author Gerald Carter <jerry@samba.org> 2001-05-21 08:34:49 +0000
committer Gerald Carter <jerry@samba.org> 2001-05-21 08:34:49 +0000
commit 46ed5a6acde3b2b43ee4c32ff4ace950dba79b8c
tree 33ee571e2f69e56c71111dbc9995220b2024e0b1 /docs/htmldocs
parent 72461f96dd72bb5ba06c11281585e79e94580f48
working on updates for the 2.2.1 release
Diffstat (limited to 'docs/htmldocs')
-rw-r--r-- docs/htmldocs/Samba-HOWTO-Collection.html 931
-rw-r--r-- docs/htmldocs/Samba-PDC-HOWTO.html 520
-rw-r--r-- docs/htmldocs/printer_driver2.html 263
-rw-r--r-- docs/htmldocs/rpcclient.1.html 2
4 files changed, 1106 insertions, 610 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index 401f4272159..4f1bd067c0d 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -376,193 +376,198 @@ HREF="#AEN764"
><DT
>6.1. <A
HREF="#AEN781"
->Background</A
+>Prerequisite Reading</A
></DT
><DT
>6.2. <A
-HREF="#AEN819"
->Configuring the Samba Domain Controller</A
+HREF="#AEN787"
+>Background</A
></DT
><DT
>6.3. <A
-HREF="#AEN862"
->Creating Machine Trust Accounts and Joining Clients
-to the Domain</A
+HREF="#AEN827"
+>Configuring the Samba Domain Controller</A
></DT
><DT
>6.4. <A
-HREF="#AEN900"
->Common Problems and Errors</A
-></DT
-><DT
->6.5. <A
-HREF="#AEN942"
->System Policies and Profiles</A
-></DT
-><DT
->6.6. <A
-HREF="#AEN982"
->What other help can I get ?</A
+HREF="#AEN870"
+>Creating Machine Trust Accounts and Joining Clients
+to the Domain</A
></DT
><DD
><DL
><DT
->6.6.1. <A
-HREF="#AEN1029"
->URLs and similar</A
+>6.4.1. <A
+HREF="#AEN884"
+>Manually creating machine trust accounts</A
></DT
><DT
->6.6.2. <A
-HREF="#AEN1053"
->Mailing Lists</A
+>6.4.2. <A
+HREF="#AEN912"
+>Creating machine trust accounts "on the fly"</A
></DT
></DL
></DD
><DT
+>6.5. <A
+HREF="#AEN923"
+>Common Problems and Errors</A
+></DT
+><DT
+>6.6. <A
+HREF="#AEN971"
+>System Policies and Profiles</A
+></DT
+><DT
>6.7. <A
-HREF="#AEN1092"
+HREF="#AEN1015"
+>What other help can I get ?</A
+></DT
+><DT
+>6.8. <A
+HREF="#AEN1129"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
></DD
><DT
>7. <A
-HREF="#AEN1116"
+HREF="#AEN1154"
>Unifed Logons between Windows NT and UNIX using Winbind</A
></DT
><DD
><DL
><DT
>7.1. <A
-HREF="#AEN1134"
+HREF="#AEN1172"
>Abstract</A
></DT
><DT
>7.2. <A
-HREF="#AEN1138"
+HREF="#AEN1176"
>Introduction</A
></DT
><DT
>7.3. <A
-HREF="#AEN1151"
+HREF="#AEN1189"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
>7.3.1. <A
-HREF="#AEN1158"
+HREF="#AEN1196"
>Target Uses</A
></DT
></DL
></DD
><DT
>7.4. <A
-HREF="#AEN1162"
+HREF="#AEN1200"
>How Winbind Works</A
></DT
><DD
><DL
><DT
>7.4.1. <A
-HREF="#AEN1167"
+HREF="#AEN1205"
>Microsoft Remote Procedure Calls</A
></DT
><DT
>7.4.2. <A
-HREF="#AEN1171"
+HREF="#AEN1209"
>Name Service Switch</A
></DT
><DT
>7.4.3. <A
-HREF="#AEN1187"
+HREF="#AEN1225"
>Pluggable Authentication Modules</A
></DT
><DT
>7.4.4. <A
-HREF="#AEN1195"
+HREF="#AEN1233"
>User and Group ID Allocation</A
></DT
><DT
>7.4.5. <A
-HREF="#AEN1199"
+HREF="#AEN1237"
>Result Caching</A
></DT
></DL
></DD
><DT
>7.5. <A
-HREF="#AEN1202"
+HREF="#AEN1240"
>Installation and Configuration</A
></DT
><DT
>7.6. <A
-HREF="#AEN1208"
+HREF="#AEN1246"
>Limitations</A
></DT
><DT
>7.7. <A
-HREF="#AEN1220"
+HREF="#AEN1258"
>Conclusion</A
></DT
></DL
></DD
><DT
>8. <A
-HREF="#AEN1223"
+HREF="#AEN1261"
>UNIX Permission Bits and WIndows NT Access Control Lists</A
></DT
><DD
><DL
><DT
>8.1. <A
-HREF="#AEN1234"
+HREF="#AEN1272"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>8.2. <A
-HREF="#AEN1243"
+HREF="#AEN1281"
>How to view file security on a Samba share</A
></DT
><DT
>8.3. <A
-HREF="#AEN1254"
+HREF="#AEN1292"
>Viewing file ownership</A
></DT
><DT
>8.4. <A
-HREF="#AEN1274"
+HREF="#AEN1312"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
>8.4.1. <A
-HREF="#AEN1289"
+HREF="#AEN1327"
>File Permissions</A
></DT
><DT
>8.4.2. <A
-HREF="#AEN1303"
+HREF="#AEN1341"
>Directory Permissions</A
></DT
></DL
></DD
><DT
>8.5. <A
-HREF="#AEN1310"
+HREF="#AEN1348"
>Modifying file or directory permissions</A
></DT
><DT
>8.6. <A
-HREF="#AEN1332"
+HREF="#AEN1370"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>8.7. <A
-HREF="#AEN1396"
+HREF="#AEN1434"
>Interaction with the standard Samba file attribute
mapping</A
></DT
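Review bot: every `#AENnnn` target in this table of contents is renumbered (for example `#AEN819` becomes `#AEN827` for "Configuring the Samba Domain Controller"), so any bookmark or cross-document link to an old fragment will now land on a different section or on nothing. Named anchors for the chapter headings would keep links stable across edits. The unchanged entries "Unifed Logons between Windows NT and UNIX using Winbind" and "UNIX Permission Bits and WIndows NT Access Control Lists" also still carry typos ("Unified", "Windows") that could be fixed in the same pass.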
@@ -570,39 +575,39 @@ HREF="#AEN1396"
></DD
><DT
>9. <A
-HREF="#AEN1406"
+HREF="#AEN1444"
>OS2 Client HOWTO</A
></DT
><DD
><DL
><DT
>9.1. <A
-HREF="#AEN1417"
+HREF="#AEN1455"
>FAQs</A
></DT
><DD
><DL
><DT
>9.1.1. <A
-HREF="#AEN1419"
+HREF="#AEN1457"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>9.1.2. <A
-HREF="#AEN1434"
+HREF="#AEN1472"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>9.1.3. <A
-HREF="#AEN1443"
+HREF="#AEN1481"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>9.1.4. <A
-HREF="#AEN1447"
+HREF="#AEN1485"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -3099,7 +3104,7 @@ CLASS="FILENAME"
></P
><P
>will reveal that Windows NT always uses the NT driver
- name. The is ok as Windows NT always requires that at least
+ name. This is ok as Windows NT always requires that at least
the Windows NT version of the printer driver is present.
However, Samba does not have the requirement internally.
Therefore, how can you use the NT driver name if is has not
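Review bot: the last context line of this hunk still reads "if is has not", which should be "if it has not"; correcting "The is ok" to "This is ok" fixes only one of the typos in this paragraph.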
@@ -3648,7 +3653,35 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN781"
->6.1. Background</A
+>6.1. Prerequisite Reading</A
+></H1
+><P
+>Before you continue readingin this chapter, please make sure
+that you are comfortable with configuring basic files services
+in smb.conf and how to enable and administrate password
+encryption in Samba. Theses two topics are covered in the
+<A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+></A
+>
+manpage and the <A
+HREF="EMCRYPTION.html"
+TARGET="_top"
+>Encryption chapter</A
+>
+of this HOWTO Collection.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN787"
+>6.2. Background</A
></H1
><DIV
CLASS="NOTE"
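Review bot: the new link `HREF="EMCRYPTION.html"` in the Prerequisite Reading paragraph looks like a misspelling of the target for the "Encryption chapter"; check it against the actual file name, otherwise the link is dead. The same paragraph has "readingin" (missing space), "basic files services" (should be "file services") and "Theses two topics" (should be "These").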
@@ -3666,14 +3699,30 @@ Both documents are superceeded by this one.</P
></DIV
><P
>Version of Samba prior to release 2.2 had marginal capabilities to
-act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
-functionality should work in 2.2:</P
+act as a Windows NT 4.0 Primary Domain Controller (PDC). Beginning with
+Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
+style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
+SP1) clients. This article outlines the steps necessary for configuring Samba
+as a PDC. It is necessary to have a working Samba server prior to implementing the
+PDC functionality. If you have not followed the steps outlined in
+<A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+> UNIX_INSTALL.html</A
+>, please make sure
+that your server is configured correctly before proceeding. Another good
+resource in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5) man
+page</A
+>. The following functionality should work in 2.2:</P
><P
></P
><UL
><LI
><P
-> domain logons for Windows NT 4.0/2000 clients
+> domain logons for Windows NT 4.0/2000 clients.
</P
></LI
><LI
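Review bot: the relocated paragraph carries over "Another good resource in the smb.conf(5) man page", where "in" should be "is", and the unchanged opening "Version of Samba prior to release 2.2" should be "Versions". The paragraph now runs from release history through prerequisites to "The following functionality should work in 2.2:", so consider giving that list lead-in its own paragraph.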
@@ -3698,6 +3747,32 @@ functionality should work in 2.2:</P
</P
></LI
></UL
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Windows 2000 Service Pack 2 Clients</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> Samba 2.2.1 is required for PDC functionality when using Windows 2000
+ SP2 clients.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
><P
>The following pieces of functionality are not included in the 2.2 release:</P
><P
@@ -3733,25 +3808,6 @@ support Windows 9x style domain logons is completely different
from NT4 domain logons and has been officially supported for some
time.</P
><P
->Beginning with Samba 2.2.0, we are proud to announce official
-support for Windows NT 4.0 style domain logons from Windows NT
-4.0 and Windows 2000 (including SP1) clients. This article
-outlines the steps necessary for configuring Samba as a PDC.
-It is necessary to have a working Samba server prior to implementing the
-PDC functionality. If you have not followed the steps outlined in
-<A
-HREF="UNIX_INSTALL.html"
-TARGET="_top"
-> UNIX_INSTALL.html</A
->, please make sure
-that your server is configured correctly before proceeding. Another good
-resource in the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
->smb.conf(5) man
-page</A
->.</P
-><P
>Implementing a Samba PDC can basically be divided into 2 broad
steps.</P
><P
@@ -3781,8 +3837,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN819"
->6.2. Configuring the Samba Domain Controller</A
+NAME="AEN827"
+>6.3. Configuring the Samba Domain Controller</A
></H1
><P
>The first step in creating a working Samba PDC is to
@@ -3976,7 +4032,9 @@ CLASS="FILENAME"
><LI
><P
> The server must be the domain master browser in order for Windows
- client to locate the server as a DC.
+ client to locate the server as a DC. Please refer to the various
+ Network Browsing documentation included with this distribution for
+ details.
</P
></LI
></UL
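Review bot: "Please refer to the various Network Browsing documentation included with this distribution" names no file and carries no link, unlike the other cross-references in this chapter, which use an `<A HREF=...>`; point at the specific document. The unchanged line above it also needs "Windows client to locate" changed to "Windows clients to locate".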
@@ -4001,26 +4059,39 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN862"
->6.3. Creating Machine Trust Accounts and Joining Clients
+NAME="AEN870"
+>6.4. Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
><P
->A machine trust account is a user account owned by a computer.
+>A machine trust account is a samba user account owned by a computer.
The account password acts as the shared secret for secure
-communication with the Domain Controller. Hence the reason that
-a Windows 9x host is never a true member of a domain because
-it does not posses a machine trust account and thus has no shared
-secret with the DC.</P
+communication with the Domain Controller. This is a security feature
+to prevent an unauthorized machine with the same netbios name from
+joining the domain and gaining access to domain user/group accounts.
+Hence a Windows 9x host is never a true member of a domain because it does
+not posses a machine trust account, and thus has no shared secret with the DC.</P
><P
>On a Windows NT PDC, these machine trust account passwords are stored
-in the registry. A Samba PDC stores these accounts in he same location
+in the registry. A Samba PDC stores these accounts in the same location
as user LanMan and NT password hashes (currently <TT
CLASS="FILENAME"
>smbpasswd</TT
>).
However, machine trust accounts only possess and use the NT password hash.</P
><P
+>Because Samba requires machine accounts to possess a UNIX uid from
+which an Windows NT SID can be generated, all of these accounts
+must have an entry in <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> and smbpasswd.
+Future releases will alleviate the need to create
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entries. </P
+><P
>There are two means of creating machine trust accounts.</P
><P
></P
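Review bot: the rewritten first paragraph keeps "does not posses a machine trust account" (should be "possess"), and the moved paragraph keeps "an Windows NT SID" (should be "a Windows NT SID"). "samba user account" and "netbios name" in the added lines should be written "Samba" and "NetBIOS" for consistency with the product names used elsewhere in the chapter.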
@@ -4037,22 +4108,42 @@ However, machine trust accounts only possess and use the NT password hash.</P
> Creation of the account at the time of joining the domain. In
this case, the session key of the administrative account used to join
the client to the domain acts as an encryption key for setting the
- password to a random value.
+ password to a random value (This is the recommended method).
</P
></LI
></UL
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN884"
+>6.4.1. Manually creating machine trust accounts</A
+></H2
><P
->Because Samba requires machine accounts to possess a UNIX uid from
-which an Windows NT SID can be generated, all of these accounts
-will have an entry in <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> and smbpasswd.
-Future releases will alleviate the need to create
-<TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entries.</P
+>The first step in creating a machine trust account by hand is to
+create an entry for the machine in /etc/passwd. This can be done
+using <B
+CLASS="COMMAND"
+>vipw</B
+> or any 'add userr' command which is normally
+used to create new UNIX accounts. The following is an example for a Linux
+based Samba server:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+> -m -s /bin/false <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$</P
><P
>The <TT
CLASS="FILENAME"
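Review bot: the `useradd` example combines `-d /dev/null` with `-m`, and `-m` asks useradd to create the home directory, which makes no sense for a machine account whose home is `/dev/null`; drop `-m`. Also "'add userr' command" should read "'add user' command", and the parenthetical "(This is the recommended method)" should either follow the full stop or be lower-cased inside the sentence.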
@@ -4073,23 +4164,43 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE
+>doppy$:x:505:501:<TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+>:/dev/null:/bin/false</PRE
></TD
></TR
></TABLE
></P
><P
->If you are manually creating the machine accounts, it is necessary
-to add the <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> (or NIS passwd
-map) entry prior to adding the <TT
-CLASS="FILENAME"
->smbpasswd</TT
->
-entry. The following command will create a new machine account
-ready for use.</P
+>Above, <TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+> can be any descriptive name for the
+pc i.e. BasementComputer. The <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+> absolutely must be
+the netbios name of the pc to be added to the domain. The "$" must append the netbios
+name of the pc or samba will not recognize this as a machine account</P
+><P
+>Now that the UNIX account has been created, the next step is to create
+the smbpasswd entry for the machine containing the well known initial
+trust account password. This can be done using the <A
+HREF="smbpasswd.6.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+> command
+as shown here:</P
><P
><TT
CLASS="PROMPT"
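Review bot: the smbpasswd link uses `HREF="smbpasswd.6.html"` while its link text says `smbpasswd(8)`; one of the two section numbers is wrong, so check the target. The sample passwd line shows gid 501 while the `useradd` example earlier in this section uses `-g 100`, so the two examples do not describe the same account. The sentence ending "samba will not recognize this as a machine account" is missing its full stop, and "The "$" must append the netbios name" should say that the "$" must be appended to the name.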
@@ -4107,23 +4218,57 @@ CLASS="REPLACEABLE"
>machine_name</I
></TT
> is the machine's netbios
-name.</P
+name. </P
+><DIV
+CLASS="WARNING"
><P
-><EM
->If you manually create a machine account, immediately join
-the client to the domain.</EM
-> An open account like this
-can allow intruders to gain access to user account information
-in your domain.</P
-><P
->The second way of creating machine trust accounts is to add
-them on the fly at the time the client is joined to the domain.
-You will need to include a value for the <A
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Join the client to the domain immediately</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> Manually creating a machine trust account using this method is the
+ equivalent of creating a machine account on a Windows NT PDC using
+ the "Server Manager". From the time at which the account is created
+ to the time which th client joins the domain and changes the password,
+ your domain is vulnerable to an intruder joining your domain using a
+ a machine with the same netbios name. A PDC inherently trusts
+ members of the domain and will serve out a large degree of user
+ information to such clients. You have been warned!
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN912"
+>6.4.2. Creating machine trust accounts "on the fly"</A
+></H2
+><P
+>The second, and most recommended way of creating machine trust accounts
+is to create them as needed at the time the client is joined to
+the domain. You will need to include a value for the <A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
>
-parameter. Below is an example I use on a RedHat 6.2 Linux system.</P
+parameter. Below is an example from a RedHat 6.2 Linux system.</P
><P
><TABLE
BORDER="0"
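Review bot: the warning body describes the exposure window but leaves the required action only in the box title; restate in the body that the client must be joined immediately after the account is created, as the removed `<EM>` sentence did. Typos in the added text: "th client" ("the client"), "using a" followed by "a machine" (doubled "a"), and "to the time which" ("to the time at which"). In the next section, "The second, and most recommended way" reads better as "The second, and recommended, way".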
@@ -4139,10 +4284,10 @@ CLASS="PROGRAMLISTING"
></TABLE
></P
><P
->In Samba 2.2, <EM
+>In Samba 2.2.1, <EM
>only the root account</EM
> can be used to create
-machine accounts on the fly like this. Therefore, it is required to create
+machine accounts like this. Therefore, it is required to create
an entry in smbpasswd for <EM
>root</EM
>. The password
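Review bot: changing "In Samba 2.2" to "In Samba 2.2.1" makes the root-only restriction read as specific to 2.2.1 and leaves readers on 2.2.0 without a statement; if it applies to the whole series, say so explicitly, and if it differs between 2.2.0 and 2.2.1, state the difference.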
@@ -4154,178 +4299,213 @@ CLASS="FILENAME"
>/etc/passwd</TT
> entry for security reasons.</P
></DIV
+></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN900"
->6.4. Common Problems and Errors</A
+NAME="AEN923"
+>6.5. Common Problems and Errors</A
></H1
><P
></P
><P
-><EM
->I cannot include a '$' in a machine name.</EM
></P
+><UL
+><LI
><P
->A 'machine name' in (typically) <TT
+> <EM
+>I cannot include a '$' in a machine name.</EM
+>
+ </P
+><P
+> A 'machine name' in (typically) <TT
CLASS="FILENAME"
>/etc/passwd</TT
>
-of the machine name with a '$' appended. FreeBSD (and other BSD
-systems ?) won't create a user with a '$' in their name.</P
+ of the machine name with a '$' appended. FreeBSD (and other BSD
+ systems ?) won't create a user with a '$' in their name.
+ </P
><P
->The problem is only in the program used to make the entry, once
-made, it works perfectly. So create a user without the '$' and
-use <B
+> The problem is only in the program used to make the entry, once
+ made, it works perfectly. So create a user without the '$' and
+ use <B
CLASS="COMMAND"
>vipw</B
> to edit the entry, adding the '$'. Or create
-the whole entry with vipw if you like, make sure you use a
-unique uid !</P
+ the whole entry with vipw if you like, make sure you use a
+ unique uid !
+ </P
+></LI
+><LI
><P
-><EM
+> <EM
>I get told "You already have a connection to the Domain...."
-or "Cannot join domain, the credentials supplied conflict with an
-existing set.." when creating a machine account.</EM
-></P
+ or "Cannot join domain, the credentials supplied conflict with an
+ existing set.." when creating a machine account.</EM
+>
+ </P
><P
->This happens if you try to create a machine account from the
-machine itself and already have a connection (e.g. mapped drive)
-to a share (or IPC$) on the Samba PDC. The following command
-will remove all network drive connections:</P
+> This happens if you try to create a machine account from the
+ machine itself and already have a connection (e.g. mapped drive)
+ to a share (or IPC$) on the Samba PDC. The following command
+ will remove all network drive connections:
+ </P
><P
-><TT
+> <TT
CLASS="PROMPT"
>C:\WINNT\&#62;</TT
> <B
CLASS="COMMAND"
>net use * /d</B
-></P
+>
+ </P
><P
->Further, if the machine is a already a 'member of a workgroup' that
-is the same name as the domain you are joining (bad idea) you will
-get this message. Change the workgroup name to something else, it
-does not matter what, reboot, and try again.</P
+> Further, if the machine is a already a 'member of a workgroup' that
+ is the same name as the domain you are joining (bad idea) you will
+ get this message. Change the workgroup name to something else, it
+ does not matter what, reboot, and try again.
+ </P
+></LI
+><LI
><P
-><EM
->"The system can not log you on (C000019B)...."</EM
-></P
+> <EM
+>The system can not log you on (C000019B)....</EM
+>
+ </P
><P
>I joined the domain successfully but after upgrading
-to a newer version of the Samba code I get the message, "The system
-can not log you on (C000019B), Please try a gain or consult your
-system administrator" when attempting to logon.</P
+ to a newer version of the Samba code I get the message, "The system
+ can not log you on (C000019B), Please try a gain or consult your
+ system administrator" when attempting to logon.
+ </P
><P
->This occurs when the domain SID stored in
-<TT
+> This occurs when the domain SID stored in
+ <TT
CLASS="FILENAME"
>private/WORKGROUP.SID</TT
> is
-changed. For example, you remove the file and <B
+ changed. For example, you remove the file and <B
CLASS="COMMAND"
>smbd</B
> automatically
-creates a new one. Or you are swapping back and forth between
-versions 2.0.7, TNG and the HEAD branch code (not recommended). The
-only way to correct the problem is to restore the original domain
-SID or remove the domain client from the domain and rejoin.</P
+ creates a new one. Or you are swapping back and forth between
+ versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+ only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin.
+ </P
+></LI
+><LI
><P
-><EM
->"The machine account for this computer either does not
-exist or is not accessible."</EM
-></P
+> <EM
+>The machine account for this computer either does not
+ exist or is not accessible.</EM
+>
+ </P
><P
->When I try to join the domain I get the message "The machine account
-for this computer either does not exist or is not accessible". Whats
-wrong ?</P
+> When I try to join the domain I get the message "The machine account
+ for this computer either does not exist or is not accessible". Whats
+ wrong?
+ </P
><P
->This problem is caused by the PDC not having a suitable machine account.
-If you are using the <TT
+> This problem is caused by the PDC not having a suitable machine account.
+ If you are using the <TT
CLASS="PARAMETER"
><I
>add user script</I
></TT
> method to create
-accounts then this would indicate that it has not worked. Ensure the domain
-admin user system is working.</P
-><P
->Alternatively if you are creating account entries manually then they
-have not been created correctly. Make sure that you have the entry
-correct for the machine account in smbpasswd file on the Samba PDC.
-If you added the account using an editor rather than using the smbpasswd
-utility, make sure that the account name is the machine netbios name
-with a '$' appended to it ( ie. computer_name$ ). There must be an entry
-in both /etc/passwd and the smbpasswd file. Some people have reported
-that inconsistent subnet masks between the Samba server and the NT
-client have caused this problem. Make sure that these are consistent
-for both client and server.</P
+ accounts then this would indicate that it has not worked. Ensure the domain
+ admin user system is working.
+ </P
><P
-><EM
+> Alternatively if you are creating account entries manually then they
+ have not been created correctly. Make sure that you have the entry
+ correct for the machine account in smbpasswd file on the Samba PDC.
+ If you added the account using an editor rather than using the smbpasswd
+ utility, make sure that the account name is the machine netbios name
+ with a '$' appended to it ( ie. computer_name$ ). There must be an entry
+ in both /etc/passwd and the smbpasswd file. Some people have reported
+ that inconsistent subnet masks between the Samba server and the NT
+ client have caused this problem. Make sure that these are consistent
+ for both client and server.
+ </P
+></LI
+><LI
+><P
+> <EM
>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
-I get a message about my account being disabled.</EM
-></P
+ I get a message about my account being disabled.</EM
+>
+ </P
><P
->This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
-fixed in 2.2.1. Other symptoms could be unaccessible shares on
-NT/W2K member servers in the domain or the following error in your smbd.log:
-passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%</P
+> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
+ fixed in 2.2.1. Other symptoms could be unaccessible shares on
+ NT/W2K member servers in the domain or the following error in your smbd.log:
+ passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
+ </P
><P
->At first be ensure to enable the useraccounts with <B
+> At first be ensure to enable the useraccounts with <B
CLASS="COMMAND"
>smbpasswd -e
-%user%</B
->, this is normaly done, when you create an account.</P
+ %user%</B
+>, this is normaly done, when you create an account.
+ </P
><P
->In order to work around this problem in 2.2.0, configure the
-<TT
+> In order to work around this problem in 2.2.0, configure the
+ <TT
CLASS="PARAMETER"
><I
>account</I
></TT
> control flag in
-<TT
+ <TT
CLASS="FILENAME"
>/etc/pam.d/samba</TT
-> file as follows:</P
+> file as follows:
+ </P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
-WIDTH="100%"
+WIDTH="90%"
><TR
><TD
><PRE
CLASS="PROGRAMLISTING"
->account required pam_permit.so</PRE
+> account required pam_permit.so
+ </PRE
></TD
></TR
></TABLE
></P
><P
->If you want to remain backward compatibility to samba 2.0.x use
-<TT
+> If you want to remain backward compatibility to samba 2.0.x use
+ <TT
CLASS="FILENAME"
>pam_permit.so</TT
>, it's also possible to use
-<TT
+ <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
>. There are some bugs if you try to
-use <TT
+ use <TT
CLASS="FILENAME"
>pam_unix.so</TT
>, if you need this, be ensure to use
-the most recent version of this file.</P
+ the most recent version of this file.
+ </P
+></LI
+></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN942"
->6.5. System Policies and Profiles</A
+NAME="AEN971"
+>6.6. System Policies and Profiles</A
></H1
><P
>Much of the information necessary to implement System Policies and
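Review bot: the PAM item keeps the workaround `account required pam_permit.so` without saying that it should be reverted once the server runs 2.2.1, where the text says the bug is fixed; since pam_permit.so accepts every account check, add a sentence telling readers to restore their normal account module after upgrading. The conversion to a list also dropped the quotation marks from the "The system can not log you on (C000019B)...." and "The machine account for this computer..." titles while the second item keeps its quotes, and the line ">I joined the domain successfully but after upgrading" did not get the leading space the other paragraphs gained. Carried-over wording still needs fixing: "A 'machine name' in (typically) /etc/passwd of the machine name" lacks a verb, and "Please try a gain", "At first be ensure" and "normaly" are typos.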
@@ -4340,92 +4520,107 @@ Profiles and Policies in Windows NT 4.0</A
><P
>Here are some additional details:</P
><P
-><EM
->What about Windows NT Policy Editor ?</EM
></P
+><UL
+><LI
+><P
+> <EM
+>What about Windows NT Policy Editor ?</EM
+>
+ </P
><P
->To create or edit <TT
+> To create or edit <TT
CLASS="FILENAME"
>ntconfig.pol</TT
> you must use
-the NT Server Policy Editor, <B
+ the NT Server Policy Editor, <B
CLASS="COMMAND"
>poledit.exe</B
> which
-is included with NT Server but <EM
+ is included with NT Server but <EM
>not NT Workstation</EM
>.
-There is a Policy Editor on a NTws
-but it is not suitable for creating <EM
+ There is a Policy Editor on a NTws
+ but it is not suitable for creating <EM
>Domain Policies</EM
>.
-Further, although the Windows 95
-Policy Editor can be installed on an NT Workstation/Server, it will not
-work with NT policies because the registry key that are set by the policy templates.
-However, the files from the NT Server will run happily enough on an NTws.
-You need <TT
+ Further, although the Windows 95
+ Policy Editor can be installed on an NT Workstation/Server, it will not
+ work with NT policies because the registry key that are set by the policy templates.
+ However, the files from the NT Server will run happily enough on an NTws.
+ You need <TT
CLASS="FILENAME"
>poledit.exe, common.adm</TT
> and <TT
CLASS="FILENAME"
>winnt.adm</TT
>. It is convenient
-to put the two *.adm files in <TT
+ to put the two *.adm files in <TT
CLASS="FILENAME"
>c:\winnt\inf</TT
> which is where
-the binary will look for them unless told otherwise. Note also that that
-directory is 'hidden'.</P
+ the binary will look for them unless told otherwise. Note also that that
+ directory is 'hidden'.
+ </P
><P
->The Windows NT policy editor is also included with the
-Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
-<B
+> The Windows NT policy editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <B
CLASS="COMMAND"
>servicepackname /x</B
->, ie thats <B
+>,
+ ie thats <B
CLASS="COMMAND"
->Nt4sp6ai.exe
-/x</B
-> for service pack 6a. The policy editor, <B
+>Nt4sp6ai.exe /x</B
+> for service pack 6a. The policy editor,
+ <B
CLASS="COMMAND"
>poledit.exe</B
-> and the
-associated template files (*.adm) should
-be extracted as well. It is also possible to downloaded the policy template
-files for Office97 and get a copy of the policy editor. Another possible
-location is with the Zero Administration Kit available for download from Microsoft.</P
+> and the associated template files (*.adm) should
+ be extracted as well. It is also possible to downloaded the policy template
+ files for Office97 and get a copy of the policy editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </P
+></LI
+><LI
><P
-><EM
+> <EM
>Can Win95 do Policies ?</EM
-></P
+>
+ </P
><P
->Install the group policy handler for Win9x to pick up group
-policies. Look on the Win98 CD in <TT
+> Install the group policy handler for Win9x to pick up group
+ policies. Look on the Win98 CD in <TT
CLASS="FILENAME"
>\tools\reskit\netadmin\poledit</TT
>.
-Install group policies on a Win9x client by double-clicking
-<TT
+ Install group policies on a Win9x client by double-clicking
+ <TT
CLASS="FILENAME"
>grouppol.inf</TT
>. Log off and on again a couple of
-times and see if Win98 picks up group policies. Unfortunately this needs
-to be done on every Win9x machine that uses group policies....</P
+ times and see if Win98 picks up group policies. Unfortunately this needs
+ to be done on every Win9x machine that uses group policies....
+ </P
><P
->If group policies don't work one reports suggests getting the updated
-(read: working) grouppol.dll for Windows 9x. The group list is grabbed
-from /etc/group.</P
+> If group policies don't work one reports suggests getting the updated
+ (read: working) grouppol.dll for Windows 9x. The group list is grabbed
+ from /etc/group.
+ </P
+></LI
+><LI
><P
-><EM
+> <EM
>How do I get 'User Manager' and 'Server Manager'</EM
-></P
+>
+ </P
><P
->Since I don't need to buy an NT Server CD now, how do I get
-the 'User Manager for Domains', the 'Server Manager' ?</P
+> Since I don't need to buy an NT Server CD now, how do I get
+ the 'User Manager for Domains', the 'Server Manager' ?
+ </P
><P
->Microsoft distributes a version of
-these tools called nexus for installation on Windows 95 systems. The
-tools set includes</P
+> Microsoft distributes a version of these tools called nexus for
+ installation on Windows 95 systems. The tools set includes
+ </P
><P
></P
><UL
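Review bot: the re-indented sentence "it will not work with NT policies because the registry key that are set by the policy templates" is still incomplete, with no predicate after "templates"; finish the clause or cut it. While these lines are being touched, "ie thats", "possible to downloaded" and "one reports suggests" should also be corrected.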
@@ -4443,27 +4638,31 @@ tools set includes</P
></LI
></UL
><P
->Click here to download the archived file <A
+> Click here to download the archived file <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
-></P
+>
+ </P
><P
->The Windows NT 4.0 version of the 'User Manager for
-Domains' and 'Server Manager' are available from Microsoft via ftp
-from <A
+> The Windows NT 4.0 version of the 'User Manager for
+ Domains' and 'Server Manager' are available from Microsoft via ftp
+ from <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
-></P
+>
+ </P
+></LI
+></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN982"
->6.6. What other help can I get ?</A
+NAME="AEN1015"
+>6.7. What other help can I get ?</A
></H1
><P
>There are many sources of information available in the form
@@ -4471,10 +4670,15 @@ of mailing lists, RFC's and documentation. The docs that come
with the samba distribution contain very good explanations of
general SMB topics such as browsing.</P
><P
-><EM
->What are some diagnostics tools I can use to debug the domain logon
-process and where can I find them?</EM
></P
+><UL
+><LI
+><P
+> <EM
+>What are some diagnostics tools I can use to debug the domain logon
+ process and where can I find them?</EM
+>
+ </P
><P
> One of the best diagnostic tools for debugging problems is Samba itself.
You can use the -d option for both smbd and nmbd to specifiy what
@@ -4516,7 +4720,7 @@ CLASS="COMMAND"
></UL
><P
> An SMB enabled version of tcpdump is available from
- <A
+ <A
HREF="http://www.tcpdump.org/"
TARGET="_top"
>http://www.tcpdup.org/</A
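Review bot: this hunk only changes the whitespace before `<A`, while the link text on the last line reads "http://www.tcpdup.org/" against `HREF="http://www.tcpdump.org/"`; correct the visible text to "tcpdump.org" in the same change.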
@@ -4539,11 +4743,14 @@ TARGET="_top"
local subnet. Be aware that Ethereal can read and write netmon
formatted files.
</P
+></LI
+><LI
><P
-><EM
+> <EM
>How do I install 'Network Monitor' on an NT Workstation
-or a Windows 9x box?</EM
-></P
+ or a Windows 9x box?</EM
+>
+ </P
><P
> Installing netmon on an NT workstation requires a couple
of steps. The following are for installing Netmon V4.00.349, which comes
@@ -4638,14 +4845,11 @@ CLASS="FILENAME"
information on how to do this. Copy the files from a working
Netmon installation.
</P
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN1029"
->6.6.1. URLs and similar</A
-></H2
+></LI
+><LI
+><P
+> The following is a list if helpful URLs and other links:
+ </P
><P
></P
><UL
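Review bot: Typo in the added sentence "The following is a list if helpful URLs and other links:", which should read "a list of helpful URLs". The hunk also drops the SECT2 heading and its NAME="AEN1029" anchor, so the URL list is now reachable only by scrolling through the 6.7 list item; check that nothing else in the collection still links to the old anchor.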
@@ -4710,43 +4914,43 @@ TARGET="_top"
></P
></LI
></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN1053"
->6.6.2. Mailing Lists</A
-></H2
+></LI
+></UL
><P
-><EM
->How do I get help from the mailing lists ?</EM
></P
+><UL
+><LI
+><P
+> <EM
+>How do I get help from the mailing lists ?</EM
+>
+ </P
><P
->There are a number of Samba related mailing lists. Go to <A
+> There are a number of Samba related mailing lists. Go to <A
HREF="http://samba.org"
TARGET="_top"
>http://samba.org</A
>, click on your nearest mirror
-and then click on <B
+ and then click on <B
CLASS="COMMAND"
>Support</B
> and then click on <B
CLASS="COMMAND"
->Samba related mailing lists</B
->.</P
+> Samba related mailing lists</B
+>.
+ </P
><P
->For questions relating to Samba TNG go to
-<A
+> For questions relating to Samba TNG go to
+ <A
HREF="http://www.samba-tng.org/"
TARGET="_top"
>http://www.samba-tng.org/</A
>
-It has been requested that you don't post questions about Samba-TNG to the
-main stream Samba lists.</P
+ It has been requested that you don't post questions about Samba-TNG to the
+ main stream Samba lists.</P
><P
->If you post a message to one of the lists please observe the following guide lines :</P
+> If you post a message to one of the lists please observe the following guide lines :
+ </P
><P
></P
><UL
@@ -4813,47 +5017,75 @@ main stream Samba lists.</P
smb.conf in their attach directory ?</P
></LI
></UL
+></LI
+><LI
><P
-><EM
+> <EM
>How do I get off the mailing lists ?</EM
-></P
+>
+ </P
><P
>To have your name removed from a samba mailing list, go to the
- same place you went to to get on it. Go to <A
+ same place you went to to get on it. Go to <A
HREF="http://lists.samba.org/"
TARGET="_top"
>http://lists.samba.org</A
->, click
- on your nearest mirror and then click on <B
+>,
+ click on your nearest mirror and then click on <B
CLASS="COMMAND"
>Support</B
> and
- then click on <B
+ then click on <B
CLASS="COMMAND"
> Samba related mailing lists</B
>. Or perhaps see
- <A
+ <A
HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
TARGET="_top"
>here</A
-></P
+>
+ </P
><P
> Please don't post messages to the list asking to be removed, you will just
- be referred to the above address (unless that process failed in some way...)
- </P
-></DIV
+ be referred to the above address (unless that process failed in some way...)
+ </P
+></LI
+></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1092"
->6.7. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
+NAME="AEN1129"
+>6.8. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
+><DIV
+CLASS="WARNING"
><P
->This appendix was originally authored by John H Terpstra of the Samba Team
-and is included here for posterity.</P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Possibly Outdated Material</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> This appendix was originally authored by John H Terpstra of
+ the Samba Team and is included here for posterity.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
><P
><EM
>NOTE :</EM
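Review bot: The new WARNING box is titled "Possibly Outdated Material", but its body only says who wrote the appendix and that it is "included here for posterity". Say in the box which statements are known to be outdated for 2.2, or point the reader at the current PDC section, so an administrator does not configure domain control from the appendix by mistake.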
@@ -4869,12 +5101,9 @@ Windows NT SAM.</P
><P
>Windows NT Server can be installed as either a plain file and print server
(WORKGROUP workstation or server) or as a server that participates in Domain
-Control (DOMAIN member, Primary Domain controller or Backup Domain controller).</P
-><P
->The same is true for OS/2 Warp Server, Digital Pathworks and other similar
-products, all of which can participate in Domain Control along with Windows NT.
-However only those servers which have licensed Windows NT code in them can be
-a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)</P
+Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
+The same is true for OS/2 Warp Server, Digital Pathworks and other similar
+products, all of which can participate in Domain Control along with Windows NT.</P
><P
>To many people these terms can be confusing, so let's try to clear the air.</P
><P
@@ -4949,7 +5178,7 @@ within its registry.</P
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1116"
+NAME="AEN1154"
>Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind</A
></H1
><DIV
@@ -4957,7 +5186,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1134"
+NAME="AEN1172"
>7.1. Abstract</A
></H1
><P
@@ -4979,7 +5208,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1138"
+NAME="AEN1176"
>7.2. Introduction</A
></H1
><P
@@ -5033,7 +5262,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1151"
+NAME="AEN1189"
>7.3. What Winbind Provides</A
></H1
><P
@@ -5075,7 +5304,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1158"
+NAME="AEN1196"
>7.3.1. Target Uses</A
></H2
><P
@@ -5099,7 +5328,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1162"
+NAME="AEN1200"
>7.4. How Winbind Works</A
></H1
><P
@@ -5119,7 +5348,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1167"
+NAME="AEN1205"
>7.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
@@ -5145,7 +5374,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1171"
+NAME="AEN1209"
>7.4.2. Name Service Switch</A
></H2
><P
@@ -5224,7 +5453,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1187"
+NAME="AEN1225"
>7.4.3. Pluggable Authentication Modules</A
></H2
><P
@@ -5273,7 +5502,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1195"
+NAME="AEN1233"
>7.4.4. User and Group ID Allocation</A
></H2
><P
@@ -5299,7 +5528,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1199"
+NAME="AEN1237"
>7.4.5. Result Caching</A
></H2
><P
@@ -5322,7 +5551,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1202"
+NAME="AEN1240"
>7.5. Installation and Configuration</A
></H1
><P
@@ -5353,7 +5582,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1208"
+NAME="AEN1246"
>7.6. Limitations</A
></H1
><P
@@ -5401,7 +5630,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1220"
+NAME="AEN1258"
>7.7. Conclusion</A
></H1
><P
@@ -5417,7 +5646,7 @@ NAME="AEN1220"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1223"
+NAME="AEN1261"
>Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists</A
></H1
><DIV
@@ -5425,7 +5654,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1234"
+NAME="AEN1272"
>8.1. Viewing and changing UNIX permissions using the NT
security dialogs</A
></H1
@@ -5464,7 +5693,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1243"
+NAME="AEN1281"
>8.2. How to view file security on a Samba share</A
></H1
><P
@@ -5510,7 +5739,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1254"
+NAME="AEN1292"
>8.3. Viewing file ownership</A
></H1
><P
@@ -5596,7 +5825,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1274"
+NAME="AEN1312"
>8.4. Viewing file or directory permissions</A
></H1
><P
@@ -5658,7 +5887,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1289"
+NAME="AEN1327"
>8.4.1. File Permissions</A
></H2
><P
@@ -5720,7 +5949,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1303"
+NAME="AEN1341"
>8.4.2. Directory Permissions</A
></H2
><P
@@ -5752,7 +5981,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1310"
+NAME="AEN1348"
>8.5. Modifying file or directory permissions</A
></H1
><P
@@ -5850,7 +6079,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1332"
+NAME="AEN1370"
>8.6. Interaction with the standard Samba create mask
parameters</A
></H1
@@ -6123,7 +6352,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1396"
+NAME="AEN1434"
>8.7. Interaction with the standard Samba file attribute
mapping</A
></H1
@@ -6170,7 +6399,7 @@ CLASS="COMMAND"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1406"
+NAME="AEN1444"
>Chapter 9. OS2 Client HOWTO</A
></H1
><DIV
@@ -6178,7 +6407,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1417"
+NAME="AEN1455"
>9.1. FAQs</A
></H1
><DIV
@@ -6186,7 +6415,7 @@ CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1419"
+NAME="AEN1457"
>9.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
@@ -6245,7 +6474,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1434"
+NAME="AEN1472"
>9.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
@@ -6298,7 +6527,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1443"
+NAME="AEN1481"
>9.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
@@ -6320,7 +6549,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1447"
+NAME="AEN1485"
>9.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2
diff --git a/docs/htmldocs/Samba-PDC-HOWTO.html b/docs/htmldocs/Samba-PDC-HOWTO.html
index 668f7f9aff3..6dc467ed9ed 100644
--- a/docs/htmldocs/Samba-PDC-HOWTO.html
+++ b/docs/htmldocs/Samba-PDC-HOWTO.html
@@ -1,7 +1,7 @@
<HTML
><HEAD
><TITLE
->How to Configure Samba 2.2.x as a Primary Domain Controller</TITLE
+>How to Configure Samba 2.2 as a Primary Domain Controller</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
@@ -20,7 +20,7 @@ CLASS="TITLEPAGE"
CLASS="TITLE"
><A
NAME="AEN1"
->How to Configure Samba 2.2.x as a Primary Domain Controller</A
+>How to Configure Samba 2.2 as a Primary Domain Controller</A
></H1
><HR></DIV
><DIV
@@ -31,40 +31,53 @@ CLASS="SECT1"
NAME="AEN3"
>Background</A
></H1
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
><P
+><B
+>Note: </B
><I
CLASS="EMPHASIS"
>Author's Note :</I
-> This document
-is a combination of David Bannon's Samba 2.2 PDC HOWTO
-and the Samba NT Domain FAQ. Both documents are superceeded by this one.</P
+> This document is a combination
+of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.
+Both documents are superceeded by this one.</P
+></BLOCKQUOTE
+></DIV
><P
>Version of Samba prior to release 2.2 had marginal capabilities to
act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
-functionality should work in 2.2.0:</P
+functionality should work in 2.2:</P
><P
></P
><UL
><LI
><P
->domain logons for Windows NT 4.0/2000 clients</P
+> domain logons for Windows NT 4.0/2000 clients
+ </P
></LI
><LI
><P
->placing a Windows 9x client in user level security</P
+> placing a Windows 9x client in user level security
+ </P
></LI
><LI
><P
->retrieving a list of users and groups from a Samba PDC to
- Windows 9x/NT/2000 clients </P
+> retrieving a list of users and groups from a Samba PDC to
+ Windows 9x/NT/2000 clients
+ </P
></LI
><LI
><P
->roving user profiles</P
+> roving (roaming) user profiles
+ </P
></LI
><LI
><P
->Windows NT 4.0 style system policies</P
+> Windows NT 4.0 style system policies
+ </P
></LI
></UL
><P
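Review bot: Wrapping the paragraph in the DocBook note element produces a doubled label in the rendered output, "Note: " immediately followed by "Author's Note :". Drop the hand-written "Author's Note :" emphasis from the source now that the stylesheet supplies the label. The reflowed text also carries over the misspelling "superceeded" (superseded).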
@@ -74,21 +87,25 @@ functionality should work in 2.2.0:</P
><UL
><LI
><P
->Windows NT 4 domain trusts</P
+> Windows NT 4 domain trusts
+ </P
></LI
><LI
><P
->Sam replication with Windows NT 4.0 Domain Controllers
- (i.e. a Samba PDC and a Windows NT BDC or vice versa) </P
+> SAM replication with Windows NT 4.0 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa)
+ </P
></LI
><LI
><P
->Adding users via the User Manager for Domains</P
+> Adding users via the User Manager for Domains
+ </P
></LI
><LI
><P
->Acting as a Windows 2000 Domain Controller (i.e. Kerberos
- and Active Directory)</P
+> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
+ Active Directory)
+ </P
></LI
></UL
><P
@@ -102,14 +119,14 @@ time.</P
support for Windows NT 4.0 style domain logons from Windows NT
4.0 and Windows 2000 (including SP1) clients. This article
outlines the steps necessary for configuring Samba as a PDC.
-Note that it is necessary to have a working Samba server
-prior to implementing the PDC functionality. If you have not
-followed the steps outlined in <A
+It is necessary to have a working Samba server prior to implementing the
+PDC functionality. If you have not followed the steps outlined in
+<A
HREF="UNIX_INSTALL.html"
TARGET="_top"
->UNIX_INSTALL.html</A
->, please make sure that your server
-is configured correctly before proceeding. Another good
+> UNIX_INSTALL.html</A
+>, please make sure
+that your server is configured correctly before proceeding. Another good
resource in the <A
HREF="smb.conf.5.html"
TARGET="_top"
@@ -125,13 +142,14 @@ steps.</P
TYPE="1"
><LI
><P
->Configuring the Samba Domain Controller
+> Configuring the Samba PDC
</P
></LI
><LI
><P
->Creating machine trust accounts
- and joining clients to the domain</P
+> Creating machine trust accounts and joining clients
+ to the domain
+ </P
></LI
></OL
><P
@@ -145,7 +163,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN40"
+NAME="AEN41"
>Configuring the Samba Domain Controller</A
></H1
><P
@@ -251,7 +269,7 @@ TARGET="_top"
> = \\homeserver\%u
; specify a generic logon script for all users
- ; this is a relative path to the [netlogon] share
+ ; this is a relative **DOS** path to the [netlogon] share
<A
HREF="smb.conf.5.html#LOGONSCRIPT"
TARGET="_top"
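Review bot: The asterisks in "; this is a relative **DOS** path to the [netlogon] share" sit inside a PROGRAMLISTING, so they are rendered literally and will be copied into smb.conf along with the comment. Drop the asterisks and, if emphasis is wanted, say in the surrounding prose what a DOS path means for the logon script value.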
@@ -305,16 +323,14 @@ TARGET="_top"
> = 0700</PRE
></P
><P
->There are a couple of points to emphasize in the above
-configuration.</P
+>There are a couple of points to emphasize in the above configuration.</P
><P
></P
><UL
><LI
><P
->encrypted passwords must be enabled.
- For more details on how to do this, refer to
- <A
+> Encrypted passwords must be enabled. For more details on how
+ to do this, refer to <A
HREF="ENCRYPTION.html"
TARGET="_top"
>ENCRYPTION.html</A
@@ -323,23 +339,25 @@ TARGET="_top"
></LI
><LI
><P
->The server must support domain logons
- and a <TT
+> The server must support domain logons and a
+ <TT
CLASS="FILENAME"
>[netlogon]</TT
-> share</P
+> share
+ </P
></LI
><LI
><P
->The server must be the domain master browser
- in order for Windows client to locate the server as a DC.</P
+> The server must be the domain master browser in order for Windows
+ client to locate the server as a DC.
+ </P
></LI
></UL
><P
>As Samba 2.2 does not offer a complete implementation of group mapping between
Windows NT groups and UNIX groups (this is really quite complicated to explain
in a short space), you should refer to the <A
-HREF="smb.conf.5.html#DOMAINADMONUSERS"
+HREF="smb.conf.5.html#DOMAINADMINUSERS"
TARGET="_top"
>domain
admin users</A
@@ -356,51 +374,30 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN83"
+NAME="AEN84"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
><P
->First you must understand what a machine trust account is and what
-it is used for.</P
-><P
->A machine trust account is a user account owned by a computer.
+>A machine trust account is a samba user account owned by a computer.
The account password acts as the shared secret for secure
-communication with the Domain Controller. Hence the reason that
-a Windows 9x host is never a true member of a domain because
-it does not posses a machine trust account and thus has no shared
-secret with the DC.</P
+communication with the Domain Controller (This is a security feature
+to prevent an unauthorized machine with the same netbios name from
+joining the domain). Hence a Windows 9x host is never a true member
+of a domain because it does not posses a machine trust account, and thus
+has no shared secret with the DC.</P
><P
>On a Windows NT PDC, these machine trust account passwords are stored
-in the registry. A Samba PDC stores these accounts in he same location
+in the registry. A Samba PDC stores these accounts in the same location
as user LanMan and NT password hashes (currently <TT
CLASS="FILENAME"
>smbpasswd</TT
>).
-However, machine trust accounts only possess the NT password hash.</P
-><P
->There are two means of creating machine trust accounts.</P
-><P
-></P
-><UL
-><LI
-><P
->Manual creation before joining the client
- to the domain. In this case, the password is set to a known
- value -- the lower case of the machine's netbios name.</P
-></LI
-><LI
-><P
->Creation of the account at the time of
- joining the domain. In this case, the session key of the
- administrative account used to join the client to the domain acts
- as an encryption key for setting the password to a random value.</P
-></LI
-></UL
+However, machine trust accounts only possess and use the NT password hash.</P
><P
>Because Samba requires machine accounts to possess a UNIX uid from
which an Windows NT SID can be generated, all of these accounts
-will have an entry in <TT
+must have an entry in <TT
CLASS="FILENAME"
>/etc/passwd</TT
> and smbpasswd.
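Review bot: The added parenthetical "(This is a security feature to prevent an unauthorized machine with the same netbios name from joining the domain)" overstates what the shared secret gives you for manually created accounts. Later in this same file the manual method sets the password to "the lower case of the machine's netbios name" and warns that "an open account like this can allow intruders to gain access", so qualify the parenthetical or cross-reference that warning. Also fix "does not posses" (possess) while the sentence is being rewritten.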
@@ -408,7 +405,23 @@ Future releases will alleviate the need to create
<TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entries.</P
+> entries. For those who wish to avoid
+editing the passwd file manually the command below should work well:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+> -m -s /bin/false <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$</P
><P
>The <TT
CLASS="FILENAME"
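Review bot: The new useradd example passes "-m" together with "-d /dev/null", which asks useradd to create a home directory for an account that is meant to have none; the "add user script" example further down in this file uses "-M" for the same purpose. Make the two commands agree on "-M". The example also hard-codes "-g 100" while the sample passwd entry in the next hunk shows gid 501, so either align them or state that the gid is site specific.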
@@ -423,20 +436,53 @@ CLASS="FILENAME"
><P
><PRE
CLASS="PROGRAMLISTING"
->doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE
+>doppy$:x:505:501:<TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+>:/dev/null:/bin/false</PRE
></P
><P
->If you are manually creating the machine accounts, it is necessary
-to add the <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> (or NIS passwd
-map) entry prior to adding the <TT
-CLASS="FILENAME"
->smbpasswd</TT
->
-entry. The following command will create a new machine account
-ready for use.</P
+>Above, <TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+> can be any descriptive name for the
+pc i.e. BasementComputer. The <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+> absolutely must be
+the netbios name of the pc to be added to the domain. The "$" must append the netbios
+name of the pc or samba will not recognize this as a machine account</P
+><P
+>Now that the UNIX account has been created,
+the following command shows how to create a new machine account,
+enabling the machine to join the domain.</P
+><P
+>There are two means of creating machine trust accounts.</P
+><P
+></P
+><UL
+><LI
+><P
+> Manual creation before joining the client to the domain. In this case,
+ the password is set to a known value -- the lower case of the
+ machine's netbios name.
+ </P
+></LI
+><LI
+><P
+> Creation of the account at the time of joining the domain. In
+ this case, the session key of the administrative account used to join
+ the client to the domain acts as an encryption key for setting the
+ password to a random value (This is the recommended method).
+ </P
+></LI
+></UL
><P
><TT
CLASS="PROMPT"
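Review bot: The added paragraph "Now that the UNIX account has been created, the following command shows how to create a new machine account" is no longer followed by the command; the relocated "There are two means of creating machine trust accounts" list now sits between the two. Move the list above that paragraph so "the following command" points at the prompt line again. The preceding added sentence also lacks its final period ("will not recognize this as a machine account").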
@@ -454,20 +500,17 @@ CLASS="REPLACEABLE"
>machine_name</I
></TT
> is the machine's netbios
-name.</P
-><P
-><I
+name. Will permit use of the first method.<I
CLASS="EMPHASIS"
->If you manually create a machine account, immediately join
-the client to the domain.</I
-> An open account like this
-can allow intruders to gain access to user account information
-in your domain.</P
-><P
->The second way of creating machine trust accounts is to add
-them on the fly at the time the client is joined to the domain.
-You will need to include a value for the
-<A
+>If you manually create a
+machine account, immediately join the client to the domain.</I
+>
+An open account like this can allow intruders to gain access to user
+account information in your domain.</P
+><P
+>The second, and again recommended way of creating machine trust accounts
+is to add them on the fly at the time the client is joined to the domain.
+You will need to include a value for the <A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
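Review bot: Merging the paragraphs leaves a sentence fragment, "Will permit use of the first method.", run directly into the emphasised warning with no space before it, and the warning itself ("If you manually create a machine account, immediately join the client to the domain") loses the paragraph of its own that it had before. Since this is the one security caveat about the known-password window, keep it as a separate paragraph and rewrite the fragment as a full sentence, for example "This creates the account for use with the first method."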
@@ -479,142 +522,255 @@ CLASS="PROGRAMLISTING"
>add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
></P
><P
->In Samba 2.2.0, <I
+>In Samba 2.2, <I
CLASS="EMPHASIS"
>only the root account</I
> can be used to create
-machine accounts on the fly like this. Therefore, it is required
-to create an entry in smbpasswd for <I
+machine accounts on the fly like this. Therefore, it is required to create
+an entry in smbpasswd for <I
CLASS="EMPHASIS"
>root</I
->.
-The password <I
+>. The password
+<I
CLASS="EMPHASIS"
>SHOULD</I
-> be set to s different
-password that the associated <TT
+> be set to s different password that the
+associated <TT
CLASS="FILENAME"
>/etc/passwd</TT
->
-entry for security reasons.</P
+> entry for security reasons.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN122"
+NAME="AEN127"
>Common Problems and Errors</A
></H1
><P
></P
><P
-><I
+></P
+><UL
+><LI
+><P
+> <I
CLASS="EMPHASIS"
>I cannot include a '$' in a machine name.</I
-></P
+>
+ </P
+><A
+NAME="AEN134"
+></A
+><BLOCKQUOTE
+CLASS="BLOCKQUOTE"
><P
->A 'machine name' in (typically) <TT
+> A 'machine name' in (typically) <TT
CLASS="FILENAME"
>/etc/passwd</TT
>
-of the machine name with a '$' appended. FreeBSD (and other BSD
-systems ?) won't create a user with a '$' in their name.</P
+ of the machine name with a '$' appended. FreeBSD (and other BSD
+ systems ?) won't create a user with a '$' in their name.
+ </P
><P
->The problem is only in the program used to make the entry, once
-made, it works perfectly. So create a user without the '$' and
-use <B
+> The problem is only in the program used to make the entry, once
+ made, it works perfectly. So create a user without the '$' and
+ use <B
CLASS="COMMAND"
>vipw</B
> to edit the entry, adding the '$'. Or create
-the whole entry with vipw if you like, make sure you use a
-unique uid !</P
+ the whole entry with vipw if you like, make sure you use a
+ unique uid !
+ </P
+></BLOCKQUOTE
+></LI
+><LI
><P
-><I
+> <I
CLASS="EMPHASIS"
>I get told "You already have a connection to the Domain...."
-when creating a machine account.</I
-></P
-><P
->This happens if you try to create a machine account from the
-machine itself and use a user name that does not work (for whatever
-reason) and then try another (possibly valid) user name.
-Exit out of the network applet to close the initial connection
-and try again.</P
-><P
->Further, if the machine is a already a 'member of a workgroup' that
-is the same name as the domain you are joining (bad idea) you will
-get this message. Change the workgroup name to something else, it
-does not matter what, reboot, and try again.</P
-><P
-><I
-CLASS="EMPHASIS"
->I get told "Cannot join domain, the credentials supplied
-conflict with an existing set.."</I
-></P
-><P
->This is the same basic problem as mentioned above, "You already
-have a connection..."</P
+ or "Cannot join domain, the credentials supplied conflict with an
+ existing set.." when creating a machine account.</I
+>
+ </P
+><A
+NAME="AEN142"
+></A
+><BLOCKQUOTE
+CLASS="BLOCKQUOTE"
+><P
+> This happens if you try to create a machine account from the
+ machine itself and already have a connection (e.g. mapped drive)
+ to a share (or IPC$) on the Samba PDC. The following command
+ will remove all network drive connections:
+ </P
+><P
+> <TT
+CLASS="PROMPT"
+>C:\WINNT\&#62;</TT
+> <B
+CLASS="COMMAND"
+>net use * /d</B
+>
+ </P
+><P
+> Further, if the machine is a already a 'member of a workgroup' that
+ is the same name as the domain you are joining (bad idea) you will
+ get this message. Change the workgroup name to something else, it
+ does not matter what, reboot, and try again.
+ </P
+></BLOCKQUOTE
+></LI
+><LI
><P
-><I
+> <I
CLASS="EMPHASIS"
->"The system can not log you on (C000019B)...."</I
-></P
+>The system can not log you on (C000019B)....</I
+>
+ </P
+><A
+NAME="AEN151"
+></A
+><BLOCKQUOTE
+CLASS="BLOCKQUOTE"
><P
>I joined the domain successfully but after upgrading
-to a newer version of the Samba code I get the message, "The system
-can not log you on (C000019B), Please try a gain or consult your
-system administrator" when attempting to logon.</P
+ to a newer version of the Samba code I get the message, "The system
+ can not log you on (C000019B), Please try a gain or consult your
+ system administrator" when attempting to logon.
+ </P
><P
->This occurs when the domain SID stored in
-<TT
+> This occurs when the domain SID stored in
+ <TT
CLASS="FILENAME"
>private/WORKGROUP.SID</TT
> is
-changed. For example, you remove the file and <B
+ changed. For example, you remove the file and <B
CLASS="COMMAND"
>smbd</B
> automatically
-creates a new one. Or you are swapping back and forth between
-versions 2.0.7, TNG and the HEAD branch code (not recommended). The
-only way to correct the problem is to restore the original domain
-SID or remove the domain client from the domain and rejoin.</P
+ creates a new one. Or you are swapping back and forth between
+ versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+ only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin.
+ </P
+></BLOCKQUOTE
+></LI
+><LI
><P
-><I
+> <I
CLASS="EMPHASIS"
->"The machine account for this computer either does not
-exist or is not accessible."</I
-></P
+>The machine account for this computer either does not
+ exist or is not accessible.</I
+>
+ </P
+><A
+NAME="AEN159"
+></A
+><BLOCKQUOTE
+CLASS="BLOCKQUOTE"
+><P
+> When I try to join the domain I get the message "The machine account
+ for this computer either does not exist or is not accessible". Whats
+ wrong ?
+ </P
><P
->When I try to join the domain I get the message "The machine account
-for this computer either does not exist or is not accessible". Whats
-wrong ?</P
+> This problem is caused by the PDC not having a suitable machine account.
+ If you are using the <TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+> method to create
+ accounts then this would indicate that it has not worked. Ensure the domain
+ admin user system is working.
+ </P
+><P
+> Alternatively if you are creating account entries manually then they
+ have not been created correctly. Make sure that you have the entry
+ correct for the machine account in smbpasswd file on the Samba PDC.
+ If you added the account using an editor rather than using the smbpasswd
+ utility, make sure that the account name is the machine netbios name
+ with a '$' appended to it ( ie. computer_name$ ). There must be an entry
+ in both /etc/passwd and the smbpasswd file. Some people have reported
+ that inconsistent subnet masks between the Samba server and the NT
+ client have caused this problem. Make sure that these are consistent
+ for both client and server.
+ </P
+></BLOCKQUOTE
+></LI
+><LI
><P
->This problem is caused by the PDC not having a suitable machine account.
-If you are using the <B
+> <I
+CLASS="EMPHASIS"
+>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
+ I get a message about my account being disabled.</I
+>
+ </P
+><A
+NAME="AEN167"
+></A
+><BLOCKQUOTE
+CLASS="BLOCKQUOTE"
+><P
+> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
+ fixed in 2.2.1. Other symptoms could be unaccessible shares on
+ NT/W2K member servers in the domain or the following error in your smbd.log:
+ passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
+ </P
+><P
+> At first be ensure to enable the useraccounts with <B
CLASS="COMMAND"
->add user script =</B
-> method to create
-accounts then this would indicate that it has not worked. Ensure the domain
-admin user system is working.</P
-><P
->Alternatively if you are creating account entries manually then they
-have not been created correctly. Make sure that you have the entry
-correct for the machine account in smbpasswd file on the Samba PDC.
-If you added the account using an editor rather than using the smbpasswd
-utility, make sure that the account name is the machine netbios name
-with a '$' appended to it ( ie. computer_name$ ). There must be an entry
-in both /etc/passwd and the smbpasswd file. Some people have reported
-that inconsistent subnet masks between the Samba server and the NT
-client have caused this problem. Make sure that these are consistent
-for both client and server.</P
+>smbpasswd -e
+ %user%</B
+>, this is normaly done, when you create an account.
+ </P
+><P
+> In order to work around this problem in 2.2.0, configure the
+ <TT
+CLASS="PARAMETER"
+><I
+>account</I
+></TT
+> control flag in
+ <TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file as follows:
+ </P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> account required pam_permit.so
+ </PRE
+></P
+><P
+> If you want to remain backward compatibility to samba 2.0.x use
+ <TT
+CLASS="FILENAME"
+>pam_permit.so</TT
+>, it's also possible to use
+ <TT
+CLASS="FILENAME"
+>pam_pwdb.so</TT
+>. There are some bugs if you try to
+ use <TT
+CLASS="FILENAME"
+>pam_unix.so</TT
+>, if you need this, be ensure to use
+ the most recent version of this file.
+ </P
+></BLOCKQUOTE
+></LI
+></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN150"
+NAME="AEN180"
>System Policies and Profiles</A
></H1
><P
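Review bot: The new FAQ entry recommends "account required pam_permit.so" in /etc/pam.d/samba without saying what that costs: pam_permit always succeeds, so the account phase stops enforcing any account restrictions for the samba service. State that this is a 2.2.0-only workaround to be reverted after upgrading to 2.2.1, and reword the following paragraph, which reads as if pam_permit.so were also the general recommendation for 2.0.x compatibility. Smaller items in the same hunk: the smbd.log line should be in its own PROGRAMLISTING, "At first be ensure" and "normaly" need fixing, and the carried-over "be set to s different password that" should read "a different password than".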
@@ -757,7 +913,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN190"
+NAME="AEN220"
>What other help can I get ?</A
></H1
><P
@@ -940,7 +1096,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN237"
+NAME="AEN267"
>URLs and similar</A
></H2
><P
@@ -1014,7 +1170,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN261"
+NAME="AEN291"
>Mailing Lists</A
></H2
><P
@@ -1149,7 +1305,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN300"
+NAME="AEN330"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><P
diff --git a/docs/htmldocs/printer_driver2.html b/docs/htmldocs/printer_driver2.html
index ac845b84334..796065fe068 100644
--- a/docs/htmldocs/printer_driver2.html
+++ b/docs/htmldocs/printer_driver2.html
@@ -83,23 +83,61 @@ TARGET="_top"
information</P
></LI
></UL
+><P
+>There has been some initial confusion about what all this means
+and whether or not it is a requirement for printer drivers to be
+installed on a Samba host in order to support printing from Windows
+clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients
+require that the Samba server possess a valid driver for the printer.
+This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients
+can use the local APW for installing drivers to be used with a Samba
+served printer. This is the same behavior exhibited by Windows 9x clients.
+As a side note, Samba does not use these drivers in any way to process
+spooled files. They are utilized entirely by the clients.</P
+><P
+>The following MS KB article, may be of some help if you are dealing with
+Windows 2000 clients: <I
+CLASS="EMPHASIS"
+>How to Add Printers with No User
+Interaction in Windows 2000</I
+></P
+><P
+><A
+HREF="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP"
+TARGET="_top"
+>http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</A
+></P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN20"
+NAME="AEN25"
>Configuration</A
></H1
+><DIV
+CLASS="WARNING"
><P
-><I
-CLASS="EMPHASIS"
->WARNING!!!</I
-> Previous versions of Samba
-recommended using a share named [printer$]. This name was taken from the
-printer$ service created by Windows 9x clients when a
-printer was shared. Windows 9x printer servers always have
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>[print$] vs. [printer$]</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>Previous versions of Samba recommended using a share named [printer$].
+This name was taken from the printer$ service created by Windows 9x
+clients when a printer was shared. Windows 9x printer servers always have
a printer$ service which provides read-only access via no
password in order to support printer driver downloads.</P
><P
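Review bot: The added sentence "The following MS KB article, may be of some help" has a stray comma after "article"; drop it. The same added text uses "APW" in "can use the local APW for installing drivers" without expanding it, while a later hunk in this file writes out "Add Printer Wizard"; spelling it out here would keep the two consistent.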
@@ -124,21 +162,26 @@ the client.</P
>These parameters, including <TT
CLASS="PARAMETER"
><I
->printer driver
+>printer driver
file</I
></TT
> parameter, are being depreciated and should not
be used in new installations. For more information on this change,
you should refer to the <A
HREF="#MIGRATION"
->Migration section </A
->of this document.</P
+>Migration section</A
+>
+of this document.</P
+></TD
+></TR
+></TABLE
+></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN30"
+NAME="AEN36"
>Creating [print$]</A
></H2
><P
@@ -161,6 +204,11 @@ CLASS="PROGRAMLISTING"
guest ok = yes
browseable = yes
read only = yes
+ ; since this share is configured as read only, then we need
+ ; a 'write list'. Check the file system permissions to make
+ ; sure this account can copy files to the share. If this
+ ; is setup to a non-root account, then it should also exist
+ ; as a 'printer admin'
write list = ntadmin</PRE
></P
><P
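Review bot: The added comment above `write list = ntadmin` does not say which account "this" refers to in "If this is setup to a non-root account"; name the `write list` account explicitly, and write "set up" for "setup". The comment says the account should also exist as a 'printer admin', but the lines visible here show only `write list`, so either show the matching `printer admin` line or say where it is set. Because the share also has `guest ok = yes`, the comment could state that only the listed account gains write access.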
@@ -178,16 +226,17 @@ level user accounts to have write access in order to update files
on the share. See the <A
HREF="smb./conf.5.html"
TARGET="_top"
->smb.conf(5) man page</A
-> for more information on
-configuring file shares.</P
+>smb.conf(5)
+man page</A
+> for more information on configuring file shares.</P
><P
>The requirement for <A
HREF="smb.conf.5.html#GUESTOK"
TARGET="_top"
><B
CLASS="COMMAND"
->guest ok = yes</B
+>guest
+ok = yes</B
></A
> depends upon how your
site is configured. If users will be guaranteed to have
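Review bot: The unchanged link target `HREF="smb./conf.5.html"` has a stray slash and does not match the `smb.conf.5.html#GUESTOK` target used later in this hunk; since the hunk already rewraps that link's text, fix the href in the same pass. Splitting `guest ok = yes` across two lines inside the COMMAND element renders the same in a browser but makes the parameter harder to find with a text search of the source.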
@@ -257,26 +306,26 @@ ALIGN="CENTER"
ALIGN="LEFT"
><P
>In order to currently add a new driver to you Samba host,
- one of two conditions must hold true:</P
+one of two conditions must hold true:</P
><P
></P
><UL
><LI
><P
>The account used to connect to the Samba host
- must have a uid of 0 (i.e. a root account)</P
+ must have a uid of 0 (i.e. a root account)</P
></LI
><LI
><P
>The account used to connect to the Samba host
- must be a member of the <A
+ must be a member of the <A
HREF="smb.conf.5.html#PRINTERADMIN"
TARGET="_top"
><TT
CLASS="PARAMETER"
><I
>printer
- admin</I
+ admin</I
></TT
></A
> list.</P
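Review bot: The unchanged line "In order to currently add a new driver to you Samba host," still reads "you" for "your"; this hunk only changes indentation in that paragraph, so the typo is worth fixing while the lines are being touched. Because these two conditions decide who may upload drivers, "uid of 0 (i.e. a root account)" and the `printer admin` list should stay worded exactly as the smb.conf man page words them.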
@@ -284,7 +333,8 @@ CLASS="PARAMETER"
></UL
><P
>Of course, the connected account must still possess access
- to add files to the subdirectories beneath [print$].</P
+to add files to the subdirectories beneath [print$]. Remember
+that all file shares are set to 'read only' by default.</P
></TD
></TR
></TABLE
@@ -307,14 +357,34 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN65"
+NAME="AEN71"
>Setting Drivers for Existing Printers</A
></H2
><P
>The initial listing of printers in the Samba host's
-Printers folder will have no printer driver assigned to them.
-The way assign a driver to a printer is to view the Properties
-of the printer and either</P
+Printers folder will have no real printer driver assigned
+to them. By default, in Samba 2.2.0 this driver name was set to
+<I
+CLASS="EMPHASIS"
+>NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER</I
+>.
+Later versions changed this to a NULL string to allow the use
+tof the local Add Printer Wizard on NT/2000 clients.
+Attempting to view the printer properties for a printer
+which has this default driver assigned will result in
+the error message:</P
+><P
+><I
+CLASS="EMPHASIS"
+>Device settings cannot be displayed. The driver
+for the specified printer is not installed, only spooler
+properties will be displayed. Do you want to install the
+driver now?</I
+></P
+><P
+>Click "No" in the error dialog and you will be presented with
+the printer properties window. The way assign a driver to a
+printer is to either</P
><P
></P
><UL
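Review bot: Two typos are introduced in the added text: "tof the local Add Printer Wizard" should be "of", and "The way assign a driver to a printer" is missing "to" (carried over from the removed line). The paragraph also says "Later versions changed this to a NULL string" right after naming 2.2.0; since the first hunk in this file states the fix is in 2.2.1, name that version here too.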
@@ -361,7 +431,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN78"
+NAME="AEN88"
>Support a large number of printers</A
></H2
><P
@@ -413,7 +483,7 @@ Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
<TT
CLASS="PROMPT"
>$ </TT
->rpcclient pogo -U root%bleaK.er \
+>rpcclient pogo -U root%secret \
<TT
CLASS="PROMPT"
>&gt; </TT
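Review bot: Replacing `root%bleaK.er` with `root%secret` is the right call, but the removed value stays in the repository history and in earlier releases of this page; if it was ever a real password, it needs to be changed as well. The example still puts the root password on the command line in `-U root%secret`, where it ends up in shell history; consider showing `-U root` and letting rpcclient prompt, or adding a sentence that the `%password` form is for illustration only.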
@@ -427,7 +497,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN89"
+NAME="AEN99"
>Adding New Printers via the Windows NT APW</A
></H2
><P
@@ -449,7 +519,7 @@ CLASS="PARAMETER"
><I
>printer admin</I
></TT
->.
+>).
</P
></LI
><LI
@@ -476,8 +546,8 @@ TARGET="_top"
><TT
CLASS="PARAMETER"
><I
->addprinter
-command</I
+>add
+printer command</I
></TT
></A
> must have a defined value. The program
@@ -499,7 +569,7 @@ CLASS="COMMAND"
CLASS="PARAMETER"
><I
>add printer
-program</I
+command</I
></TT
> and reparse to the <TT
CLASS="FILENAME"
@@ -512,7 +582,7 @@ CLASS="PARAMETER"
><I
>add printer program</I
></TT
-> is executed undet the context
+> is executed under the context
of the connected user, not necessarily a root account.</P
><P
>There is a complementing <A
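Review bot: The parameter is still called "add printer program" on the unchanged line just above the "undet" fix, while the two preceding hunks rename it to "add printer command"; change this occurrence too so the section uses one name. The sentence itself ("executed under the context of the connected user, not necessarily a root account") matters to anyone writing the script, so it should not sit under an inconsistent parameter name.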
@@ -521,8 +591,8 @@ TARGET="_top"
><TT
CLASS="PARAMETER"
><I
->deleteprinter
-command</I
+>delete
+printer command</I
></TT
></A
> for removing entries from the "Printers..."
@@ -533,7 +603,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN114"
+NAME="AEN124"
>Samba and Printer Ports</A
></H2
><P
@@ -570,7 +640,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN122"
+NAME="AEN132"
>The Imprints Toolset</A
></H1
><P
@@ -588,7 +658,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN126"
+NAME="AEN136"
>What is Imprints?</A
></H2
><P
@@ -620,7 +690,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN136"
+NAME="AEN146"
>Creating Printer Driver Packages</A
></H2
><P
@@ -636,7 +706,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN139"
+NAME="AEN149"
>The Imprints server</A
></H2
><P
@@ -657,7 +727,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN143"
+NAME="AEN153"
>The Installation Client</A
></H2
><P
@@ -751,18 +821,61 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN165"
+NAME="AEN175"
><A
NAME="MIGRATION"
></A
->Migration to from Samba 2.0.x to
- 2.2.x</A
+>Migration to from Samba 2.0.x to 2.2.x</A
></H1
><P
->Given that printer driver management has changed
- (we hope improved :) ) in 2.2.0 over prior releases,
- migration from an existing setup to 2.2.0 can follow
- several paths.</P
+>Given that printer driver management has changed (we hope improved) in
+2.2 over prior releases, migration from an existing setup to 2.2 can
+follow several paths.</P
+><P
+>Windows clients have a tendency to remember things for quite a while.
+For example, if a Windows NT client has attached to a Samba 2.0 server,
+it will remember the server as a LanMan printer server. Upgrading
+the Samba host to 2.2 makes support for MSRPC printing possible, but
+the NT client will still remember the previous setting.</P
+><P
+>In order to give an NT client printing "amesia" (only necessary if you
+want to use the newer MSRPC printing functionality in Samba), delete
+the registry keys associated with the print server contained in
+<TT
+CLASS="CONSTANT"
+>[HKLM\SYSTEM\CurrentControlSet\Control\Print]</TT
+>. The
+spooler service on the client should be stopped prior to doing this:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT\ &#62;</TT
+> <TT
+CLASS="USERINPUT"
+><B
+>net stop spooler</B
+></TT
+></P
+><P
+><I
+CLASS="EMPHASIS"
+>All the normal disclaimers about editing the registry go
+here.</I
+> Be careful, and know what you are doing.</P
+><P
+>The spooler service should be restarted after you have finished
+removing the appropriate registry entries by replacing the
+<B
+CLASS="COMMAND"
+>stop</B
+> command above with <B
+CLASS="COMMAND"
+>start</B
+>.</P
+><P
+>Windows 9x clients will continue to use LanMan printing calls
+with a 2.2 Samba server so there is no need to perform any of these
+modifications on non-NT clients.</P
><DIV
CLASS="WARNING"
><P
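Review bot: The added registry step does not say which entries under `[HKLM\SYSTEM\CurrentControlSet\Control\Print]` belong to the print server, so a reader could delete far more than intended; name the subkey or value to remove, and suggest exporting the key before editing. "All the normal disclaimers about editing the registry go here." reads as a placeholder and should be replaced with the actual caution. Typos in the added lines: "amesia" for "amnesia", and the heading still reads "Migration to from Samba 2.0.x to 2.2.x". Showing the `net start spooler` command explicitly would be clearer than asking the reader to substitute `start` for `stop`.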
@@ -782,9 +895,8 @@ ALIGN="CENTER"
><TD
ALIGN="LEFT"
><P
->The following smb.conf parameters are considered to be
- depreciated and will be removed soon. Do not use them
- in new installations</P
+>The following smb.conf parameters are considered to be depreciated and will
+be removed soon. Do not use them in new installations</P
><P
></P
><UL
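Review bot: The rewrapped sentence keeps "depreciated" where "deprecated" is meant, and "Do not use them in new installations" still lacks its closing period; fix both while the lines are being rewritten. The same "depreciated" wording appears in the unchanged context of the earlier [print$] vs. [printer$] hunk and should be changed there as well.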
@@ -796,7 +908,7 @@ CLASS="PARAMETER"
>printer driver file (G)</I
></TT
>
- </P
+ </P
></LI
><LI
><P
@@ -806,7 +918,7 @@ CLASS="PARAMETER"
>printer driver (S)</I
></TT
>
- </P
+ </P
></LI
><LI
><P
@@ -816,7 +928,7 @@ CLASS="PARAMETER"
>printer driver location (S)</I
></TT
>
- </P
+ </P
></LI
></UL
></TD
@@ -831,31 +943,31 @@ CLASS="PARAMETER"
><LI
><P
>If you do not desire the new Windows NT
- print driver support, nothing needs to be done.
- All existing parameters work the same.</P
+ print driver support, nothing needs to be done.
+ All existing parameters work the same.</P
></LI
><LI
><P
>If you want to take advantage of NT printer
- driver support but do not want to migrate the
- 9x drivers to the new setup, the leave the existing
- printers.def file. When smbd attempts to locate a
- 9x driver for the printer in the TDB and fails it
- will drop down to using the printers.def (and all
- associated parameters). The <B
+ driver support but do not want to migrate the
+ 9x drivers to the new setup, the leave the existing
+ printers.def file. When smbd attempts to locate a
+ 9x driver for the printer in the TDB and fails it
+ will drop down to using the printers.def (and all
+ associated parameters). The <B
CLASS="COMMAND"
>make_printerdef</B
>
- tool will also remain for backwards compatibility but will
- be moved to the "this tool is the old way of doing it"
- pile.</P
+ tool will also remain for backwards compatibility but will
+ be moved to the "this tool is the old way of doing it"
+ pile.</P
></LI
><LI
><P
>If you install a Windows 9x driver for a printer
- on your Samba host (in the printing TDB), this information will
- take precedence and the three old printing parameters
- will be ignored (including print driver location).</P
+ on your Samba host (in the printing TDB), this information will
+ take precedence and the three old printing parameters
+ will be ignored (including print driver location).</P
></LI
><LI
><P
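Review bot: This hunk is a whitespace-only reindent, but it carries the typo "the leave the existing printers.def file" onto the new line; it should read "then leave". The same item says smbd "will drop down to using the printers.def"; "fall back to" would state the lookup order (TDB first, then printers.def) more plainly.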
@@ -863,23 +975,22 @@ CLASS="COMMAND"
CLASS="FILENAME"
>printers.def</TT
>
- file into the new setup, the current only
- solution is to use the Windows NT APW to install the NT drivers
- and the 9x drivers. This can be scripted using <B
+ file into the new setup, the current only solution is to use the Windows
+ NT APW to install the NT drivers and the 9x drivers. This can be scripted
+ using <B
CLASS="COMMAND"
>smbclient</B
->
- and <B
+> and <B
CLASS="COMMAND"
>rpcclient</B
>. See the
- Imprints installation client at <A
+ Imprints installation client at <A
HREF="http://imprints.sourceforge.net/"
TARGET="_top"
>http://imprints.sourceforge.net/</A
>
- for an example.
- </P
+ for an example.
+ </P
></LI
></UL
></DIV
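Review bot: "the current only solution" in the rewrapped text reads awkwardly; "the only current solution" or "currently the only solution" is clearer. The rest of the hunk is rewrapping and needs no change.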
diff --git a/docs/htmldocs/rpcclient.1.html b/docs/htmldocs/rpcclient.1.html
index e41f5a7c93e..7a8466c880c 100644
--- a/docs/htmldocs/rpcclient.1.html
+++ b/docs/htmldocs/rpcclient.1.html
@@ -285,7 +285,7 @@ CLASS="COMMAND"
><B
CLASS="COMMAND"
>lookupnames</B
->Resolve s list
+> - Resolve s list
of usernames to SIDs.
</P
></LI
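Review bot: The changed line adds the " - " separator but keeps the typo "Resolve s list"; it should read "Resolve a list of usernames to SIDs." Fix it in the same line since it is already being edited.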