Diffstat (limited to 'docs/htmldocs')
-rw-r--r-- docs/htmldocs/Samba-HOWTO-Collection.html 584
1 files changed, 346 insertions, 238 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index 2d9f53d64a8..db8161436e5 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -271,299 +271,298 @@ HREF="#AEN445"
></DT
><DT
>4.2. <A
-HREF="#AEN462"
+HREF="#AEN463"
>Configuration</A
></DT
><DD
><DL
><DT
>4.2.1. <A
-HREF="#AEN472"
+HREF="#AEN474"
>Creating [print$]</A
></DT
><DT
>4.2.2. <A
-HREF="#AEN507"
+HREF="#AEN509"
>Setting Drivers for Existing Printers</A
></DT
><DT
>4.2.3. <A
-HREF="#AEN520"
+HREF="#AEN526"
>Support a large number of printers</A
></DT
><DT
>4.2.4. <A
-HREF="#AEN531"
+HREF="#AEN537"
>Adding New Printers via the Windows NT APW</A
></DT
><DT
>4.2.5. <A
-HREF="#AEN556"
+HREF="#AEN562"
>Samba and Printer Ports</A
></DT
></DL
></DD
><DT
>4.3. <A
-HREF="#AEN564"
+HREF="#AEN570"
>The Imprints Toolset</A
></DT
><DD
><DL
><DT
>4.3.1. <A
-HREF="#AEN568"
+HREF="#AEN574"
>What is Imprints?</A
></DT
><DT
>4.3.2. <A
-HREF="#AEN578"
+HREF="#AEN584"
>Creating Printer Driver Packages</A
></DT
><DT
>4.3.3. <A
-HREF="#AEN581"
+HREF="#AEN587"
>The Imprints server</A
></DT
><DT
>4.3.4. <A
-HREF="#AEN585"
+HREF="#AEN591"
>The Installation Client</A
></DT
></DL
></DD
><DT
>4.4. <A
-HREF="#AEN607"
+HREF="#AEN613"
><A
NAME="MIGRATION"
></A
->Migration to from Samba 2.0.x to
- 2.2.x</A
+>Migration to from Samba 2.0.x to 2.2.x</A
></DT
></DL
></DD
><DT
>5. <A
-HREF="#AEN639"
+HREF="#AEN657"
>security = domain in Samba 2.x</A
></DT
><DD
><DL
><DT
>5.1. <A
-HREF="#AEN657"
+HREF="#AEN675"
>Joining an NT Domain with Samba 2.2</A
></DT
><DT
>5.2. <A
-HREF="#AEN721"
+HREF="#AEN739"
>Samba and Windows 2000 Domains</A
></DT
><DT
>5.3. <A
-HREF="#AEN726"
+HREF="#AEN744"
>Why is this better than security = server?</A
></DT
></DL
></DD
><DT
>6. <A
-HREF="#AEN742"
->How to Configure Samba 2.2.x as a Primary Domain Controller</A
+HREF="#AEN760"
+>How to Configure Samba 2.2 as a Primary Domain Controller</A
></DT
><DD
><DL
><DT
>6.1. <A
-HREF="#AEN753"
+HREF="#AEN777"
>Background</A
></DT
><DT
>6.2. <A
-HREF="#AEN790"
+HREF="#AEN815"
>Configuring the Samba Domain Controller</A
></DT
><DT
>6.3. <A
-HREF="#AEN833"
+HREF="#AEN858"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></DT
><DT
>6.4. <A
-HREF="#AEN872"
+HREF="#AEN896"
>Common Problems and Errors</A
></DT
><DT
>6.5. <A
-HREF="#AEN900"
+HREF="#AEN924"
>System Policies and Profiles</A
></DT
><DT
>6.6. <A
-HREF="#AEN940"
+HREF="#AEN964"
>What other help can I get ?</A
></DT
><DD
><DL
><DT
>6.6.1. <A
-HREF="#AEN987"
+HREF="#AEN1011"
>URLs and similar</A
></DT
><DT
>6.6.2. <A
-HREF="#AEN1011"
+HREF="#AEN1035"
>Mailing Lists</A
></DT
></DL
></DD
><DT
>6.7. <A
-HREF="#AEN1050"
+HREF="#AEN1074"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
></DD
><DT
>7. <A
-HREF="#AEN1074"
+HREF="#AEN1098"
>Unifed Logons between Windows NT and UNIX using Winbind</A
></DT
><DD
><DL
><DT
>7.1. <A
-HREF="#AEN1092"
+HREF="#AEN1116"
>Abstract</A
></DT
><DT
>7.2. <A
-HREF="#AEN1096"
+HREF="#AEN1120"
>Introduction</A
></DT
><DT
>7.3. <A
-HREF="#AEN1109"
+HREF="#AEN1133"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
>7.3.1. <A
-HREF="#AEN1116"
+HREF="#AEN1140"
>Target Uses</A
></DT
></DL
></DD
><DT
>7.4. <A
-HREF="#AEN1120"
+HREF="#AEN1144"
>How Winbind Works</A
></DT
><DD
><DL
><DT
>7.4.1. <A
-HREF="#AEN1125"
+HREF="#AEN1149"
>Microsoft Remote Procedure Calls</A
></DT
><DT
>7.4.2. <A
-HREF="#AEN1129"
+HREF="#AEN1153"
>Name Service Switch</A
></DT
><DT
>7.4.3. <A
-HREF="#AEN1145"
+HREF="#AEN1169"
>Pluggable Authentication Modules</A
></DT
><DT
>7.4.4. <A
-HREF="#AEN1153"
+HREF="#AEN1177"
>User and Group ID Allocation</A
></DT
><DT
>7.4.5. <A
-HREF="#AEN1157"
+HREF="#AEN1181"
>Result Caching</A
></DT
></DL
></DD
><DT
>7.5. <A
-HREF="#AEN1160"
+HREF="#AEN1184"
>Installation and Configuration</A
></DT
><DT
>7.6. <A
-HREF="#AEN1166"
+HREF="#AEN1190"
>Limitations</A
></DT
><DT
>7.7. <A
-HREF="#AEN1178"
+HREF="#AEN1202"
>Conclusion</A
></DT
></DL
></DD
><DT
>8. <A
-HREF="#AEN1181"
+HREF="#AEN1205"
>UNIX Permission Bits and WIndows NT Access Control Lists</A
></DT
><DD
><DL
><DT
>8.1. <A
-HREF="#AEN1192"
+HREF="#AEN1216"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>8.2. <A
-HREF="#AEN1201"
+HREF="#AEN1225"
>How to view file security on a Samba share</A
></DT
><DT
>8.3. <A
-HREF="#AEN1212"
+HREF="#AEN1236"
>Viewing file ownership</A
></DT
><DT
>8.4. <A
-HREF="#AEN1232"
+HREF="#AEN1256"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
>8.4.1. <A
-HREF="#AEN1247"
+HREF="#AEN1271"
>File Permissions</A
></DT
><DT
>8.4.2. <A
-HREF="#AEN1261"
+HREF="#AEN1285"
>Directory Permissions</A
></DT
></DL
></DD
><DT
>8.5. <A
-HREF="#AEN1268"
+HREF="#AEN1292"
>Modifying file or directory permissions</A
></DT
><DT
>8.6. <A
-HREF="#AEN1290"
+HREF="#AEN1314"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>8.7. <A
-HREF="#AEN1354"
+HREF="#AEN1378"
>Interaction with the standard Samba file attribute
mapping</A
></DT
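Review bot: The rejoined title for entry 4.4 still reads "Migration to from Samba 2.0.x to 2.2.x"; drop the stray "to" so it reads "Migration from Samba 2.0.x to 2.2.x". The unchanged entries "Unifed Logons" (chapter 7) and "WIndows NT Access Control Lists" (chapter 8) carry typos as well. The wholesale renumbering of the AEN anchors suggests this file is generated, so these fixes belong in the source document it is built from rather than in this HTML.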
@@ -571,39 +570,39 @@ HREF="#AEN1354"
></DD
><DT
>9. <A
-HREF="#AEN1364"
+HREF="#AEN1388"
>OS2 Client HOWTO</A
></DT
><DD
><DL
><DT
>9.1. <A
-HREF="#AEN1375"
+HREF="#AEN1399"
>FAQs</A
></DT
><DD
><DL
><DT
>9.1.1. <A
-HREF="#AEN1377"
+HREF="#AEN1401"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>9.1.2. <A
-HREF="#AEN1392"
+HREF="#AEN1416"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>9.1.3. <A
-HREF="#AEN1401"
+HREF="#AEN1425"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>9.1.4. <A
-HREF="#AEN1405"
+HREF="#AEN1429"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -2347,22 +2346,48 @@ TARGET="_top"
information</P
></LI
></UL
+><P
+>There has been some initial confusion about what all this means
+and whether or not it is a requirement for printer drivers to be
+installed on a Samba host in order to support printing from Windows
+clients. Windows NT/2000 clients require that the Samba server
+possesses a valid driver for the printer. This requirement is
+the price to pay for support MSRPC printing calls and the design
+requirements laid out for Samba. Windows 9x clients do not require
+that the Samba host has a driver installed for the given printer.
+Samba does not use these drivers in any way to process spooled files.
+They are utilized entirely by the clients.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN462"
+NAME="AEN463"
>4.2. Configuration</A
></H1
+><DIV
+CLASS="WARNING"
><P
-><EM
->WARNING!!!</EM
-> Previous versions of Samba
-recommended using a share named [printer$]. This name was taken from the
-printer$ service created by Windows 9x clients when a
-printer was shared. Windows 9x printer servers always have
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>[print$] vs. [printer$]</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>Previous versions of Samba recommended using a share named [printer$].
+This name was taken from the printer$ service created by Windows 9x
+clients when a printer was shared. Windows 9x printer servers always have
a printer$ service which provides read-only access via no
password in order to support printer driver downloads.</P
><P
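Review bot: In the added paragraph, "the price to pay for support MSRPC printing calls" is missing a word; "for supporting MSRPC printing calls" reads correctly. The last two sentences (Samba never uses the drivers itself, they are utilized entirely by the clients) are the part an administrator needs most, so consider moving them up to directly follow the statement that NT/2000 clients require a valid driver on the server.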
@@ -2387,21 +2412,26 @@ the client.</P
>These parameters, including <TT
CLASS="PARAMETER"
><I
->printer driver
+>printer driver
file</I
></TT
> parameter, are being depreciated and should not
be used in new installations. For more information on this change,
you should refer to the <A
HREF="#MIGRATION"
->Migration section </A
->of this document.</P
+>Migration section</A
+>
+of this document.</P
+></TD
+></TR
+></TABLE
+></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN472"
+NAME="AEN474"
>4.2.1. Creating [print$]</A
></H2
><P
@@ -2430,6 +2460,11 @@ CLASS="PROGRAMLISTING"
guest ok = yes
browseable = yes
read only = yes
+ ; since this share is configured as read only, then we need
+ ; a 'write list'. Check the file system permissions to make
+ ; sure this account can copy files to the share. If this
+ ; is setup to a non-root account, then it should also exist
+ ; as a 'printer admin'
write list = ntadmin</PRE
></TD
></TR
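Review bot: The new comment says the write list account "should also exist as a 'printer admin'", but the listing sets only write list = ntadmin and shows no printer admin line, so a reader who copies the example gets an account that can write to the share without the membership the comment asks for. Either add the matching printer admin setting to the example or have the comment name that parameter as something to set elsewhere. Wording: "setup" used as a verb should be "set up", and "since ..., then we need" can drop "then".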
@@ -2450,16 +2485,17 @@ level user accounts to have write access in order to update files
on the share. See the <A
HREF="smb./conf.5.html"
TARGET="_top"
->smb.conf(5) man page</A
-> for more information on
-configuring file shares.</P
+>smb.conf(5)
+man page</A
+> for more information on configuring file shares.</P
><P
>The requirement for <A
HREF="smb.conf.5.html#GUESTOK"
TARGET="_top"
><B
CLASS="COMMAND"
->guest ok = yes</B
+>guest
+ok = yes</B
></A
> depends upon how your
site is configured. If users will be guaranteed to have
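Review bot: The link whose text is re-wrapped here still points at HREF="smb./conf.5.html" (the context line just above the changed text), which has a stray "/" and will not resolve; the next link in this hunk uses smb.conf.5.html. Fix the target in the same change. The new line breaks inside the link text ("smb.conf(5)" / "man page" and "guest" / "ok = yes") are harmless in HTML but add noise to the diff.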
@@ -2538,26 +2574,26 @@ ALIGN="CENTER"
ALIGN="LEFT"
><P
>In order to currently add a new driver to you Samba host,
- one of two conditions must hold true:</P
+one of two conditions must hold true:</P
><P
></P
><UL
><LI
><P
>The account used to connect to the Samba host
- must have a uid of 0 (i.e. a root account)</P
+ must have a uid of 0 (i.e. a root account)</P
></LI
><LI
><P
>The account used to connect to the Samba host
- must be a member of the <A
+ must be a member of the <A
HREF="smb.conf.5.html#PRINTERADMIN"
TARGET="_top"
><TT
CLASS="PARAMETER"
><I
>printer
- admin</I
+ admin</I
></TT
></A
> list.</P
@@ -2565,7 +2601,8 @@ CLASS="PARAMETER"
></UL
><P
>Of course, the connected account must still possess access
- to add files to the subdirectories beneath [print$].</P
+to add files to the subdirectories beneath [print$]. Remember
+that all file shares are set to 'read only' by default.</P
></TD
></TR
></TABLE
@@ -2588,14 +2625,30 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN507"
+NAME="AEN509"
>4.2.2. Setting Drivers for Existing Printers</A
></H2
><P
>The initial listing of printers in the Samba host's
-Printers folder will have no printer driver assigned to them.
-The way assign a driver to a printer is to view the Properties
-of the printer and either</P
+Printers folder will have no real printer driver assigned
+to them. By default, Samba set the driver name to
+<EM
+>NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER</EM
+>.
+Attempting to view the printer properties for a printer
+which has this default driver assigned will result in
+the error message:</P
+><P
+><EM
+>Device settings cannot be displayed. The driver
+for the specified printer is not installed, only spooler
+properties will be displayed. Do you want to install the
+driver now?</EM
+></P
+><P
+>Click "No" in the error dialog and you will be presented with
+the printer properties window. The way assign a driver to a
+printer is to either</P
><P
></P
><UL
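Review bot: Two grammar slips in the added text: "Samba set the driver name" should be "Samba sets the driver name", and "The way assign a driver to a printer", carried over from the old wording, should be "The way to assign a driver to a printer".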
@@ -2642,7 +2695,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN520"
+NAME="AEN526"
>4.2.3. Support a large number of printers</A
></H2
><P
@@ -2700,7 +2753,7 @@ Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
<TT
CLASS="PROMPT"
>$ </TT
->rpcclient pogo -U root%bleaK.er \
+>rpcclient pogo -U root%secret \
<TT
CLASS="PROMPT"
>&#62; </TT
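Review bot: The old value looked like a real password, so replacing it is right, but the example still puts the root password on the command line (-U root%secret), where it ends up in shell history and is visible in the process list to other users on the host. Show -U root and let rpcclient prompt for the password, or add a sentence saying the %password form is used here for illustration only.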
@@ -2717,7 +2770,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN531"
+NAME="AEN537"
>4.2.4. Adding New Printers via the Windows NT APW</A
></H2
><P
@@ -2739,7 +2792,7 @@ CLASS="PARAMETER"
><I
>printer admin</I
></TT
->.
+>).
</P
></LI
><LI
@@ -2766,8 +2819,8 @@ TARGET="_top"
><TT
CLASS="PARAMETER"
><I
->addprinter
-command</I
+>add
+printer command</I
></TT
></A
> must have a defined value. The program
@@ -2789,7 +2842,7 @@ CLASS="COMMAND"
CLASS="PARAMETER"
><I
>add printer
-program</I
+command</I
></TT
> and reparse to the <TT
CLASS="FILENAME"
@@ -2802,7 +2855,7 @@ CLASS="PARAMETER"
><I
>add printer program</I
></TT
-> is executed undet the context
+> is executed under the context
of the connected user, not necessarily a root account.</P
><P
>There is a complementing <A
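Review bot: The two preceding hunks rename the parameter to "add printer command", but the context line in this hunk still reads "add printer program"; change it here as well so the section uses one name. The sentence being corrected is the one that tells the reader the command runs as the connected user and not necessarily as root, so it is worth getting the parameter name in it right.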
@@ -2811,8 +2864,8 @@ TARGET="_top"
><TT
CLASS="PARAMETER"
><I
->deleteprinter
-command</I
+>delete
+printer command</I
></TT
></A
> for removing entries from the "Printers..."
@@ -2823,7 +2876,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN556"
+NAME="AEN562"
>4.2.5. Samba and Printer Ports</A
></H2
><P
@@ -2860,7 +2913,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN564"
+NAME="AEN570"
>4.3. The Imprints Toolset</A
></H1
><P
@@ -2878,7 +2931,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN568"
+NAME="AEN574"
>4.3.1. What is Imprints?</A
></H2
><P
@@ -2910,7 +2963,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN578"
+NAME="AEN584"
>4.3.2. Creating Printer Driver Packages</A
></H2
><P
@@ -2926,7 +2979,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN581"
+NAME="AEN587"
>4.3.3. The Imprints server</A
></H2
><P
@@ -2946,7 +2999,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN585"
+NAME="AEN591"
>4.3.4. The Installation Client</A
></H2
><P
@@ -3049,18 +3102,60 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN607"
+NAME="AEN613"
>4.4. <A
NAME="MIGRATION"
></A
->Migration to from Samba 2.0.x to
- 2.2.x</A
+>Migration to from Samba 2.0.x to 2.2.x</A
></H1
><P
->Given that printer driver management has changed
- (we hope improved :) ) in 2.2.0 over prior releases,
- migration from an existing setup to 2.2.0 can follow
- several paths.</P
+>Given that printer driver management has changed (we hope improved) in
+2.2 over prior releases, migration from an existing setup to 2.2 can
+follow several paths.</P
+><P
+>Windows clients have a tendency to remember things for quite a while.
+For example, if a Windows NT client has attached to a Samba 2.0 server,
+it will remember the server as a LanMan printer server. Upgrading
+the Samba host to 2.2 makes support for MSRPC printing possible, but
+the NT client will still remember the previous setting.</P
+><P
+>In order to give an NT client printing "amesia" (only necessary if you
+want to use the newer MSRPC printing functionality in Samba), delete
+the registry keys associated with the print server contained in
+<TT
+CLASS="CONSTANT"
+>[HKLM\SYSTEM\CurrentControlSet\Control\Print]</TT
+>. The
+spooler service on the client should be stopped prior to doing this:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT\ &#62;</TT
+> <TT
+CLASS="USERINPUT"
+><B
+>net stop spooler</B
+></TT
+></P
+><P
+><EM
+>All the normal disclaimers about editing the registry go
+here.</EM
+> Be careful, and know what you are doing.</P
+><P
+>The spooler service should be restarted after you have finished
+removing the appropriate registry entries by replacing the
+<B
+CLASS="COMMAND"
+>stop</B
+> command above with <B
+CLASS="COMMAND"
+>start</B
+>.</P
+><P
+>Windows 9x clients will continue to use LanMan printing calls
+with a 2.2 Samba server so there is no need to perform any of these
+modifications on non-NT clients.</P
><DIV
CLASS="WARNING"
><P
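Review bot: "amesia" should be "amnesia". More important, the instruction to delete "the registry keys associated with the print server" under [HKLM\SYSTEM\CurrentControlSet\Control\Print] does not say which subkeys those are, and the caution that follows is a placeholder ("All the normal disclaimers about editing the registry go here"). Name the keys to remove and tell the reader to export the Print key before deleting anything so the change can be undone. The heading still reads "Migration to from", and the prompt renders as "C:\WINNT\ >" with a stray space before the ">".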
@@ -3080,9 +3175,8 @@ ALIGN="CENTER"
><TD
ALIGN="LEFT"
><P
->The following smb.conf parameters are considered to be
- depreciated and will be removed soon. Do not use them
- in new installations</P
+>The following smb.conf parameters are considered to be depreciated and will
+be removed soon. Do not use them in new installations</P
><P
></P
><UL
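Review bot: "depreciated" should be "deprecated" (the same word appears in the [print$] vs. [printer$] warning earlier in this file), and the re-wrapped sentence "Do not use them in new installations" still lacks its closing period.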
@@ -3094,7 +3188,7 @@ CLASS="PARAMETER"
>printer driver file (G)</I
></TT
>
- </P
+ </P
></LI
><LI
><P
@@ -3104,7 +3198,7 @@ CLASS="PARAMETER"
>printer driver (S)</I
></TT
>
- </P
+ </P
></LI
><LI
><P
@@ -3114,7 +3208,7 @@ CLASS="PARAMETER"
>printer driver location (S)</I
></TT
>
- </P
+ </P
></LI
></UL
></TD
@@ -3129,31 +3223,31 @@ CLASS="PARAMETER"
><LI
><P
>If you do not desire the new Windows NT
- print driver support, nothing needs to be done.
- All existing parameters work the same.</P
+ print driver support, nothing needs to be done.
+ All existing parameters work the same.</P
></LI
><LI
><P
>If you want to take advantage of NT printer
- driver support but do not want to migrate the
- 9x drivers to the new setup, the leave the existing
- printers.def file. When smbd attempts to locate a
- 9x driver for the printer in the TDB and fails it
- will drop down to using the printers.def (and all
- associated parameters). The <B
+ driver support but do not want to migrate the
+ 9x drivers to the new setup, the leave the existing
+ printers.def file. When smbd attempts to locate a
+ 9x driver for the printer in the TDB and fails it
+ will drop down to using the printers.def (and all
+ associated parameters). The <B
CLASS="COMMAND"
>make_printerdef</B
>
- tool will also remain for backwards compatibility but will
- be moved to the "this tool is the old way of doing it"
- pile.</P
+ tool will also remain for backwards compatibility but will
+ be moved to the "this tool is the old way of doing it"
+ pile.</P
></LI
><LI
><P
>If you install a Windows 9x driver for a printer
- on your Samba host (in the printing TDB), this information will
- take precedence and the three old printing parameters
- will be ignored (including print driver location).</P
+ on your Samba host (in the printing TDB), this information will
+ take precedence and the three old printing parameters
+ will be ignored (including print driver location).</P
></LI
><LI
><P
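Review bot: This hunk re-indents the list items without fixing their text: "the leave the existing printers.def file" should be "then leave the existing printers.def file", and "in the TDB and fails it will drop down" needs a comma after "fails". If the change is meant to be whitespace only, keep it that way and correct the wording in a separate commit; otherwise fix it here while the lines are being touched.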
@@ -3161,23 +3255,22 @@ CLASS="COMMAND"
CLASS="FILENAME"
>printers.def</TT
>
- file into the new setup, the current only
- solution is to use the Windows NT APW to install the NT drivers
- and the 9x drivers. This can be scripted using <B
+ file into the new setup, the current only solution is to use the Windows
+ NT APW to install the NT drivers and the 9x drivers. This can be scripted
+ using <B
CLASS="COMMAND"
>smbclient</B
->
- and <B
+> and <B
CLASS="COMMAND"
>rpcclient</B
>. See the
- Imprints installation client at <A
+ Imprints installation client at <A
HREF="http://imprints.sourceforge.net/"
TARGET="_top"
>http://imprints.sourceforge.net/</A
>
- for an example.
- </P
+ for an example.
+ </P
></LI
></UL
></DIV
@@ -3186,7 +3279,7 @@ TARGET="_top"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN639"
+NAME="AEN657"
>Chapter 5. security = domain in Samba 2.x</A
></H1
><DIV
@@ -3194,7 +3287,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN657"
+NAME="AEN675"
>5.1. Joining an NT Domain with Samba 2.2</A
></H1
><P
@@ -3421,7 +3514,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN721"
+NAME="AEN739"
>5.2. Samba and Windows 2000 Domains</A
></H1
><P
@@ -3446,7 +3539,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN726"
+NAME="AEN744"
>5.3. Why is this better than security = server?</A
></H1
><P
@@ -3532,50 +3625,63 @@ TARGET="_top"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN742"
->Chapter 6. How to Configure Samba 2.2.x as a Primary Domain Controller</A
+NAME="AEN760"
+>Chapter 6. How to Configure Samba 2.2 as a Primary Domain Controller</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN753"
+NAME="AEN777"
>6.1. Background</A
></H1
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
><P
+><B
+>Note: </B
><EM
>Author's Note :</EM
-> This document
-is a combination of David Bannon's Samba 2.2 PDC HOWTO
-and the Samba NT Domain FAQ. Both documents are superceeded by this one.</P
+> This document is a combination
+of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.
+Both documents are superceeded by this one.</P
+></BLOCKQUOTE
+></DIV
><P
>Version of Samba prior to release 2.2 had marginal capabilities to
act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
-functionality should work in 2.2.0:</P
+functionality should work in 2.2:</P
><P
></P
><UL
><LI
><P
->domain logons for Windows NT 4.0/2000 clients</P
+> domain logons for Windows NT 4.0/2000 clients
+ </P
></LI
><LI
><P
->placing a Windows 9x client in user level security</P
+> placing a Windows 9x client in user level security
+ </P
></LI
><LI
><P
->retrieving a list of users and groups from a Samba PDC to
- Windows 9x/NT/2000 clients </P
+> retrieving a list of users and groups from a Samba PDC to
+ Windows 9x/NT/2000 clients
+ </P
></LI
><LI
><P
->roving user profiles</P
+> roving (roaming) user profiles
+ </P
></LI
><LI
><P
->Windows NT 4.0 style system policies</P
+> Windows NT 4.0 style system policies
+ </P
></LI
></UL
><P
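Review bot: Inside the new NOTE block the label is doubled: the bold "Note: " is followed by the original emphasised "Author's Note :", so the paragraph renders as "Note: Author's Note : This document ...". Drop the inline "Author's Note :" or fold "Author's" into the block label. "superceeded" should be "superseded", and the unchanged lead-in "Version of Samba prior to release 2.2" should read "Versions".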
@@ -3585,21 +3691,25 @@ functionality should work in 2.2.0:</P
><UL
><LI
><P
->Windows NT 4 domain trusts</P
+> Windows NT 4 domain trusts
+ </P
></LI
><LI
><P
->Sam replication with Windows NT 4.0 Domain Controllers
- (i.e. a Samba PDC and a Windows NT BDC or vice versa) </P
+> SAM replication with Windows NT 4.0 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa)
+ </P
></LI
><LI
><P
->Adding users via the User Manager for Domains</P
+> Adding users via the User Manager for Domains
+ </P
></LI
><LI
><P
->Acting as a Windows 2000 Domain Controller (i.e. Kerberos
- and Active Directory)</P
+> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
+ Active Directory)
+ </P
></LI
></UL
><P
@@ -3613,14 +3723,14 @@ time.</P
support for Windows NT 4.0 style domain logons from Windows NT
4.0 and Windows 2000 (including SP1) clients. This article
outlines the steps necessary for configuring Samba as a PDC.
-Note that it is necessary to have a working Samba server
-prior to implementing the PDC functionality. If you have not
-followed the steps outlined in <A
+It is necessary to have a working Samba server prior to implementing the
+PDC functionality. If you have not followed the steps outlined in
+<A
HREF="UNIX_INSTALL.html"
TARGET="_top"
->UNIX_INSTALL.html</A
->, please make sure that your server
-is configured correctly before proceeding. Another good
+> UNIX_INSTALL.html</A
+>, please make sure
+that your server is configured correctly before proceeding. Another good
resource in the <A
HREF="smb.conf.5.html"
TARGET="_top"
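Review bot: The re-wrapped link text now begins with a space ("> UNIX_INSTALL.html</A"), so the space becomes part of the link; move it outside the anchor. The context line that follows, "Another good resource in the", should read "is the".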
@@ -3636,13 +3746,14 @@ steps.</P
TYPE="1"
><LI
><P
->Configuring the Samba Domain Controller
+> Configuring the Samba PDC
</P
></LI
><LI
><P
->Creating machine trust accounts
- and joining clients to the domain</P
+> Creating machine trust accounts and joining clients
+ to the domain
+ </P
></LI
></OL
><P
@@ -3656,7 +3767,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN790"
+NAME="AEN815"
>6.2. Configuring the Samba Domain Controller</A
></H1
><P
@@ -3768,7 +3879,7 @@ TARGET="_top"
> = \\homeserver\%u
; specify a generic logon script for all users
- ; this is a relative path to the [netlogon] share
+ ; this is a relative **DOS** path to the [netlogon] share
<A
HREF="smb.conf.5.html#LOGONSCRIPT"
TARGET="_top"
@@ -3825,16 +3936,14 @@ TARGET="_top"
></TABLE
></P
><P
->There are a couple of points to emphasize in the above
-configuration.</P
+>There are a couple of points to emphasize in the above configuration.</P
><P
></P
><UL
><LI
><P
->encrypted passwords must be enabled.
- For more details on how to do this, refer to
- <A
+> Encrypted passwords must be enabled. For more details on how
+ to do this, refer to <A
HREF="ENCRYPTION.html"
TARGET="_top"
>ENCRYPTION.html</A
@@ -3843,23 +3952,25 @@ TARGET="_top"
></LI
><LI
><P
->The server must support domain logons
- and a <TT
+> The server must support domain logons and a
+ <TT
CLASS="FILENAME"
>[netlogon]</TT
-> share</P
+> share
+ </P
></LI
><LI
><P
->The server must be the domain master browser
- in order for Windows client to locate the server as a DC.</P
+> The server must be the domain master browser in order for Windows
+ client to locate the server as a DC.
+ </P
></LI
></UL
><P
>As Samba 2.2 does not offer a complete implementation of group mapping between
Windows NT groups and UNIX groups (this is really quite complicated to explain
in a short space), you should refer to the <A
-HREF="smb.conf.5.html#DOMAINADMONUSERS"
+HREF="smb.conf.5.html#DOMAINADMINUSERS"
TARGET="_top"
>domain
admin users</A
@@ -3876,14 +3987,11 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN833"
+NAME="AEN858"
>6.3. Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
><P
->First you must understand what a machine trust account is and what
-it is used for.</P
-><P
>A machine trust account is a user account owned by a computer.
The account password acts as the shared secret for secure
communication with the Domain Controller. Hence the reason that
@@ -3897,7 +4005,7 @@ as user LanMan and NT password hashes (currently <TT
CLASS="FILENAME"
>smbpasswd</TT
>).
-However, machine trust accounts only possess the NT password hash.</P
+However, machine trust accounts only possess and use the NT password hash.</P
><P
>There are two means of creating machine trust accounts.</P
><P
@@ -3905,16 +4013,18 @@ However, machine trust accounts only possess the NT password hash.</P
><UL
><LI
><P
->Manual creation before joining the client
- to the domain. In this case, the password is set to a known
- value -- the lower case of the machine's netbios name.</P
+> Manual creation before joining the client to the domain. In this case,
+ the password is set to a known value -- the lower case of the
+ machine's netbios name.
+ </P
></LI
><LI
><P
->Creation of the account at the time of
- joining the domain. In this case, the session key of the
- administrative account used to join the client to the domain acts
- as an encryption key for setting the password to a random value.</P
+> Creation of the account at the time of joining the domain. In
+ this case, the session key of the administrative account used to join
+ the client to the domain acts as an encryption key for setting the
+ password to a random value.
+ </P
></LI
></UL
><P
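Review bot: The first list item says a manually created machine trust account gets a known password, the lower case of the machine's netbios name, and this section describes that password as the shared secret for communication with the Domain Controller. The text should say outright that such an account can be guessed by anyone who knows the machine name for as long as that initial password stays in place, and recommend joining the client immediately after creating the account or using the on-the-fly method from the second item, which sets a random value.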
@@ -3994,8 +4104,7 @@ in your domain.</P
><P
>The second way of creating machine trust accounts is to add
them on the fly at the time the client is joined to the domain.
-You will need to include a value for the
-<A
+You will need to include a value for the <A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
@@ -4016,28 +4125,27 @@ CLASS="PROGRAMLISTING"
></TABLE
></P
><P
->In Samba 2.2.0, <EM
+>In Samba 2.2, <EM
>only the root account</EM
> can be used to create
-machine accounts on the fly like this. Therefore, it is required
-to create an entry in smbpasswd for <EM
+machine accounts on the fly like this. Therefore, it is required to create
+an entry in smbpasswd for <EM
>root</EM
->.
-The password <EM
+>. The password
+<EM
>SHOULD</EM
-> be set to s different
-password that the associated <TT
+> be set to s different password that the
+associated <TT
CLASS="FILENAME"
>/etc/passwd</TT
->
-entry for security reasons.</P
+> entry for security reasons.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN872"
+NAME="AEN896"
>6.4. Common Problems and Errors</A
></H1
><P
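Review bot: The re-wrapped sentence keeps two typos: "be set to s different password that the associated /etc/passwd entry" should read "be set to a different password than the associated /etc/passwd entry". This is the one security recommendation in the paragraph, so replace "for security reasons" with the actual reason in a clause: the smbpasswd entry for root is the credential used over the network to create machine accounts.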
@@ -4143,7 +4251,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN900"
+NAME="AEN924"
>6.5. System Policies and Profiles</A
></H1
><P
@@ -4281,7 +4389,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN940"
+NAME="AEN964"
>6.6. What other help can I get ?</A
></H1
><P
@@ -4462,7 +4570,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN987"
+NAME="AEN1011"
>6.6.1. URLs and similar</A
></H2
><P
@@ -4535,7 +4643,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1011"
+NAME="AEN1035"
>6.6.2. Mailing Lists</A
></H2
><P
@@ -4667,7 +4775,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1050"
+NAME="AEN1074"
>6.7. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><P
@@ -4768,7 +4876,7 @@ within its registry.</P
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1074"
+NAME="AEN1098"
>Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind</A
></H1
><DIV
@@ -4776,7 +4884,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1092"
+NAME="AEN1116"
>7.1. Abstract</A
></H1
><P
@@ -4798,7 +4906,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1096"
+NAME="AEN1120"
>7.2. Introduction</A
></H1
><P
@@ -4852,7 +4960,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1109"
+NAME="AEN1133"
>7.3. What Winbind Provides</A
></H1
><P
@@ -4894,7 +5002,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1116"
+NAME="AEN1140"
>7.3.1. Target Uses</A
></H2
><P
@@ -4918,7 +5026,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1120"
+NAME="AEN1144"
>7.4. How Winbind Works</A
></H1
><P
@@ -4938,7 +5046,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1125"
+NAME="AEN1149"
>7.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
@@ -4964,7 +5072,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1129"
+NAME="AEN1153"
>7.4.2. Name Service Switch</A
></H2
><P
@@ -5043,7 +5151,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1145"
+NAME="AEN1169"
>7.4.3. Pluggable Authentication Modules</A
></H2
><P
@@ -5092,7 +5200,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1153"
+NAME="AEN1177"
>7.4.4. User and Group ID Allocation</A
></H2
><P
@@ -5118,7 +5226,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1157"
+NAME="AEN1181"
>7.4.5. Result Caching</A
></H2
><P
@@ -5141,7 +5249,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1160"
+NAME="AEN1184"
>7.5. Installation and Configuration</A
></H1
><P
@@ -5172,7 +5280,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1166"
+NAME="AEN1190"
>7.6. Limitations</A
></H1
><P
@@ -5220,7 +5328,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1178"
+NAME="AEN1202"
>7.7. Conclusion</A
></H1
><P
@@ -5236,7 +5344,7 @@ NAME="AEN1178"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1181"
+NAME="AEN1205"
>Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists</A
></H1
><DIV
@@ -5244,7 +5352,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1192"
+NAME="AEN1216"
>8.1. Viewing and changing UNIX permissions using the NT
security dialogs</A
></H1
@@ -5283,7 +5391,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1201"
+NAME="AEN1225"
>8.2. How to view file security on a Samba share</A
></H1
><P
@@ -5329,7 +5437,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1212"
+NAME="AEN1236"
>8.3. Viewing file ownership</A
></H1
><P
@@ -5415,7 +5523,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1232"
+NAME="AEN1256"
>8.4. Viewing file or directory permissions</A
></H1
><P
@@ -5477,7 +5585,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1247"
+NAME="AEN1271"
>8.4.1. File Permissions</A
></H2
><P
@@ -5539,7 +5647,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1261"
+NAME="AEN1285"
>8.4.2. Directory Permissions</A
></H2
><P
@@ -5571,7 +5679,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1268"
+NAME="AEN1292"
>8.5. Modifying file or directory permissions</A
></H1
><P
@@ -5669,7 +5777,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1290"
+NAME="AEN1314"
>8.6. Interaction with the standard Samba create mask
parameters</A
></H1
@@ -5942,7 +6050,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1354"
+NAME="AEN1378"
>8.7. Interaction with the standard Samba file attribute
mapping</A
></H1
@@ -5989,7 +6097,7 @@ CLASS="COMMAND"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1364"
+NAME="AEN1388"
>Chapter 9. OS2 Client HOWTO</A
></H1
><DIV
@@ -5997,7 +6105,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1375"
+NAME="AEN1399"
>9.1. FAQs</A
></H1
><DIV
@@ -6005,7 +6113,7 @@ CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1377"
+NAME="AEN1401"
>9.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
@@ -6064,7 +6172,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1392"
+NAME="AEN1416"
>9.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
@@ -6117,7 +6225,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1401"
+NAME="AEN1425"
>9.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
@@ -6139,7 +6247,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1405"
+NAME="AEN1429"
>9.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2