diff options
Diffstat (limited to 'docs/htmldocs')
| -rw-r--r-- | docs/htmldocs/CVS-Access.html | 193 | ||||
| -rw-r--r-- | docs/htmldocs/ENCRYPTION.html | 656 | ||||
| -rw-r--r-- | docs/htmldocs/Integrating-with-Windows.html | 1072 | ||||
| -rw-r--r-- | docs/htmldocs/OS2-Client-HOWTO.html | 210 | ||||
| -rw-r--r-- | docs/htmldocs/PAM-Authentication-And-Samba.html | 318 | ||||
| -rw-r--r-- | docs/htmldocs/Samba-PDC-HOWTO.html | 2284 | ||||
| -rw-r--r-- | docs/htmldocs/make_unicodemap.1.html | 276 | ||||
| -rw-r--r-- | docs/htmldocs/msdfs_setup.html | 210 | ||||
| -rw-r--r-- | docs/htmldocs/smbmnt.8.html | 178 | ||||
| -rw-r--r-- | docs/htmldocs/smbumount.8.html | 140 |
10 files changed, 0 insertions, 5537 deletions
diff --git a/docs/htmldocs/CVS-Access.html b/docs/htmldocs/CVS-Access.html deleted file mode 100644 index 1329433f1a1..00000000000 --- a/docs/htmldocs/CVS-Access.html +++ /dev/null @@ -1,193 +0,0 @@ -<HTML -><HEAD -><TITLE ->HOWTO Access Samba source code via CVS</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="ARTICLE" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="ARTICLE" -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="CVS-ACCESS" ->HOWTO Access Samba source code via CVS</A -></H1 -><HR></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3" ->Introduction</A -></H1 -><P ->Samba is developed in an open environment. Developers use CVS -(Concurrent Versioning System) to "checkin" (also known as -"commit") new source code. Samba's various CVS branches can -be accessed via anonymous CVS using the instructions -detailed in this chapter.</P -><P ->This document is a modified version of the instructions found at -<A -HREF="http://samba.org/samba/cvs.html" -TARGET="_top" ->http://samba.org/samba/cvs.html</A -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN8" ->CVS Access to samba.org</A -></H1 -><P ->The machine samba.org runs a publicly accessible CVS -repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN11" ->Access via CVSweb</A -></H2 -><P ->You can access the source code via your -favourite WWW browser. This allows you to access the contents of -individual files in the repository and also to look at the revision -history and commit logs of individual files. You can also ask for a diff -listing between any two versions on the repository.</P -><P ->Use the URL : <A -HREF="http://samba.org/cgi-bin/cvsweb" -TARGET="_top" ->http://samba.org/cgi-bin/cvsweb</A -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN16" ->Access via cvs</A -></H2 -><P ->You can also access the source code via a -normal cvs client. This gives you much more control over you can -do with the repository and allows you to checkout whole source trees -and keep them up to date via normal cvs commands. This is the -preferred method of access if you are a developer and not -just a casual browser.</P -><P ->To download the latest cvs source code, point your -browser at the URL : <A -HREF="http://www.cyclic.com/" -TARGET="_top" ->http://www.cyclic.com/</A ->. -and click on the 'How to get cvs' link. CVS is free software under -the GNU GPL (as is Samba). Note that there are several graphical CVS clients -which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com.</P -><P ->To gain access via anonymous cvs use the following steps. -For this example it is assumed that you want a copy of the -samba source code. For the other source code repositories -on this system just substitute the correct package name</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Install a recent copy of cvs. All you really need is a - copy of the cvs client binary. - </P -></LI -><LI -><P -> Run the command - </P -><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot login</B -> - </P -><P -> When it asks you for a password type <TT -CLASS="USERINPUT" -><B ->cvs</B -></TT ->. - </P -></LI -><LI -><P -> Run the command - </P -><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B -> - </P -><P -> This will create a directory called samba containing the - latest samba source code (i.e. the HEAD tagged cvs branch). This - currently corresponds to the 3.0 development tree. - </P -><P -> CVS branches other HEAD can be obtained by using the <TT -CLASS="PARAMETER" -><I ->-r</I -></TT -> - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. - </P -><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B -> - </P -></LI -><LI -><P -> Whenever you want to merge in the latest code changes use - the following command from within the samba directory: - </P -><P -> <B -CLASS="COMMAND" ->cvs update -d -P</B -> - </P -></LI -></OL -></DIV -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/ENCRYPTION.html b/docs/htmldocs/ENCRYPTION.html deleted file mode 100644 index e4d3ef5fed2..00000000000 --- a/docs/htmldocs/ENCRYPTION.html +++ /dev/null @@ -1,656 +0,0 @@ -<HTML -><HEAD -><TITLE ->LanMan and NT Password Encryption in Samba 2.x</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="ARTICLE" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="ARTICLE" -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="PWENCRYPT" ->LanMan and NT Password Encryption in Samba 2.x</A -></H1 -><HR></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3" ->Introduction</A -></H1 -><P ->With the development of LanManager and Windows NT - compatible password encryption for Samba, it is now able - to validate user connections in exactly the same way as - a LanManager or Windows NT server.</P -><P ->This document describes how the SMB password encryption - algorithm works and what issues there are in choosing whether - you want to use it. You should read it carefully, especially - the part about security and the "PROS and CONS" section.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN7" ->How does it work?</A -></H1 -><P ->LanManager encryption is somewhat similar to UNIX - password encryption. The server uses a file containing a - hashed value of a user's password. This is created by taking - the user's plaintext password, capitalising it, and either - truncating to 14 bytes or padding to 14 bytes with null bytes. - This 14 byte value is used as two 56 bit DES keys to encrypt - a 'magic' eight byte value, forming a 16 byte value which is - stored by the server and client. Let this value be known as - the "hashed password".</P -><P ->Windows NT encryption is a higher quality mechanism, - consisting of doing an MD4 hash on a Unicode version of the user's - password. This also produces a 16 byte hash value that is - non-reversible.</P -><P ->When a client (LanManager, Windows for WorkGroups, Windows - 95 or Windows NT) wishes to mount a Samba drive (or use a Samba - resource), it first requests a connection and negotiates the - protocol that the client and server will use. In the reply to this - request the Samba server generates and appends an 8 byte, random - value - this is stored in the Samba server after the reply is sent - and is known as the "challenge". The challenge is different for - every client connection.</P -><P ->The client then uses the hashed password (16 byte values - described above), appended with 5 null bytes, as three 56 bit - DES keys, each of which is used to encrypt the challenge 8 byte - value, forming a 24 byte value known as the "response".</P -><P ->In the SMB call SMBsessionsetupX (when user level security - is selected) or the call SMBtconX (when share level security is - selected), the 24 byte response is returned by the client to the - Samba server. For Windows NT protocol levels the above calculation - is done on both hashes of the user's password and both responses are - returned in the SMB call, giving two 24 byte values.</P -><P ->The Samba server then reproduces the above calculation, using - its own stored value of the 16 byte hashed password (read from the - <TT -CLASS="FILENAME" ->smbpasswd</TT -> file - described later) and the challenge - value that it kept from the negotiate protocol reply. It then checks - to see if the 24 byte value it calculates matches the 24 byte value - returned to it from the client.</P -><P ->If these values match exactly, then the client knew the - correct password (or the 16 byte hashed value - see security note - below) and is thus allowed access. If not, then the client did not - know the correct password and is denied access.</P -><P ->Note that the Samba server never knows or stores the cleartext - of the user's password - just the 16 byte hashed values derived from - it. Also note that the cleartext password or 16 byte hashed values - are never transmitted over the network - thus increasing security.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN18" ->Important Notes About Security</A -></H1 -><P ->The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the smbpasswd file as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.</P -><P ->Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc). </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P ->Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are <I -CLASS="EMPHASIS" ->never</I -> sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. See the document WinNT.txt for details on how to do - this.</P -><P ->Other Microsoft operating systems which also exhibit - this behavior includes</P -><P -></P -><UL -><LI -><P ->MS DOS Network client 3.0 with - the basic network redirector installed</P -></LI -><LI -><P ->Windows 95 with the network redirector - update installed</P -></LI -><LI -><P ->Windows 98 [se]</P -></LI -><LI -><P ->Windows 2000</P -></LI -></UL -><P -><I -CLASS="EMPHASIS" ->Note :</I ->All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.</P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN37" ->Advantages of SMB Encryption</A -></H2 -><P -></P -><UL -><LI -><P ->plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.</P -></LI -><LI -><P ->WinNT doesn't like talking to a server - that isn't using SMB encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN44" ->Advantages of non-encrypted passwords</A -></H2 -><P -></P -><UL -><LI -><P ->plain text passwords are not kept - on disk. </P -></LI -><LI -><P ->uses same password file as other unix - services such as login and ftp</P -></LI -><LI -><P ->you are probably already using other - services (such as telnet and ftp) which send plain text - passwords over the net, so sending them for SMB isn't - such a big deal.</P -></LI -></UL -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN53" -><A -NAME="SMBPASSWDFILEFORMAT" -></A ->The smbpasswd file</A -></H1 -><P ->In order for Samba to participate in the above protocol - it must be able to look up the 16 byte hashed values given a user name. - Unfortunately, as the UNIX password value is also a one way hash - function (ie. it is impossible to retrieve the cleartext of the user's - password given the UNIX hash of it), a separate password file - containing this 16 byte value must be kept. To minimise problems with - these two password files, getting out of sync, the UNIX <TT -CLASS="FILENAME" -> /etc/passwd</TT -> and the <TT -CLASS="FILENAME" ->smbpasswd</TT -> file, - a utility, <B -CLASS="COMMAND" ->mksmbpasswd.sh</B ->, is provided to generate - a smbpasswd file from a UNIX <TT -CLASS="FILENAME" ->/etc/passwd</TT -> file. - </P -><P ->To generate the smbpasswd file from your <TT -CLASS="FILENAME" ->/etc/passwd - </TT -> file use the following command :</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->cat /etc/passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd</B -></TT -></P -><P ->If you are running on a system that uses NIS, use</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->ypcat passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd</B -></TT -></P -><P ->The <B -CLASS="COMMAND" ->mksmbpasswd.sh</B -> program is found in - the Samba source directory. By default, the smbpasswd file is - stored in :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private/smbpasswd</TT -></P -><P ->The owner of the <TT -CLASS="FILENAME" ->/usr/local/samba/private/</TT -> - directory should be set to root, and the permissions on it should - be set to 0500 (<B -CLASS="COMMAND" ->chmod 500 /usr/local/samba/private</B ->). - </P -><P ->Likewise, the smbpasswd file inside the private directory should - be owned by root and the permissions on is should be set to 0600 - (<B -CLASS="COMMAND" ->chmod 600 smbpasswd</B ->).</P -><P ->The format of the smbpasswd file is (The line has been - wrapped here. It should appear as one entry per line in - your smbpasswd file.)</P -><P -><PRE -CLASS="PROGRAMLISTING" ->username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: - [Account type]:LCT-<last-change-time>:Long name - </PRE -></P -><P ->Although only the <TT -CLASS="REPLACEABLE" -><I ->username</I -></TT ->, - <TT -CLASS="REPLACEABLE" -><I ->uid</I -></TT ->, <TT -CLASS="REPLACEABLE" -><I -> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</I -></TT ->, - [<TT -CLASS="REPLACEABLE" -><I ->Account type</I -></TT ->] and <TT -CLASS="REPLACEABLE" -><I -> last-change-time</I -></TT -> sections are significant - and are looked at in the Samba code.</P -><P ->It is <I -CLASS="EMPHASIS" ->VITALLY</I -> important that there by 32 - 'X' characters between the two ':' characters in the XXX sections - - the smbpasswd and Samba code will fail to validate any entries that - do not have 32 characters between ':' characters. The first XXX - section is for the Lanman password hash, the second is for the - Windows NT version.</P -><P ->When the password file is created all users have password entries - consisting of 32 'X' characters. By default this disallows any access - as this user. When a user has a password set, the 'X' characters change - to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii - representation of the 16 byte hashed value of a user's password.</P -><P ->To set a user to have no password (not recommended), edit the file - using vi, and replace the first 11 characters with the ascii text - <TT -CLASS="CONSTANT" ->"NO PASSWORD"</TT -> (minus the quotes).</P -><P ->For example, to clear the password for user bob, his smbpasswd file - entry would look like :</P -><P -><PRE -CLASS="PROGRAMLISTING" -> bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell - </PRE -></P -><P ->If you are allowing users to use the smbpasswd command to set - their own passwords, you may want to give users NO PASSWORD initially - so they do not have to enter a previous password when changing to their - new password (not recommended). In order for you to allow this the - <B -CLASS="COMMAND" ->smbpasswd</B -> program must be able to connect to the - <B -CLASS="COMMAND" ->smbd</B -> daemon as that user with no password. Enable this - by adding the line :</P -><P -><B -CLASS="COMMAND" ->null passwords = yes</B -></P -><P ->to the [global] section of the smb.conf file (this is why - the above scenario is not recommended). Preferably, allocate your - users a default password to begin with, so you do not have - to enable this on your server.</P -><P -><I -CLASS="EMPHASIS" ->Note : </I ->This file should be protected very - carefully. Anyone with access to this file can (with enough knowledge of - the protocols) gain access to your SMB server. The file is thus more - sensitive than a normal unix <TT -CLASS="FILENAME" ->/etc/passwd</TT -> file.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN105" ->The smbpasswd Command</A -></H1 -><P ->The smbpasswd command maintains the two 32 byte password fields - in the smbpasswd file. If you wish to make it similar to the unix - <B -CLASS="COMMAND" ->passwd</B -> or <B -CLASS="COMMAND" ->yppasswd</B -> programs, - install it in <TT -CLASS="FILENAME" ->/usr/local/samba/bin/</TT -> (or your - main Samba binary directory).</P -><P ->Note that as of Samba 1.9.18p4 this program <I -CLASS="EMPHASIS" ->MUST NOT - BE INSTALLED</I -> setuid root (the new <B -CLASS="COMMAND" ->smbpasswd</B -> - code enforces this restriction so it cannot be run this way by - accident).</P -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> now works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.</P -><P -></P -><UL -><LI -><P ->smbpasswd no longer has to be setuid root - - an enormous range of potential security problems is - eliminated.</P -></LI -><LI -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> now has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).</P -></LI -></UL -><P ->To run smbpasswd as a normal user just type :</P -><P -><TT -CLASS="PROMPT" ->$ </TT -><TT -CLASS="USERINPUT" -><B ->smbpasswd</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->Old SMB password: </TT -><TT -CLASS="USERINPUT" -><B -><type old value here - - or hit return if there was no old password></B -></TT -></P -><P -><TT -CLASS="PROMPT" ->New SMB Password: </TT -><TT -CLASS="USERINPUT" -><B -><type new value> - </B -></TT -></P -><P -><TT -CLASS="PROMPT" ->Repeat New SMB Password: </TT -><TT -CLASS="USERINPUT" -><B -><re-type new value - </B -></TT -></P -><P ->If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.</P -><P ->If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.</P -><P ->If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.</P -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> is designed to work in the same way - and be familiar to UNIX users who use the <B -CLASS="COMMAND" ->passwd</B -> or - <B -CLASS="COMMAND" ->yppasswd</B -> commands.</P -><P ->For more details on using <B -CLASS="COMMAND" ->smbpasswd</B -> refer - to the man page which will always be the definitive reference.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN144" ->Setting up Samba to support LanManager Encryption</A -></H1 -><P ->This is a very brief description on how to setup samba to - support password encryption. </P -><P -></P -><OL -TYPE="1" -><LI -><P ->compile and install samba as usual</P -></LI -><LI -><P ->enable encrypted passwords in <TT -CLASS="FILENAME" -> smb.conf</TT -> by adding the line <B -CLASS="COMMAND" ->encrypt - passwords = yes</B -> in the [global] section</P -></LI -><LI -><P ->create the initial <TT -CLASS="FILENAME" ->smbpasswd</TT -> - password file in the place you specified in the Makefile - (--prefix=<dir>). See the notes under the <A -HREF="#SMBPASSWDFILEFORMAT" ->The smbpasswd File</A -> - section earlier in the document for details.</P -></LI -></OL -><P ->Note that you can test things using smbclient.</P -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/Integrating-with-Windows.html b/docs/htmldocs/Integrating-with-Windows.html deleted file mode 100644 index 7c5fe316272..00000000000 --- a/docs/htmldocs/Integrating-with-Windows.html +++ /dev/null @@ -1,1072 +0,0 @@ -<HTML -><HEAD -><TITLE ->Integrating MS Windows networks with Samba</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="ARTICLE" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="ARTICLE" -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A -></H1 -><HR></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3" ->Agenda</A -></H1 -><P ->To identify the key functional mechanisms of MS Windows networking -to enable the deployment of Samba as a means of extending and/or -replacing MS Windows NT/2000 technology.</P -><P ->We will examine:</P -><P -></P -><OL -TYPE="1" -><LI -><P ->Name resolution in a pure Unix/Linux TCP/IP - environment - </P -></LI -><LI -><P ->Name resolution as used within MS Windows - networking - </P -></LI -><LI -><P ->How browsing functions and how to deploy stable - and dependable browsing using Samba - </P -></LI -><LI -><P ->MS Windows security options and how to - configure Samba for seemless integration - </P -></LI -><LI -><P ->Configuration of Samba as:</P -><P -></P -><OL -TYPE="a" -><LI -><P ->A stand-alone server</P -></LI -><LI -><P ->An MS Windows NT 3.x/4.0 security domain member - </P -></LI -><LI -><P ->An alternative to an MS Windows NT 3.x/4.0 Domain Controller - </P -></LI -></OL -></LI -></OL -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN25" ->Name Resolution in a pure Unix/Linux world</A -></H1 -><P ->The key configuration files covered in this section are:</P -><P -></P -><UL -><LI -><P -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></P -></LI -><LI -><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P -></LI -><LI -><P -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></P -></LI -><LI -><P -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></P -></LI -></UL -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN41" -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></A -></H2 -><P ->Contains a static list of IP Addresses and names. -eg:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> 127.0.0.1 localhost localhost.localdomain - 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE -></P -><P ->The purpose of <TT -CLASS="FILENAME" ->/etc/hosts</TT -> is to provide a -name resolution mechanism so that uses do not need to remember -IP addresses.</P -><P ->Network packets that are sent over the physical network transport -layer communicate not via IP addresses but rather using the Media -Access Control address, or MAC address. IP Addresses are currently -32 bits in length and are typically presented as four (4) decimal -numbers that are separated by a dot (or period). eg: 168.192.1.1</P -><P ->MAC Addresses use 48 bits (or 6 bytes) and are typically represented -as two digit hexadecimal numbers separated by colons. eg: -40:8e:0a:12:34:56</P -><P ->Every network interfrace must have an MAC address. Associated with -a MAC address there may be one or more IP addresses. There is NO -relationship between an IP address and a MAC address, all such assignments -are arbitary or discretionary in nature. At the most basic level all -network communications takes place using MAC addressing. Since MAC -addresses must be globally unique, and generally remains fixed for -any particular interface, the assignment of an IP address makes sense -from a network management perspective. More than one IP address can -be assigned per MAC address. One address must be the primary IP address, -this is the address that will be returned in the ARP reply.</P -><P ->When a user or a process wants to communicate with another machine -the protocol implementation ensures that the "machine name" or "host -name" is resolved to an IP address in a manner that is controlled -by the TCP/IP configuration control files. The file -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> is one such file.</P -><P ->When the IP address of the destination interface has been -determined a protocol called ARP/RARP isused to identify -the MAC address of the target interface. ARP stands for Address -Resolution Protocol, and is a broadcast oriented method that -uses UDP (User Datagram Protocol) to send a request to all -interfaces on the local network segment using the all 1's MAC -address. Network interfaces are programmed to respond to two -MAC addresses only; their own unique address and the address -ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will -contain the MAC address and the primary IP address for each -interface.</P -><P ->The <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file is foundational to all -Unix/Linux TCP/IP installations and as a minumum will contain -the localhost and local network interface IP addresses and the -primary names by which they are known within the local machine. -This file helps to prime the pump so that a basic level of name -resolution can exist before any other method of name resolution -becomes available.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN57" -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></A -></H2 -><P ->This file tells the name resolution libraries:</P -><P -></P -><UL -><LI -><P ->The name of the domain to which the machine - belongs - </P -></LI -><LI -><P ->The name(s) of any domains that should be - automatically searched when trying to resolve unqualified - host names to their IP address - </P -></LI -><LI -><P ->The name or IP address of available Domain - Name Servers that may be asked to perform name to address - translation lookups - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN68" -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></A -></H2 -><P -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -> is the primary means by -which the setting in /etc/resolv.conf may be affected. It is a -critical configuration file. This file controls the order by -which name resolution may procede. The typical structure is:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> order hosts,bind - multi on</PRE -></P -><P ->then both addresses should be returned. Please refer to the -man page for host.conf for further details.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN76" -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A -></H2 -><P ->This file controls the actual name resolution targets. The -file typically has resolver object specifications as follows:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # /etc/nsswitch.conf - # - # Name Service Switch configuration file. - # - - passwd: compat - # Alternative entries for password authentication are: - # passwd: compat files nis ldap winbind - shadow: compat - group: compat - - hosts: files nis dns - # Alternative entries for host name resolution are: - # hosts: files dns nis nis+ hesoid db compat ldap wins - networks: nis files dns - - ethers: nis files - protocols: nis files - rpc: nis files - services: nis files</PRE -></P -><P ->Of course, each of these mechanisms requires that the appropriate -facilities and/or services are correctly configured.</P -><P ->It should be noted that unless a network request/message must be -sent, TCP/IP networks are silent. All TCP/IP communications assumes a -principal of speaking only when necessary.</P -><P ->Samba version 2.2.0 will add Linux support for extensions to -the name service switch infrastructure so that linux clients will -be able to obtain resolution of MS Windows NetBIOS names to IP -Addresses. To gain this functionality Samba needs to be compiled -with appropriate arguments to the make command (ie: <B -CLASS="COMMAND" ->make -nsswitch/libnss_wins.so</B ->). The resulting library should -then be installed in the <TT -CLASS="FILENAME" ->/lib</TT -> directory and -the "wins" parameter needs to be added to the "hosts:" line in -the <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> file. At this point it -will be possible to ping any MS Windows machine by it's NetBIOS -machine name, so long as that machine is within the workgroup to -which both the samba machine and the MS Windows machine belong.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN88" ->Name resolution as used within MS Windows networking</A -></H1 -><P ->MS Windows networking is predicated about the name each machine -is given. This name is known variously (and inconsistently) as -the "computer name", "machine name", "networking name", "netbios name", -"SMB name". All terms mean the same thing with the exception of -"netbios name" which can apply also to the name of the workgroup or the -domain name. The terms "workgroup" and "domain" are really just a -simply name with which the machine is associated. All NetBIOS names -are exactly 16 characters in length. The 16th character is reserved. -It is used to store a one byte value that indicates service level -information for the NetBIOS name that is registered. A NetBIOS machine -name is therefore registered for each service type that is provided by -the client/server.</P -><P ->The following are typical NetBIOS name/service type registrations:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> Unique NetBIOS Names: - MACHINENAME<00> = Server Service is running on MACHINENAME - MACHINENAME<03> = Generic Machine Name (NetBIOS name) - MACHINENAME<20> = LanMan Server service is running on MACHINENAME - WORKGROUP<1b> = Domain Master Browser - - Group Names: - WORKGROUP<03> = Generic Name registered by all members of WORKGROUP - WORKGROUP<1c> = Domain Controllers / Netlogon Servers - WORKGROUP<1d> = Local Master Browsers - WORKGROUP<1e> = Internet Name Resolvers</PRE -></P -><P ->It should be noted that all NetBIOS machines register their own -names as per the above. This is in vast contrast to TCP/IP -installations where traditionally the system administrator will -determine in the /etc/hosts or in the DNS database what names -are associated with each IP address.</P -><P ->One further point of clarification should be noted, the <TT -CLASS="FILENAME" ->/etc/hosts</TT -> -file and the DNS records do not provide the NetBIOS name type information -that MS Windows clients depend on to locate the type of service that may -be needed. An example of this is what happens when an MS Windows client -wants to locate a domain logon server. It find this service and the IP -address of a server that provides it by performing a lookup (via a -NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each -IP address that is returned in the enumerated list of IP addresses. Which -ever machine first replies then ends up providing the logon services.</P -><P ->The name "workgroup" or "domain" really can be confusing since these -have the added significance of indicating what is the security -architecture of the MS Windows network. The term "workgroup" indicates -that the primary nature of the network environment is that of a -peer-to-peer design. In a WORKGROUP all machines are responsible for -their own security, and generally such security is limited to use of -just a password (known as SHARE MORE security). In most situations -with peer-to-peer networking the users who control their own machines -will simply opt to have no security at all. It is possible to have -USER MODE security in a WORKGROUP environment, thus requiring use -of a user name and a matching password.</P -><P ->MS Windows networking is thus predetermined to use machine names -for all local and remote machine message passing. The protocol used is -called Server Message Block (SMB) and this is implemented using -the NetBIOS protocol (Network Basic Input Output System). NetBIOS can -be encapsulated using LLC (Logical Link Control) protocol - in which case -the resulting protocol is called NetBEUI (Network Basic Extended User -Interface). NetBIOS can also be run over IPX (Internetworking Packet -Exchange) protocol as used by Novell NetWare, and it can be run -over TCP/IP protocols - in which case the resulting protocol is called -NBT or NetBT, the NetBIOS over TCP/IP.</P -><P ->MS Windows machines use a complex array of name resolution mechanisms. -Since we are primarily concerned with TCP/IP this demonstration is -limited to this area.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN100" ->The NetBIOS Name Cache</A -></H2 -><P ->All MS Windows machines employ an in memory buffer in which is -stored the NetBIOS names and their IP addresses for all external -machines that that the local machine has communicated with over the -past 10-15 minutes. It is more efficient to obtain an IP address -for a machine from the local cache than it is to go through all the -configured name resolution mechanisms.</P -><P ->If a machine whose name is in the local name cache has been shut -down before the name had been expired and flushed from the cache, then -an attempt to exchange a message with that machine will be subject -to time-out delays. ie: It's name is in the cache, so a name resolution -lookup will succeed, but the machine can not respond. This can be -frustrating for users - but it is a characteristic of the protocol.</P -><P ->The MS Windows utility that allows examination of the NetBIOS -name cache is called "nbtstat". The Samba equivalent of this -is called "nmblookup".</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN105" ->The LMHOSTS file</A -></H2 -><P ->This file is usually located in MS Windows NT 4.0 or -2000 in <TT -CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the machine name in matched pairs. The -<TT -CLASS="FILENAME" ->LMHOSTS</TT -> file performs NetBIOS name -to IP address mapping oriented.</P -><P ->It typically looks like:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # Copyright (c) 1998 Microsoft Corp. - # - # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS - # over TCP/IP) stack for Windows98 - # - # This file contains the mappings of IP addresses to NT computernames - # (NetBIOS) names. Each entry should be kept on an individual line. - # The IP address should be placed in the first column followed by the - # corresponding computername. The address and the comptername - # should be separated by at least one space or tab. The "#" character - # is generally used to denote the start of a comment (see the exceptions - # below). - # - # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts - # files and offers the following extensions: - # - # #PRE - # #DOM:<domain> - # #INCLUDE <filename> - # #BEGIN_ALTERNATE - # #END_ALTERNATE - # \0xnn (non-printing character support) - # - # Following any entry in the file with the characters "#PRE" will cause - # the entry to be preloaded into the name cache. By default, entries are - # not preloaded, but are parsed only after dynamic name resolution fails. - # - # Following an entry with the "#DOM:<domain>" tag will associate the - # entry with the domain specified by <domain>. This affects how the - # browser and logon services behave in TCP/IP environments. To preload - # the host name associated with #DOM entry, it is necessary to also add a - # #PRE to the line. The <domain> is always preloaded although it will not - # be shown when the name cache is viewed. - # - # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT) - # software to seek the specified <filename> and parse it as if it were - # local. <filename> is generally a UNC-based name, allowing a - # centralized lmhosts file to be maintained on a server. - # It is ALWAYS necessary to provide a mapping for the IP address of the - # server prior to the #INCLUDE. This mapping must use the #PRE directive. - # In addtion the share "public" in the example below must be in the - # LanManServer list of "NullSessionShares" in order for client machines to - # be able to read the lmhosts file successfully. This key is under - # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares - # in the registry. Simply add "public" to the list found there. - # - # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE - # statements to be grouped together. Any single successful include - # will cause the group to succeed. - # - # Finally, non-printing characters can be embedded in mappings by - # first surrounding the NetBIOS name in quotations, then using the - # \0xnn notation to specify a hex value for a non-printing character. - # - # The following example illustrates all of these extensions: - # - # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC - # 102.54.94.102 "appname \0x14" #special app server - # 102.54.94.123 popular #PRE #source server - # 102.54.94.117 localsrv #PRE #needed for the include - # - # #BEGIN_ALTERNATE - # #INCLUDE \\localsrv\public\lmhosts - # #INCLUDE \\rhino\public\lmhosts - # #END_ALTERNATE - # - # In the above example, the "appname" server contains a special - # character in its name, the "popular" and "localsrv" server names are - # preloaded, and the "rhino" server name is specified so it can be used - # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" - # system is unavailable. - # - # Note that the whole file is parsed including comments on each lookup, - # so keeping the number of comments to a minimum will improve performance. - # Therefore it is not advisable to simply add lmhosts file entries onto the - # end of this file.</PRE -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN113" ->HOSTS file</A -></H2 -><P ->This file is usually located in MS Windows NT 4.0 or 2000 in -<TT -CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the IP hostname in matched pairs. It can be -used by the name resolution infrastructure in MS Windows, depending -on how the TCP/IP environment is configured. This file is in -every way the equivalent of the Unix/Linux <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN118" ->DNS Lookup</A -></H2 -><P ->This capability is configured in the TCP/IP setup area in the network -configuration facility. If enabled an elaborate name resolution sequence -is followed the precise nature of which isdependant on what the NetBIOS -Node Type parameter is configured to. A Node Type of 0 means use -NetBIOS broadcast (over UDP broadcast) is first used if the name -that is the subject of a name lookup is not found in the NetBIOS name -cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to -Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the -WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast -lookup is used.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN121" ->WINS Lookup</A -></H2 -><P ->A WINS (Windows Internet Name Server) service is the equivaent of the -rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores -the names and IP addresses that are registered by a Windows client -if the TCP/IP setup has been given at least one WINS Server IP Address.</P -><P ->To configure Samba to be a WINS server the following parameter needs -to be added to the <TT -CLASS="FILENAME" ->smb.conf</TT -> file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = Yes</PRE -></P -><P ->To configure Samba to use a WINS server the following parameters are -needed in the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = No - wins server = xxx.xxx.xxx.xxx</PRE -></P -><P ->where <TT -CLASS="REPLACEABLE" -><I ->xxx.xxx.xxx.xxx</I -></TT -> is the IP address -of the WINS server.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN133" ->How browsing functions and how to deploy stable and -dependable browsing using Samba</A -></H1 -><P ->As stated above, MS Windows machines register their NetBIOS names -(ie: the machine name for each service type in operation) on start -up. Also, as stated above, the exact method by which this name registration -takes place is determined by whether or not the MS Windows client/server -has been given a WINS server address, whether or not LMHOSTS lookup -is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P -><P ->In the case where there is no WINS server all name registrations as -well as name lookups are done by UDP broadcast. This isolates name -resolution to the local subnet, unless LMHOSTS is used to list all -names and IP addresses. In such situations Samba provides a means by -which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter).</P -><P ->Where a WINS server is used, the MS Windows client will use UDP -unicast to register with the WINS server. Such packets can be routed -and thus WINS allows name resolution to function across routed networks.</P -><P ->During the startup process an election will take place to create a -local master browser if one does not already exist. On each NetBIOS network -one machine will be elected to function as the domain master browser. This -domain browsing has nothing to do with MS security domain control. -Instead, the domain master browser serves the role of contacting each local -master browser (found by asking WINS or from LMHOSTS) and exchanging browse -list contents. This way every master browser will eventually obtain a complete -list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By nature of -the election criteria used, the machine with the highest uptime, or the -most senior protocol version, or other criteria, will win the election -as domain master browser.</P -><P ->Clients wishing to browse the network make use of this list, but also depend -on the availability of correct name resolution to the respective IP -address/addresses. </P -><P ->Any configuration that breaks name resolution and/or browsing intrinsics -will annoy users because they will have to put up with protracted -inability to use the network services.</P -><P ->Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and -to request browse list synchronisation. This effectively bridges -two networks that are separated by routers. The two remote -networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and -that is distinct from name to address resolution, in other -words, for cross subnet browsing to function correctly it is -essential that a name to address resolution mechanism be provided. -This mechanism could be via DNS, <TT -CLASS="FILENAME" ->/etc/hosts</TT ->, -and so on.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN143" ->MS Windows security options and how to configure -Samba for seemless integration</A -></H1 -><P ->MS Windows clients may use encrypted passwords as part of a -challenege/response authentication model (a.k.a. NTLMv1) or -alone, or clear text strings for simple password based -authentication. It should be realized that with the SMB -protocol the password is passed over the network either -in plain text or encrypted, but not both in the same -authentication requets.</P -><P ->When encrypted passwords are used a password that has been -entered by the user is encrypted in two ways:</P -><P -></P -><UL -><LI -><P ->An MD4 hash of the UNICODE of the password - string. This is known as the NT hash. - </P -></LI -><LI -><P ->The password is converted to upper case, - and then padded or trucated to 14 bytes. This string is - then appended with 5 bytes of NULL characters and split to - form two 56 bit DES keys to encrypt a "magic" 8 byte value. - The resulting 16 bytes for the LanMan hash. - </P -></LI -></UL -><P ->You should refer to the <A -HREF="ENCRYPTION.html" -TARGET="_top" ->Password Encryption</A -> chapter in this HOWTO collection -for more details on the inner workings</P -><P ->MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x -and version 4.0 pre-service pack 3 will use either mode of -password authentication. All versions of MS Windows that follow -these versions no longer support plain text passwords by default.</P -><P ->MS Windows clients have a habit of dropping network mappings that -have been idle for 10 minutes or longer. When the user attempts to -use the mapped drive connection that has been dropped the SMB protocol -has a mechanism by which the connection can be re-established using -a cached copy of the password.</P -><P ->When Microsoft changed the default password mode, they dropped support for -caching of the plain text password. This means that when the registry -parameter is changed to re-enable use of plain text passwords it appears to -work, but when a dropped mapping attempts to revalidate it will fail if -the remote authentication server does not support encrypted passwords. -This means that it is definitely not a good idea to re-enable plain text -password support in such clients.</P -><P ->The following parameters can be used to work around the -issue of Windows 9x client upper casing usernames and -password before transmitting them to the SMB server -when using clear text authentication.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> <A -HREF="smb.conf.5.html#PASSWORDLEVEL" -TARGET="_top" ->passsword level</A -> = <TT -CLASS="REPLACEABLE" -><I ->integer</I -></TT -> - <A -HREF="smb.conf.5.html#USERNAMELEVEL" -TARGET="_top" ->username level</A -> = <TT -CLASS="REPLACEABLE" -><I ->integer</I -></TT -></PRE -></P -><P ->By default Samba will lower case the username before attempting -to lookup the user in the database of local system accounts. -Because UNIX usernames conventionally only contain lower case -character, the <TT -CLASS="PARAMETER" -><I ->username level</I -></TT -> parameter -is rarely even needed.</P -><P ->However, password on UNIX systems often make use of mixed case -characters. This means that in order for a user on a Windows 9x -client to connect to a Samba server using clear text authentication, -the <TT -CLASS="PARAMETER" -><I ->password level</I -></TT -> must be set to the maximum -number of upper case letter which <I -CLASS="EMPHASIS" ->could</I -> appear -is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a <TT -CLASS="PARAMETER" -><I ->password level</I -></TT -> -of 8 will result in case insensitive passwords as seen from Windows -users. This will also result in longer login times as Samba -hash to compute the permutations of the password string and -try them one by one until a match is located (or all combinations fail).</P -><P ->The best option to adopt is to enable support for encrypted passwords -where ever Samba is used. There are three configuration possibilities -for support of encrypted passwords:</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN171" ->Use MS Windows NT as an authentication server</A -></H2 -><P ->This method involves the additions of the following parameters -in the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> encrypt passwords = Yes - security = server - password server = "NetBIOS_name_of_PDC"</PRE -></P -><P ->There are two ways of identifying whether or not a username and -password pair was valid or not. One uses the reply information provided -as part of the authentication messaging process, the other uses -just and error code.</P -><P ->The down-side of this mode of configuration is the fact that -for security reasons Samba will send the password server a bogus -username and a bogus password and if the remote server fails to -reject the username and password pair then an alternative mode -of identification of validation is used. Where a site uses password -lock out after a certain number of failed authentication attempts -this will result in user lockouts.</P -><P ->Use of this mode of authentication does require there to be -a standard Unix account for the user, this account can be blocked -to prevent logons by other than MS Windows clients.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN179" ->Make Samba a member of an MS Windows NT security domain</A -></H2 -><P ->This method involves additon of the following paramters in the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> encrypt passwords = Yes - security = domain - workgroup = "name of NT domain" - password server = *</PRE -></P -><P ->The use of the "*" argument to "password server" will cause samba -to locate the domain controller in a way analogous to the way -this is done within MS Windows NT.</P -><P ->In order for this method to work the Samba server needs to join the -MS Windows NT security domain. This is done as follows:</P -><P -></P -><UL -><LI -><P ->On the MS Windows NT domain controller using - the Server Manager add a machine account for the Samba server. - </P -></LI -><LI -><P ->Next, on the Linux system execute: - <B -CLASS="COMMAND" ->smbpasswd -r PDC_NAME -j DOMAIN_NAME</B -> - </P -></LI -></UL -><P ->Use of this mode of authentication does require there to be -a standard Unix account for the user in order to assign -a uid once the account has been authenticated by the remote -Windows DC. This account can be blocked to prevent logons by -other than MS Windows clients by things such as setting an invalid -shell in the <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry.</P -><P ->An alternative to assigning UIDs to Windows users on a -Samba member server is presented in the <A -HREF="winbind.html" -TARGET="_top" ->Winbind Overview</A -> chapter in -this HOWTO collection.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN196" ->Configure Samba as an authentication server</A -></H2 -><P ->This mode of authentication demands that there be on the -Unix/Linux system both a Unix style account as well as and -smbpasswd entry for the user. The Unix system account can be -locked if required as only the encrypted password will be -used for SMB client authentication.</P -><P ->This method involves addition of the following parameters to -the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->## please refer to the Samba PDC HOWTO chapter later in -## this collection for more details -[global] - encrypt passwords = Yes - security = user - domain logons = Yes - ; an OS level of 33 or more is recommended - os level = 33 - -[NETLOGON] - path = /somewhare/in/file/system - read only = yes</PRE -></P -><P ->in order for this method to work a Unix system account needs -to be created for each user, as well as for each MS Windows NT/2000 -machine. The following structure is required.</P -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN203" ->Users</A -></H3 -><P ->A user account that may provide a home directory should be -created. The following Linux system commands are typical of -the procedure for creating an account.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # useradd -s /bin/bash -d /home/"userid" -m "userid" - # passwd "userid" - Enter Password: <pw> - - # smbpasswd -a "userid" - Enter Password: <pw></PRE -></P -></DIV -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN208" ->MS Windows NT Machine Accounts</A -></H3 -><P ->These are required only when Samba is used as a domain -controller. Refer to the Samba-PDC-HOWTO for more details.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # useradd -s /bin/false -d /dev/null "machine_name"\$ - # passwd -l "machine_name"\$ - # smbpasswd -a -m "machine_name"</PRE -></P -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN213" ->Conclusions</A -></H1 -><P ->Samba provides a flexible means to operate as...</P -><P -></P -><UL -><LI -><P ->A Stand-alone server - No special action is needed - other than to create user accounts. Stand-alone servers do NOT - provide network logon services, meaning that machines that use this - server do NOT perform a domain logon but instead make use only of - the MS Windows logon which is local to the MS Windows - workstation/server. - </P -></LI -><LI -><P ->An MS Windows NT 3.x/4.0 security domain member. - </P -></LI -><LI -><P ->An alternative to an MS Windows NT 3.x/4.0 - Domain Controller. - </P -></LI -></UL -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/OS2-Client-HOWTO.html b/docs/htmldocs/OS2-Client-HOWTO.html deleted file mode 100644 index 90f62306e82..00000000000 --- a/docs/htmldocs/OS2-Client-HOWTO.html +++ /dev/null @@ -1,210 +0,0 @@ -<HTML -><HEAD -><TITLE ->OS2 Client HOWTO</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="ARTICLE" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="ARTICLE" -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="OS2" ->OS2 Client HOWTO</A -></H1 -><HR></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3" ->FAQs</A -></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN5" ->How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?</A -></H2 -><P ->A more complete answer to this question can be - found on <A -HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/samba/warp.html</A ->.</P -><P ->Basically, you need three components:</P -><P -></P -><UL -><LI -><P ->The File and Print Client ('IBM Peer') - </P -></LI -><LI -><P ->TCP/IP ('Internet support') - </P -></LI -><LI -><P ->The "NetBIOS over TCP/IP" driver ('TCPBEUI') - </P -></LI -></UL -><P ->Installing the first two together with the base operating - system on a blank system is explained in the Warp manual. If Warp - has already been installed, but you now want to install the - networking support, use the "Selective Install for Networking" - object in the "System Setup" folder.</P -><P ->Adding the "NetBIOS over TCP/IP" driver is not described - in the manual and just barely in the online documentation. Start - MPTS.EXE, click on OK, click on "Configure LAPS" and click - on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line - is then moved to 'Current Configuration'. Select that line, - click on "Change number" and increase it from 0 to 1. Save this - configuration.</P -><P ->If the Samba server(s) is not on your local subnet, you - can optionally add IP names and addresses of these servers - to the "Names List", or specify a WINS server ('NetBIOS - Nameserver' in IBM and RFC terminology). For Warp Connect you - may need to download an update for 'IBM Peer' to bring it on - the same level as Warp 4. See the webpage mentioned above.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN20" ->How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?</A -></H2 -><P ->You can use the free Microsoft LAN Manager 2.2c Client - for OS/2 from - <A -HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" -TARGET="_top" -> ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A ->. - See <A -HREF="http://carol.wins.uva.nl/~leeuw/lanman.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/lanman.html</A -> for - more information on how to install and use this client. In - a nutshell, edit the file \OS2VER in the root directory of - the OS/2 boot partition and add the lines:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> 20=setup.exe - 20=netwksta.sys - 20=netvdd.sys - </PRE -></P -><P ->before you install the client. Also, don't use the - included NE2000 driver because it is buggy. Try the NE2000 - or NS2000 driver from - <A -HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/" -TARGET="_top" -> ftp://ftp.cdrom.com/pub/os2/network/ndis/</A -> instead. - </P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN29" ->Are there any other issues when OS/2 (any version) - is used as a client?</A -></H2 -><P ->When you do a NET VIEW or use the "File and Print - Client Resource Browser", no Samba servers show up. This can - be fixed by a patch from <A -HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/samba/fix.html</A ->. - The patch will be included in a later version of Samba. It also - fixes a couple of other problems, such as preserving long - filenames when objects are dragged from the Workplace Shell - to the Samba server. </P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN33" ->How do I get printer driver download working - for OS/2 clients?</A -></H2 -><P ->First, create a share called [PRINTDRV] that is - world-readable. Copy your OS/2 driver files there. Note - that the .EA_ files must still be separate, so you will need - to use the original install files, and not copy an installed - driver from an OS/2 system.</P -><P ->Install the NT driver first for that printer. Then, - add to your smb.conf a parameter, "os2 driver map = - <TT -CLASS="REPLACEABLE" -><I ->filename</I -></TT ->". Then, in the file - specified by <TT -CLASS="REPLACEABLE" -><I ->filename</I -></TT ->, map the - name of the NT driver name to the OS/2 driver name as - follows:</P -><P -><nt driver name> = <os2 driver - name>.<device name>, e.g.: - HP LaserJet 5L = LASERJET.HP LaserJet 5L</P -><P ->You can have multiple drivers mapped in this file.</P -><P ->If you only specify the OS/2 driver name, and not the - device name, the first attempt to download the driver will - actually download the files, but the OS/2 client will tell - you the driver is not available. On the second attempt, it - will work. This is fixed simply by adding the device name - to the mapping, after which it will work on the first attempt. - </P -></DIV -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/PAM-Authentication-And-Samba.html b/docs/htmldocs/PAM-Authentication-And-Samba.html deleted file mode 100644 index 6dc815b87bf..00000000000 --- a/docs/htmldocs/PAM-Authentication-And-Samba.html +++ /dev/null @@ -1,318 +0,0 @@ -<HTML -><HEAD -><TITLE ->Configuring PAM for distributed but centrally -managed authentication</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="ARTICLE" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="ARTICLE" -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="PAM" ->Configuring PAM for distributed but centrally -managed authentication</A -></H1 -><HR></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3" ->Samba and PAM</A -></H1 -><P ->A number of Unix systems (eg: Sun Solaris), as well as the -xxxxBSD family and Linux, now utilize the Pluggable Authentication -Modules (PAM) facility to provide all authentication, -authorization and resource control services. Prior to the -introduction of PAM, a decision to use an alternative to -the system password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->) -would require the provision of alternatives for all programs that provide -security services. Such a choice would involve provision of -alternatives to such programs as: <B -CLASS="COMMAND" ->login</B ->, -<B -CLASS="COMMAND" ->passwd</B ->, <B -CLASS="COMMAND" ->chown</B ->, etc.</P -><P ->PAM provides a mechanism that disconnects these security programs -from the underlying authentication/authorization infrastructure. -PAM is configured either through one file <TT -CLASS="FILENAME" ->/etc/pam.conf</TT -> (Solaris), -or by editing individual files that are located in <TT -CLASS="FILENAME" ->/etc/pam.d</TT ->.</P -><P ->The following is an example <TT -CLASS="FILENAME" ->/etc/pam.d/login</TT -> configuration file. -This example had all options been uncommented is probably not usable -as it stacks many conditions before allowing successful completion -of the login process. Essentially all conditions can be disabled -by commenting them out except the calls to <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_securetty.so -auth required pam_nologin.so -# auth required pam_dialup.so -# auth optional pam_mail.so -auth required pam_pwdb.so shadow md5 -# account requisite pam_time.so -account required pam_pwdb.so -session required pam_pwdb.so -# session optional pam_lastlog.so -# password required pam_cracklib.so retry=3 -password required pam_pwdb.so shadow md5</PRE -></P -><P ->PAM allows use of replacable modules. Those available on a -sample system include:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->$ /bin/ls /lib/security -pam_access.so pam_ftp.so pam_limits.so -pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so -pam_cracklib.so pam_group.so pam_listfile.so -pam_nologin.so pam_rootok.so pam_tally.so -pam_deny.so pam_issue.so pam_mail.so -pam_permit.so pam_securetty.so pam_time.so -pam_dialup.so pam_lastlog.so pam_mkhomedir.so -pam_pwdb.so pam_shells.so pam_unix.so -pam_env.so pam_ldap.so pam_motd.so -pam_radius.so pam_smbpass.so pam_unix_acct.so -pam_wheel.so pam_unix_auth.so pam_unix_passwd.so -pam_userdb.so pam_warn.so pam_unix_session.so</PRE -></P -><P ->The following example for the login program replaces the use of -the <TT -CLASS="FILENAME" ->pam_pwdb.so</TT -> module which uses the system -password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->, -<TT -CLASS="FILENAME" ->/etc/shadow</TT ->, <TT -CLASS="FILENAME" ->/etc/group</TT ->) with -the module <TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> which uses the Samba -database which contains the Microsoft MD4 encrypted password -hashes. This database is stored in either -<TT -CLASS="FILENAME" ->/usr/local/samba/private/smbpasswd</TT ->, -<TT -CLASS="FILENAME" ->/etc/samba/smbpasswd</TT ->, or in -<TT -CLASS="FILENAME" ->/etc/samba.d/smbpasswd</TT ->, depending on the -Samba implementation for your Unix/Linux system. The -<TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> module is provided by -Samba version 2.2.1 or later. It can be compiled by specifying the -<B -CLASS="COMMAND" ->--with-pam_smbpass</B -> options when running Samba's -<TT -CLASS="FILENAME" ->configure</TT -> script. For more information -on the <TT -CLASS="FILENAME" ->pam_smbpass</TT -> module, see the documentation -in the <TT -CLASS="FILENAME" ->source/pam_smbpass</TT -> directory of the Samba -source distribution.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_smbpass.so nodelay -account required pam_smbpass.so nodelay -session required pam_smbpass.so nodelay -password required pam_smbpass.so nodelay</PRE -></P -><P ->The following is the PAM configuration file for a particular -Linux system. The default condition uses <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_pwdb.so shadow md5</PRE -></P -><P ->In the following example the decision has been made to use the -smbpasswd database even for basic samba authentication. Such a -decision could also be made for the passwd program and would -thus allow the smbpasswd passwords to be changed using the passwd -program.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_smbpass.so nodelay -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE -></P -><P ->Note: PAM allows stacking of authentication mechanisms. It is -also possible to pass information obtained within on PAM module through -to the next module in the PAM stack. Please refer to the documentation for -your particular system implementation for details regarding the specific -capabilities of PAM in this environment. Some Linux implmentations also -provide the <TT -CLASS="FILENAME" ->pam_stack.so</TT -> module that allows all -authentication to be configured in a single central file. The -<TT -CLASS="FILENAME" ->pam_stack.so</TT -> method has some very devoted followers -on the basis that it allows for easier administration. As with all issues in -life though, every decision makes trade-offs, so you may want examine the -PAM documentation for further helpful information.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN47" ->Distributed Authentication</A -></H1 -><P ->The astute administrator will realize from this that the -combination of <TT -CLASS="FILENAME" ->pam_smbpass.so</TT ->, -<B -CLASS="COMMAND" ->winbindd</B ->, and <B -CLASS="COMMAND" ->rsync</B -> (see -<A -HREF="http://rsync.samba.org/" -TARGET="_top" ->http://rsync.samba.org/</A ->) -will allow the establishment of a centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN54" ->PAM Configuration in smb.conf</A -></H1 -><P ->There is an option in smb.conf called <A -HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" -TARGET="_top" ->obey pam restrictions</A ->. -The following is from the on-line help for this option in SWAT;</P -><P ->When Samba 2.2 is configure to enable PAM support (i.e. -<TT -CLASS="CONSTANT" ->--with-pam</TT ->), this parameter will -control whether or not Samba should obey PAM's account -and session management directives. The default behavior -is to use PAM for clear text authentication only and to -ignore any account or session management. Note that Samba always -ignores PAM for authentication in the case of -<A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->encrypt passwords = yes</A ->. -The reason is that PAM modules cannot support the challenge/response -authentication mechanism needed in the presence of SMB -password encryption. </P -><P ->Default: <B -CLASS="COMMAND" ->obey pam restrictions = no</B -></P -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/Samba-PDC-HOWTO.html b/docs/htmldocs/Samba-PDC-HOWTO.html deleted file mode 100644 index 58f3989b4f0..00000000000 --- a/docs/htmldocs/Samba-PDC-HOWTO.html +++ /dev/null @@ -1,2284 +0,0 @@ -<HTML -><HEAD -><TITLE ->How to Configure Samba 2.2 as a Primary Domain Controller</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="ARTICLE" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="ARTICLE" -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="SAMBA-PDC" ->How to Configure Samba 2.2 as a Primary Domain Controller</A -></H1 -><HR></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3" ->Prerequisite Reading</A -></H1 -><P ->Before you continue reading in this chapter, please make sure -that you are comfortable with configuring basic files services -in smb.conf and how to enable and administer password -encryption in Samba. Theses two topics are covered in the -<A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5)</TT -></A -> -manpage and the <A -HREF="ENCRYPTION.html" -TARGET="_top" ->Encryption chapter</A -> -of this HOWTO Collection.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN9" ->Background</A -></H1 -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -><I -CLASS="EMPHASIS" ->Author's Note:</I -> This document is a combination -of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". -Both documents are superseded by this one.</P -></BLOCKQUOTE -></DIV -><P ->Versions of Samba prior to release 2.2 had marginal capabilities to act -as a Windows NT 4.0 Primary Domain Controller - -(PDC). With Samba 2.2.0, we are proud to announce official support for -Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows -2000 clients. This article outlines the steps -necessary for configuring Samba as a PDC. It is necessary to have a -working Samba server prior to implementing the PDC functionality. If -you have not followed the steps outlined in <A -HREF="UNIX_INSTALL.html" -TARGET="_top" -> UNIX_INSTALL.html</A ->, please make sure -that your server is configured correctly before proceeding. Another -good resource in the <A -HREF="smb.conf.5.html" -TARGET="_top" ->smb.conf(5) man -page</A ->. The following functionality should work in 2.2:</P -><P -></P -><UL -><LI -><P -> domain logons for Windows NT 4.0/2000 clients. - </P -></LI -><LI -><P -> placing a Windows 9x client in user level security - </P -></LI -><LI -><P -> retrieving a list of users and groups from a Samba PDC to - Windows 9x/NT/2000 clients - </P -></LI -><LI -><P -> roving (roaming) user profiles - </P -></LI -><LI -><P -> Windows NT 4.0-style system policies - </P -></LI -></UL -><P ->The following pieces of functionality are not included in the 2.2 release:</P -><P -></P -><UL -><LI -><P -> Windows NT 4 domain trusts - </P -></LI -><LI -><P -> SAM replication with Windows NT 4.0 Domain Controllers - (i.e. a Samba PDC and a Windows NT BDC or vice versa) - </P -></LI -><LI -><P -> Adding users via the User Manager for Domains - </P -></LI -><LI -><P -> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and - Active Directory) - </P -></LI -></UL -><P ->Please note that Windows 9x clients are not true members of a domain -for reasons outlined in this article. Therefore the protocol for -support Windows 9x-style domain logons is completely different -from NT4 domain logons and has been officially supported for some -time.</P -><P ->Implementing a Samba PDC can basically be divided into 2 broad -steps.</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Configuring the Samba PDC - </P -></LI -><LI -><P -> Creating machine trust accounts and joining clients - to the domain - </P -></LI -></OL -><P ->There are other minor details such as user profiles, system -policies, etc... However, these are not necessarily specific -to a Samba PDC as much as they are related to Windows NT networking -concepts. They will be mentioned only briefly here.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN48" ->Configuring the Samba Domain Controller</A -></H1 -><P ->The first step in creating a working Samba PDC is to -understand the parameters necessary in smb.conf. I will not -attempt to re-explain the parameters here as they are more that -adequately covered in <A -HREF="smb.conf.5.html" -TARGET="_top" -> the smb.conf -man page</A ->. For convenience, the parameters have been -linked with the actual smb.conf description.</P -><P ->Here is an example <TT -CLASS="FILENAME" ->smb.conf</TT -> for acting as a PDC:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[global] - ; Basic server settings - <A -HREF="smb.conf.5.html#NETBIOSNAME" -TARGET="_top" ->netbios name</A -> = <TT -CLASS="REPLACEABLE" -><I ->POGO</I -></TT -> - <A -HREF="smb.conf.5.html#WORKGROUP" -TARGET="_top" ->workgroup</A -> = <TT -CLASS="REPLACEABLE" -><I ->NARNIA</I -></TT -> - - ; we should act as the domain and local master browser - <A -HREF="smb.conf.5.html#OSLEVEL" -TARGET="_top" ->os level</A -> = 64 - <A -HREF="smb.conf.5.html#PERFERREDMASTER" -TARGET="_top" ->preferred master</A -> = yes - <A -HREF="smb.conf.5.html#DOMAINMASTER" -TARGET="_top" ->domain master</A -> = yes - <A -HREF="smb.conf.5.html#LOCALMASTER" -TARGET="_top" ->local master</A -> = yes - - ; security settings (must user security = user) - <A -HREF="smb.conf.5.html#SECURITYEQUALSUSER" -TARGET="_top" ->security</A -> = user - - ; encrypted passwords are a requirement for a PDC - <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->encrypt passwords</A -> = yes - - ; support domain logons - <A -HREF="smb.conf.5.html#DOMAINLOGONS" -TARGET="_top" ->domain logons</A -> = yes - - ; where to store user profiles? - <A -HREF="smb.conf.5.html#LOGONPATH" -TARGET="_top" ->logon path</A -> = \\%N\profiles\%u - - ; where is a user's home directory and where should it - ; be mounted at? - <A -HREF="smb.conf.5.html#LOGONDRIVE" -TARGET="_top" ->logon drive</A -> = H: - <A -HREF="smb.conf.5.html#LOGONHOME" -TARGET="_top" ->logon home</A -> = \\homeserver\%u - - ; specify a generic logon script for all users - ; this is a relative **DOS** path to the [netlogon] share - <A -HREF="smb.conf.5.html#LOGONSCRIPT" -TARGET="_top" ->logon script</A -> = logon.cmd - -; necessary share for domain controller -[netlogon] - <A -HREF="smb.conf.5.html#PATH" -TARGET="_top" ->path</A -> = /usr/local/samba/lib/netlogon - <A -HREF="smb.conf.5.html#READONLY" -TARGET="_top" ->read only</A -> = yes - <A -HREF="smb.conf.5.html#WRITELIST" -TARGET="_top" ->write list</A -> = <TT -CLASS="REPLACEABLE" -><I ->ntadmin</I -></TT -> - -; share for storing user profiles -[profiles] - <A -HREF="smb.conf.5.html#PATH" -TARGET="_top" ->path</A -> = /export/smb/ntprofile - <A -HREF="smb.conf.5.html#READONLY" -TARGET="_top" ->read only</A -> = no - <A -HREF="smb.conf.5.html#CREATEMASK" -TARGET="_top" ->create mask</A -> = 0600 - <A -HREF="smb.conf.5.html#DIRECTORYMASK" -TARGET="_top" ->directory mask</A -> = 0700</PRE -></P -><P ->There are a couple of points to emphasize in the above configuration.</P -><P -></P -><UL -><LI -><P -> Encrypted passwords must be enabled. For more details on how - to do this, refer to <A -HREF="ENCRYPTION.html" -TARGET="_top" ->ENCRYPTION.html</A ->. - </P -></LI -><LI -><P -> The server must support domain logons and a - <TT -CLASS="FILENAME" ->[netlogon]</TT -> share - </P -></LI -><LI -><P -> The server must be the domain master browser in order for Windows - client to locate the server as a DC. Please refer to the various - Network Browsing documentation included with this distribution for - details. - </P -></LI -></UL -><P ->As Samba 2.2 does not offer a complete implementation of group mapping -between Windows NT groups and Unix groups (this is really quite -complicated to explain in a short space), you should refer to the -<A -HREF="smb.conf.5.html#DOMAINADMINGROUP" -TARGET="_top" ->domain admin -group</A -> smb.conf parameter for information of creating "Domain -Admins" style accounts.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN91" ->Creating Machine Trust Accounts and Joining Clients to the -Domain</A -></H1 -><P ->A machine trust account is a Samba account that is used to -authenticate a client machine (rather than a user) to the Samba -server. In Windows terminology, this is known as a "Computer -Account."</P -><P ->The password of a machine trust account acts as the shared secret for -secure communication with the Domain Controller. This is a security -feature to prevent an unauthorized machine with the same NetBIOS name -from joining the domain and gaining access to domain user/group -accounts. Windows NT and 2000 clients use machine trust accounts, but -Windows 9x clients do not. Hence, a Windows 9x client is never a true -member of a domain because it does not possess a machine trust -account, and thus has no shared secret with the domain controller.</P -><P ->A Windows PDC stores each machine trust account in the Windows -Registry. A Samba PDC, however, stores each machine trust account -in two parts, as follows: - -<P -></P -><UL -><LI -><P ->A Samba account, stored in the same location as user - LanMan and NT password hashes (currently - <TT -CLASS="FILENAME" ->smbpasswd</TT ->). The Samba account - possesses and uses only the NT password hash.</P -></LI -><LI -><P ->A corresponding Unix account, typically stored in - <TT -CLASS="FILENAME" ->/etc/passwd</TT ->. (Future releases will alleviate the need to - create <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entries.) </P -></LI -></UL -></P -><P ->There are two ways to create machine trust accounts:</P -><P -></P -><UL -><LI -><P -> Manual creation. Both the Samba and corresponding - Unix account are created by hand.</P -></LI -><LI -><P -> "On-the-fly" creation. The Samba machine trust - account is automatically created by Samba at the time the client - is joined to the domain. (For security, this is the - recommended method.) The corresponding Unix account may be - created automatically or manually. </P -></LI -></UL -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN110" ->Manual Creation of Machine Trust Accounts</A -></H2 -><P ->The first step in manually creating a machine trust account is to -manually create the corresponding Unix account in -<TT -CLASS="FILENAME" ->/etc/passwd</TT ->. This can be done using -<B -CLASS="COMMAND" ->vipw</B -> or other 'add user' command that is normally -used to create new Unix accounts. The following is an example for a -Linux based Samba server:</P -><P -> <TT -CLASS="PROMPT" ->root# </TT -><B -CLASS="COMMAND" ->/usr/sbin/useradd -g 100 -d /dev/null -c <TT -CLASS="REPLACEABLE" -><I ->"machine -nickname"</I -></TT -> -s /bin/false <TT -CLASS="REPLACEABLE" -><I ->machine_name</I -></TT ->$ </B -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><B -CLASS="COMMAND" ->passwd -l <TT -CLASS="REPLACEABLE" -><I ->machine_name</I -></TT ->$</B -></P -><P ->The <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry will list the machine name -with a "$" appended, won't have a password, will have a null shell and no -home directory. For example a machine named 'doppy' would have an -<TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->doppy$:x:505:501:<TT -CLASS="REPLACEABLE" -><I ->machine_nickname</I -></TT ->:/dev/null:/bin/false</PRE -></P -><P ->Above, <TT -CLASS="REPLACEABLE" -><I ->machine_nickname</I -></TT -> can be any -descriptive name for the client, i.e., BasementComputer. -<TT -CLASS="REPLACEABLE" -><I ->machine_name</I -></TT -> absolutely must be the NetBIOS -name of the client to be joined to the domain. The "$" must be -appended to the NetBIOS name of the client or Samba will not recognize -this as a machine trust account.</P -><P ->Now that the corresponding Unix account has been created, the next step is to create -the Samba account for the client containing the well-known initial -machine trust account password. This can be done using the <A -HREF="smbpasswd.8.html" -TARGET="_top" -><B -CLASS="COMMAND" ->smbpasswd(8)</B -></A -> command -as shown here:</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><B -CLASS="COMMAND" ->smbpasswd -a -m <TT -CLASS="REPLACEABLE" -><I ->machine_name</I -></TT -></B -></P -><P ->where <TT -CLASS="REPLACEABLE" -><I ->machine_name</I -></TT -> is the machine's NetBIOS -name. The RID of the new machine account is generated from the UID of -the corresponding Unix account.</P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Join the client to the domain immediately</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> Manually creating a machine trust account using this method is the - equivalent of creating a machine trust account on a Windows NT PDC using - the "Server Manager". From the time at which the account is created - to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using a - a machine with the same NetBIOS name. A PDC inherently trusts - members of the domain and will serve out a large degree of user - information to such clients. You have been warned! - </P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN145" ->"On-the-Fly" Creation of Machine Trust Accounts</A -></H2 -><P ->The second (and recommended) way of creating machine trust accounts is -simply to allow the Samba server to create them as needed when the client -is joined to the domain. </P -><P ->Since each Samba machine trust account requires a corresponding -Unix account, a method for automatically creating the -Unix account is usually supplied; this requires configuration of the -<A -HREF="smb.conf.5.html#ADDUSERSCRIPT" -TARGET="_top" ->add user script</A -> -option in <TT -CLASS="FILENAME" ->smb.conf</TT ->. This -method is not required, however; corresponding Unix accounts may also -be created manually.</P -><P ->Below is an example for a RedHat 6.2 Linux system.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[global] - # <...remainder of parameters...> - add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN154" ->Joining the Client to the Domain</A -></H2 -><P ->The procedure for joining a client to the domain varies with the -version of Windows.</P -><P -></P -><UL -><LI -><P -><I -CLASS="EMPHASIS" ->Windows 2000</I -></P -><P -> When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A - Samba administrative account (i.e., a Samba account that has root - privileges on the Samba server) must be entered here; the - operation will fail if an ordinary user account is given. - The password for this account should be - set to a different password than the associated - <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry, for security - reasons. </P -><P ->The session key of the Samba administrative account acts as an - encryption key for setting the password of the machine trust - account. The machine trust account will be created on-the-fly, or - updated if it already exists.</P -></LI -><LI -><P -><I -CLASS="EMPHASIS" ->Windows NT</I -></P -><P -> If the machine trust account was created manually, on the - Identification Changes menu enter the domain name, but do not - check the box "Create a Computer Account in the Domain." In this case, - the existing machine trust account is used to join the machine to - the domain.</P -><P -> If the machine trust account is to be created - on-the-fly, on the Identification Changes menu enter the domain - name, and check the box "Create a Computer Account in the Domain." In - this case, joining the domain proceeds as above for Windows 2000 - (i.e., you must supply a Samba administrative account when - prompted).</P -></LI -></UL -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN169" ->Common Problems and Errors</A -></H1 -><P -></P -><P -></P -><UL -><LI -><P -> <I -CLASS="EMPHASIS" ->I cannot include a '$' in a machine name.</I -> - </P -><P -> A 'machine name' in (typically) <TT -CLASS="FILENAME" ->/etc/passwd</TT -> - of the machine name with a '$' appended. FreeBSD (and other BSD - systems?) won't create a user with a '$' in their name. - </P -><P -> The problem is only in the program used to make the entry, once - made, it works perfectly. So create a user without the '$' and - use <B -CLASS="COMMAND" ->vipw</B -> to edit the entry, adding the '$'. Or create - the whole entry with vipw if you like, make sure you use a - unique User ID ! - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->I get told "You already have a connection to the Domain...." - or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine trust account.</I -> - </P -><P -> This happens if you try to create a machine trust account from the - machine itself and already have a connection (e.g. mapped drive) - to a share (or IPC$) on the Samba PDC. The following command - will remove all network drive connections: - </P -><P -> <TT -CLASS="PROMPT" ->C:\WINNT\></TT -> <B -CLASS="COMMAND" ->net use * /d</B -> - </P -><P -> Further, if the machine is a already a 'member of a workgroup' that - is the same name as the domain you are joining (bad idea) you will - get this message. Change the workgroup name to something else, it - does not matter what, reboot, and try again. - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->The system can not log you on (C000019B)....</I -> - </P -><P ->I joined the domain successfully but after upgrading - to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try a gain or consult your - system administrator" when attempting to logon. - </P -><P -> This occurs when the domain SID stored in - <TT -CLASS="FILENAME" ->private/WORKGROUP.SID</TT -> is - changed. For example, you remove the file and <B -CLASS="COMMAND" ->smbd</B -> automatically - creates a new one. Or you are swapping back and forth between - versions 2.0.7, TNG and the HEAD branch code (not recommended). The - only way to correct the problem is to restore the original domain - SID or remove the domain client from the domain and rejoin. - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->The machine trust account for this computer either does not - exist or is not accessible.</I -> - </P -><P -> When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". What's - wrong? - </P -><P -> This problem is caused by the PDC not having a suitable machine trust account. - If you are using the <TT -CLASS="PARAMETER" -><I ->add user script</I -></TT -> method to create - accounts then this would indicate that it has not worked. Ensure the domain - admin user system is working. - </P -><P -> Alternatively if you are creating account entries manually then they - have not been created correctly. Make sure that you have the entry - correct for the machine trust account in smbpasswd file on the Samba PDC. - If you added the account using an editor rather than using the smbpasswd - utility, make sure that the account name is the machine NetBIOS name - with a '$' appended to it ( i.e. computer_name$ ). There must be an entry - in both /etc/passwd and the smbpasswd file. Some people have reported - that inconsistent subnet masks between the Samba server and the NT - client have caused this problem. Make sure that these are consistent - for both client and server. - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->When I attempt to login to a Samba Domain from a NT4/W2K workstation, - I get a message about my account being disabled.</I -> - </P -><P -> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is - fixed in 2.2.1. Other symptoms could be unaccessible shares on - NT/W2K member servers in the domain or the following error in your smbd.log: - passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user% - </P -><P -> At first be ensure to enable the useraccounts with <B -CLASS="COMMAND" ->smbpasswd -e - %user%</B ->, this is normally done, when you create an account. - </P -><P -> In order to work around this problem in 2.2.0, configure the - <TT -CLASS="PARAMETER" -><I ->account</I -></TT -> control flag in - <TT -CLASS="FILENAME" ->/etc/pam.d/samba</TT -> file as follows: - </P -><P -><PRE -CLASS="PROGRAMLISTING" -> account required pam_permit.so - </PRE -></P -><P -> If you want to remain backward compatibility to samba 2.0.x use - <TT -CLASS="FILENAME" ->pam_permit.so</TT ->, it's also possible to use - <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->. There are some bugs if you try to - use <TT -CLASS="FILENAME" ->pam_unix.so</TT ->, if you need this, be ensure to use - the most recent version of this file. - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN217" ->System Policies and Profiles</A -></H1 -><P ->Much of the information necessary to implement System Policies and -Roving User Profiles in a Samba domain is the same as that for -implementing these same items in a Windows NT 4.0 domain. -You should read the white paper <A -HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" -TARGET="_top" ->Implementing -Profiles and Policies in Windows NT 4.0</A -> available from Microsoft.</P -><P ->Here are some additional details:</P -><P -></P -><UL -><LI -><P -> <I -CLASS="EMPHASIS" ->What about Windows NT Policy Editor?</I -> - </P -><P -> To create or edit <TT -CLASS="FILENAME" ->ntconfig.pol</TT -> you must use - the NT Server Policy Editor, <B -CLASS="COMMAND" ->poledit.exe</B -> which - is included with NT Server but <I -CLASS="EMPHASIS" ->not NT Workstation</I ->. - There is a Policy Editor on a NTws - but it is not suitable for creating <I -CLASS="EMPHASIS" ->Domain Policies</I ->. - Further, although the Windows 95 - Policy Editor can be installed on an NT Workstation/Server, it will not - work with NT policies because the registry key that are set by the policy templates. - However, the files from the NT Server will run happily enough on an NTws. - You need <TT -CLASS="FILENAME" ->poledit.exe, common.adm</TT -> and <TT -CLASS="FILENAME" ->winnt.adm</TT ->. It is convenient - to put the two *.adm files in <TT -CLASS="FILENAME" ->c:\winnt\inf</TT -> which is where - the binary will look for them unless told otherwise. Note also that that - directory is 'hidden'. - </P -><P -> The Windows NT policy editor is also included with the Service Pack 3 (and - later) for Windows NT 4.0. Extract the files using <B -CLASS="COMMAND" ->servicepackname /x</B ->, - i.e. that's <B -CLASS="COMMAND" ->Nt4sp6ai.exe /x</B -> for service pack 6a. The policy editor, - <B -CLASS="COMMAND" ->poledit.exe</B -> and the associated template files (*.adm) should - be extracted as well. It is also possible to downloaded the policy template - files for Office97 and get a copy of the policy editor. Another possible - location is with the Zero Administration Kit available for download from Microsoft. - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->Can Win95 do Policies?</I -> - </P -><P -> Install the group policy handler for Win9x to pick up group - policies. Look on the Win98 CD in <TT -CLASS="FILENAME" ->\tools\reskit\netadmin\poledit</TT ->. - Install group policies on a Win9x client by double-clicking - <TT -CLASS="FILENAME" ->grouppol.inf</TT ->. Log off and on again a couple of - times and see if Win98 picks up group policies. Unfortunately this needs - to be done on every Win9x machine that uses group policies.... - </P -><P -> If group policies don't work one reports suggests getting the updated - (read: working) grouppol.dll for Windows 9x. The group list is grabbed - from /etc/group. - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->How do I get 'User Manager' and 'Server Manager'</I -> - </P -><P -> Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager'? - </P -><P -> Microsoft distributes a version of these tools called nexus for - installation on Windows 95 systems. The tools set includes - </P -><P -></P -><UL -><LI -><P ->Server Manager</P -></LI -><LI -><P ->User Manager for Domains</P -></LI -><LI -><P ->Event Viewer</P -></LI -></UL -><P -> Click here to download the archived file <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A -> - </P -><P -> The Windows NT 4.0 version of the 'User Manager for - Domains' and 'Server Manager' are available from Microsoft via ftp - from <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A -> - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN261" ->What other help can I get?</A -></H1 -><P ->There are many sources of information available in the form -of mailing lists, RFC's and documentation. The docs that come -with the samba distribution contain very good explanations of -general SMB topics such as browsing.</P -><P -></P -><UL -><LI -><P -> <I -CLASS="EMPHASIS" ->What are some diagnostics tools I can use to debug the domain logon - process and where can I find them?</I -> - </P -><P -> One of the best diagnostic tools for debugging problems is Samba itself. - You can use the -d option for both smbd and nmbd to specify what - 'debug level' at which to run. See the man pages on smbd, nmbd and - smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to 10 (100 for debugging passwords). - </P -><P -> Another helpful method of debugging is to compile samba using the - <B -CLASS="COMMAND" ->gcc -g </B -> flag. This will include debug - information in the binaries and allow you to attach gdb to the - running smbd / nmbd process. In order to attach gdb to an smbd - process for an NT workstation, first get the workstation to make the - connection. Pressing ctrl-alt-delete and going down to the domain box - is sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation - maintains an open connection, and therefore there will be an smbd - process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually - typing in your password, you can gdb attach and continue. - </P -><P -> Some useful samba commands worth investigating: - </P -><P -></P -><UL -><LI -><P ->testparam | more</P -></LI -><LI -><P ->smbclient -L //{netbios name of server}</P -></LI -></UL -><P -> An SMB enabled version of tcpdump is available from - <A -HREF="http://www.tcpdump.org/" -TARGET="_top" ->http://www.tcpdup.org/</A ->. - Ethereal, another good packet sniffer for Unix and Win32 - hosts, can be downloaded from <A -HREF="http://www.ethereal.com/" -TARGET="_top" ->http://www.ethereal.com</A ->. - </P -><P -> For tracing things on the Microsoft Windows NT, Network Monitor - (aka. netmon) is available on the Microsoft Developer Network CD's, - the Windows NT Server install CD and the SMS CD's. The version of - netmon that ships with SMS allows for dumping packets between any two - computers (i.e. placing the network interface in promiscuous mode). - The version on the NT Server install CD will only allow monitoring - of network traffic directed to the local NT box and broadcasts on the - local subnet. Be aware that Ethereal can read and write netmon - formatted files. - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->How do I install 'Network Monitor' on an NT Workstation - or a Windows 9x box?</I -> - </P -><P -> Installing netmon on an NT workstation requires a couple - of steps. The following are for installing Netmon V4.00.349, which comes - with Microsoft Windows NT Server 4.0, on Microsoft Windows NT - Workstation 4.0. The process should be similar for other version of - Windows NT / Netmon. You will need both the Microsoft Windows - NT Server 4.0 Install CD and the Workstation 4.0 Install CD. - </P -><P -> Initially you will need to install 'Network Monitor Tools and Agent' - on the NT Server. To do this - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add </P -></LI -><LI -><P ->Select the 'Network Monitor Tools and Agent' and - click on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. - </P -></LI -><LI -><P ->Insert the Windows NT Server 4.0 install CD - when prompted.</P -></LI -></UL -><P -> At this point the Netmon files should exist in - <TT -CLASS="FILENAME" ->%SYSTEMROOT%\System32\netmon\*.*</TT ->. - Two subdirectories exist as well, <TT -CLASS="FILENAME" ->parsers\</TT -> - which contains the necessary DLL's for parsing the netmon packet - dump, and <TT -CLASS="FILENAME" ->captures\</TT ->. - </P -><P -> In order to install the Netmon tools on an NT Workstation, you will - first need to install the 'Network Monitor Agent' from the Workstation - install CD. - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add</P -></LI -><LI -><P ->Select the 'Network Monitor Agent' and click - on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. - </P -></LI -><LI -><P ->Insert the Windows NT Workstation 4.0 install - CD when prompted.</P -></LI -></UL -><P -> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* - to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set - permissions as you deem appropriate for your site. You will need - administrative rights on the NT box to run netmon. - </P -><P -> To install Netmon on a Windows 9x box install the network monitor agent - from the Windows 9x CD (\admin\nettools\netmon). There is a readme - file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working - Netmon installation. - </P -></LI -><LI -><P -> The following is a list if helpful URLs and other links: - </P -><P -></P -><UL -><LI -><P ->Home of Samba site <A -HREF="http://samba.org" -TARGET="_top" -> http://samba.org</A ->. We have a mirror near you !</P -></LI -><LI -><P -> The <I -CLASS="EMPHASIS" ->Development</I -> document - on the Samba mirrors might mention your problem. If so, - it might mean that the developers are working on it.</P -></LI -><LI -><P ->See how Scott Merrill simulates a BDC behavior at - <A -HREF="http://www.skippy.net/linux/smb-howto.html" -TARGET="_top" -> http://www.skippy.net/linux/smb-howto.html</A ->. </P -></LI -><LI -><P ->Although 2.0.7 has almost had its day as a PDC, David Bannon will - keep the 2.0.7 PDC pages at <A -HREF="http://bioserve.latrobe.edu.au/samba" -TARGET="_top" -> http://bioserve.latrobe.edu.au/samba</A -> going for a while yet.</P -></LI -><LI -><P ->Misc links to CIFS information - <A -HREF="http://samba.org/cifs/" -TARGET="_top" ->http://samba.org/cifs/</A -></P -></LI -><LI -><P ->NT Domains for Unix <A -HREF="http://mailhost.cb1.com/~lkcl/ntdom/" -TARGET="_top" -> http://mailhost.cb1.com/~lkcl/ntdom/</A -></P -></LI -><LI -><P ->FTP site for older SMB specs: - <A -HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" -TARGET="_top" -> ftp://ftp.microsoft.com/developr/drg/CIFS/</A -></P -></LI -></UL -></LI -></UL -><P -></P -><UL -><LI -><P -> <I -CLASS="EMPHASIS" ->How do I get help from the mailing lists?</I -> - </P -><P -> There are a number of Samba related mailing lists. Go to <A -HREF="http://samba.org" -TARGET="_top" ->http://samba.org</A ->, click on your nearest mirror - and then click on <B -CLASS="COMMAND" ->Support</B -> and then click on <B -CLASS="COMMAND" -> Samba related mailing lists</B ->. - </P -><P -> For questions relating to Samba TNG go to - <A -HREF="http://www.samba-tng.org/" -TARGET="_top" ->http://www.samba-tng.org/</A -> - It has been requested that you don't post questions about Samba-TNG to the - main stream Samba lists.</P -><P -> If you post a message to one of the lists please observe the following guide lines : - </P -><P -></P -><UL -><LI -><P -> Always remember that the developers are volunteers, they are - not paid and they never guarantee to produce a particular feature at - a particular time. Any time lines are 'best guess' and nothing more. - </P -></LI -><LI -><P -> Always mention what version of samba you are using and what - operating system its running under. You should probably list the - relevant sections of your smb.conf file, at least the options - in [global] that affect PDC support.</P -></LI -><LI -><P ->In addition to the version, if you obtained Samba via - CVS mention the date when you last checked it out.</P -></LI -><LI -><P -> Try and make your question clear and brief, lots of long, - convoluted questions get deleted before they are completely read ! - Don't post html encoded messages (if you can select colour or font - size its html).</P -></LI -><LI -><P -> If you run one of those nifty 'I'm on holidays' things when - you are away, make sure its configured to not answer mailing lists. - </P -></LI -><LI -><P -> Don't cross post. Work out which is the best list to post to - and see what happens, i.e. don't post to both samba-ntdom and samba-technical. - Many people active on the lists subscribe to more - than one list and get annoyed to see the same message two or more times. - Often someone will see a message and thinking it would be better dealt - with on another, will forward it on for you.</P -></LI -><LI -><P ->You might include <I -CLASS="EMPHASIS" ->partial</I -> - log files written at a debug level set to as much as 20. - Please don't send the entire log but enough to give the context of the - error messages.</P -></LI -><LI -><P ->(Possibly) If you have a complete netmon trace ( from the opening of - the pipe to the error ) you can send the *.CAP file as well.</P -></LI -><LI -><P ->Please think carefully before attaching a document to an email. - Consider pasting the relevant parts into the body of the message. The samba - mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory?</P -></LI -></UL -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->How do I get off the mailing lists?</I -> - </P -><P ->To have your name removed from a samba mailing list, go to the - same place you went to to get on it. Go to <A -HREF="http://lists.samba.org/" -TARGET="_top" ->http://lists.samba.org</A ->, - click on your nearest mirror and then click on <B -CLASS="COMMAND" ->Support</B -> and - then click on <B -CLASS="COMMAND" -> Samba related mailing lists</B ->. Or perhaps see - <A -HREF="http://lists.samba.org/mailman/roster/samba-ntdom" -TARGET="_top" ->here</A -> - </P -><P -> Please don't post messages to the list asking to be removed, you will just - be referred to the above address (unless that process failed in some way...) - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN375" ->Domain Control for Windows 9x/ME</A -></H1 -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->The following section contains much of the original -DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book <I -CLASS="EMPHASIS" ->Special -Edition, Using Samba</I ->, by Richard Sharpe.</P -></BLOCKQUOTE -></DIV -><P ->A domain and a workgroup are exactly the same thing in terms of network -browsing. The difference is that a distributable authentication -database is associated with a domain, for secure login access to a -network. Also, different access rights can be granted to users if they -successfully authenticate against a domain logon server (NT server and -other systems based on NT server support this, as does at least Samba TNG now).</P -><P ->The SMB client logging on to a domain has an expectation that every other -server in the domain should accept the same authentication information. -Network browsing functionality of domains and workgroups is -identical and is explained in BROWSING.txt. It should be noted, that browsing -is totally orthogonal to logon support.</P -><P ->Issues related to the single-logon network model are discussed in this -section. Samba supports domain logons, network logon scripts, and user -profiles for MS Windows for workgroups and MS Windows 9X/ME clients -which will be the focus of this section.</P -><P ->When an SMB client in a domain wishes to logon it broadcast requests for a -logon server. The first one to reply gets the job, and validates its -password using whatever mechanism the Samba administrator has installed. -It is possible (but very stupid) to create a domain where the user -database is not shared between servers, i.e. they are effectively workgroup -servers advertising themselves as participating in a domain. This -demonstrates how authentication is quite different from but closely -involved with domains.</P -><P ->Using these features you can make your clients verify their logon via -the Samba server; make clients run a batch file when they logon to -the network and download their preferences, desktop and start menu.</P -><P ->Before launching into the configuration instructions, it is -worthwhile lookingat how a Windows 9x/ME client performs a logon:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the - NetBIOS layer. The client chooses the first response it receives, which - contains the NetBIOS name of the logon server to use in the format of - \\SERVER. - </P -></LI -><LI -><P -> The client then connects to that server, logs on (does an SMBsessetupX) and - then connects to the IPC$ share (using an SMBtconX). - </P -></LI -><LI -><P -> The client then does a NetWkstaUserLogon request, which retrieves the name - of the user's logon script. - </P -></LI -><LI -><P -> The client then connects to the NetLogon share and searches for this - and if it is found and can be read, is retrieved and executed by the client. - After this, the client disconnects from the NetLogon share. - </P -></LI -><LI -><P -> The client then sends a NetUserGetInfo request to the server, to retrieve - the user's home share, which is used to search for profiles. Since the - response to the NetUserGetInfo request does not contain much more - the user's home share, profiles for Win9X clients MUST reside in the user - home directory. - </P -></LI -><LI -><P -> The client then connects to the user's home share and searches for the - user's profile. As it turns out, you can specify the user's home share as - a sharename and path. For example, \\server\fred\.profile. - If the profiles are found, they are implemented. - </P -></LI -><LI -><P -> The client then disconnects from the user's home share, and reconnects to - the NetLogon share and looks for CONFIG.POL, the policies file. If this is - found, it is read and implemented. - </P -></LI -></OL -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN401" ->Configuration Instructions: Network Logons</A -></H2 -><P ->The main difference between a PDC and a Windows 9x logon -server configuration is that</P -><P -></P -><UL -><LI -><P ->Password encryption is not required for a Windows 9x logon server.</P -></LI -><LI -><P ->Windows 9x/ME clients do not possess machine trust accounts.</P -></LI -></UL -><P ->Therefore, a Samba PDC will also act as a Windows 9x logon -server.</P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->security mode and master browsers</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P ->There are a few comments to make in order to tie up some -loose ends. There has been much debate over the issue of whether -or not it is ok to configure Samba as a Domain Controller in security -modes other than <TT -CLASS="CONSTANT" ->USER</TT ->. The only security mode -which will not work due to technical reasons is <TT -CLASS="CONSTANT" ->SHARE</TT -> -mode security. <TT -CLASS="CONSTANT" ->DOMAIN</TT -> and <TT -CLASS="CONSTANT" ->SERVER</TT -> -mode security is really just a variation on SMB user level security.</P -><P ->Actually, this issue is also closely tied to the debate on whether -or not Samba must be the domain master browser for its workgroup -when operating as a DC. While it may technically be possible -to configure a server as such (after all, browsing and domain logons -are two distinctly different functions), it is not a good idea to -so. You should remember that the DC must register the DOMAIN#1b NetBIOS -name. This is the name used by Windows clients to locate the DC. -Windows clients do not distinguish between the DC and the DMB. -For this reason, it is very wise to configure the Samba DC as the DMB.</P -><P ->Now back to the issue of configuring a Samba DC to use a mode other -than "security = user". If a Samba host is configured to use -another SMB server or DC in order to validate user connection -requests, then it is a fact that some other machine on the network -(the "password server") knows more about user than the Samba host. -99% of the time, this other host is a domain controller. Now -in order to operate in domain mode security, the "workgroup" parameter -must be set to the name of the Windows NT domain (which already -has a domain controller, right?)</P -><P ->Therefore configuring a Samba box as a DC for a domain that -already by definition has a PDC is asking for trouble. -Therefore, you should always configure the Samba DC to be the DMB -for its domain.</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN420" ->Configuration Instructions: Setting up Roaming User Profiles</A -></H2 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -><I -CLASS="EMPHASIS" ->NOTE!</I -> Roaming profiles support is different -for Win9X and WinNT.</P -></TD -></TR -></TABLE -></DIV -><P ->Before discussing how to configure roaming profiles, it is useful to see how -Win9X and WinNT clients implement these features.</P -><P ->Win9X clients send a NetUserGetInfo request to the server to get the user's -profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X -profiles are restricted to being in the user's home directory.</P -><P ->WinNT clients send a NetSAMLogon RPC request, which contains many fields, -including a separate field for the location of the user's profiles. -This means that support for profiles is different for Win9X and WinNT.</P -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN428" ->Windows NT Configuration</A -></H3 -><P ->To support WinNT clients, in the [global] section of smb.conf set the -following (for example):</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE -></P -><P ->The default for this option is \\%N\%U\profile, namely -\\sambaserver\username\profile. The \\N%\%U service is created -automatically by the [homes] service. -If you are using a samba server for the profiles, you _must_ make the -share specified in the logon path browseable. </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->[lkcl 26aug96 - we have discovered a problem where Windows clients can -maintain a connection to the [homes] share in between logins. The -[homes] share must NOT therefore be used in a profile path.]</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN436" ->Windows 9X Configuration</A -></H3 -><P ->To support Win9X clients, you must use the "logon home" parameter. Samba has -now been fixed so that "net use/home" now works as well, and it, too, relies -on the "logon home" parameter.</P -><P ->By using the logon home parameter, you are restricted to putting Win9X -profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your -smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles</PRE -></P -><P ->then your Win9X clients will dutifully put their clients in a subdirectory -of your home directory called .profiles (thus making them hidden).</P -><P ->Not only that, but 'net use/home' will also work, because of a feature in -Win9X. It removes any directory stuff off the end of the home directory area -and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for "logon home".</P -></DIV -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN444" ->Win9X and WinNT Configuration</A -></H3 -><P ->You can support profiles for both Win9X and WinNT clients by setting both the -"logon home" and "logon path" parameters. For example:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles -logon path = \\%L\profiles\%U</PRE -></P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->I have not checked what 'net use /home' does on NT when "logon home" is -set as above.</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN451" ->Windows 9X Profile Setup</A -></H3 -><P ->When a user first logs in on Windows 9X, the file user.DAT is created, -as are folders "Start Menu", "Desktop", "Programs" and "Nethood". -These directories and their contents will be merged with the local -versions stored in c:\windows\profiles\username on subsequent logins, -taking the most recent from each. You will need to use the [global] -options "preserve case = yes", "short preserve case = yes" and -"case sensitive = no" in order to maintain capital letters in shortcuts -in any of the profile folders.</P -><P ->The user.DAT file contains all the user's preferences. If you wish to -enforce a set of preferences, rename their user.DAT file to user.MAN, -and deny them write access to this file.</P -><P -></P -><OL -TYPE="1" -><LI -><P -> On the Windows 95 machine, go to Control Panel | Passwords and - select the User Profiles tab. Select the required level of - roaming preferences. Press OK, but do _not_ allow the computer - to reboot. - </P -></LI -><LI -><P -> On the Windows 95 machine, go to Control Panel | Network | - Client for Microsoft Networks | Preferences. Select 'Log on to - NT Domain'. Then, ensure that the Primary Logon is 'Client for - Microsoft Networks'. Press OK, and this time allow the computer - to reboot. - </P -></LI -></OL -><P ->Under Windows 95, Profiles are downloaded from the Primary Logon. -If you have the Primary Logon as 'Client for Novell Networks', then -the profiles and logon script will be downloaded from your Novell -Server. If you have the Primary Logon as 'Windows Logon', then the -profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, if you ask me.</P -><P ->You will now find that the Microsoft Networks Login box contains -[user, password, domain] instead of just [user, password]. Type in -the samba server's domain name (or any other domain known to exist, -but bear in mind that the user will be authenticated against this -domain and profiles downloaded from it, if that domain logon server -supports it), user name and user's password.</P -><P ->Once the user has been successfully validated, the Windows 95 machine -will inform you that 'The user has not logged on before' and asks you -if you wish to save the user's preferences? Select 'yes'.</P -><P ->Once the Windows 95 client comes up with the desktop, you should be able -to examine the contents of the directory specified in the "logon path" -on the samba server and verify that the "Desktop", "Start Menu", -"Programs" and "Nethood" folders have been created.</P -><P ->These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then :-). -You will find that if the user creates further folders or short-cuts, -that the client will merge the profile contents downloaded with the -contents of the profile directory already on the local client, taking -the newest folders and short-cuts from each set.</P -><P ->If you have made the folders / files read-only on the samba server, -then you will get errors from the w95 machine on logon and logout, as -it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the Unix file -permissions and ownership rights on the profile directory contents, -on the samba server.</P -><P ->If you have problems creating user profiles, you can reset the user's -local desktop cache, as shown below. When this user then next logs in, -they will be told that they are logging in "for the first time".</P -><P -></P -><OL -TYPE="1" -><LI -><P -> instead of logging in under the [user, password, domain] dialog, - press escape. - </P -></LI -><LI -><P -> run the regedit.exe program, and look in: - </P -><P -> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList - </P -><P -> you will find an entry, for each user, of ProfilePath. Note the - contents of this key (likely to be c:\windows\profiles\username), - then delete the key ProfilePath for the required user. - </P -><P -> [Exit the registry editor]. - </P -></LI -><LI -><P -> <I -CLASS="EMPHASIS" ->WARNING</I -> - before deleting the contents of the - directory listed in - the ProfilePath (this is likely to be c:\windows\profiles\username), - ask them if they have any important files stored on their desktop - or in their start menu. delete the contents of the directory - ProfilePath (making a backup if any of the files are needed). - </P -><P -> This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. - </P -></LI -><LI -><P -> search for the user's .PWL password-caching file in the c:\windows - directory, and delete it. - </P -></LI -><LI -><P -> log off the windows 95 client. - </P -></LI -><LI -><P -> check the contents of the profile path (see "logon path" described - above), and delete the user.DAT or user.MAN file for the user, - making a backup if required. - </P -></LI -></OL -><P ->If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as tcpdump or netmon.exe, and -look for any error reports.</P -><P ->If you have access to an NT server, then first set up roaming profiles -and / or netlogons on the NT server. Make a packet trace, or examine -the example packet traces provided with NT server, and see what the -differences are with the equivalent samba trace.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN487" ->Windows NT Workstation 4.0</A -></H3 -><P ->When a user first logs in to a Windows NT Workstation, the profile -NTuser.DAT is created. The profile location can be now specified -through the "logon path" parameter. </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->[lkcl 10aug97 - i tried setting the path to -\\samba-server\homes\profile, and discovered that this fails because -a background process maintains the connection to the [homes] share -which does _not_ close down in between user logins. you have to -have \\samba-server\%L\profile, where user is the username created -from the [homes] share].</P -></BLOCKQUOTE -></DIV -><P ->There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to "h:" or any other drive, and -should be used in conjunction with the new "logon home" parameter.</P -><P ->The entry for the NT 4.0 profile is a _directory_ not a file. The NT -help on profiles mentions that a directory is also created with a .PDS -extension. The user, while logging in, must have write permission to -create the full profile path (and the folder with the .PDS extension) -[lkcl 10aug97 - i found that the creation of the .PDS directory failed, -and had to create these manually for each user, with a shell script. -also, i presume, but have not tested, that the full profile path must -be browseable just as it is for w95, due to the manner in which they -attempt to create the full profile path: test existence of each path -component; create path component].</P -><P ->In the profile directory, NT creates more folders than 95. It creates -"Application Data" and others, as well as "Desktop", "Nethood", -"Start Menu" and "Programs". The profile itself is stored in a file -NTuser.DAT. Nothing appears to be stored in the .PDS directory, and -its purpose is currently unknown.</P -><P ->You can use the System Control Panel to copy a local profile onto -a samba server (see NT Help on profiles: it is also capable of firing -up the correct location in the System Control Panel for you). The -NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN -turns a profile into a mandatory one.</P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->[lkcl 10aug97 - i notice that NT Workstation tells me that it is -downloading a profile from a slow link. whether this is actually the -case, or whether there is some configuration issue, as yet unknown, -that makes NT Workstation _think_ that the link is a slow one is a -matter to be resolved].</P -><P ->[lkcl 20aug97 - after samba digest correspondence, one user found, and -another confirmed, that profiles cannot be loaded from a samba server -unless "security = user" and "encrypt passwords = yes" (see the file -ENCRYPTION.txt) or "security = server" and "password server = ip.address. -of.yourNTserver" are used. Either of these options will allow the NT -workstation to access the samba server using LAN manager encrypted -passwords, without the user intervention normally required by NT -workstation for clear-text passwords].</P -><P ->[lkcl 25aug97 - more comments received about NT profiles: the case of -the profile _matters_. the file _must_ be called NTuser.DAT or, for -a mandatory profile, NTuser.MAN].</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN500" ->Windows NT Server</A -></H3 -><P ->There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H3 -CLASS="SECT3" -><A -NAME="AEN503" ->Sharing Profiles between W95 and NT Workstation 4.0</A -></H3 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Potentially outdated or incorrect material follows</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P ->I think this is all bogus, but have not deleted it. (Richard Sharpe)</P -></TD -></TR -></TABLE -></DIV -><P ->The default logon path is \\%N\U%. NT Workstation will attempt to create -a directory "\\samba-server\username.PDS" if you specify the logon path -as "\\samba-server\username" with the NT User Manager. Therefore, you -will need to specify (for example) "\\samba-server\username\profile". -NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which -is more likely to succeed.</P -><P ->If you then want to share the same Start Menu / Desktop with W95, you will -need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97 -this has its drawbacks: i created a shortcut to telnet.exe, which attempts -to run from the c:\winnt\system32 directory. this directory is obviously -unlikely to exist on a Win95-only host].</P -><P -> If you have this set up correctly, you will find separate user.DAT and -NTuser.DAT files in the same profile directory.</P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->[lkcl 25aug97 - there are some issues to resolve with downloading of -NT profiles, probably to do with time/date stamps. i have found that -NTuser.DAT is never updated on the workstation after the first time that -it is copied to the local workstation profile directory. this is in -contrast to w95, where it _does_ transfer / update profiles correctly].</P -></BLOCKQUOTE -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN513" ->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></H1 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Possibly Outdated Material</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> This appendix was originally authored by John H Terpstra of - the Samba Team and is included here for posterity. - </P -></TD -></TR -></TABLE -></DIV -><P -><I -CLASS="EMPHASIS" ->NOTE :</I -> -The term "Domain Controller" and those related to it refer to one specific -method of authentication that can underly an SMB domain. Domain Controllers -prior to Windows NT Server 3.1 were sold by various companies and based on -private extensions to the LAN Manager 2.1 protocol. Windows NT introduced -Microsoft-specific ways of distributing the user authentication database. -See DOMAIN.txt for examples of how Samba can participate in or create -SMB domains based on shared authentication database schemes other than the -Windows NT SAM.</P -><P ->Windows NT Server can be installed as either a plain file and print server -(WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller). -The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT.</P -><P ->To many people these terms can be confusing, so let's try to clear the air.</P -><P ->Every Windows NT system (workstation or server) has a registry database. -The registry contains entries that describe the initialization information -for all services (the equivalent of Unix Daemons) that run within the Windows -NT environment. The registry also contains entries that tell application -software where to find dynamically loadable libraries that they depend upon. -In fact, the registry contains entries that describes everything that anything -may need to know to interact with the rest of the system.</P -><P ->The registry files can be located on any Windows NT machine by opening a -command prompt and typing:</P -><P -><TT -CLASS="PROMPT" ->C:\WINNT\></TT -> dir %SystemRoot%\System32\config</P -><P ->The environment variable %SystemRoot% value can be obtained by typing:</P -><P -><TT -CLASS="PROMPT" ->C:\WINNT></TT ->echo %SystemRoot%</P -><P ->The active parts of the registry that you may want to be familiar with are -the files called: default, system, software, sam and security.</P -><P ->In a domain environment, Microsoft Windows NT domain controllers participate -in replication of the SAM and SECURITY files so that all controllers within -the domain have an exactly identical copy of each.</P -><P ->The Microsoft Windows NT system is structured within a security model that -says that all applications and services must authenticate themselves before -they can obtain permission from the security manager to do what they set out -to do.</P -><P ->The Windows NT User database also resides within the registry. This part of -the registry contains the user's security identifier, home directory, group -memberships, desktop profile, and so on.</P -><P ->Every Windows NT system (workstation as well as server) will have its own -registry. Windows NT Servers that participate in Domain Security control -have a database that they share in common - thus they do NOT own an -independent full registry database of their own, as do Workstations and -plain Servers.</P -><P ->The User database is called the SAM (Security Access Manager) database and -is used for all user authentication as well as for authentication of inter- -process authentication (i.e. to ensure that the service action a user has -requested is permitted within the limits of that user's privileges).</P -><P ->The Samba team have produced a utility that can dump the Windows NT SAM into -smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and -/pub/samba/pwdump on your nearest Samba mirror for the utility. This -facility is useful but cannot be easily used to implement SAM replication -to Samba systems.</P -><P ->Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers -can participate in a Domain security system that is controlled by Windows NT -servers that have been correctly configured. Almost every domain will have -ONE Primary Domain Controller (PDC). It is desirable that each domain will -have at least one Backup Domain Controller (BDC).</P -><P ->The PDC and BDCs then participate in replication of the SAM database so that -each Domain Controlling participant will have an up to date SAM component -within its registry.</P -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/make_unicodemap.1.html b/docs/htmldocs/make_unicodemap.1.html deleted file mode 100644 index b8b768ce40d..00000000000 --- a/docs/htmldocs/make_unicodemap.1.html +++ /dev/null @@ -1,276 +0,0 @@ -<HTML -><HEAD -><TITLE ->make_unicodemap</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="MAKE-UNICODEMAP" ->make_unicodemap</A -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN5" -></A -><H2 ->Name</H2 ->make_unicodemap -- construct a unicode map file for Samba</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN8" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->make_unicodemap</B -> {codepage} {inputfile} {outputfile}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN14" -></A -><H2 ->DESCRIPTION</H2 -><P -> This tool is part of the <A -HREF="samba.7.html" -TARGET="_top" ->Samba</A -> - suite. - </P -><P -> <B -CLASS="COMMAND" ->make_unicodemap</B -> compiles text unicode map - files into binary unicode map files for use with the - internationalization features of Samba 2.2. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN20" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->codepage</DT -><DD -><P ->This is the codepage or UNIX character - set we are processing (a number, e.g. 850). - </P -></DD -><DT ->inputfile</DT -><DD -><P ->This is the input file to process. This is a - text unicode map file such as the ones found in the Samba - <TT -CLASS="FILENAME" ->source/codepages</TT -> directory. - </P -></DD -><DT ->outputfile</DT -><DD -><P ->This is the binary output file to produce. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN36" -></A -><H2 ->Samba Unicode Map Files</H2 -><P -> A text Samba unicode map file is a description that tells Samba - how to map characters from a specified DOS code page or UNIX character - set to 16 bit unicode. - </P -><P ->A binary Samba unicode map file is a binary representation - of the same information, including a value that specifies what - codepage or UNIX character set this file is describing. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN40" -></A -><H2 ->Files</H2 -><P -><TT -CLASS="FILENAME" ->CP<codepage>.TXT</TT -></P -><P -> These are the input (text) unicode map files provided - in the Samba <TT -CLASS="FILENAME" ->source/codepages</TT -> - directory. - </P -><P -> A text unicode map file consists of multiple lines - containing two fields. These fields are : - </P -><P -></P -><UL -><LI -><P -><TT -CLASS="PARAMETER" -><I ->character</I -></TT -> - which is - the (hex) character mapped on this line. - </P -></LI -><LI -><P -><TT -CLASS="PARAMETER" -><I ->unicode</I -></TT -> - which - is the (hex) 16 bit unicode character that the character - will map to. - </P -></LI -></UL -><P -> <TT -CLASS="FILENAME" ->unicode_map.<codepage></TT -> - These are - the output (binary) unicode map files produced and placed in - the Samba destination <TT -CLASS="FILENAME" ->lib/codepage</TT -> - directory. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->Installation</H2 -><P -> The location of the server and its support files is a matter - for individual system administrators. The following are thus - suggestions only. - </P -><P -> It is recommended that the <B -CLASS="COMMAND" ->make_unicodemap</B -> - program be installed under the - <TT -CLASS="FILENAME" ->$prefix/samba</TT -> hierarchy, - in a directory readable by all, writeable only by root. The - program itself should be executable by all. The program - should NOT be setuid or setgid! - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN63" -></A -><H2 ->VERSION</H2 -><P ->This man page is correct for version 2.2 of - the Samba suite.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN66" -></A -><H2 ->SEE ALSO</H2 -><P -><A -HREF="smbd.8.html" -TARGET="_top" -><B -CLASS="COMMAND" ->smbd(8)</B -></A ->, - <A -HREF="smb.conf.5.html" -TARGET="_top" ->smb.conf(5)</A -> - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN72" -></A -><H2 ->AUTHOR</H2 -><P ->The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.</P -><P ->The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - <A -HREF="ftp://ftp.icce.rug.nl/pub/unix/" -TARGET="_top" -> ftp://ftp.icce.rug.nl/pub/unix/</A ->) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter</P -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/msdfs_setup.html b/docs/htmldocs/msdfs_setup.html deleted file mode 100644 index 36b9911baec..00000000000 --- a/docs/htmldocs/msdfs_setup.html +++ /dev/null @@ -1,210 +0,0 @@ -<HTML -><HEAD -><TITLE ->Hosting a Microsoft Distributed File System tree on Samba</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="ARTICLE" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="ARTICLE" -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="MSDFS" ->Hosting a Microsoft Distributed File System tree on Samba</A -></H1 -><HR></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3" ->Instructions</A -></H1 -><P ->The Distributed File System (or Dfs) provides a means of - separating the logical view of files and directories that users - see from the actual physical locations of these resources on the - network. It allows for higher availability, smoother storage expansion, - load balancing etc. For more information about Dfs, refer to <A -HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" -TARGET="_top" -> Microsoft documentation</A ->. </P -><P ->This document explains how to host a Dfs tree on a Unix - machine (for Dfs-aware clients to browse) using Samba.</P -><P ->To enable SMB-based DFS for Samba, configure it with the - <TT -CLASS="PARAMETER" -><I ->--with-msdfs</I -></TT -> option. Once built, a - Samba server can be made a Dfs server by setting the global - boolean <A -HREF="smb.conf.5.html#HOSTMSDFS" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> host msdfs</I -></TT -></A -> parameter in the <TT -CLASS="FILENAME" ->smb.conf - </TT -> file. You designate a share as a Dfs root using the share - level boolean <A -HREF="smb.conf.5.html#MSDFSROOT" -TARGET="_top" -><TT -CLASS="PARAMETER" -><I -> msdfs root</I -></TT -></A -> parameter. A Dfs root directory on - Samba hosts Dfs links in the form of symbolic links that point - to other servers. For example, a symbolic link - <TT -CLASS="FILENAME" ->junction->msdfs:storage1\share1</TT -> in - the share directory acts as the Dfs junction. When Dfs-aware - clients attempt to access the junction link, they are redirected - to the storage location (in this case, \\storage1\share1).</P -><P ->Dfs trees on Samba work with all Dfs-aware clients ranging - from Windows 95 to 2000.</P -><P ->Here's an example of setting up a Dfs tree on a Samba - server.</P -><P -><PRE -CLASS="PROGRAMLISTING" -># The smb.conf file: -[global] - netbios name = SAMBA - host msdfs = yes - -[dfs] - path = /export/dfsroot - msdfs root = yes - </PRE -></P -><P ->In the /export/dfsroot directory we set up our dfs links to - other servers on the network.</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->cd /export/dfsroot</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->chown root /export/dfsroot</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->chmod 755 /export/dfsroot</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->ln -s msdfs:storageA\\shareA linka</B -></TT -></P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->ln -s msdfs:serverB\\share,serverC\\share linkb</B -></TT -></P -><P ->You should set up the permissions and ownership of - the directory acting as the Dfs root such that only designated - users can create, delete or modify the msdfs links. Also note - that symlink names should be all lowercase. This limitation exists - to have Samba avoid trying all the case combinations to get at - the link name. Finally set up the symbolic links to point to the - network shares you want, and start Samba.</P -><P ->Users on Dfs-aware clients can now browse the Dfs tree - on the Samba server at \\samba\dfs. Accessing - links linka or linkb (which appear as directories to the client) - takes users directly to the appropriate shares on the network.</P -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN38" ->Notes</A -></H2 -><P -></P -><UL -><LI -><P ->Windows clients need to be rebooted - if a previously mounted non-dfs share is made a dfs - root or vice versa. A better way is to introduce a - new share and make it the dfs root.</P -></LI -><LI -><P ->Currently there's a restriction that msdfs - symlink names should all be lowercase.</P -></LI -><LI -><P ->For security purposes, the directory - acting as the root of the Dfs tree should have ownership - and permissions set so that only designated users can - modify the symbolic links in the directory.</P -></LI -></UL -></DIV -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/smbmnt.8.html b/docs/htmldocs/smbmnt.8.html deleted file mode 100644 index a7d10b6e191..00000000000 --- a/docs/htmldocs/smbmnt.8.html +++ /dev/null @@ -1,178 +0,0 @@ -<HTML -><HEAD -><TITLE ->smbmnt</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="SMBMNT" ->smbmnt</A -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN5" -></A -><H2 ->Name</H2 ->smbmnt -- helper utility for mounting SMB filesystems</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN8" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->smbmnt</B -> {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN19" -></A -><H2 ->DESCRIPTION</H2 -><P -><B -CLASS="COMMAND" ->smbmnt</B -> is a helper application used - by the smbmount program to do the actual mounting of SMB shares. - <B -CLASS="COMMAND" ->smbmnt</B -> can be installed setuid root if you want - normal users to be able to mount their SMB shares.</P -><P ->A setuid smbmnt will only allow mounts on directories owned - by the user, and that the user has write permission on.</P -><P ->The <B -CLASS="COMMAND" ->smbmnt</B -> program is normally invoked - by <A -HREF="smbmount.8.html" -TARGET="_top" -><B -CLASS="COMMAND" ->smbmount(8)</B -> - </A ->. It should not be invoked directly by users. </P -><P ->smbmount searches the normal PATH for smbmnt. You must ensure - that the smbmnt version in your path matches the smbmount used.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN30" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-r</DT -><DD -><P ->mount the filesystem read-only - </P -></DD -><DT ->-u uid</DT -><DD -><P ->specify the uid that the files will - be owned by </P -></DD -><DT ->-g gid</DT -><DD -><P ->specify the gid that the files will be - owned by </P -></DD -><DT ->-f mask</DT -><DD -><P ->specify the octal file mask applied - </P -></DD -><DT ->-d mask</DT -><DD -><P ->specify the octal directory mask - applied </P -></DD -><DT ->-o options</DT -><DD -><P -> list of options that are passed as-is to smbfs, if this - command is run on a 2.4 or higher Linux kernel. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->AUTHOR</H2 -><P ->Volker Lendecke, Andrew Tridgell, Michael H. Warfield - and others.</P -><P ->The current maintainer of smbfs and the userspace - tools <B -CLASS="COMMAND" ->smbmount</B ->, <B -CLASS="COMMAND" ->smbumount</B ->, - and <B -CLASS="COMMAND" ->smbmnt</B -> is <A -HREF="mailto:urban@teststation.com" -TARGET="_top" ->Urban Widmark</A ->. - The <A -HREF="mailto:samba@samba.org" -TARGET="_top" ->SAMBA Mailing list</A -> - is the preferred place to ask questions regarding these programs. - </P -><P ->The conversion of this manpage for Samba 2.2 was performed - by Gerald Carter</P -></DIV -></BODY -></HTML ->
\ No newline at end of file diff --git a/docs/htmldocs/smbumount.8.html b/docs/htmldocs/smbumount.8.html deleted file mode 100644 index 68929fd5f91..00000000000 --- a/docs/htmldocs/smbumount.8.html +++ /dev/null @@ -1,140 +0,0 @@ -<HTML -><HEAD -><TITLE ->smbumount</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="SMBUMOUNT" ->smbumount</A -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN5" -></A -><H2 ->Name</H2 ->smbumount -- smbfs umount for normal users</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN8" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->smbumount</B -> {mount-point}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN12" -></A -><H2 ->DESCRIPTION</H2 -><P ->With this program, normal users can unmount smb-filesystems, - provided that it is suid root. <B -CLASS="COMMAND" ->smbumount</B -> has - been written to give normal Linux users more control over their - resources. It is safe to install this program suid root, because only - the user who has mounted a filesystem is allowed to unmount it again. - For root it is not necessary to use smbumount. The normal umount - program works perfectly well, but it would certainly be problematic - to make umount setuid root.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN16" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->mount-point</DT -><DD -><P ->The directory to unmount.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN23" -></A -><H2 ->SEE ALSO</H2 -><P -><A -HREF="smbmount.8.html" -TARGET="_top" -><B -CLASS="COMMAND" ->smbmount(8)</B -> - </A -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN28" -></A -><H2 ->AUTHOR</H2 -><P ->Volker Lendecke, Andrew Tridgell, Michael H. Warfield - and others.</P -><P ->The current maintainer of smbfs and the userspace - tools <B -CLASS="COMMAND" ->smbmount</B ->, <B -CLASS="COMMAND" ->smbumount</B ->, - and <B -CLASS="COMMAND" ->smbmnt</B -> is <A -HREF="mailto:urban@teststation.com" -TARGET="_top" ->Urban Widmark</A ->. - The <A -HREF="mailto:samba@samba.org" -TARGET="_top" ->SAMBA Mailing list</A -> - is the preferred place to ask questions regarding these programs. - </P -><P ->The conversion of this manpage for Samba 2.2 was performed - by Gerald Carter</P -></DIV -></BODY -></HTML ->
\ No newline at end of file |