diff options
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
| -rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 5918 |
1 files changed, 0 insertions, 5918 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html deleted file mode 100644 index 346c2bc84d0..00000000000 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ /dev/null @@ -1,5918 +0,0 @@ -<HTML -><HEAD -><TITLE ->SAMBA Project Documentation</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="BOOK" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="BOOK" -><A -NAME="SAMBA-PROJECT-DOCUMENTATION" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="SAMBA-PROJECT-DOCUMENTATION" ->SAMBA Project Documentation</A -></H1 -><H3 -CLASS="AUTHOR" -><A -NAME="AEN4" ->SAMBA Team</A -></H3 -><HR></DIV -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->1. <A -HREF="#AEN10" ->How to Install and Test SAMBA</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN12" ->Step 0: Read the man pages</A -></DT -><DT -><A -HREF="#AEN20" ->Step 1: Building the Binaries</A -></DT -><DT -><A -HREF="#AEN48" ->Step 2: The all important step</A -></DT -><DT -><A -HREF="#AEN52" ->Step 3: Create the smb configuration file.</A -></DT -><DT -><A -HREF="#AEN66" ->Step 4: Test your config file with - <B -CLASS="COMMAND" ->testparm</B -></A -></DT -><DT -><A -HREF="#AEN72" ->Step 5: Starting the smbd and nmbd</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN82" ->Step 5a: Starting from inetd.conf</A -></DT -><DT -><A -HREF="#AEN111" ->Step 5b. Alternative: starting it as a daemon</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN127" ->Step 6: Try listing the shares available on your - server</A -></DT -><DT -><A -HREF="#AEN136" ->Step 7: Try connecting with the unix client</A -></DT -><DT -><A -HREF="#AEN152" ->Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</A -></DT -><DT -><A -HREF="#AEN166" ->What If Things Don't Work?</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN171" ->Diagnosing Problems</A -></DT -><DT -><A -HREF="#AEN175" ->Scope IDs</A -></DT -><DT -><A -HREF="#AEN178" ->Choosing the Protocol Level</A -></DT -><DT -><A -HREF="#AEN187" ->Printing from UNIX to a Client PC</A -></DT -><DT -><A -HREF="#AEN191" ->Locking</A -></DT -><DT -><A -HREF="#AEN201" ->Mapping Usernames</A -></DT -><DT -><A -HREF="#AEN204" ->Other Character Sets</A -></DT -></DL -></DD -></DL -></DD -><DT ->2. <A -HREF="#AEN207" ->LanMan and NT Password Encryption in Samba 2.x</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN218" ->Introduction</A -></DT -><DT -><A -HREF="#AEN222" ->How does it work?</A -></DT -><DT -><A -HREF="#AEN233" ->Important Notes About Security</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN252" ->Advantages of SMB Encryption</A -></DT -><DT -><A -HREF="#AEN259" ->Advantages of non-encrypted passwords</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN268" -><A -NAME="SMBPASSWDFILEFORMAT" -></A ->The smbpasswd file</A -></DT -><DT -><A -HREF="#AEN320" ->The smbpasswd Command</A -></DT -><DT -><A -HREF="#AEN359" ->Setting up Samba to support LanManager Encryption</A -></DT -></DL -></DD -><DT ->3. <A -HREF="#AEN374" ->Hosting a Microsoft Distributed File System tree on Samba</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN385" ->Instructions</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN420" ->Notes</A -></DT -></DL -></DD -></DL -></DD -><DT ->4. <A -HREF="#AEN429" ->Printing Support in Samba 2.2.x</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN440" ->Introduction</A -></DT -><DT -><A -HREF="#AEN457" ->Configuration</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN511" ->Support a large number of printers</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN522" ->The Imprints Toolset</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN526" ->What is Imprints?</A -></DT -><DT -><A -HREF="#AEN536" ->Creating Printer Driver Packages</A -></DT -><DT -><A -HREF="#AEN539" ->The Imprints server</A -></DT -><DT -><A -HREF="#AEN543" ->The Installation Client</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN565" -><A -NAME="MIGRATION" -></A ->Migration to from Samba 2.0.x to - 2.2.x</A -></DT -></DL -></DD -><DT ->5. <A -HREF="#AEN594" ->security = domain in Samba 2.x</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN612" ->Joining an NT Domain with Samba 2.2</A -></DT -><DT -><A -HREF="#AEN676" ->Samba and Windows 2000 Domains</A -></DT -><DT -><A -HREF="#AEN681" ->Why is this better than security = server?</A -></DT -></DL -></DD -><DT ->6. <A -HREF="#AEN697" ->How to Configure Samba 2.2.x as a Primary Domain Controller</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN708" ->Background</A -></DT -><DT -><A -HREF="#AEN745" ->Configuring the Samba Domain Controller</A -></DT -><DT -><A -HREF="#AEN788" ->Creating Machine Trust Accounts and Joining Clients -to the Domain</A -></DT -><DT -><A -HREF="#AEN827" ->Common Problems and Errors</A -></DT -><DT -><A -HREF="#AEN855" ->System Policies and Profiles</A -></DT -><DT -><A -HREF="#AEN895" ->What other help can I get ?</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN942" ->URLs and similar</A -></DT -><DT -><A -HREF="#AEN966" ->Mailing Lists</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN1005" ->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></DT -></DL -></DD -><DT ->7. <A -HREF="#AEN1029" ->Unifed Logons between Windows NT and UNIX using Winbind</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN1047" ->Abstract</A -></DT -><DT -><A -HREF="#AEN1051" ->Introduction</A -></DT -><DT -><A -HREF="#AEN1064" ->What Winbind Provides</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN1071" ->Target Uses</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN1075" ->How Winbind Works</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN1080" ->Microsoft Remote Procedure Calls</A -></DT -><DT -><A -HREF="#AEN1084" ->Name Service Switch</A -></DT -><DT -><A -HREF="#AEN1100" ->Pluggable Authentication Modules</A -></DT -><DT -><A -HREF="#AEN1108" ->User and Group ID Allocation</A -></DT -><DT -><A -HREF="#AEN1112" ->Result Caching</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN1115" ->Installation and Configuration</A -></DT -><DT -><A -HREF="#AEN1121" ->Limitations</A -></DT -><DT -><A -HREF="#AEN1133" ->Conclusion</A -></DT -></DL -></DD -><DT ->8. <A -HREF="#AEN1136" ->UNIX Permission Bits and WIndows NT Access Control Lists</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN1147" ->Viewing and changing UNIX permissions using the NT - security dialogs</A -></DT -><DT -><A -HREF="#AEN1156" ->How to view file security on a Samba share</A -></DT -><DT -><A -HREF="#AEN1167" ->Viewing file ownership</A -></DT -><DT -><A -HREF="#AEN1187" ->Viewing file or directory permissions</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN1202" ->File Permissions</A -></DT -><DT -><A -HREF="#AEN1216" ->Directory Permissions</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN1223" ->Modifying file or directory permissions</A -></DT -><DT -><A -HREF="#AEN1245" ->Interaction with the standard Samba create mask - parameters</A -></DT -><DT -><A -HREF="#AEN1309" ->Interaction with the standard Samba file attribute - mapping</A -></DT -></DL -></DD -><DT ->9. <A -HREF="#AEN1319" ->OS2 Client HOWTO</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN1330" ->FAQs</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN1332" ->How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?</A -></DT -><DT -><A -HREF="#AEN1347" ->How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?</A -></DT -><DT -><A -HREF="#AEN1356" ->Are there any other issues when OS/2 (any version) - is used as a client?</A -></DT -><DT -><A -HREF="#AEN1360" ->How do I get printer driver download working - for OS/2 clients?</A -></DT -></DL -></DD -></DL -></DD -></DL -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN10" ->Chapter 1. How to Install and Test SAMBA</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN12" ->Step 0: Read the man pages</A -></H1 -><P ->The man pages distributed with SAMBA contain - lots of useful info that will help to get you started. - If you don't know how to read man pages then try - something like:</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->nroff -man smbd.8 | more - </B -></TT -></P -><P ->Other sources of information are pointed to - by the Samba web site,<A -HREF="http://www.samba.org/" -TARGET="_top" -> http://www.samba.org</A -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN20" ->Step 1: Building the Binaries</A -></H1 -><P ->To do this, first run the program <B -CLASS="COMMAND" ->./configure - </B -> in the source directory. This should automatically - configure Samba for your operating system. If you have unusual - needs then you may wish to run</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->./configure --help - </B -></TT -></P -><P ->first to see what special options you can enable. - Then exectuting</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->make</B -></TT -></P -><P ->will create the binaries. Once it's successfully - compiled you can use </P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->make install</B -></TT -></P -><P ->to install the binaries and manual pages. You can - separately install the binaries and/or man pages using</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->make installbin - </B -></TT -></P -><P ->and</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->make installman - </B -></TT -></P -><P ->Note that if you are upgrading for a previous version - of Samba you might like to know that the old versions of - the binaries will be renamed with a ".old" extension. You - can go back to the previous version with</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->make revert - </B -></TT -></P -><P ->if you find this version a disaster!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN48" ->Step 2: The all important step</A -></H1 -><P ->At this stage you must fetch yourself a - coffee or other drink you find stimulating. Getting the rest - of the install right can sometimes be tricky, so you will - probably need it.</P -><P ->If you have installed samba before then you can skip - this step.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN52" ->Step 3: Create the smb configuration file.</A -></H1 -><P ->There are sample configuration files in the examples - subdirectory in the distribution. I suggest you read them - carefully so you can see how the options go together in - practice. See the man page for all the options.</P -><P ->The simplest useful configuration file would be - something like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [global] - workgroup = MYGROUP - - [homes] - guest ok = no - read only = no - </PRE -></P -><P ->which would allow connections by anyone with an - account on the server, using either their login name or - "homes" as the service name. (Note that I also set the - workgroup that Samba is part of. See BROWSING.txt for defails)</P -><P ->Note that <B -CLASS="COMMAND" ->make install</B -> will not install - a <TT -CLASS="FILENAME" ->smb.conf</TT -> file. You need to create it - yourself. </P -><P ->Make sure you put the smb.conf file in the same place - you specified in the<TT -CLASS="FILENAME" ->Makefile</TT -> (the default is to - look for it in <TT -CLASS="FILENAME" ->/usr/local/samba/lib/</TT ->).</P -><P ->For more information about security settings for the - [homes] share please refer to the document UNIX_SECURITY.txt.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN66" ->Step 4: Test your config file with - <B -CLASS="COMMAND" ->testparm</B -></A -></H1 -><P ->It's important that you test the validity of your - <TT -CLASS="FILENAME" ->smb.conf</TT -> file using the testparm program. - If testparm runs OK then it will list the loaded services. If - not it will give an error message.</P -><P ->Make sure it runs OK and that the services look - resonable before proceeding. </P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN72" ->Step 5: Starting the smbd and nmbd</A -></H1 -><P ->You must choose to start smbd and nmbd either - as daemons or from <B -CLASS="COMMAND" ->inetd</B ->. Don't try - to do both! Either you can put them in <TT -CLASS="FILENAME" -> inetd.conf</TT -> and have them started on demand - by <B -CLASS="COMMAND" ->inetd</B ->, or you can start them as - daemons either from the command line or in <TT -CLASS="FILENAME" -> /etc/rc.local</TT ->. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start - Samba. In many cases you must be root.</P -><P ->The main advantage of starting <B -CLASS="COMMAND" ->smbd</B -> - and <B -CLASS="COMMAND" ->nmbd</B -> as a daemon is that they will - respond slightly more quickly to an initial connection - request. This is, however, unlikely to be a problem.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN82" ->Step 5a: Starting from inetd.conf</A -></H2 -><P ->NOTE; The following will be different if - you use NIS or NIS+ to distributed services maps.</P -><P ->Look at your <TT -CLASS="FILENAME" ->/etc/services</TT ->. - What is defined at port 139/tcp. If nothing is defined - then add a line like this:</P -><P -><TT -CLASS="USERINPUT" -><B ->netbios-ssn 139/tcp</B -></TT -></P -><P ->similarly for 137/udp you should have an entry like:</P -><P -><TT -CLASS="USERINPUT" -><B ->netbios-ns 137/udp</B -></TT -></P -><P ->Next edit your <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> - and add two lines something like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd - netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd - </PRE -></P -><P ->The exact syntax of <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> - varies between unixes. Look at the other entries in inetd.conf - for a guide.</P -><P ->NOTE: Some unixes already have entries like netbios_ns - (note the underscore) in <TT -CLASS="FILENAME" ->/etc/services</TT ->. - You must either edit <TT -CLASS="FILENAME" ->/etc/services</TT -> or - <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> to make them consistant.</P -><P ->NOTE: On many systems you may need to use the - "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run <B -CLASS="COMMAND" ->ifconfig</B -> - as root if you don't know what the broadcast is for your - net. <B -CLASS="COMMAND" ->nmbd</B -> tries to determine it at run - time, but fails on somunixes. See the section on "testing nmbd" - for a method of finding if you need to do this.</P -><P ->!!!WARNING!!! Many unixes only accept around 5 - parameters on the command line in <TT -CLASS="FILENAME" ->inetd.conf</TT ->. - This means you shouldn't use spaces between the options and - arguments, or you should use a script, and start the script - from <B -CLASS="COMMAND" ->inetd</B ->.</P -><P ->Restart <B -CLASS="COMMAND" ->inetd</B ->, perhaps just send - it a HUP. If you have installed an earlier version of <B -CLASS="COMMAND" -> nmbd</B -> then you may need to kill nmbd as well.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN111" ->Step 5b. Alternative: starting it as a daemon</A -></H2 -><P ->To start the server as a daemon you should create - a script something like this one, perhaps calling - it <TT -CLASS="FILENAME" ->startsmb</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #!/bin/sh - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - </PRE -></P -><P ->then make it executable with <B -CLASS="COMMAND" ->chmod - +x startsmb</B -></P -><P ->You can then run <B -CLASS="COMMAND" ->startsmb</B -> by - hand or execute it from <TT -CLASS="FILENAME" ->/etc/rc.local</TT -> - </P -><P ->To kill it send a kill signal to the processes - <B -CLASS="COMMAND" ->nmbd</B -> and <B -CLASS="COMMAND" ->smbd</B ->.</P -><P ->NOTE: If you use the SVR4 style init system then - you may like to look at the <TT -CLASS="FILENAME" ->examples/svr4-startup</TT -> - script to make Samba fit into that system.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN127" ->Step 6: Try listing the shares available on your - server</A -></H1 -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->smbclient -L - <TT -CLASS="REPLACEABLE" -><I ->yourhostname</I -></TT -></B -></TT -></P -><P ->Your should get back a list of shares available on - your server. If you don't then something is incorrectly setup. - Note that this method can also be used to see what shares - are available on other LanManager clients (such as WfWg).</P -><P ->If you choose user level security then you may find - that Samba requests a password before it will list the shares. - See the <B -CLASS="COMMAND" ->smbclient</B -> man page for details. (you - can force it to list the shares without a password by - adding the option -U% to the command line. This will not work - with non-Samba servers)</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN136" ->Step 7: Try connecting with the unix client</A -></H1 -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->smbclient <TT -CLASS="REPLACEABLE" -><I -> //yourhostname/aservice</I -></TT -></B -></TT -></P -><P ->Typically the <TT -CLASS="REPLACEABLE" -><I ->yourhostname</I -></TT -> - would be the name of the host where you installed <B -CLASS="COMMAND" -> smbd</B ->. The <TT -CLASS="REPLACEABLE" -><I ->aservice</I -></TT -> is - any service you have defined in the <TT -CLASS="FILENAME" ->smb.conf</TT -> - file. Try your user name if you just have a [homes] section - in <TT -CLASS="FILENAME" ->smb.conf</TT ->.</P -><P ->For example if your unix host is bambi and your login - name is fred you would type:</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->smbclient //bambi/fred - </B -></TT -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN152" ->Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</A -></H1 -><P ->Try mounting disks. eg:</P -><P -><TT -CLASS="PROMPT" ->C:\WINDOWS\> </TT -><TT -CLASS="USERINPUT" -><B ->net use d: \\servername\service - </B -></TT -></P -><P ->Try printing. eg:</P -><P -><TT -CLASS="PROMPT" ->C:\WINDOWS\> </TT -><TT -CLASS="USERINPUT" -><B ->net use lpt1: - \\servername\spoolservice</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->C:\WINDOWS\> </TT -><TT -CLASS="USERINPUT" -><B ->print filename - </B -></TT -></P -><P ->Celebrate, or send me a bug report!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN166" ->What If Things Don't Work?</A -></H1 -><P ->If nothing works and you start to think "who wrote - this pile of trash" then I suggest you do step 2 again (and - again) till you calm down.</P -><P ->Then you might read the file DIAGNOSIS.txt and the - FAQ. If you are still stuck then try the mailing list or - newsgroup (look in the README for details). Samba has been - successfully installed at thousands of sites worldwide, so maybe - someone else has hit your problem and has overcome it. You could - also use the WWW site to scan back issues of the samba-digest.</P -><P ->When you fix the problem PLEASE send me some updates to the - documentation (or source code) so that the next person will find it - easier. </P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN171" ->Diagnosing Problems</A -></H2 -><P ->If you have instalation problems then go to - <TT -CLASS="FILENAME" ->DIAGNOSIS.txt</TT -> to try to find the - problem.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN175" ->Scope IDs</A -></H2 -><P ->By default Samba uses a blank scope ID. This means - all your windows boxes must also have a blank scope ID. - If you really want to use a non-blank scope ID then you will - need to use the -i <scope> option to nmbd, smbd, and - smbclient. All your PCs will need to have the same setting for - this to work. I do not recommend scope IDs.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN178" ->Choosing the Protocol Level</A -></H2 -><P ->The SMB protocol has many dialects. Currently - Samba supports 5, called CORE, COREPLUS, LANMAN1, - LANMAN2 and NT1.</P -><P ->You can choose what maximum protocol to support - in the <TT -CLASS="FILENAME" ->smb.conf</TT -> file. The default is - NT1 and that is the best for the vast majority of sites.</P -><P ->In older versions of Samba you may have found it - necessary to use COREPLUS. The limitations that led to - this have mostly been fixed. It is now less likely that you - will want to use less than LANMAN1. The only remaining advantage - of COREPLUS is that for some obscure reason WfWg preserves - the case of passwords in this protocol, whereas under LANMAN1, - LANMAN2 or NT1 it uppercases all passwords before sending them, - forcing you to use the "password level=" option in some cases.</P -><P ->The main advantage of LANMAN2 and NT1 is support for - long filenames with some clients (eg: smbclient, Windows NT - or Win95). </P -><P ->See the smb.conf(5) manual page for more details.</P -><P ->Note: To support print queue reporting you may find - that you have to use TCP/IP as the default protocol under - WfWg. For some reason if you leave Netbeui as the default - it may break the print queue reporting on some systems. - It is presumably a WfWg bug.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN187" ->Printing from UNIX to a Client PC</A -></H2 -><P ->To use a printer that is available via a smb-based - server from a unix host you will need to compile the - smbclient program. You then need to install the script - "smbprint". Read the instruction in smbprint for more details. - </P -><P ->There is also a SYSV style script that does much - the same thing called smbprint.sysv. It contains instructions.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN191" ->Locking</A -></H2 -><P ->One area which sometimes causes trouble is locking.</P -><P ->There are two types of locking which need to be - performed by a SMB server. The first is "record locking" - which allows a client to lock a range of bytes in a open file. - The second is the "deny modes" that are specified when a file - is open.</P -><P ->Samba supports "record locking" using the fcntl() unix system - call. This is often implemented using rpc calls to a rpc.lockd process - running on the system that owns the filesystem. Unfortunately many - rpc.lockd implementations are very buggy, particularly when made to - talk to versions from other vendors. It is not uncommon for the - rpc.lockd to crash.</P -><P ->There is also a problem translating the 32 bit lock - requests generated by PC clients to 31 bit requests supported - by most unixes. Unfortunately many PC applications (typically - OLE2 applications) use byte ranges with the top bit set - as semaphore sets. Samba attempts translation to support - these types of applications, and the translation has proved - to be quite successful.</P -><P ->Strictly a SMB server should check for locks before - every read and write call on a file. Unfortunately with the - way fcntl() works this can be slow and may overstress the - rpc.lockd. It is also almost always unnecessary as clients - are supposed to independently make locking calls before reads - and writes anyway if locking is important to them. By default - Samba only makes locking calls when explicitly asked - to by a client, but if you set "strict locking = yes" then it will - make lock checking calls on every read and write. </P -><P ->You can also disable by range locking completely - using "locking = no". This is useful for those shares that - don't support locking or don't need it (such as cdroms). In - this case Samba fakes the return codes of locking calls to - tell clients that everything is OK.</P -><P ->The second class of locking is the "deny modes". These - are set by an application when it opens a file to determine - what types of access should be allowed simultaneously with - its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE - or DENY_ALL. There are also special compatability modes called - DENY_FCB and DENY_DOS.</P -><P ->You can disable share modes using "share modes = no". - This may be useful on a heavily loaded server as the share - modes code is very slow. See also the FAST_SHARE_MODES - option in the Makefile for a way to do full share modes - very fast using shared memory (if your OS supports it).</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN201" ->Mapping Usernames</A -></H2 -><P ->If you have different usernames on the PCs and - the unix server then take a look at the "username map" option. - See the smb.conf man page for details.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN204" ->Other Character Sets</A -></H2 -><P ->If you have problems using filenames with accented - characters in them (like the German, French or Scandinavian - character sets) then I recommmend you look at the "valid chars" - option in smb.conf and also take a look at the validchars - package in the examples directory.</P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN207" ->Chapter 2. LanMan and NT Password Encryption in Samba 2.x</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN218" ->Introduction</A -></H1 -><P ->With the development of LanManager and Windows NT - compatible password encryption for Samba, it is now able - to validate user connections in exactly the same way as - a LanManager or Windows NT server.</P -><P ->This document describes how the SMB password encryption - algorithm works and what issues there are in choosing whether - you want to use it. You should read it carefully, especially - the part about security and the "PROS and CONS" section.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN222" ->How does it work?</A -></H1 -><P ->LanManager encryption is somewhat similar to UNIX - password encryption. The server uses a file containing a - hashed value of a user's password. This is created by taking - the user's plaintext password, capitalising it, and either - truncating to 14 bytes or padding to 14 bytes with null bytes. - This 14 byte value is used as two 56 bit DES keys to encrypt - a 'magic' eight byte value, forming a 16 byte value which is - stored by the server and client. Let this value be known as - the "hashed password".</P -><P ->Windows NT encryption is a higher quality mechanism, - consisting of doing an MD4 hash on a Unicode version of the user's - password. This also produces a 16 byte hash value that is - non-reversible.</P -><P ->When a client (LanManager, Windows for WorkGroups, Windows - 95 or Windows NT) wishes to mount a Samba drive (or use a Samba - resource), it first requests a connection and negotiates the - protocol that the client and server will use. In the reply to this - request the Samba server generates and appends an 8 byte, random - value - this is stored in the Samba server after the reply is sent - and is known as the "challenge". The challenge is different for - every client connection.</P -><P ->The client then uses the hashed password (16 byte values - described above), appended with 5 null bytes, as three 56 bit - DES keys, each of which is used to encrypt the challenge 8 byte - value, forming a 24 byte value known as the "response".</P -><P ->In the SMB call SMBsessionsetupX (when user level security - is selected) or the call SMBtconX (when share level security is - selected), the 24 byte response is returned by the client to the - Samba server. For Windows NT protocol levels the above calculation - is done on both hashes of the user's password and both responses are - returned in the SMB call, giving two 24 byte values.</P -><P ->The Samba server then reproduces the above calculation, using - its own stored value of the 16 byte hashed password (read from the - <TT -CLASS="FILENAME" ->smbpasswd</TT -> file - described later) and the challenge - value that it kept from the negotiate protocol reply. It then checks - to see if the 24 byte value it calculates matches the 24 byte value - returned to it from the client.</P -><P ->If these values match exactly, then the client knew the - correct password (or the 16 byte hashed value - see security note - below) and is thus allowed access. If not, then the client did not - know the correct password and is denied access.</P -><P ->Note that the Samba server never knows or stores the cleartext - of the user's password - just the 16 byte hashed values derived from - it. Also note that the cleartext password or 16 byte hashed values - are never transmitted over the network - thus increasing security.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN233" ->Important Notes About Security</A -></H1 -><P ->The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the nextwork when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the smbpasswd file as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.</P -><P ->Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc). </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P ->Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are <I -CLASS="EMPHASIS" ->never</I -> sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. See the document WinNT.txt for details on how to do - this.</P -><P ->Other Microsoft operating systems which also exhibit - this behavior includes</P -><P -></P -><UL -><LI -><P ->MS DOS Network client 3.0 with - the basic network redirector installed</P -></LI -><LI -><P ->Windows 95 with the network redirector - update installed</P -></LI -><LI -><P ->Windows 98 [se]</P -></LI -><LI -><P ->Windows 2000</P -></LI -></UL -><P -><I -CLASS="EMPHASIS" ->Note :</I ->All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to particpate in encrypted authentication.</P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN252" ->Advantages of SMB Encryption</A -></H2 -><P -></P -><UL -><LI -><P ->plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.</P -></LI -><LI -><P ->WinNT doesn't like talking to a server - that isn't using SMB encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN259" ->Advantages of non-encrypted passwords</A -></H2 -><P -></P -><UL -><LI -><P ->plain text passwords are not kept - on disk. </P -></LI -><LI -><P ->uses same password file as other unix - services such as login and ftp</P -></LI -><LI -><P ->you are probably already using other - services (such as telnet and ftp) which send plain text - passwords over the net, so sending them for SMB isn't - such a big deal.</P -></LI -></UL -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN268" -><A -NAME="SMBPASSWDFILEFORMAT" -></A ->The smbpasswd file</A -></H1 -><P ->In order for Samba to participate in the above protocol - it must be able to look up the 16 byte hashed values given a user name. - Unfortunately, as the UNIX password value is also a one way hash - function (ie. it is impossible to retrieve the cleartext of the user's - password given the UNIX hash of it), a separate password file - containing this 16 byte value must be kept. To minimise problems with - these two password files, getting out of sync, the UNIX <TT -CLASS="FILENAME" -> /etc/passwd</TT -> and the <TT -CLASS="FILENAME" ->smbpasswd</TT -> file, - a utility, <B -CLASS="COMMAND" ->mksmbpasswd.sh</B ->, is provided to generate - a smbpasswd file from a UNIX <TT -CLASS="FILENAME" ->/etc/passwd</TT -> file. - </P -><P ->To generate the smbpasswd file from your <TT -CLASS="FILENAME" ->/etc/passwd - </TT -> file use the following command :</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->cat /etc/passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd</B -></TT -></P -><P ->If you are running on a system that uses NIS, use</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->ypcat passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd</B -></TT -></P -><P ->The <B -CLASS="COMMAND" ->mksmbpasswd.sh</B -> program is found in - the Samba source directory. By default, the smbpasswd file is - stored in :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private/smbpasswd</TT -></P -><P ->The owner of the <TT -CLASS="FILENAME" ->/usr/local/samba/private/</TT -> - directory should be set to root, and the permissions on it should - be set to 0500 (<B -CLASS="COMMAND" ->chmod 500 /usr/local/samba/private</B ->). - </P -><P ->Likewise, the smbpasswd file inside the private directory should - be owned by root and the permissions on is should be set to 0600 - (<B -CLASS="COMMAND" ->chmod 600 smbpasswd</B ->).</P -><P ->The format of the smbpasswd file is (The line has been - wrapped here. It should appear as one entry per line in - your smbpasswd file.)</P -><P -><PRE -CLASS="PROGRAMLISTING" ->username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: - [Account type]:LCT-<last-change-time>:Long name - </PRE -></P -><P ->Although only the <TT -CLASS="REPLACEABLE" -><I ->username</I -></TT ->, - <TT -CLASS="REPLACEABLE" -><I ->uid</I -></TT ->, <TT -CLASS="REPLACEABLE" -><I -> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</I -></TT ->, - [<TT -CLASS="REPLACEABLE" -><I ->Account type</I -></TT ->] and <TT -CLASS="REPLACEABLE" -><I -> last-change-time</I -></TT -> sections are significant - and are looked at in the Samba code.</P -><P ->It is <I -CLASS="EMPHASIS" ->VITALLY</I -> important that there by 32 - 'X' characters between the two ':' characters in the XXX sections - - the smbpasswd and Samba code will fail to validate any entries that - do not have 32 characters between ':' characters. The first XXX - section is for the Lanman password hash, the second is for the - Windows NT version.</P -><P ->When the password file is created all users have password entries - consisting of 32 'X' characters. By default this disallows any access - as this user. When a user has a password set, the 'X' characters change - to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii - representation of the 16 byte hashed value of a user's password.</P -><P ->To set a user to have no password (not recommended), edit the file - using vi, and replace the first 11 characters with the ascii text - <TT -CLASS="CONSTANT" ->"NO PASSWORD"</TT -> (minus the quotes).</P -><P ->For example, to clear the password for user bob, his smbpasswd file - entry would look like :</P -><P -><PRE -CLASS="PROGRAMLISTING" -> bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell - </PRE -></P -><P ->If you are allowing users to use the smbpasswd command to set - their own passwords, you may want to give users NO PASSWORD initially - so they do not have to enter a previous password when changing to their - new password (not recommended). In order for you to allow this the - <B -CLASS="COMMAND" ->smbpasswd</B -> program must be able to connect to the - <B -CLASS="COMMAND" ->smbd</B -> daemon as that user with no password. Enable this - by adding the line :</P -><P -><B -CLASS="COMMAND" ->null passwords = yes</B -></P -><P ->to the [global] section of the smb.conf file (this is why - the above scenario is not recommended). Preferably, allocate your - users a default password to begin with, so you do not have - to enable this on your server.</P -><P -><I -CLASS="EMPHASIS" ->Note : </I ->This file should be protected very - carefully. Anyone with access to this file can (with enough knowledge of - the protocols) gain access to your SMB server. The file is thus more - sensitive than a normal unix <TT -CLASS="FILENAME" ->/etc/passwd</TT -> file.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN320" ->The smbpasswd Command</A -></H1 -><P ->The smbpasswd command maintains the two 32 byte password fields - in the smbpasswd file. If you wish to make it similar to the unix - <B -CLASS="COMMAND" ->passwd</B -> or <B -CLASS="COMMAND" ->yppasswd</B -> programs, - install it in <TT -CLASS="FILENAME" ->/usr/local/samba/bin/</TT -> (or your - main Samba binary directory).</P -><P ->Note that as of Samba 1.9.18p4 this program <I -CLASS="EMPHASIS" ->MUST NOT - BE INSTALLED</I -> setuid root (the new <B -CLASS="COMMAND" ->smbpasswd</B -> - code enforces this restriction so it cannot be run this way by - accident).</P -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> now works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.</P -><P -></P -><UL -><LI -><P ->smbpasswd no longer has to be setuid root - - an enormous range of potential security problems is - eliminated.</P -></LI -><LI -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> now has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).</P -></LI -></UL -><P ->To run smbpasswd as a normal user just type :</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->smbpasswd</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->Old SMB password: </TT -><TT -CLASS="USERINPUT" -><B -><type old value here - - or hit return if there was no old password></B -></TT -></P -><P -><TT -CLASS="PROMPT" ->New SMB Password: </TT -><TT -CLASS="USERINPUT" -><B -><type new value> - </B -></TT -></P -><P -><TT -CLASS="PROMPT" ->Repeat New SMB Password: </TT -><TT -CLASS="USERINPUT" -><B -><re-type new value - </B -></TT -></P -><P ->If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.</P -><P ->If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.</P -><P ->If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.</P -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> is designed to work in the same way - and be familiar to UNIX users who use the <B -CLASS="COMMAND" ->passwd</B -> or - <B -CLASS="COMMAND" ->yppasswd</B -> commands.</P -><P ->For more details on using <B -CLASS="COMMAND" ->smbpasswd</B -> refer - to the man page which will always be the definitive reference.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN359" ->Setting up Samba to support LanManager Encryption</A -></H1 -><P ->This is a very brief description on how to setup samba to - support password encryption. </P -><P -></P -><OL -TYPE="1" -><LI -><P ->compile and install samba as usual</P -></LI -><LI -><P ->enable encrypted passwords in <TT -CLASS="FILENAME" -> smb.conf</TT -> by adding the line <B -CLASS="COMMAND" ->encrypt - passwords = yes</B -> in the [global] section</P -></LI -><LI -><P ->create the initial <TT -CLASS="FILENAME" ->smbpasswd</TT -> - password file in the place you specified in the Makefile - (--prefix=<dir>). See the notes under the <A -HREF="#SMBPASSWDFILEFORMAT" ->The smbpasswd File</A -> - section earlier in the document for details.</P -></LI -></OL -><P ->Note that you can test things using smbclient.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN374" ->Chapter 3. Hosting a Microsoft Distributed File System tree on Samba</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN385" ->Instructions</A -></H1 -><P ->The Distributed File System (or Dfs) provides a means of - separating the logical view of files and directories that users - see from the actual physical locations of these resources on the - network. It allows for higher availability, smoother storage expansion, - load balancing etc. For more information about Dfs, refer to <A -HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" -TARGET="_top" -> Microsoft documentation</A ->. </P -><P ->This document explains how to host a Dfs tree on a Unix - machine (for Dfs-aware clients to browse) using Samba.</P -><P ->To enable SMB-based DFS for Samba, configure it with the - <TT -CLASS="PARAMETER" -><I ->--with-msdfs</I -></TT -> option. Once built, a - Samba server can be made a Dfs server by setting the global - boolean <A -HREF="smb.conf.5.html#HOSTMSDFS" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> host msdfs</I -></TT -></A -> parameter in the <TT -CLASS="FILENAME" ->smb.conf - </TT -> file. You designate a share as a Dfs root using the share - level boolean <A -HREF="smb.conf.5.html#MSDFSROOT" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> msdfs root</I -></TT -></A -> parameter. A Dfs root directory on - Samba hosts Dfs links in the form of symbolic links that point - to other servers. For example, a symbolic link - <TT -CLASS="FILENAME" ->junction->msdfs:storage1\share1</TT -> in - the share directory acts as the Dfs junction. When Dfs-aware - clients attempt to access the junction link, they are redirected - to the storage location (in this case, \\storage1\share1).</P -><P ->Dfs trees on Samba work with all Dfs-aware clients ranging - from Windows 95 to 2000.</P -><P ->Here's an example of setting up a Dfs tree on a Samba - server.</P -><P -><PRE -CLASS="PROGRAMLISTING" -># The smb.conf file: -[global] - netbios name = SAMBA - host msdfs = yes - -[dfs] - path = /export/dfsroot - msdfs root = yes - </PRE -></P -><P ->In the /export/dfsroot directory we set up our dfs links to - other servers on the network.</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->cd /export/dfsroot</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->chown root /export/dfsroot</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->chmod 755 /export/dfsroot</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->ln -s msdfs:storageA\\shareA linka</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->ln -s msdfs:serverB\\share,serverC\\share linkb</B -></TT -></P -><P ->You should set up the permissions and ownership of - the directory acting as the Dfs root such that only designated - users can create, delete or modify the msdfs links. Also note - that symlink names should be all lowercase. This limitation exists - to have Samba avoid trying all the case combinations to get at - the link name. Finally set up the symbolic links to point to the - network shares you want, and start Samba.</P -><P ->Users on Dfs-aware clients can now browse the Dfs tree - on the Samba server at \\samba\dfs. Accessing - links linka or linkb (which appear as directories to the client) - takes users directly to the appropriate shares on the network.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN420" ->Notes</A -></H2 -><P -></P -><UL -><LI -><P ->Windows clients need to be rebooted - if a previously mounted non-dfs share is made a dfs - root or vice versa. A better way is to introduce a - new share and make it the dfs root.</P -></LI -><LI -><P ->Currently there's a restriction that msdfs - symlink names should all be lowercase.</P -></LI -><LI -><P ->For security purposes, the directory - acting as the root of the Dfs tree should have ownership - and permissions set so that only designated users can - modify the symbolic links in the directory.</P -></LI -></UL -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN429" ->Chapter 4. Printing Support in Samba 2.2.x</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN440" ->Introduction</A -></H1 -><P ->Beginning with the 2.2.0 release, Samba supports - the native Windows NT printing mechanisms implemented via - MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of - Samba only supported LanMan printing calls.</P -><P ->The additional functionality provided by the new - SPOOLSS support includes:</P -><P -></P -><UL -><LI -><P ->Support for downloading printer driver - files to Windows 95/98/NT/2000 clients upon demand. - </P -></LI -><LI -><P ->Uploading of printer drivers via the - Windows NT Add Printer Wizard (APW) or the <A -HREF="http://imprints.sourceforge.net" -TARGET="_top" ->Imprints tool set - </A -></P -></LI -><LI -><P ->Support for the native MS-RPC printing - calls such as StartDocPrinter, EnumJobs(), etc... (See - the <A -HREF="http://msdn.microsoft.com/" -TARGET="_top" ->MSDN documentation - </A -> for more information on the Win32 printing API) - </P -></LI -><LI -><P ->Support for NT Access Control Lists (ACL) - on printer objects</P -></LI -><LI -><P ->Improved support for printer queue manipulation - through the use of an internal databases for spooled job - information</P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN457" ->Configuration</A -></H1 -><P ->In order to support the uploading of printer driver - files, you must first configure a file share named [print$]. - The name of this share is hard coded in Samba's internals so - the name is very important (print$ is the service used by - Windows NT print servers to provide support for printer driver - download).</P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P ->Previous versions of Samba recommended using - a share named [printer$]. This name was taken from the - printer$ service created by Windows 9x clients when a - printer was shared. Windows 9x printer servers always have - a printer$ service which provides read-only access via no - password in order to support printer driver downloads.</P -><P ->However, the initial implementation allowed for a - parameter named <TT -CLASS="PARAMETER" -><I ->printer driver location</I -></TT -> - to be used on a per share basis to specify the location of - the driver files associated with that printer. Another - parameter named <TT -CLASS="PARAMETER" -><I ->printer driver</I -></TT -> provided - a means of defining the printer driver name to be sent to - the client.</P -><P ->These parameters, including <TT -CLASS="PARAMETER" -><I ->printer driver - file</I -></TT -> parameter, are being depreciated and should not - be used in new installations. For more information on this change, - you should refer to the <A -HREF="#MIGRATION" ->Migration section - </A ->of this document.</P -></TD -></TR -></TABLE -></DIV -><P ->You should modify the server's smb.conf file to create the - following file share (of course, some of the parameter values, - such as 'path' are arbitrary and should be replaced with - appropriate values for your site):</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[print$] - path = /usr/local/samba/printers - guest ok = yes - browseable = yes - read only = yes - write list = ntadmin - </PRE -></P -><P ->The <A -HREF="smb.conf.5.html#WRITELIST" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> write list</I -></TT -></A -> is used to allow administrative - level user accounts to have write access in order to update files - on the share. See the <A -HREF="smb./conf.5.html" -TARGET="_top" -> smb.conf(5) man page</A -> for more information on - configuring file shares.</P -><P ->The requirement for <A -HREF="smb.conf.5.html#GUESTOK" -TARGET="_top" -><B -CLASS="COMMAND" -> guest ok = yes</B -></A -> depends upon how your - site is configured. If users will be guaranteed to have - an account on the Samba host, then this is a non-issue.</P -><P -><I -CLASS="EMPHASIS" ->author's note: </I ->The non-issue is that - if all your Windows NT users are guarenteed to be authenticated - by the Samba server (such as a domain member server and the NT - user has already been validated by the Domain Controller in - order to logon to the Windows NT console), then guest access - is not necessary. Of course, in a workgroup environment where - you just want to be able to print without worrying about - silly accounts and security, then configure the share for - guest access. You'll probably want to add <A -HREF="smb.conf.5.html#MAPTOGUEST" -TARGET="_top" -><B -CLASS="COMMAND" ->map to guest = Bad User - </B -></A -> in the [global] section as well. Make sure - you understand what this parameter does before using it - though. --jerry]</P -><P ->In order for a Windows NT print server to support - the downloading of driver files by multiple client architectures, - it must create subdirectories within the [print$] service - which correspond to each of the supported client architectures. - Samba follows this model as well.</P -><P ->Next create the directory tree below the [print$] share - for each architecture you wish to support.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [print$]----- - |-W32X86 ; "Windows NT x86" - |-WIN40 ; "Windows 95/98" - |-W32ALPHA ; "Windows NT Alpha_AXP" - |-W32MIPS ; "Windows NT R4000" - |-W32PPC ; "Windows NT PowerPC" - </PRE -></P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -><I -CLASS="EMPHASIS" ->ATTENTION! REQUIRED PERMISSIONS</I -></P -><P ->In order to currently add a new driver to you Samba host, - one of two conditions must hold true:</P -><P -></P -><UL -><LI -><P ->The account used to connect to the Samba host - must have a uid of 0 (i.e. a root account)</P -></LI -><LI -><P ->The account used to connect to the Samba host - must be a member of the <A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> printer admin</I -></TT -></A -> list.</P -></LI -></UL -><P ->Of course, the connected account must still possess access - to add files to the subdirectories beneath [print$].</P -></TD -></TR -></TABLE -></DIV -><P ->Once you have created the required [print$] service and - associated subdirectories, simply log onto the Samba server using - a root (or <TT -CLASS="PARAMETER" -><I ->printer admin</I -></TT ->) account - from a Windows NT 4.0 client. Navigate to the "Printers" folder - on the Samba server. You should see an initial listing of printers - that matches the printer shares defined on your Samba host.</P -><P ->The initial listing of printers in the Samba host's - Printers folder will have no printer driver assigned to them. - The way assign a driver to a printer is to view the Properties - of the printer and either</P -><P -></P -><UL -><LI -><P ->Use the "New Driver..." button to install - a new printer driver, or</P -></LI -><LI -><P ->Select a driver from the popup list of - installed drivers. Initially this list will be empty.</P -></LI -></UL -><P ->If you wish to install printer drivers for client - operating systems other than "Windows NT x86", you will need - to use the "Sharing" tab of the printer properties dialog.</P -><P ->Assuming you have connected with a root account, you - will also be able modify other printer properties such as - ACLs and device settings using this dialog box.</P -><P ->A few closing comments for this section, it is possible - on a Windows NT print server to have printers - listed in the Printers folder which are not shared. Samba does - not make this distinction. By definition, the only printers of - which Samba is aware are those which are specified as shares in - <TT -CLASS="FILENAME" ->smb.conf</TT ->.</P -><P ->Another interesting side note is that Windows NT clients do - not use the SMB printer share, but rather can print directly - to any printer on another Windows NT host using MS-RPC. This - of course assumes that the printing client has the necessary - privileges on the remote host serving the printer. The default - permissions assigned by Windows NT to a printer gives the "Print" - permissions to the "Everyone" well-known group.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN511" ->Support a large number of printers</A -></H2 -><P ->One issue that has arisen during the development - phase of Samba 2.2 is the need to support driver downloads for - 100's of printers. Using the Windows NT APW is somewhat - awkward to say the list. If more than one printer are using the - same driver, the <A -HREF="rpcclient.1.html" -TARGET="_top" -><B -CLASS="COMMAND" ->rpcclient's - setdriver command</B -></A -> can be used to set the driver - associated with an installed driver. The following is example - of how this could be accomplished:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> - <TT -CLASS="PROMPT" ->$ </TT ->rpcclient pogo -U root%secret -c "enumdrivers" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] - -[Windows NT x86] -Printer Driver Info 1: - Driver Name: [HP LaserJet 4000 Series PS] - -Printer Driver Info 1: - Driver Name: [HP LaserJet 2100 Series PS] - -Printer Driver Info 1: - Driver Name: [HP LaserJet 4Si/4SiMX PS] - - <TT -CLASS="PROMPT" ->$ </TT ->rpcclient pogo -U root%secret -c "enumprinters" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] - flags:[0x800000] - name:[\\POGO\hp-print] - description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] - comment:[] - - <TT -CLASS="PROMPT" ->$ </TT ->rpcclient pogo -U root%bleaK.er \ - <TT -CLASS="PROMPT" ->> </TT -> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] -Succesfully set hp-print to driver HP LaserJet 4000 Series PS. - </PRE -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN522" ->The Imprints Toolset</A -></H1 -><P ->The Imprints tool set provides a UNIX equivalent of the - Windows NT Add Printer Wizard. For complete information, please - refer to the Imprints web site at <A -HREF="http://imprints.sourceforge.net/" -TARGET="_top" -> http://imprints.sourceforge.net/</A -> as well as the documentation - included with the imprints source distribution. This section will - only provide a brief introduction to the features of Imprints.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN526" ->What is Imprints?</A -></H2 -><P ->Imprints is a collection of tools for supporting the goals - of</P -><P -></P -><UL -><LI -><P ->Providing a central repository information - regarding Windows NT and 95/98 printer driver packages</P -></LI -><LI -><P ->Providing the tools necessary for creating - the Imprints printer driver packages.</P -></LI -><LI -><P ->Providing an installation client which - will obtain and install printer drivers on remote Samba - and Windows NT 4 print servers.</P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN536" ->Creating Printer Driver Packages</A -></H2 -><P ->The process of creating printer driver packages is beyond - the scope of this document (refer to Imprints.txt also included - with the Samba distribution for more information). In short, - an Imprints driver package is a gzipped tarball containing the - driver files, related INF files, and a control file needed by the - installation client.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN539" ->The Imprints server</A -></H2 -><P ->The Imprints server is really a database server that - may be queried via standard HTTP mechanisms. Each printer - entry in the database has an associated URL for the actual - downloading of the package. Each package is digitally signed - via GnuPG which can be used to verify that package downloaded - is actually the one referred in the Imprints database. It is - <I -CLASS="EMPHASIS" ->not</I -> recommended that this security check - be disabled.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN543" ->The Installation Client</A -></H2 -><P ->More information regarding the Imprints installation client - is available in the <TT -CLASS="FILENAME" ->Imprints-Client-HOWTO.ps</TT -> - file included with the imprints source package.</P -><P ->The Imprints installation client comes in two forms.</P -><P -></P -><UL -><LI -><P ->a set of command line Perl scripts</P -></LI -><LI -><P ->a GTK+ based graphical interface to - the command line perl scripts</P -></LI -></UL -><P ->The installation client (in both forms) provides a means - of querying the Imprints database server for a matching - list of known printer model names as well as a means to - download and install the drivers on remote Samba and Windows - NT print servers.</P -><P ->The basic installation process is in four steps and - perl code is wrapped around <B -CLASS="COMMAND" ->smbclient</B -> - and <B -CLASS="COMMAND" ->rpcclient</B ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> - foreach (supported architecture for a given driver) - { - 1. rpcclient: Get the appropriate upload directory - on the remote server - 2. smbclient: Upload the driver files - 3. rpcclient: Issues an AddPrinterDriver() MS-RPC - } - - 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually - create the printer - </PRE -></P -><P ->One of the problems encountered when implementing - the Imprints tool set was the name space issues between - various supported client architectures. For example, Windows - NT includes a driver named "Apple LaserWriter II NTX v51.8" - and Windows 95 callsits version of this driver "Apple - LaserWriter II NTX"</P -><P ->The problem is how to know what client drivers have - been uploaded for a printer. As astute reader will remember - that the Windows NT Printer Properties dialog only includes - space for one printer driver name. A quick look in the - Windows NT 4.0 system registry at</P -><P -><TT -CLASS="FILENAME" ->HKLM\System\CurrentControlSet\Control\Print\Environment - </TT -></P -><P ->will reveal that Windows NT always uses the NT driver - name. The is ok as Windows NT always requires that at least - the Windows NT version of the printer driver is present. - However, Samba does not have the requirement internally. - Therefore, how can you use the NT driver name if is has not - already been installed?</P -><P ->The way of sidestepping this limitation is to require - that all Imprints printer driver packages include both the Intel - Windows NT and 95/98 printer drivers and that NT driver is - installed first.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN565" -><A -NAME="MIGRATION" -></A ->Migration to from Samba 2.0.x to - 2.2.x</A -></H1 -><P ->Given that printer driver management has changed - (we hope improved :) ) in 2.2.0 over prior releases, - migration from an existing setup to 2.2.0 can follow - several paths.</P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P ->The following smb.conf parameters are considered to be - depreciated and will be removed soon. Do not use them - in new installations</P -><P -></P -><UL -><LI -><P -><TT -CLASS="PARAMETER" -><I ->printer driver file (G)</I -></TT -> - </P -></LI -><LI -><P -><TT -CLASS="PARAMETER" -><I ->printer driver (S)</I -></TT -> - </P -></LI -><LI -><P -><TT -CLASS="PARAMETER" -><I ->printer driver location (S)</I -></TT -> - </P -></LI -></UL -></TD -></TR -></TABLE -></DIV -><P ->Here are the possible scenarios for supporting migration:</P -><P -></P -><UL -><LI -><P ->If you do not desire the new Windows NT - print driver support, nothing needs to be done. - All existing parameters work the same.</P -></LI -><LI -><P ->If you want to take advantage of NT printer - driver support but do not want to migrate the - 9x drivers to the new setup, the leave the existing - printers.def file. When smbd attempts to locate a - 9x driver for the printer in the TDB and fails it - will drop down to using the printers.def (and all - associated parameters). The <B -CLASS="COMMAND" ->make_printerdef</B -> - tool will also remain for backwards compatibility but will - be moved to the "this tool is the old way of doing it" - pile.</P -></LI -><LI -><P ->If you install a Windows 9x driver for a printer - on your Samba host (in the printing TDB), this information will - take precedence and the three old printing parameters - will be ignored (including print driver location).</P -></LI -><LI -><P ->If you want to migrate an existing <TT -CLASS="FILENAME" -> printers.def</TT -> file into the new setup, the current only - solution is to use the Windows NT APW to install the NT drivers - and the 9x drivers. This can be scripted using smbclient and - rpcclient. See the <A -HREF="http://imprints.sourceforge.net/" -TARGET="_top" -> Imprints insrallation client</A -> for an example. - </P -></LI -></UL -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN594" ->Chapter 5. security = domain in Samba 2.x</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN612" ->Joining an NT Domain with Samba 2.2</A -></H1 -><P ->In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - <I -CLASS="EMPHASIS" ->NOT</I -> as a Primary or backup domain controller.</P -><P ->Assume you have a Samba-2 server with a NetBIOS name of - <TT -CLASS="CONSTANT" ->SERV1</TT -> and are joining an NT domain called - <TT -CLASS="CONSTANT" ->DOM</TT ->, which has a PDC with a NetBIOS name - of <TT -CLASS="CONSTANT" ->DOMPDC</TT -> and two backup domain controllers - with NetBIOS names <TT -CLASS="CONSTANT" ->DOMBDC1</TT -> and <TT -CLASS="CONSTANT" ->DOMBDC2 - </TT ->.</P -><P ->In order to join the domain, first stop all Samba daemons - and run the command:</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->smbpasswd -j DOM -r DOMPDC - </B -></TT -></P -><P ->as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message:</P -><P -><TT -CLASS="COMPUTEROUTPUT" ->smbpasswd: Joined domain DOM.</TT -> - </P -><P ->in your terminal window. See the <A -HREF="smbpasswd.8.html" -TARGET="_top" -> smbpasswd(8)</A -> man page for more details.</P -><P ->There is existing development code to join a domain - without having to create the machine trust account on the PDC - beforehand. This code will hopefully be available soon - in release branches as well.</P -><P ->This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private</TT -></P -><P ->In Samba 2.0.x, the filename looks like this:</P -><P -><TT -CLASS="FILENAME" -><TT -CLASS="REPLACEABLE" -><I -><NT DOMAIN NAME></I -></TT ->.<TT -CLASS="REPLACEABLE" -><I -><Samba - Server Name></I -></TT ->.mac</TT -></P -><P ->The <TT -CLASS="FILENAME" ->.mac</TT -> suffix stands for machine account - password file. So in our example above, the file would be called:</P -><P -><TT -CLASS="FILENAME" ->DOM.SERV1.mac</TT -></P -><P ->In Samba 2.2, this file has been replaced with a TDB - (Trivial Database) file named <TT -CLASS="FILENAME" ->secrets.tdb</TT ->. - </P -><P ->This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</P -><P ->Now, before restarting the Samba daemons you must - edit your <A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5)</TT -> - </A -> file to tell Samba it should now use domain security.</P -><P ->Change (or add) your <A -HREF="smb.conf.5.html#SECURITY" -TARGET="_top" -> <TT -CLASS="PARAMETER" -><I ->security =</I -></TT -></A -> line in the [global] section - of your smb.conf to read:</P -><P -><B -CLASS="COMMAND" ->security = domain</B -></P -><P ->Next change the <A -HREF="smb.conf.5.html#WORKGROUP" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> workgroup =</I -></TT -></A -> line in the [global] section to read: </P -><P -><B -CLASS="COMMAND" ->workgroup = DOM</B -></P -><P ->as this is the name of the domain we are joining. </P -><P ->You must also have the parameter <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" -> <TT -CLASS="PARAMETER" -><I ->encrypt passwords</I -></TT -></A -> set to <TT -CLASS="CONSTANT" ->yes - </TT -> in order for your users to authenticate to the NT PDC.</P -><P ->Finally, add (or modify) a <A -HREF="smb.conf.5.html#PASSWORDSERVER" -TARGET="_top" -> <TT -CLASS="PARAMETER" -><I ->password server =</I -></TT -></A -> line in the [global] - section to read: </P -><P -><B -CLASS="COMMAND" ->password server = DOMPDC DOMBDC1 DOMBDC2</B -></P -><P ->These are the primary and backup domain controllers Samba - will attempt to contact in order to authenticate users. Samba will - try to contact each of these servers in order, so you may want to - rearrange this list in order to spread out the authentication load - among domain controllers.</P -><P ->Alternatively, if you want smbd to automatically determine - the list of Domain controllers to use for authentication, you may - set this line to be :</P -><P -><B -CLASS="COMMAND" ->password server = *</B -></P -><P ->This method, which was introduced in Samba 2.0.6, - allows Samba to use exactly the same mechanism that NT does. This - method either broadcasts or uses a WINS database in order to - find domain controllers to authenticate against.</P -><P ->Finally, restart your Samba daemons and get ready for - clients to begin using domain security!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN676" ->Samba and Windows 2000 Domains</A -></H1 -><P ->Many people have asked regarding the state of Samba's ability to participate in -a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode.</P -><P ->There is much confusion between the circumstances that require a "mixed" mode -Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode -Win2k domain controller is only needed if Windows NT BDCs must exist in the same -domain. By default, a Win2k DC in "native" mode will still support -NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and -NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P -><P ->The steps for adding a Samba 2.2 host to a Win2k domain are the same as those -for adding a Samba server to a Windows NT 4.0 domain. The only exception is that -the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and -Computers" MMC (Microsoft Management Console) plugin.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN681" ->Why is this better than security = server?</A -></H1 -><P ->Currently, domain security in Samba doesn't free you from - having to create local Unix users to represent the users attaching - to your server. This means that if domain user <TT -CLASS="CONSTANT" ->DOM\fred - </TT -> attaches to your domain security Samba server, there needs - to be a local Unix user fred to represent that user in the Unix - filesystem. This is very similar to the older Samba security mode - <A -HREF="smb.conf.5.html#SECURITYEQUALSSERVER" -TARGET="_top" ->security = server</A ->, - where Samba would pass through the authentication request to a Windows - NT server in the same way as a Windows 95 or Windows 98 server would. - </P -><P ->Please refer to the <A -HREF="winbind.html" -TARGET="_top" ->Winbind - paper</A -> for information on a system to automatically - assign UNIX uids and gids to Windows NT Domain users and groups. - This code is available in development branches only at the moment, - but will be moved to release branches soon.</P -><P ->The advantage to domain-level security is that the - authentication in domain-level security is passed down the authenticated - RPC channel in exactly the same way that an NT server would do it. This - means Samba servers now participate in domain trust relationships in - exactly the same way NT servers do (i.e., you can add Samba servers into - a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC.</P -><P ->In addition, with <B -CLASS="COMMAND" ->security = server</B -> every Samba - daemon on a server has to keep a connection open to the - authenticating server for as long as that daemon lasts. This can drain - the connection resources on a Microsoft NT server and cause it to run - out of available connections. With <B -CLASS="COMMAND" ->security = domain</B ->, - however, the Samba daemons connect to the PDC/BDC only for as long - as is necessary to authenticate the user, and then drop the connection, - thus conserving PDC connection resources.</P -><P ->And finally, acting in the same manner as an NT server - authenticating to a PDC means that as part of the authentication - reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. All - this information will allow Samba to be extended in the future into - a mode the developers currently call appliance mode. In this mode, - no local Unix users will be necessary, and Samba will generate Unix - uids and gids from the information passed back from the PDC when a - user is authenticated, making a Samba server truly plug and play - in an NT domain environment. Watch for this code soon.</P -><P -><I -CLASS="EMPHASIS" ->NOTE:</I -> Much of the text of this document - was first published in the Web magazine <A -HREF="http://www.linuxworld.com" -TARGET="_top" -> - LinuxWorld</A -> as the article <A -HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" -TARGET="_top" ->Doing - the NIS/NT Samba</A ->.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN697" ->Chapter 6. How to Configure Samba 2.2.x as a Primary Domain Controller</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN708" ->Background</A -></H1 -><P -><I -CLASS="EMPHASIS" ->Author's Note :</I -> This document -is a combination of David Bannon's Samba 2.2 PDC HOWTO -and the Samba NT Domain FAQ. Both documents are superceeded by this one.</P -><P ->Version of Samba prior to release 2.2 had marginal capabilities to -act as a Windows NT 4.0 Primary Domain Controller (PDC). The following -functionality should work in 2.2.0:</P -><P -></P -><UL -><LI -><P ->domain logons for Windows NT 4.0/2000 clients</P -></LI -><LI -><P ->placing a Windows 9x client in user level security</P -></LI -><LI -><P ->retrieving a list of users and groups from a Samba PDC to - Windows 9x/NT/2000 clients </P -></LI -><LI -><P ->roving user profiles</P -></LI -><LI -><P ->Windows NT 4.0 style system policies</P -></LI -></UL -><P ->The following pieces of functionality are not included in the 2.2 release:</P -><P -></P -><UL -><LI -><P ->Windows NT 4 domain trusts</P -></LI -><LI -><P ->Sam replication with Windows NT 4.0 Domain Controllers - (i.e. a Samba PDC and a Windows NT BDC or vice versa) </P -></LI -><LI -><P ->Adding users via the User Manager for Domains</P -></LI -><LI -><P ->Acting as a Windows 2000 Domain Controller (i.e. Kerberos - and Active Directory)</P -></LI -></UL -><P ->Please note that Windows 9x clients are not true members of a domain -for reasons outlined in this article. Therefore the protocol for -support Windows 9x style domain logons is completely different -from NT4 domain logons and has been officially supported for some -time.</P -><P ->Beginning with Samba 2.2.0, we are proud to announce official -support for Windows NT 4.0 style domain logons from Windows NT -4.0 and Windows 2000 (including SP1) clients. This article -outlines the steps necessary for configuring Samba as a PDC. -Note that it is necessary to have a working Samba server -prior to implementing the PDC functionality. If you have not -followed the steps outlined in <A -HREF="UNIX_INSTALL.html" -TARGET="_top" ->UNIX_INSTALL.html</A ->, please make sure that your server -is configured correctly before proceeding. Another good -resource in the <A -HREF="smb.conf.5.html" -TARGET="_top" ->smb.conf(5) man -page</A ->.</P -><P ->Implementing a Samba PDC can basically be divided into 2 broad -steps.</P -><P -></P -><OL -TYPE="1" -><LI -><P ->Configuring the Samba Domain Controller - </P -></LI -><LI -><P ->Creating machine trust accounts - and joining clients to the domain</P -></LI -></OL -><P ->There are other minor details such as user profiles, system -policies, etc... However, these are not necessarily specific -to a Samba PDC as much as they are related to Windows NT networking -concepts. They will be mentioned only briefly here.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN745" ->Configuring the Samba Domain Controller</A -></H1 -><P ->The first step in creating a working Samba PDC is to -understand the parameters necessary in smb.conf. I will not -attempt to re-explain the parameters here as they are more that -adequately covered in <A -HREF="smb.conf.5.html" -TARGET="_top" -> the smb.conf -man page</A ->. For convenience, the parameters have been -linked with the actual smb.conf description.</P -><P ->Here is an example smb.conf for acting as a PDC:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[global] - ; Basic server settings - <A -HREF="smb.conf.5.html#NETBIOSNAME" -TARGET="_top" ->netbios name</A -> = <TT -CLASS="REPLACEABLE" -><I ->POGO</I -></TT -> - <A -HREF="smb.conf.5.html#WORKGROUP" -TARGET="_top" ->workgroup</A -> = <TT -CLASS="REPLACEABLE" -><I ->NARNIA</I -></TT -> - - ; we should act as the domain and local master browser - <A -HREF="smb.conf.5.html#OSLEVEL" -TARGET="_top" ->os level</A -> = 64 - <A -HREF="smb.conf.5.html#PERFERREDMASTER" -TARGET="_top" ->preferred master</A -> = yes - <A -HREF="smb.conf.5.html#DOMAINMASTER" -TARGET="_top" ->domain master</A -> = yes - <A -HREF="smb.conf.5.html#LOCALMASTER" -TARGET="_top" ->local master</A -> = yes - - ; security settings (must user security = user) - <A -HREF="smb.conf.5.html#SECURITYEQUALSUSER" -TARGET="_top" ->security</A -> = user - - ; encrypted passwords are a requirement for a PDC - <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->encrypt passwords</A -> = yes - - ; support domain logons - <A -HREF="smb.conf.5.html#DOMAINLOGONS" -TARGET="_top" ->domain logons</A -> = yes - - ; where to store user profiles? - <A -HREF="smb.conf.5.html#LOGONPATH" -TARGET="_top" ->logon path</A -> = \\%N\profiles\%u - - ; where is a user's home directory and where should it - ; be mounted at? - <A -HREF="smb.conf.5.html#LOGONDRIVE" -TARGET="_top" ->logon drive</A -> = H: - <A -HREF="smb.conf.5.html#LOGONHOME" -TARGET="_top" ->logon home</A -> = \\homeserver\%u - - ; specify a generic logon script for all users - ; this is a relative path to the [netlogon] share - <A -HREF="smb.conf.5.html#LOGONSCRIPT" -TARGET="_top" ->logon script</A -> = logon.cmd - -; necessary share for domain controller -[netlogon] - <A -HREF="smb.conf.5.html#PATH" -TARGET="_top" ->path</A -> = /usr/local/samba/lib/netlogon - <A -HREF="smb.conf.5.html#WRITEABLE" -TARGET="_top" ->writeable</A -> = no - <A -HREF="smb.conf.5.html#WRITELIST" -TARGET="_top" ->write list</A -> = <TT -CLASS="REPLACEABLE" -><I ->ntadmin</I -></TT -> - -; share for storing user profiles -[profiles] - <A -HREF="smb.conf.5.html#PATH" -TARGET="_top" ->path</A -> = /export/smb/ntprofile - <A -HREF="smb.conf.5.html#WRITEABLE" -TARGET="_top" ->writeable</A -> = yes - <A -HREF="smb.conf.5.html#CREATEMASK" -TARGET="_top" ->create mask</A -> = 0600 - <A -HREF="smb.conf.5.html#DIRECTORYMASK" -TARGET="_top" ->directory mask</A -> = 0700</PRE -></P -><P ->There are a couple of points to emphasize in the above -configuration.</P -><P -></P -><UL -><LI -><P ->encrypted passwords must be enabled. - For more details on how to do this, refer to - <A -HREF="ENCRYPTION.html" -TARGET="_top" ->ENCRYPTION.html</A ->. - </P -></LI -><LI -><P ->The server must support domain logons - and a <TT -CLASS="FILENAME" ->[netlogon]</TT -> share</P -></LI -><LI -><P ->The server must be the domain master browser - in order for Windows client to locate the server as a DC.</P -></LI -></UL -><P ->As Samba 2.2 does not offer a complete implementation of group mapping between -Windows NT groups and UNIX groups (this is really quite complicated to explain -in a short space), you should refer to the <A -HREF="smb.conf.5.html#DOMAINADMONUSERS" -TARGET="_top" ->domain -admin users</A -> and <A -HREF="smb.conf.5.html#DOMAINADMINGROUP" -TARGET="_top" ->domain -admin group</A -> smb.conf parameters for information of creating a Domain Admins -style accounts.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN788" ->Creating Machine Trust Accounts and Joining Clients -to the Domain</A -></H1 -><P ->First you must understand what a machine trust account is and what -it is used for.</P -><P ->A machine trust account is a user account owned by a computer. -The account password acts as the shared secret for secure -communication with the Domain Controller. Hence the reason that -a Windows 9x host is never a true member of a domain because -it does not posses a machine trust account and thus has no shared -secret with the DC.</P -><P ->On a Windows NT PDC, these machine trust account passwords are stored -in the registry. A Samba PDC stores these accounts in he same location -as user LanMan and NT password hashes (currently <TT -CLASS="FILENAME" ->smbpasswd</TT ->). -However, machine trust accounts only possess the NT password hash.</P -><P ->There are two means of creating machine trust accounts.</P -><P -></P -><UL -><LI -><P ->Manual creation before joining the client - to the domain. In this case, the password is set to a known - value -- the lower case of the machine's netbios name.</P -></LI -><LI -><P ->Creation of the account at the time of - joining the domain. In this case, the session key of the - administrative account used to join the client to the domain acts - as an encryption key for setting the password to a random value.</P -></LI -></UL -><P ->Because Samba requires machine accounts to possess a UNIX uid from -which an Windows NT SID can be generated, all of these accounts -will have an entry in <TT -CLASS="FILENAME" ->/etc/passwd</TT -> and smbpasswd. -Future releases will alleviate the need to create -<TT -CLASS="FILENAME" ->/etc/passwd</TT -> entries.</P -><P ->The <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry will list the machine name -with a $ appended, won't have a passwd, will have a null shell and no -home directory. For example a machine called 'doppy' would have an -<TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry like this :</P -><P -><PRE -CLASS="PROGRAMLISTING" ->doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE -></P -><P ->If you are manually creating the machine accounts, it is necessary -to add the <TT -CLASS="FILENAME" ->/etc/passwd</TT -> (or NIS passwd -map) entry prior to adding the <TT -CLASS="FILENAME" ->smbpasswd</TT -> -entry. The following command will create a new machine account -ready for use.</P -><P -><TT -CLASS="PROMPT" ->root# </TT -> smbpasswd -a -m <TT -CLASS="REPLACEABLE" -><I ->machine_name</I -></TT -></P -><P ->where <TT -CLASS="REPLACEABLE" -><I ->machine_name</I -></TT -> is the machine's netbios -name.</P -><P -><I -CLASS="EMPHASIS" ->If you manually create a machine account, immediately join -the client to the domain.</I -> An open account like this -can allow intruders to gain access to user account information -in your domain.</P -><P ->The second way of creating machine trust accounts is to add -them on the fly at the time the client is joined to the domain. -You will need to include a value for the -<A -HREF="smb.conf.5.html#ADDUSERSCRIPT" -TARGET="_top" ->add user script</A -> -parameter. Below is an example I use on a RedHat 6.2 Linux system.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE -></P -><P ->In Samba 2.2.0, <I -CLASS="EMPHASIS" ->only the root account</I -> can be used to create -machine accounts on the fly like this. Therefore, it is required -to create an entry in smbpasswd for <I -CLASS="EMPHASIS" ->root</I ->. -The password <I -CLASS="EMPHASIS" ->SHOULD</I -> be set to s different -password that the associated <TT -CLASS="FILENAME" ->/etc/passwd</TT -> -entry for security reasons.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN827" ->Common Problems and Errors</A -></H1 -><P -></P -><P -><I -CLASS="EMPHASIS" ->I cannot include a '$' in a machine name.</I -></P -><P ->A 'machine name' in (typically) <TT -CLASS="FILENAME" ->/etc/passwd</TT -> -of the machine name with a '$' appended. FreeBSD (and other BSD -systems ?) won't create a user with a '$' in their name.</P -><P ->The problem is only in the program used to make the entry, once -made, it works perfectly. So create a user without the '$' and -use <B -CLASS="COMMAND" ->vipw</B -> to edit the entry, adding the '$'. Or create -the whole entry with vipw if you like, make sure you use a -unique uid !</P -><P -><I -CLASS="EMPHASIS" ->I get told "You already have a connection to the Domain...." -when creating a machine account.</I -></P -><P ->This happens if you try to create a machine account from the -machine itself and use a user name that does not work (for whatever -reason) and then try another (possibly valid) user name. -Exit out of the network applet to close the initial connection -and try again.</P -><P ->Further, if the machine is a already a 'member of a workgroup' that -is the same name as the domain you are joining (bad idea) you will -get this message. Change the workgroup name to something else, it -does not matter what, reboot, and try again.</P -><P -><I -CLASS="EMPHASIS" ->I get told "Cannot join domain, the credentials supplied -conflict with an existing set.."</I -></P -><P ->This is the same basic problem as mentioned above, "You already -have a connection..."</P -><P -><I -CLASS="EMPHASIS" ->"The system can not log you on (C000019B)...."</I -></P -><P ->I joined the domain successfully but after upgrading -to a newer version of the Samba code I get the message, "The system -can not log you on (C000019B), Please try a gain or consult your -system administrator" when attempting to logon.</P -><P ->This occurs when the domain SID stored in -<TT -CLASS="FILENAME" ->private/WORKGROUP.SID</TT -> is -changed. For example, you remove the file and <B -CLASS="COMMAND" ->smbd</B -> automatically -creates a new one. Or you are swapping back and forth between -versions 2.0.7, TNG and the HEAD branch code (not recommended). The -only way to correct the problem is to restore the original domain -SID or remove the domain client from the domain and rejoin.</P -><P -><I -CLASS="EMPHASIS" ->"The machine account for this computer either does not -exist or is not accessible."</I -></P -><P ->When I try to join the domain I get the message "The machine account -for this computer either does not exist or is not accessible". Whats -wrong ?</P -><P ->This problem is caused by the PDC not having a suitable machine account. -If you are using the <B -CLASS="COMMAND" ->add user script =</B -> method to create -accounts then this would indicate that it has not worked. Ensure the domain -admin user system is working.</P -><P ->Alternatively if you are creating account entries manually then they -have not been created correctly. Make sure that you have the entry -correct for the machine account in smbpasswd file on the Samba PDC. -If you added the account using an editor rather than using the smbpasswd -utility, make sure that the account name is the machine netbios name -with a '$' appended to it ( ie. computer_name$ ). There must be an entry -in both /etc/passwd and the smbpasswd file. Some people have reported -that inconsistent subnet masks between the Samba server and the NT -client have caused this problem. Make sure that these are consistent -for both client and server.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN855" ->System Policies and Profiles</A -></H1 -><P ->Much of the information necessary to implement System Policies and -Roving User Profiles in a Samba domain is the same as that for -implementing these same items in a Windows NT 4.0 domain. -You should read the white paper <A -HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" -TARGET="_top" ->Implementing -Profiles and Policies in Windows NT 4.0</A -> available from Microsoft.</P -><P ->Here are some additional details:</P -><P -><I -CLASS="EMPHASIS" ->What about Windows NT Policy Editor ?</I -></P -><P ->To create or edit <TT -CLASS="FILENAME" ->ntconfig.pol</TT -> you must use -the NT Server Policy Editor, <B -CLASS="COMMAND" ->poledit.exe</B -> which -is included with NT Server but <I -CLASS="EMPHASIS" ->not NT Workstation</I ->. -There is a Policy Editor on a NTws -but it is not suitable for creating <I -CLASS="EMPHASIS" ->Domain Policies</I ->. -Further, although the Windows 95 -Policy Editor can be installed on an NT Workstation/Server, it will not -work with NT policies because the registry key that are set by the policy templates. -However, the files from the NT Server will run happily enough on an NTws. -You need <TT -CLASS="FILENAME" ->poledit.exe, common.adm</TT -> and <TT -CLASS="FILENAME" ->winnt.adm</TT ->. It is convenient -to put the two *.adm files in <TT -CLASS="FILENAME" ->c:\winnt\inf</TT -> which is where -the binary will look for them unless told otherwise. Note also that that -directory is 'hidden'.</P -><P ->The Windows NT policy editor is also included with the -Service Pack 3 (and later) for Windows NT 4.0. Extract the files using -<B -CLASS="COMMAND" ->servicepackname /x</B ->, ie thats <B -CLASS="COMMAND" ->Nt4sp6ai.exe -/x</B -> for service pack 6a. The policy editor, <B -CLASS="COMMAND" ->poledit.exe</B -> and the -associated template files (*.adm) should -be extracted as well. It is also possible to downloaded the policy template -files for Office97 and get a copy of the policy editor. Another possible -location is with the Zero Administration Kit available for download from Microsoft.</P -><P -><I -CLASS="EMPHASIS" ->Can Win95 do Policies ?</I -></P -><P ->Install the group policy handler for Win9x to pick up group -policies. Look on the Win98 CD in <TT -CLASS="FILENAME" ->\tools\reskit\netadmin\poledit</TT ->. -Install group policies on a Win9x client by double-clicking -<TT -CLASS="FILENAME" ->grouppol.inf</TT ->. Log off and on again a couple of -times and see if Win98 picks up group policies. Unfortunately this needs -to be done on every Win9x machine that uses group policies....</P -><P ->If group policies don't work one reports suggests getting the updated -(read: working) grouppol.dll for Windows 9x. The group list is grabbed -from /etc/group.</P -><P -><I -CLASS="EMPHASIS" ->How do I get 'User Manager' and 'Server Manager'</I -></P -><P ->Since I don't need to buy an NT Server CD now, how do I get -the 'User Manager for Domains', the 'Server Manager' ?</P -><P ->Microsoft distributes a version of -these tools called nexus for installation on Windows 95 systems. The -tools set includes</P -><P -></P -><UL -><LI -><P ->Server Manager</P -></LI -><LI -><P ->User Manager for Domains</P -></LI -><LI -><P ->Event Viewer</P -></LI -></UL -><P ->Click here to download the archived file <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A -></P -><P ->The Windows NT 4.0 version of the 'User Manager for -Domains' and 'Server Manager' are available from Microsoft via ftp -from <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN895" ->What other help can I get ?</A -></H1 -><P ->There are many sources of information available in the form -of mailing lists, RFC's and documentation. The docs that come -with the samba distribution contain very good explanations of -general SMB topics such as browsing.</P -><P -><I -CLASS="EMPHASIS" ->What are some diagnostics tools I can use to debug the domain logon -process and where can I find them?</I -></P -><P -> One of the best diagnostic tools for debugging problems is Samba itself. - You can use the -d option for both smbd and nmbd to specifiy what - 'debug level' at which to run. See the man pages on smbd, nmbd and - smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to 10 (100 for debugging passwords). - </P -><P -> Another helpful method of debugging is to compile samba using the - <B -CLASS="COMMAND" ->gcc -g </B -> flag. This will include debug - information in the binaries and allow you to attach gdb to the - running smbd / nmbd process. In order to attach gdb to an smbd - process for an NT workstation, first get the workstation to make the - connection. Pressing ctrl-alt-delete and going down to the domain box - is sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation - maintains an open connection, and therefore there will be an smbd - process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually - typing in your password, you can gdb attach and continue. - </P -><P -> Some useful samba commands worth investigating: - </P -><P -></P -><UL -><LI -><P ->testparam | more</P -></LI -><LI -><P ->smbclient -L //{netbios name of server}</P -></LI -></UL -><P -> An SMB enabled version of tcpdump is available from - <A -HREF="http://www.tcpdump.org/" -TARGET="_top" ->http://www.tcpdup.org/</A ->. - Ethereal, another good packet sniffer for UNIX and Win32 - hosts, can be downloaded from <A -HREF="http://www.ethereal.com/" -TARGET="_top" ->http://www.ethereal.com</A ->. - </P -><P -> For tracing things on the Microsoft Windows NT, Network Monitor - (aka. netmon) is available on the Microsoft Developer Network CD's, - the Windows NT Server install CD and the SMS CD's. The version of - netmon that ships with SMS allows for dumping packets between any two - computers (ie. placing the network interface in promiscuous mode). - The version on the NT Server install CD will only allow monitoring - of network traffic directed to the local NT box and broadcasts on the - local subnet. Be aware that Ethereal can read and write netmon - formatted files. - </P -><P -><I -CLASS="EMPHASIS" ->How do I install 'Network Monitor' on an NT Workstation -or a Windows 9x box?</I -></P -><P -> Installing netmon on an NT workstation requires a couple - of steps. The following are for installing Netmon V4.00.349, which comes - with Microsoft Windows NT Server 4.0, on Microsoft Windows NT - Workstation 4.0. The process should be similar for other version of - Windows NT / Netmon. You will need both the Microsoft Windows - NT Server 4.0 Install CD and the Workstation 4.0 Install CD. - </P -><P -> Initially you will need to install 'Network Monitor Tools and Agent' - on the NT Server. To do this - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add </P -></LI -><LI -><P ->Select the 'Network Monitor Tools and Agent' and - click on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. - </P -></LI -><LI -><P ->Insert the Windows NT Server 4.0 install CD - when prompted.</P -></LI -></UL -><P -> At this point the Netmon files should exist in - <TT -CLASS="FILENAME" ->%SYSTEMROOT%\System32\netmon\*.*</TT ->. - Two subdirectories exist as well, <TT -CLASS="FILENAME" ->parsers\</TT -> - which contains the necessary DLL's for parsing the netmon packet - dump, and <TT -CLASS="FILENAME" ->captures\</TT ->. - </P -><P -> In order to install the Netmon tools on an NT Workstation, you will - first need to install the 'Network Monitor Agent' from the Workstation - install CD. - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add</P -></LI -><LI -><P ->Select the 'Network Monitor Agent' and click - on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. - </P -></LI -><LI -><P ->Insert the Windows NT Workstation 4.0 install - CD when prompted.</P -></LI -></UL -><P -> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* - to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set - permissions as you deem appropriate for your site. You will need - administrative rights on the NT box to run netmon. - </P -><P -> To install Netmon on a Windows 9x box install the network monitor agent - from the Windows 9x CD (\admin\nettools\netmon). There is a readme - file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working - Netmon installation. - </P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN942" ->URLs and similar</A -></H2 -><P -></P -><UL -><LI -><P ->Home of Samba site <A -HREF="http://samba.org" -TARGET="_top" -> http://samba.org</A ->. We have a mirror near you !</P -></LI -><LI -><P -> The <I -CLASS="EMPHASIS" ->Development</I -> document - on the Samba mirrors might mention your problem. If so, - it might mean that the developers are working on it.</P -></LI -><LI -><P ->See how Scott Merrill simulates a BDC behavior at - <A -HREF="http://www.skippy.net/linux/smb-howto.html" -TARGET="_top" -> http://www.skippy.net/linux/smb-howto.html</A ->. </P -></LI -><LI -><P ->Although 2.0.7 has almost had its day as a PDC, David Bannon will - keep the 2.0.7 PDC pages at <A -HREF="http://bioserve.latrobe.edu.au/samba" -TARGET="_top" -> http://bioserve.latrobe.edu.au/samba</A -> going for a while yet.</P -></LI -><LI -><P ->Misc links to CIFS information - <A -HREF="http://samba.org/cifs/" -TARGET="_top" ->http://samba.org/cifs/</A -></P -></LI -><LI -><P ->NT Domains for Unix <A -HREF="http://mailhost.cb1.com/~lkcl/ntdom/" -TARGET="_top" -> http://mailhost.cb1.com/~lkcl/ntdom/</A -></P -></LI -><LI -><P ->FTP site for older SMB specs: - <A -HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" -TARGET="_top" -> ftp://ftp.microsoft.com/developr/drg/CIFS/</A -></P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN966" ->Mailing Lists</A -></H2 -><P -><I -CLASS="EMPHASIS" ->How do I get help from the mailing lists ?</I -></P -><P ->There are a number of Samba related mailing lists. Go to <A -HREF="http://samba.org" -TARGET="_top" ->http://samba.org</A ->, click on your nearest mirror -and then click on <B -CLASS="COMMAND" ->Support</B -> and then click on <B -CLASS="COMMAND" ->Samba related mailing lists</B ->.</P -><P ->For questions relating to Samba TNG go to -<A -HREF="http://www.samba-tng.org/" -TARGET="_top" ->http://www.samba-tng.org/</A -> -It has been requested that you don't post questions about Samba-TNG to the -main stream Samba lists.</P -><P ->If you post a message to one of the lists please observe the following guide lines :</P -><P -></P -><UL -><LI -><P -> Always remember that the developers are volunteers, they are - not paid and they never guarantee to produce a particular feature at - a particular time. Any time lines are 'best guess' and nothing more. - </P -></LI -><LI -><P -> Always mention what version of samba you are using and what - operating system its running under. You should probably list the - relevant sections of your smb.conf file, at least the options - in [global] that affect PDC support.</P -></LI -><LI -><P ->In addition to the version, if you obtained Samba via - CVS mention the date when you last checked it out.</P -></LI -><LI -><P -> Try and make your question clear and brief, lots of long, - convoluted questions get deleted before they are completely read ! - Don't post html encoded messages (if you can select colour or font - size its html).</P -></LI -><LI -><P -> If you run one of those nifty 'I'm on holidays' things when - you are away, make sure its configured to not answer mailing lists. - </P -></LI -><LI -><P -> Don't cross post. Work out which is the best list to post to - and see what happens, ie don't post to both samba-ntdom and samba-technical. - Many people active on the lists subscribe to more - than one list and get annoyed to see the same message two or more times. - Often someone will see a message and thinking it would be better dealt - with on another, will forward it on for you.</P -></LI -><LI -><P ->You might include <I -CLASS="EMPHASIS" ->partial</I -> - log files written at a debug level set to as much as 20. - Please don't send the entire log but enough to give the context of the - error messages.</P -></LI -><LI -><P ->(Possibly) If you have a complete netmon trace ( from the opening of - the pipe to the error ) you can send the *.CAP file as well.</P -></LI -><LI -><P ->Please think carefully before attaching a document to an email. - Consider pasting the relevant parts into the body of the message. The samba - mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory ?</P -></LI -></UL -><P -><I -CLASS="EMPHASIS" ->How do I get off the mailing lists ?</I -></P -><P ->To have your name removed from a samba mailing list, go to the - same place you went to to get on it. Go to <A -HREF="http://lists.samba.org/" -TARGET="_top" ->http://lists.samba.org</A ->, click - on your nearest mirror and then click on <B -CLASS="COMMAND" ->Support</B -> and - then click on <B -CLASS="COMMAND" -> Samba related mailing lists</B ->. Or perhaps see - <A -HREF="http://lists.samba.org/mailman/roster/samba-ntdom" -TARGET="_top" ->here</A -></P -><P -> Please don't post messages to the list asking to be removed, you will just - be referred to the above address (unless that process failed in some way...) - </P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1005" ->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></H1 -><P ->This appendix was originally authored by John H Terpstra of the Samba Team -and is included here for posterity.</P -><P -><I -CLASS="EMPHASIS" ->NOTE :</I -> -The term "Domain Controller" and those related to it refer to one specific -method of authentication that can underly an SMB domain. Domain Controllers -prior to Windows NT Server 3.1 were sold by various companies and based on -private extensions to the LAN Manager 2.1 protocol. Windows NT introduced -Microsoft-specific ways of distributing the user authentication database. -See DOMAIN.txt for examples of how Samba can participate in or create -SMB domains based on shared authentication database schemes other than the -Windows NT SAM.</P -><P ->Windows NT Server can be installed as either a plain file and print server -(WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller).</P -><P ->The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT. -However only those servers which have licensed Windows NT code in them can be -a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)</P -><P ->To many people these terms can be confusing, so let's try to clear the air.</P -><P ->Every Windows NT system (workstation or server) has a registry database. -The registry contains entries that describe the initialization information -for all services (the equivalent of Unix Daemons) that run within the Windows -NT environment. The registry also contains entries that tell application -software where to find dynamically loadable libraries that they depend upon. -In fact, the registry contains entries that describes everything that anything -may need to know to interact with the rest of the system.</P -><P ->The registry files can be located on any Windows NT machine by opening a -command prompt and typing:</P -><P -><TT -CLASS="PROMPT" ->C:\WINNT\></TT -> dir %SystemRoot%\System32\config</P -><P ->The environment variable %SystemRoot% value can be obtained by typing:</P -><P -><TT -CLASS="PROMPT" ->C:\WINNT></TT ->echo %SystemRoot%</P -><P ->The active parts of the registry that you may want to be familiar with are -the files called: default, system, software, sam and security.</P -><P ->In a domain environment, Microsoft Windows NT domain controllers participate -in replication of the SAM and SECURITY files so that all controllers within -the domain have an exactly identical copy of each.</P -><P ->The Microsoft Windows NT system is structured within a security model that -says that all applications and services must authenticate themselves before -they can obtain permission from the security manager to do what they set out -to do.</P -><P ->The Windows NT User database also resides within the registry. This part of -the registry contains the user's security identifier, home directory, group -memberships, desktop profile, and so on.</P -><P ->Every Windows NT system (workstation as well as server) will have its own -registry. Windows NT Servers that participate in Domain Security control -have a database that they share in common - thus they do NOT own an -independent full registry database of their own, as do Workstations and -plain Servers.</P -><P ->The User database is called the SAM (Security Access Manager) database and -is used for all user authentication as well as for authentication of inter- -process authentication (ie: to ensure that the service action a user has -requested is permitted within the limits of that user's privileges).</P -><P ->The Samba team have produced a utility that can dump the Windows NT SAM into -smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and -/pub/samba/pwdump on your nearest Samba mirror for the utility. This -facility is useful but cannot be easily used to implement SAM replication -to Samba systems.</P -><P ->Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers -can participate in a Domain security system that is controlled by Windows NT -servers that have been correctly configured. At most every domain will have -ONE Primary Domain Controller (PDC). It is desirable that each domain will -have at least one Backup Domain Controller (BDC).</P -><P ->The PDC and BDCs then participate in replication of the SAM database so that -each Domain Controlling participant will have an up to date SAM component -within its registry.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN1029" ->Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1047" ->Abstract</A -></H1 -><P ->Integration of UNIX and Microsoft Windows NT through - a unified logon has been considered a "holy grail" in heterogeneous - computing environments for a long time. We present <I -CLASS="EMPHASIS" ->winbind - </I ->, a component of the Samba suite of programs as a - solution to the unied logon problem. Winbind uses a UNIX implementation - of Microsoft RPC calls, Pluggable Authentication Modules, and the Name - Service Switch to allow Windows NT domain users to appear and operate - as UNIX users on a UNIX machine. This paper describes the winbind - system, explaining the functionality it provides, how it is configured, - and how it works internally.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1051" ->Introduction</A -></H1 -><P ->It is well known that UNIX and Microsoft Windows NT have - different models for representing user and group information and - use different technologies for implementing them. This fact has - made it difficult to integrate the two systems in a satisfactory - manner.</P -><P ->One common solution in use today has been to create - identically named user accounts on both the UNIX and Windows systems - and use the Samba suite of programs to provide file and print services - between the two. This solution is far from perfect however, as - adding and deleting users on both sets of machines becomes a chore - and two sets of passwords are required both of which which - can lead to synchronization problems between the UNIX and Windows - systems and confusion for users.</P -><P ->We divide the unifed logon problem for UNIX machines into - three smaller problems:</P -><P -></P -><UL -><LI -><P ->Obtaining Windows NT user and group information - </P -></LI -><LI -><P ->Authenticating Windows NT users - </P -></LI -><LI -><P ->Password changing for Windows NT users - </P -></LI -></UL -><P ->Ideally, a prospective solution to the unified logon problem - would satisfy all the above components without duplication of - information on the UNIX machines and without creating additional - tasks for the system administrator when maintaining users and - groups on either system. The winbind system provides a simple - and elegant solution to all three components of the unifed logon - problem.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1064" ->What Winbind Provides</A -></H1 -><P ->Winbind unifies UNIX and Windows NT account management by - allowing a UNIX box to become a full member of a NT domain. Once - this is done the UNIX box will see NT users and groups as if - they were native UNIX users and groups, allowing the NT domain - to be used in much the same manner that NIS+ is used within - UNIX-only environments.</P -><P ->The end result is that whenever any - program on the UNIX machine asks the operating system to lookup - a user or group name, the query will be resolved by asking the - NT domain controller for the specied domain to do the lookup. - Because Winbind hooks into the operating system at a low level - (via the NSS name resolution modules in the C library) this - redirection to the NT domain controller is completely - transparent.</P -><P ->Users on the UNIX machine can then use NT user and group - names as they would use "native" UNIX names. They can chown files - so that they are owned by NT domain users or even login to the - UNIX machine and run a UNIX X-Window session as a domain user.</P -><P ->The only obvious indication that Winbind is being used is - that user and group names take the form DOMAIN\user and - DOMAIN\group. This is necessary as it allows Winbind to determine - that redirection to a domain controller is wanted for a particular - lookup and which trusted domain is being referenced.</P -><P ->Additionally, Winbind provides a authentication service - that hooks into the Pluggable Authentication Modules (PAM) system - to provide authentication via a NT domain to any PAM enabled - applications. This capability solves the problem of synchronizing - passwords between systems as all passwords are stored in a single - location (on the domain controller).</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1071" ->Target Uses</A -></H2 -><P ->Winbind is targeted at organizations that have an - existing NT based domain infrastructure into which they wish - to put UNIX workstations or servers. Winbind will allow these - organizations to deploy UNIX workstations without having to - maintain a separate account infrastructure. This greatly simplies - the administrative overhead of deploying UNIX workstations into - a NT based organization.</P -><P ->Another interesting way in which we expect Winbind to - be used is as a central part of UNIX based appliances. Appliances - that provide file and print services to Microsoft based networks - will be able to use Winbind to provide seamless integration of - the appliance into the domain.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1075" ->How Winbind Works</A -></H1 -><P ->The winbind system is designed around a client/server - architecture. A long running <B -CLASS="COMMAND" ->winbindd</B -> daemon - listens on a UNIX domain socket waiting for requests - to arrive. These requests are generated by the NSS and PAM - clients and processed sequentially.</P -><P ->The technologies used to implement winbind are described - in detail below.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1080" ->Microsoft Remote Procedure Calls</A -></H2 -><P ->Over the last two years, efforts have been underway - by various Samba Team members to decode various aspects of - the Microsoft Remote Procedure Call (MSRPC) system. This - system is used for most network related operations between - Windows NT machines including remote management, user authentication - and print spooling. Although initially this work was done - to aid the implementation of Primary Domain Controller (PDC) - functionality in Samba, it has also yielded a body of code which - can be used for other purposes.</P -><P ->Winbind uses various MSRPC calls to enumerate domain users - and groups and to obtain detailed information about individual - users or groups. Other MSRPC calls can be used to authenticate - NT domain users and to change user passwords. By directly querying - a Windows PDC for user and group information, winbind maps the - NT account information onto UNIX user and group names.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1084" ->Name Service Switch</A -></H2 -><P ->The Name Service Switch, or NSS, is a feature that is - present in many UNIX operating systems. It allows system - information such as hostnames, mail aliases and user information - to be resolved from dierent sources. For example, a standalone - UNIX workstation may resolve system information from a series of - flat files stored on the local lesystem. A networked workstation - may first attempt to resolve system information from local files, - then consult a NIS database for user information or a DNS server - for hostname information.</P -><P ->The NSS application programming interface allows winbind - to present itself as a source of system information when - resolving UNIX usernames and groups. Winbind uses this interface, - and information obtained from a Windows NT server using MSRPC - calls to provide a new source of account enumeration. Using standard - UNIX library calls, one can enumerate the users and groups on - a UNIX machine running winbind and see all users and groups in - a NT domain plus any trusted domain as though they were local - users and groups.</P -><P ->The primary control le for NSS is <TT -CLASS="FILENAME" ->/etc/nsswitch.conf - </TT ->. When a UNIX application makes a request to do a lookup - the C library looks in <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> - for a line which matches the service type being requested, for - example the "passwd" service type is used when user or group names - are looked up. This config line species which implementations - of that service should be tried andin what order. If the passwd - config line is:</P -><P -><B -CLASS="COMMAND" ->passwd: files example</B -></P -><P ->then the C library will first load a module called - <TT -CLASS="FILENAME" ->/lib/libnss_files.so</TT -> followed by - the module <TT -CLASS="FILENAME" ->/lib/libnss_example.so</TT ->. The - C library will dynamically load each of these modules in turn - and call resolver functions within the modules to try to resolve - the request. Once the request is resolved the C library returns the - result to the application.</P -><P ->This NSS interface provides a very easy way for Winbind - to hook into the operating system. All that needs to be done - is to put <TT -CLASS="FILENAME" ->libnss_winbind.so</TT -> in <TT -CLASS="FILENAME" ->/lib/</TT -> - then add "winbind" into <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> at - the appropriate place. The C library will then call Winbind to - resolve user and group names.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1100" ->Pluggable Authentication Modules</A -></H2 -><P ->Pluggable Authentication Modules, also known as PAM, - is a system for abstracting authentication and authorization - technologies. With a PAM module it is possible to specify different - authentication methods for dierent system applications without - having to recompile these applications. PAM is also useful - for implementing a particular policy for authorization. For example, - a system administrator may only allow console logins from users - stored in the local password file but only allow users resolved from - a NIS database to log in over the network.</P -><P ->Winbind uses the authentication management and password - management PAM interface to integrate Windows NT users into a - UNIX system. This allows Windows NT users to log in to a UNIX - machine and be authenticated against a suitable Primary Domain - Controller. These users can also change their passwords and have - this change take eect directly on the Primary Domain Controller. - </P -><P ->PAM is congured by providing control files in the directory - <TT -CLASS="FILENAME" ->/etc/pam.d/</TT -> for each of the services that - require authentication. When an authentication request is made - by an application the PAM code in the C library looks up this - control file to determine what modules to load to do the - authentication check and in what order. This interface makes adding - a new authentication service for Winbind very easy, all that needs - to be done is that the <TT -CLASS="FILENAME" ->pam_winbind.so</TT -> module - is copied to <TT -CLASS="FILENAME" ->/lib/security/</TT -> and the pam - control files for relevant services are updated to allow - authentication via winbind. See the PAM documentation - for more details.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1108" ->User and Group ID Allocation</A -></H2 -><P ->When a user or group is created under Windows NT - is it allocated a numerical relative identier (RID). This is - slightly dierent to UNIX which has a range of numbers which are - used to identify users, and the same range in which to identify - groups. It is winbind's job to convert RIDs to UNIX id numbers and - vice versa. When winbind is congured it is given part of the UNIX - user id space and a part of the UNIX group id space in which to - store Windows NT users and groups. If a Windows NT user is - resolved for the first time, it is allocated the next UNIX id from - the range. The same process applies for Windows NT groups. Over - time, winbind will have mapped all Windows NT users and groups - to UNIX user ids and group ids.</P -><P ->The results of this mapping are stored persistently in - a ID mapping database held in a tdb database). This ensures that - RIDs are mapped to UNIX IDs in a consistent way.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1112" ->Result Caching</A -></H2 -><P ->An active system can generate a lot of user and group - name lookups. To reduce the network cost of these lookups winbind - uses a caching scheme based on the SAM sequence number supplied - by NT domain controllers. User or group information returned - by a PDC is cached by winbind along with a sequence number also - returned by the PDC. This sequence number is incremented by - Windows NT whenever any user or group information is modied. If - a cached entry has expired, the sequence number is requested from - the PDC and compared against the sequence number of the cached entry. - If the sequence numbers do not match, then the cached information - is discarded and up to date information is requested directly - from the PDC.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1115" ->Installation and Configuration</A -></H1 -><P ->The easiest way to install winbind is by using the packages - provided in the <TT -CLASS="FILENAME" ->pub/samba/appliance/</TT -> - directory on your nearest - Samba mirror. These packages provide snapshots of the Samba source - code and binaries already setup to provide the full functionality - of winbind. This setup is a little more complex than a normal Samba - build as winbind needs a small amount of functionality from a - development code branch called SAMBA_TNG.</P -><P ->Once you have installed the packages you should read - the <B -CLASS="COMMAND" ->winbindd(8)</B -> man page which will provide you - with conguration information and give you sample conguration files. - You may also wish to update the main Samba daemons smbd and nmbd) - with a more recent development release, such as the recently - announced Samba 2.2 alpha release.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1121" ->Limitations</A -></H1 -><P ->Winbind has a number of limitations in its current - released version which we hope to overcome in future - releases:</P -><P -></P -><UL -><LI -><P ->Winbind is currently only available for - the Linux operating system, although ports to other operating - systems are certainly possible. For such ports to be feasible, - we require the C library of the target operating system to - support the Name Service Switch and Pluggable Authentication - Modules systems. This is becoming more common as NSS and - PAM gain support among UNIX vendors.</P -></LI -><LI -><P ->The mappings of Windows NT RIDs to UNIX ids - is not made algorithmically and depends on the order in which - unmapped users or groups are seen by winbind. It may be difficult - to recover the mappings of rid to UNIX id mapping if the file - containing this information is corrupted or destroyed.</P -></LI -><LI -><P ->Currently the winbind PAM module does not take - into account possible workstation and logon time restrictions - that may be been set for Windows NT users.</P -></LI -><LI -><P ->Building winbind from source is currently - quite tedious as it requires combining source code from two Samba - branches. Work is underway to solve this by providing all - the necessary functionality in the main Samba code branch.</P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1133" ->Conclusion</A -></H1 -><P ->The winbind system, through the use of the Name Service - Switch, Pluggable Authentication Modules, and appropriate - Microsoft RPC calls have allowed us to provide seamless - integration of Microsoft Windows NT domain users on a - UNIX system. The result is a great reduction in the administrative - cost of running a mixed UNIX and NT network.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN1136" ->Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1147" ->Viewing and changing UNIX permissions using the NT - security dialogs</A -></H1 -><P ->New in the Samba 2.0.4 release is the ability for Windows - NT clients to use their native security settings dialog box to - view and modify the underlying UNIX permissions.</P -><P ->Note that this ability is careful not to compromise - the security of the UNIX host Samba is running on, and - still obeys all the file permission rules that a Samba - administrator can set.</P -><P ->In Samba 2.0.4 and above the default value of the - parameter <A -HREF="smb.conf.5.html#NTACLSUPPOR" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> nt acl support</I -></TT -></A -> has been changed from - <TT -CLASS="CONSTANT" ->false</TT -> to <TT -CLASS="CONSTANT" ->true</TT ->, so - manipulation of permissions is turned on by default.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1156" ->How to view file security on a Samba share</A -></H1 -><P ->From an NT 4.0 client, single-click with the right - mouse button on any file or directory in a Samba mounted - drive letter or UNC path. When the menu pops-up, click - on the <I -CLASS="EMPHASIS" ->Properties</I -> entry at the bottom of - the menu. This brings up the normal file properties dialog - box, but with Samba 2.0.4 this will have a new tab along the top - marked <I -CLASS="EMPHASIS" ->Security</I ->. Click on this tab and you - will see three buttons, <I -CLASS="EMPHASIS" ->Permissions</I ->, - <I -CLASS="EMPHASIS" ->Auditing</I ->, and <I -CLASS="EMPHASIS" ->Ownership</I ->. - The <I -CLASS="EMPHASIS" ->Auditing</I -> button will cause either - an error message <SPAN -CLASS="ERRORNAME" ->A requested privilege is not held - by the client</SPAN -> to appear if the user is not the - NT Administrator, or a dialog which is intended to allow an - Administrator to add auditing requirements to a file if the - user is logged on as the NT Administrator. This dialog is - non-functional with a Samba share at this time, as the only - useful button, the <B -CLASS="COMMAND" ->Add</B -> button will not currently - allow a list of users to be seen.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1167" ->Viewing file ownership</A -></H1 -><P ->Clicking on the <B -CLASS="COMMAND" ->"Ownership"</B -> button - brings up a dialog box telling you who owns the given file. The - owner name will be of the form :</P -><P -><B -CLASS="COMMAND" ->"SERVER\user (Long name)"</B -></P -><P ->Where <TT -CLASS="REPLACEABLE" -><I ->SERVER</I -></TT -> is the NetBIOS name of - the Samba server, <TT -CLASS="REPLACEABLE" -><I ->user</I -></TT -> is the user name of - the UNIX user who owns the file, and <TT -CLASS="REPLACEABLE" -><I ->(Long name)</I -></TT -> - is the discriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). Click on the <B -CLASS="COMMAND" ->Close - </B -> button to remove this dialog.</P -><P ->If the parameter <TT -CLASS="PARAMETER" -><I ->nt acl support</I -></TT -> - is set to <TT -CLASS="CONSTANT" ->false</TT -> then the file owner will - be shown as the NT user <B -CLASS="COMMAND" ->"Everyone"</B ->.</P -><P ->The <B -CLASS="COMMAND" ->Take Ownership</B -> button will not allow - you to change the ownership of this file to yourself (clicking on - it will display a dialog box complaining that the user you are - currently logged onto the NT client cannot be found). The reason - for this is that changing the ownership of a file is a privilaged - operation in UNIX, available only to the <I -CLASS="EMPHASIS" ->root</I -> - user. As clicking on this button causes NT to attempt to change - the ownership of a file to the current user logged into the NT - client this will not work with Samba at this time.</P -><P ->There is an NT chown command that will work with Samba - and allow a user with Administrator privillage connected - to a Samba 2.0.4 server as root to change the ownership of - files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the <I -CLASS="EMPHASIS" ->Seclib - </I -> NT security library written by Jeremy Allison of - the Samba Team, available from the main Samba ftp site.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1187" ->Viewing file or directory permissions</A -></H1 -><P ->The third button is the <B -CLASS="COMMAND" ->"Permissions"</B -> - button. Clicking on this brings up a dialog box that shows both - the permissions and the UNIX owner of the file or directory. - The owner is displayed in the form :</P -><P -><B -CLASS="COMMAND" ->"SERVER\user (Long name)"</B -></P -><P ->Where <TT -CLASS="REPLACEABLE" -><I ->SERVER</I -></TT -> is the NetBIOS name of - the Samba server, <TT -CLASS="REPLACEABLE" -><I ->user</I -></TT -> is the user name of - the UNIX user who owns the file, and <TT -CLASS="REPLACEABLE" -><I ->(Long name)</I -></TT -> - is the discriptive string identifying the user (normally found in the - GECOS field of the UNIX password database).</P -><P ->If the parameter <TT -CLASS="PARAMETER" -><I ->nt acl support</I -></TT -> - is set to <TT -CLASS="CONSTANT" ->false</TT -> then the file owner will - be shown as the NT user <B -CLASS="COMMAND" ->"Everyone"</B -> and the - permissions will be shown as NT "Full Control".</P -><P ->The permissions field is displayed differently for files - and directories, so I'll describe the way file permissions - are displayed first.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1202" ->File Permissions</A -></H2 -><P ->The standard UNIX user/group/world triple and - the correspinding "read", "write", "execute" permissions - triples are mapped by Samba into a three element NT ACL - with the 'r', 'w', and 'x' bits mapped into the corresponding - NT permissions. The UNIX world permissions are mapped into - the global NT group <B -CLASS="COMMAND" ->Everyone</B ->, followed - by the list of permissions allowed for UNIX world. The UNIX - owner and group permissions are displayed as an NT - <B -CLASS="COMMAND" ->user</B -> icon and an NT <B -CLASS="COMMAND" ->local - group</B -> icon respectively followed by the list - of permissions allowed for the UNIX user and group.</P -><P ->As many UNIX permission sets don't map into common - NT names such as <B -CLASS="COMMAND" ->"read"</B ->, <B -CLASS="COMMAND" -> "change"</B -> or <B -CLASS="COMMAND" ->"full control"</B -> then - usually the permissions will be prefixed by the words <B -CLASS="COMMAND" -> "Special Access"</B -> in the NT display list.</P -><P ->But what happens if the file has no permissions allowed - for a particular UNIX user group or world component ? In order - to allow "no permissions" to be seen and modified then Samba - overloads the NT <B -CLASS="COMMAND" ->"Take Ownership"</B -> ACL attribute - (which has no meaning in UNIX) and reports a component with - no permissions as having the NT <B -CLASS="COMMAND" ->"O"</B -> bit set. - This was chosen of course to make it look like a zero, meaning - zero permissions. More details on the decision behind this will - be given below.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1216" ->Directory Permissions</A -></H2 -><P ->Directories on an NT NTFS file system have two - different sets of permissions. The first set of permissions - is the ACL set on the directory itself, this is usually displayed - in the first set of parentheses in the normal <B -CLASS="COMMAND" ->"RW"</B -> - NT style. This first set of permissions is created by Samba in - exactly the same way as normal file permissions are, described - above, and is displayed in the same way.</P -><P ->The second set of directory permissions has no real meaning - in the UNIX permissions world and represents the <B -CLASS="COMMAND" -> "inherited"</B -> permissions that any file created within - this directory would inherit.</P -><P ->Samba synthesises these inherited permissions for NT by - returning as an NT ACL the UNIX permission mode that a new file - created by Samba on this share would receive.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1223" ->Modifying file or directory permissions</A -></H1 -><P ->Modifying file and directory permissions is as simple - as changing the displayed permissions in the dialog box, and - clicking the <B -CLASS="COMMAND" ->OK</B -> button. However, there are - limitations that a user needs to be aware of, and also interactions - with the standard Samba permission masks and mapping of DOS - attributes that need to also be taken into account.</P -><P ->If the parameter <TT -CLASS="PARAMETER" -><I ->nt acl support</I -></TT -> - is set to <TT -CLASS="CONSTANT" ->false</TT -> then any attempt to set - security permissions will fail with an <B -CLASS="COMMAND" ->"Access Denied" - </B -> message.</P -><P ->The first thing to note is that the <B -CLASS="COMMAND" ->"Add"</B -> - button will not return a list of users in Samba 2.0.4 (it will give - an error message of <B -CLASS="COMMAND" ->"The remote proceedure call failed - and did not execute"</B ->). This means that you can only - manipulate the current user/group/world permissions listed in - the dialog box. This actually works quite well as these are the - only permissions that UNIX actually has.</P -><P ->If a permission triple (either user, group, or world) - is removed from the list of permissions in the NT dialog box, - then when the <B -CLASS="COMMAND" ->"OK"</B -> button is pressed it will - be applied as "no permissions" on the UNIX side. If you then - view the permissions again the "no permissions" entry will appear - as the NT <B -CLASS="COMMAND" ->"O"</B -> flag, as described above. This - allows you to add permissions back to a file or directory once - you have removed them from a triple component.</P -><P ->As UNIX supports only the "r", "w" and "x" bits of - an NT ACL then if other NT security attributes such as "Delete - access" are selected then they will be ignored when applied on - the Samba server.</P -><P ->When setting permissions on a directory the second - set of permissions (in the second set of parentheses) is - by default applied to all files within that directory. If this - is not what you want you must uncheck the <B -CLASS="COMMAND" ->"Replace - permissions on existing files"</B -> checkbox in the NT - dialog before clicking <B -CLASS="COMMAND" ->"OK"</B ->.</P -><P ->If you wish to remove all permissions from a - user/group/world component then you may either highlight the - component and click the <B -CLASS="COMMAND" ->"Remove"</B -> button, - or set the component to only have the special <B -CLASS="COMMAND" ->"Take - Ownership"</B -> permission (dsplayed as <B -CLASS="COMMAND" ->"O" - </B ->) highlighted.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1245" ->Interaction with the standard Samba create mask - parameters</A -></H1 -><P ->Note that with Samba 2.0.5 there are four new parameters - to control this interaction. These are :</P -><P -><TT -CLASS="PARAMETER" -><I ->security mask</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->force security mode</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->directory security mask</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->force directory security mode</I -></TT -></P -><P ->Once a user clicks <B -CLASS="COMMAND" ->"OK"</B -> to apply the - permissions Samba maps the given permissions into a user/group/world - r/w/x triple set, and then will check the changed permissions for a - file against the bits set in the <A -HREF="smb.conf.5.html#SECURITYMASK" -TARGET="_top" -> - <TT -CLASS="PARAMETER" -><I ->security mask</I -></TT -></A -> parameter. Any bits that - were changed that are not set to '1' in this parameter are left alone - in the file permissions.</P -><P ->Essentially, zero bits in the <TT -CLASS="PARAMETER" -><I ->security mask</I -></TT -> - mask may be treated as a set of bits the user is <I -CLASS="EMPHASIS" ->not</I -> - allowed to change, and one bits are those the user is allowed to change. - </P -><P ->If not set explicitly this parameter is set to the same value as - the <A -HREF="smb.conf.5.html#CREATEMASK" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I ->create mask - </I -></TT -></A -> parameter to provide compatibility with Samba 2.0.4 - where this permission change facility was introduced. To allow a user to - modify all the user/group/world permissions on a file, set this parameter - to 0777.</P -><P ->Next Samba checks the changed permissions for a file against - the bits set in the <A -HREF="smb.conf.5.html#FORCESECURITYMODE" -TARGET="_top" -> <TT -CLASS="PARAMETER" -><I ->force security mode</I -></TT -></A -> parameter. Any bits - that were changed that correspond to bits set to '1' in this parameter - are forced to be set.</P -><P ->Essentially, bits set in the <TT -CLASS="PARAMETER" -><I ->force security mode - </I -></TT -> parameter may be treated as a set of bits that, when - modifying security on a file, the user has always set to be 'on'.</P -><P ->If not set explicitly this parameter is set to the same value - as the <A -HREF="smb.conf.5.html#FORCECREATEMODE" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I ->force - create mode</I -></TT -></A -> parameter to provide compatibility - with Samba 2.0.4 where the permission change facility was introduced. - To allow a user to modify all the user/group/world permissions on a file, - with no restrictions set this parameter to 000.</P -><P ->The <TT -CLASS="PARAMETER" -><I ->security mask</I -></TT -> and <TT -CLASS="PARAMETER" -><I ->force - security mode</I -></TT -> parameters are applied to the change - request in that order.</P -><P ->For a directory Samba will perform the same operations as - described above for a file except using the parameter <TT -CLASS="PARAMETER" -><I -> directory security mask</I -></TT -> instead of <TT -CLASS="PARAMETER" -><I ->security - mask</I -></TT ->, and <TT -CLASS="PARAMETER" -><I ->force directory security mode - </I -></TT -> parameter instead of <TT -CLASS="PARAMETER" -><I ->force security mode - </I -></TT ->.</P -><P ->The <TT -CLASS="PARAMETER" -><I ->directory security mask</I -></TT -> parameter - by default is set to the same value as the <TT -CLASS="PARAMETER" -><I ->directory mask - </I -></TT -> parameter and the <TT -CLASS="PARAMETER" -><I ->force directory security - mode</I -></TT -> parameter by default is set to the same value as - the <TT -CLASS="PARAMETER" -><I ->force directory mode</I -></TT -> parameter to provide - compatibility with Samba 2.0.4 where the permission change facility - was introduced.</P -><P ->In this way Samba enforces the permission restrictions that - an administrator can set on a Samba share, whilst still allowing users - to modify the permission bits within that restriction.</P -><P ->If you want to set up a share that allows users full control - in modifying the permission bits on their files and directories and - doesn't force any particular bits to be set 'on', then set the following - parameters in the <A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5) - </TT -></A -> file in that share specific section :</P -><P -><TT -CLASS="PARAMETER" -><I ->security mask = 0777</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->force security mode = 0</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->directory security mask = 0777</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->force directory security mode = 0</I -></TT -></P -><P ->As described, in Samba 2.0.4 the parameters :</P -><P -><TT -CLASS="PARAMETER" -><I ->create mask</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->force create mode</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->directory mask</I -></TT -></P -><P -><TT -CLASS="PARAMETER" -><I ->force directory mode</I -></TT -></P -><P ->were used instead of the parameters discussed here.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN1309" ->Interaction with the standard Samba file attribute - mapping</A -></H1 -><P ->Samba maps some of the DOS attribute bits (such as "read - only") into the UNIX permissions of a file. This means there can - be a conflict between the permission bits set via the security - dialog and the permission bits set by the file attribute mapping. - </P -><P ->One way this can show up is if a file has no UNIX read access - for the owner it will show up as "read only" in the standard - file attributes tabbed dialog. Unfortunately this dialog is - the same one that contains the security info in another tab.</P -><P ->What this can mean is that if the owner changes the permissions - to allow themselves read access using the security dialog, clicks - <B -CLASS="COMMAND" ->"OK"</B -> to get back to the standard attributes tab - dialog, and then clicks <B -CLASS="COMMAND" ->"OK"</B -> on that dialog, then - NT will set the file permissions back to read-only (as that is what - the attributes still say in the dialog). This means that after setting - permissions and clicking <B -CLASS="COMMAND" ->"OK"</B -> to get back to the - attributes dialog you should always hit <B -CLASS="COMMAND" ->"Cancel"</B -> - rather than <B -CLASS="COMMAND" ->"OK"</B -> to ensure that your changes - are not overridden.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN1319" ->Chapter 9. OS2 Client HOWTO</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1330" ->FAQs</A -></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN1332" ->How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?</A -></H2 -><P ->A more complete answer to this question can be - found on <A -HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/samba/warp.html</A ->.</P -><P ->Basically, you need three components:</P -><P -></P -><UL -><LI -><P ->The File and Print Client ('IBM Peer') - </P -></LI -><LI -><P ->TCP/IP ('Internet support') - </P -></LI -><LI -><P ->The "NetBIOS over TCP/IP" driver ('TCPBEUI') - </P -></LI -></UL -><P ->Installing the first two together with the base operating - system on a blank system is explained in the Warp manual. If Warp - has already been installed, but you now want to install the - networking support, use the "Selective Install for Networking" - object in the "System Setup" folder.</P -><P ->Adding the "NetBIOS over TCP/IP" driver is not described - in the manual and just barely in the online documentation. Start - MPTS.EXE, click on OK, click on "Configure LAPS" and click - on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line - is then moved to 'Current Configuration'. Select that line, - click on "Change number" and increase it from 0 to 1. Save this - configuration.</P -><P ->If the Samba server(s) is not on your local subnet, you - can optionally add IP names and addresses of these servers - to the "Names List", or specify a WINS server ('NetBIOS - Nameserver' in IBM and RFC terminology). For Warp Connect you - may need to download an update for 'IBM Peer' to bring it on - the same level as Warp 4. See the webpage mentioned above.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1347" ->How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?</A -></H2 -><P ->You can use the free Microsoft LAN Manager 2.2c Client - for OS/2 from - <A -HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" -TARGET="_top" -> ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A ->. - See <A -HREF="http://carol.wins.uva.nl/~leeuw/lanman.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/lanman.html</A -> for - more information on how to install and use this client. In - a nutshell, edit the file \OS2VER in the root directory of - the OS/2 boot partition and add the lines:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> 20=setup.exe - 20=netwksta.sys - 20=netvdd.sys - </PRE -></P -><P ->before you install the client. Also, don't use the - included NE2000 driver because it is buggy. Try the NE2000 - or NS2000 driver from - <A -HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/" -TARGET="_top" -> ftp://ftp.cdrom.com/pub/os2/network/ndis/</A -> instead. - </P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1356" ->Are there any other issues when OS/2 (any version) - is used as a client?</A -></H2 -><P ->When you do a NET VIEW or use the "File and Print - Client Resource Browser", no Samba servers show up. This can - be fixed by a patch from <A -HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/samba/fix.html</A ->. - The patch will be included in a later version of Samba. It also - fixes a couple of other problems, such as preserving long - filenames when objects are dragged from the Workplace Shell - to the Samba server. </P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN1360" ->How do I get printer driver download working - for OS/2 clients?</A -></H2 -><P ->First, create a share called [PRINTDRV] that is - world-readable. Copy your OS/2 driver files there. Note - that the .EA_ files must still be separate, so you will need - to use the original install files, and not copy an installed - driver from an OS/2 system.</P -><P ->Install the NT driver first for that printer. Then, - add to your smb.conf a paramater, "os2 driver map = - <TT -CLASS="REPLACEABLE" -><I ->filename</I -></TT ->". Then, in the file - specified by <TT -CLASS="REPLACEABLE" -><I ->filename</I -></TT ->, map the - name of the NT driver name to the OS/2 driver name as - follows:</P -><P -><nt driver name> = <os2 driver - name>.<device name>, e.g.: - HP LaserJet 5L = LASERJET.HP LaserJet 5L</P -><P ->You can have multiple drivers mapped in this file.</P -><P ->If you only specify the OS/2 driver name, and not the - device name, the first attempt to download the driver will - actually download the files, but the OS/2 client will tell - you the driver is not available. On the second attempt, it - will work. This is fixed simply by adding the device name - to the mapping, after which it will work on the first attempt. - </P -></DIV -></DIV -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file |