfortunately many
- rpc.lockd implementations are very buggy, particularly when made to
- talk to versions from other vendors. It is not uncommon for the
- rpc.lockd to crash.</P
-><P
->There is also a problem translating the 32 bit lock
- requests generated by PC clients to 31 bit requests supported
- by most unixes. Unfortunately many PC applications (typically
- OLE2 applications) use byte ranges with the top bit set
- as semaphore sets. Samba attempts translation to support
- these types of applications, and the translation has proved
- to be quite successful.</P
+>Record locking semantics under Unix is very
+ different from record locking under Windows. Versions
+ of Samba before 2.2 have tried to use the native
+ fcntl() unix system call to implement proper record
+ locking between different Samba clients. This can not
+ be fully correct due to several reasons. The simplest
+ is the fact that a Windows client is allowed to lock a
+ byte range up to 2^32 or 2^64, depending on the client
+ OS. The unix locking only supports byte ranges up to
+ 2^31. So it is not possible to correctly satisfy a
+ lock request above 2^31. There are many more
+ differences, too many to be listed here.</P
+><P
+>Samba 2.2 and above implements record locking
+ completely independent of the underlying unix
+ system. If a byte range lock that the client requests
+ happens to fall into the range 0-2^31, Samba hands
+ this request down to the Unix system. All other locks
+ can not be seen by unix anyway.</P
><P
>Strictly a SMB server should check for locks before
every read and write call on a file. Unfortunately with the
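Review bot: The second added paragraph ends with "All other locks can not be seen by unix anyway" but never says what that means for the reader: a lock on a range above 2^31 is held only inside Samba, so a local UNIX process working on the same file is not told about it. Please state that consequence explicitly. "There are many more differences, too many to be listed here" should either point to where they are listed or be dropped, "semantics ... is" should be "semantics ... are", and the two paragraphs should agree on whether the UNIX limit is "up to 2^31" or the range "0-2^31".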
@@ -1617,7 +1684,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN206"
+NAME="AEN207"
>1.10.6. Mapping Usernames</A
></H2
><P
@@ -1630,7 +1697,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN209"
+NAME="AEN210"
>1.10.7. Other Character Sets</A
></H2
><P
@@ -1654,7 +1721,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN223"
+NAME="AEN224"
>2.1. Agenda</A
></H1
><P
@@ -1721,7 +1788,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN245"
+NAME="AEN246"
>2.2. Name Resolution in a pure Unix/Linux world</A
></H1
><P
@@ -1763,7 +1830,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN261"
+NAME="AEN262"
>2.2.1. <TT
CLASS="FILENAME"
>/etc/hosts</TT
@@ -1853,7 +1920,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN277"
+NAME="AEN278"
>2.2.2. <TT
CLASS="FILENAME"
>/etc/resolv.conf</TT
@@ -1891,7 +1958,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN288"
+NAME="AEN289"
>2.2.3. <TT
CLASS="FILENAME"
>/etc/host.conf</TT
@@ -1929,7 +1996,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN296"
+NAME="AEN297"
>2.2.4. <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@@ -2007,7 +2074,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN308"
+NAME="AEN309"
>2.3. Name resolution as used within MS Windows networking</A
></H1
><P
@@ -2101,7 +2168,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN320"
+NAME="AEN321"
>2.3.1. The NetBIOS Name Cache</A
></H2
><P
@@ -2128,7 +2195,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN325"
+NAME="AEN326"
>2.3.2. The LMHOSTS file</A
></H2
><P
@@ -2240,7 +2307,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN333"
+NAME="AEN334"
>2.3.3. HOSTS file</A
></H2
><P
@@ -2262,7 +2329,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN338"
+NAME="AEN339"
>2.3.4. DNS Lookup</A
></H2
><P
@@ -2282,7 +2349,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN341"
+NAME="AEN342"
>2.3.5. WINS Lookup</A
></H2
><P
@@ -2343,7 +2410,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN353"
+NAME="AEN354"
>2.4. How browsing functions and how to deploy stable and
dependable browsing using Samba</A
></H1
@@ -2410,7 +2477,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN363"
+NAME="AEN364"
>2.5. MS Windows security options and how to configure
Samba for seemless integration</A
></H1
@@ -2552,7 +2619,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN391"
+NAME="AEN392"
>2.5.1. Use MS Windows NT as an authentication server</A
></H2
><P
@@ -2597,7 +2664,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN399"
+NAME="AEN400"
>2.5.2. Make Samba a member of an MS Windows NT security domain</A
></H2
><P
@@ -2669,7 +2736,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN416"
+NAME="AEN417"
>2.5.3. Configure Samba as an authentication server</A
></H2
><P
@@ -2715,7 +2782,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN423"
+NAME="AEN424"
>2.5.3.1. Users</A
></H3
><P
@@ -2731,7 +2798,7 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
-> # useradd -s /bin/bash -d /home/"userid" -m
+> # useradd -s /bin/bash -d /home/"userid" -m "userid"
# passwd "userid"
Enter Password: &#60;pw&#62;
@@ -2747,7 +2814,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN428"
+NAME="AEN429"
>2.5.3.2. MS Windows NT Machine Accounts</A
></H3
><P
@@ -2762,7 +2829,7 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
-> # useradd -a /bin/false -d /dev/null "machine_name"\$
+> # useradd -s /bin/false -d /dev/null "machine_name"\$
# passwd -l "machine_name"\$
# smbpasswd -a -m "machine_name"</PRE
></TD
@@ -2777,7 +2844,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN433"
+NAME="AEN434"
>2.6. Conclusions</A
></H1
><P
@@ -2822,7 +2889,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN454"
+NAME="AEN455"
>3.1. Samba and PAM</A
></H1
><P
@@ -3072,7 +3139,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN496"
+NAME="AEN497"
>3.2. Distributed Authentication</A
></H1
><P
@@ -3105,7 +3172,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN503"
+NAME="AEN504"
>3.3. PAM Configuration in smb.conf</A
></H1
><P
@@ -3153,7 +3220,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN523"
+NAME="AEN524"
>4.1. Instructions</A
></H1
><P
@@ -3310,7 +3377,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN558"
+NAME="AEN559"
>4.1.1. Notes</A
></H2
><P
@@ -3351,7 +3418,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN578"
+NAME="AEN579"
>5.1. Viewing and changing UNIX permissions using the NT
security dialogs</A
></H1
@@ -3390,7 +3457,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN587"
+NAME="AEN588"
>5.2. How to view file security on a Samba share</A
></H1
><P
@@ -3436,7 +3503,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN598"
+NAME="AEN599"
>5.3. Viewing file ownership</A
></H1
><P
@@ -3522,7 +3589,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN618"
+NAME="AEN619"
>5.4. Viewing file or directory permissions</A
></H1
><P
@@ -3584,7 +3651,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN633"
+NAME="AEN634"
>5.4.1. File Permissions</A
></H2
><P
@@ -3646,7 +3713,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN647"
+NAME="AEN648"
>5.4.2. Directory Permissions</A
></H2
><P
@@ -3678,7 +3745,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN654"
+NAME="AEN655"
>5.5. Modifying file or directory permissions</A
></H1
><P
@@ -3776,7 +3843,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN676"
+NAME="AEN677"
>5.6. Interaction with the standard Samba create mask
parameters</A
></H1
@@ -4049,7 +4116,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN740"
+NAME="AEN741"
>5.7. Interaction with the standard Samba file attribute
mapping</A
></H1
@@ -4104,7 +4171,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN761"
+NAME="AEN762"
>6.1. Introduction</A
></H1
><P
@@ -4188,7 +4255,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN783"
+NAME="AEN784"
>6.2. Configuration</A
></H1
><DIV
@@ -4256,7 +4323,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN794"
+NAME="AEN795"
>6.2.1. Creating [print$]</A
></H2
><P
@@ -4315,7 +4382,7 @@ CLASS="PARAMETER"
> is used to allow administrative
level user accounts to have write access in order to update files
on the share. See the <A
-HREF="smb./conf.5.html"
+HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5)
man page</A
@@ -4457,7 +4524,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN829"
+NAME="AEN830"
>6.2.2. Setting Drivers for Existing Printers</A
></H2
><P
@@ -4529,7 +4596,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN846"
+NAME="AEN847"
>6.2.3. Support a large number of printers</A
></H2
><P
@@ -4604,7 +4671,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN857"
+NAME="AEN858"
>6.2.4. Adding New Printers via the Windows NT APW</A
></H2
><P
@@ -4710,7 +4777,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN882"
+NAME="AEN883"
>6.2.5. Samba and Printer Ports</A
></H2
><P
@@ -4747,7 +4814,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN890"
+NAME="AEN891"
>6.3. The Imprints Toolset</A
></H1
><P
@@ -4765,7 +4832,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN894"
+NAME="AEN895"
>6.3.1. What is Imprints?</A
></H2
><P
@@ -4797,7 +4864,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN904"
+NAME="AEN905"
>6.3.2. Creating Printer Driver Packages</A
></H2
><P
@@ -4813,7 +4880,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN907"
+NAME="AEN908"
>6.3.3. The Imprints server</A
></H2
><P
@@ -4833,7 +4900,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN911"
+NAME="AEN912"
>6.3.4. The Installation Client</A
></H2
><P
@@ -4936,7 +5003,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN933"
+NAME="AEN934"
>6.4. <A
NAME="MIGRATION"
></A
@@ -4945,51 +5012,67 @@ NAME="MIGRATION"
><P
>Given that printer driver management has changed (we hope improved) in
2.2 over prior releases, migration from an existing setup to 2.2 can
-follow several paths.</P
+follow several paths. Here are the possible scenarios for
+migration:</P
><P
->Windows clients have a tendency to remember things for quite a while.
-For example, if a Windows NT client has attached to a Samba 2.0 server,
-it will remember the server as a LanMan printer server. Upgrading
-the Samba host to 2.2 makes support for MSRPC printing possible, but
-the NT client will still remember the previous setting.</P
+></P
+><UL
+><LI
><P
->In order to give an NT client printing "amnesia" (only necessary if you
-want to use the newer MSRPC printing functionality in Samba), delete
-the registry keys associated with the print server contained in
-<TT
-CLASS="CONSTANT"
->[HKLM\SYSTEM\CurrentControlSet\Control\Print]</TT
->. The
-spooler service on the client should be stopped prior to doing this:</P
+>If you do not desire the new Windows NT
+ print driver support, nothing needs to be done.
+ All existing parameters work the same.</P
+></LI
+><LI
><P
-><TT
-CLASS="PROMPT"
->C:\WINNT\ &#62;</TT
-> <TT
-CLASS="USERINPUT"
-><B
->net stop spooler</B
-></TT
-></P
+>If you want to take advantage of NT printer
+ driver support but do not want to migrate the
+ 9x drivers to the new setup, the leave the existing
+ <TT
+CLASS="FILENAME"
+>printers.def</TT
+> file. When smbd attempts
+ to locate a
+ 9x driver for the printer in the TDB and fails it
+ will drop down to using the printers.def (and all
+ associated parameters). The <B
+CLASS="COMMAND"
+>make_printerdef</B
+>
+ tool will also remain for backwards compatibility but will
+ be removed in the next major release.</P
+></LI
+><LI
><P
-><EM
->All the normal disclaimers about editing the registry go
-here.</EM
-> Be careful, and know what you are doing.</P
+>If you install a Windows 9x driver for a printer
+ on your Samba host (in the printing TDB), this information will
+ take precedence and the three old printing parameters
+ will be ignored (including print driver location).</P
+></LI
+><LI
><P
->The spooler service should be restarted after you have finished
-removing the appropriate registry entries by replacing the
-<B
+>If you want to migrate an existing <TT
+CLASS="FILENAME"
+>printers.def</TT
+>
+ file into the new setup, the current only solution is to use the Windows
+ NT APW to install the NT drivers and the 9x drivers. This can be scripted
+ using <B
CLASS="COMMAND"
->stop</B
-> command above with <B
+>smbclient</B
+> and <B
CLASS="COMMAND"
->start</B
->.</P
-><P
->Windows 9x clients will continue to use LanMan printing calls
-with a 2.2 Samba server so there is no need to perform any of these
-modifications on non-NT clients.</P
+>rpcclient</B
+>. See the
+ Imprints installation client at <A
+HREF="http://imprints.sourceforge.net/"
+TARGET="_top"
+>http://imprints.sourceforge.net/</A
+>
+ for an example.
+ </P
+></LI
+></UL
><DIV
CLASS="WARNING"
><P
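Review bot: The removed paragraphs on NT clients remembering a Samba 2.0 host as a LanMan print server (the [HKLM\SYSTEM\CurrentControlSet\Control\Print] cleanup and the "net stop spooler" step) have no replacement in the migration list that takes their place, so an administrator upgrading to 2.2 no longer learns why MSRPC printing may not take effect on existing clients. Keep a short note or say where that guidance now lives. In the relocated list, "the leave the existing" should read "then leave the existing", and "the current only solution" reads better as "the only current solution".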
@@ -5009,8 +5092,12 @@ ALIGN="CENTER"
><TD
ALIGN="LEFT"
><P
->The following smb.conf parameters are considered to be depreciated and will
-be removed soon. Do not use them in new installations</P
+>The following <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> parameters are considered to
+be deprecated and will be removed soon. Do not use them in new
+installations</P
><P
></P
><UL
@@ -5050,63 +5137,22 @@ CLASS="PARAMETER"
></TABLE
></DIV
><P
->Here are the possible scenarios for supporting migration:</P
-><P
-></P
-><UL
-><LI
-><P
->If you do not desire the new Windows NT
- print driver support, nothing needs to be done.
- All existing parameters work the same.</P
-></LI
-><LI
-><P
->If you want to take advantage of NT printer
- driver support but do not want to migrate the
- 9x drivers to the new setup, the leave the existing
- printers.def file. When smbd attempts to locate a
- 9x driver for the printer in the TDB and fails it
- will drop down to using the printers.def (and all
- associated parameters). The <B
-CLASS="COMMAND"
->make_printerdef</B
->
- tool will also remain for backwards compatibility but will
- be moved to the "this tool is the old way of doing it"
- pile.</P
-></LI
-><LI
-><P
->If you install a Windows 9x driver for a printer
- on your Samba host (in the printing TDB), this information will
- take precedence and the three old printing parameters
- will be ignored (including print driver location).</P
-></LI
-><LI
-><P
->If you want to migrate an existing <TT
-CLASS="FILENAME"
->printers.def</TT
->
- file into the new setup, the current only solution is to use the Windows
- NT APW to install the NT drivers and the 9x drivers. This can be scripted
- using <B
-CLASS="COMMAND"
->smbclient</B
-> and <B
-CLASS="COMMAND"
->rpcclient</B
->. See the
- Imprints installation client at <A
-HREF="http://imprints.sourceforge.net/"
-TARGET="_top"
->http://imprints.sourceforge.net/</A
->
- for an example.
- </P
-></LI
-></UL
+>The have been two new parameters add in Samba 2.2.2 to for
+better support of Samba 2.0.x backwards capability (<TT
+CLASS="PARAMETER"
+><I
+>disable
+spoolss</I
+></TT
+>) and for using local printers drivers on Windows
+NT/2000 clients (<TT
+CLASS="PARAMETER"
+><I
+>use client driver</I
+></TT
+>). Both of
+these options are described in the smb.coinf(5) man page and are
+disabled by default.</P
></DIV
></DIV
><DIV
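Review bot: The added closing paragraph has several errors that will ship in the rendered docs. "The have been two new parameters add in Samba 2.2.2 to for better support of Samba 2.0.x backwards capability" should read "There have been two new parameters added in Samba 2.2.2 for better support of Samba 2.0.x backwards compatibility", "local printers drivers" should be "local printer drivers", and "smb.coinf(5)" should be "smb.conf(5)". The man page mention could also be a link, as the [print$] section does with smb.conf.5.html.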
@@ -5121,7 +5167,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN995"
+NAME="AEN988"
>7.1. Joining an NT Domain with Samba 2.2</A
></H1
><P
@@ -5348,7 +5394,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1059"
+NAME="AEN1052"
>7.2. Samba and Windows 2000 Domains</A
></H1
><P
@@ -5373,7 +5419,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1064"
+NAME="AEN1057"
>7.3. Why is this better than security = server?</A
></H1
><P
@@ -5467,7 +5513,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1097"
+NAME="AEN1090"
>8.1. Prerequisite Reading</A
></H1
><P
@@ -5495,7 +5541,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1103"
+NAME="AEN1096"
>8.2. Background</A
></H1
><DIV
@@ -5652,7 +5698,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1145"
+NAME="AEN1138"
>8.3. Configuring the Samba Domain Controller</A
></H1
><P
@@ -5857,16 +5903,11 @@ CLASS="FILENAME"
>As Samba 2.2 does not offer a complete implementation of group mapping between
Windows NT groups and UNIX groups (this is really quite complicated to explain
in a short space), you should refer to the <A
-HREF="smb.conf.5.html#DOMAINADMINUSERS"
-TARGET="_top"
->domain
-admin users</A
-> and <A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
>domain
admin group</A
-> smb.conf parameters for information of creating a Domain Admins
+> smb.conf parameter for information of creating "Domain Admins"
style accounts.</P
></DIV
><DIV
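Review bot: The reworded sentence still reads "for information of creating"; it should be "for information on creating". Now that the link to "domain admin users" is dropped and only "domain admin group" remains, it would help to say in the same sentence that the group parameter is the only supported way to designate "Domain Admins" style accounts, so readers of the earlier text do not go looking for the removed parameter.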
@@ -5874,7 +5915,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1188"
+NAME="AEN1180"
>8.4. Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
@@ -5932,7 +5973,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1202"
+NAME="AEN1194"
>8.4.1. Manually creating machine trust accounts</A
></H2
><P
@@ -5951,9 +5992,20 @@ CLASS="PROMPT"
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
->machine_nickname</I
+>"machine
+nickname"</I
></TT
-> -m -s /bin/false <TT
+> -s /bin/false <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$ </P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>passwd -l <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
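Review bot: The replaceable -c argument is now wrapped in the middle of the quoted string ("machine / nickname" across two source lines), which renders correctly inside a P element but will break into two arguments if this command is ever moved into a PRE block or copied from the source; keep the quoted string on one line. The new `passwd -l machine_name$` step is also worth one sentence of explanation next to it: it locks the UNIX password so the trust account cannot be used for a login, which complements `-s /bin/false` and explains why `-m` was dropped.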
@@ -6072,7 +6124,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1230"
+NAME="AEN1225"
>8.4.2. Creating machine trust accounts "on the fly"</A
></H2
><P
@@ -6108,7 +6160,7 @@ an entry in smbpasswd for <EM
>. The password
<EM
>SHOULD</EM
-> be set to s different password that the
+> be set to a different password that the
associated <TT
CLASS="FILENAME"
>/etc/passwd</TT
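Review bot: The typo fix on the changed line is incomplete: "a different password that the associated /etc/passwd" should read "a different password than the associated /etc/passwd". As written the sentence no longer has the stray "s" but still does not say what the password should differ from.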
@@ -6120,7 +6172,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1241"
+NAME="AEN1236"
>8.5. Common Problems and Errors</A
></H1
><P
@@ -6319,7 +6371,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1289"
+NAME="AEN1284"
>8.6. System Policies and Profiles</A
></H1
><P
@@ -6476,7 +6528,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1333"
+NAME="AEN1328"
>8.7. What other help can I get ?</A
></H1
><P
@@ -6872,7 +6924,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1447"
+NAME="AEN1442"
>8.8. Domain Control for Windows 9x/ME</A
></H1
><DIV
@@ -7008,7 +7060,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1477"
+NAME="AEN1472"
>8.8.1. Configuration Instructions: Network Logons</A
></H2
><P
@@ -7197,7 +7249,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1511"
+NAME="AEN1506"
>8.8.2. Configuration Instructions: Setting up Roaming User Profiles</A
></H2
><DIV
@@ -7244,7 +7296,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1519"
+NAME="AEN1514"
>8.8.2.1. Windows NT Configuration</A
></H3
><P
@@ -7288,7 +7340,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1527"
+NAME="AEN1522"
>8.8.2.2. Windows 9X Configuration</A
></H3
><P
@@ -7328,7 +7380,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1535"
+NAME="AEN1530"
>8.8.2.3. Win9X and WinNT Configuration</A
></H3
><P
@@ -7366,7 +7418,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1542"
+NAME="AEN1537"
>8.8.2.4. Windows 9X Profile Setup</A
></H3
><P
@@ -7375,7 +7427,7 @@ as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
These directories and their contents will be merged with the local
versions stored in c:\windows\profiles\username on subsequent logins,
taking the most recent from each. You will need to use the [global]
-options "preserve case = yes", "short case preserve = yes" and
+options "preserve case = yes", "short preserve case = yes" and
"case sensitive = no" in order to maintain capital letters in shortcuts
in any of the profile folders.</P
><P
@@ -7522,7 +7574,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1578"
+NAME="AEN1573"
>8.8.2.5. Windows NT Workstation 4.0</A
></H3
><P
@@ -7604,7 +7656,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1591"
+NAME="AEN1586"
>8.8.2.6. Windows NT Server</A
></H3
><P
@@ -7618,7 +7670,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1594"
+NAME="AEN1589"
>8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
@@ -7683,7 +7735,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1604"
+NAME="AEN1599"
>8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
@@ -7812,17 +7864,18 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1647"
+NAME="AEN1642"
>9.1. Abstract</A
></H1
><P
>Integration of UNIX and Microsoft Windows NT through
a unified logon has been considered a "holy grail" in heterogeneous
- computing environments for a long time. We present <EM
->winbind
- </EM
->, a component of the Samba suite of programs as a
- solution to the unified logon problem. Winbind uses a UNIX implementation
+ computing environments for a long time. We present
+ <EM
+>winbind</EM
+>, a component of the Samba suite
+ of programs as a solution to the unified logon problem. Winbind
+ uses a UNIX implementation
of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
Service Switch to allow Windows NT domain users to appear and operate
as UNIX users on a UNIX machine. This paper describes the winbind
@@ -7834,7 +7887,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1651"
+NAME="AEN1646"
>9.2. Introduction</A
></H1
><P
@@ -7849,7 +7902,7 @@ NAME="AEN1651"
and use the Samba suite of programs to provide file and print services
between the two. This solution is far from perfect however, as
adding and deleting users on both sets of machines becomes a chore
- and two sets of passwords are required both of which which
+ and two sets of passwords are required both of which
can lead to synchronization problems between the UNIX and Windows
systems and confusion for users.</P
><P
@@ -7888,7 +7941,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1664"
+NAME="AEN1659"
>9.3. What Winbind Provides</A
></H1
><P
@@ -7902,7 +7955,7 @@ NAME="AEN1664"
>The end result is that whenever any
program on the UNIX machine asks the operating system to lookup
a user or group name, the query will be resolved by asking the
- NT domain controller for the specied domain to do the lookup.
+ NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library) this
redirection to the NT domain controller is completely
@@ -7919,18 +7972,18 @@ NAME="AEN1664"
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.</P
><P
->Additionally, Winbind provides a authentication service
+>Additionally, Winbind provides an authentication service
that hooks into the Pluggable Authentication Modules (PAM) system
to provide authentication via a NT domain to any PAM enabled
applications. This capability solves the problem of synchronizing
- passwords between systems as all passwords are stored in a single
+ passwords between systems since all passwords are stored in a single
location (on the domain controller).</P
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1671"
+NAME="AEN1666"
>9.3.1. Target Uses</A
></H2
><P
@@ -7938,9 +7991,9 @@ NAME="AEN1671"
existing NT based domain infrastructure into which they wish
to put UNIX workstations or servers. Winbind will allow these
organizations to deploy UNIX workstations without having to
- maintain a separate account infrastructure. This greatly simplies
- the administrative overhead of deploying UNIX workstations into
- a NT based organization.</P
+ maintain a separate account infrastructure. This greatly
+ simplifies the administrative overhead of deploying UNIX
+ workstations into a NT based organization.</P
><P
>Another interesting way in which we expect Winbind to
be used is as a central part of UNIX based appliances. Appliances
@@ -7954,7 +8007,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1675"
+NAME="AEN1670"
>9.4. How Winbind Works</A
></H1
><P
@@ -7974,7 +8027,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1680"
+NAME="AEN1675"
>9.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
@@ -8000,7 +8053,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1684"
+NAME="AEN1679"
>9.4.2. Name Service Switch</A
></H2
><P
@@ -8009,9 +8062,9 @@ NAME="AEN1684"
information such as hostnames, mail aliases and user information
to be resolved from different sources. For example, a standalone
UNIX workstation may resolve system information from a series of
- flat files stored on the local lesystem. A networked workstation
+ flat files stored on the local filesystem. A networked workstation
may first attempt to resolve system information from local files,
- then consult a NIS database for user information or a DNS server
+ and then consult a NIS database for user information or a DNS server
for hostname information.</P
><P
>The NSS application programming interface allows winbind
@@ -8024,11 +8077,12 @@ NAME="AEN1684"
a NT domain plus any trusted domain as though they were local
users and groups.</P
><P
->The primary control le for NSS is <TT
+>The primary control file for NSS is
+ <TT
CLASS="FILENAME"
->/etc/nsswitch.conf
- </TT
->. When a UNIX application makes a request to do a lookup
+>/etc/nsswitch.conf</TT
+>.
+ When a UNIX application makes a request to do a lookup
the C library looks in <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@@ -8079,7 +8133,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1700"
+NAME="AEN1695"
>9.4.3. Pluggable Authentication Modules</A
></H2
><P
@@ -8098,7 +8152,7 @@ NAME="AEN1700"
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable Primary Domain
Controller. These users can also change their passwords and have
- this change take eect directly on the Primary Domain Controller.
+ this change take effect directly on the Primary Domain Controller.
</P
><P
>PAM is configured by providing control files in the directory
@@ -8118,7 +8172,7 @@ CLASS="FILENAME"
is copied to <TT
CLASS="FILENAME"
>/lib/security/</TT
-> and the pam
+> and the PAM
control files for relevant services are updated to allow
authentication via winbind. See the PAM documentation
for more details.</P
@@ -8128,13 +8182,13 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1708"
+NAME="AEN1703"
>9.4.4. User and Group ID Allocation</A
></H2
><P
>When a user or group is created under Windows NT
is it allocated a numerical relative identifier (RID). This is
- slightly different to UNIX which has a range of numbers which are
+ slightly different to UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
groups. It is winbind's job to convert RIDs to UNIX id numbers and
vice versa. When winbind is configured it is given part of the UNIX
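Review bot: The line directly above the changed one still reads "is it allocated a numerical relative identifier (RID)", which should be "it is allocated"; since this hunk is already a wording pass over the same paragraph ("which are" to "that are"), fix the inverted words here as well.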
@@ -8146,7 +8200,7 @@ NAME="AEN1708"
to UNIX user ids and group ids.</P
><P
>The results of this mapping are stored persistently in
- a ID mapping database held in a tdb database). This ensures that
+ an ID mapping database held in a tdb database). This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</P
></DIV
><DIV
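Review bot: The corrected line "an ID mapping database held in a tdb database)." keeps an unmatched closing parenthesis. Either drop the ")" or restore the opening one, for example "an ID mapping database (held in a tdb database)".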
@@ -8154,7 +8208,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1712"
+NAME="AEN1707"
>9.4.5. Result Caching</A
></H2
><P
@@ -8177,43 +8231,821 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1715"
+NAME="AEN1710"
>9.5. Installation and Configuration</A
></H1
><P
->The easiest way to install winbind is by using the packages
- provided in the <TT
+>Many thanks to John Trostel <A
+HREF="mailto:jtrostel@snapserver.com"
+TARGET="_top"
+>jtrostel@snapserver.com</A
+>
+for providing the HOWTO for this section.</P
+><P
+>This HOWTO describes how to get winbind services up and running
+to control access and authenticate users on your Linux box using
+the winbind services which come with SAMBA 2.2.2.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1715"
+>9.5.1. Introduction</A
+></H2
+><P
+>This HOWTO describes the procedures used to get winbind up and
+running on my RedHat 7.1 system. Winbind is capable of providing access
+and authentication control for Windows Domain users through an NT
+or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
+well for SAMBA services.</P
+><P
+>This HOWTO has been written from a 'RedHat-centric' perspective, so if
+you are using another distribution, you may have to modify the instructions
+somewhat to fit the way your distribution works.</P
+><P
+></P
+><UL
+><LI
+><P
+> <EM
+>Why should I to this?</EM
+>
+ </P
+><P
+>This allows the SAMBA administrator to rely on the
+ authentication mechanisms on the NT/Win2K PDC for the authentication
+ of domain members. NT/Win2K users no longer need to have separate
+ accounts on the SAMBA server.
+ </P
+></LI
+><LI
+><P
+> <EM
+>Who should be reading this document?</EM
+>
+ </P
+><P
+> This HOWTO is designed for system administrators. If you are
+ implementing SAMBA on a file server and wish to (fairly easily)
+ integrate existing NT/Win2K users from your PDC onto the
+ SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
+ expert, so you may find a better or easier way to accomplish
+ these tasks.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1728"
+>9.5.2. Requirements</A
+></H2
+><P
+>If you have a samba configuration file that you are currently
+using... BACK IT UP! If your system already uses PAM, BACK UP
+THE <TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+> directory contents! If you
+haven't already made a boot disk, MAKE ON NOW!</P
+><P
+>Messing with the pam configuration files can make it nearly impossible
+to log in to yourmachine. That's why you want to be able to boot back
+into your machine in single user mode and restore your
+<TT
CLASS="FILENAME"
->pub/samba/appliance/</TT
+>/etc/pam.d</TT
+> back to the original state they were in if
+you get frustrated with the way things are going. ;-)</P
+><P
+>The newest version of SAMBA (version 2.2.2), available from
+cvs.samba.org, now include a functioning winbindd daemon. Please refer
+to the main SAMBA web page or, better yet, your closest SAMBA mirror
+site for instructions on downloading the source code.</P
+><P
+>To allow Domain users the ability to access SAMBA shares and
+files, as well as potentially other services provided by your
+SAMBA machine, PAM (pluggable authentication modules) must
+be setup properly on your machine. In order to compile the
+winbind modules, you should have at least the pam libraries resident
+on your system. For recent RedHat systems (7.1, for instance), that
+means 'pam-0.74-22'. For best results, it is helpful to also
+install the development packages in 'pam-devel-0.74-22'.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1736"
+>9.5.3. Testing Things Out</A
+></H2
+><P
+>Before starting, it is probably best to kill off all the SAMBA
+related daemons running on your server. Kill off all <B
+CLASS="COMMAND"
+>smbd</B
+>,
+<B
+CLASS="COMMAND"
+>nmbd</B
+>, and <B
+CLASS="COMMAND"
+>winbindd</B
+> processes that may
+be running. To use PAM, you will want to make sure that you have the
+standard PAM package (for RedHat) which supplies the <TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
>
- directory on your nearest
- Samba mirror. These packages provide snapshots of the Samba source
- code and binaries already setup to provide the full functionality
- of winbind. This setup is a little more complex than a normal Samba
- build as winbind needs a small amount of functionality from a
- development code branch called SAMBA_TNG.</P
-><P
->Once you have installed the packages you should read
- the <B
+directory structure, including the pam modules are used by pam-aware
+services, several pam libraries, and the <TT
+CLASS="FILENAME"
+>/usr/doc</TT
+>
+and <TT
+CLASS="FILENAME"
+>/usr/man</TT
+> entries for pam. Winbind built better
+in SAMBA if the pam-devel package was also installed. This package includes
+the header files needed to compile pam-aware applications. For instance, my RedHat
+system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1745"
+>9.5.3.1. Configure and compile SAMBA</A
+></H3
+><P
+>The configuration and compilation of SAMBA is pretty straightforward.
+The first three steps maynot be necessary depending upon
+whether or not you have previously built the Samba binaries.</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+><TT
+CLASS="PROMPT"
+>root# </TT
+> autoconf
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make clean
+<TT
+CLASS="PROMPT"
+>root# </TT
+> rm config.cache
+<TT
+CLASS="PROMPT"
+>root# </TT
+> ./configure --with-winbind
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make install</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>This will, by default, install SAMBA in /usr/local/samba. See the
+main SAMBA documentation if you want to install SAMBA somewhere else.
+It will also build the winbindd executable and libraries. </P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1757"
+>9.5.3.2. Configure nsswitch.conf and the winbind libraries</A
+></H3
+><P
+>The libraries needed to run the winbind daemon through nsswitch
+need to be copied to their proper locations, so</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P
+><P
+>I also found it necessary to make the following symbolic link:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P
+><P
+>Now, as root you need to edit <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> to
+allow user and group entries to be visible from the <B
CLASS="COMMAND"
->winbindd(8)</B
-> man page which will provide you
- with configuration information and give you sample configuration files.
- You may also wish to update the main Samba daemons smbd and nmbd)
- with a more recent development release, such as the recently
- announced Samba 2.2 alpha release.</P
+>winbindd</B
+>
+daemon, as well as from your /etc/hosts files and NIS servers. My
+<TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> file look like this after editing:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+> passwd: files winbind
+ shadow: files winbind
+ group: files winbind</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>
+The libraries needed by the winbind daemon will be automatically
+entered into the ldconfig cache the next time your system reboots, but it
+is faster (and you don't need to reboot) if you do it manually:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> /sbin/ldconfig -v | grep winbind</P
+><P
+>This makes <TT
+CLASS="FILENAME"
+>libnss_winbind</TT
+> available to winbindd
+and echos back a check to you.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1776"
+>9.5.3.3. Configure smb.conf</A
+></H3
+><P
+>Several parameters are needed in the smb.conf file to control
+the behavior of <B
+CLASS="COMMAND"
+>winbindd</B
+>. Configure
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> These are described in more detail in
+the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> man page. My
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file was modified to
+include the following entries in the [global] section:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ &#60;...&#62;
+ # separate domain and username with '+', like DOMAIN+username
+ winbind separator = +
+ # use uids from 10000 to 20000 for domain users
+ winbind uid = 10000-20000
+ # use gids from 10000 to 20000 for domain groups
+ winbind gid = 10000-20000
+ # allow enumeration of winbind users and groups
+ winbind enum users = yes
+ winbind enum groups = yes
+ # give winbind users a real shell (only needed if they have telnet access)
+ template shell = /bin/bash</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1785"
+>9.5.3.4. Join the SAMBA server to the PDC domain</A
+></H3
+><P
+>Enter the following command to make the SAMBA server join the
+PDC domain, where <TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+> is the name of
+your Windows domain and <TT
+CLASS="REPLACEABLE"
+><I
+>Administrator</I
+></TT
+> is
+a domain user who has administrative privileges in the domain.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P
+><P
+>The proper response to the command should be: "Joined the domain
+<TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+>" where <TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+>
+is your DOMAIN name.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1795"
+>9.5.3.5. Start up the winbindd daemon and test it!</A
+></H3
+><P
+>Eventually, you will want to modify your smb startup script to
+automatically invoke the winbindd daemon when the other parts of
+SAMBA start, but it is possible to test out just the winbind
+portion first. To start up winbind services, enter the following
+command as root:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/winbindd</P
+><P
+>I'm always paranoid and like to make sure the daemon
+is really running...</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> ps -ae | grep winbindd
+3025 ? 00:00:00 winbindd</P
+><P
+>Now... for the real test, try to get some information about the
+users on your PDC</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> # /usr/local/samba/bin/wbinfo -u</P
+><P
+>
+This should echo back a list of users on your Windows users on
+your PDC. For example, I get the following response:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>CEO+Administrator
+CEO+burdell
+CEO+Guest
+CEO+jt-ad
+CEO+krbtgt
+CEO+TsInternetUser</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P
+><P
+>You can do the same sort of thing to get group information from
+the PDC:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/wbinfo -g
+CEO+Domain Admins
+CEO+Domain Users
+CEO+Domain Guests
+CEO+Domain Computers
+CEO+Domain Controllers
+CEO+Cert Publishers
+CEO+Schema Admins
+CEO+Enterprise Admins
+CEO+Group Policy Creator Owners</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The function 'getent' can now be used to get unified
+lists of both local and PDC users and groups.
+Try the following command:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> getent passwd</P
+><P
+>You should get a list that looks like your <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+list followed by the domain users with their new uids, gids, home
+directories and default shells.</P
+><P
+>The same thing can be done for groups with the command</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> getent group</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1822"
+>9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files</A
+></H3
+><P
+>The <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon needs to start up after the
+<B
+CLASS="COMMAND"
+>smbd</B
+> and <B
+CLASS="COMMAND"
+>nmbd</B
+> daemons are running.
+To accomplish this task, you need to modify the <TT
+CLASS="FILENAME"
+>/etc/init.d/smb</TT
+>
+script to add commands to invoke this daemon in the proper sequence. My
+<TT
+CLASS="FILENAME"
+>/etc/init.d/smb</TT
+> file starts up <B
+CLASS="COMMAND"
+>smbd</B
+>,
+<B
+CLASS="COMMAND"
+>nmbd</B
+>, and <B
+CLASS="COMMAND"
+>winbindd</B
+> from the
+<TT
+CLASS="FILENAME"
+>/usr/local/samba/bin</TT
+> directory directly. The 'start'
+function in the script looks like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>start() {
+ KIND="SMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/winbindd
+ RETVAL3=$?
+ echo
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; touch /var/lock/subsys/smb || \
+ RETVAL=1
+ return $RETVAL
+}</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The 'stop' function has a corresponding entry to shut down the
+services and look s like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>stop() {
+ KIND="SMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc smbd
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc nmbd
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Shutting down $KIND services: "
+ killproc winbindd
+ RETVAL3=$?
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; rm -f /var/lock/subsys/smb
+ echo ""
+ return $RETVAL
+}</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1839"
+>9.5.3.7. Configure Winbind and PAM</A
+></H3
+><P
+>If you have made it this far, you know that winbindd is working.
+Now it is time to integrate it into the operation of samba and other
+services. The pam configuration files need to be altered in
+this step. (Did you remember to make backups of your original
+<TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+> files? If not, do it now.)</P
+><P
+>To get samba to allow domain users and groups, I modified the
+<TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file from</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_stack.so service=system-auth
+account required /lib/security/pam_stack.so service=system-auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>to</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_winbind.so
+auth required /lib/security/pam_stack.so service=system-auth
+account required /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The other services that I modified to allow the use of winbind
+as an authentication service were the normal login on the console (or a terminal
+session), telnet logins, and ftp service. In order to enable these
+services, you may first need to change the entries in
+<TT
+CLASS="FILENAME"
+>/etc/xinetd.d</TT
+> (or <TT
+CLASS="FILENAME"
+>/etc/inetd.conf</TT
+>).
+RedHat 7.1 uses the new xinetd.d structure, in this case you need
+to change the lines in <TT
+CLASS="FILENAME"
+>/etc/xinetd.d/telnet</TT
+>
+and <TT
+CLASS="FILENAME"
+>/etc/xinetd.d/wu-ftp</TT
+> from </P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>enable = no</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>to</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>enable = yes</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>
+For ftp services to work properly, you will also need to either
+have individual directories for the domain users already present on
+the server, or change the home directory template to a general
+directory for all domain users. These can be easily set using
+the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> global entry
+<B
+CLASS="COMMAND"
+>template homedir</B
+>.</P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/ftp</TT
+> file can be changed
+to allow winbind ftp access in a manner similar to the
+samba file. My <TT
+CLASS="FILENAME"
+>/etc/pam.d/ftp</TT
+> file was
+changed to look like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_shells.so
+account required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/login</TT
+> file can be changed nearly the
+same way. It now looks like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_securetty.so
+auth sufficient /lib/security/pam_winbind.so
+auth sufficient /lib/security/pam_unix.so use_first_pass
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_nologin.so
+account sufficient /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth
+password required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+session optional /lib/security/pam_console.so</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>In this case, I added the <B
+CLASS="COMMAND"
+>auth sufficient /lib/security/pam_winbind.so</B
+>
+lines as before, but also added the <B
+CLASS="COMMAND"
+>required pam_securetty.so</B
+>
+above it, to disallow root logins over the network. I also added a
+<B
+CLASS="COMMAND"
+>sufficient /lib/security/pam_unix.so use_first_pass</B
+>
+line after the <B
+CLASS="COMMAND"
+>winbind.so</B
+> line to get rid of annoying
+double prompts for passwords.</P
+><P
+>Finally, don't forget to copy the winbind pam modules from
+the source directory in which you originally compiled the new
+SAMBA up to the /lib/security directory so that pam can use it:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P
+></DIV
+></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1721"
+NAME="AEN1880"
>9.6. Limitations</A
></H1
><P
>Winbind has a number of limitations in its current
- released version which we hope to overcome in future
+ released version that we hope to overcome in future
releases:</P
><P
></P
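Review bot: In the new section 9.5.3.7 the /etc/pam.d/samba example lists pam_winbind.so and pam_stack.so service=system-auth both as `required` for auth and for account, so a domain user has to pass system-auth as well, which is at odds with the section's stated aim that NT/Win2K users no longer need separate accounts on the SAMBA server; the ftp and login examples use `sufficient` for pam_winbind.so, and the samba example should either match them or explain why it differs. The step that copies pam_winbind.so into /lib/security is listed last, after the pam.d files already reference it; move it ahead of the PAM edits so that a missing module cannot fail the stack and lock the administrator out. The same section switches /etc/xinetd.d/telnet and /etc/xinetd.d/wu-ftp to `enable = yes` without noting that both services carry the domain password in cleartext, which deserves a sentence now that the credential being typed is the PDC one. In 9.5.3.5 the command `root# # /usr/local/samba/bin/wbinfo -u` has a stray `#` that turns it into a comment when pasted, and in 9.5.3.6 stop() returns only `$RETVAL` (the smbd status) although it collects RETVAL2 and RETVAL3. Typos to fix before commit: "telnet a nd ftp", "Why should I to this?", "MAKE ON NOW", "yourmachine", "maynot", "file look like this", "look s like", "a list of users on your Windows users on your PDC", and the dangling "Configure smb.conf" fragment in the first sentence of 9.5.3.3.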
@@ -8242,13 +9074,6 @@ NAME="AEN1721"
into account possible workstation and logon time restrictions
that may be been set for Windows NT users.</P
></LI
-><LI
-><P
->Building winbind from source is currently
- quite tedious as it requires combining source code from two Samba
- branches. Work is underway to solve this by providing all
- the necessary functionality in the main Samba code branch.</P
-></LI
></UL
></DIV
><DIV
@@ -8256,7 +9081,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1733"
+NAME="AEN1890"
>9.7. Conclusion</A
></H1
><P
@@ -8280,7 +9105,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1747"
+NAME="AEN1904"
>10.1. FAQs</A
></H1
><DIV
@@ -8288,7 +9113,7 @@ CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1749"
+NAME="AEN1906"
>10.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
@@ -8347,7 +9172,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1764"
+NAME="AEN1921"
>10.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
@@ -8400,7 +9225,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1773"
+NAME="AEN1930"
>10.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
@@ -8422,7 +9247,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1777"
+NAME="AEN1934"
>10.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2
@@ -8478,7 +9303,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1793"
+NAME="AEN1950"
>11.1. Introduction</A
></H1
><P
@@ -8500,7 +9325,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1798"
+NAME="AEN1955"
>11.2. CVS Access to samba.org</A
></H1
><P
@@ -8513,7 +9338,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1801"
+NAME="AEN1958"
>11.2.1. Access via CVSweb</A
></H2
><P
@@ -8534,7 +9359,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1806"
+NAME="AEN1963"
>11.2.2. Access via cvs</A
></H2
><P
@@ -8640,14 +9465,14 @@ CLASS="COMMAND"
></DIV
><HR><H1
><A
-NAME="AEN1834"
+NAME="AEN1991"
>Index</A
></H1
><DL
><DT
>Primary Domain Controller,
<A
-HREF="x1103.htm"
+HREF="x1096.htm"
>Background</A
>
</DT