Diffstat (limited to 'docs/htmldocs')
-rw-r--r-- | docs/htmldocs/DOMAIN_MEMBER.html | 29 | ||||
-rw-r--r-- | docs/htmldocs/PAM-Authentication-And-Samba.html | 29 | ||||
-rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 1283 | ||||
-rw-r--r-- | docs/htmldocs/nmbd.8.html | 23 | ||||
-rw-r--r-- | docs/htmldocs/rpcclient.1.html | 2 | ||||
-rw-r--r-- | docs/htmldocs/samba-pdc-faq.html | 122 | ||||
-rw-r--r-- | docs/htmldocs/smb.conf.5.html | 856 | ||||
-rw-r--r-- | docs/htmldocs/smbd.8.html | 47 | ||||
-rw-r--r-- | docs/htmldocs/smbpasswd.8.html | 55 | ||||
-rw-r--r-- | docs/htmldocs/smbrun.1.html | 215 | ||||
-rw-r--r-- | docs/htmldocs/using_samba/licenseinfo.html | 12 | ||||
-rw-r--r-- | docs/htmldocs/using_samba/this_edition.html | 4 | ||||
-rw-r--r-- | docs/htmldocs/winbind.html | 28 | ||||
-rw-r--r-- | docs/htmldocs/winbindd.8.html | 44 |
14 files changed, 1744 insertions, 1005 deletions
diff --git a/docs/htmldocs/DOMAIN_MEMBER.html b/docs/htmldocs/DOMAIN_MEMBER.html index bb29c416eb4..b7ef4c9a61b 100644 --- a/docs/htmldocs/DOMAIN_MEMBER.html +++ b/docs/htmldocs/DOMAIN_MEMBER.html @@ -32,17 +32,7 @@ NAME="AEN3" >Joining an NT Domain with Samba 2.2</A ></H1 ><P ->In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - <I -CLASS="EMPHASIS" ->NOT</I -> as a Primary or backup domain controller.</P -><P ->Assume you have a Samba-2 server with a NetBIOS name of +>Assume you have a Samba 2.x server with a NetBIOS name of <TT CLASS="CONSTANT" >SERV1</TT @@ -74,13 +64,26 @@ CLASS="PROMPT" CLASS="USERINPUT" ><B >smbpasswd -j DOM -r DOMPDC - </B + -U<TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +></B ></TT ></P ><P >as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message:</P + is DOMPDC. The <TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</P ><P ><TT CLASS="COMPUTEROUTPUT" diff --git a/docs/htmldocs/PAM-Authentication-And-Samba.html b/docs/htmldocs/PAM-Authentication-And-Samba.html index 332a8a73499..6dc815b87bf 100644 --- a/docs/htmldocs/PAM-Authentication-And-Samba.html +++ b/docs/htmldocs/PAM-Authentication-And-Samba.html 
@@ -157,15 +157,24 @@ Samba implementation for your Unix/Linux system. The CLASS="FILENAME" >pam_smbpass.so</TT > module is provided by -Samba version 2.2.1 or later. It can be compiled only if the -<TT -CLASS="CONSTANT" ->--with-pam --with-pam_smbpass</TT -> options are both -provided to the Samba <B +Samba version 2.2.1 or later. It can be compiled by specifying the +<B CLASS="COMMAND" ->configure</B -> program.</P +>--with-pam_smbpass</B +> options when running Samba's +<TT +CLASS="FILENAME" +>configure</TT +> script. For more information +on the <TT +CLASS="FILENAME" +>pam_smbpass</TT +> module, see the documentation +in the <TT +CLASS="FILENAME" +>source/pam_smbpass</TT +> directory of the Samba +source distribution.</P ><P ><PRE CLASS="PROGRAMLISTING" @@ -235,7 +244,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN45" +NAME="AEN47" >Distributed Authentication</A ></H1 ><P @@ -268,7 +277,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN52" +NAME="AEN54" >PAM Configuration in smb.conf</A ></H1 ><P diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index c4e4b2c74b5..a7f23ace5ba 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -336,12 +336,12 @@ HREF="#AEN455" ></DT ><DT >3.2. <A -HREF="#AEN497" +HREF="#AEN499" >Distributed Authentication</A ></DT ><DT >3.3. <A -HREF="#AEN504" +HREF="#AEN506" >PAM Configuration in smb.conf</A ></DT ></DL @@ -355,14 +355,14 @@ HREF="#MSDFS" ><DL ><DT >4.1. <A -HREF="#AEN524" +HREF="#AEN526" >Instructions</A ></DT ><DD ><DL ><DT >4.1.1. <A -HREF="#AEN559" +HREF="#AEN561" >Notes</A ></DT ></DL 
@@ -378,53 +378,53 @@ HREF="#UNIX-PERMISSIONS" ><DL ><DT >5.1. <A -HREF="#AEN579" +HREF="#AEN581" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT >5.2. <A -HREF="#AEN588" +HREF="#AEN590" >How to view file security on a Samba share</A ></DT ><DT >5.3. <A -HREF="#AEN599" +HREF="#AEN601" >Viewing file ownership</A ></DT ><DT >5.4. <A -HREF="#AEN619" +HREF="#AEN621" >Viewing file or directory permissions</A ></DT ><DD ><DL ><DT >5.4.1. <A -HREF="#AEN634" +HREF="#AEN636" >File Permissions</A ></DT ><DT >5.4.2. <A -HREF="#AEN648" +HREF="#AEN650" >Directory Permissions</A ></DT ></DL ></DD ><DT >5.5. <A -HREF="#AEN655" +HREF="#AEN657" >Modifying file or directory permissions</A ></DT ><DT >5.6. <A -HREF="#AEN677" +HREF="#AEN679" >Interaction with the standard Samba create mask parameters</A ></DT ><DT >5.7. <A -HREF="#AEN741" +HREF="#AEN743" >Interaction with the standard Samba file attribute mapping</A ></DT 
@@ -439,75 +439,75 @@ HREF="#PRINTING" ><DL ><DT >6.1. <A -HREF="#AEN762" +HREF="#AEN764" >Introduction</A ></DT ><DT >6.2. <A -HREF="#AEN784" +HREF="#AEN786" >Configuration</A ></DT ><DD ><DL ><DT >6.2.1. <A -HREF="#AEN795" +HREF="#AEN797" >Creating [print$]</A ></DT ><DT >6.2.2. <A -HREF="#AEN830" +HREF="#AEN832" >Setting Drivers for Existing Printers</A ></DT ><DT >6.2.3. <A -HREF="#AEN847" +HREF="#AEN849" >Support a large number of printers</A ></DT ><DT >6.2.4. <A -HREF="#AEN858" +HREF="#AEN860" >Adding New Printers via the Windows NT APW</A ></DT ><DT >6.2.5. <A -HREF="#AEN883" +HREF="#AEN885" >Samba and Printer Ports</A ></DT ></DL ></DD ><DT >6.3. <A -HREF="#AEN891" +HREF="#AEN893" >The Imprints Toolset</A ></DT ><DD ><DL ><DT >6.3.1. <A -HREF="#AEN895" +HREF="#AEN897" >What is Imprints?</A ></DT ><DT >6.3.2. <A -HREF="#AEN905" +HREF="#AEN907" >Creating Printer Driver Packages</A ></DT ><DT >6.3.3. <A -HREF="#AEN908" +HREF="#AEN910" >The Imprints server</A ></DT ><DT >6.3.4. <A -HREF="#AEN912" +HREF="#AEN914" >The Installation Client</A ></DT ></DL ></DD ><DT >6.4. <A -HREF="#AEN934" +HREF="#AEN936" ><A NAME="MIGRATION" ></A @@ -524,17 +524,17 @@ HREF="#DOMAIN-SECURITY" ><DL ><DT >7.1. <A -HREF="#AEN988" +HREF="#AEN990" >Joining an NT Domain with Samba 2.2</A ></DT ><DT >7.2. <A -HREF="#AEN1052" +HREF="#AEN1054" >Samba and Windows 2000 Domains</A ></DT ><DT >7.3. <A -HREF="#AEN1057" +HREF="#AEN1059" >Why is this better than security = server?</A ></DT ></DL 
@@ -548,106 +548,111 @@ HREF="#SAMBA-PDC" ><DL ><DT >8.1. <A -HREF="#AEN1090" +HREF="#AEN1092" >Prerequisite Reading</A ></DT ><DT >8.2. <A -HREF="#AEN1096" +HREF="#AEN1098" >Background</A ></DT ><DT >8.3. <A -HREF="#AEN1138" +HREF="#AEN1137" >Configuring the Samba Domain Controller</A ></DT ><DT >8.4. <A HREF="#AEN1180" ->Creating Machine Trust Accounts and Joining Clients -to the Domain</A +>Creating Machine Trust Accounts and Joining Clients to the +Domain</A ></DT ><DD ><DL ><DT >8.4.1. <A -HREF="#AEN1194" ->Manually creating machine trust accounts</A +HREF="#AEN1199" +>Manual Creation of Machine Trust Accounts</A ></DT ><DT >8.4.2. <A -HREF="#AEN1225" ->Creating machine trust accounts "on the fly"</A +HREF="#AEN1234" +>"On-the-Fly" Creation of Machine Trust Accounts</A +></DT +><DT +>8.4.3. <A +HREF="#AEN1243" +>Joining the Client to the Domain</A ></DT ></DL ></DD ><DT >8.5. <A -HREF="#AEN1236" +HREF="#AEN1258" >Common Problems and Errors</A ></DT ><DT >8.6. <A -HREF="#AEN1284" +HREF="#AEN1306" >System Policies and Profiles</A ></DT ><DT >8.7. <A -HREF="#AEN1328" ->What other help can I get ?</A +HREF="#AEN1350" +>What other help can I get?</A ></DT ><DT >8.8. <A -HREF="#AEN1442" +HREF="#AEN1464" >Domain Control for Windows 9x/ME</A ></DT ><DD ><DL ><DT >8.8.1. <A -HREF="#AEN1472" +HREF="#AEN1490" >Configuration Instructions: Network Logons</A ></DT ><DT >8.8.2. <A -HREF="#AEN1506" +HREF="#AEN1509" >Configuration Instructions: Setting up Roaming User Profiles</A ></DT ><DD ><DL ><DT >8.8.2.1. <A -HREF="#AEN1514" +HREF="#AEN1517" >Windows NT Configuration</A ></DT ><DT >8.8.2.2. <A -HREF="#AEN1522" +HREF="#AEN1525" >Windows 9X Configuration</A ></DT ><DT >8.8.2.3. <A -HREF="#AEN1530" +HREF="#AEN1533" >Win9X and WinNT Configuration</A ></DT ><DT >8.8.2.4. <A -HREF="#AEN1537" +HREF="#AEN1540" >Windows 9X Profile Setup</A ></DT ><DT >8.8.2.5. <A -HREF="#AEN1573" +HREF="#AEN1576" >Windows NT Workstation 4.0</A ></DT ><DT >8.8.2.6. 
<A -HREF="#AEN1586" +HREF="#AEN1589" >Windows NT Server</A ></DT ><DT >8.8.2.7. <A -HREF="#AEN1589" +HREF="#AEN1592" >Sharing Profiles between W95 and NT Workstation 4.0</A ></DT ></DL @@ -656,7 +661,7 @@ HREF="#AEN1589" ></DD ><DT >8.9. <A -HREF="#AEN1599" +HREF="#AEN1602" >DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A ></DT ></DL 
@@ -670,119 +675,126 @@ HREF="#WINBIND" ><DL ><DT >9.1. <A -HREF="#AEN1642" +HREF="#AEN1652" >Abstract</A ></DT ><DT >9.2. <A -HREF="#AEN1646" +HREF="#AEN1656" >Introduction</A ></DT ><DT >9.3. <A -HREF="#AEN1659" +HREF="#AEN1669" >What Winbind Provides</A ></DT ><DD ><DL ><DT >9.3.1. <A -HREF="#AEN1666" +HREF="#AEN1676" >Target Uses</A ></DT ></DL ></DD ><DT >9.4. <A -HREF="#AEN1670" +HREF="#AEN1680" >How Winbind Works</A ></DT ><DD ><DL ><DT >9.4.1. <A -HREF="#AEN1675" +HREF="#AEN1685" >Microsoft Remote Procedure Calls</A ></DT ><DT >9.4.2. <A -HREF="#AEN1679" +HREF="#AEN1689" >Name Service Switch</A ></DT ><DT >9.4.3. <A -HREF="#AEN1695" +HREF="#AEN1705" >Pluggable Authentication Modules</A ></DT ><DT >9.4.4. <A -HREF="#AEN1703" +HREF="#AEN1713" >User and Group ID Allocation</A ></DT ><DT >9.4.5. <A -HREF="#AEN1707" +HREF="#AEN1717" >Result Caching</A ></DT ></DL ></DD ><DT >9.5. <A -HREF="#AEN1710" +HREF="#AEN1720" >Installation and Configuration</A ></DT ><DD ><DL ><DT >9.5.1. <A -HREF="#AEN1715" +HREF="#AEN1725" >Introduction</A ></DT ><DT >9.5.2. <A -HREF="#AEN1728" +HREF="#AEN1738" >Requirements</A ></DT ><DT >9.5.3. <A -HREF="#AEN1736" +HREF="#AEN1752" >Testing Things Out</A ></DT ><DD ><DL ><DT >9.5.3.1. <A -HREF="#AEN1745" +HREF="#AEN1763" >Configure and compile SAMBA</A ></DT ><DT >9.5.3.2. <A -HREF="#AEN1757" ->Configure nsswitch.conf and the winbind libraries</A +HREF="#AEN1782" +>Configure <TT +CLASS="FILENAME" +>nsswitch.conf</TT +> and the +winbind libraries</A ></DT ><DT >9.5.3.3. <A -HREF="#AEN1776" +HREF="#AEN1807" >Configure smb.conf</A ></DT ><DT >9.5.3.4. <A -HREF="#AEN1785" +HREF="#AEN1823" >Join the SAMBA server to the PDC domain</A ></DT ><DT >9.5.3.5. <A -HREF="#AEN1795" +HREF="#AEN1834" >Start up the winbindd daemon and test it!</A ></DT ><DT >9.5.3.6. <A -HREF="#AEN1822" ->Fix the /etc/rc.d/init.d/smb startup files</A +HREF="#AEN1870" +>Fix the <TT +CLASS="FILENAME" +>/etc/rc.d/init.d/smb</TT +> startup files</A ></DT ><DT >9.5.3.7. 
<A -HREF="#AEN1839" +HREF="#AEN1892" >Configure Winbind and PAM</A ></DT ></DL @@ -791,12 +803,12 @@ HREF="#AEN1839" ></DD ><DT >9.6. <A -HREF="#AEN1880" +HREF="#AEN1939" >Limitations</A ></DT ><DT >9.7. <A -HREF="#AEN1890" +HREF="#AEN1949" >Conclusion</A ></DT ></DL @@ -810,32 +822,32 @@ HREF="#OS2" ><DL ><DT >10.1. <A -HREF="#AEN1904" +HREF="#AEN1963" >FAQs</A ></DT ><DD ><DL ><DT >10.1.1. <A -HREF="#AEN1906" +HREF="#AEN1965" >How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></DT ><DT >10.1.2. <A -HREF="#AEN1921" +HREF="#AEN1980" >How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></DT ><DT >10.1.3. <A -HREF="#AEN1930" +HREF="#AEN1989" >Are there any other issues when OS/2 (any version) is used as a client?</A ></DT ><DT >10.1.4. <A -HREF="#AEN1934" +HREF="#AEN1993" >How do I get printer driver download working for OS/2 clients?</A ></DT @@ -852,24 +864,24 @@ HREF="#CVS-ACCESS" ><DL ><DT >11.1. <A -HREF="#AEN1950" +HREF="#AEN2009" >Introduction</A ></DT ><DT >11.2. <A -HREF="#AEN1955" +HREF="#AEN2014" >CVS Access to samba.org</A ></DT ><DD ><DL ><DT >11.2.1. <A -HREF="#AEN1958" +HREF="#AEN2017" >Access via CVSweb</A ></DT ><DT >11.2.2. <A -HREF="#AEN1963" +HREF="#AEN2022" >Access via cvs</A ></DT ></DL @@ -878,7 +890,7 @@ HREF="#AEN1963" ></DD ><DT ><A -HREF="#AEN1991" +HREF="#AEN2050" >Index</A ></DT ></DL 
@@ -3034,15 +3046,24 @@ Samba implementation for your Unix/Linux system. The CLASS="FILENAME" >pam_smbpass.so</TT > module is provided by -Samba version 2.2.1 or later. It can be compiled only if the -<TT -CLASS="CONSTANT" ->--with-pam --with-pam_smbpass</TT -> options are both -provided to the Samba <B +Samba version 2.2.1 or later. It can be compiled by specifying the +<B CLASS="COMMAND" ->configure</B -> program.</P +>--with-pam_smbpass</B +> options when running Samba's +<TT +CLASS="FILENAME" +>configure</TT +> script. For more information +on the <TT +CLASS="FILENAME" +>pam_smbpass</TT +> module, see the documentation +in the <TT +CLASS="FILENAME" +>source/pam_smbpass</TT +> directory of the Samba +source distribution.</P ><P ><TABLE BORDER="0" @@ -3139,7 +3160,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN497" +NAME="AEN499" >3.2. Distributed Authentication</A ></H1 ><P @@ -3172,7 +3193,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN504" +NAME="AEN506" >3.3. PAM Configuration in smb.conf</A ></H1 ><P @@ -3220,7 +3241,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN524" +NAME="AEN526" >4.1. Instructions</A ></H1 ><P @@ -3377,7 +3398,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN559" +NAME="AEN561" >4.1.1. Notes</A ></H2 ><P @@ -3418,7 +3439,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN579" +NAME="AEN581" >5.1. Viewing and changing UNIX permissions using the NT security dialogs</A ></H1 @@ -3457,7 +3478,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN588" +NAME="AEN590" >5.2. How to view file security on a Samba share</A ></H1 ><P @@ -3503,7 +3524,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN599" +NAME="AEN601" >5.3. Viewing file ownership</A ></H1 ><P @@ -3589,7 +3610,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN619" +NAME="AEN621" >5.4. Viewing file or directory permissions</A ></H1 ><P 
@@ -3651,7 +3672,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN634" +NAME="AEN636" >5.4.1. File Permissions</A ></H2 ><P @@ -3713,7 +3734,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN648" +NAME="AEN650" >5.4.2. Directory Permissions</A ></H2 ><P @@ -3745,7 +3766,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN655" +NAME="AEN657" >5.5. Modifying file or directory permissions</A ></H1 ><P @@ -3843,7 +3864,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN677" +NAME="AEN679" >5.6. Interaction with the standard Samba create mask parameters</A ></H1 @@ -4116,7 +4137,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN741" +NAME="AEN743" >5.7. Interaction with the standard Samba file attribute mapping</A ></H1 @@ -4171,7 +4192,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN762" +NAME="AEN764" >6.1. Introduction</A ></H1 ><P @@ -4255,7 +4276,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN784" +NAME="AEN786" >6.2. Configuration</A ></H1 ><DIV @@ -4323,7 +4344,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN795" +NAME="AEN797" >6.2.1. Creating [print$]</A ></H2 ><P @@ -4524,7 +4545,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN830" +NAME="AEN832" >6.2.2. Setting Drivers for Existing Printers</A ></H2 ><P @@ -4596,7 +4617,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN847" +NAME="AEN849" >6.2.3. Support a large number of printers</A ></H2 ><P @@ -4671,7 +4692,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN858" +NAME="AEN860" >6.2.4. Adding New Printers via the Windows NT APW</A ></H2 ><P @@ -4777,7 +4798,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN883" +NAME="AEN885" >6.2.5. Samba and Printer Ports</A ></H2 ><P @@ -4814,7 +4835,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN891" +NAME="AEN893" >6.3. The Imprints Toolset</A ></H1 ><P @@ -4832,7 +4853,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN895" +NAME="AEN897" >6.3.1. What is Imprints?</A ></H2 ><P 
@@ -4864,7 +4885,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN905" +NAME="AEN907" >6.3.2. Creating Printer Driver Packages</A ></H2 ><P @@ -4880,7 +4901,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN908" +NAME="AEN910" >6.3.3. The Imprints server</A ></H2 ><P @@ -4900,7 +4921,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN912" +NAME="AEN914" >6.3.4. The Installation Client</A ></H2 ><P @@ -5003,7 +5024,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN934" +NAME="AEN936" >6.4. <A NAME="MIGRATION" ></A @@ -5167,20 +5188,11 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN988" +NAME="AEN990" >7.1. Joining an NT Domain with Samba 2.2</A ></H1 ><P ->In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - <EM ->NOT</EM -> as a Primary or backup domain controller.</P -><P ->Assume you have a Samba-2 server with a NetBIOS name of +>Assume you have a Samba 2.x server with a NetBIOS name of <TT CLASS="CONSTANT" >SERV1</TT @@ -5212,13 +5224,26 @@ CLASS="PROMPT" CLASS="USERINPUT" ><B >smbpasswd -j DOM -r DOMPDC - </B + -U<TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +></B ></TT ></P ><P >as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message:</P + is DOMPDC. The <TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</P ><P ><TT CLASS="COMPUTEROUTPUT" 
@@ -5394,7 +5419,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1052" +NAME="AEN1054" >7.2. Samba and Windows 2000 Domains</A ></H1 ><P @@ -5419,7 +5444,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1057" +NAME="AEN1059" >7.3. Why is this better than security = server?</A ></H1 ><P @@ -5513,7 +5538,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1090" +NAME="AEN1092" >8.1. Prerequisite Reading</A ></H1 ><P @@ -5541,7 +5566,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1096" +NAME="AEN1098" >8.2. Background</A ></H1 ><DIV 
@@ -5552,32 +5577,33 @@ CLASS="NOTE" ><B >Note: </B ><EM ->Author's Note :</EM +>Author's Note:</EM > This document is a combination -of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. +of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". Both documents are superseded by this one.</P ></BLOCKQUOTE ></DIV ><P ->Version of Samba prior to release 2.2 had marginal capabilities to -act as a Windows NT 4.0 Primary DOmain Controller (PDC). Beginning with -Samba 2.2.0, we are proud to announce official support for Windows NT 4.0 -style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through -SP1) clients. This article outlines the steps necessary for configuring Samba -as a PDC. It is necessary to have a working Samba server prior to implementing the -PDC functionality. If you have not followed the steps outlined in -<A +>Versions of Samba prior to release 2.2 had marginal capabilities to act +as a Windows NT 4.0 Primary Domain Controller + +(PDC). With Samba 2.2.0, we are proud to announce official support for +Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows +2000 clients. This article outlines the steps +necessary for configuring Samba as a PDC. It is necessary to have a +working Samba server prior to implementing the PDC functionality. If +you have not followed the steps outlined in <A HREF="UNIX_INSTALL.html" TARGET="_top" > UNIX_INSTALL.html</A ->, please make sure -that your server is configured correctly before proceeding. Another good -resource in the <A +>, please make sure +that your server is configured correctly before proceeding. Another +good resource in the <A HREF="smb.conf.5.html" TARGET="_top" ->smb.conf(5) man +>smb.conf(5) man page</A ->. The following functionality should work in 2.2:</P +>. The following functionality should work in 2.2:</P ><P ></P ><UL 
@@ -5604,36 +5630,10 @@ page</A ></LI ><LI ><P -> Windows NT 4.0 style system policies +> Windows NT 4.0-style system policies </P ></LI ></UL -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Windows 2000 Service Pack 2 Clients</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> Samba 2.2.1 is required for PDC functionality when using Windows 2000 - SP2 clients. - </P -></TD -></TR -></TABLE -></DIV ><P >The following pieces of functionality are not included in the 2.2 release:</P ><P @@ -5665,7 +5665,7 @@ ALIGN="LEFT" ><P >Please note that Windows 9x clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for -support Windows 9x style domain logons is completely different +support Windows 9x-style domain logons is completely different from NT4 domain logons and has been officially supported for some time.</P ><P @@ -5698,7 +5698,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1138" +NAME="AEN1137" >8.3. Configuring the Samba Domain Controller</A ></H1 ><P @@ -5713,7 +5713,10 @@ man page</A >. For convenience, the parameters have been linked with the actual smb.conf description.</P ><P ->Here is an example smb.conf for acting as a PDC:</P +>Here is an example <TT +CLASS="FILENAME" +>smb.conf</TT +> for acting as a PDC:</P ><P ><TABLE BORDER="0" @@ -5825,10 +5828,10 @@ TARGET="_top" >path</A > = /usr/local/samba/lib/netlogon <A -HREF="smb.conf.5.html#WRITEABLE" +HREF="smb.conf.5.html#READONLY" TARGET="_top" ->writeable</A -> = no +>read only</A +> = yes <A HREF="smb.conf.5.html#WRITELIST" TARGET="_top" @@ -5848,10 +5851,10 @@ TARGET="_top" >path</A > = /export/smb/ntprofile <A -HREF="smb.conf.5.html#WRITEABLE" +HREF="smb.conf.5.html#READONLY" TARGET="_top" ->writeable</A -> = yes +>read only</A +> = no <A HREF="smb.conf.5.html#CREATEMASK" TARGET="_top" 
@@ -5900,15 +5903,16 @@ CLASS="FILENAME" ></LI ></UL ><P ->As Samba 2.2 does not offer a complete implementation of group mapping between -Windows NT groups and UNIX groups (this is really quite complicated to explain -in a short space), you should refer to the <A +>As Samba 2.2 does not offer a complete implementation of group mapping +between Windows NT groups and Unix groups (this is really quite +complicated to explain in a short space), you should refer to the +<A HREF="smb.conf.5.html#DOMAINADMINGROUP" TARGET="_top" ->domain -admin group</A -> smb.conf parameter for information of creating "Domain Admins" -style accounts.</P +>domain admin +group</A +> smb.conf parameter for information of creating "Domain +Admins" style accounts.</P ></DIV ><DIV CLASS="SECT1" 
@@ -5916,56 +5920,72 @@ CLASS="SECT1" CLASS="SECT1" ><A NAME="AEN1180" ->8.4. Creating Machine Trust Accounts and Joining Clients -to the Domain</A +>8.4. Creating Machine Trust Accounts and Joining Clients to the +Domain</A ></H1 ><P ->A machine trust account is a samba user account owned by a computer. -The account password acts as the shared secret for secure -communication with the Domain Controller. This is a security feature -to prevent an unauthorized machine with the same NetBIOS name from -joining the domain and gaining access to domain user/group accounts. -Hence a Windows 9x host is never a true member of a domain because it does -not posses a machine trust account, and thus has no shared secret with the DC.</P +>A machine trust account is a Samba account that is used to +authenticate a client machine (rather than a user) to the Samba +server. In Windows terminology, this is known as a "Computer +Account."</P +><P +>The password of a machine trust account acts as the shared secret for +secure communication with the Domain Controller. This is a security +feature to prevent an unauthorized machine with the same NetBIOS name +from joining the domain and gaining access to domain user/group +accounts. Windows NT and 2000 clients use machine trust accounts, but +Windows 9x clients do not. Hence, a Windows 9x client is never a true +member of a domain because it does not possess a machine trust +account, and thus has no shared secret with the domain controller.</P +><P +>A Windows PDC stores each machine trust account in the Windows +Registry. A Samba PDC, however, stores each machine trust account +in two parts, as follows: + +<P +></P +><UL +><LI ><P ->On a Windows NT PDC, these machine trust account passwords are stored -in the registry. 
A Samba PDC stores these accounts in the same location -as user LanMan and NT password hashes (currently <TT +>A Samba account, stored in the same location as user + LanMan and NT password hashes (currently + <TT CLASS="FILENAME" >smbpasswd</TT ->). -However, machine trust accounts only possess and use the NT password hash.</P +>). The Samba account + possesses and uses only the NT password hash.</P +></LI +><LI ><P ->Because Samba requires machine accounts to possess a UNIX uid from -which an Windows NT SID can be generated, all of these accounts -must have an entry in <TT +>A corresponding Unix account, typically stored in + <TT CLASS="FILENAME" >/etc/passwd</TT -> and smbpasswd. -Future releases will alleviate the need to create -<TT +>. (Future releases will alleviate the need to + create <TT CLASS="FILENAME" >/etc/passwd</TT -> entries. </P +> entries.) </P +></LI +></UL +></P ><P ->There are two means of creating machine trust accounts.</P +>There are two ways to create machine trust accounts:</P ><P ></P ><UL ><LI ><P -> Manual creation before joining the client to the domain. In this case, - the password is set to a known value -- the lower case of the - machine's NetBIOS name. - </P +> Manual creation. Both the Samba and corresponding + Unix account are created by hand.</P ></LI ><LI ><P -> Creation of the account at the time of joining the domain. In - this case, the session key of the administrative account used to join - the client to the domain acts as an encryption key for setting the - password to a random value (This is the recommended method). - </P +> "On-the-fly" creation. The Samba machine trust + account is automatically created by Samba at the time the client + is joined to the domain. (For security, this is the + recommended method.) The corresponding Unix account may be + created automatically or manually. </P ></LI ></UL ><DIV 
@@ -5973,22 +5993,28 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1194" ->8.4.1. Manually creating machine trust accounts</A +NAME="AEN1199" +>8.4.1. Manual Creation of Machine Trust Accounts</A ></H2 ><P ->The first step in creating a machine trust account by hand is to -create an entry for the machine in /etc/passwd. This can be done -using <B +>The first step in manually creating a machine trust account is to +manually create the corresponding Unix account in +<TT +CLASS="FILENAME" +>/etc/passwd</TT +>. This can be done using +<B CLASS="COMMAND" >vipw</B -> or any 'add userr' command which is normally -used to create new UNIX accounts. The following is an example for a Linux -based Samba server:</P +> or other 'add user' command that is normally +used to create new Unix accounts. The following is an example for a +Linux based Samba server:</P ><P -><TT +> <TT CLASS="PROMPT" >root# </TT +><B +CLASS="COMMAND" >/usr/sbin/useradd -g 100 -d /dev/null -c <TT CLASS="REPLACEABLE" ><I @@ -6000,28 +6026,32 @@ CLASS="REPLACEABLE" ><I >machine_name</I ></TT ->$ </P +>$ </B +></P ><P ><TT CLASS="PROMPT" >root# </TT +><B +CLASS="COMMAND" >passwd -l <TT CLASS="REPLACEABLE" ><I >machine_name</I ></TT ->$</P +>$</B +></P ><P >The <TT CLASS="FILENAME" >/etc/passwd</TT > entry will list the machine name -with a $ appended, won't have a passwd, will have a null shell and no -home directory. For example a machine called 'doppy' would have an +with a "$" appended, won't have a password, will have a null shell and no +home directory. For example a machine named 'doppy' would have an <TT CLASS="FILENAME" >/etc/passwd</TT -> entry like this :</P +> entry like this:</P ><P ><TABLE BORDER="0" 
@@ -6047,19 +6077,21 @@ CLASS="REPLACEABLE" ><I >machine_nickname</I ></TT -> can be any descriptive name for the -pc i.e. BasementComputer. The <TT +> can be any +descriptive name for the client, i.e., BasementComputer. +<TT CLASS="REPLACEABLE" ><I >machine_name</I ></TT -> absolutely must be -the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS -name of the pc or samba will not recognize this as a machine account</P -><P ->Now that the UNIX account has been created, the next step is to create -the smbpasswd entry for the machine containing the well known initial -trust account password. This can be done using the <A +> absolutely must be the NetBIOS +name of the client to be joined to the domain. The "$" must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a machine trust account.</P +><P +>Now that the corresponding Unix account has been created, the next step is to create +the Samba account for the client containing the well-known initial +machine trust account password. This can be done using the <A HREF="smbpasswd.6.html" TARGET="_top" ><B @@ -6072,11 +6104,14 @@ as shown here:</P ><TT CLASS="PROMPT" >root# </TT -> smbpasswd -a -m <TT +><B +CLASS="COMMAND" +>smbpasswd -a -m <TT CLASS="REPLACEABLE" ><I >machine_name</I ></TT +></B ></P ><P >where <TT @@ -6085,7 +6120,8 @@ CLASS="REPLACEABLE" >machine_name</I ></TT > is the machine's NetBIOS -name. </P +name. The RID of the new machine account is generated from the UID of +the corresponding Unix account.</P ><DIV CLASS="WARNING" ><P 
@@ -6106,9 +6142,9 @@ ALIGN="CENTER" ALIGN="LEFT" ><P > Manually creating a machine trust account using this method is the - equivalent of creating a machine account on a Windows NT PDC using + equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created - to the time which th client joins the domain and changes the password, + to the time which the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user @@ -6124,18 +6160,30 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1225" ->8.4.2. Creating machine trust accounts "on the fly"</A +NAME="AEN1234" +>8.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A ></H2 ><P ->The second, and most recommended way of creating machine trust accounts -is to create them as needed at the time the client is joined to -the domain. You will need to include a value for the <A +>The second (and recommended) way of creating machine trust accounts is +simply to allow the Samba server to create them as needed when the client +is joined to the domain. </P +><P +>Since each Samba machine trust account requires a corresponding +Unix account, a method for automatically creating the +Unix account is usually supplied; this requires configuration of the +<A HREF="smb.conf.5.html#ADDUSERSCRIPT" TARGET="_top" >add user script</A -> -parameter. Below is an example from a RedHat 6.2 Linux system.</P +> +option in <TT +CLASS="FILENAME" +>smb.conf</TT +>. This +method is not required, however; corresponding Unix accounts may also +be created manually.</P +><P +>Below is an example for a RedHat 6.2 Linux system.</P ><P ><TABLE BORDER="0" 
@@ -6145,26 +6193,72 @@ WIDTH="100%" ><TD ><PRE CLASS="PROGRAMLISTING" ->add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE +>[global] + # <...remainder of parameters...> + add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE ></TD ></TR ></TABLE ></P +></DIV +><DIV +CLASS="SECT2" +><HR><H2 +CLASS="SECT2" +><A +NAME="AEN1243" +>8.4.3. Joining the Client to the Domain</A +></H2 +><P +>The procedure for joining a client to the domain varies with the +version of Windows.</P +><P +></P +><UL +><LI ><P ->In Samba 2.2.1, <EM ->only the root account</EM -> can be used to create -machine accounts like this. Therefore, it is required to create -an entry in smbpasswd for <EM ->root</EM ->. The password -<EM ->SHOULD</EM -> be set to a different password that the -associated <TT +><EM +>Windows 2000</EM +></P +><P +> When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A + Samba administrative account (i.e., a Samba account that has root + privileges on the Samba server) must be entered here; the + operation will fail if an ordinary user account is given. + The password for this account should be + set to a different password than the associated + <TT CLASS="FILENAME" >/etc/passwd</TT -> entry for security reasons.</P +> entry, for security + reasons. </P +><P +>The session key of the Samba administrative account acts as an + encryption key for setting the password of the machine trust + account. The machine trust account will be created on-the-fly, or + updated if it already exists.</P +></LI +><LI +><P +><EM +>Windows NT</EM +></P +><P +> If the machine trust account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box "Create a Computer Account in the Domain." 
In this case, + the existing machine trust account is used to join the machine to + the domain.</P +><P +> If the machine trust account is to be created + on-the-fly, on the Identification Changes menu enter the domain + name, and check the box "Create a Computer Account in the Domain." In + this case, joining the domain proceeds as above for Windows 2000 + (i.e., you must supply a Samba administrative account when + prompted).</P +></LI +></UL ></DIV ></DIV ><DIV @@ -6172,7 +6266,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1236" +NAME="AEN1258" >8.5. Common Problems and Errors</A ></H1 ><P @@ -6192,7 +6286,7 @@ CLASS="FILENAME" >/etc/passwd</TT > of the machine name with a '$' appended. FreeBSD (and other BSD - systems ?) won't create a user with a '$' in their name. + systems?) won't create a user with a '$' in their name. </P ><P > The problem is only in the program used to make the entry, once @@ -6202,7 +6296,7 @@ CLASS="COMMAND" >vipw</B > to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a - unique uid ! + unique User ID ! </P ></LI ><LI @@ -6210,11 +6304,11 @@ CLASS="COMMAND" > <EM >I get told "You already have a connection to the Domain...." or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine account.</EM + existing set.." when creating a machine trust account.</EM > </P ><P -> This happens if you try to create a machine account from the +> This happens if you try to create a machine trust account from the machine itself and already have a connection (e.g. mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections: 
@@ -6266,17 +6360,17 @@ CLASS="COMMAND" ><LI ><P > <EM ->The machine account for this computer either does not +>The machine trust account for this computer either does not exist or is not accessible.</EM > </P ><P > When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". Whats + for this computer either does not exist or is not accessible". What's wrong? </P ><P -> This problem is caused by the PDC not having a suitable machine account. +> This problem is caused by the PDC not having a suitable machine trust account. If you are using the <TT CLASS="PARAMETER" ><I @@ -6289,7 +6383,7 @@ CLASS="PARAMETER" ><P > Alternatively if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry - correct for the machine account in smbpasswd file on the Samba PDC. + correct for the machine trust account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a '$' appended to it ( i.e. computer_name$ ). There must be an entry @@ -6371,7 +6465,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1284" +NAME="AEN1306" >8.6. System Policies and Profiles</A ></H1 ><P @@ -6392,7 +6486,7 @@ Profiles and Policies in Windows NT 4.0</A ><LI ><P > <EM ->What about Windows NT Policy Editor ?</EM +>What about Windows NT Policy Editor?</EM > </P ><P @@ -6451,7 +6545,7 @@ CLASS="COMMAND" ><LI ><P > <EM ->Can Win95 do Policies ?</EM +>Can Win95 do Policies?</EM > </P ><P @@ -6482,7 +6576,7 @@ CLASS="FILENAME" </P ><P > Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager' ? + the 'User Manager for Domains', the 'Server Manager'? </P ><P > Microsoft distributes a version of these tools called nexus for 
@@ -6528,8 +6622,8 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1328" ->8.7. What other help can I get ?</A +NAME="AEN1350" +>8.7. What other help can I get?</A ></H1 ><P >There are many sources of information available in the form @@ -6592,7 +6686,7 @@ HREF="http://www.tcpdump.org/" TARGET="_top" >http://www.tcpdup.org/</A >. - Ethereal, another good packet sniffer for UNIX and Win32 + Ethereal, another good packet sniffer for Unix and Win32 hosts, can be downloaded from <A HREF="http://www.ethereal.com/" TARGET="_top" @@ -6789,7 +6883,7 @@ TARGET="_top" ><LI ><P > <EM ->How do I get help from the mailing lists ?</EM +>How do I get help from the mailing lists?</EM > </P ><P @@ -6881,14 +6975,14 @@ TARGET="_top" >Please think carefully before attaching a document to an email. Consider pasting the relevant parts into the body of the message. The samba mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory ?</P + smb.conf in their attach directory?</P ></LI ></UL ></LI ><LI ><P > <EM ->How do I get off the mailing lists ?</EM +>How do I get off the mailing lists?</EM > </P ><P @@ -6924,7 +7018,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1442" +NAME="AEN1464" >8.8. Domain Control for Windows 9x/ME</A ></H1 ><DIV @@ -6936,8 +7030,10 @@ CLASS="NOTE" >Note: </B >The following section contains much of the original DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book Special -Edition, Using Samba. (Richard Sharpe)</P +the material is based on what went into the book <EM +>Special +Edition, Using Samba</EM +>, by Richard Sharpe.</P ></BLOCKQUOTE ></DIV ><P 
@@ -6952,11 +7048,12 @@ other systems based on NT server support this, as does at least Samba TNG now).< server in the domain should accept the same authentication information. Network browsing functionality of domains and workgroups is identical and is explained in BROWSING.txt. It should be noted, that browsing -is total orthogonal to logon support.</P +is totally orthogonal to logon support.</P ><P >Issues related to the single-logon network model are discussed in this -document. Samba supports domain logons, network logon scripts, and user -profiles for MS Windows for workgroups and MS Windows 9X clients.</P +section. Samba supports domain logons, network logon scripts, and user +profiles for MS Windows for workgroups and MS Windows 9X/ME clients +which will be the focus of this section.</P ><P >When an SMB client in a domain wishes to logon it broadcast requests for a logon server. The first one to reply gets the job, and validates its 
@@ -6967,37 +7064,12 @@ servers advertising themselves as participating in a domain. This demonstrates how authentication is quite different from but closely involved with domains.</P ><P ->Another thing commonly associated with single-logon domains is remote -administration over the SMB protocol. Again, there is no reason why this -cannot be implemented with an underlying username database which is -different from the Windows NT SAM. Support for the Remote Administration -Protocol is planned for a future release of Samba.</P -><P ->Network logon support as discussed in this section is aimed at Window for -Workgroups, and Windows 9X clients. </P -><P ->Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51. -It is possible to specify: the profile location; script file to be loaded -on login; the user's home directory; and for NT a kick-off time could also -now easily be supported. However, there are some differences between Win9X -profile support and WinNT profile support. These are discussed below.</P -><P ->With NT Workstations, all this does not require the use or intervention of -an NT 4.0 or NT 3.51 server: Samba can now replace the logon services -provided by an NT server, to a limited and experimental degree (for example, -running "User Manager for Domains" will not provide you with access to -a domain created by a Samba Server).</P -><P ->With Win95, the help of an NT server can be enlisted, both for profile storage -and for user authentication. For details on user authentication, see -security_level.txt. 
For details on profile storage, see below.</P -><P >Using these features you can make your clients verify their logon via the Samba server; make clients run a batch file when they logon to the network and download their preferences, desktop and start menu.</P ><P ->Before launching into the configuration instructions, it is worthwhile looking -at how a Win9X client performs a logon:</P +>Before launching into the configuration instructions, it is +worthwhile lookingat how a Windows 9x/ME client performs a logon:</P ><P ></P ><OL @@ -7005,7 +7077,7 @@ TYPE="1" ><LI ><P > The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS address DOMAIN<00> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. 
@@ -7060,122 +7132,27 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1472" +NAME="AEN1490" >8.8.1. Configuration Instructions: Network Logons</A ></H2 ><P ->To use domain logons and profiles you need to do the following:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Create a share called [netlogon] in your smb.conf. This share should - be readable by all users, and probably should not be writeable. This - share will hold your network logon scripts, and the CONFIG.POL file - (Note: for details on the CONFIG.POL file, how to use it, what it is, - refer to the Microsoft Windows NT Administration documentation. - The format of these files is not known, so you will need to use - Microsoft tools). - </P -><P -> For example I have used: - </P -><P -><TABLE -BORDER="0" -BGCOLOR="#E0E0E0" -WIDTH="90%" -><TR -><TD -><PRE -CLASS="PROGRAMLISTING" ->[netlogon] - path = /data/dos/netlogon - writeable = no - guest ok = no</PRE -></TD -></TR -></TABLE -></P -><P -> Note that it is important that this share is not writeable by ordinary - users, in a secure environment: ordinary users should not be allowed - to modify or add files that another user's computer would then download - when they log in. - </P -></LI -><LI -><P -> in the [global] section of smb.conf set the following: - </P -><P -><TABLE -BORDER="0" -BGCOLOR="#E0E0E0" -WIDTH="90%" -><TR -><TD -><PRE -CLASS="PROGRAMLISTING" ->domain logons = yes -logon script = %U.bat - </PRE -></TD -></TR -></TABLE -></P -><P -> The choice of batch file is, of course, up to you. The above would - give each user a separate batch file as the %U will be changed to - their username automatically. The other standard % macros may also be - used. 
You can make the batch files come from a subdirectory by using - something like: - </P +>The main difference between a PDC and a Windows 9x logon +server configuration is that</P ><P -><TABLE -BORDER="0" -BGCOLOR="#E0E0E0" -WIDTH="90%" -><TR -><TD -><PRE -CLASS="PROGRAMLISTING" ->logon script = scripts\%U.bat - </PRE -></TD -></TR -></TABLE ></P -></LI +><UL ><LI ><P -> create the batch files to be run when the user logs in. If the batch - file doesn't exist then no batch file will be run. - </P -><P -> In the batch files you need to be careful to use DOS style cr/lf line - endings. If you don't then DOS may get confused. I suggest you use a - DOS editor to remotely edit the files if you don't know how to produce - DOS style files under unix. - </P +>Password encryption is not required for a Windows 9x logon server.</P ></LI ><LI ><P -> Use smbclient with the -U option for some users to make sure that - the \\server\NETLOGON share is available, the batch files are - visible and they are readable by the users. - </P +>Windows 9x/ME clients do not possess machine trust accounts.</P ></LI -><LI +></UL ><P -> you will probably find that your clients automatically mount the - \\SERVER\NETLOGON share as drive z: while logging in. You can put - some useful programs there to execute from the batch files. - </P -></LI -></OL +>Therefore, a Samba PDC will also act as a Windows 9x logon +server.</P ><DIV CLASS="WARNING" ><P @@ -7215,7 +7192,7 @@ CLASS="CONSTANT" > mode security is really just a variation on SMB user level security.</P ><P ->Actually, this issue is also closer tied to the debate on whether +>Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons 
@@ -7249,7 +7226,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1506" +NAME="AEN1509" >8.8.2. Configuration Instructions: Setting up Roaming User Profiles</A ></H2 ><DIV @@ -7296,11 +7273,11 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1514" +NAME="AEN1517" >8.8.2.1. Windows NT Configuration</A ></H3 ><P ->To support WinNT clients, inn the [global] section of smb.conf set the +>To support WinNT clients, in the [global] section of smb.conf set the following (for example):</P ><P ><TABLE @@ -7340,7 +7317,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1522" +NAME="AEN1525" >8.8.2.2. Windows 9X Configuration</A ></H3 ><P @@ -7380,7 +7357,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1530" +NAME="AEN1533" >8.8.2.3. Win9X and WinNT Configuration</A ></H3 ><P @@ -7418,7 +7395,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1537" +NAME="AEN1540" >8.8.2.4. Windows 9X Profile Setup</A ></H3 ><P @@ -7490,7 +7467,7 @@ the newest folders and short-cuts from each set.</P >If you have made the folders / files read-only on the samba server, then you will get errors from the w95 machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the unix file +you have any errors reported by the w95 machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server.</P ><P @@ -7574,7 +7551,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1573" +NAME="AEN1576" >8.8.2.5. Windows NT Workstation 4.0</A ></H3 ><P @@ -7656,7 +7633,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1586" +NAME="AEN1589" >8.8.2.6. Windows NT Server</A ></H3 ><P @@ -7670,7 +7647,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1589" +NAME="AEN1592" >8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A ></H3 ><DIV 
@@ -7735,7 +7712,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1599" +NAME="AEN1602" >8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A ></H1 ><DIV @@ -7864,7 +7841,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1642" +NAME="AEN1652" >9.1. Abstract</A ></H1 ><P @@ -7887,7 +7864,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1646" +NAME="AEN1656" >9.2. Introduction</A ></H1 ><P @@ -7941,7 +7918,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1659" +NAME="AEN1669" >9.3. What Winbind Provides</A ></H1 ><P @@ -7983,7 +7960,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1666" +NAME="AEN1676" >9.3.1. Target Uses</A ></H2 ><P @@ -8007,7 +7984,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1670" +NAME="AEN1680" >9.4. How Winbind Works</A ></H1 ><P @@ -8027,7 +8004,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1675" +NAME="AEN1685" >9.4.1. Microsoft Remote Procedure Calls</A ></H2 ><P @@ -8053,7 +8030,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1679" +NAME="AEN1689" >9.4.2. Name Service Switch</A ></H2 ><P @@ -8133,7 +8110,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1695" +NAME="AEN1705" >9.4.3. Pluggable Authentication Modules</A ></H2 ><P @@ -8182,7 +8159,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1703" +NAME="AEN1713" >9.4.4. User and Group ID Allocation</A ></H2 ><P @@ -8208,7 +8185,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1707" +NAME="AEN1717" >9.4.5. Result Caching</A ></H2 ><P @@ -8231,7 +8208,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1710" +NAME="AEN1720" >9.5. Installation and Configuration</A ></H1 ><P @@ -8250,7 +8227,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1715" +NAME="AEN1725" >9.5.1. Introduction</A ></H2 ><P 
@@ -8301,17 +8278,24 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1728" +NAME="AEN1738" >9.5.2. Requirements</A ></H2 ><P >If you have a samba configuration file that you are currently -using... BACK IT UP! If your system already uses PAM, BACK UP -THE <TT +using... <EM +>BACK IT UP!</EM +> If your system already uses PAM, +<EM +>back up the <TT CLASS="FILENAME" >/etc/pam.d</TT -> directory contents! If you -haven't already made a boot disk, MAKE ON NOW!</P +> directory +contents!</EM +> If you haven't already made a boot disk, +<EM +>MAKE ONE NOW!</EM +></P ><P >Messing with the pam configuration files can make it nearly impossible to log in to yourmachine. That's why you want to be able to boot back @@ -8322,10 +8306,15 @@ CLASS="FILENAME" > back to the original state they were in if you get frustrated with the way things are going. ;-)</P ><P ->The newest version of SAMBA (version 2.2.2), available from -cvs.samba.org, now include a functioning winbindd daemon. Please refer -to the main SAMBA web page or, better yet, your closest SAMBA mirror -site for instructions on downloading the source code.</P +>The latest version of SAMBA (version 2.2.2 as of this writing), now +includes a functioning winbindd daemon. Please refer to the +<A +HREF="http://samba.org/" +TARGET="_top" +>main SAMBA web page</A +> or, +better yet, your closest SAMBA mirror site for instructions on +downloading the source code.</P ><P >To allow Domain users the ability to access SAMBA shares and files, as well as potentially other services provided by your 
@@ -8333,15 +8322,21 @@ SAMBA machine, PAM (pluggable authentication modules) must be setup properly on your machine. In order to compile the winbind modules, you should have at least the pam libraries resident on your system. For recent RedHat systems (7.1, for instance), that -means 'pam-0.74-22'. For best results, it is helpful to also -install the development packages in 'pam-devel-0.74-22'.</P +means <TT +CLASS="FILENAME" +>pam-0.74-22</TT +>. For best results, it is helpful to also +install the development packages in <TT +CLASS="FILENAME" +>pam-devel-0.74-22</TT +>.</P ></DIV ><DIV CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1736" +NAME="AEN1752" >9.5.3. Testing Things Out</A ></H2 ><P @@ -8372,19 +8367,26 @@ CLASS="FILENAME" >/usr/man</TT > entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, my RedHat -system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P +the header files needed to compile pam-aware applications. For instance, +my RedHat system has both <TT +CLASS="FILENAME" +>pam-0.74-22</TT +> and +<TT +CLASS="FILENAME" +>pam-devel-0.74-22</TT +> RPMs installed.</P ><DIV CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1745" +NAME="AEN1763" >9.5.3.1. Configure and compile SAMBA</A ></H3 ><P >The configuration and compilation of SAMBA is pretty straightforward. -The first three steps maynot be necessary depending upon +The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries.</P ><P ><TABLE 
@@ -8397,35 +8399,56 @@ WIDTH="100%" CLASS="PROGRAMLISTING" ><TT CLASS="PROMPT" ->root# </TT -> autoconf +>root#</TT +> <B +CLASS="COMMAND" +>autoconf</B +> <TT CLASS="PROMPT" ->root# </TT -> make clean +>root#</TT +> <B +CLASS="COMMAND" +>make clean</B +> <TT CLASS="PROMPT" ->root# </TT -> rm config.cache +>root#</TT +> <B +CLASS="COMMAND" +>rm config.cache</B +> <TT CLASS="PROMPT" ->root# </TT -> ./configure --with-winbind +>root#</TT +> <B +CLASS="COMMAND" +>./configure --with-winbind</B +> <TT CLASS="PROMPT" ->root# </TT -> make +>root#</TT +> <B +CLASS="COMMAND" +>make</B +> <TT CLASS="PROMPT" ->root# </TT -> make install</PRE +>root#</TT +> <B +CLASS="COMMAND" +>make install</B +></PRE ></TD ></TR ></TABLE ></P ><P ->This will, by default, install SAMBA in /usr/local/samba. See the -main SAMBA documentation if you want to install SAMBA somewhere else. +>This will, by default, install SAMBA in <TT +CLASS="FILENAME" +>/usr/local/samba</TT +>. +See the main SAMBA documentation if you want to install SAMBA somewhere else. It will also build the winbindd executable and libraries. </P ></DIV ><DIV 
@@ -8433,24 +8456,37 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1757" ->9.5.3.2. Configure nsswitch.conf and the winbind libraries</A +NAME="AEN1782" +>9.5.3.2. Configure <TT +CLASS="FILENAME" +>nsswitch.conf</TT +> and the +winbind libraries</A ></H3 ><P ->The libraries needed to run the winbind daemon through nsswitch -need to be copied to their proper locations, so</P +>The libraries needed to run the <B +CLASS="COMMAND" +>winbindd</B +> daemon +through nsswitch need to be copied to their proper locations, so</P ><P ><TT CLASS="PROMPT" ->root# </TT -> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P +>root#</TT +> <B +CLASS="COMMAND" +>cp ../samba/source/nsswitch/libnss_winbind.so /lib</B +></P ><P >I also found it necessary to make the following symbolic link:</P ><P ><TT CLASS="PROMPT" ->root# </TT -> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P +>root#</TT +> <B +CLASS="COMMAND" +>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B +></P ><P >Now, as root you need to edit <TT CLASS="FILENAME" @@ -8460,11 +8496,11 @@ allow user and group entries to be visible from the <B CLASS="COMMAND" >winbindd</B > -daemon, as well as from your /etc/hosts files and NIS servers. My -<TT +daemon. My <TT CLASS="FILENAME" >/etc/nsswitch.conf</TT -> file look like this after editing:</P +> file look like +this after editing:</P ><P ><TABLE BORDER="0" @@ -8475,7 +8511,7 @@ WIDTH="100%" ><PRE CLASS="PROGRAMLISTING" > passwd: files winbind - shadow: files winbind + shadow: files group: files winbind</PRE ></TD ></TR 
@@ -8484,13 +8520,20 @@ CLASS="PROGRAMLISTING" ><P > The libraries needed by the winbind daemon will be automatically -entered into the ldconfig cache the next time your system reboots, but it +entered into the <B +CLASS="COMMAND" +>ldconfig</B +> cache the next time +your system reboots, but it is faster (and you don't need to reboot) if you do it manually:</P ><P ><TT CLASS="PROMPT" ->root# </TT -> /sbin/ldconfig -v | grep winbind</P +>root#</TT +> <B +CLASS="COMMAND" +>/sbin/ldconfig -v | grep winbind</B +></P ><P >This makes <TT CLASS="FILENAME" @@ -8503,7 +8546,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1776" +NAME="AEN1807" >9.5.3.3. Configure smb.conf</A ></H3 ><P @@ -8538,16 +8581,45 @@ CLASS="PROGRAMLISTING" >[global] <...> # separate domain and username with '+', like DOMAIN+username - winbind separator = + + <A +HREF="winbindd.8.html#WINBINDSEPARATOR" +TARGET="_top" +>winbind separator</A +> = + # use uids from 10000 to 20000 for domain users - winbind uid = 10000-20000 + <A +HREF="winbindd.8.html#WINBINDUID" +TARGET="_top" +>winbind uid</A +> = 10000-20000 # use gids from 10000 to 20000 for domain groups - winbind gid = 10000-20000 + <A +HREF="winbindd.8.html#WINBINDGID" +TARGET="_top" +>winbind gid</A +> = 10000-20000 # allow enumeration of winbind users and groups - winbind enum users = yes - winbind enum groups = yes + <A +HREF="winbindd.8.html#WINBINDENUMUSERS" +TARGET="_top" +>winbind enum users</A +> = yes + <A +HREF="winbindd.8.html#WINBINDENUMGROUP" +TARGET="_top" +>winbind enum groups</A +> = yes # give winbind users a real shell (only needed if they have telnet access) - template shell = /bin/bash</PRE + <A +HREF="winbindd.8.html#TEMPLATEHOMEDIR" +TARGET="_top" +>template homedir</A +> = /home/winnt/%D/%U + <A +HREF="winbindd.8.html#TEMPLATESHELL" +TARGET="_top" +>template shell</A +> = /bin/bash</PRE ></TD ></TR ></TABLE 
@@ -8558,7 +8630,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1785" +NAME="AEN1823" >9.5.3.4. Join the SAMBA server to the PDC domain</A ></H3 ><P @@ -8579,8 +8651,11 @@ a domain user who has administrative privileges in the domain.</P ><P ><TT CLASS="PROMPT" ->root# </TT ->/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P +>root#</TT +> <B +CLASS="COMMAND" +>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</B +></P ><P >The proper response to the command should be: "Joined the domain <TT @@ -8601,7 +8676,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1795" +NAME="AEN1834" >9.5.3.5. Start up the winbindd daemon and test it!</A ></H3 ><P @@ -8613,25 +8688,37 @@ command as root:</P ><P ><TT CLASS="PROMPT" ->root# </TT ->/usr/local/samba/bin/winbindd</P +>root#</TT +> <B +CLASS="COMMAND" +>/usr/local/samba/bin/winbindd</B +></P ><P >I'm always paranoid and like to make sure the daemon is really running...</P ><P ><TT CLASS="PROMPT" ->root# </TT -> ps -ae | grep winbindd -3025 ? 00:00:00 winbindd</P +>root#</TT +> <B +CLASS="COMMAND" +>ps -ae | grep winbindd</B +></P +><P +>This command should produce output like this, if the daemon is running</P +><P +>3025 ? 00:00:00 winbindd</P ><P >Now... for the real test, try to get some information about the users on your PDC</P ><P ><TT CLASS="PROMPT" ->root# </TT -> # /usr/local/samba/bin/wbinfo -u</P +>root#</TT +> <B +CLASS="COMMAND" +>/usr/local/samba/bin/wbinfo -u</B +></P ><P > This should echo back a list of users on your Windows users on @@ -8656,7 +8743,13 @@ CEO+TsInternetUser</PRE ></TABLE ></P ><P ->Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P +>Obviously, I have named my domain 'CEO' and my <TT +CLASS="PARAMETER" +><I +>winbindd +separator</I +></TT +> is '+'.</P ><P >You can do the same sort of thing to get group information from the PDC:</P 
@@ -8671,8 +8764,11 @@ WIDTH="100%" CLASS="PROGRAMLISTING" ><TT CLASS="PROMPT" ->root# </TT ->/usr/local/samba/bin/wbinfo -g +>root#</TT +> <B +CLASS="COMMAND" +>/usr/local/samba/bin/wbinfo -g</B +> CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -8693,8 +8789,11 @@ Try the following command:</P ><P ><TT CLASS="PROMPT" ->root# </TT -> getent passwd</P +>root#</TT +> <B +CLASS="COMMAND" +>getent passwd</B +></P ><P >You should get a list that looks like your <TT CLASS="FILENAME" @@ -8707,16 +8806,22 @@ directories and default shells.</P ><P ><TT CLASS="PROMPT" ->root# </TT -> getent group</P +>root#</TT +> <B +CLASS="COMMAND" +>getent group</B +></P ></DIV ><DIV CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1822" ->9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files</A +NAME="AEN1870" +>9.5.3.6. Fix the <TT +CLASS="FILENAME" +>/etc/rc.d/init.d/smb</TT +> startup files</A ></H3 ><P >The <B 
@@ -8822,47 +8927,81 @@ CLASS="PROGRAMLISTING" ></TR ></TABLE ></P +><P +>If you restart the <B +CLASS="COMMAND" +>smbd</B +>, <B +CLASS="COMMAND" +>nmbd</B +>, +and <B +CLASS="COMMAND" +>winbindd</B +> daemons at this point, you +should be able to connect to the samba server as a domain member just as +if you were a local user.</P ></DIV ><DIV CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN1839" +NAME="AEN1892" >9.5.3.7. Configure Winbind and PAM</A ></H3 ><P ->If you have made it this far, you know that winbindd is working. -Now it is time to integrate it into the operation of samba and other -services. The pam configuration files need to be altered in +>If you have made it this far, you know that winbindd and samba are working +together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in this step. (Did you remember to make backups of your original <TT CLASS="FILENAME" >/etc/pam.d</TT > files? If not, do it now.)</P ><P ->To get samba to allow domain users and groups, I modified the +>You will need a pam module to use winbindd with these other services. This +module will be compiled in the <TT +CLASS="FILENAME" +>../source/nsswitch</TT +> directory +by invoking the command</P +><P +><TT +CLASS="PROMPT" +>root#</TT +> <B +CLASS="COMMAND" +>make nsswitch/pam_winbind.so</B +></P +><P +>from the <TT +CLASS="FILENAME" +>../source</TT +> directory. The <TT CLASS="FILENAME" ->/etc/pam.d/samba</TT -> file from</P +>pam_winbind.so</TT +> file should be copied to the location of +your other pam security modules. 
On my RedHat system, this was the +<TT +CLASS="FILENAME" +>/lib/security</TT +> directory.</P ><P -><TABLE -BORDER="0" -BGCOLOR="#E0E0E0" -WIDTH="100%" -><TR -><TD -><PRE -CLASS="PROGRAMLISTING" ->auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth</PRE -></TD -></TR -></TABLE +><TT +CLASS="PROMPT" +>root#</TT +> <B +CLASS="COMMAND" +>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B ></P ><P ->to</P +>The <TT +CLASS="FILENAME" +>/etc/pam.d/samba</TT +> file does not need to be changed. I +just left this fileas it was:</P ><P ><TABLE BORDER="0" @@ -8872,9 +9011,7 @@ WIDTH="100%" ><TD ><PRE CLASS="PROGRAMLISTING" ->auth required /lib/security/pam_winbind.so -auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_winbind.so +>auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth</PRE ></TD ></TR @@ -8965,10 +9102,11 @@ WIDTH="100%" ><TD ><PRE CLASS="PROGRAMLISTING" ->auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +>auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_shells.so +account sufficient /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth</PRE ></TD 
@@ -9023,15 +9161,6 @@ CLASS="COMMAND" >winbind.so</B > line to get rid of annoying double prompts for passwords.</P -><P ->Finally, don't forget to copy the winbind pam modules from -the source directory in which you originally compiled the new -SAMBA up to the /lib/security directory so that pam can use it:</P -><P -><TT -CLASS="PROMPT" ->root# </TT -> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P ></DIV ></DIV ></DIV @@ -9040,7 +9169,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1880" +NAME="AEN1939" >9.6. Limitations</A ></H1 ><P @@ -9081,7 +9210,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1890" +NAME="AEN1949" >9.7. Conclusion</A ></H1 ><P @@ -9105,7 +9234,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1904" +NAME="AEN1963" >10.1. FAQs</A ></H1 ><DIV @@ -9113,7 +9242,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1906" +NAME="AEN1965" >10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></H2 @@ -9172,7 +9301,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1921" +NAME="AEN1980" >10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></H2 @@ -9225,7 +9354,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1930" +NAME="AEN1989" >10.1.3. Are there any other issues when OS/2 (any version) is used as a client?</A ></H2 @@ -9247,7 +9376,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1934" +NAME="AEN1993" >10.1.4. How do I get printer driver download working for OS/2 clients?</A ></H2 @@ -9303,7 +9432,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1950" +NAME="AEN2009" >11.1. Introduction</A ></H1 ><P @@ -9325,7 +9454,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN1955" +NAME="AEN2014" >11.2. CVS Access to samba.org</A ></H1 ><P @@ -9338,7 +9467,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1958" +NAME="AEN2017" >11.2.1. Access via CVSweb</A ></H2 ><P 
@@ -9359,7 +9488,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN1963" +NAME="AEN2022" >11.2.2. Access via cvs</A ></H2 ><P @@ -9465,14 +9594,14 @@ CLASS="COMMAND" ></DIV ><HR><H1 ><A -NAME="AEN1991" +NAME="AEN2050" >Index</A ></H1 ><DL ><DT ->Primary Domain Controller, +>Primary Domain Controller, <A -HREF="x1096.htm" +HREF="x1098.htm" >Background</A > </DT diff --git a/docs/htmldocs/nmbd.8.html b/docs/htmldocs/nmbd.8.html index 31afa11cf89..ad8c7c61ab7 100644 --- a/docs/htmldocs/nmbd.8.html +++ b/docs/htmldocs/nmbd.8.html @@ -37,7 +37,7 @@ NAME="AEN8" ><B CLASS="COMMAND" >nmbd</B -> [-D] [-a] [-o] [-P] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log file>] [-n <primary netbios name>] [-p <port number>] [-s <configuration file>]</P +> [-D] [-a] [-o] [-P] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-n <primary netbios name>] [-p <port number>] [-s <configuration file>]</P ></DIV ><DIV CLASS="REFSECT1" @@ -275,22 +275,19 @@ CLASS="FILENAME" > file.</P ></DD ><DT ->-l <log file></DT +>-l <log directory></DT ><DD ><P ->The -l parameter specifies a path - and base filename into which operational data from - the running <B +>The -l parameter specifies a directory + into which the "log.nmbd" log file will be created + for operational data from the running + <B CLASS="COMMAND" >nmbd</B -> server will - be logged. The actual log file name is generated by - appending the extension ".nmb" to the specified base - name. For example, if the name specified was "log" - then the file log.nmb would contain the debugging data.</P -><P ->The default log file path is compiled into Samba as - part of the build process. Common defaults are <TT +> server.</P +><P +>The default log directory is compiled into Samba + as part of the build process. Common defaults are <TT CLASS="FILENAME" > /usr/local/samba/var/log.nmb</TT >, <TT diff --git a/docs/htmldocs/rpcclient.1.html b/docs/htmldocs/rpcclient.1.html index 53a0ea98dd2..98a19c6ea2d 100644 
--- a/docs/htmldocs/rpcclient.1.html +++ b/docs/htmldocs/rpcclient.1.html @@ -197,7 +197,7 @@ CLASS="FILENAME" ><P >Sets the SMB username or username and password. </P ><P ->If %password is not specified, The user will be prompted. The +>If %password is not specified, the user will be prompted. The client will first check the <TT CLASS="ENVAR" >USER</TT diff --git a/docs/htmldocs/samba-pdc-faq.html b/docs/htmldocs/samba-pdc-faq.html index 058a5d5f518..d9c204bf1b5 100644 --- a/docs/htmldocs/samba-pdc-faq.html +++ b/docs/htmldocs/samba-pdc-faq.html @@ -45,9 +45,9 @@ NAME="AEN12" ></H1 ><P > This is the FAQ for Samba 2.2 as an NTDomain controller. - This document is derived from the origional FAQ that was built and + This document is derived from the original FAQ that was built and maintained by Gerald Carter from the early days of Samba NTDomain development - up until recently. It is now being updated as significent changes are + up until recently. It is now being updated as significant changes are made to 2.2.0. </P ><P @@ -165,7 +165,7 @@ HREF="#AEN103" ><A HREF="#AEN110" >"The machine account for this computer either does not -exist or is not accessable."</A +exist or is not accessible."</A ></DT ><DT ><A @@ -256,7 +256,7 @@ HREF="#AEN180" ><DT ><A HREF="#AEN182" ->What are 'Policies' ?.</A +>What are 'Policies' ?</A ></DT ><DT ><A @@ -314,12 +314,12 @@ HREF="#AEN248" ><A HREF="#AEN250" >What editor can I use in DOS/Windows that won't -mess with my unix EOF</A +mess with my unix EOF ?</A ></DT ><DT ><A HREF="#AEN263" ->How do I get 'User Manager' and 'Server Manager'</A +>How do I get 'User Manager' and 'Server Manager' ?</A ></DT ><DT ><A @@ -334,7 +334,7 @@ HREF="#AEN282" ><DT ><A HREF="#AEN286" ->How do I get my samba server to become a member ( not PDC ) of an NT domain?</A +>How do I get my samba server to become a member ( not PDC ) of an NT domain ?</A ></DT ></DL ></DD 
@@ -358,13 +358,13 @@ HREF="#AEN292" ><A HREF="#AEN294" >What are some diagnostics tools I can use to debug the domain logon process and where can I - find them?</A + find them ?</A ></DT ><DT ><A HREF="#AEN309" >How do I install 'Network Monitor' on an NT Workstation -or a Windows 9x box?</A +or a Windows 9x box ?</A ></DT ></DL ></DD @@ -419,13 +419,13 @@ CLASS="FILENAME" > dialog will let you reset the smbpasswd. That is you don't need to do it from the unix box. However, at the present, you do need to have root as an - administrator and use the root user name and password.</P + administrator and use the root username and password.</P ><P ><B CLASS="COMMAND" >Policies</B > do work on a W2K machine. MS says that recent - builds of W2K dont observe an NT policy but it appears it does in 'legacy' + builds of W2K don't observe an NT policy but it appears it does in 'legacy' mode.</P ></DIV ><DIV @@ -437,7 +437,7 @@ NAME="AEN27" >Introduction</A ></H1 ><P -> This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing +> This FAQ was originally compiled by Jerry Carter (gc) chiefly dealing with the 'old HEAD' version of Samba and its NTDomain facilities. It is being rewritten by David Bannon (drb) so that it addresses more accurately the Samba 2.2.x release. @@ -454,7 +454,7 @@ TARGET="_top" </P ><P >Hopefully, as we all become familiar with the Samba 2.2 as a - PDC this document will become much more usefull.</P + PDC this document will become much more useful.</P ></DIV ></DIV ><DIV @@ -532,7 +532,7 @@ NAME="AEN37" ></LI ></UL ><P -> These things are note expected to work in the forseeable future: +> These things are not expected to work in the foreseeable future: </P ><P ></P @@ -558,7 +558,7 @@ controlled domain?</A ></H2 ><P > The 2.2 release branch of Samba supports Windows 2000 domain - clients in legacy mode, ie as if the PDC is a NTServer, not a + clients in legacy mode, i.e. as if the PDC is a NTServer, not a W2K server. </P ></DIV 
@@ -572,7 +572,7 @@ NAME="AEN65" >CVS</A ></H1 ><P -> CVS is a programme (publically available) that the Samba developers +> CVS is a program (publicly available) that the Samba developers use to maintain the central source code. Non developers can get access to the source in a read only capacity. Many flavours of unix now arrive with cvs installed.</P @@ -606,7 +606,7 @@ CLASS="VARIABLELIST" ><P >Samba 3.0 ? This code boasts all the main development work in Samba. Due to its developmental - nature, its not really suitable for production work. + nature, it's not really suitable for production work. </P ></DD ><DT @@ -693,7 +693,7 @@ controlled Domain?</A HREF="samba-pdc-howto.html" TARGET="_top" >HOWTO</A -> accessable from the samba web +> accessible from the samba web site under 'Documentation'. Read it. </P ></DIV @@ -734,11 +734,11 @@ CLASS="SECT2" ><A NAME="AEN110" >"The machine account for this computer either does not -exist or is not accessable."</A +exist or is not accessible."</A ></H2 ><P > When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessable". Whats + for this computer either does not exist or is not accessible". Whats wrong ? </P ><P @@ -802,7 +802,7 @@ CLASS="COMMAND" path to the <B CLASS="COMMAND" >smbpasswd</B -> programme, do this : +> program, do this : </P ><P > <B @@ -812,7 +812,7 @@ CLASS="COMMAND" </P ><P > The entry will be created with a well known password, so any machine that - says its doppy could join the domain as long as it gets in first. So + says it's doppy could join the domain as long as it gets in first. So don't create the accounts any earlier than you need them. </P ></DIV 
@@ -854,7 +854,7 @@ when creating a machine account.</A ><P > This happens if you try to create a machine account from the machine itself and use a user name that does not work (for whatever - reason) and then try another (possibly valid) user name. + reason) and then try another (possibly valid) username. Exit out of the network applet to close the initial connection and try again. </P @@ -891,7 +891,7 @@ NAME="AEN143" ><P >I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try a gain or consult your + can not log you on (C000019B), Please try again or consult your system administrator" when attempting to logon. </P ><P @@ -1029,14 +1029,14 @@ HREF="#AEN278" > </P ><P -> Make sure that the "logon path" is writeable by the user and make sure +> Make sure that the "logon path" is writable by the user and make sure that the connection to the logon path location is by the current user. - Sometimes Windows client do not drop the connection immediately upon + Sometimes Windows clients do not drop the connection immediately upon logoff. </P ><P > Some people have reported that the logon path location should - also be browseable. I (GC) have yet to emperically verify this, + also be browseable. I (GC) have yet to empirically verify this, but you can try.</P ></DIV ></DIV @@ -1054,13 +1054,13 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN182" ->What are 'Policies' ?.</A +>What are 'Policies' ?</A ></H2 ><P > When a user logs onto the domain via a client machine, the PDC sends the client machine a list of things contained in the 'policy' (if it exists). This list may do things like suppress - a splach screen, format the dates the way you like them or perhaps + a splash screen, format the dates the way you like them or perhaps remove locally stored profiles. </P ><P 
@@ -1070,7 +1070,7 @@ CLASS="FILENAME" >ntconfig.pol</TT > and located in the [netlogon] share. The file is created with a policy editor and must be readable - by anyone and writeable by only root. See <A + by anyone and writable by only root. See <A HREF="#AEN203" > below</A > for how to get a suitable editor. @@ -1102,7 +1102,7 @@ CLASS="PROGRAMLISTING" ></P ><P > A policy file must be in the [netlogon] share and must be - readable by everyone and writeable by only root. The file + readable by everyone and writable by only root. The file must be created by an NTServer <A HREF="#AEN203" >Policy @@ -1170,7 +1170,7 @@ CLASS="EMPHASIS" >. Further, although the Windows 95 Policy Editor can be installed on an NT Workstation/Server, it will not - work with NT policies because the registry key that are set by the policy templates. + work with NT policies because of the registry keys that are set by the policy templates. However, the files from the NT Server will run happily enough on an NTws. You need <TT CLASS="FILENAME" @@ -1192,7 +1192,7 @@ CLASS="FILENAME" <B CLASS="COMMAND" >servicepackname /x</B ->, ie thats <B +>, i.e. that's <B CLASS="COMMAND" >Nt4sp6ai.exe /x</B @@ -1201,7 +1201,7 @@ CLASS="COMMAND" >poledt.exe</B > and the associated template files (*.adm) should - be extracted as well. It is also possible to downloaded the policy template + be extracted as well. It is also possible to download the policy template files for Office97 and get a copy of the policy editor. Another possible location is with the Zero Administration Kit available for download from Microsoft. </P @@ -1261,7 +1261,7 @@ CLASS="FILENAME" CLASS="FILENAME" >/etc/shadow</TT >). - In lots of situations thats OK, for example : + In lots of situations that's OK, for example : </P ><P ></P 
@@ -1278,10 +1278,10 @@ CLASS="FILENAME" ></LI ></UL ><P -> But sometimes you really do need to maintain two seperate password +> But sometimes you really do need to maintain two separate password databases and there are good reasons to keep then in sync. Trying to explain to users that they need to change their passwords in two - seperate places or use two seperate passwords is not fun. + separate places or use two separate passwords is not fun. </P ><P > However do understand that setting up password sync is not without @@ -1358,11 +1358,11 @@ CLASS="SECT2" ><A NAME="AEN250" >What editor can I use in DOS/Windows that won't -mess with my unix EOF</A +mess with my unix EOF ?</A ></H2 ><P >There are a number of Windows or DOS based editors that will - understand, and leave intact, the unix eof (as opposed to a DOS CL/LF). + understand, and leave intact, the unix eof (as opposed to a DOS CR/LF). List members suggested : </P ><P @@ -1390,7 +1390,7 @@ TARGET="_top" HREF="http://www.lancs.ac.uk/people/cpaap/pfe/" TARGET="_top" > www.lancs.ac.uk/people/cpaap/pfe/</A -> but its no longer being developed...</P +> but it's no longer being developed...</P ></LI ></UL ></DIV @@ -1400,7 +1400,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN263" ->How do I get 'User Manager' and 'Server Manager'</A +>How do I get 'User Manager' and 'Server Manager' ?</A ></H2 ><P > Since I don't need to buy an NT Server CD now, how do I get @@ -1409,7 +1409,7 @@ NAME="AEN263" ><P > Microsoft distributes a version of these tools called nexus for installation on Windows 95 systems. The - tools set includes + tool set includes </P ><P ></P @@ -1482,7 +1482,7 @@ CLASS="SECT2" CLASS="SECT2" ><A NAME="AEN286" ->How do I get my samba server to become a member ( not PDC ) of an NT domain?</A +>How do I get my samba server to become a member ( not PDC ) of an NT domain ?</A ></H2 ><P > Please refer to the <A 
@@ -1517,11 +1517,11 @@ CLASS="SECT2" ><A NAME="AEN294" >What are some diagnostics tools I can use to debug the domain logon process and where can I - find them?</A + find them ?</A ></H2 ><P > One of the best diagnostic tools for debugging problems is Samba itself. - You can use the -d option for both smbd and nmbd to specifiy what + You can use the -d option for both smbd and nmbd to specify what 'debug level' at which to run. See the man pages on smbd, nmbd and smb.conf for more information on debugging options. The debug level can range from 1 (the default) to 10 (100 for debugging passwords). @@ -1532,19 +1532,19 @@ NAME="AEN294" CLASS="COMMAND" >gcc -g </B > flag. This will include debug - information in the binaries and allow you to attch gdb to the + information in the binaries and allow you to attach gdb to the running smbd / nmbd process. In order to attach gdb to an smbd process for an NT workstation, first get the workstation to make the - connection. Pressing ctrl-alt-delete and going down to the domain box + connection. Pressing Ctrl-Alt-Del and going down to the domain box is sufficient (at least, on the first time you join the domain) to generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation maintains an open connection, and therefore there will be an smbd process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually + idle timeout) So, in between pressing Ctrl-Alt-Del, and actually typing in your password, you can gdb attach and continue. </P ><P -> Some usefull samba commands worth investigating: +> Some useful samba commands worth investigating: </P ><P ></P @@ -1563,7 +1563,7 @@ CLASS="COMMAND" <A HREF="http://www.tcpdump.org/" TARGET="_top" ->http://www.tcpdup.org/</A +>http://www.tcpdump.org/</A >. Ethereal, another good packet sniffer for UNIX and Win32 hosts, can be downloaded from <A 
@@ -1573,11 +1573,11 @@ TARGET="_top" >. </P ><P -> For tracing things on the Microsoft Windows NT, Network Monitor +> For tracing things on Microsoft Windows NT, Network Monitor (aka. netmon) is available on the Microsoft Developer Network CD's, the Windows NT Server install CD and the SMS CD's. The version of netmon that ships with SMS allows for dumping packets between any two - computers (ie. placing the network interface in promiscuous mode). + computers (i.e. placing the network interface in promiscuous mode). The version on the NT Server install CD will only allow monitoring of network traffic directed to the local NT box and broadcasts on the local subnet. Be aware that Ethereal can read and write netmon @@ -1591,7 +1591,7 @@ CLASS="SECT2" ><A NAME="AEN309" >How do I install 'Network Monitor' on an NT Workstation -or a Windows 9x box?</A +or a Windows 9x box ?</A ></H2 ><P > Installing netmon on an NT workstation requires a couple @@ -1732,13 +1732,13 @@ CLASS="EMPHASIS" ></LI ><LI ><P -> Ignacio Coupeau has a very comprehesive look at LDAP with Samba at +> Ignacio Coupeau has a very comprehensive look at LDAP with Samba at <A HREF="http://www.unav.es/cti/ldap-smb-howto.html" TARGET="_top" > http://www.unav.es/cti/ldap-smb-howto.html</A > - Be a little carefull however, I suspect that it does not specificly + Be a little careful however, I suspect that it does not specifically address samba 2.2.x. The HEAD pre-2.1 may possibly be the best stream to look at.</P ></LI @@ -1754,7 +1754,7 @@ HREF="http://www.kneschke.de/projekte/samba_tng" TARGET="_top" > http://www.kneschke.de/projekte/samba_tng</A >, but again, a - lot of it does not apply to the main stream Samba.</P + lot of it does not apply to the mainstream Samba.</P ></LI ><LI ><P @@ -1839,7 +1839,7 @@ TARGET="_top" >http://www.samba-tng.org/</A > It has been requested that you don't post questions about Samba-TNG to the - main stream Samba lists.</P + mainstream Samba lists.</P ><P ></P ><P 
@@ -1872,18 +1872,18 @@ TARGET="_top" > Try and make your question clear and brief, lots of long, convoluted questions get deleted before they are completely read ! Don't post html encoded messages (if you can select colour or font - size its html).</P + size it's html).</P ></LI ><LI ><P -> If you run one of those niffy 'I'm on holidays' things when +> If you run one of those nifty 'I'm on holidays' things when you are away, make sure its configured to not answer mailing lists. </P ></LI ><LI ><P > Don't cross post. Work out which is the best list to post to - and see what happens, ie don't post to both samba-ntdom and samba-technical. + and see what happens, i.e. don't post to both samba-ntdom and samba-technical. Many people active on the lists subscribe to more than one list and get annoyed to see the same message two or more times. Often someone will see a message and thinking it would be better dealt @@ -1943,7 +1943,7 @@ TARGET="_top" ></P ><P > Please don't post messages to the list asking to be removed, you will just - be refered to the above address (unless that process failed in some way...) + be referred to the above address (unless that process failed in some way...) </P ></DIV ></DIV diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 5fe4f3cf977..29d0e2553ba 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html 
@@ -1461,6 +1461,78 @@ CLASS="PARAMETER" ><LI ><P ><A +HREF="#LDAPADMINDN" +><TT +CLASS="PARAMETER" +><I +>ldap admin dn</I +></TT +></A +></P +></LI +><LI +><P +><A +HREF="#LDAPFILTER" +><TT +CLASS="PARAMETER" +><I +>ldap filter</I +></TT +></A +></P +></LI +><LI +><P +><A +HREF="#LDAPPORT" +><TT +CLASS="PARAMETER" +><I +>ldap port</I +></TT +></A +></P +></LI +><LI +><P +><A +HREF="#LDAPSERVER" +><TT +CLASS="PARAMETER" +><I +>ldap server</I +></TT +></A +></P +></LI +><LI +><P +><A +HREF="#LDAPSSL" +><TT +CLASS="PARAMETER" +><I +>ldap ssl</I +></TT +></A +></P +></LI +><LI +><P +><A +HREF="#LDAPSUFFIX" +><TT +CLASS="PARAMETER" +><I +>ldap suffix</I +></TT +></A +></P +></LI +><LI +><P +><A HREF="#LMANNOUNCE" ><TT CLASS="PARAMETER" @@ -1881,18 +1953,6 @@ CLASS="PARAMETER" ><LI ><P ><A -HREF="#NTACLSUPPORT" -><TT -CLASS="PARAMETER" -><I ->nt acl support</I -></TT -></A -></P -></LI -><LI -><P -><A HREF="#NTPIPESUPPORT" ><TT CLASS="PARAMETER" @@ -2433,6 +2493,42 @@ CLASS="PARAMETER" ><LI ><P ><A +HREF="#SSLEGDSOCKET" +><TT +CLASS="PARAMETER" +><I +>ssl egd socket</I +></TT +></A +></P +></LI +><LI +><P +><A +HREF="#SSLENTROPYBYTES" +><TT +CLASS="PARAMETER" +><I +>ssl entropy bytes</I +></TT +></A +></P +></LI +><LI +><P +><A +HREF="#SSLENTROPYFILE" +><TT +CLASS="PARAMETER" +><I +>ssl entropy file</I +></TT +></A +></P +></LI +><LI +><P +><A HREF="#SSLHOSTS" ><TT CLASS="PARAMETER" @@ -2673,6 +2769,18 @@ CLASS="PARAMETER" ><LI ><P ><A +HREF="#USEMMAP" +><TT +CLASS="PARAMETER" +><I +>use mmap</I +></TT +></A +></P +></LI +><LI +><P +><A HREF="#USERHOSTS" ><TT CLASS="PARAMETER" @@ -2891,7 +2999,7 @@ CLASS="PARAMETER" ><DIV CLASS="REFSECT1" ><A -NAME="AEN934" +NAME="AEN970" ></A ><H2 >COMPLETE LIST OF SERVICE PARAMETERS</H2 @@ -3684,6 +3792,18 @@ CLASS="PARAMETER" ><LI ><P ><A +HREF="#NTACLSUPPORT" +><TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +></A +></P +></LI +><LI +><P +><A HREF="#ONLYGUEST" ><TT CLASS="PARAMETER" 
@@ -4068,6 +4188,18 @@ CLASS="PARAMETER" ><LI ><P ><A +HREF="#STRICTALLOCATE" +><TT +CLASS="PARAMETER" +><I +>strict allocate</I +></TT +></A +></P +></LI +><LI +><P +><A HREF="#STRICTLOCKING" ><TT CLASS="PARAMETER" @@ -4298,7 +4430,7 @@ CLASS="PARAMETER" ><DIV CLASS="REFSECT1" ><A -NAME="AEN1402" +NAME="AEN1446" ></A ><H2 >EXPLANATION OF EACH PARAMETER</H2 @@ -7500,11 +7632,11 @@ CLASS="PARAMETER" > it is in. Samba 2.2 also has limited capability to act as a domain controller for Windows NT 4 Domains. For more details on setting up this feature see - the file DOMAINS.txt in the Samba documentation directory <TT + the Samba-PDC-HOWTO included in the <TT CLASS="FILENAME" ->docs/ - </TT -> shipped with the source code.</P +>htmldocs/</TT +> + directory shipped with the source code.</P ><P >Default: <B CLASS="COMMAND" @@ -8055,22 +8187,6 @@ CLASS="PARAMETER" > parameter is applied.</P ><P ->Note that by default this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - this mask on access control lists also, they need to set the <A -HREF="#RESTRICTACLWITHMASK" -><TT -CLASS="PARAMETER" -><I ->restrict acl with - mask</I -></TT -></A -> to <TT -CLASS="CONSTANT" ->true</TT ->.</P -><P >See also the parameter <A HREF="#CREATEMASK" ><TT @@ -8130,22 +8246,6 @@ CLASS="PARAMETER" > is applied.</P ><P ->Note that by default this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - this mask on access control lists also, they need to set the <A -HREF="#RESTRICTACLWITHMASK" -><TT -CLASS="PARAMETER" -><I ->restrict acl with - mask</I -></TT -></A -> to <TT -CLASS="CONSTANT" ->true</TT ->.</P -><P >See also the parameter <A HREF="#DIRECTORYMASK" ><TT 
@@ -9569,6 +9669,250 @@ CLASS="COMMAND" ></DD ><DT ><A +NAME="LDAPADMINDN" +></A +>ldap admin dn (G)</DT +><DD +><P +>This parameter is only available if Samba has been + configure to include the <B +CLASS="COMMAND" +>--with-ldapsam</B +> option + at compile time. This option should be considered experimental and + under active development. + </P +><P +> The <TT +CLASS="PARAMETER" +><I +>ldap admin dn</I +></TT +> defines the Distinguished + Name (DN) name used by Samba to contact the <A +HREF="#LDAPSERVER" +>ldap + server</A +> when retreiving user account information. The <TT +CLASS="PARAMETER" +><I +>ldap + admin dn</I +></TT +> is used in conjunction with the admin dn password + stored in the <TT +CLASS="FILENAME" +>private/secrets.tdb</TT +> file. See the + <A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +> man + page for more information on how to accmplish this. + </P +><P +>Default : <EM +>none</EM +></P +></DD +><DT +><A +NAME="LDAPFILTER" +></A +>ldap filter (G)</DT +><DD +><P +>This parameter is only available if Samba has been + configure to include the <B +CLASS="COMMAND" +>--with-ldapsam</B +> option + at compile time. This option should be considered experimental and + under active development. + </P +><P +> This parameter specifies the RFC 2254 compliant LDAP search filter. + The default is to match the login name with the <TT +CLASS="CONSTANT" +>uid</TT +> + attribute for all entries matching the <TT +CLASS="CONSTANT" +>sambaAccount</TT +> + objectclass. Note that this filter should only return one entry. + </P +><P +>Default : <B +CLASS="COMMAND" +>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</B +></P +></DD +><DT +><A +NAME="LDAPPORT" +></A +>ldap port (G)</DT +><DD +><P +>This parameter is only available if Samba has been + configure to include the <B +CLASS="COMMAND" +>--with-ldapsam</B +> option + at compile time. This option should be considered experimental and + under active development. 
+ </P +><P +> This option is used to control the tcp port number used to contact + the <A +HREF="#LDAPSERVER" +><TT +CLASS="PARAMETER" +><I +>ldap server</I +></TT +></A +>. + The default is to use the stand LDAP port 389. + </P +><P +>Default : <B +CLASS="COMMAND" +>ldap port = 389</B +></P +></DD +><DT +><A +NAME="LDAPSERVER" +></A +>ldap server (G)</DT +><DD +><P +>This parameter is only available if Samba has been + configure to include the <B +CLASS="COMMAND" +>--with-ldapsam</B +> option + at compile time. This option should be considered experimental and + under active development. + </P +><P +> This parameter should contains the FQDN of the ldap directory + server which should be queried to locate user account information. + </P +><P +>Default : <B +CLASS="COMMAND" +>ldap server = localhost</B +></P +></DD +><DT +><A +NAME="LDAPSSL" +></A +>ldap ssl (G)</DT +><DD +><P +>This parameter is only available if Samba has been + configure to include the <B +CLASS="COMMAND" +>--with-ldapsam</B +> option + at compile time. This option should be considered experimental and + under active development. + </P +><P +> This option is used to define whether or not Samba should + use SSL when connecting to the <A +HREF="#LDAPSERVER" +><TT +CLASS="PARAMETER" +><I +>ldap + server</I +></TT +></A +>. This is <EM +>NOT</EM +> related to + Samba SSL support which is enabled by specifying the + <B +CLASS="COMMAND" +>--with-ssl</B +> option to the <TT +CLASS="FILENAME" +>configure</TT +> + script (see <A +HREF="#SSL" +><TT +CLASS="PARAMETER" +><I +>ssl</I +></TT +></A +>). 
+ </P +><P +> The <TT +CLASS="PARAMETER" +><I +>ldap ssl</I +></TT +> can be set to one of three values: + (a) <B +CLASS="COMMAND" +>on</B +> - Always use SSL when contacting the + <TT +CLASS="PARAMETER" +><I +>ldap server</I +></TT +>, (b) <B +CLASS="COMMAND" +>off</B +> - + Never use SSL when querying the directory, or (c) <B +CLASS="COMMAND" +>start + tls</B +> - Use the LDAPv3 StartTLS extended operation + (RFC2830) for communicating with the directory server. + </P +><P +>Default : <B +CLASS="COMMAND" +>ldap ssl = off</B +></P +></DD +><DT +><A +NAME="LDAPSUFFIX" +></A +>ldap suffix (G)</DT +><DD +><P +>This parameter is only available if Samba has been + configure to include the <B +CLASS="COMMAND" +>--with-ldapsam</B +> option + at compile time. This option should be considered experimental and + under active development. + </P +><P +>Default : <EM +>none</EM +></P +></DD +><DT +><A NAME="LEVEL2OPLOCKS" ></A >level2 oplocks (S)</DT @@ -11958,7 +12302,7 @@ CLASS="COMMAND" > --with-msdfs</B > option. If set to <TT CLASS="CONSTANT" ->yes></TT +>yes</TT >, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. @@ -12038,7 +12382,7 @@ CLASS="FILENAME" CLASS="FILENAME" >/etc/nsswitch.conf</TT > - file). Note that this method is only used if the NetBIOS name + file. Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type, otherwise it is ignored.</P ></LI @@ -12228,7 +12572,7 @@ CLASS="COMMAND" ><A NAME="NTACLSUPPORT" ></A ->nt acl support (G)</DT +>nt acl support (S)</DT ><DD ><P >This boolean parameter controls whether @@ -12237,7 +12581,9 @@ HREF="smbd.8.html" TARGET="_top" >smbd(8)</A > will attempt to map - UNIX permissions into Windows NT access control lists.</P + UNIX permissions into Windows NT access control lists. + This parameter was formally a global parameter in releases + prior to 2.2.2.</P ><P >Default: <B CLASS="COMMAND" 
@@ -12825,7 +13171,7 @@ CLASS="PARAMETER" ></TT ></A > parameter is set to true, the chat pairs - may be matched in any order, and sucess is determined by the PAM result, + may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions. </P ><P @@ -13811,7 +14157,7 @@ CLASS="COMMAND" ><P >For <B CLASS="COMMAND" ->printing = SYS or HPUX :</B +>printing = SYSV or HPUX :</B ></P ><P ><B @@ -14294,7 +14640,7 @@ CLASS="PARAMETER" > if specified in the [global] section.</P ><P ->Currently eight printing styles are supported. They are +>Currently nine printing styles are supported. They are <TT CLASS="CONSTANT" >BSD</TT 
@@ -14773,108 +15119,6 @@ CLASS="COMMAND" ></DD ><DT ><A -NAME="RESTRICTACLWITHMASK" -></A ->restrict acl with mask (S)</DT -><DD -><P ->This is a boolean parameter. If set to <TT -CLASS="CONSTANT" ->false</TT -> (default), then - creation of files with access control lists (ACLS) and modification of ACLs - using the Windows NT/2000 ACL editor will be applied directly to the file - or directory.</P -><P ->If set to <TT -CLASS="CONSTANT" ->true</TT ->, then all requests to set an ACL on a file will have the - parameters <A -HREF="#CREATEMASK" -><TT -CLASS="PARAMETER" -><I ->create mask</I -></TT -></A ->, - <A -HREF="#FORCECREATEMODE" -><TT -CLASS="PARAMETER" -><I ->force create mode</I -></TT -></A -> - applied before setting the ACL, and all requests to set an ACL on a directory will - have the parameters <A -HREF="#DIRECTORYMASK" -><TT -CLASS="PARAMETER" -><I ->directory - mask</I -></TT -></A ->, <A -HREF="#FORCEDIRECTORYMODE" -><TT -CLASS="PARAMETER" -><I ->force - directory mode</I -></TT -></A -> applied before setting the ACL. - </P -><P ->See also <A -HREF="#CREATEMASK" -><TT -CLASS="PARAMETER" -><I ->create mask</I -></TT -></A ->, - <A -HREF="#FORCECREATEMODE" -><TT -CLASS="PARAMETER" -><I ->force create mode</I -></TT -></A ->, - <A -HREF="#DIRECTORYMASK" -><TT -CLASS="PARAMETER" -><I ->directory mask</I -></TT -></A ->, - <A -HREF="#FORCEDIRECTORYMODE" -><TT -CLASS="PARAMETER" -><I ->force directory mode</I -></TT -></A -> - </P -><P ->Default: <B -CLASS="COMMAND" ->restrict acl with mask = no</B -></P -></DD -><DT -><A NAME="RESTRICTANONYMOUS" ></A >restrict anonymous (G)</DT @@ -15176,7 +15420,7 @@ CLASS="COMMAND" </B >.</P ><P ->In versions of Samba prior to 2..0, the default was +>In versions of Samba prior to 2.0.0, the default was <B CLASS="COMMAND" >security = share</B 
@@ -16290,14 +16534,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This variable enables or disables the entire SSL mode. If it is set to <TT CLASS="CONSTANT" @@ -16346,14 +16582,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This variable defines where to look up the Certification Authorities. The given directory should contain one file for each CA that Samba will trust. The file name must be the hash @@ -16383,14 +16611,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This variable is a second way to define the trusted CAs. The certificates of the trusted CAs are collected in one big file and this variable points to the file. You will probably @@ -16421,14 +16641,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This variable defines the ciphers that should be offered during SSL negotiation. You should not set this variable unless you know what you are doing.</P @@ -16448,14 +16660,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >The certificate in this file is used by <A HREF="smbclient.1.html" TARGET="_top" 
@@ -16487,14 +16691,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This is the private key for <A HREF="smbclient.1.html" TARGET="_top" @@ -16526,18 +16722,10 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P ->This variable defines whether SSLeay should be configured +>This variable defines whether OpenSSL should be configured for bug compatibility with other SSL implementations. This is probably not desirable because currently no clients with SSL - implementations other than SSLeay exist.</P + implementations other than OpenSSL exist.</P ><P >Default: <B CLASS="COMMAND" 
@@ -16546,6 +16734,104 @@ CLASS="COMMAND" ></DD ><DT ><A +NAME="SSLEGDSOCKET" +></A +>ssl egd socket (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +> This option is used to define the location of the communiation socket of + an EGD or PRNGD daemon, from which entropy can be retrieved. This option + can be used instead of or together with the <A +HREF="#SSLENTROPYFILE" +><TT +CLASS="PARAMETER" +><I +>ssl entropy file</I +></TT +></A +> + directive. 255 bytes of entropy will be retrieved from the daemon. + </P +><P +>Default: <EM +>none</EM +></P +></DD +><DT +><A +NAME="SSLENTROPYBYTES" +></A +>ssl entropy bytes (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +> This parameter is used to define the number of bytes which should + be read from the <A +HREF="#SSLENTROPYFILE" +><TT +CLASS="PARAMETER" +><I +>ssl entropy + file</I +></TT +></A +> If a -1 is specified, the entire file will + be read. + </P +><P +>Default: <B +CLASS="COMMAND" +>ssl entropy bytes = 255</B +></P +></DD +><DT +><A +NAME="SSLENTROPYFILE" +></A +>ssl entropy file (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +> This parameter is used to specify a file from which processes will + read "random bytes" on startup. In order to seed the internal pseudo + random number generator, entropy must be provided. 
On system with a + <TT +CLASS="FILENAME" +>/dev/urandom</TT +> device file, the processes + will retrieve its entropy from the kernel. On systems without kernel + entropy support, a file can be supplied that will be read on startup + and that will be used to seed the PRNG. + </P +><P +>Default: <EM +>none</EM +></P +></DD +><DT +><A NAME="SSLHOSTS" ></A >ssl hosts (G)</DT @@ -16576,14 +16862,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >These two variables define whether Samba will go into SSL mode or not. If none of them is defined, Samba will allow only SSL connections. If the <A @@ -16658,14 +16936,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >If this variable is set to <TT CLASS="CONSTANT" >yes</TT @@ -16724,14 +16994,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >If this variable is set to <TT CLASS="CONSTANT" >yes</TT @@ -16777,14 +17039,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This is the file containing the server's certificate. The server <EM >must</EM 
@@ -16813,14 +17067,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This file contains the private key of the server. If this variable is not defined, the key is looked up in the certificate file (it may be appended to the certificate). @@ -16853,14 +17099,6 @@ CLASS="COMMAND" > was given at configure time.</P ><P -><EM ->Note</EM -> that for export control reasons - this code is <EM ->NOT</EM -> enabled by default in any - current binary version of Samba.</P -><P >This enumeration variable defines the versions of the SSL protocol that will be used. <TT CLASS="CONSTANT" @@ -16955,6 +17193,43 @@ CLASS="COMMAND" ></DD ><DT ><A +NAME="STRICTALLOCATE" +></A +>strict allocate (S)</DT +><DD +><P +>This is a boolean that controls the handling of + disk space allocation in the server. When this is set to <TT +CLASS="CONSTANT" +>yes</TT +> + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems.</P +><P +>When strict allocate is <TT +CLASS="CONSTANT" +>no</TT +> the server does sparse + disk block allocation when a file is extended.</P +><P +>Setting this to <TT +CLASS="CONSTANT" +>yes</TT +> can help Samba return + out of quota messages on systems that are restricting the disk quota + of users.</P +><P +>Default: <B +CLASS="COMMAND" +>strict allocate = no</B +></P +></DD +><DT +><A NAME="STRICTLOCKING" ></A >strict locking (S)</DT 
@@ -17458,6 +17733,30 @@ CLASS="COMMAND" ></DD ><DT ><A +NAME="USEMMAP" +></A +>use mmap (G)</DT +><DD +><P +>This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to <TT +CLASS="CONSTANT" +>false</TT +> by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. + </P +><P +>Default: <B +CLASS="COMMAND" +>use mmap = yes</B +></P +></DD +><DT +><A NAME="USERHOSTS" ></A >use rhosts (G)</DT @@ -18152,15 +18451,14 @@ WIDTH="90%" ><TD ><PRE CLASS="PROGRAMLISTING" -> ; Veto any files containing the word Security, - ; any ending in .tmp, and any directory containing the - ; word root. - veto files = /*Security*/*.tmp/*root*/ +>; Veto any files containing the word Security, +; any ending in .tmp, and any directory containing the +; word root. +veto files = /*Security*/*.tmp/*root*/ - ; Veto the Apple specific files that a NetAtalk server - ; creates. - veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ - </PRE +; Veto the Apple specific files that a NetAtalk server +; creates. +veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/</PRE ></TD ></TR ></TABLE @@ -18416,7 +18714,7 @@ CLASS="COMMAND" ><P >Default: <B CLASS="COMMAND" ->winbind enum groups = no </B +>winbind enum groups = yes </B > </P ></DD @@ -18883,7 +19181,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN5953" +NAME="AEN6051" ></A ><H2 >WARNINGS</H2 @@ -18913,7 +19211,7 @@ TARGET="_top" ><DIV CLASS="REFSECT1" ><A -NAME="AEN5959" +NAME="AEN6057" ></A ><H2 >VERSION</H2 @@ -18924,7 +19222,7 @@ NAME="AEN5959" ><DIV CLASS="REFSECT1" ><A -NAME="AEN5962" +NAME="AEN6060" ></A ><H2 >SEE ALSO</H2 
@@ -19003,7 +19301,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN5982" +NAME="AEN6080" ></A ><H2 >AUTHOR</H2 diff --git a/docs/htmldocs/smbd.8.html b/docs/htmldocs/smbd.8.html index be82ef6d4ec..e093a05f646 100644 --- a/docs/htmldocs/smbd.8.html +++ b/docs/htmldocs/smbd.8.html @@ -36,7 +36,7 @@ NAME="AEN8" ><B CLASS="COMMAND" >smbd</B -> [-D] [-a] [-o] [-P] [-h] [-V] [-d <debug level>] [-l <log file>] [-p <port number>] [-O <socket option>] [-s <configuration file>]</P +> [-D] [-a] [-o] [-P] [-h] [-V] [-d <debug level>] [-l <log directory>] [-p <port number>] [-O <socket option>] [-s <configuration file>]</P ></DIV ><DIV CLASS="REFSECT1" @@ -228,17 +228,19 @@ CLASS="FILENAME" > file.</P ></DD ><DT ->-l <log file></DT +>-l <log directory></DT ><DD ><P ->If specified, <TT +>If specified, + <TT CLASS="REPLACEABLE" ><I ->log file</I +>log directory</I ></TT > - specifies a log filename into which informational and debug - messages from the running server will be logged. The log + specifies a log directory into which the "log.smbd" log + file will be created for informational and debug + messages from the running server. The log file generated is never removed by the server although its size may be controlled by the <A HREF="smb.conf.5.html#maxlogsize" @@ -252,8 +254,11 @@ TARGET="_top" CLASS="FILENAME" > smb.conf(5)</TT ></A -> file. The default log - file name is specified at compile time.</P +> file. + </P +><P +>The default log directory is specified at + compile time.</P ></DD ><DT >-O <socket options></DT @@ -331,7 +336,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN109" +NAME="AEN110" ></A ><H2 >FILES</H2 @@ -429,7 +434,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN142" +NAME="AEN143" ></A ><H2 >LIMITATIONS</H2 @@ -448,7 +453,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN146" +NAME="AEN147" ></A ><H2 >ENVIRONMENTVARIABLES</H2 
@@ -479,7 +484,7 @@ CLASS="CONSTANT" ><DIV CLASS="REFSECT1" ><A -NAME="AEN155" +NAME="AEN156" ></A ><H2 >INSTALLATION</H2 @@ -601,7 +606,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN188" +NAME="AEN189" ></A ><H2 >RUNNING THE SERVER AS A DAEMON</H2 @@ -656,7 +661,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN201" +NAME="AEN202" ></A ><H2 >RUNNING THE SERVER ON REQUEST</H2 @@ -792,7 +797,7 @@ CLASS="COMPUTEROUTPUT" ><DIV CLASS="REFSECT1" ><A -NAME="AEN233" +NAME="AEN234" ></A ><H2 >PAM INTERACTION</H2 @@ -837,7 +842,7 @@ TARGET="_top" ><DIV CLASS="REFSECT1" ><A -NAME="AEN244" +NAME="AEN245" ></A ><H2 >TESTING THE INSTALLATION</H2 @@ -895,7 +900,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN258" +NAME="AEN259" ></A ><H2 >VERSION</H2 @@ -906,7 +911,7 @@ NAME="AEN258" ><DIV CLASS="REFSECT1" ><A -NAME="AEN261" +NAME="AEN262" ></A ><H2 >DIAGNOSTICS</H2 @@ -929,7 +934,7 @@ NAME="AEN261" ><DIV CLASS="REFSECT1" ><A -NAME="AEN266" +NAME="AEN267" ></A ><H2 >SIGNALS</H2 @@ -994,7 +999,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN283" +NAME="AEN284" ></A ><H2 >SEE ALSO</H2 @@ -1060,7 +1065,7 @@ TARGET="_top" ><DIV CLASS="REFSECT1" ><A -NAME="AEN300" +NAME="AEN301" ></A ><H2 >AUTHOR</H2 diff --git a/docs/htmldocs/smbpasswd.8.html b/docs/htmldocs/smbpasswd.8.html index be82bc88098..c8f97c89d13 100644 --- a/docs/htmldocs/smbpasswd.8.html +++ b/docs/htmldocs/smbpasswd.8.html @@ -36,12 +36,12 @@ NAME="AEN8" ><B CLASS="COMMAND" >smbpasswd</B -> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-j DOMAIN] [-U username[%password]] [-h] [-s] [username]</P +> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-j DOMAIN] [-U username[%password]] [-h] [-s] [-w pass] [username]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN25" +NAME="AEN26" ></A ><H2 >DESCRIPTION</H2 
@@ -110,7 +110,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN41" +NAME="AEN42" ></A ><H2 >OPTIONS</H2 @@ -512,6 +512,47 @@ CLASS="COMMAND" is to aid people writing scripts to drive smbpasswd</P ></DD ><DT +>-w password</DT +><DD +><P +>This parameter is only available is Samba + has been configured to use the experiemental + <B +CLASS="COMMAND" +>--with-ldapsam</B +> option. The <TT +CLASS="PARAMETER" +><I +>-w</I +></TT +> + switch is used to specify the password to be used with the + <A +HREF="smb.conf.5.html#LDAPADMINDN" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>ldap admin + dn</I +></TT +></A +>. Note that the password is stored in + the <TT +CLASS="FILENAME" +>private/secrets.tdb</TT +> and is keyed off + of the admin's DN. This means that if the value of <TT +CLASS="PARAMETER" +><I +>ldap + admin dn</I +></TT +> ever changes, the password will beed to be + manually updated as well. + </P +></DD +><DT >username</DT ><DD ><P @@ -529,7 +570,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN171" +NAME="AEN182" ></A ><H2 >NOTES</H2 @@ -572,7 +613,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN181" +NAME="AEN192" ></A ><H2 >VERSION</H2 @@ -583,7 +624,7 @@ NAME="AEN181" ><DIV CLASS="REFSECT1" ><A -NAME="AEN184" +NAME="AEN195" ></A ><H2 >SEE ALSO</H2 @@ -606,7 +647,7 @@ TARGET="_top" ><DIV CLASS="REFSECT1" ><A -NAME="AEN190" +NAME="AEN201" ></A ><H2 >AUTHOR</H2 diff --git a/docs/htmldocs/smbrun.1.html b/docs/htmldocs/smbrun.1.html new file mode 100644 index 00000000000..95de5bebdf5 --- /dev/null +++ b/docs/htmldocs/smbrun.1.html 
@@ -0,0 +1,215 @@ +<HTML +><HEAD +><TITLE +>smbrun</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>smbrun</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbrun -- interface program between smbd and external + programs</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbrun</B +> {<shell command>}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN12" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>smbrun</B +> is a very small 'glue' program, + which runs shell commands for the <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> smbd(8)</B +></A +> daemon.</P +><P +>It first changes to the highest effective user and group + ID that it can, then runs the command line provided using the + system() call. This program is necessary to allow some operating + systems to run external programs as non-root.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN21" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>shell command</DT +><DD +><P +>The shell command to execute. 
The + command should have a fully-qualified path.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN28" +></A +><H2 +>ENVIRONMENT VARIABLES</H2 +><P +>The <TT +CLASS="PARAMETER" +><I +>PATH</I +></TT +> variable set for the + environment in which <B +CLASS="COMMAND" +>smbrun</B +> is executed will affect + what executables are located and executed if a fully-qualified path + is not given in the command.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN33" +></A +><H2 +>DIAGNOSTICS</H2 +><P +>If <B +CLASS="COMMAND" +>smbrun</B +> cannot be located or cannot + be executed by <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +> + </A +>, then appropriate messages will be found in the <B +CLASS="COMMAND" +> smbd</B +> logs. Other diagnostics are dependent on the shell-command + being run. It is advisable for your shell commands to issue suitable + diagnostics to aid trouble-shooting.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN40" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN43" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +></A +>, + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1) + </B +></A +>, and <A +HREF="nmblookup.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>nmblookup(1)</B +></A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN52" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. 
+ The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/using_samba/licenseinfo.html b/docs/htmldocs/using_samba/licenseinfo.html index 71bc74def8b..7e8962a8325 100644 --- a/docs/htmldocs/using_samba/licenseinfo.html +++ b/docs/htmldocs/using_samba/licenseinfo.html @@ -38,8 +38,8 @@ should read: O'Reilly & Associates. This material may be distributed only subject to the terms and conditions set forth in the license, which is presently available at - <a href="http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html"> - http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html</a>. + <a href="http://www.oreilly.com/catalog/samba/licenseinfo.html"> + http://www.oreilly.com/catalog/samba/licenseinfo.html</a>. </blockquote> <p> For an excerpt, the reference should read: @@ -50,8 +50,8 @@ For an excerpt, the reference should read: and published by O'Reilly & Associates. This material may be distributed only subject to the terms and conditions set forth in the license, which is presently available at - <a href="http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html"> - http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html</a>. + <a href="http://www.oreilly.com/catalog/samba/licenseinfo.html"> + http://www.oreilly.com/catalog/samba/licenseinfo.html</a>. </blockquote> <p> Translations must contain similar references in the target @@ -64,8 +64,8 @@ the following: published by O'Reilly & Associates. This material may be distributed only subject to the terms and conditions set forth in the license, which is presently available at - <a href="http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html"> - http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html</a>. + <a href="http://www.oreilly.com/catalog/samba/licenseinfo.html"> + http://www.oreilly.com/catalog/samba/licenseinfo.html</a>. </blockquote> <p> Both commercial and noncommercial redistribution of material 
diff --git a/docs/htmldocs/using_samba/this_edition.html b/docs/htmldocs/using_samba/this_edition.html index 839f65737a0..71522ac31e1 100644 --- a/docs/htmldocs/using_samba/this_edition.html +++ b/docs/htmldocs/using_samba/this_edition.html @@ -31,8 +31,8 @@ By Robert Eckstein, David Collier-Brown & Peter Kelly O'Reilly & Associates. This material may be distributed only subject to the terms and conditions set forth in the license, which is presently available at - <a href="http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html"> - http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html</a>. + <a href="http://www.oreilly.com/catalog/samba/licenseinfo.html"> + http://www.oreilly.com/catalog/samba/licenseinfo.html</a>. </blockquote> <hr size=1 noshade> diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html index addf74935c1..8ab39e5903d 100644 --- a/docs/htmldocs/winbind.html +++ b/docs/htmldocs/winbind.html @@ -759,11 +759,29 @@ CLASS="PROMPT" >I'm always paranoid and like to make sure the daemon is really running...</P ><P +><PRE +CLASS="PROGRAMLISTING" ><TT CLASS="PROMPT" >root# </TT > ps -ae | grep winbindd -3025 ? 00:00:00 winbindd</P +3025 ? 00:00:00 winbindd</PRE +></P +><P +>The reply <B +CLASS="COMMAND" +>3025 ? 00:00:00 winbind</B +>' indicates that +I have <B +CLASS="COMMAND" +>winbindd</B +> running as process #3025 on my system. You will get a +different process number, but you should see the <B +CLASS="COMMAND" +>winbindd</B +> +daemon. If it is NOT running, you will get no response from your system and will +simply be returned the command prompt.</P ><P >Now... for the real test, try to get some information about the users on your PDC</P @@ -837,7 +855,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN183" +NAME="AEN188" >Fix the /etc/rc.d/init.d/smb startup files</A ></H3 ><P @@ -932,7 +950,7 @@ CLASS="SECT3" ><HR><H3 CLASS="SECT3" ><A -NAME="AEN200" +NAME="AEN205" >Configure Winbind and PAM</A ></H3 ><P 
@@ -1090,7 +1108,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN241" +NAME="AEN246" >Limitations</A ></H1 ><P @@ -1131,7 +1149,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN251" +NAME="AEN256" >Conclusion</A ></H1 ><P diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index ad54228a6f4..0147861284f 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -77,6 +77,30 @@ CLASS="COMMAND" Windows NT server. The service can also provide authentication services via an associated PAM module. </P ><P +> The <TT +CLASS="FILENAME" +>pam_winbind</TT +> module in the 2.2.2 release only + supports the <TT +CLASS="PARAMETER" +><I +>auth</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>account</I +></TT +> + module-types. The latter is simply + performs a getpwnam() to verify that the system can obtain a uid for the + user. If the <TT +CLASS="FILENAME" +>libnss_winbind</TT +> library has been correctly + installed, this should always suceed. + </P +><P >The following nsswitch databases are implemented by the winbindd service: </P ><P @@ -149,7 +173,7 @@ group: files winbind ><DIV CLASS="REFSECT1" ><A -NAME="AEN43" +NAME="AEN48" ></A ><H2 >OPTIONS</H2 @@ -188,7 +212,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN56" +NAME="AEN61" ></A ><H2 >NAME AND ID RESOLUTION</H2 @@ -219,7 +243,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN62" +NAME="AEN67" ></A ><H2 >CONFIGURATION</H2 @@ -484,7 +508,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN144" +NAME="AEN149" ></A ><H2 >EXAMPLE SETUP</H2 @@ -662,7 +686,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN183" +NAME="AEN188" ></A ><H2 >NOTES</H2 @@ -720,7 +744,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN199" +NAME="AEN204" ></A ><H2 >SIGNALS</H2 @@ -771,7 +795,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN216" +NAME="AEN221" ></A ><H2 >FILES</H2 
@@ -847,7 +871,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN245" +NAME="AEN250" ></A ><H2 >VERSION</H2 @@ -858,7 +882,7 @@ NAME="AEN245" ><DIV CLASS="REFSECT1" ><A -NAME="AEN248" +NAME="AEN253" ></A ><H2 >SEE ALSO</H2 @@ -886,7 +910,7 @@ TARGET="_top" ><DIV CLASS="REFSECT1" ><A -NAME="AEN255" +NAME="AEN260" ></A ><H2 >AUTHOR</H2 |
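Review bot: In the smb.conf.5.html hunk that adds ssl egd socket, ssl entropy bytes and ssl entropy file (@@ -16546,6 +16734,104 @@), the new text has a typo, a missing sentence break and an agreement slip. "communiation socket" should be "communication socket"; in ssl entropy bytes the link text "ssl entropy file" runs straight into "If a -1 is specified" with no full stop; and in ssl entropy file "On system with a" should read "On systems with a", and "the processes will retrieve its entropy" should read "their entropy". The ssl egd socket entry also hard-codes "255 bytes of entropy will be retrieved from the daemon" while ssl entropy bytes is described only in terms of the entropy file, so it is worth saying explicitly whether ssl entropy bytes has any effect on the EGD read.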
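Review bot: In the smbpasswd.8.html hunk that documents the new -w switch (@@ -512,6 +512,47 @@), the added paragraph has three typos and the option is named differently from the synopsis. "is only available is Samba" should be "is only available if Samba", "experiemental" should be "experimental", and "will beed to be" should be "will need to be". The synopsis hunk in the same file adds "[-w pass]" while the option list entry is "-w password"; use one spelling in both places.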
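Review bot: In the new file smbrun.1.html (@@ -0,0 +1,215 @@), the H1 anchor is NAME="FINDSMB", which looks copied from the findsmb page and should be an smbrun anchor. SEE ALSO lists nmbd(8), smbclient(1) and nmblookup(1) but not smbd(8), the one program the DESCRIPTION says smbrun exists to serve. The DESCRIPTION says the command line is run through system() and ENVIRONMENT VARIABLES says PATH decides which executable is found when no fully-qualified path is given, so the OPTIONS wording "should have a fully-qualified path" could be stated more firmly. The file also ends without a trailing newline, and the AUTHOR paragraph is missing its final full stop after "Gerald Carter".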
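Review bot: In the winbind.html hunk that adds the explanation of the ps output (@@ -759,11 +759,29 @@), the new PRE block is left wrapped in the existing P element, and the quoted reply does not match the command output shown above it. The PRE should replace the P rather than sit inside it. The explanatory sentence quotes "3025 ? 00:00:00 winbind" followed by a stray closing apostrophe, while the listing shows "winbindd"; quote the output exactly and drop the unmatched apostrophe.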
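Review bot: In the winbindd.8.html hunk that adds the pam_winbind paragraph (@@ -77,6 +77,30 @@), "The latter is simply performs a getpwnam()" is ungrammatical and "suceed" is misspelled. Suggest "The latter simply performs a getpwnam()" and "this should always succeed". Since the paragraph says only the auth and account module-types are supported in 2.2.2, it would help to say what happens when a PAM stack references pam_winbind for an unsupported module-type.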