diff options
| author | Gerald Carter <jerry@samba.org> | 2001-03-06 18:33:38 +0000 |
|---|---|---|
| committer | Gerald Carter <jerry@samba.org> | 2001-03-06 18:33:38 +0000 |
| commit | 6feb616800ee806cb059d16fccf5e85911049cb5 (patch) | |
| tree | 61d4b35b42da95d1abc64ac2db1b92a5a34a384f /docs/htmldocs/Samba-HOWTO-Collection.html | |
| parent | e2e1746c8005d85db937cfbcf4bf5d90e7efa83a (diff) | |
| download | samba-6feb616800ee806cb059d16fccf5e85911049cb5.tar.gz samba-6feb616800ee806cb059d16fccf5e85911049cb5.tar.xz samba-6feb616800ee806cb059d16fccf5e85911049cb5.zip | |
updated Samba-HOWTO-Collection articles to reflect authorship
by the correct people. Moved ENCRYPTION.txt over. More as I get time.
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
| -rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 875 |
1 files changed, 785 insertions, 90 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index 844d4f6d490..3596af76022 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -54,7 +54,7 @@ HREF="#AEN12" ><DT ><A HREF="#AEN20" ->Building the Binaries</A +>Step 1: Building the Binaries</A ></DT ><DT ><A @@ -121,37 +121,37 @@ HREF="#AEN166" ><DT ><A HREF="#AEN171" ->DIAGNOSING PROBLEMS</A +>Diagnosing Problems</A ></DT ><DT ><A HREF="#AEN175" ->SCOPE IDs</A +>Scope IDs</A ></DT ><DT ><A HREF="#AEN178" ->CHOOSING THE PROTOCOL LEVEL</A +>Choosing the Protocol Level</A ></DT ><DT ><A HREF="#AEN187" ->PRINTING FROM UNIX TO A CLIENT PC</A +>Printing from UNIX to a Client PC</A ></DT ><DT ><A HREF="#AEN191" ->LOCKING</A +>Locking</A ></DT ><DT ><A HREF="#AEN201" ->MAPPING USERNAMES</A +>Mapping Usernames</A ></DT ><DT ><A HREF="#AEN204" ->OTHER CHARACTER SETS</A +>Other Character Sets</A ></DT ></DL ></DD @@ -160,71 +160,131 @@ HREF="#AEN204" ><DT >2. <A HREF="#AEN207" ->Hosting a Microsoft Distributed File System tree on Samba</A +>LanMan and NT Password Encryption in Samba 2.x</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN209" ->HOWTO</A +HREF="#AEN218" +>Introduction</A ></DT ><DT ><A -HREF="#AEN243" ->NOTES</A +HREF="#AEN222" +>How does it work?</A +></DT +><DT +><A +HREF="#AEN233" +>Important Notes About Security</A +></DT +><DD +><DL +><DT +><A +HREF="#AEN252" +>Advantages of SMB Encryption</A +></DT +><DT +><A +HREF="#AEN259" +>Advantages of non-encrypted passwords</A +></DT +></DL +></DD +><DT +><A +HREF="#AEN268" +><A +NAME="SMBPASSWDFILEFORMAT" +></A +>The smbpasswd file</A +></DT +><DT +><A +HREF="#AEN320" +>The smbpasswd Command</A +></DT +><DT +><A +HREF="#AEN359" +>Setting up Samba to support LanManager Encryption</A ></DT ></DL ></DD ><DT >3. <A -HREF="#AEN252" +HREF="#AEN374" +>Hosting a Microsoft Distributed File System tree on Samba</A +></DT +><DD +><DL +><DT +><A +HREF="#AEN385" +>Instructions</A +></DT +><DD +><DL +><DT +><A +HREF="#AEN419" +>Notes</A +></DT +></DL +></DD +></DL +></DD +><DT +>4. <A +HREF="#AEN428" >Printing Support in Samba 2.2.x</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN254" +HREF="#AEN439" >Introduction</A ></DT ><DT ><A -HREF="#AEN271" +HREF="#AEN456" >Configuration</A ></DT ><DT ><A -HREF="#AEN325" +HREF="#AEN510" >The Imprints Toolset</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN329" +HREF="#AEN514" >What is Imprints?</A ></DT ><DT ><A -HREF="#AEN339" +HREF="#AEN524" >Creating Printer Driver Packages</A ></DT ><DT ><A -HREF="#AEN342" +HREF="#AEN527" >The Imprints server</A ></DT ><DT ><A -HREF="#AEN346" +HREF="#AEN531" >The Installation Client</A ></DT ></DL ></DD ><DT ><A -HREF="#AEN368" +HREF="#AEN553" ><A NAME="MIGRATION" ></A @@ -234,80 +294,80 @@ NAME="MIGRATION" ></DL ></DD ><DT ->4. <A -HREF="#AEN396" +>5. <A +HREF="#AEN581" >security = domain in Samba 2.x</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN398" +HREF="#AEN592" >Joining an NT Domain with Samba 2.2</A ></DT ><DT ><A -HREF="#AEN461" +HREF="#AEN655" >Why is this better than security = server?</A ></DT ></DL ></DD ><DT ->5. <A -HREF="#AEN475" +>6. <A +HREF="#AEN669" >UNIX Permission Bits and WIndows NT Access Control Lists</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN477" +HREF="#AEN680" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT ><A -HREF="#AEN486" +HREF="#AEN689" >How to view file security on a Samba share</A ></DT ><DT ><A -HREF="#AEN497" +HREF="#AEN700" >Viewing file ownership</A ></DT ><DT ><A -HREF="#AEN517" +HREF="#AEN720" >Viewing file or directory permissions</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN532" +HREF="#AEN735" >File Permissions</A ></DT ><DT ><A -HREF="#AEN546" +HREF="#AEN749" >Directory Permissions</A ></DT ></DL ></DD ><DT ><A -HREF="#AEN553" +HREF="#AEN756" >Modifying file or directory permissions</A ></DT ><DT ><A -HREF="#AEN575" +HREF="#AEN778" >Interaction with the standard Samba create mask parameters</A ></DT ><DT ><A -HREF="#AEN639" +HREF="#AEN842" >Interaction with the standard Samba file attribute mapping</A ></DT @@ -360,7 +420,7 @@ CLASS="SECT1" CLASS="SECT1" ><A NAME="AEN20" ->Building the Binaries</A +>Step 1: Building the Binaries</A ></H1 ><P >To do this, first run the program <B @@ -933,7 +993,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN171" ->DIAGNOSING PROBLEMS</A +>Diagnosing Problems</A ></H2 ><P >If you have instalation problems then go to @@ -949,7 +1009,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN175" ->SCOPE IDs</A +>Scope IDs</A ></H2 ><P >By default Samba uses a blank scope ID. This means @@ -965,7 +1025,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN178" ->CHOOSING THE PROTOCOL LEVEL</A +>Choosing the Protocol Level</A ></H2 ><P >The SMB protocol has many dialects. Currently @@ -1006,7 +1066,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN187" ->PRINTING FROM UNIX TO A CLIENT PC</A +>Printing from UNIX to a Client PC</A ></H2 ><P >To use a printer that is available via a smb-based @@ -1024,7 +1084,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN191" ->LOCKING</A +>Locking</A ></H2 ><P >One area which sometimes causes trouble is locking.</P @@ -1085,7 +1145,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN201" ->MAPPING USERNAMES</A +>Mapping Usernames</A ></H2 ><P >If you have different usernames on the PCs and @@ -1098,7 +1158,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN204" ->OTHER CHARACTER SETS</A +>Other Character Sets</A ></H2 ><P >If you have problems using filenames with accented @@ -1114,15 +1174,650 @@ CLASS="CHAPTER" ><HR><H1 ><A NAME="AEN207" ->Chapter 2. Hosting a Microsoft Distributed File System tree on Samba</A +>Chapter 2. LanMan and NT Password Encryption in Samba 2.x</A +></H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN218" +>Introduction</A +></H1 +><P +>With the development of LanManager and Windows NT + compatible password encryption for Samba, it is now able + to validate user connections in exactly the same way as + a LanManager or Windows NT server.</P +><P +>This document describes how the SMB password encryption + algorithm works and what issues there are in choosing whether + you want to use it. You should read it carefully, especially + the part about security and the "PROS and CONS" section.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN222" +>How does it work?</A +></H1 +><P +>LanManager encryption is somewhat similar to UNIX + password encryption. The server uses a file containing a + hashed value of a user's password. This is created by taking + the user's plaintext password, capitalising it, and either + truncating to 14 bytes or padding to 14 bytes with null bytes. + This 14 byte value is used as two 56 bit DES keys to encrypt + a 'magic' eight byte value, forming a 16 byte value which is + stored by the server and client. Let this value be known as + the "hashed password".</P +><P +>Windows NT encryption is a higher quality mechanism, + consisting of doing an MD4 hash on a Unicode version of the user's + password. This also produces a 16 byte hash value that is + non-reversible.</P +><P +>When a client (LanManager, Windows for WorkGroups, Windows + 95 or Windows NT) wishes to mount a Samba drive (or use a Samba + resource), it first requests a connection and negotiates the + protocol that the client and server will use. In the reply to this + request the Samba server generates and appends an 8 byte, random + value - this is stored in the Samba server after the reply is sent + and is known as the "challenge". The challenge is different for + every client connection.</P +><P +>The client then uses the hashed password (16 byte values + described above), appended with 5 null bytes, as three 56 bit + DES keys, each of which is used to encrypt the challenge 8 byte + value, forming a 24 byte value known as the "response".</P +><P +>In the SMB call SMBsessionsetupX (when user level security + is selected) or the call SMBtconX (when share level security is + selected), the 24 byte response is returned by the client to the + Samba server. For Windows NT protocol levels the above calculation + is done on both hashes of the user's password and both responses are + returned in the SMB call, giving two 24 byte values.</P +><P +>The Samba server then reproduces the above calculation, using + its own stored value of the 16 byte hashed password (read from the + <TT +CLASS="FILENAME" +>smbpasswd</TT +> file - described later) and the challenge + value that it kept from the negotiate protocol reply. It then checks + to see if the 24 byte value it calculates matches the 24 byte value + returned to it from the client.</P +><P +>If these values match exactly, then the client knew the + correct password (or the 16 byte hashed value - see security note + below) and is thus allowed access. If not, then the client did not + know the correct password and is denied access.</P +><P +>Note that the Samba server never knows or stores the cleartext + of the user's password - just the 16 byte hashed values derived from + it. Also note that the cleartext password or 16 byte hashed values + are never transmitted over the network - thus increasing security.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN233" +>Important Notes About Security</A +></H1 +><P +>The unix and SMB password encryption techniques seem similar + on the surface. This similarity is, however, only skin deep. The unix + scheme typically sends clear text passwords over the nextwork when + logging in. This is bad. The SMB encryption scheme never sends the + cleartext password over the network but it does store the 16 byte + hashed values on disk. This is also bad. Why? Because the 16 byte hashed + values are a "password equivalent". You cannot derive the user's + password from them, but they could potentially be used in a modified + client to gain access to a server. This would require considerable + technical knowledge on behalf of the attacker but is perfectly possible. + You should thus treat the smbpasswd file as though it contained the + cleartext passwords of all your users. Its contents must be kept + secret, and the file should be protected accordingly.</P +><P +>Ideally we would like a password scheme which neither requires + plain text passwords on the net or on disk. Unfortunately this + is not available as Samba is stuck with being compatible with + other SMB systems (WinNT, WfWg, Win95 etc). </P +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +BORDER="1" +WIDTH="100%" +><TR +><TD +ALIGN="CENTER" +><B +>Warning</B +></TD +></TR +><TR +><TD +ALIGN="LEFT" +><P +>Note that Windows NT 4.0 Service pack 3 changed the + default for permissible authentication so that plaintext + passwords are <I +CLASS="EMPHASIS" +>never</I +> sent over the wire. + The solution to this is either to switch to encrypted passwords + with Samba or edit the Windows NT registry to re-enable plaintext + passwords. See the document WinNT.txt for details on how to do + this.</P +><P +>Other Microsoft operating systems which also exhibit + this behavior includes</P +><P +></P +><UL +><LI +><P +>MS DOS Network client 3.0 with + the basic network redirector installed</P +></LI +><LI +><P +>Windows 95 with the network redirector + update installed</P +></LI +><LI +><P +>Windows 98 [se]</P +></LI +><LI +><P +>Windows 2000</P +></LI +></UL +><P +><I +CLASS="EMPHASIS" +>Note :</I +>All current release of + Microsoft SMB/CIFS clients support authentication via the + SMB Challenge/Response mechanism described here. Enabling + clear text authentication does not disable the ability + of the client to particpate in encrypted authentication.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="SECT2" +><HR><H2 +CLASS="SECT2" +><A +NAME="AEN252" +>Advantages of SMB Encryption</A +></H2 +><P +></P +><UL +><LI +><P +>plain text passwords are not passed across + the network. Someone using a network sniffer cannot just + record passwords going to the SMB server.</P +></LI +><LI +><P +>WinNT doesn't like talking to a server + that isn't using SMB encrypted passwords. It will refuse + to browse the server if the server is also in user level + security mode. It will insist on prompting the user for the + password on each connection, which is very annoying. The + only things you can do to stop this is to use SMB encryption. + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT2" +><HR><H2 +CLASS="SECT2" +><A +NAME="AEN259" +>Advantages of non-encrypted passwords</A +></H2 +><P +></P +><UL +><LI +><P +>plain text passwords are not kept + on disk. </P +></LI +><LI +><P +>uses same password file as other unix + services such as login and ftp</P +></LI +><LI +><P +>you are probably already using other + services (such as telnet and ftp) which send plain text + passwords over the net, so sending them for SMB isn't + such a big deal.</P +></LI +></UL +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN268" +><A +NAME="SMBPASSWDFILEFORMAT" +></A +>The smbpasswd file</A +></H1 +><P +>In order for Samba to participate in the above protocol + it must be able to look up the 16 byte hashed values given a user name. + Unfortunately, as the UNIX password value is also a one way hash + function (ie. it is impossible to retrieve the cleartext of the user's + password given the UNIX hash of it), a separate password file + containing this 16 byte value must be kept. To minimise problems with + these two password files, getting out of sync, the UNIX <TT +CLASS="FILENAME" +> /etc/passwd</TT +> and the <TT +CLASS="FILENAME" +>smbpasswd</TT +> file, + a utility, <B +CLASS="COMMAND" +>mksmbpasswd.sh</B +>, is provided to generate + a smbpasswd file from a UNIX <TT +CLASS="FILENAME" +>/etc/passwd</TT +> file. + </P +><P +>To generate the smbpasswd file from your <TT +CLASS="FILENAME" +>/etc/passwd + </TT +> file use the following command :</P +><P +><TT +CLASS="PROMPT" +>$ </TT +><TT +CLASS="USERINPUT" +><B +>cat /etc/passwd | mksmbpasswd.sh + > /usr/local/samba/private/smbpasswd</B +></TT +></P +><P +>If you are running on a system that uses NIS, use</P +><P +><TT +CLASS="PROMPT" +>$ </TT +><TT +CLASS="USERINPUT" +><B +>ypcat passwd | mksmbpasswd.sh + > /usr/local/samba/private/smbpasswd</B +></TT +></P +><P +>The <B +CLASS="COMMAND" +>mksmbpasswd.sh</B +> program is found in + the Samba source directory. By default, the smbpasswd file is + stored in :</P +><P +><TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +></P +><P +>The owner of the <TT +CLASS="FILENAME" +>/usr/local/samba/private/</TT +> + directory should be set to root, and the permissions on it should + be set to 0500 (<B +CLASS="COMMAND" +>chmod 500 /usr/local/samba/private</B +>). + </P +><P +>Likewise, the smbpasswd file inside the private directory should + be owned by root and the permissions on is should be set to 0600 + (<B +CLASS="COMMAND" +>chmod 600 smbpasswd</B +>).</P +><P +>The format of the smbpasswd file is (The line has been + wrapped here. It should appear as one entry per line in + your smbpasswd file.)</P +><P +><PRE +CLASS="PROGRAMLISTING" +>username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + [Account type]:LCT-<last-change-time>:Long name + </PRE +></P +><P +>Although only the <TT +CLASS="REPLACEABLE" +><I +>username</I +></TT +>, + <TT +CLASS="REPLACEABLE" +><I +>uid</I +></TT +>, <TT +CLASS="REPLACEABLE" +><I +> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</I +></TT +>, + [<TT +CLASS="REPLACEABLE" +><I +>Account type</I +></TT +>] and <TT +CLASS="REPLACEABLE" +><I +> last-change-time</I +></TT +> sections are significant + and are looked at in the Samba code.</P +><P +>It is <I +CLASS="EMPHASIS" +>VITALLY</I +> important that there by 32 + 'X' characters between the two ':' characters in the XXX sections - + the smbpasswd and Samba code will fail to validate any entries that + do not have 32 characters between ':' characters. The first XXX + section is for the Lanman password hash, the second is for the + Windows NT version.</P +><P +>When the password file is created all users have password entries + consisting of 32 'X' characters. By default this disallows any access + as this user. When a user has a password set, the 'X' characters change + to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii + representation of the 16 byte hashed value of a user's password.</P +><P +>To set a user to have no password (not recommended), edit the file + using vi, and replace the first 11 characters with the ascii text + <TT +CLASS="CONSTANT" +>"NO PASSWORD"</TT +> (minus the quotes).</P +><P +>For example, to clear the password for user bob, his smbpasswd file + entry would look like :</P +><P +><PRE +CLASS="PROGRAMLISTING" +> bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell + </PRE +></P +><P +>If you are allowing users to use the smbpasswd command to set + their own passwords, you may want to give users NO PASSWORD initially + so they do not have to enter a previous password when changing to their + new password (not recommended). In order for you to allow this the + <B +CLASS="COMMAND" +>smbpasswd</B +> program must be able to connect to the + <B +CLASS="COMMAND" +>smbd</B +> daemon as that user with no password. Enable this + by adding the line :</P +><P +><B +CLASS="COMMAND" +>null passwords = yes</B +></P +><P +>to the [global] section of the smb.conf file (this is why + the above scenario is not recommended). Preferably, allocate your + users a default password to begin with, so you do not have + to enable this on your server.</P +><P +><I +CLASS="EMPHASIS" +>Note : </I +>This file should be protected very + carefully. Anyone with access to this file can (with enough knowledge of + the protocols) gain access to your SMB server. The file is thus more + sensitive than a normal unix <TT +CLASS="FILENAME" +>/etc/passwd</TT +> file.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN320" +>The smbpasswd Command</A +></H1 +><P +>The smbpasswd command maintains the two 32 byte password fields + in the smbpasswd file. If you wish to make it similar to the unix + <B +CLASS="COMMAND" +>passwd</B +> or <B +CLASS="COMMAND" +>yppasswd</B +> programs, + install it in <TT +CLASS="FILENAME" +>/usr/local/samba/bin/</TT +> (or your + main Samba binary directory).</P +><P +>Note that as of Samba 1.9.18p4 this program <I +CLASS="EMPHASIS" +>MUST NOT + BE INSTALLED</I +> setuid root (the new <B +CLASS="COMMAND" +>smbpasswd</B +> + code enforces this restriction so it cannot be run this way by + accident).</P +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> now works in a client-server mode + where it contacts the local smbd to change the user's password on its + behalf. This has enormous benefits - as follows.</P +><P +></P +><UL +><LI +><P +>smbpasswd no longer has to be setuid root - + an enormous range of potential security problems is + eliminated.</P +></LI +><LI +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> now has the capability + to change passwords on Windows NT servers (this only works when + the request is sent to the NT Primary Domain Controller if you + are changing an NT Domain user's password).</P +></LI +></UL +><P +>To run smbpasswd as a normal user just type :</P +><P +><TT +CLASS="PROMPT" +>$ </TT +><TT +CLASS="USERINPUT" +><B +>smbpasswd</B +></TT +></P +><P +><TT +CLASS="PROMPT" +>Old SMB password: </TT +><TT +CLASS="USERINPUT" +><B +><type old value here - + or hit return if there was no old password></B +></TT +></P +><P +><TT +CLASS="PROMPT" +>New SMB Password: </TT +><TT +CLASS="USERINPUT" +><B +><type new value> + </B +></TT +></P +><P +><TT +CLASS="PROMPT" +>Repeat New SMB Password: </TT +><TT +CLASS="USERINPUT" +><B +><re-type new value + </B +></TT +></P +><P +>If the old value does not match the current value stored for + that user, or the two new values do not match each other, then the + password will not be changed.</P +><P +>If invoked by an ordinary user it will only allow the user + to change his or her own Samba password.</P +><P +>If run by the root user smbpasswd may take an optional + argument, specifying the user name whose SMB password you wish to + change. Note that when run as root smbpasswd does not prompt for + or check the old password value, thus allowing root to set passwords + for users who have forgotten their passwords.</P +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> is designed to work in the same way + and be familiar to UNIX users who use the <B +CLASS="COMMAND" +>passwd</B +> or + <B +CLASS="COMMAND" +>yppasswd</B +> commands.</P +><P +>For more details on using <B +CLASS="COMMAND" +>smbpasswd</B +> refer + to the man page which will always be the definitive reference.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN359" +>Setting up Samba to support LanManager Encryption</A +></H1 +><P +>This is a very brief description on how to setup samba to + support password encryption. </P +><P +></P +><OL +TYPE="1" +><LI +><P +>compile and install samba as usual</P +></LI +><LI +><P +>enable encrypted passwords in <TT +CLASS="FILENAME" +> smb.conf</TT +> by adding the line <B +CLASS="COMMAND" +>encrypt + passwords = yes</B +> in the [global] section</P +></LI +><LI +><P +>create the initial <TT +CLASS="FILENAME" +>smbpasswd</TT +> + password file in the place you specified in the Makefile + (--prefix=<dir>). See the notes under the <A +HREF="#SMBPASSWDFILEFORMAT" +>The smbpasswd File</A +> + section earlier in the document for details.</P +></LI +></OL +><P +>Note that you can test things using smbclient.</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="AEN374" +>Chapter 3. Hosting a Microsoft Distributed File System tree on Samba</A ></H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN209" ->HOWTO</A +NAME="AEN385" +>Instructions</A ></H1 ><P >The Distributed File System (or Dfs) provides a means of @@ -1257,53 +1952,53 @@ CLASS="USERINPUT" on the Samba server at \\samba\dfs. Accessing links linka or linkb (which appear as directories to the client) takes users directly to the appropriate shares on the network.</P -></DIV ><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" +CLASS="SECT2" +><HR><H2 +CLASS="SECT2" ><A -NAME="AEN243" ->NOTES</A -></H1 +NAME="AEN419" +>Notes</A +></H2 ><P ></P ><UL ><LI ><P >Windows clients need to be rebooted - if a previously mounted non-dfs share is made a dfs - root or vice versa. A better way is to introduce a - new share and make it the dfs root.</P + if a previously mounted non-dfs share is made a dfs + root or vice versa. A better way is to introduce a + new share and make it the dfs root.</P ></LI ><LI ><P >Currently there's a restriction that msdfs - symlink names should all be lowercase.</P + symlink names should all be lowercase.</P ></LI ><LI ><P >For security purposes, the directory - acting as the root of the Dfs tree should have ownership - and permissions set so that only designated users can - modify the symbolic links in the directory.</P + acting as the root of the Dfs tree should have ownership + and permissions set so that only designated users can + modify the symbolic links in the directory.</P ></LI ></UL ></DIV ></DIV +></DIV ><DIV CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN252" ->Chapter 3. Printing Support in Samba 2.2.x</A +NAME="AEN428" +>Chapter 4. Printing Support in Samba 2.2.x</A ></H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN254" +NAME="AEN439" >Introduction</A ></H1 ><P @@ -1363,7 +2058,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN271" +NAME="AEN456" >Configuration</A ></H1 ><P @@ -1640,7 +2335,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN325" +NAME="AEN510" >The Imprints Toolset</A ></H1 ><P @@ -1658,7 +2353,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN329" +NAME="AEN514" >What is Imprints?</A ></H2 ><P @@ -1690,7 +2385,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN339" +NAME="AEN524" >Creating Printer Driver Packages</A ></H2 ><P @@ -1706,7 +2401,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN342" +NAME="AEN527" >The Imprints server</A ></H2 ><P @@ -1727,7 +2422,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN346" +NAME="AEN531" >The Installation Client</A ></H2 ><P @@ -1822,7 +2517,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN368" +NAME="AEN553" ><A NAME="MIGRATION" ></A @@ -1946,15 +2641,15 @@ CLASS="FILENAME" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN396" ->Chapter 4. security = domain in Samba 2.x</A +NAME="AEN581" +>Chapter 5. security = domain in Samba 2.x</A ></H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN398" +NAME="AEN592" >Joining an NT Domain with Samba 2.2</A ></H1 ><P @@ -2039,11 +2734,11 @@ CLASS="REPLACEABLE" ><I ><NT DOMAIN NAME></I ></TT ->. - <TT +>.<TT CLASS="REPLACEABLE" ><I -><Samba Server Name></I +><Samba + Server Name></I ></TT >.mac</TT ></P @@ -2177,7 +2872,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN461" +NAME="AEN655" >Why is this better than security = server?</A ></H1 ><P @@ -2254,15 +2949,15 @@ TARGET="_top" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN475" ->Chapter 5. UNIX Permission Bits and WIndows NT Access Control Lists</A +NAME="AEN669" +>Chapter 6. UNIX Permission Bits and WIndows NT Access Control Lists</A ></H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN477" +NAME="AEN680" >Viewing and changing UNIX permissions using the NT security dialogs</A ></H1 @@ -2301,7 +2996,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN486" +NAME="AEN689" >How to view file security on a Samba share</A ></H1 ><P @@ -2353,7 +3048,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN497" +NAME="AEN700" >Viewing file ownership</A ></H1 ><P @@ -2441,7 +3136,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN517" +NAME="AEN720" >Viewing file or directory permissions</A ></H1 ><P @@ -2503,7 +3198,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN532" +NAME="AEN735" >File Permissions</A ></H2 ><P @@ -2565,7 +3260,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN546" +NAME="AEN749" >Directory Permissions</A ></H2 ><P @@ -2597,7 +3292,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN553" +NAME="AEN756" >Modifying file or directory permissions</A ></H1 ><P @@ -2695,7 +3390,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN575" +NAME="AEN778" >Interaction with the standard Samba create mask parameters</A ></H1 @@ -2969,7 +3664,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN639" +NAME="AEN842" >Interaction with the standard Samba file attribute mapping</A ></H1 |