Diffstat (limited to 'docs/htmldocs')
-rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 642 |
1 files changed, 361 insertions, 281 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index 4bd9e671978..b6ba4770ada 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -199,7 +199,7 @@ HREF="#AEN245" ><DL ><DT >2.2.1. <A -HREF="#AEN248" +HREF="#AEN261" ><TT CLASS="FILENAME" >/etc/hosts</TT @@ -207,7 +207,7 @@ CLASS="FILENAME" ></DT ><DT >2.2.2. <A -HREF="#AEN264" +HREF="#AEN277" ><TT CLASS="FILENAME" >/etc/resolv.conf</TT @@ -215,7 +215,7 @@ CLASS="FILENAME" ></DT ><DT >2.2.3. <A -HREF="#AEN275" +HREF="#AEN288" ><TT CLASS="FILENAME" >/etc/host.conf</TT @@ -223,7 +223,7 @@ CLASS="FILENAME" ></DT ><DT >2.2.4. <A -HREF="#AEN283" +HREF="#AEN296" ><TT CLASS="FILENAME" >/etc/nsswitch.conf</TT @@ -233,47 +233,47 @@ CLASS="FILENAME" ></DD ><DT >2.3. <A -HREF="#AEN295" +HREF="#AEN308" >Name resolution as used within MS Windows networking</A ></DT ><DD ><DL ><DT >2.3.1. <A -HREF="#AEN307" +HREF="#AEN320" >The NetBIOS Name Cache</A ></DT ><DT >2.3.2. <A -HREF="#AEN312" +HREF="#AEN325" >The LMHOSTS file</A ></DT ><DT >2.3.3. <A -HREF="#AEN320" +HREF="#AEN333" >HOSTS file</A ></DT ><DT >2.3.4. <A -HREF="#AEN325" +HREF="#AEN338" >DNS Lookup</A ></DT ><DT >2.3.5. <A -HREF="#AEN328" +HREF="#AEN341" >WINS Lookup</A ></DT ></DL ></DD ><DT >2.4. <A -HREF="#AEN341" +HREF="#AEN353" >How browsing functions and how to deploy stable and dependable browsing using Samba</A ></DT ><DT >2.5. <A -HREF="#AEN351" +HREF="#AEN363" >MS Windows security options and how to configure Samba for seemless integration</A ></DT 
@@ -281,29 +281,29 @@ Samba for seemless integration</A ><DL ><DT >2.5.1. <A -HREF="#AEN368" +HREF="#AEN391" >Use MS Windows NT as an authentication server</A ></DT ><DT >2.5.2. <A -HREF="#AEN376" +HREF="#AEN399" >Make Samba a member of an MS Windows NT security domain</A ></DT ><DT >2.5.3. <A -HREF="#AEN390" +HREF="#AEN416" >Configure Samba as an authentication server</A ></DT ><DD ><DL ><DT >2.5.3.1. <A -HREF="#AEN397" +HREF="#AEN423" >Users</A ></DT ><DT >2.5.3.2. <A -HREF="#AEN404" +HREF="#AEN428" >MS Windows NT Machine Accounts</A ></DT ></DL @@ -312,50 +312,50 @@ HREF="#AEN404" ></DD ><DT >2.6. <A -HREF="#AEN409" ->Configuration of Samba as ...</A +HREF="#AEN433" +>Conclusions</A ></DT ></DL ></DD ><DT >3. <A -HREF="#AEN420" +HREF="#AEN443" >LanMan and NT Password Encryption in Samba 2.x</A ></DT ><DD ><DL ><DT >3.1. <A -HREF="#AEN431" +HREF="#AEN454" >Introduction</A ></DT ><DT >3.2. <A -HREF="#AEN435" +HREF="#AEN458" >How does it work?</A ></DT ><DT >3.3. <A -HREF="#AEN446" +HREF="#AEN469" >Important Notes About Security</A ></DT ><DD ><DL ><DT >3.3.1. <A -HREF="#AEN465" +HREF="#AEN488" >Advantages of SMB Encryption</A ></DT ><DT >3.3.2. <A -HREF="#AEN472" +HREF="#AEN495" >Advantages of non-encrypted passwords</A ></DT ></DL ></DD ><DT >3.4. <A -HREF="#AEN481" +HREF="#AEN504" ><A NAME="SMBPASSWDFILEFORMAT" ></A @@ -363,33 +363,33 @@ NAME="SMBPASSWDFILEFORMAT" ></DT ><DT >3.5. <A -HREF="#AEN533" +HREF="#AEN556" >The smbpasswd Command</A ></DT ><DT >3.6. <A -HREF="#AEN572" +HREF="#AEN595" >Setting up Samba to support LanManager Encryption</A ></DT ></DL ></DD ><DT >4. <A -HREF="#AEN587" +HREF="#AEN610" >Hosting a Microsoft Distributed File System tree on Samba</A ></DT ><DD ><DL ><DT >4.1. <A -HREF="#AEN598" +HREF="#AEN621" >Instructions</A ></DT ><DD ><DL ><DT >4.1.1. <A -HREF="#AEN633" +HREF="#AEN656" >Notes</A ></DT ></DL 
@@ -398,82 +398,82 @@ HREF="#AEN633" ></DD ><DT >5. <A -HREF="#AEN642" +HREF="#AEN665" >Printing Support in Samba 2.2.x</A ></DT ><DD ><DL ><DT >5.1. <A -HREF="#AEN653" +HREF="#AEN676" >Introduction</A ></DT ><DT >5.2. <A -HREF="#AEN675" +HREF="#AEN698" >Configuration</A ></DT ><DD ><DL ><DT >5.2.1. <A -HREF="#AEN686" +HREF="#AEN709" >Creating [print$]</A ></DT ><DT >5.2.2. <A -HREF="#AEN721" +HREF="#AEN744" >Setting Drivers for Existing Printers</A ></DT ><DT >5.2.3. <A -HREF="#AEN738" +HREF="#AEN761" >Support a large number of printers</A ></DT ><DT >5.2.4. <A -HREF="#AEN749" +HREF="#AEN772" >Adding New Printers via the Windows NT APW</A ></DT ><DT >5.2.5. <A -HREF="#AEN774" +HREF="#AEN797" >Samba and Printer Ports</A ></DT ></DL ></DD ><DT >5.3. <A -HREF="#AEN782" +HREF="#AEN805" >The Imprints Toolset</A ></DT ><DD ><DL ><DT >5.3.1. <A -HREF="#AEN786" +HREF="#AEN809" >What is Imprints?</A ></DT ><DT >5.3.2. <A -HREF="#AEN796" +HREF="#AEN819" >Creating Printer Driver Packages</A ></DT ><DT >5.3.3. <A -HREF="#AEN799" +HREF="#AEN822" >The Imprints server</A ></DT ><DT >5.3.4. <A -HREF="#AEN803" +HREF="#AEN826" >The Installation Client</A ></DT ></DL ></DD ><DT >5.4. <A -HREF="#AEN825" +HREF="#AEN848" ><A NAME="MIGRATION" ></A 
@@ -483,53 +483,53 @@ NAME="MIGRATION" ></DD ><DT >6. <A -HREF="#AEN869" +HREF="#AEN892" >security = domain in Samba 2.x</A ></DT ><DD ><DL ><DT >6.1. <A -HREF="#AEN887" +HREF="#AEN910" >Joining an NT Domain with Samba 2.2</A ></DT ><DT >6.2. <A -HREF="#AEN951" +HREF="#AEN974" >Samba and Windows 2000 Domains</A ></DT ><DT >6.3. <A -HREF="#AEN956" +HREF="#AEN979" >Why is this better than security = server?</A ></DT ></DL ></DD ><DT >7. <A -HREF="#AEN972" +HREF="#AEN995" >How to Configure Samba 2.2 as a Primary Domain Controller</A ></DT ><DD ><DL ><DT >7.1. <A -HREF="#AEN989" +HREF="#AEN1012" >Prerequisite Reading</A ></DT ><DT >7.2. <A -HREF="#AEN995" +HREF="#AEN1018" >Background</A ></DT ><DT >7.3. <A -HREF="#AEN1035" +HREF="#AEN1058" >Configuring the Samba Domain Controller</A ></DT ><DT >7.4. <A -HREF="#AEN1078" +HREF="#AEN1101" >Creating Machine Trust Accounts and Joining Clients to the Domain</A ></DT 
@@ -537,83 +537,83 @@ to the Domain</A ><DL ><DT >7.4.1. <A -HREF="#AEN1092" +HREF="#AEN1115" >Manually creating machine trust accounts</A ></DT ><DT >7.4.2. <A -HREF="#AEN1120" +HREF="#AEN1143" >Creating machine trust accounts "on the fly"</A ></DT ></DL ></DD ><DT >7.5. <A -HREF="#AEN1131" +HREF="#AEN1154" >Common Problems and Errors</A ></DT ><DT >7.6. <A -HREF="#AEN1179" +HREF="#AEN1202" >System Policies and Profiles</A ></DT ><DT >7.7. <A -HREF="#AEN1223" +HREF="#AEN1246" >What other help can I get ?</A ></DT ><DT >7.8. <A -HREF="#AEN1337" +HREF="#AEN1360" >Domain Control for Windows 9x/ME</A ></DT ><DD ><DL ><DT >7.8.1. <A -HREF="#AEN1367" +HREF="#AEN1390" >Configuration Instructions: Network Logons</A ></DT ><DT >7.8.2. <A -HREF="#AEN1401" +HREF="#AEN1424" >Configuration Instructions: Setting up Roaming User Profiles</A ></DT ><DD ><DL ><DT >7.8.2.1. <A -HREF="#AEN1409" +HREF="#AEN1432" >Windows NT Configuration</A ></DT ><DT >7.8.2.2. <A -HREF="#AEN1417" +HREF="#AEN1440" >Windows 9X Configuration</A ></DT ><DT >7.8.2.3. <A -HREF="#AEN1425" +HREF="#AEN1448" >Win9X and WinNT Configuration</A ></DT ><DT >7.8.2.4. <A -HREF="#AEN1432" +HREF="#AEN1455" >Windows 9X Profile Setup</A ></DT ><DT >7.8.2.5. <A -HREF="#AEN1468" +HREF="#AEN1491" >Windows NT Workstation 4.0</A ></DT ><DT >7.8.2.6. <A -HREF="#AEN1481" +HREF="#AEN1504" >Windows NT Server</A ></DT ><DT >7.8.2.7. <A -HREF="#AEN1484" +HREF="#AEN1507" >Sharing Profiles between W95 and NT Workstation 4.0</A ></DT ></DL 
@@ -622,149 +622,149 @@ HREF="#AEN1484" ></DD ><DT >7.9. <A -HREF="#AEN1494" +HREF="#AEN1517" >DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A ></DT ></DL ></DD ><DT >8. <A -HREF="#AEN1519" +HREF="#AEN1542" >Unified Logons between Windows NT and UNIX using Winbind</A ></DT ><DD ><DL ><DT >8.1. <A -HREF="#AEN1537" +HREF="#AEN1560" >Abstract</A ></DT ><DT >8.2. <A -HREF="#AEN1541" +HREF="#AEN1564" >Introduction</A ></DT ><DT >8.3. <A -HREF="#AEN1554" +HREF="#AEN1577" >What Winbind Provides</A ></DT ><DD ><DL ><DT >8.3.1. <A -HREF="#AEN1561" +HREF="#AEN1584" >Target Uses</A ></DT ></DL ></DD ><DT >8.4. <A -HREF="#AEN1565" +HREF="#AEN1588" >How Winbind Works</A ></DT ><DD ><DL ><DT >8.4.1. <A -HREF="#AEN1570" +HREF="#AEN1593" >Microsoft Remote Procedure Calls</A ></DT ><DT >8.4.2. <A -HREF="#AEN1574" +HREF="#AEN1597" >Name Service Switch</A ></DT ><DT >8.4.3. <A -HREF="#AEN1590" +HREF="#AEN1613" >Pluggable Authentication Modules</A ></DT ><DT >8.4.4. <A -HREF="#AEN1598" +HREF="#AEN1621" >User and Group ID Allocation</A ></DT ><DT >8.4.5. <A -HREF="#AEN1602" +HREF="#AEN1625" >Result Caching</A ></DT ></DL ></DD ><DT >8.5. <A -HREF="#AEN1605" +HREF="#AEN1628" >Installation and Configuration</A ></DT ><DT >8.6. <A -HREF="#AEN1611" +HREF="#AEN1634" >Limitations</A ></DT ><DT >8.7. <A -HREF="#AEN1623" +HREF="#AEN1646" >Conclusion</A ></DT ></DL ></DD ><DT >9. <A -HREF="#AEN1626" +HREF="#AEN1649" >UNIX Permission Bits and Windows NT Access Control Lists</A ></DT ><DD ><DL ><DT >9.1. <A -HREF="#AEN1637" +HREF="#AEN1660" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT >9.2. <A -HREF="#AEN1646" +HREF="#AEN1669" >How to view file security on a Samba share</A ></DT ><DT >9.3. <A -HREF="#AEN1657" +HREF="#AEN1680" >Viewing file ownership</A ></DT ><DT >9.4. <A -HREF="#AEN1677" +HREF="#AEN1700" >Viewing file or directory permissions</A ></DT ><DD ><DL ><DT >9.4.1. 
<A -HREF="#AEN1692" +HREF="#AEN1715" >File Permissions</A ></DT ><DT >9.4.2. <A -HREF="#AEN1706" +HREF="#AEN1729" >Directory Permissions</A ></DT ></DL ></DD ><DT >9.5. <A -HREF="#AEN1713" +HREF="#AEN1736" >Modifying file or directory permissions</A ></DT ><DT >9.6. <A -HREF="#AEN1735" +HREF="#AEN1758" >Interaction with the standard Samba create mask parameters</A ></DT ><DT >9.7. <A -HREF="#AEN1799" +HREF="#AEN1822" >Interaction with the standard Samba file attribute mapping</A ></DT @@ -772,39 +772,39 @@ HREF="#AEN1799" ></DD ><DT >10. <A -HREF="#AEN1809" +HREF="#AEN1832" >OS2 Client HOWTO</A ></DT ><DD ><DL ><DT >10.1. <A -HREF="#AEN1820" +HREF="#AEN1843" >FAQs</A ></DT ><DD ><DL ><DT >10.1.1. <A -HREF="#AEN1822" +HREF="#AEN1845" >How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></DT ><DT >10.1.2. <A -HREF="#AEN1837" +HREF="#AEN1860" >How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></DT ><DT >10.1.3. <A -HREF="#AEN1846" +HREF="#AEN1869" >Are there any other issues when OS/2 (any version) is used as a client?</A ></DT ><DT >10.1.4. <A -HREF="#AEN1850" +HREF="#AEN1873" >How do I get printer driver download working for OS/2 clients?</A ></DT @@ -814,31 +814,31 @@ HREF="#AEN1850" ></DD ><DT >11. <A -HREF="#AEN1859" +HREF="#AEN1882" >HOWTO Access Samba source code via CVS</A ></DT ><DD ><DL ><DT >11.1. <A -HREF="#AEN1866" +HREF="#AEN1889" >Introduction</A ></DT ><DT >11.2. <A -HREF="#AEN1871" +HREF="#AEN1894" >CVS Access to samba.org</A ></DT ><DD ><DL ><DT >11.2.1. <A -HREF="#AEN1874" +HREF="#AEN1897" >Access via CVSweb</A ></DT ><DT >11.2.2. <A -HREF="#AEN1879" +HREF="#AEN1902" >Access via cvs</A ></DT ></DL 
@@ -1751,13 +1751,45 @@ NAME="AEN245" >2.2. Name Resolution in a pure Unix/Linux world</A ></H1 ><P ->The key configuration files : </P +>The key configuration files covered in this section are:</P +><P +></P +><UL +><LI +><P +><TT +CLASS="FILENAME" +>/etc/hosts</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></P +></LI +></UL ><DIV CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN248" +NAME="AEN261" >2.2.1. <TT CLASS="FILENAME" >/etc/hosts</TT @@ -1847,7 +1879,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN264" +NAME="AEN277" >2.2.2. <TT CLASS="FILENAME" >/etc/resolv.conf</TT @@ -1885,7 +1917,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN275" +NAME="AEN288" >2.2.3. <TT CLASS="FILENAME" >/etc/host.conf</TT @@ -1923,7 +1955,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN283" +NAME="AEN296" >2.2.4. <TT CLASS="FILENAME" >/etc/nsswitch.conf</TT @@ -2001,7 +2033,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN295" +NAME="AEN308" >2.3. Name resolution as used within MS Windows networking</A ></H1 ><P @@ -2095,7 +2127,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN307" +NAME="AEN320" >2.3.1. The NetBIOS Name Cache</A ></H2 ><P @@ -2122,7 +2154,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN312" +NAME="AEN325" >2.3.2. The LMHOSTS file</A ></H2 ><P @@ -2234,7 +2266,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN320" +NAME="AEN333" >2.3.3. HOSTS file</A ></H2 ><P @@ -2256,7 +2288,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN325" +NAME="AEN338" >2.3.4. DNS Lookup</A ></H2 ><P 
@@ -2276,14 +2308,11 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN328" +NAME="AEN341" >2.3.5. WINS Lookup</A ></H2 ><P ->Refer to above details for section <EM ->DNS Lookups</EM ->. A -WINS (Windows Internet Name Server) service is the equivaent of the +>A WINS (Windows Internet Name Server) service is the equivaent of the rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores the names and IP addresses that are registered by a Windows client if the TCP/IP setup has been given at least one WINS Server IP Address.</P @@ -2340,7 +2369,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN341" +NAME="AEN353" >2.4. How browsing functions and how to deploy stable and dependable browsing using Samba</A ></H1 
@@ -2407,35 +2436,47 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN351" +NAME="AEN363" >2.5. MS Windows security options and how to configure Samba for seemless integration</A ></H1 ><P ->MS Windows clients may use encrypted passwords alone, or encrypted -as well as plain text passwords in the authentication process. It -should be realized that with the SMB protocol the password is passed -over the network either in plain text or encrypted. When encrypted -passwords are used a password that has been entered by the user is -encrypted in two ways:</P +>MS Windows clients may use encrypted passwords as part of a +challenege/response authentication model (a.k.a. NTLMv1) or +alone, or clear text strings for simple password based +authentication. It should be realized that with the SMB +protocol the password is passed over the network either +in plain text or encrypted, but not both in the same +authentication requets.</P +><P +>When encrypted passwords are used a password that has been +entered by the user is encrypted in two ways:</P ><P ></P ><UL ><LI ><P ->The case preserved password is encrypted - using an MD5/DES one way hash +>An MD4 hash of the UNICODE of the password + string. This is known as the NT hash. </P ></LI ><LI ><P ->The case is converted to upper case and then - encrypted using an MD5/DES one way hash</P +>The password is converted to upper case, + and then padded or trucated to 14 bytes. This string is + then appended with 5 bytes of NULL characters and split to + form two 56 bit DES keys to encrypt a "magic" 8 byte value. + The resulting 16 bytes for the LanMan hash. 
+ </P ></LI ></UL ><P ->Both of these enrypted passwords are sent over the network -in the one authentication datagram.</P +>You should refer to the <A +HREF="ENCRYPTION.html" +TARGET="_top" +>Password Encryption</A +> chapter in this HOWTO collection +for more details on the inner workings</P ><P >MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0 pre-service pack 3 will use either mode of @@ -2456,8 +2497,10 @@ the remote authentication server does not support encrypted passwords. This means that it is definitely not a good idea to re-enable plain text password support in such clients.</P ><P ->It is recommended that the following parameters be added to the -smb.conf file:</P +>The following parameters can be used to work around the +issue of Windows 9x client upper casing usernames and +password before transmitting them to the SMB server +when using clear text authentication.</P ><P ><TABLE BORDER="0" 
@@ -2467,19 +2510,65 @@ WIDTH="100%" ><TD ><PRE CLASS="PROGRAMLISTING" -> passsword level = 8 - username level = 8</PRE +> <A +HREF="smb.conf.5.html#PASSWORDLEVEL" +TARGET="_top" +>passsword level</A +> = <TT +CLASS="REPLACEABLE" +><I +>integer</I +></TT +> + <A +HREF="smb.conf.5.html#USERNAMELEVEL" +TARGET="_top" +>username level</A +> = <TT +CLASS="REPLACEABLE" +><I +>integer</I +></TT +></PRE ></TD ></TR ></TABLE ></P ><P ->these configuration parameters will compensate for the fact that -in some circumstances MS Windows and MS DOS clients may twiddle the -password that has been supplied by the user by converting characters to -upper case. The above entries will try every combination of upper and -lower case for the first 8 characters. Please refer to the man page -for smb.conf for more information on use of these parameters.</P +>By default Samba will lower case the username before attempting +to lookup the user in the database of local system accounts. +Because UNIX usernames conventionally only contain lower case +character, the <TT +CLASS="PARAMETER" +><I +>username level</I +></TT +> parameter +is rarely even needed.</P +><P +>However, password on UNIX systems often make use of mixed case +characters. This means that in order for a user on a Windows 9x +client to connect to a Samba server using clear text authentication, +the <TT +CLASS="PARAMETER" +><I +>password level</I +></TT +> must be set to the maximum +number of upper case letter which <EM +>could</EM +> appear +is a password. Note that is the server OS uses the traditional +DES version of crypt(), then a <TT +CLASS="PARAMETER" +><I +>password level</I +></TT +> +of 8 will result in case insensitive passwords as seen from Windows +users. 
This will also result in longer login times as Samba +hash to compute the permutations of the password string and +try them one by one until a match is located (or all combinations fail).</P ><P >The best option to adopt is to enable support for encrypted passwords where ever Samba is used. There are three configuration possibilities @@ -2489,7 +2578,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN368" +NAME="AEN391" >2.5.1. Use MS Windows NT as an authentication server</A ></H2 ><P @@ -2534,7 +2623,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN376" +NAME="AEN399" >2.5.2. Make Samba a member of an MS Windows NT security domain</A ></H2 ><P @@ -2584,15 +2673,29 @@ CLASS="COMMAND" ></UL ><P >Use of this mode of authentication does require there to be -a standard Unix account for the user, this account can be -blocked to prevent logons by other than MS Windows clients.</P +a standard Unix account for the user in order to assign +a uid once the account has been authenticated by the remote +Windows DC. This account can be blocked to prevent logons by +other than MS Windows clients by things such as setting an invalid +shell in the <TT +CLASS="FILENAME" +>/etc/passwd</TT +> entry.</P +><P +>An alternative to assigning UIDs to Windows users on a +Samba member server is presented in the <A +HREF="winbind.html" +TARGET="_top" +>Winbind Overview</A +> chapter in +this HOWTO collection.</P ></DIV ><DIV CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN390" +NAME="AEN416" >2.5.3. Configure Samba as an authentication server</A ></H2 ><P 
@@ -2613,8 +2716,18 @@ WIDTH="100%" ><TD ><PRE CLASS="PROGRAMLISTING" -> encrypt passwords = Yes - security = user</PRE +>## please refer to the Samba PDC HOWTO chapter later in +## this collection for more details +[global] + encrypt passwords = Yes + security = user + domain logons = Yes + ; an OS level of 33 or more is recommended + os level = 33 + +[NETLOGON] + path = /somewhare/in/file/system + read only = yes</PRE ></TD ></TR ></TABLE @@ -2628,7 +2741,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN397" +NAME="AEN423" >2.5.3.1. Users</A ></H3 ><P @@ -2646,20 +2759,10 @@ WIDTH="100%" CLASS="PROGRAMLISTING" > # useradd -s /bin/bash -d /home/"userid" -m # passwd "userid" - Enter Password: <TT -CLASS="USERINPUT" -><B ->pass</B -></TT -> + Enter Password: <pw> # smbpasswd -a "userid" - Enter Password: <TT -CLASS="USERINPUT" -><B ->pass</B -></TT -></PRE + Enter Password: <pw></PRE ></TD ></TR ></TABLE @@ -2670,7 +2773,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN404" +NAME="AEN428" >2.5.3.2. MS Windows NT Machine Accounts</A ></H3 ><P @@ -2700,10 +2803,12 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN409" ->2.6. Configuration of Samba as ...</A +NAME="AEN433" +>2.6. Conclusions</A ></H1 ><P +>Samba provides a flexible means to operate as...</P +><P ></P ><UL ><LI 
@@ -2718,48 +2823,23 @@ NAME="AEN409" ></LI ><LI ><P ->An MS Windows NT 3.x/4.0 security domain member - - Refer to the previous section(s) above. +>An MS Windows NT 3.x/4.0 security domain member. </P ></LI ><LI ><P >An alternative to an MS Windows NT 3.x/4.0 - Domain Controller - In the smb.conf file the following parameters - should be added:</P + Domain Controller. + </P ></LI ></UL -><P -><TABLE -BORDER="0" -BGCOLOR="#E0E0E0" -WIDTH="100%" -><TR -><TD -><PRE -CLASS="PROGRAMLISTING" ->## please refer to the Samba PDC HOWTO chapter later in -## this collection for more details -[global] - domain logons = Yes - ; an OS level of 33 or more is recommended - os level = 33 - - [NETLOGON] - path = /somewhare/in/file/system - read only = yes - available = yes</PRE -></TD -></TR -></TABLE -></P ></DIV ></DIV ><DIV CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN420" +NAME="AEN443" >Chapter 3. LanMan and NT Password Encryption in Samba 2.x</A ></H1 ><DIV @@ -2767,7 +2847,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN431" +NAME="AEN454" >3.1. Introduction</A ></H1 ><P @@ -2786,7 +2866,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN435" +NAME="AEN458" >3.2. How does it work?</A ></H1 ><P @@ -2851,7 +2931,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN446" +NAME="AEN469" >3.3. Important Notes About Security</A ></H1 ><P @@ -2943,7 +3023,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN465" +NAME="AEN488" >3.3.1. Advantages of SMB Encryption</A ></H2 ><P @@ -2972,7 +3052,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN472" +NAME="AEN495" >3.3.2. Advantages of non-encrypted passwords</A ></H2 ><P @@ -3003,7 +3083,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN481" +NAME="AEN504" >3.4. <A NAME="SMBPASSWDFILEFORMAT" ></A @@ -3222,7 +3302,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN533" +NAME="AEN556" >3.5. The smbpasswd Command</A ></H1 ><P 
@@ -3360,7 +3440,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN572" +NAME="AEN595" >3.6. Setting up Samba to support LanManager Encryption</A ></H1 ><P @@ -3407,7 +3487,7 @@ HREF="#SMBPASSWDFILEFORMAT" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN587" +NAME="AEN610" >Chapter 4. Hosting a Microsoft Distributed File System tree on Samba</A ></H1 ><DIV @@ -3415,7 +3495,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN598" +NAME="AEN621" >4.1. Instructions</A ></H1 ><P @@ -3572,7 +3652,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN633" +NAME="AEN656" >4.1.1. Notes</A ></H2 ><P @@ -3605,7 +3685,7 @@ NAME="AEN633" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN642" +NAME="AEN665" >Chapter 5. Printing Support in Samba 2.2.x</A ></H1 ><DIV @@ -3613,7 +3693,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN653" +NAME="AEN676" >5.1. Introduction</A ></H1 ><P @@ -3697,7 +3777,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN675" +NAME="AEN698" >5.2. Configuration</A ></H1 ><DIV @@ -3765,7 +3845,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN686" +NAME="AEN709" >5.2.1. Creating [print$]</A ></H2 ><P @@ -3959,7 +4039,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN721" +NAME="AEN744" >5.2.2. Setting Drivers for Existing Printers</A ></H2 ><P @@ -4031,7 +4111,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN738" +NAME="AEN761" >5.2.3. Support a large number of printers</A ></H2 ><P @@ -4106,7 +4186,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN749" +NAME="AEN772" >5.2.4. Adding New Printers via the Windows NT APW</A ></H2 ><P @@ -4212,7 +4292,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN774" +NAME="AEN797" >5.2.5. Samba and Printer Ports</A ></H2 ><P @@ -4249,7 +4329,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN782" +NAME="AEN805" >5.3. The Imprints Toolset</A ></H1 ><P @@ -4267,7 +4347,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN786" +NAME="AEN809" >5.3.1. What is Imprints?</A ></H2 ><P 
@@ -4299,7 +4379,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN796" +NAME="AEN819" >5.3.2. Creating Printer Driver Packages</A ></H2 ><P @@ -4315,7 +4395,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN799" +NAME="AEN822" >5.3.3. The Imprints server</A ></H2 ><P @@ -4335,7 +4415,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN803" +NAME="AEN826" >5.3.4. The Installation Client</A ></H2 ><P @@ -4438,7 +4518,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN825" +NAME="AEN848" >5.4. <A NAME="MIGRATION" ></A @@ -4615,7 +4695,7 @@ TARGET="_top" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN869" +NAME="AEN892" >Chapter 6. security = domain in Samba 2.x</A ></H1 ><DIV @@ -4623,7 +4703,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN887" +NAME="AEN910" >6.1. Joining an NT Domain with Samba 2.2</A ></H1 ><P @@ -4850,7 +4930,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN951" +NAME="AEN974" >6.2. Samba and Windows 2000 Domains</A ></H1 ><P @@ -4875,7 +4955,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN956" +NAME="AEN979" >6.3. Why is this better than security = server?</A ></H1 ><P @@ -4961,7 +5041,7 @@ TARGET="_top" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN972" +NAME="AEN995" >Chapter 7. How to Configure Samba 2.2 as a Primary Domain Controller</A ></H1 ><DIV @@ -4969,7 +5049,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN989" +NAME="AEN1012" >7.1. Prerequisite Reading</A ></H1 ><P @@ -4997,7 +5077,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN995" +NAME="AEN1018" >7.2. Background</A ></H1 ><DIV @@ -5154,7 +5234,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1035" +NAME="AEN1058" >7.3. Configuring the Samba Domain Controller</A ></H1 ><P @@ -5376,7 +5456,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1078" +NAME="AEN1101" >7.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A ></H1 
@@ -5434,7 +5514,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1092" +NAME="AEN1115" >7.4.1. Manually creating machine trust accounts</A ></H2 ><P @@ -5574,7 +5654,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1120" +NAME="AEN1143" >7.4.2. Creating machine trust accounts "on the fly"</A ></H2 ><P @@ -5622,7 +5702,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1131" +NAME="AEN1154" >7.5. Common Problems and Errors</A ></H1 ><P @@ -5821,7 +5901,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1179" +NAME="AEN1202" >7.6. System Policies and Profiles</A ></H1 ><P @@ -5978,7 +6058,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1223" +NAME="AEN1246" >7.7. What other help can I get ?</A ></H1 ><P @@ -6374,7 +6454,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1337" +NAME="AEN1360" >7.8. Domain Control for Windows 9x/ME</A ></H1 ><DIV @@ -6510,7 +6590,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1367" +NAME="AEN1390" >7.8.1. Configuration Instructions: Network Logons</A ></H2 ><P @@ -6699,7 +6779,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1401" +NAME="AEN1424" >7.8.2. Configuration Instructions: Setting up Roaming User Profiles</A ></H2 ><DIV @@ -6746,7 +6826,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1409" +NAME="AEN1432" >7.8.2.1. Windows NT Configuration</A ></H3 ><P @@ -6790,7 +6870,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1417" +NAME="AEN1440" >7.8.2.2. Windows 9X Configuration</A ></H3 ><P @@ -6830,7 +6910,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1425" +NAME="AEN1448" >7.8.2.3. Win9X and WinNT Configuration</A ></H3 ><P @@ -6868,7 +6948,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1432" +NAME="AEN1455" >7.8.2.4. Windows 9X Profile Setup</A ></H3 ><P @@ -7024,7 +7104,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1468" +NAME="AEN1491" >7.8.2.5. Windows NT Workstation 4.0</A ></H3 ><P 
@@ -7106,7 +7186,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1481" +NAME="AEN1504" >7.8.2.6. Windows NT Server</A ></H3 ><P @@ -7120,7 +7200,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1484" +NAME="AEN1507" >7.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A ></H3 ><DIV @@ -7185,7 +7265,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1494" +NAME="AEN1517" >7.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A ></H1 ><DIV @@ -7306,7 +7386,7 @@ within its registry.</P CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN1519" +NAME="AEN1542" >Chapter 8. Unified Logons between Windows NT and UNIX using Winbind</A ></H1 ><DIV @@ -7314,7 +7394,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1537" +NAME="AEN1560" >8.1. Abstract</A ></H1 ><P @@ -7336,7 +7416,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1541" +NAME="AEN1564" >8.2. Introduction</A ></H1 ><P @@ -7390,7 +7470,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1554" +NAME="AEN1577" >8.3. What Winbind Provides</A ></H1 ><P @@ -7432,7 +7512,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1561" +NAME="AEN1584" >8.3.1. Target Uses</A ></H2 ><P @@ -7456,7 +7536,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1565" +NAME="AEN1588" >8.4. How Winbind Works</A ></H1 ><P @@ -7476,7 +7556,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1570" +NAME="AEN1593" >8.4.1. Microsoft Remote Procedure Calls</A ></H2 ><P @@ -7502,7 +7582,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1574" +NAME="AEN1597" >8.4.2. Name Service Switch</A ></H2 ><P @@ -7581,7 +7661,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1590" +NAME="AEN1613" >8.4.3. Pluggable Authentication Modules</A ></H2 ><P @@ -7630,7 +7710,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1598" +NAME="AEN1621" >8.4.4. User and Group ID Allocation</A ></H2 ><P 
@@ -7656,7 +7736,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1602" +NAME="AEN1625" >8.4.5. Result Caching</A ></H2 ><P @@ -7679,7 +7759,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1605" +NAME="AEN1628" >8.5. Installation and Configuration</A ></H1 ><P @@ -7710,7 +7790,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1611" +NAME="AEN1634" >8.6. Limitations</A ></H1 ><P @@ -7758,7 +7838,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1623" +NAME="AEN1646" >8.7. Conclusion</A ></H1 ><P @@ -7774,7 +7854,7 @@ NAME="AEN1623" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN1626" +NAME="AEN1649" >Chapter 9. UNIX Permission Bits and Windows NT Access Control Lists</A ></H1 ><DIV @@ -7782,7 +7862,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1637" +NAME="AEN1660" >9.1. Viewing and changing UNIX permissions using the NT security dialogs</A ></H1 @@ -7821,7 +7901,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1646" +NAME="AEN1669" >9.2. How to view file security on a Samba share</A ></H1 ><P @@ -7867,7 +7947,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1657" +NAME="AEN1680" >9.3. Viewing file ownership</A ></H1 ><P @@ -7953,7 +8033,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1677" +NAME="AEN1700" >9.4. Viewing file or directory permissions</A ></H1 ><P @@ -8015,7 +8095,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1692" +NAME="AEN1715" >9.4.1. File Permissions</A ></H2 ><P @@ -8077,7 +8157,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1706" +NAME="AEN1729" >9.4.2. Directory Permissions</A ></H2 ><P @@ -8109,7 +8189,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1713" +NAME="AEN1736" >9.5. Modifying file or directory permissions</A ></H1 ><P @@ -8207,7 +8287,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1735" +NAME="AEN1758" >9.6. Interaction with the standard Samba create mask parameters</A ></H1 
@@ -8480,7 +8560,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1799" +NAME="AEN1822" >9.7. Interaction with the standard Samba file attribute mapping</A ></H1 @@ -8527,7 +8607,7 @@ CLASS="COMMAND" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN1809" +NAME="AEN1832" >Chapter 10. OS2 Client HOWTO</A ></H1 ><DIV @@ -8535,7 +8615,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1820" +NAME="AEN1843" >10.1. FAQs</A ></H1 ><DIV @@ -8543,7 +8623,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1822" +NAME="AEN1845" >10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></H2 @@ -8602,7 +8682,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1837" +NAME="AEN1860" >10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></H2 @@ -8655,7 +8735,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1846" +NAME="AEN1869" >10.1.3. Are there any other issues when OS/2 (any version) is used as a client?</A ></H2 @@ -8677,7 +8757,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1850" +NAME="AEN1873" >10.1.4. How do I get printer driver download working for OS/2 clients?</A ></H2 @@ -8725,7 +8805,7 @@ CLASS="REPLACEABLE" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN1859" +NAME="AEN1882" >Chapter 11. HOWTO Access Samba source code via CVS</A ></H1 ><DIV @@ -8733,7 +8813,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1866" +NAME="AEN1889" >11.1. Introduction</A ></H1 ><P @@ -8755,7 +8835,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1871" +NAME="AEN1894" >11.2. CVS Access to samba.org</A ></H1 ><P @@ -8768,7 +8848,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1874" +NAME="AEN1897" >11.2.1. Access via CVSweb</A ></H2 ><P @@ -8789,7 +8869,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1879" +NAME="AEN1902" >11.2.2. Access via cvs</A ></H2 ><P |
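Review bot: the rewritten opening sentence of 2.3.5 WINS Lookup (hunk @@ -2276,14 +2308,11 @@) still carries the typo "equivaent". Since this line is being replaced anyway, change it to "equivalent", and consider writing "rfc1001/1002" as "RFC 1001/1002".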
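Review bot: the new LanMan hash bullet in section 2.5 (hunk @@ -2407,35 +2436,47 @@) does not add up as written. A password padded or truncated to 14 bytes is already 112 bits, which is exactly two 56 bit DES keys, so "appended with 5 bytes of NULL characters" cannot belong to this step. That padding is applied to the 16 byte hash (giving 21 bytes, three DES keys) when the challenge response is computed, so either drop it here or move it to a sentence about the response. The same hunk also needs a spelling pass: "challenege", "requets", "trucated", and "The resulting 16 bytes for the LanMan hash" should read "form the LanMan hash". The phrase "(a.k.a. NTLMv1) or alone" is hard to parse and should be reworded.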
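Review bot: in the PROGRAMLISTING of hunk @@ -2467,19 +2510,65 @@ the link text is still "passsword level" (three s) although the anchor is #PASSWORDLEVEL; anyone copying the listing into smb.conf gets a parameter name that does not exist, so fix it to "password level". The new explanatory paragraphs have three slips that change the meaning: "Note that is the server OS uses" should be "if", "appear is a password" should be "in", and "Samba hash to compute the permutations" should be "has to". Since the text now states that a password level of 8 makes passwords case insensitive, it would help to say plainly that this weakens the passwords and costs login time, which is the argument the following paragraph relies on when it recommends encrypted passwords.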
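Review bot: the added advice in hunk @@ -2584,15 +2673,29 @@ that the Unix account "can be blocked to prevent logons by other than MS Windows clients by things such as setting an invalid shell" overstates what an invalid shell does. It only stops services that start the login shell; a service that authenticates against the account without spawning a shell is not affected. Suggest mentioning locking the account's Unix password as well, or wording it as blocking interactive shell logins. The phrase "by things such as" is also awkward; "for example by setting" reads better.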
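Review bot: the smb.conf listing moved into 2.5.3 (hunk @@ -2613,8 +2716,18 @@) keeps the misspelt placeholder "path = /somewhare/in/file/system". Because this block is meant to be copied, mark the path as a placeholder with a REPLACEABLE element, as the password level listing in this same commit does, and fix the spelling. The listing also mixes "##" and ";" comment styles; pick one. The matching removal in 2.6 drops "available = yes" without comment, which is fine if intentional but worth a word in the commit message.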