Diffstat (limited to 'docs/docbook/projdoc')
-rw-r--r--  docs/docbook/projdoc/DOMAIN_MEMBER.sgml                     |  16
-rw-r--r--  docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml      |   9
-rw-r--r--  docs/docbook/projdoc/Samba-PDC-HOWTO.sgml                   | 443
-rw-r--r--  docs/docbook/projdoc/chapter1.sgml                          | 446
-rw-r--r--  docs/docbook/projdoc/winbind.sgml                           | 162
5 files changed, 304 insertions, 772 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 0b1db84b204..6d0b36eafcc 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -31,14 +31,7 @@ <title>Joining an NT Domain with Samba 2.2</title> - <para>In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - <emphasis>NOT</emphasis> as a Primary or backup domain controller.</para> - - <para>Assume you have a Samba-2 server with a NetBIOS name of + <para>Assume you have a Samba 2.x server with a NetBIOS name of <constant>SERV1</constant> and are joining an NT domain called <constant>DOM</constant>, which has a PDC with a NetBIOS name of <constant>DOMPDC</constant> and two backup domain controllers @@ -49,11 +42,14 @@ and run the command:</para> <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC - </userinput></para> + -U<replaceable>Administrator%password</replaceable></userinput></para> <para>as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message:</para> + is DOMPDC. The <replaceable>Administrator%password</replaceable> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</para> <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput> </para> diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index 6c866acecdb..594516640de 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml 
+++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -101,9 +101,12 @@ hashes. This database is stored in either <filename>/etc/samba.d/smbpasswd</filename>, depending on the Samba implementation for your Unix/Linux system. The <filename>pam_smbpass.so</filename> module is provided by -Samba version 2.2.1 or later. It can be compiled only if the -<constant>--with-pam --with-pam_smbpass</constant> options are both -provided to the Samba <command>configure</command> program. +Samba version 2.2.1 or later. It can be compiled by specifying the +<command>--with-pam_smbpass</command> options when running Samba's +<filename>configure</filename> script. For more information +on the <filename>pam_smbpass</filename> module, see the documentation +in the <filename>source/pam_smbpass</filename> directory of the Samba +source distribution. </para> <para><programlisting> diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index b980b99e22e..475b66598c2 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml 
@@ -58,25 +58,26 @@ Background <note> <para> -<emphasis>Author's Note :</emphasis> This document is a combination -of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. +<emphasis>Author's Note:</emphasis> This document is a combination +of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". Both documents are superseded by this one. </para> </note> <para> -Version of Samba prior to release 2.2 had marginal capabilities to -act as a Windows NT 4.0 Primary DOmain Controller <indexterm><primary>Primary -Domain Controller</primary></indexterm> (PDC). Beginning with -Samba 2.2.0, we are proud to announce official support for Windows NT 4.0 -style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through -SP1) clients. This article outlines the steps necessary for configuring Samba -as a PDC. It is necessary to have a working Samba server prior to implementing the -PDC functionality. If you have not followed the steps outlined in -<ulink url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure -that your server is configured correctly before proceeding. Another good -resource in the <ulink url="smb.conf.5.html">smb.conf(5) man -page</ulink>. The following functionality should work in 2.2: +Versions of Samba prior to release 2.2 had marginal capabilities to act +as a Windows NT 4.0 Primary Domain Controller +<indexterm><primary>Primary Domain Controller</primary></indexterm> +(PDC). With Samba 2.2.0, we are proud to announce official support for +Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows +2000 clients. This article outlines the steps +necessary for configuring Samba as a PDC. It is necessary to have a +working Samba server prior to implementing the PDC functionality. If +you have not followed the steps outlined in <ulink +url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure +that your server is configured correctly before proceeding. 
Another +good resource in the <ulink url="smb.conf.5.html">smb.conf(5) man +page</ulink>. The following functionality should work in 2.2: </para> <itemizedlist> @@ -98,18 +99,10 @@ page</ulink>. The following functionality should work in 2.2: </para></listitem> <listitem><para> - Windows NT 4.0 style system policies + Windows NT 4.0-style system policies </para></listitem> </itemizedlist> -<warning> - <title>Windows 2000 Service Pack 2 Clients</title> - <para> - Samba 2.2.1 is required for PDC functionality when using Windows 2000 - SP2 clients. - </para> -</warning> - <para> The following pieces of functionality are not included in the 2.2 release: @@ -138,7 +131,7 @@ The following pieces of functionality are not included in the 2.2 release: <para> Please note that Windows 9x clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for -support Windows 9x style domain logons is completely different +support Windows 9x-style domain logons is completely different from NT4 domain logons and has been officially supported for some time. </para> @@ -189,7 +182,7 @@ linked with the actual smb.conf description. </para> <para> -Here is an example smb.conf for acting as a PDC: +Here is an example <filename>smb.conf</filename> for acting as a PDC: </para> <para><programlisting> 
@@ -228,13 +221,13 @@ Here is an example smb.conf for acting as a PDC: ; necessary share for domain controller [netlogon] <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon - <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = no + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable> ; share for storing user profiles [profiles] <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile - <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = yes + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600 <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 </programlisting></para> 
@@ -263,88 +256,96 @@ There are a couple of points to emphasize in the above configuration. </itemizedlist> <para> -As Samba 2.2 does not offer a complete implementation of group mapping between -Windows NT groups and UNIX groups (this is really quite complicated to explain -in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain -admin group</ulink> smb.conf parameter for information of creating "Domain Admins" -style accounts. +As Samba 2.2 does not offer a complete implementation of group mapping +between Windows NT groups and Unix groups (this is really quite +complicated to explain in a short space), you should refer to the +<ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain admin +group</ulink> smb.conf parameter for information of creating "Domain +Admins" style accounts. </para> </sect1> <sect1> -<title>Creating Machine Trust Accounts and Joining Clients -to the Domain</title> +<title>Creating Machine Trust Accounts and Joining Clients to the +Domain</title> <para> -A machine trust account is a samba user account owned by a computer. -The account password acts as the shared secret for secure -communication with the Domain Controller. This is a security feature -to prevent an unauthorized machine with the same NetBIOS name from -joining the domain and gaining access to domain user/group accounts. -Hence a Windows 9x host is never a true member of a domain because it does -not posses a machine trust account, and thus has no shared secret with the DC. -</para> +A machine trust account is a Samba account that is used to +authenticate a client machine (rather than a user) to the Samba +server. In Windows terminology, this is known as a "Computer +Account."</para> <para> -On a Windows NT PDC, these machine trust account passwords are stored -in the registry. A Samba PDC stores these accounts in the same location -as user LanMan and NT password hashes (currently <filename>smbpasswd</filename>). 
-However, machine trust accounts only possess and use the NT password hash. +The password of a machine trust account acts as the shared secret for +secure communication with the Domain Controller. This is a security +feature to prevent an unauthorized machine with the same NetBIOS name +from joining the domain and gaining access to domain user/group +accounts. Windows NT and 2000 clients use machine trust accounts, but +Windows 9x clients do not. Hence, a Windows 9x client is never a true +member of a domain because it does not possess a machine trust +account, and thus has no shared secret with the domain controller. </para> -<para> -Because Samba requires machine accounts to possess a UNIX uid from -which an Windows NT SID can be generated, all of these accounts -must have an entry in <filename>/etc/passwd</filename> and smbpasswd. -Future releases will alleviate the need to create -<filename>/etc/passwd</filename> entries. +<para>A Windows PDC stores each machine trust account in the Windows +Registry. A Samba PDC, however, stores each machine trust account +in two parts, as follows: + +<itemizedlist> + <listitem><para>A Samba account, stored in the same location as user + LanMan and NT password hashes (currently + <filename>smbpasswd</filename>). The Samba account + possesses and uses only the NT password hash.</para></listitem> + + <listitem><para>A corresponding Unix account, typically stored in + <filename>/etc/passwd</filename>. (Future releases will alleviate the need to + create <filename>/etc/passwd</filename> entries.) </para></listitem> +</itemizedlist> </para> <para> -There are two means of creating machine trust accounts. +There are two ways to create machine trust accounts: </para> <itemizedlist> - <listitem><para> - Manual creation before joining the client to the domain. In this case, - the password is set to a known value -- the lower case of the - machine's NetBIOS name. - </para></listitem> + <listitem><para> Manual creation. 
Both the Samba and corresponding + Unix account are created by hand.</para></listitem> - <listitem><para> - Creation of the account at the time of joining the domain. In - this case, the session key of the administrative account used to join - the client to the domain acts as an encryption key for setting the - password to a random value (This is the recommended method). - </para></listitem> + <listitem><para> "On-the-fly" creation. The Samba machine trust + account is automatically created by Samba at the time the client + is joined to the domain. (For security, this is the + recommended method.) The corresponding Unix account may be + created automatically or manually. </para> + </listitem> + </itemizedlist> <sect2> -<title>Manually creating machine trust accounts</title> +<title>Manual Creation of Machine Trust Accounts</title> <para> -The first step in creating a machine trust account by hand is to -create an entry for the machine in /etc/passwd. This can be done -using <command>vipw</command> or any 'add userr' command which is normally -used to create new UNIX accounts. The following is an example for a Linux -based Samba server: +The first step in manually creating a machine trust account is to +manually create the corresponding Unix account in +<filename>/etc/passwd</filename>. This can be done using +<command>vipw</command> or other 'add user' command that is normally +used to create new Unix accounts. 
The following is an example for a +Linux based Samba server: </para> <para> -<prompt>root# </prompt>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine -nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ + <prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine +nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command> </para> <para> -<prompt>root# </prompt>passwd -l <replaceable>machine_name</replaceable>$ +<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command> </para> <para> The <filename>/etc/passwd</filename> entry will list the machine name -with a $ appended, won't have a passwd, will have a null shell and no -home directory. For example a machine called 'doppy' would have an -<filename>/etc/passwd</filename> entry like this : +with a "$" appended, won't have a password, will have a null shell and no +home directory. For example a machine named 'doppy' would have an +<filename>/etc/passwd</filename> entry like this: </para> <para><programlisting> 
@@ -352,28 +353,31 @@ doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/fals </programlisting></para> <para> -Above, <replaceable>machine_nickname</replaceable> can be any descriptive name for the -pc i.e. BasementComputer. The <replaceable>machine_name</replaceable> absolutely must be -the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS -name of the pc or samba will not recognize this as a machine account +Above, <replaceable>machine_nickname</replaceable> can be any +descriptive name for the client, i.e., BasementComputer. +<replaceable>machine_name</replaceable> absolutely must be the NetBIOS +name of the client to be joined to the domain. The "$" must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a machine trust account. </para> <para> -Now that the UNIX account has been created, the next step is to create -the smbpasswd entry for the machine containing the well known initial -trust account password. This can be done using the <ulink -url="smbpasswd.6.html"><command>smbpasswd(8)</command></ulink> command +Now that the corresponding Unix account has been created, the next step is to create +the Samba account for the client containing the well-known initial +machine trust account password. This can be done using the <ulink +url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> command as shown here: </para> <para> -<prompt>root# </prompt> smbpasswd -a -m <replaceable>machine_name</replaceable> +<prompt>root# </prompt><command>smbpasswd -a -m <replaceable>machine_name</replaceable></command> </para> <para> where <replaceable>machine_name</replaceable> is the machine's NetBIOS -name. +name. The RID of the new machine account is generated from the UID of +the corresponding Unix account. </para> <warning> 
@@ -381,9 +385,9 @@ name. <para> Manually creating a machine trust account using this method is the - equivalent of creating a machine account on a Windows NT PDC using + equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created - to the time which th client joins the domain and changes the password, + to the time which the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user 
@@ -394,30 +398,80 @@ name. <sect2> -<title>Creating machine trust accounts "on the fly"</title> +<title>"On-the-Fly" Creation of Machine Trust Accounts</title> <para> -The second, and most recommended way of creating machine trust accounts -is to create them as needed at the time the client is joined to -the domain. You will need to include a value for the <ulink -url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink> -parameter. Below is an example from a RedHat 6.2 Linux system. +The second (and recommended) way of creating machine trust accounts is +simply to allow the Samba server to create them as needed when the client +is joined to the domain. </para> + +<para>Since each Samba machine trust account requires a corresponding +Unix account, a method for automatically creating the +Unix account is usually supplied; this requires configuration of the +<ulink url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink> +option in <filename>smb.conf</filename>. This +method is not required, however; corresponding Unix accounts may also +be created manually. +</para> + + +<para>Below is an example for a RedHat 6.2 Linux system. </para> <para><programlisting> -add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u +[global] + # <...remainder of parameters...> + add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> +</sect2> + + +<sect2><title>Joining the Client to the Domain</title> + <para> -In Samba 2.2.1, <emphasis>only the root account</emphasis> can be used to create -machine accounts like this. Therefore, it is required to create -an entry in smbpasswd for <emphasis>root</emphasis>. The password -<emphasis>SHOULD</emphasis> be set to a different password that the -associated <filename>/etc/passwd</filename> entry for security reasons. +The procedure for joining a client to the domain varies with the +version of Windows. 
</para> + +<itemizedlist> +<listitem><para><emphasis>Windows 2000</emphasis></para> + + <para> When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A + Samba administrative account (i.e., a Samba account that has root + privileges on the Samba server) must be entered here; the + operation will fail if an ordinary user account is given. + The password for this account should be + set to a different password than the associated + <filename>/etc/passwd</filename> entry, for security + reasons. </para> + + <para>The session key of the Samba administrative account acts as an + encryption key for setting the password of the machine trust + account. The machine trust account will be created on-the-fly, or + updated if it already exists.</para> +</listitem> + +<listitem><para><emphasis>Windows NT</emphasis></para> + + <para> If the machine trust account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box "Create a Computer Account in the Domain." In this case, + the existing machine trust account is used to join the machine to + the domain.</para> + + <para> If the machine trust account is to be created + on-the-fly, on the Identification Changes menu enter the domain + name, and check the box "Create a Computer Account in the Domain." In + this case, joining the domain proceeds as above for Windows 2000 + (i.e., you must supply a Samba administrative account when + prompted).</para> +</listitem> +</itemizedlist> + </sect2> </sect1> - <!-- ********************************************************** Common Problems 
@@ -438,7 +492,7 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <para> A 'machine name' in (typically) <filename>/etc/passwd</> of the machine name with a '$' appended. FreeBSD (and other BSD - systems ?) won't create a user with a '$' in their name. + systems?) won't create a user with a '$' in their name. </para> <para> @@ -446,7 +500,7 @@ associated <filename>/etc/passwd</filename> entry for security reasons. made, it works perfectly. So create a user without the '$' and use <command>vipw</> to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a - unique uid ! + unique User ID ! </para> </listitem> @@ -454,11 +508,11 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <para> <emphasis>I get told "You already have a connection to the Domain...." or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine account.</emphasis> + existing set.." when creating a machine trust account.</emphasis> </para> <para> - This happens if you try to create a machine account from the + This happens if you try to create a machine trust account from the machine itself and already have a connection (e.g. mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections: 
@@ -500,18 +554,18 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <listitem> <para> - <emphasis>The machine account for this computer either does not + <emphasis>The machine trust account for this computer either does not exist or is not accessible.</emphasis> </para> <para> When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". Whats + for this computer either does not exist or is not accessible". What's wrong? </para> <para> - This problem is caused by the PDC not having a suitable machine account. + This problem is caused by the PDC not having a suitable machine trust account. If you are using the <parameter>add user script</parameter> method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working. @@ -520,7 +574,7 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <para> Alternatively if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry - correct for the machine account in smbpasswd file on the Samba PDC. + correct for the machine trust account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a '$' appended to it ( i.e. computer_name$ ). There must be an entry @@ -600,7 +654,7 @@ Here are some additional details: <listitem> <para> - <emphasis>What about Windows NT Policy Editor ?</emphasis> + <emphasis>What about Windows NT Policy Editor?</emphasis> </para> <para> @@ -633,7 +687,7 @@ Here are some additional details: <listitem> <para> - <emphasis>Can Win95 do Policies ?</emphasis> + <emphasis>Can Win95 do Policies?</emphasis> </para> <para> 
@@ -660,7 +714,7 @@ Here are some additional details: <para> Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager' ? + the 'User Manager for Domains', the 'Server Manager'? </para> <para> @@ -701,7 +755,7 @@ Here are some additional details: <sect1> -<title>What other help can I get ? </title> +<title>What other help can I get? </title> <para> There are many sources of information available in the form @@ -751,7 +805,7 @@ general SMB topics such as browsing.</para> <para> An SMB enabled version of tcpdump is available from <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>. - Ethereal, another good packet sniffer for UNIX and Win32 + Ethereal, another good packet sniffer for Unix and Win32 hosts, can be downloaded from <ulink url="http://www.ethereal.com/">http://www.ethereal.com</ulink>. </para> @@ -892,7 +946,7 @@ general SMB topics such as browsing.</para> <itemizedlist> <listitem> <para> - <emphasis>How do I get help from the mailing lists ?</emphasis> + <emphasis>How do I get help from the mailing lists?</emphasis> </para> <para> @@ -954,7 +1008,7 @@ general SMB topics such as browsing.</para> <listitem><para>Please think carefully before attaching a document to an email. Consider pasting the relevant parts into the body of the message. The samba mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory ?</para></listitem> + smb.conf in their attach directory?</para></listitem> </itemizedlist> </listitem> @@ -962,7 +1016,7 @@ general SMB topics such as browsing.</para> <listitem> <para> - <emphasis>How do I get off the mailing lists ?</emphasis> + <emphasis>How do I get off the mailing lists?</emphasis> </para> <para>To have your name removed from a samba mailing list, go to the 
@@ -995,8 +1049,8 @@ general SMB topics such as browsing.</para> <para> The following section contains much of the original DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book Special -Edition, Using Samba. (Richard Sharpe) +the material is based on what went into the book <emphasis>Special +Edition, Using Samba</emphasis>, by Richard Sharpe. </para> </note> @@ -1014,13 +1068,14 @@ The SMB client logging on to a domain has an expectation that every other server in the domain should accept the same authentication information. Network browsing functionality of domains and workgroups is identical and is explained in BROWSING.txt. It should be noted, that browsing -is total orthogonal to logon support. +is totally orthogonal to logon support. </para> <para> Issues related to the single-logon network model are discussed in this -document. Samba supports domain logons, network logon scripts, and user -profiles for MS Windows for workgroups and MS Windows 9X clients. +section. Samba supports domain logons, network logon scripts, and user +profiles for MS Windows for workgroups and MS Windows 9X/ME clients +which will be the focus of this section. </para> 
@@ -1035,40 +1090,6 @@ demonstrates how authentication is quite different from but closely involved with domains. </para> -<para> -Another thing commonly associated with single-logon domains is remote -administration over the SMB protocol. Again, there is no reason why this -cannot be implemented with an underlying username database which is -different from the Windows NT SAM. Support for the Remote Administration -Protocol is planned for a future release of Samba. -</para> - -<para> -Network logon support as discussed in this section is aimed at Window for -Workgroups, and Windows 9X clients. -</para> - -<para> -Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51. -It is possible to specify: the profile location; script file to be loaded -on login; the user's home directory; and for NT a kick-off time could also -now easily be supported. However, there are some differences between Win9X -profile support and WinNT profile support. These are discussed below. -</para> - -<para> -With NT Workstations, all this does not require the use or intervention of -an NT 4.0 or NT 3.51 server: Samba can now replace the logon services -provided by an NT server, to a limited and experimental degree (for example, -running "User Manager for Domains" will not provide you with access to -a domain created by a Samba Server). -</para> - -<para> -With Win95, the help of an NT server can be enlisted, both for profile storage -and for user authentication. For details on user authentication, see -security_level.txt. For details on profile storage, see below. -</para> <para> Using these features you can make your clients verify their logon via 
@@ -1077,15 +1098,15 @@ the network and download their preferences, desktop and start menu. </para> <para> -Before launching into the configuration instructions, it is worthwhile looking -at how a Win9X client performs a logon: +Before launching into the configuration instructions, it is +worthwhile lookingat how a Windows 9x/ME client performs a logon: </para> <orderedlist> <listitem> <para> The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS address DOMAIN<00> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. 
@@ -1147,97 +1168,27 @@ at how a Win9X client performs a logon: <title>Configuration Instructions: Network Logons</title> <para> -To use domain logons and profiles you need to do the following: +The main difference between a PDC and a Windows 9x logon +server configuration is that </para> +<itemizedlist> -<orderedlist> -<listitem> - <para> - Create a share called [netlogon] in your smb.conf. This share should - be readable by all users, and probably should not be writeable. This - share will hold your network logon scripts, and the CONFIG.POL file - (Note: for details on the CONFIG.POL file, how to use it, what it is, - refer to the Microsoft Windows NT Administration documentation. - The format of these files is not known, so you will need to use - Microsoft tools). - </para> - - <para> - For example I have used: - </para> - - <para><programlisting> -[netlogon] - path = /data/dos/netlogon - writeable = no - guest ok = no -</programlisting></para> - - <para> - Note that it is important that this share is not writeable by ordinary - users, in a secure environment: ordinary users should not be allowed - to modify or add files that another user's computer would then download - when they log in. - </para> -</listitem> - - - -<listitem> - <para> - in the [global] section of smb.conf set the following: - </para> - - <para><programlisting> -domain logons = yes -logon script = %U.bat - </programlisting></para> - - <para> - The choice of batch file is, of course, up to you. The above would - give each user a separate batch file as the %U will be changed to - their username automatically. The other standard % macros may also be - used. You can make the batch files come from a subdirectory by using - something like: - </para> - - <para><programlisting> -logon script = scripts\%U.bat - </programlisting></para> -</listitem> - -<listitem> - <para> - create the batch files to be run when the user logs in. If the batch - file doesn't exist then no batch file will be run. 
- </para> +<listitem><para> +Password encryption is not required for a Windows 9x logon server. +</para></listitem> - <para> - In the batch files you need to be careful to use DOS style cr/lf line - endings. If you don't then DOS may get confused. I suggest you use a - DOS editor to remotely edit the files if you don't know how to produce - DOS style files under unix. - </para> -</listitem> +<listitem><para> +Windows 9x/ME clients do not possess machine trust accounts. +</para></listitem> +</itemizedlist> -<listitem> - <para> - Use smbclient with the -U option for some users to make sure that - the \\server\NETLOGON share is available, the batch files are - visible and they are readable by the users. - </para> -</listitem> +<para> +Therefore, a Samba PDC will also act as a Windows 9x logon +server. +</para> -<listitem> - <para> - you will probably find that your clients automatically mount the - \\SERVER\NETLOGON share as drive z: while logging in. You can put - some useful programs there to execute from the batch files. - </para> -</listitem> -</orderedlist> <warning> <title>security mode and master browsers</title> @@ -1253,7 +1204,7 @@ mode security is really just a variation on SMB user level security. </para> <para> -Actually, this issue is also closer tied to the debate on whether +Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons @@ -1322,7 +1273,7 @@ This means that support for profiles is different for Win9X and WinNT. <title>Windows NT Configuration</title> <para> -To support WinNT clients, inn the [global] section of smb.conf set the +To support WinNT clients, in the [global] section of smb.conf set the following (for example): </para> 
@@ -1496,7 +1447,7 @@ the newest folders and short-cuts from each set. If you have made the folders / files read-only on the samba server, then you will get errors from the w95 machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the unix file +you have any errors reported by the w95 machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server. </para> diff --git a/docs/docbook/projdoc/chapter1.sgml b/docs/docbook/projdoc/chapter1.sgml deleted file mode 100644 index 71589b5d601..00000000000 --- a/docs/docbook/projdoc/chapter1.sgml +++ /dev/null 
@@ -1,446 +0,0 @@ -<chapter> - -<title>How to Install and Test SAMBA</title> - -<sect1> - <title>Step 0: Read the man pages</title> - - <para>The man pages distributed with SAMBA contain - lots of useful info that will help to get you started. - If you don't know how to read man pages then try - something like:</para> - - <para><prompt>$ </prompt><userinput>nroff -man smbd.8 | more - </userinput></para> - - <para>Other sources of information are pointed to - by the Samba web site,<ulink url="http://www.samba.org/"> - http://www.samba.org</ulink></para> -</sect1> - -<sect1> - <title>Building the Binaries</title> - - <para>To do this, first run the program <command>./configure - </command> in the source directory. This should automatically - configure Samba for your operating system. If you have unusual - needs then you may wish to run</para> - - <para><prompt>root# </prompt><userinput>./configure --help - </userinput></para> - - <para>first to see what special options you can enable. - Then exectuting</para> - - <para><prompt>root# </prompt><userinput>make</userinput></para> - - <para>will create the binaries. Once it's successfully - compiled you can use </para> - - <para><prompt>root# </prompt><userinput>make install</userinput></para> - - <para>to install the binaries and manual pages. You can - separately install the binaries and/or man pages using</para> - - <para><prompt>root# </prompt><userinput>make installbin - </userinput></para> - - <para>and</para> - - <para><prompt>root# </prompt><userinput>make installman - </userinput></para> - - <para>Note that if you are upgrading for a previous version - of Samba you might like to know that the old versions of - the binaries will be renamed with a ".old" extension. 
You - can go back to the previous version with</para> - - <para><prompt>root# </prompt><userinput>make revert - </userinput></para> - - <para>if you find this version a disaster!</para> -</sect1> - -<sect1> - <title>Step 2: The all important step</title> - - <para>At this stage you must fetch yourself a - coffee or other drink you find stimulating. Getting the rest - of the install right can sometimes be tricky, so you will - probably need it.</para> - - <para>If you have installed samba before then you can skip - this step.</para> -</sect1> - -<sect1> - <title>Step 3: Create the smb configuration file. </title> - - <para>There are sample configuration files in the examples - subdirectory in the distribution. I suggest you read them - carefully so you can see how the options go together in - practice. See the man page for all the options.</para> - - <para>The simplest useful configuration file would be - something like this:</para> - - <para><programlisting> - [global] - workgroup = MYGROUP - - [homes] - guest ok = no - read only = no - </programlisting</para> - - <para>which would allow connections by anyone with an - account on the server, using either their login name or - "homes" as the service name. (Note that I also set the - workgroup that Samba is part of. See BROWSING.txt for defails)</para> - - <para>Note that <command>make install</command> will not install - a <filename>smb.conf</filename> file. You need to create it - yourself. 
</para> - - <para>Make sure you put the smb.conf file in the same place - you specified in the<filename>Makefile</filename> (the default is to - look for it in <filename>/usr/local/samba/lib/</filename>).</para> - - <para>For more information about security settings for the - [homes] share please refer to the document UNIX_SECURITY.txt.</para> -</sect1> - -<sect1> - <title>Step 4: Test your config file with - <command>testparm</command></title> - - <para>It's important that you test the validity of your - <filename>smb.conf</filename> file using the testparm program. - If testparm runs OK then it will list the loaded services. If - not it will give an error message.</para> - - <para>Make sure it runs OK and that the services look - resonable before proceeding. </para> - -</sect1> - -<sect1> - <title>Step 5: Starting the smbd and nmbd</title> - - <para>You must choose to start smbd and nmbd either - as daemons or from <command>inetd</command>. Don't try - to do both! Either you can put them in <filename> - inetd.conf</filename> and have them started on demand - by <command>inetd</command>, or you can start them as - daemons either from the command line or in <filename> - /etc/rc.local</filename>. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start - Samba. In many cases you must be root.</para> - - <para>The main advantage of starting <command>smbd</command> - and <command>nmbd</command> as a daemon is that they will - respond slightly more quickly to an initial connection - request. This is, however, unlikely to be a problem.</para> - - <sect2> - <title>Step 5a: Starting from inetd.conf</title> - - <para>NOTE; The following will be different if - you use NIS or NIS+ to distributed services maps.</para> - - <para>Look at your <filename>/etc/services</filename>. - What is defined at port 139/tcp. 
If nothing is defined - then add a line like this:</para> - - <para><userinput>netbios-ssn 139/tcp</userinput></para> - - <para>similarly for 137/udp you should have an entry like:</para> - - <para><userinput>netbios-ns 137/udp</userinput></para> - - <para>Next edit your <filename>/etc/inetd.conf</filename> - and add two lines something like this:</para> - - <para><programlisting> - netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd - netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd - </programlisting></para> - - <para>The exact syntax of <filename>/etc/inetd.conf</filename> - varies between unixes. Look at the other entries in inetd.conf - for a guide.</para> - - <para>NOTE: Some unixes already have entries like netbios_ns - (note the underscore) in <filename>/etc/services</filename>. - You must either edit <filename>/etc/services</filename> or - <filename>/etc/inetd.conf</filename> to make them consistant.</para> - - <para>NOTE: On many systems you may need to use the - "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run <command>ifconfig</command> - as root if you don't know what the broadcast is for your - net. <command>nmbd</command> tries to determine it at run - time, but fails on somunixes. See the section on "testing nmbd" - for a method of finding if you need to do this.</para> - - <para>!!!WARNING!!! Many unixes only accept around 5 - parameters on the command line in <filename>inetd.conf</filename>. - This means you shouldn't use spaces between the options and - arguments, or you should use a script, and start the script - from <command>inetd</command>.</para> - - <para>Restart <command>inetd</command>, perhaps just send - it a HUP. If you have installed an earlier version of <command> - nmbd</command> then you may need to kill nmbd as well.</para> - </sect2> - - <sect2> - <title>Step 5b. 
Alternative: starting it as a daemon</title> - - <para>To start the server as a daemon you should create - a script something like this one, perhaps calling - it <filename>startsmb</filename>.</para> - - <para><programlisting> - #!/bin/sh - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - </programlisting></para> - - <para>then make it executable with <command>chmod - +x startsmb</command></para> - - <para>You can then run <command>startsmb</command> by - hand or execute it from <filename>/etc/rc.local</filename> - </para> - - <para>To kill it send a kill signal to the processes - <command>nmbd</command> and <command>smbd</command>.</para> - - <para>NOTE: If you use the SVR4 style init system then - you may like to look at the <filename>examples/svr4-startup</filename> - script to make Samba fit into that system.</para> - </sect2> -</sect1> - -<sect1> - <title>Step 6: Try listing the shares available on your - server</title> - - <para><prompt>$ </prompt><userinput>smbclient -L - <replaceable>yourhostname</replaceable></userinput></para> - - <para>Your should get back a list of shares available on - your server. If you don't then something is incorrectly setup. - Note that this method can also be used to see what shares - are available on other LanManager clients (such as WfWg).</para> - - <para>If you choose user level security then you may find - that Samba requests a password before it will list the shares. - See the <command>smbclient</command> man page for details. (you - can force it to list the shares without a password by - adding the option -U% to the command line. 
This will not work - with non-Samba servers)</para> -</sect1> - -<sect1> - <title>Step 7: Try connecting with the unix client</title> - - <para><prompt>$ </prompt><userinput>smbclient <replaceable> - //yourhostname/aservice</replaceable></userinput></para> - - <para>Typically the <replaceable>yourhostname</replaceable> - would be the name of the host where you installed <command> - smbd</command>. The <replaceable>aservice</replaceable> is - any service you have defined in the <filename>smb.conf</filename> - file. Try your user name if you just have a [homes] section - in <filename>smb.conf</filename>.</para> - - <para>For example if your unix host is bambi and your login - name is fred you would type:</para> - - <para><prompt>$ </prompt><userinput>smbclient //bambi/fred - </userinput></para> -</sect1> - -<sect1> - <title>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</title> - - <para>Try mounting disks. eg:</para> - - <para><prompt>C:\WINDOWS\> </prompt><userinput>net use d: \\servername\service - </userinput></para> - - <para>Try printing. eg:</para> - - <para><prompt>C:\WINDOWS\> </prompt><userinput>net use lpt1: - \\servername\spoolservice</userinput></para> - - <para><prompt>C:\WINDOWS\> </prompt><userinput>print filename - </userinput></para> - - <para>Celebrate, or send me a bug report!</para> -</sect1> - -<sect1> - <title>What If Things Don't Work?</title> - - <para>If nothing works and you start to think "who wrote - this pile of trash" then I suggest you do step 2 again (and - again) till you calm down.</para> - - <para>Then you might read the file DIAGNOSIS.txt and the - FAQ. If you are still stuck then try the mailing list or - newsgroup (look in the README for details). Samba has been - successfully installed at thousands of sites worldwide, so maybe - someone else has hit your problem and has overcome it. 
You could - also use the WWW site to scan back issues of the samba-digest.</para> - - <para>When you fix the problem PLEASE send me some updates to the - documentation (or source code) so that the next person will find it - easier. </para> - - <sect2> - <title>DIAGNOSING PROBLEMS</title> - - <para>If you have instalation problems then go to - <filename>DIAGNOSIS.txt</filename> to try to find the - problem.</para> - </sect2> - - <sect2> - <title>SCOPE IDs</title> - - <para>By default Samba uses a blank scope ID. This means - all your windows boxes must also have a blank scope ID. - If you really want to use a non-blank scope ID then you will - need to use the -i <scope> option to nmbd, smbd, and - smbclient. All your PCs will need to have the same setting for - this to work. I do not recommend scope IDs.</para> - </sect2> - - - <sect2> - <title>CHOOSING THE PROTOCOL LEVEL</title> - - <para>The SMB protocol has many dialects. Currently - Samba supports 5, called CORE, COREPLUS, LANMAN1, - LANMAN2 and NT1.</para> - - <para>You can choose what maximum protocol to support - in the <filename>smb.conf</filename> file. The default is - NT1 and that is the best for the vast majority of sites.</para> - - <para>In older versions of Samba you may have found it - necessary to use COREPLUS. The limitations that led to - this have mostly been fixed. It is now less likely that you - will want to use less than LANMAN1. The only remaining advantage - of COREPLUS is that for some obscure reason WfWg preserves - the case of passwords in this protocol, whereas under LANMAN1, - LANMAN2 or NT1 it uppercases all passwords before sending them, - forcing you to use the "password level=" option in some cases.</para> - - <para>The main advantage of LANMAN2 and NT1 is support for - long filenames with some clients (eg: smbclient, Windows NT - or Win95). 
</para> - - <para>See the smb.conf(5) manual page for more details.</para> - - <para>Note: To support print queue reporting you may find - that you have to use TCP/IP as the default protocol under - WfWg. For some reason if you leave Netbeui as the default - it may break the print queue reporting on some systems. - It is presumably a WfWg bug.</para> - </sect2> - - <sect2> - <title>PRINTING FROM UNIX TO A CLIENT PC</title> - - <para>To use a printer that is available via a smb-based - server from a unix host you will need to compile the - smbclient program. You then need to install the script - "smbprint". Read the instruction in smbprint for more details. - </para> - - <para>There is also a SYSV style script that does much - the same thing called smbprint.sysv. It contains instructions.</para> - </sect2> - - <sect2> - <title>LOCKING</title> - - <para>One area which sometimes causes trouble is locking.</para> - - <para>There are two types of locking which need to be - performed by a SMB server. The first is "record locking" - which allows a client to lock a range of bytes in a open file. - The second is the "deny modes" that are specified when a file - is open.</para> - - <para>Samba supports "record locking" using the fcntl() unix system - call. This is often implemented using rpc calls to a rpc.lockd process - running on the system that owns the filesystem. Unfortunately many - rpc.lockd implementations are very buggy, particularly when made to - talk to versions from other vendors. It is not uncommon for the - rpc.lockd to crash.</para> - - <para>There is also a problem translating the 32 bit lock - requests generated by PC clients to 31 bit requests supported - by most unixes. Unfortunately many PC applications (typically - OLE2 applications) use byte ranges with the top bit set - as semaphore sets. 
Samba attempts translation to support - these types of applications, and the translation has proved - to be quite successful.</para> - - <para>Strictly a SMB server should check for locks before - every read and write call on a file. Unfortunately with the - way fcntl() works this can be slow and may overstress the - rpc.lockd. It is also almost always unnecessary as clients - are supposed to independently make locking calls before reads - and writes anyway if locking is important to them. By default - Samba only makes locking calls when explicitly asked - to by a client, but if you set "strict locking = yes" then it will - make lock checking calls on every read and write. </para> - - <para>You can also disable by range locking completely - using "locking = no". This is useful for those shares that - don't support locking or don't need it (such as cdroms). In - this case Samba fakes the return codes of locking calls to - tell clients that everything is OK.</para> - - <para>The second class of locking is the "deny modes". These - are set by an application when it opens a file to determine - what types of access should be allowed simultaneously with - its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE - or DENY_ALL. There are also special compatability modes called - DENY_FCB and DENY_DOS.</para> - - <para>You can disable share modes using "share modes = no". - This may be useful on a heavily loaded server as the share - modes code is very slow. See also the FAST_SHARE_MODES - option in the Makefile for a way to do full share modes - very fast using shared memory (if your OS supports it).</para> - </sect2> - - <sect2> - <title>MAPPING USERNAMES</title> - - <para>If you have different usernames on the PCs and - the unix server then take a look at the "username map" option. 
- See the smb.conf man page for details.</para> - </sect2> - - <sect2> - <title>OTHER CHARACTER SETS</title> - - <para>If you have problems using filenames with accented - characters in them (like the German, French or Scandinavian - character sets) then I recommmend you look at the "valid chars" - option in smb.conf and also take a look at the validchars - package in the examples directory.</para> - </sect2> - -</sect1> -</chapter> diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index b496f30dd74..8ea419d758f 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -16,6 +16,13 @@ <address><email>tridge@linuxcare.com.au</email></address> </affiliation> </author> + <author> + <firstname>John</firstname><surname>Trostel</surname> + <affiliation> + <orgname>Snapserver</orgname> + <address><email>jtrostel@snapserver.com</email></address> + </affiliation> + </author> <pubdate>16 Oct 2000</pubdate> @@ -372,9 +379,10 @@ somewhat to fit the way your distribution works. <para> If you have a samba configuration file that you are currently -using... BACK IT UP! If your system already uses PAM, BACK UP -THE <filename>/etc/pam.d</filename> directory contents! If you -haven't already made a boot disk, MAKE ON NOW! +using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM, +<emphasis>back up the <filename>/etc/pam.d</filename> directory +contents!</emphasis> If you haven't already made a boot disk, +<emphasis>MAKE ONE NOW!</emphasis> </para> <para> 
@@ -386,10 +394,11 @@ you get frustrated with the way things are going. ;-) </para> <para> -The newest version of SAMBA (version 2.2.2), available from -cvs.samba.org, now include a functioning winbindd daemon. Please refer -to the main SAMBA web page or, better yet, your closest SAMBA mirror -site for instructions on downloading the source code. +The latest version of SAMBA (version 2.2.2 as of this writing), now +includes a functioning winbindd daemon. Please refer to the +<ulink url="http://samba.org/">main SAMBA web page</ulink> or, +better yet, your closest SAMBA mirror site for instructions on +downloading the source code. </para> <para> @@ -399,8 +408,8 @@ SAMBA machine, PAM (pluggable authentication modules) must be setup properly on your machine. In order to compile the winbind modules, you should have at least the pam libraries resident on your system. For recent RedHat systems (7.1, for instance), that -means 'pam-0.74-22'. For best results, it is helpful to also -install the development packages in 'pam-devel-0.74-22'. +means <filename>pam-0.74-22</filename>. For best results, it is helpful to also +install the development packages in <filename>pam-devel-0.74-22</filename>. </para> </sect2> @@ -419,8 +428,9 @@ directory structure, including the pam modules are used by pam-aware services, several pam libraries, and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, my RedHat -system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed. +the header files needed to compile pam-aware applications. For instance, +my RedHat system has both <filename>pam-0.74-22</filename> and +<filename>pam-devel-0.74-22</filename> RPMs installed. </para> <sect3> 
@@ -428,38 +438,39 @@ system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed. <para> The configuration and compilation of SAMBA is pretty straightforward. -The first three steps maynot be necessary depending upon +The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries. </para> <para><programlisting> -<prompt>root# </prompt> autoconf -<prompt>root# </prompt> make clean -<prompt>root# </prompt> rm config.cache -<prompt>root# </prompt> ./configure --with-winbind -<prompt>root# </prompt> make -<prompt>root# </prompt> make install +<prompt>root#</prompt> <command>autoconf</command> +<prompt>root#</prompt> <command>make clean</command> +<prompt>root#</prompt> <command>rm config.cache</command> +<prompt>root#</prompt> <command>./configure --with-winbind</command> +<prompt>root#</prompt> <command>make</command> +<prompt>root#</prompt> <command>make install</command> </programlisting></para> <para> -This will, by default, install SAMBA in /usr/local/samba. See the -main SAMBA documentation if you want to install SAMBA somewhere else. +This will, by default, install SAMBA in <filename>/usr/local/samba</filename>. +See the main SAMBA documentation if you want to install SAMBA somewhere else. It will also build the winbindd executable and libraries. </para> </sect3> <sect3> -<title>Configure nsswitch.conf and the winbind libraries</title> +<title>Configure <filename>nsswitch.conf</filename> and the +winbind libraries</title> <para> -The libraries needed to run the winbind daemon through nsswitch -need to be copied to their proper locations, so +The libraries needed to run the <command>winbindd</command> daemon +through nsswitch need to be copied to their proper locations, so </para> <para> -<prompt>root# </prompt> cp ../samba/source/nsswitch/libnss_winbind.so /lib +<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command> </para> <para> 
@@ -467,30 +478,31 @@ I also found it necessary to make the following symbolic link: </para> <para> -<prompt>root# </prompt> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 +<prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command> </para> <para> Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to allow user and group entries to be visible from the <command>winbindd</command> -daemon, as well as from your /etc/hosts files and NIS servers. My -<filename>/etc/nsswitch.conf</filename> file look like this after editing: +daemon. My <filename>/etc/nsswitch.conf</filename> file look like +this after editing: </para> <para><programlisting> passwd: files winbind - shadow: files winbind + shadow: files group: files winbind </programlisting></para> <para> The libraries needed by the winbind daemon will be automatically -entered into the ldconfig cache the next time your system reboots, but it +entered into the <command>ldconfig</command> cache the next time +your system reboots, but it is faster (and you don't need to reboot) if you do it manually: </para> <para> -<prompt>root# </prompt> /sbin/ldconfig -v | grep winbind +<prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command> </para> <para> 
@@ -517,16 +529,17 @@ include the following entries in the [global] section: [global] <...> # separate domain and username with '+', like DOMAIN+username - winbind separator = + + <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = + # use uids from 10000 to 20000 for domain users - winbind uid = 10000-20000 + <ulink url="winbindd.8.html#WINBINDUID">winbind uid</ulink> = 10000-20000 # use gids from 10000 to 20000 for domain groups - winbind gid = 10000-20000 + <ulink url="winbindd.8.html#WINBINDGID">winbind gid</ulink> = 10000-20000 # allow enumeration of winbind users and groups - winbind enum users = yes - winbind enum groups = yes + <ulink url="winbindd.8.html#WINBINDENUMUSERS">winbind enum users</ulink> = yes + <ulink url="winbindd.8.html#WINBINDENUMGROUP">winbind enum groups</ulink> = yes # give winbind users a real shell (only needed if they have telnet access) - template shell = /bin/bash + <ulink url="winbindd.8.html#TEMPLATEHOMEDIR">template homedir</ulink> = /home/winnt/%D/%U + <ulink url="winbindd.8.html#TEMPLATESHELL">template shell</ulink> = /bin/bash </programlisting></para> </sect3> @@ -544,7 +557,7 @@ a domain user who has administrative privileges in the domain. <para> -<prompt>root# </prompt>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator +<prompt>root#</prompt> <command>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</command> </para> @@ -569,7 +582,7 @@ command as root: </para> <para> -<prompt>root# </prompt>/usr/local/samba/bin/winbindd +<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command> </para> <para> @@ -578,7 +591,12 @@ is really running... </para> <para> -<prompt>root# </prompt> ps -ae | grep winbindd +<prompt>root#</prompt> <command>ps -ae | grep winbindd</command> +</para> +<para> +This command should produce output like this, if the daemon is running +</para> +<para> 3025 ? 00:00:00 winbindd </para> 
@@ -588,7 +606,7 @@ users on your PDC </para> <para> -<prompt>root# </prompt> # /usr/local/samba/bin/wbinfo -u +<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command> </para> <para> @@ -606,7 +624,8 @@ CEO+TsInternetUser </programlisting></para> <para> -Obviously, I have named my domain 'CEO' and my winbindd separator is '+'. +Obviously, I have named my domain 'CEO' and my <parameter>winbindd +separator</parameter> is '+'. </para> <para> @@ -615,7 +634,7 @@ the PDC: </para> <para><programlisting> -<prompt>root# </prompt>/usr/local/samba/bin/wbinfo -g +<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command> CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -634,7 +653,7 @@ Try the following command: </para> <para> -<prompt>root# </prompt> getent passwd +<prompt>root#</prompt> <command>getent passwd</command> </para> <para> @@ -648,14 +667,14 @@ The same thing can be done for groups with the command </para> <para> -<prompt>root# </prompt> getent group +<prompt>root#</prompt> <command>getent group</command> </para> </sect3> <sect3> -<title>Fix the /etc/rc.d/init.d/smb startup files</title> +<title>Fix the <filename>/etc/rc.d/init.d/smb</filename> startup files</title> <para> The <command>winbindd</command> daemon needs to start up after the @@ -718,6 +737,13 @@ stop() { } </programlisting></para> +<para> +If you restart the <command>smbd</command>, <command>nmbd</command>, +and <command>winbindd</command> daemons at this point, you +should be able to connect to the samba server as a domain member just as +if you were a local user. +</para> + </sect3> 
@@ -726,32 +752,42 @@ stop() { <title>Configure Winbind and PAM</title> <para> -If you have made it this far, you know that winbindd is working. -Now it is time to integrate it into the operation of samba and other -services. The pam configuration files need to be altered in +If you have made it this far, you know that winbindd and samba are working +together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in this step. (Did you remember to make backups of your original <filename>/etc/pam.d</filename> files? If not, do it now.) </para> <para> -To get samba to allow domain users and groups, I modified the -<filename>/etc/pam.d/samba</filename> file from +You will need a pam module to use winbindd with these other services. This +module will be compiled in the <filename>../source/nsswitch</filename> directory +by invoking the command </para> +<para> +<prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command> +</para> -<para><programlisting> -auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth -</programlisting></para> +<para> +from the <filename>../source</filename> directory. The +<filename>pam_winbind.so</filename> file should be copied to the location of +your other pam security modules. On my RedHat system, this was the +<filename>/lib/security</filename> directory. +</para> <para> -to +<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command> </para> +<para> +The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I +just left this fileas it was: +</para> + + <para><programlisting> -auth required /lib/security/pam_winbind.so auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth </programlisting></para> 
@@ -795,10 +831,11 @@ changed to look like this: </para> <para><programlisting> -auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_shells.so +account sufficient /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth </programlisting></para> @@ -830,15 +867,6 @@ line after the <command>winbind.so</command> line to get rid of annoying double prompts for passwords. </para> -<para> -Finally, don't forget to copy the winbind pam modules from -the source directory in which you originally compiled the new -SAMBA up to the /lib/security directory so that pam can use it: -</para> - -<para> -<prompt>root# </prompt> cp ../samba/source/nsswitch/pam_winbind.so /lib/security -</para> </sect3> |
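Review bot: the orderedlist removed in the @@ -1147,97 +1168,27 @@ hunk of Samba-PDC-HOWTO.sgml carried the only statement that the [netlogon] share must not be writeable by ordinary users (the `writeable = no` example and the paragraph explaining that users must not be able to modify or add files that another user's machine downloads at logon), and the replacement itemizedlist about Windows 9x logon servers does not restate it. Unless that paragraph and the `logon script = %U.bat` example now live in another section of this file, keep the security caveat here or add a pointer to where it moved.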
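Review bot: chapter1.sgml is deleted outright (@@ -1,446 +0,0 @@) with no corresponding addition anywhere in this changeset, so material that existed only there, such as the LOCKING, CHOOSING THE PROTOCOL LEVEL and SCOPE IDs subsections and the minimal `[homes]` example with `guest ok = no`, disappears from projdoc. Either state in the commit message where this content now lives or keep the file until it has been moved, and check that no other projdoc file or the book-level driver still references chapter1.sgml.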
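Review bot: the `<pubdate>16 Oct 2000</pubdate>` context line directly after the new `<author>` block in the @@ -16,6 +16,13 @@ hunk of winbind.sgml is now stale, since the same patch rewrites the body to say "version 2.2.2 as of this writing" (@@ -386,10 +394,11 @@). Bump the pubdate together with the author addition.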
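Review bot: the rewritten sentence `+daemon. My <filename>/etc/nsswitch.conf</filename> file look like` in the @@ -467,30 +478,31 @@ hunk keeps the original grammar slip; it should read `file looks like`. The same hunk silently changes `shadow: files winbind` to `shadow: files` without any prose explaining the removal; one sentence on why winbind is dropped from the shadow line would stop readers who copied the old listing from adding it back.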
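Review bot: in the @@ -517,16 +529,17 @@ hunk the comment `# give winbind users a real shell (only needed if they have telnet access)` now sits above the new `template homedir = /home/winnt/%D/%U` line, which it does not describe; give the home directory template its own comment. The link target `winbindd.8.html#WINBINDENUMGROUP` is also singular while the parameter is `winbind enum groups` and the neighbouring anchor is `#WINBINDENUMUSERS`; verify the generated man page id before shipping this link.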
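Review bot: the new paragraph `This command should produce output like this, if the daemon is running` in the @@ -578,7 +591,12 @@ hunk ends without punctuation and puts the sample line `3025 ? 00:00:00 winbindd` in a plain `<para>`; end the sentence with a colon and wrap the sample in `<programlisting>` or `<computeroutput>`, as the wbinfo output later in this file already is.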
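Review bot: `<parameter>winbindd separator</parameter>` in the @@ -606,7 +624,8 @@ hunk names an option that does not exist in the configuration shown earlier in this file; the smb.conf line there is `winbind separator = +` (@@ -517,16 +529,17 @@). Fix the spelling so the new markup points at the right parameter.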
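Review bot: `I just left this fileas it was:` in the @@ -726,32 +752,42 @@ hunk is missing a space (`file as`), and two blank lines precede the following `<programlisting>`. More importantly, the build step says to run `make nsswitch/pam_winbind.so` from the `../source` directory, but the copy command that follows is `cp ../samba/source/nsswitch/pam_winbind.so /lib/security`, which only resolves from a different working directory; pick one working directory for both commands (for example `cp nsswitch/pam_winbind.so /lib/security` when still in `../source`).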
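Review bot: the reordering in the @@ -795,10 +831,11 @@ hunk, which moves `auth sufficient /lib/security/pam_winbind.so` below `auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed`, is the right fix but is not explained in the surrounding prose. With the `sufficient` module first, a domain user accepted by winbind would satisfy the auth stack before the /etc/ftpusers deny list was consulted, so the deny check has to come first; a sentence saying so, and one for the newly added `account sufficient /lib/security/pam_winbind.so` line, will keep readers from restoring the old order when they adapt the listing.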
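Review bot: the context line `line after the <command>winbind.so</command> line` above the deletion in the @@ -830,15 +867,6 @@ hunk refers to a module name that appears in none of the listings; the module is `pam_winbind.so`. Since this section is being edited anyway to move the copy instructions earlier, correct that name in the same change.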