Diffstat (limited to 'docs/htmldocs')
-rw-r--r--docs/htmldocs/Samba-HOWTO-Collection.html1979
-rw-r--r--docs/htmldocs/Samba-PDC-HOWTO.html545
-rw-r--r--docs/htmldocs/nmbd.8.html159
-rw-r--r--docs/htmldocs/rpcclient.1.html2
-rw-r--r--docs/htmldocs/samba-pdc-faq.html1954
-rw-r--r--docs/htmldocs/samba-pdc-howto.html1558
-rw-r--r--docs/htmldocs/smb.conf.5.html337
-rw-r--r--docs/htmldocs/smbclient.1.html105
-rw-r--r--docs/htmldocs/smbcontrol.1.html24
-rw-r--r--docs/htmldocs/smbd.8.html531
-rw-r--r--docs/htmldocs/smbrun.1.html215
-rw-r--r--docs/htmldocs/smbsh.1.html229
-rw-r--r--docs/htmldocs/wbinfo.1.html88
-rw-r--r--docs/htmldocs/winbind.html362
-rw-r--r--docs/htmldocs/winbindd.8.html71
15 files changed, 2745 insertions, 5414 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index 988766d5340..870b0ec6e82 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -558,96 +558,101 @@ HREF="#AEN1098"
></DT
><DT
>8.3. <A
-HREF="#AEN1140"
+HREF="#AEN1137"
>Configuring the Samba Domain Controller</A
></DT
><DT
>8.4. <A
-HREF="#AEN1182"
->Creating Machine Trust Accounts and Joining Clients
-to the Domain</A
+HREF="#AEN1180"
+>Creating Machine Trust Accounts and Joining Clients to the
+Domain</A
></DT
><DD
><DL
><DT
>8.4.1. <A
-HREF="#AEN1196"
->Manually creating machine trust accounts</A
+HREF="#AEN1199"
+>Manual Creation of Machine Trust Accounts</A
></DT
><DT
>8.4.2. <A
-HREF="#AEN1227"
->Creating machine trust accounts "on the fly"</A
+HREF="#AEN1234"
+>"On-the-Fly" Creation of Machine Trust Accounts</A
+></DT
+><DT
+>8.4.3. <A
+HREF="#AEN1243"
+>Joining the Client to the Domain</A
></DT
></DL
></DD
><DT
>8.5. <A
-HREF="#AEN1238"
+HREF="#AEN1258"
>Common Problems and Errors</A
></DT
><DT
>8.6. <A
-HREF="#AEN1286"
+HREF="#AEN1306"
>System Policies and Profiles</A
></DT
><DT
>8.7. <A
-HREF="#AEN1330"
->What other help can I get ?</A
+HREF="#AEN1350"
+>What other help can I get?</A
></DT
><DT
>8.8. <A
-HREF="#AEN1444"
+HREF="#AEN1464"
>Domain Control for Windows 9x/ME</A
></DT
><DD
><DL
><DT
>8.8.1. <A
-HREF="#AEN1474"
+HREF="#AEN1490"
>Configuration Instructions: Network Logons</A
></DT
><DT
>8.8.2. <A
-HREF="#AEN1508"
+HREF="#AEN1509"
>Configuration Instructions: Setting up Roaming User Profiles</A
></DT
><DD
><DL
><DT
>8.8.2.1. <A
-HREF="#AEN1516"
+HREF="#AEN1517"
>Windows NT Configuration</A
></DT
><DT
>8.8.2.2. <A
-HREF="#AEN1524"
+HREF="#AEN1525"
>Windows 9X Configuration</A
></DT
><DT
>8.8.2.3. <A
-HREF="#AEN1532"
+HREF="#AEN1533"
>Win9X and WinNT Configuration</A
></DT
><DT
>8.8.2.4. <A
-HREF="#AEN1539"
+HREF="#AEN1540"
>Windows 9X Profile Setup</A
></DT
><DT
>8.8.2.5. <A
-HREF="#AEN1575"
+HREF="#AEN1576"
>Windows NT Workstation 4.0</A
></DT
><DT
>8.8.2.6. <A
-HREF="#AEN1588"
+HREF="#AEN1589"
>Windows NT Server</A
></DT
><DT
>8.8.2.7. <A
-HREF="#AEN1591"
+HREF="#AEN1592"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></DT
></DL
@@ -656,133 +661,194 @@ HREF="#AEN1591"
></DD
><DT
>8.9. <A
-HREF="#AEN1601"
+HREF="#AEN1602"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
></DD
><DT
>9. <A
-HREF="#WINBIND"
->Unified Logons between Windows NT and UNIX using Winbind</A
+HREF="#SAMBA-LDAP-HOWTO"
+>Storing Samba's User/Machine Account information in an LDAP Directory</A
></DT
><DD
><DL
><DT
>9.1. <A
-HREF="#AEN1644"
->Abstract</A
+HREF="#AEN1638"
+>Purpose</A
></DT
><DT
>9.2. <A
-HREF="#AEN1648"
+HREF="#AEN1652"
>Introduction</A
></DT
><DT
>9.3. <A
-HREF="#AEN1661"
+HREF="#AEN1677"
+>Supported LDAP Servers</A
+></DT
+><DT
+>9.4. <A
+HREF="#AEN1682"
+>Schema and Relationship to the RFC 2307 posixAccount</A
+></DT
+><DT
+>9.5. <A
+HREF="#AEN1706"
+>smb.conf LDAP parameters</A
+></DT
+><DT
+>9.6. <A
+HREF="#AEN1734"
+>Security and sambaAccount</A
+></DT
+><DT
+>9.7. <A
+HREF="#AEN1753"
+></A
+></DT
+><DT
+>9.8. <A
+HREF="#AEN1773"
+>Example LDIF Entries for a sambaAccount</A
+></DT
+><DT
+>9.9. <A
+HREF="#AEN1781"
+>Comments</A
+></DT
+></DL
+></DD
+><DT
+>10. <A
+HREF="#WINBIND"
+>Unified Logons between Windows NT and UNIX using Winbind</A
+></DT
+><DD
+><DL
+><DT
+>10.1. <A
+HREF="#AEN1810"
+>Abstract</A
+></DT
+><DT
+>10.2. <A
+HREF="#AEN1814"
+>Introduction</A
+></DT
+><DT
+>10.3. <A
+HREF="#AEN1827"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
->9.3.1. <A
-HREF="#AEN1668"
+>10.3.1. <A
+HREF="#AEN1834"
>Target Uses</A
></DT
></DL
></DD
><DT
->9.4. <A
-HREF="#AEN1672"
+>10.4. <A
+HREF="#AEN1838"
>How Winbind Works</A
></DT
><DD
><DL
><DT
->9.4.1. <A
-HREF="#AEN1677"
+>10.4.1. <A
+HREF="#AEN1843"
>Microsoft Remote Procedure Calls</A
></DT
><DT
->9.4.2. <A
-HREF="#AEN1681"
+>10.4.2. <A
+HREF="#AEN1847"
>Name Service Switch</A
></DT
><DT
->9.4.3. <A
-HREF="#AEN1697"
+>10.4.3. <A
+HREF="#AEN1863"
>Pluggable Authentication Modules</A
></DT
><DT
->9.4.4. <A
-HREF="#AEN1705"
+>10.4.4. <A
+HREF="#AEN1871"
>User and Group ID Allocation</A
></DT
><DT
->9.4.5. <A
-HREF="#AEN1709"
+>10.4.5. <A
+HREF="#AEN1875"
>Result Caching</A
></DT
></DL
></DD
><DT
->9.5. <A
-HREF="#AEN1712"
+>10.5. <A
+HREF="#AEN1878"
>Installation and Configuration</A
></DT
><DD
><DL
><DT
->9.5.1. <A
-HREF="#AEN1717"
+>10.5.1. <A
+HREF="#AEN1883"
>Introduction</A
></DT
><DT
->9.5.2. <A
-HREF="#AEN1730"
+>10.5.2. <A
+HREF="#AEN1896"
>Requirements</A
></DT
><DT
->9.5.3. <A
-HREF="#AEN1738"
+>10.5.3. <A
+HREF="#AEN1910"
>Testing Things Out</A
></DT
><DD
><DL
><DT
->9.5.3.1. <A
-HREF="#AEN1747"
+>10.5.3.1. <A
+HREF="#AEN1921"
>Configure and compile SAMBA</A
></DT
><DT
->9.5.3.2. <A
-HREF="#AEN1759"
->Configure nsswitch.conf and the winbind libraries</A
+>10.5.3.2. <A
+HREF="#AEN1940"
+>Configure <TT
+CLASS="FILENAME"
+>nsswitch.conf</TT
+> and the
+winbind libraries</A
></DT
><DT
->9.5.3.3. <A
-HREF="#AEN1778"
+>10.5.3.3. <A
+HREF="#AEN1965"
>Configure smb.conf</A
></DT
><DT
->9.5.3.4. <A
-HREF="#AEN1787"
+>10.5.3.4. <A
+HREF="#AEN1981"
>Join the SAMBA server to the PDC domain</A
></DT
><DT
->9.5.3.5. <A
-HREF="#AEN1797"
+>10.5.3.5. <A
+HREF="#AEN1992"
>Start up the winbindd daemon and test it!</A
></DT
><DT
->9.5.3.6. <A
-HREF="#AEN1824"
->Fix the /etc/rc.d/init.d/smb startup files</A
+>10.5.3.6. <A
+HREF="#AEN2028"
+>Fix the <TT
+CLASS="FILENAME"
+>/etc/rc.d/init.d/smb</TT
+> startup files</A
></DT
><DT
->9.5.3.7. <A
-HREF="#AEN1841"
+>10.5.3.7. <A
+HREF="#AEN2050"
>Configure Winbind and PAM</A
></DT
></DL
@@ -790,52 +856,52 @@ HREF="#AEN1841"
></DL
></DD
><DT
->9.6. <A
-HREF="#AEN1882"
+>10.6. <A
+HREF="#AEN2097"
>Limitations</A
></DT
><DT
->9.7. <A
-HREF="#AEN1892"
+>10.7. <A
+HREF="#AEN2107"
>Conclusion</A
></DT
></DL
></DD
><DT
->10. <A
+>11. <A
HREF="#OS2"
>OS2 Client HOWTO</A
></DT
><DD
><DL
><DT
->10.1. <A
-HREF="#AEN1906"
+>11.1. <A
+HREF="#AEN2121"
>FAQs</A
></DT
><DD
><DL
><DT
->10.1.1. <A
-HREF="#AEN1908"
+>11.1.1. <A
+HREF="#AEN2123"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
->10.1.2. <A
-HREF="#AEN1923"
+>11.1.2. <A
+HREF="#AEN2138"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
->10.1.3. <A
-HREF="#AEN1932"
+>11.1.3. <A
+HREF="#AEN2147"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
->10.1.4. <A
-HREF="#AEN1936"
+>11.1.4. <A
+HREF="#AEN2151"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -844,32 +910,32 @@ HREF="#AEN1936"
></DL
></DD
><DT
->11. <A
+>12. <A
HREF="#CVS-ACCESS"
>HOWTO Access Samba source code via CVS</A
></DT
><DD
><DL
><DT
->11.1. <A
-HREF="#AEN1952"
+>12.1. <A
+HREF="#AEN2167"
>Introduction</A
></DT
><DT
->11.2. <A
-HREF="#AEN1957"
+>12.2. <A
+HREF="#AEN2172"
>CVS Access to samba.org</A
></DT
><DD
><DL
><DT
->11.2.1. <A
-HREF="#AEN1960"
+>12.2.1. <A
+HREF="#AEN2175"
>Access via CVSweb</A
></DT
><DT
->11.2.2. <A
-HREF="#AEN1965"
+>12.2.2. <A
+HREF="#AEN2180"
>Access via cvs</A
></DT
></DL
@@ -878,7 +944,7 @@ HREF="#AEN1965"
></DD
><DT
><A
-HREF="#AEN1993"
+HREF="#AEN2208"
>Index</A
></DT
></DL
@@ -5565,32 +5631,33 @@ CLASS="NOTE"
><B
>Note: </B
><EM
->Author's Note :</EM
+>Author's Note:</EM
> This document is a combination
-of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.
+of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ".
Both documents are superseded by this one.</P
></BLOCKQUOTE
></DIV
><P
->Version of Samba prior to release 2.2 had marginal capabilities to
-act as a Windows NT 4.0 Primary DOmain Controller (PDC). Beginning with
-Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
-style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
-SP1) clients. This article outlines the steps necessary for configuring Samba
-as a PDC. It is necessary to have a working Samba server prior to implementing the
-PDC functionality. If you have not followed the steps outlined in
-<A
+>Versions of Samba prior to release 2.2 had marginal capabilities to act
+as a Windows NT 4.0 Primary Domain Controller
+
+(PDC). With Samba 2.2.0, we are proud to announce official support for
+Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows
+2000 clients. This article outlines the steps
+necessary for configuring Samba as a PDC. It is necessary to have a
+working Samba server prior to implementing the PDC functionality. If
+you have not followed the steps outlined in <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
> UNIX_INSTALL.html</A
->, please make sure
-that your server is configured correctly before proceeding. Another good
-resource in the <A
+>, please make sure
+that your server is configured correctly before proceeding. Another
+good resource in the <A
HREF="smb.conf.5.html"
TARGET="_top"
->smb.conf(5) man
+>smb.conf(5) man
page</A
->. The following functionality should work in 2.2:</P
+>. The following functionality should work in 2.2:</P
><P
></P
><UL
@@ -5617,36 +5684,10 @@ page</A
></LI
><LI
><P
-> Windows NT 4.0 style system policies
+> Windows NT 4.0-style system policies
</P
></LI
></UL
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-BORDER="1"
-WIDTH="100%"
-><TR
-><TD
-ALIGN="CENTER"
-><B
->Windows 2000 Service Pack 2 Clients</B
-></TD
-></TR
-><TR
-><TD
-ALIGN="LEFT"
-><P
-> Samba 2.2.1 is required for PDC functionality when using Windows 2000
- SP2 clients.
- </P
-></TD
-></TR
-></TABLE
-></DIV
><P
>The following pieces of functionality are not included in the 2.2 release:</P
><P
@@ -5678,7 +5719,7 @@ ALIGN="LEFT"
><P
>Please note that Windows 9x clients are not true members of a domain
for reasons outlined in this article. Therefore the protocol for
-support Windows 9x style domain logons is completely different
+support Windows 9x-style domain logons is completely different
from NT4 domain logons and has been officially supported for some
time.</P
><P
@@ -5711,7 +5752,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1140"
+NAME="AEN1137"
>8.3. Configuring the Samba Domain Controller</A
></H1
><P
@@ -5726,7 +5767,10 @@ man page</A
>. For convenience, the parameters have been
linked with the actual smb.conf description.</P
><P
->Here is an example smb.conf for acting as a PDC:</P
+>Here is an example <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> for acting as a PDC:</P
><P
><TABLE
BORDER="0"
@@ -5838,10 +5882,10 @@ TARGET="_top"
>path</A
> = /usr/local/samba/lib/netlogon
<A
-HREF="smb.conf.5.html#WRITEABLE"
+HREF="smb.conf.5.html#READONLY"
TARGET="_top"
->writeable</A
-> = no
+>read only</A
+> = yes
<A
HREF="smb.conf.5.html#WRITELIST"
TARGET="_top"
@@ -5861,10 +5905,10 @@ TARGET="_top"
>path</A
> = /export/smb/ntprofile
<A
-HREF="smb.conf.5.html#WRITEABLE"
+HREF="smb.conf.5.html#READONLY"
TARGET="_top"
->writeable</A
-> = yes
+>read only</A
+> = no
<A
HREF="smb.conf.5.html#CREATEMASK"
TARGET="_top"
@@ -5913,72 +5957,89 @@ CLASS="FILENAME"
></LI
></UL
><P
->As Samba 2.2 does not offer a complete implementation of group mapping between
-Windows NT groups and UNIX groups (this is really quite complicated to explain
-in a short space), you should refer to the <A
+>As Samba 2.2 does not offer a complete implementation of group mapping
+between Windows NT groups and Unix groups (this is really quite
+complicated to explain in a short space), you should refer to the
+<A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
->domain
-admin group</A
-> smb.conf parameter for information of creating "Domain Admins"
-style accounts.</P
+>domain admin
+group</A
+> smb.conf parameter for information of creating "Domain
+Admins" style accounts.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1182"
->8.4. Creating Machine Trust Accounts and Joining Clients
-to the Domain</A
+NAME="AEN1180"
+>8.4. Creating Machine Trust Accounts and Joining Clients to the
+Domain</A
></H1
><P
->A machine trust account is a samba user account owned by a computer.
-The account password acts as the shared secret for secure
-communication with the Domain Controller. This is a security feature
-to prevent an unauthorized machine with the same NetBIOS name from
-joining the domain and gaining access to domain user/group accounts.
-Hence a Windows 9x host is never a true member of a domain because it does
-not posses a machine trust account, and thus has no shared secret with the DC.</P
+>A machine trust account is a Samba account that is used to
+authenticate a client machine (rather than a user) to the Samba
+server. In Windows terminology, this is known as a "Computer
+Account."</P
+><P
+>The password of a machine trust account acts as the shared secret for
+secure communication with the Domain Controller. This is a security
+feature to prevent an unauthorized machine with the same NetBIOS name
+from joining the domain and gaining access to domain user/group
+accounts. Windows NT and 2000 clients use machine trust accounts, but
+Windows 9x clients do not. Hence, a Windows 9x client is never a true
+member of a domain because it does not possess a machine trust
+account, and thus has no shared secret with the domain controller.</P
+><P
+>A Windows PDC stores each machine trust account in the Windows
+Registry. A Samba PDC, however, stores each machine trust account
+in two parts, as follows:
+
+<P
+></P
+><UL
+><LI
><P
->On a Windows NT PDC, these machine trust account passwords are stored
-in the registry. A Samba PDC stores these accounts in the same location
-as user LanMan and NT password hashes (currently <TT
+>A Samba account, stored in the same location as user
+ LanMan and NT password hashes (currently
+ <TT
CLASS="FILENAME"
>smbpasswd</TT
->).
-However, machine trust accounts only possess and use the NT password hash.</P
+>). The Samba account
+ possesses and uses only the NT password hash.</P
+></LI
+><LI
><P
->Because Samba requires machine accounts to possess a UNIX uid from
-which an Windows NT SID can be generated, all of these accounts
-must have an entry in <TT
+>A corresponding Unix account, typically stored in
+ <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> and smbpasswd.
-Future releases will alleviate the need to create
-<TT
+>. (Future releases will alleviate the need to
+ create <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entries. </P
+> entries.) </P
+></LI
+></UL
+></P
><P
->There are two means of creating machine trust accounts.</P
+>There are two ways to create machine trust accounts:</P
><P
></P
><UL
><LI
><P
-> Manual creation before joining the client to the domain. In this case,
- the password is set to a known value -- the lower case of the
- machine's NetBIOS name.
- </P
+> Manual creation. Both the Samba and corresponding
+ Unix account are created by hand.</P
></LI
><LI
><P
-> Creation of the account at the time of joining the domain. In
- this case, the session key of the administrative account used to join
- the client to the domain acts as an encryption key for setting the
- password to a random value (This is the recommended method).
- </P
+> "On-the-fly" creation. The Samba machine trust
+ account is automatically created by Samba at the time the client
+ is joined to the domain. (For security, this is the
+ recommended method.) The corresponding Unix account may be
+ created automatically or manually. </P
></LI
></UL
><DIV
@@ -5986,22 +6047,28 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1196"
->8.4.1. Manually creating machine trust accounts</A
+NAME="AEN1199"
+>8.4.1. Manual Creation of Machine Trust Accounts</A
></H2
><P
->The first step in creating a machine trust account by hand is to
-create an entry for the machine in /etc/passwd. This can be done
-using <B
+>The first step in manually creating a machine trust account is to
+manually create the corresponding Unix account in
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>. This can be done using
+<B
CLASS="COMMAND"
>vipw</B
-> or any 'add userr' command which is normally
-used to create new UNIX accounts. The following is an example for a Linux
-based Samba server:</P
+> or other 'add user' command that is normally
+used to create new Unix accounts. The following is an example for a
+Linux based Samba server:</P
><P
-><TT
+> <TT
CLASS="PROMPT"
>root# </TT
+><B
+CLASS="COMMAND"
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
@@ -6013,28 +6080,32 @@ CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
->$ </P
+>$ </B
+></P
><P
><TT
CLASS="PROMPT"
>root# </TT
+><B
+CLASS="COMMAND"
>passwd -l <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
->$</P
+>$</B
+></P
><P
>The <TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry will list the machine name
-with a $ appended, won't have a passwd, will have a null shell and no
-home directory. For example a machine called 'doppy' would have an
+with a "$" appended, won't have a password, will have a null shell and no
+home directory. For example a machine named 'doppy' would have an
<TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entry like this :</P
+> entry like this:</P
><P
><TABLE
BORDER="0"
@@ -6060,20 +6131,22 @@ CLASS="REPLACEABLE"
><I
>machine_nickname</I
></TT
-> can be any descriptive name for the
-pc i.e. BasementComputer. The <TT
+> can be any
+descriptive name for the client, i.e., BasementComputer.
+<TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
-> absolutely must be
-the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS
-name of the pc or samba will not recognize this as a machine account</P
-><P
->Now that the UNIX account has been created, the next step is to create
-the smbpasswd entry for the machine containing the well known initial
-trust account password. This can be done using the <A
-HREF="smbpasswd.6.html"
+> absolutely must be the NetBIOS
+name of the client to be joined to the domain. The "$" must be
+appended to the NetBIOS name of the client or Samba will not recognize
+this as a machine trust account.</P
+><P
+>Now that the corresponding Unix account has been created, the next step is to create
+the Samba account for the client containing the well-known initial
+machine trust account password. This can be done using the <A
+HREF="smbpasswd.8.html"
TARGET="_top"
><B
CLASS="COMMAND"
@@ -6085,11 +6158,14 @@ as shown here:</P
><TT
CLASS="PROMPT"
>root# </TT
-> smbpasswd -a -m <TT
+><B
+CLASS="COMMAND"
+>smbpasswd -a -m <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
+></B
></P
><P
>where <TT
@@ -6098,7 +6174,8 @@ CLASS="REPLACEABLE"
>machine_name</I
></TT
> is the machine's NetBIOS
-name. </P
+name. The RID of the new machine account is generated from the UID of
+the corresponding Unix account.</P
><DIV
CLASS="WARNING"
><P
@@ -6119,9 +6196,9 @@ ALIGN="CENTER"
ALIGN="LEFT"
><P
> Manually creating a machine trust account using this method is the
- equivalent of creating a machine account on a Windows NT PDC using
+ equivalent of creating a machine trust account on a Windows NT PDC using
the "Server Manager". From the time at which the account is created
- to the time which th client joins the domain and changes the password,
+ to the time which the client joins the domain and changes the password,
your domain is vulnerable to an intruder joining your domain using a
a machine with the same NetBIOS name. A PDC inherently trusts
members of the domain and will serve out a large degree of user
@@ -6137,18 +6214,30 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1227"
->8.4.2. Creating machine trust accounts "on the fly"</A
+NAME="AEN1234"
+>8.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A
></H2
><P
->The second, and most recommended way of creating machine trust accounts
-is to create them as needed at the time the client is joined to
-the domain. You will need to include a value for the <A
+>The second (and recommended) way of creating machine trust accounts is
+simply to allow the Samba server to create them as needed when the client
+is joined to the domain. </P
+><P
+>Since each Samba machine trust account requires a corresponding
+Unix account, a method for automatically creating the
+Unix account is usually supplied; this requires configuration of the
+<A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
->
-parameter. Below is an example from a RedHat 6.2 Linux system.</P
+>
+option in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. This
+method is not required, however; corresponding Unix accounts may also
+be created manually.</P
+><P
+>Below is an example for a RedHat 6.2 Linux system.</P
><P
><TABLE
BORDER="0"
@@ -6158,26 +6247,72 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
+>[global]
+ # &#60;...remainder of parameters...&#62;
+ add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
></TD
></TR
></TABLE
></P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1243"
+>8.4.3. Joining the Client to the Domain</A
+></H2
><P
->In Samba 2.2.1, <EM
->only the root account</EM
-> can be used to create
-machine accounts like this. Therefore, it is required to create
-an entry in smbpasswd for <EM
->root</EM
->. The password
-<EM
->SHOULD</EM
-> be set to a different password that the
-associated <TT
+>The procedure for joining a client to the domain varies with the
+version of Windows.</P
+><P
+></P
+><UL
+><LI
+><P
+><EM
+>Windows 2000</EM
+></P
+><P
+> When the user elects to join the client to a domain, Windows prompts for
+ an account and password that is privileged to join the domain. A
+ Samba administrative account (i.e., a Samba account that has root
+ privileges on the Samba server) must be entered here; the
+ operation will fail if an ordinary user account is given.
+ The password for this account should be
+ set to a different password than the associated
+ <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entry for security reasons.</P
+> entry, for security
+ reasons. </P
+><P
+>The session key of the Samba administrative account acts as an
+ encryption key for setting the password of the machine trust
+ account. The machine trust account will be created on-the-fly, or
+ updated if it already exists.</P
+></LI
+><LI
+><P
+><EM
+>Windows NT</EM
+></P
+><P
+> If the machine trust account was created manually, on the
+ Identification Changes menu enter the domain name, but do not
+ check the box "Create a Computer Account in the Domain." In this case,
+ the existing machine trust account is used to join the machine to
+ the domain.</P
+><P
+> If the machine trust account is to be created
+ on-the-fly, on the Identification Changes menu enter the domain
+ name, and check the box "Create a Computer Account in the Domain." In
+ this case, joining the domain proceeds as above for Windows 2000
+ (i.e., you must supply a Samba administrative account when
+ prompted).</P
+></LI
+></UL
></DIV
></DIV
><DIV
@@ -6185,7 +6320,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1238"
+NAME="AEN1258"
>8.5. Common Problems and Errors</A
></H1
><P
@@ -6205,7 +6340,7 @@ CLASS="FILENAME"
>/etc/passwd</TT
>
of the machine name with a '$' appended. FreeBSD (and other BSD
- systems ?) won't create a user with a '$' in their name.
+ systems?) won't create a user with a '$' in their name.
</P
><P
> The problem is only in the program used to make the entry, once
@@ -6215,7 +6350,7 @@ CLASS="COMMAND"
>vipw</B
> to edit the entry, adding the '$'. Or create
the whole entry with vipw if you like, make sure you use a
- unique uid !
+ unique User ID !
</P
></LI
><LI
@@ -6223,11 +6358,11 @@ CLASS="COMMAND"
> <EM
>I get told "You already have a connection to the Domain...."
or "Cannot join domain, the credentials supplied conflict with an
- existing set.." when creating a machine account.</EM
+ existing set.." when creating a machine trust account.</EM
>
</P
><P
-> This happens if you try to create a machine account from the
+> This happens if you try to create a machine trust account from the
machine itself and already have a connection (e.g. mapped drive)
to a share (or IPC$) on the Samba PDC. The following command
will remove all network drive connections:
@@ -6279,17 +6414,17 @@ CLASS="COMMAND"
><LI
><P
> <EM
->The machine account for this computer either does not
+>The machine trust account for this computer either does not
exist or is not accessible.</EM
>
</P
><P
> When I try to join the domain I get the message "The machine account
- for this computer either does not exist or is not accessible". Whats
+ for this computer either does not exist or is not accessible". What's
wrong?
</P
><P
-> This problem is caused by the PDC not having a suitable machine account.
+> This problem is caused by the PDC not having a suitable machine trust account.
If you are using the <TT
CLASS="PARAMETER"
><I
@@ -6302,7 +6437,7 @@ CLASS="PARAMETER"
><P
> Alternatively if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
- correct for the machine account in smbpasswd file on the Samba PDC.
+ correct for the machine trust account in smbpasswd file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
@@ -6384,7 +6519,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1286"
+NAME="AEN1306"
>8.6. System Policies and Profiles</A
></H1
><P
@@ -6405,7 +6540,7 @@ Profiles and Policies in Windows NT 4.0</A
><LI
><P
> <EM
->What about Windows NT Policy Editor ?</EM
+>What about Windows NT Policy Editor?</EM
>
</P
><P
@@ -6464,7 +6599,7 @@ CLASS="COMMAND"
><LI
><P
> <EM
->Can Win95 do Policies ?</EM
+>Can Win95 do Policies?</EM
>
</P
><P
@@ -6495,7 +6630,7 @@ CLASS="FILENAME"
</P
><P
> Since I don't need to buy an NT Server CD now, how do I get
- the 'User Manager for Domains', the 'Server Manager' ?
+ the 'User Manager for Domains', the 'Server Manager'?
</P
><P
> Microsoft distributes a version of these tools called nexus for
@@ -6541,8 +6676,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1330"
->8.7. What other help can I get ?</A
+NAME="AEN1350"
+>8.7. What other help can I get?</A
></H1
><P
>There are many sources of information available in the form
@@ -6605,7 +6740,7 @@ HREF="http://www.tcpdump.org/"
TARGET="_top"
>http://www.tcpdup.org/</A
>.
- Ethereal, another good packet sniffer for UNIX and Win32
+ Ethereal, another good packet sniffer for Unix and Win32
hosts, can be downloaded from <A
HREF="http://www.ethereal.com/"
TARGET="_top"
@@ -6802,7 +6937,7 @@ TARGET="_top"
><LI
><P
> <EM
->How do I get help from the mailing lists ?</EM
+>How do I get help from the mailing lists?</EM
>
</P
><P
@@ -6894,14 +7029,14 @@ TARGET="_top"
>Please think carefully before attaching a document to an email.
Consider pasting the relevant parts into the body of the message. The samba
mailing lists go to a huge number of people, do they all need a copy of your
- smb.conf in their attach directory ?</P
+ smb.conf in their attach directory?</P
></LI
></UL
></LI
><LI
><P
> <EM
->How do I get off the mailing lists ?</EM
+>How do I get off the mailing lists?</EM
>
</P
><P
@@ -6937,7 +7072,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1444"
+NAME="AEN1464"
>8.8. Domain Control for Windows 9x/ME</A
></H1
><DIV
@@ -6949,8 +7084,10 @@ CLASS="NOTE"
>Note: </B
>The following section contains much of the original
DOMAIN.txt file previously included with Samba. Much of
-the material is based on what went into the book Special
-Edition, Using Samba. (Richard Sharpe)</P
+the material is based on what went into the book <EM
+>Special
+Edition, Using Samba</EM
+>, by Richard Sharpe.</P
></BLOCKQUOTE
></DIV
><P
@@ -6965,11 +7102,12 @@ other systems based on NT server support this, as does at least Samba TNG now).<
server in the domain should accept the same authentication information.
Network browsing functionality of domains and workgroups is
identical and is explained in BROWSING.txt. It should be noted, that browsing
-is total orthogonal to logon support.</P
+is totally orthogonal to logon support.</P
><P
>Issues related to the single-logon network model are discussed in this
-document. Samba supports domain logons, network logon scripts, and user
-profiles for MS Windows for workgroups and MS Windows 9X clients.</P
+section. Samba supports domain logons, network logon scripts, and user
+profiles for MS Windows for workgroups and MS Windows 9X/ME clients
+which will be the focus of this section.</P
><P
>When an SMB client in a domain wishes to logon it broadcast requests for a
logon server. The first one to reply gets the job, and validates its
@@ -6980,37 +7118,12 @@ servers advertising themselves as participating in a domain. This
demonstrates how authentication is quite different from but closely
involved with domains.</P
><P
->Another thing commonly associated with single-logon domains is remote
-administration over the SMB protocol. Again, there is no reason why this
-cannot be implemented with an underlying username database which is
-different from the Windows NT SAM. Support for the Remote Administration
-Protocol is planned for a future release of Samba.</P
-><P
->Network logon support as discussed in this section is aimed at Window for
-Workgroups, and Windows 9X clients. </P
-><P
->Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51.
-It is possible to specify: the profile location; script file to be loaded
-on login; the user's home directory; and for NT a kick-off time could also
-now easily be supported. However, there are some differences between Win9X
-profile support and WinNT profile support. These are discussed below.</P
-><P
->With NT Workstations, all this does not require the use or intervention of
-an NT 4.0 or NT 3.51 server: Samba can now replace the logon services
-provided by an NT server, to a limited and experimental degree (for example,
-running "User Manager for Domains" will not provide you with access to
-a domain created by a Samba Server).</P
-><P
->With Win95, the help of an NT server can be enlisted, both for profile storage
-and for user authentication. For details on user authentication, see
-security_level.txt. For details on profile storage, see below.</P
-><P
>Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.</P
><P
->Before launching into the configuration instructions, it is worthwhile looking
-at how a Win9X client performs a logon:</P
+>Before launching into the configuration instructions, it is
+worthwhile lookingat how a Windows 9x/ME client performs a logon:</P
><P
></P
><OL
@@ -7018,7 +7131,7 @@ TYPE="1"
><LI
><P
> The client broadcasts (to the IP broadcast address of the subnet it is in)
- a NetLogon request. This is sent to the NetBIOS address DOMAIN&#60;00&#62; at the
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN&#60;1c&#62; at the
NetBIOS layer. The client chooses the first response it receives, which
contains the NetBIOS name of the logon server to use in the format of
\\SERVER.
@@ -7073,122 +7186,27 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1474"
+NAME="AEN1490"
>8.8.1. Configuration Instructions: Network Logons</A
></H2
><P
->To use domain logons and profiles you need to do the following:</P
+>The main difference between a PDC and a Windows 9x logon
+server configuration is that</P
><P
></P
-><OL
-TYPE="1"
-><LI
-><P
-> Create a share called [netlogon] in your smb.conf. This share should
- be readable by all users, and probably should not be writeable. This
- share will hold your network logon scripts, and the CONFIG.POL file
- (Note: for details on the CONFIG.POL file, how to use it, what it is,
- refer to the Microsoft Windows NT Administration documentation.
- The format of these files is not known, so you will need to use
- Microsoft tools).
- </P
-><P
-> For example I have used:
- </P
-><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->[netlogon]
- path = /data/dos/netlogon
- writeable = no
- guest ok = no</PRE
-></TD
-></TR
-></TABLE
-></P
-><P
-> Note that it is important that this share is not writeable by ordinary
- users, in a secure environment: ordinary users should not be allowed
- to modify or add files that another user's computer would then download
- when they log in.
- </P
-></LI
-><LI
-><P
-> in the [global] section of smb.conf set the following:
- </P
-><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->domain logons = yes
-logon script = %U.bat
- </PRE
-></TD
-></TR
-></TABLE
-></P
-><P
-> The choice of batch file is, of course, up to you. The above would
- give each user a separate batch file as the %U will be changed to
- their username automatically. The other standard % macros may also be
- used. You can make the batch files come from a subdirectory by using
- something like:
- </P
-><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->logon script = scripts\%U.bat
- </PRE
-></TD
-></TR
-></TABLE
-></P
-></LI
+><UL
><LI
><P
-> create the batch files to be run when the user logs in. If the batch
- file doesn't exist then no batch file will be run.
- </P
-><P
-> In the batch files you need to be careful to use DOS style cr/lf line
- endings. If you don't then DOS may get confused. I suggest you use a
- DOS editor to remotely edit the files if you don't know how to produce
- DOS style files under unix.
- </P
+>Password encryption is not required for a Windows 9x logon server.</P
></LI
><LI
><P
-> Use smbclient with the -U option for some users to make sure that
- the \\server\NETLOGON share is available, the batch files are
- visible and they are readable by the users.
- </P
+>Windows 9x/ME clients do not possess machine trust accounts.</P
></LI
-><LI
+></UL
><P
-> you will probably find that your clients automatically mount the
- \\SERVER\NETLOGON share as drive z: while logging in. You can put
- some useful programs there to execute from the batch files.
- </P
-></LI
-></OL
+>Therefore, a Samba PDC will also act as a Windows 9x logon
+server.</P
><DIV
CLASS="WARNING"
><P
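Review bot: The rewritten 8.8.1 text no longer tells the reader that the [netlogon] share must be read-only for ordinary users, which the old numbered list carried as an explicit caution (a writable share lets one user plant files that other users' machines download and execute at logon). The new side only lists how a Windows 9x logon server differs from a PDC and then states that a PDC also serves 9x logons, so the share-permission point is presumably expected to live in the PDC chapter; if so, a one-line cross-reference here would keep it discoverable. Otherwise a sentence such as `The [netlogon] share that holds logon scripts should not be writeable by ordinary users.` would restore it. The WARNING division opened at the end of this hunk continues outside it.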
@@ -7228,7 +7246,7 @@ CLASS="CONSTANT"
>
mode security is really just a variation on SMB user level security.</P
><P
->Actually, this issue is also closer tied to the debate on whether
+>Actually, this issue is also closely tied to the debate on whether
or not Samba must be the domain master browser for its workgroup
when operating as a DC. While it may technically be possible
to configure a server as such (after all, browsing and domain logons
@@ -7262,7 +7280,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1508"
+NAME="AEN1509"
>8.8.2. Configuration Instructions: Setting up Roaming User Profiles</A
></H2
><DIV
@@ -7309,11 +7327,11 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1516"
+NAME="AEN1517"
>8.8.2.1. Windows NT Configuration</A
></H3
><P
->To support WinNT clients, inn the [global] section of smb.conf set the
+>To support WinNT clients, in the [global] section of smb.conf set the
following (for example):</P
><P
><TABLE
@@ -7353,7 +7371,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1524"
+NAME="AEN1525"
>8.8.2.2. Windows 9X Configuration</A
></H3
><P
@@ -7393,7 +7411,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1532"
+NAME="AEN1533"
>8.8.2.3. Win9X and WinNT Configuration</A
></H3
><P
@@ -7431,7 +7449,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1539"
+NAME="AEN1540"
>8.8.2.4. Windows 9X Profile Setup</A
></H3
><P
@@ -7503,7 +7521,7 @@ the newest folders and short-cuts from each set.</P
>If you have made the folders / files read-only on the samba server,
then you will get errors from the w95 machine on logon and logout, as
it attempts to merge the local and the remote profile. Basically, if
-you have any errors reported by the w95 machine, check the unix file
+you have any errors reported by the w95 machine, check the Unix file
permissions and ownership rights on the profile directory contents,
on the samba server.</P
><P
@@ -7587,7 +7605,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1575"
+NAME="AEN1576"
>8.8.2.5. Windows NT Workstation 4.0</A
></H3
><P
@@ -7669,7 +7687,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1588"
+NAME="AEN1589"
>8.8.2.6. Windows NT Server</A
></H3
><P
@@ -7683,7 +7701,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1591"
+NAME="AEN1592"
>8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
@@ -7748,7 +7766,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1601"
+NAME="AEN1602"
>8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
@@ -7869,16 +7887,697 @@ within its registry.</P
CLASS="CHAPTER"
><HR><H1
><A
+NAME="SAMBA-LDAP-HOWTO"
+>Chapter 9. Storing Samba's User/Machine Account information in an LDAP Directory</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1638"
+>9.1. Purpose</A
+></H1
+><P
+>This document describes how to use an LDAP directory for storing Samba user
+account information normally stored in the smbpasswd(5) file. It is
+assumed that the reader already has a basic understanding of LDAP concepts
+and has a working directory server already installed. For more information
+on LDAP architectures and Directories, please refer to the following sites.</P
+><P
+></P
+><UL
+><LI
+><P
+>OpenLDAP - <A
+HREF="http://www.openldap.org/"
+TARGET="_top"
+>http://www.openldap.org/</A
+></P
+></LI
+><LI
+><P
+>iPlanet Directory Server - <A
+HREF="http://iplanet.netscape.com/directory"
+TARGET="_top"
+>http://iplanet.netscape.com/directory</A
+></P
+></LI
+></UL
+><P
+>Note that <A
+HREF="http://www.ora.com/"
+TARGET="_top"
+>O'Reilly Publishing</A
+> is working on
+a guide to LDAP for System Administrators which has a planned release date of
+early summer, 2002.</P
+><P
+>It may also be helpful to supplement the reading of the HOWTO with
+the <A
+HREF="http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html"
+TARGET="_top"
+>Samba-PDC-LDAP-HOWTO</A
+>
+maintained by Ignacio Coupeau.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1652"
+>9.2. Introduction</A
+></H1
+><P
+>Traditionally, when configuring <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+>"encrypt
+passwords = yes"</A
+> in Samba's <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file, user account
+information such as username, LM/NT password hashes, password change times, and account
+flags have been stored in the <TT
+CLASS="FILENAME"
+>smbpasswd(5)</TT
+> file. There are several
+disadvantages to this approach for sites with very large numbers of users (counted
+in the thousands).</P
+><P
+>The first is that all lookups must be performed sequentially. Given that
+there are approximately two lookups per domain logon (one for a normal
+session connection such as when mapping a network drive or printer), this
+is non-optimal. What is needed is an indexed approach such as is used in
+databases.</P
+><P
+>The second problem is that administrators who desired to replicate a
+smbpasswd file to more than one Samba server were left to use external
+tools such as <B
+CLASS="COMMAND"
+>rsync(1)</B
+> and <B
+CLASS="COMMAND"
+>ssh(1)</B
+>
+and wrote custom, in-house scripts.</P
+><P
+>And finally, the amount of information which is stored in an
+smbpasswd entry leaves no room for additional attributes such as
+a home directory, password expiration time, or even a Relative
+Identified (RID).</P
+><P
+>As a result of these defeciencies, a more robust means of storing user attributes
+used by smbd was developed. The API which defines access to user accounts
+is referred to as the samdb interface (previously this was called the passdb
+API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support
+for a samdb backend (e.g. <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+> or
+<TT
+CLASS="PARAMETER"
+><I
+>--with-tdbsam</I
+></TT
+>) requires compile time support.</P
+><P
+>When compiling Samba to include the <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+> autoconf
+option, smbd (and associated tools) will store and lookup user accounts in
+an LDAP directory. In reality, this is very easy to understand. If you are
+comfortable with using an smbpasswd file, simply replace "smbpasswd" with
+"LDAP directory" in all the documentation.</P
+><P
+>There are a few points to stress about what the <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+>
+does not provide. The LDAP support referred to in the this documentation does not
+include:</P
+><P
+></P
+><UL
+><LI
+><P
+>A means of retrieving user account information from
+ an Windows 2000 Active Directory server.</P
+></LI
+><LI
+><P
+>A means of replacing /etc/passwd.</P
+></LI
+></UL
+><P
+>The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
+versions of these libraries can be obtained from PADL Software
+(<A
+HREF="http://www.padl.com/"
+TARGET="_top"
+>http://www.padl.com/</A
+>). However,
+the details of configuring these packages are beyond the scope of this document.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1677"
+>9.3. Supported LDAP Servers</A
+></H1
+><P
+>The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP
+2.0 server and client libraries. The same code should be able to work with
+Netscape's Directory Server and client SDK. However, due to lack of testing
+so far, there are bound to be compile errors and bugs. These should not be
+hard to fix. If you are so inclined, please be sure to forward all patches to
+<A
+HREF="samba-patches@samba.org"
+TARGET="_top"
+>samba-patches@samba.org</A
+> and
+<A
+HREF="jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+>.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1682"
+>9.4. Schema and Relationship to the RFC 2307 posixAccount</A
+></H1
+><P
+>Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in
+<TT
+CLASS="FILENAME"
+>examples/LDAP/samba.schema</TT
+>. (Note that this schema
+file has been modified since the experimental support initially included
+in 2.2.2). The sambaAccount objectclass is given here:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+ DESC 'Samba Account'
+ MUST ( uid $ rid )
+ MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+ description $ userWorkstations $ primaryGroupID ))</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
+owned by the Samba Team and as such is legal to be openly published.
+If you translate the schema to be used with Netscape DS, please
+submit the modified schema file as a patch to <A
+HREF="jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+></P
+><P
+>Just as the smbpasswd file is mean to store information which supplements a
+user's <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry, so is the sambaAccount object
+meant to supplement the UNIX user account information. A sambaAccount is a
+<TT
+CLASS="CONSTANT"
+>STRUCTURAL</TT
+> objectclass so it can be stored individually
+in the directory. However, there are several fields (e.g. uid) which overlap
+with the posixAccount objectclass outlined in RFC2307. This is by design.</P
+><P
+>In order to store all user account information (UNIX and Samba) in the directory,
+it is necessary to use the sambaAccount and posixAccount objectclasses in
+combination. However, smbd will still obtain the user's UNIX account
+information via the standard C library calls (e.g. getpwnam(), et. al.).
+This means that the Samba server must also have the LDAP NSS library installed
+and functioning correctly. This division of information makes it possible to
+store all Samba account information in LDAP, but still maintain UNIX account
+information in NIS while the network is transitioning to a full LDAP infrastructure.</P
+><P
+>To include support for the sambaAccount object in an OpenLDAP directory
+server, first copy the samba.schema file to slapd's configuration directory.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><B
+CLASS="COMMAND"
+>cp samba.schema /etc/openldap/schema/</B
+></P
+><P
+>Next, include the <TT
+CLASS="FILENAME"
+>samba.schema</TT
+> file in <TT
+CLASS="FILENAME"
+>slapd.conf</TT
+>.
+The sambaAccount object contains two attributes which depend upon other schema
+files. The 'uid' attribute is defined in <TT
+CLASS="FILENAME"
+>cosine.schema</TT
+> and
+the 'displayName' attribute is defined in the <TT
+CLASS="FILENAME"
+>inetorgperson.schema</TT
+>
+file. Bother of these must be included before the <TT
+CLASS="FILENAME"
+>samba.schema</TT
+> file.</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>## /etc/openldap/slapd.conf
+
+## schema files (core.schema is required by default)
+include /etc/openldap/schema/core.schema
+
+## needed for sambaAccount
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/samba.schema
+
+## uncomment this line if you want to support the RFC2307 (NIS) schema
+## include /etc/openldap/schema/nis.schema
+
+....</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1706"
+>9.5. smb.conf LDAP parameters</A
+></H1
+><P
+>The following parameters are available in smb.conf only with <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+>
+was included with compiling Samba.</P
+><P
+></P
+><UL
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPSSL"
+TARGET="_top"
+>ldap ssl</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPSERVER"
+TARGET="_top"
+>ldap server</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPADMINDN"
+TARGET="_top"
+>ldap admin dn</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPSUFFIX"
+TARGET="_top"
+>ldap suffix</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPFILTER"
+TARGET="_top"
+>ldap filter</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPPORT"
+TARGET="_top"
+>ldap port</A
+></P
+></LI
+></UL
+><P
+>These are described in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5)</A
+> man
+page and so will not be repeated here. However, a sample smb.conf file for
+use with an LDAP directory could appear as</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>## /usr/local/samba/lib/smb.conf
+[global]
+ security = user
+ encrypt passwords = yes
+
+ netbios name = TASHTEGO
+ workgroup = NARNIA
+
+ # ldap related parameters
+
+ # define the DN to use when binding to the directory servers
+ # The password for this DN is not stored in smb.conf. Rather it
+ # must be set by using 'smbpasswd -w <TT
+CLASS="REPLACEABLE"
+><I
+>secretpw</I
+></TT
+>' to store the
+ # passphrase in the secrets.tdb file. If the "ldap admin dn" values
+ # changes, this password will need to be reset.
+ ldap admin dn = "cn=Manager,dc=samba,dc=org"
+
+ # specify the LDAP server's hostname (defaults to locahost)
+ ldap server = ahab.samba.org
+
+ # Define the SSL option when connecting to the directory
+ # ('off', 'start tls', or 'on' (default))
+ ldap ssl = start tls
+
+ # define the port to use in the LDAP session (defaults to 636 when
+ # "ldap ssl = on")
+ ldap port = 389
+
+ # specify the base DN to use when searching the directory
+ ldap suffix = "ou=people,dc=samba,dc=org"
+
+ # generally the default ldap search filter is ok
+ # ldap filter = "(&#38;(uid=%u)(objectclass=sambaAccount))"</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1734"
+>9.6. Security and sambaAccount</A
+></H1
+><P
+>There are two important points to remember when discussing the security
+of sambaAccount entries in the directory.</P
+><P
+></P
+><UL
+><LI
+><P
+><EM
+>Never</EM
+> retrieve the lmPassword or
+ ntPassword attribute values over an unencrypted LDAP session.</P
+></LI
+><LI
+><P
+><EM
+>Never</EM
+> allow non-admin users to
+ view the lmPassword or ntPassword attribute values.</P
+></LI
+></UL
+><P
+>These password hashes are clear text equivalents and can be used to impersonate
+the user without deriving the original clear text strings.</P
+><P
+>To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
+to require an encrypted session (<B
+CLASS="COMMAND"
+>ldap ssl = on</B
+>) using
+the default port of 636
+when contacting the directory server. When using an OpenLDAP 2.0 server, it
+is possible to use the use the StartTLS LDAP extended operation in the place of
+LDAPS. In either case, you are strongly discouraged to disable this security
+(<B
+CLASS="COMMAND"
+>ldap ssl = off</B
+>).</P
+><P
+>The second security precaution is to prevent non-administrative users from
+harvesting password hashes from the directory. This can be done using the
+following ACL in <TT
+CLASS="FILENAME"
+>slapd.conf</TT
+>:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>## allow users to update their own password, but not to browse others
+access to attrs=userPassword,lmPassword,ntPassword
+ by self write
+ by * auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>You may of course, add in write access to administrative DN's as necessary.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1753"
+>9.7. </A
+></H1
+><P
+>There are currently four sambaAccount attributes which map directly onto
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> parameters.</P
+><P
+></P
+><UL
+><LI
+><P
+>smbHome -&#62; "logon home"</P
+></LI
+><LI
+><P
+>profilePath -&#62; "logon path"</P
+></LI
+><LI
+><P
+>homeDrive -&#62; "logon drive"</P
+></LI
+><LI
+><P
+>scriptPath -&#62; "logon script"</P
+></LI
+></UL
+><P
+>First of all, these parameters are only used when Samba is acting as a
+PDC or a domain (refer to the <A
+HREF="Samba-PDC-HOWTO.html"
+TARGET="_top"
+>Samba-PDC-HOWTO</A
+>
+for details on how to configure Samba as a Primary Domain Controller).
+Furthermore, these attributes are only stored with the sambaAccount entry if
+the values are non-default values. For example, assume TASHTEGO has now been
+configured as a PDC and that <B
+CLASS="COMMAND"
+>logon home = \\%L\%u</B
+> was defined in
+its <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file. When a user named "becky" logons to the domain,
+the <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+> string is expanded to \\TASHTEGO\becky.</P
+><P
+>If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
+this value is used. However, if this attribute does not exist, then the value
+of the <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+> parameter is used in its place. Samba
+will only write the attribute value to the directory entry is the value is
+something other than the default (e.g. \\MOBY\becky).</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1773"
+>9.8. Example LDIF Entries for a sambaAccount</A
+></H1
+><P
+>The following is a working LDIF with the inclusion of the posixAccount objectclass:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>dn: uid=guest2, ou=people,dc=plainjoe,dc=org
+ntPassword: 878D8014606CDA29677A44EFA1353FC7
+pwdMustChange: 2147483647
+primaryGroupID: 1201
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+pwdLastSet: 1010179124
+logonTime: 0
+objectClass: sambaAccount
+uid: guest2
+kickoffTime: 2147483647
+acctFlags: [UX ]
+logoffTime: 2147483647
+rid: 19006
+pwdCanChange: 0</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The following is an LDIF entry for using both the sambaAccount and
+posixAccount objectclasses:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
+logonTime: 0
+displayName: Gerald Carter
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+primaryGroupID: 1201
+objectClass: posixAccount
+objectClass: sambaAccount
+acctFlags: [UX ]
+userPassword: {crypt}BpM2ej8Rkzogo
+uid: gcarter
+uidNumber: 9000
+cn: Gerald Carter
+loginShell: /bin/bash
+logoffTime: 2147483647
+gidNumber: 100
+kickoffTime: 2147483647
+pwdLastSet: 1010179230
+rid: 19000
+homeDirectory: /home/tashtego/gcarter
+pwdCanChange: 0
+pwdMustChange: 2147483647
+ntPassword: 878D8014606CDA29677A44EFA1353FC7</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1781"
+>9.9. Comments</A
+></H1
+><P
+>Please mail all comments regarding this HOWTO to <A
+HREF="mailto:jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+>. This documents was
+last updated to reflect the Samba 2.2.3 release.&#13;</P
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
NAME="WINBIND"
->Chapter 9. Unified Logons between Windows NT and UNIX using Winbind</A
+>Chapter 10. Unified Logons between Windows NT and UNIX using Winbind</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1644"
->9.1. Abstract</A
+NAME="AEN1810"
+>10.1. Abstract</A
></H1
><P
>Integration of UNIX and Microsoft Windows NT through
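Review bot: The e-mail links in the new chapter at `HREF="samba-patches@samba.org"` and the two `HREF="jerry@samba.org"` occurrences (sections 9.3 and 9.4) lack the `mailto:` scheme, so browsers will resolve them as relative page URLs; the Comments section later in the same hunk uses `HREF="mailto:jerry@samba.org"` correctly and the others should match. The heading for section 9.7 is empty (`>9.7. </A`) and needs a title, e.g. "sambaAccount attributes and smb.conf parameters", which is what the section describes. In the slapd.conf ACL of section 9.6, it is worth adding a comment that slapd evaluates `access to` directives in order and applies the first match, so this rule must appear before any broader `access to *` rule or the hash attributes stay readable; something like `## this rule must precede any "access to *" directive (first match wins)` above the `access to attrs=...` line would prevent a silently ineffective ACL.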
@@ -7900,8 +8599,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1648"
->9.2. Introduction</A
+NAME="AEN1814"
+>10.2. Introduction</A
></H1
><P
>It is well known that UNIX and Microsoft Windows NT have
@@ -7954,8 +8653,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1661"
->9.3. What Winbind Provides</A
+NAME="AEN1827"
+>10.3. What Winbind Provides</A
></H1
><P
>Winbind unifies UNIX and Windows NT account management by
@@ -7996,8 +8695,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1668"
->9.3.1. Target Uses</A
+NAME="AEN1834"
+>10.3.1. Target Uses</A
></H2
><P
>Winbind is targeted at organizations that have an
@@ -8020,8 +8719,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1672"
->9.4. How Winbind Works</A
+NAME="AEN1838"
+>10.4. How Winbind Works</A
></H1
><P
>The winbind system is designed around a client/server
@@ -8040,8 +8739,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1677"
->9.4.1. Microsoft Remote Procedure Calls</A
+NAME="AEN1843"
+>10.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
>Over the last two years, efforts have been underway
@@ -8066,8 +8765,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1681"
->9.4.2. Name Service Switch</A
+NAME="AEN1847"
+>10.4.2. Name Service Switch</A
></H2
><P
>The Name Service Switch, or NSS, is a feature that is
@@ -8146,8 +8845,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1697"
->9.4.3. Pluggable Authentication Modules</A
+NAME="AEN1863"
+>10.4.3. Pluggable Authentication Modules</A
></H2
><P
>Pluggable Authentication Modules, also known as PAM,
@@ -8195,8 +8894,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1705"
->9.4.4. User and Group ID Allocation</A
+NAME="AEN1871"
+>10.4.4. User and Group ID Allocation</A
></H2
><P
>When a user or group is created under Windows NT
@@ -8221,8 +8920,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1709"
->9.4.5. Result Caching</A
+NAME="AEN1875"
+>10.4.5. Result Caching</A
></H2
><P
>An active system can generate a lot of user and group
@@ -8244,8 +8943,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1712"
->9.5. Installation and Configuration</A
+NAME="AEN1878"
+>10.5. Installation and Configuration</A
></H1
><P
>Many thanks to John Trostel <A
@@ -8263,8 +8962,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1717"
->9.5.1. Introduction</A
+NAME="AEN1883"
+>10.5.1. Introduction</A
></H2
><P
>This HOWTO describes the procedures used to get winbind up and
@@ -8314,17 +9013,24 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1730"
->9.5.2. Requirements</A
+NAME="AEN1896"
+>10.5.2. Requirements</A
></H2
><P
>If you have a samba configuration file that you are currently
-using... BACK IT UP! If your system already uses PAM, BACK UP
-THE <TT
+using... <EM
+>BACK IT UP!</EM
+> If your system already uses PAM,
+<EM
+>back up the <TT
CLASS="FILENAME"
>/etc/pam.d</TT
-> directory contents! If you
-haven't already made a boot disk, MAKE ON NOW!</P
+> directory
+contents!</EM
+> If you haven't already made a boot disk,
+<EM
+>MAKE ONE NOW!</EM
+></P
><P
>Messing with the pam configuration files can make it nearly impossible
to log in to yourmachine. That's why you want to be able to boot back
@@ -8335,10 +9041,15 @@ CLASS="FILENAME"
> back to the original state they were in if
you get frustrated with the way things are going. ;-)</P
><P
->The newest version of SAMBA (version 2.2.2), available from
-cvs.samba.org, now include a functioning winbindd daemon. Please refer
-to the main SAMBA web page or, better yet, your closest SAMBA mirror
-site for instructions on downloading the source code.</P
+>The latest version of SAMBA (version 2.2.2 as of this writing), now
+includes a functioning winbindd daemon. Please refer to the
+<A
+HREF="http://samba.org/"
+TARGET="_top"
+>main SAMBA web page</A
+> or,
+better yet, your closest SAMBA mirror site for instructions on
+downloading the source code.</P
><P
>To allow Domain users the ability to access SAMBA shares and
files, as well as potentially other services provided by your
@@ -8346,16 +9057,22 @@ SAMBA machine, PAM (pluggable authentication modules) must
be setup properly on your machine. In order to compile the
winbind modules, you should have at least the pam libraries resident
on your system. For recent RedHat systems (7.1, for instance), that
-means 'pam-0.74-22'. For best results, it is helpful to also
-install the development packages in 'pam-devel-0.74-22'.</P
+means <TT
+CLASS="FILENAME"
+>pam-0.74-22</TT
+>. For best results, it is helpful to also
+install the development packages in <TT
+CLASS="FILENAME"
+>pam-devel-0.74-22</TT
+>.</P
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1738"
->9.5.3. Testing Things Out</A
+NAME="AEN1910"
+>10.5.3. Testing Things Out</A
></H2
><P
>Before starting, it is probably best to kill off all the SAMBA
@@ -8385,19 +9102,26 @@ CLASS="FILENAME"
>/usr/man</TT
> entries for pam. Winbind built better
in SAMBA if the pam-devel package was also installed. This package includes
-the header files needed to compile pam-aware applications. For instance, my RedHat
-system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P
+the header files needed to compile pam-aware applications. For instance,
+my RedHat system has both <TT
+CLASS="FILENAME"
+>pam-0.74-22</TT
+> and
+<TT
+CLASS="FILENAME"
+>pam-devel-0.74-22</TT
+> RPMs installed.</P
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1747"
->9.5.3.1. Configure and compile SAMBA</A
+NAME="AEN1921"
+>10.5.3.1. Configure and compile SAMBA</A
></H3
><P
>The configuration and compilation of SAMBA is pretty straightforward.
-The first three steps maynot be necessary depending upon
+The first three steps may not be necessary depending upon
whether or not you have previously built the Samba binaries.</P
><P
><TABLE
@@ -8410,35 +9134,56 @@ WIDTH="100%"
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
->root# </TT
-> autoconf
+>root#</TT
+> <B
+CLASS="COMMAND"
+>autoconf</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make clean
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make clean</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> rm config.cache
+>root#</TT
+> <B
+CLASS="COMMAND"
+>rm config.cache</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> ./configure --with-winbind
+>root#</TT
+> <B
+CLASS="COMMAND"
+>./configure --with-winbind</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make install</PRE
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make install</B
+></PRE
></TD
></TR
></TABLE
></P
><P
->This will, by default, install SAMBA in /usr/local/samba. See the
-main SAMBA documentation if you want to install SAMBA somewhere else.
+>This will, by default, install SAMBA in <TT
+CLASS="FILENAME"
+>/usr/local/samba</TT
+>.
+See the main SAMBA documentation if you want to install SAMBA somewhere else.
It will also build the winbindd executable and libraries. </P
></DIV
><DIV
@@ -8446,24 +9191,37 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1759"
->9.5.3.2. Configure nsswitch.conf and the winbind libraries</A
+NAME="AEN1940"
+>10.5.3.2. Configure <TT
+CLASS="FILENAME"
+>nsswitch.conf</TT
+> and the
+winbind libraries</A
></H3
><P
->The libraries needed to run the winbind daemon through nsswitch
-need to be copied to their proper locations, so</P
+>The libraries needed to run the <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon
+through nsswitch need to be copied to their proper locations, so</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>cp ../samba/source/nsswitch/libnss_winbind.so /lib</B
+></P
><P
>I also found it necessary to make the following symbolic link:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B
+></P
><P
>Now, as root you need to edit <TT
CLASS="FILENAME"
@@ -8473,11 +9231,11 @@ allow user and group entries to be visible from the <B
CLASS="COMMAND"
>winbindd</B
>
-daemon, as well as from your /etc/hosts files and NIS servers. My
-<TT
+daemon. My <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
-> file look like this after editing:</P
+> file look like
+this after editing:</P
><P
><TABLE
BORDER="0"
@@ -8488,7 +9246,7 @@ WIDTH="100%"
><PRE
CLASS="PROGRAMLISTING"
> passwd: files winbind
- shadow: files winbind
+ shadow: files
group: files winbind</PRE
></TD
></TR
@@ -8497,13 +9255,20 @@ CLASS="PROGRAMLISTING"
><P
>
The libraries needed by the winbind daemon will be automatically
-entered into the ldconfig cache the next time your system reboots, but it
+entered into the <B
+CLASS="COMMAND"
+>ldconfig</B
+> cache the next time
+your system reboots, but it
is faster (and you don't need to reboot) if you do it manually:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> /sbin/ldconfig -v | grep winbind</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/sbin/ldconfig -v | grep winbind</B
+></P
><P
>This makes <TT
CLASS="FILENAME"
@@ -8516,8 +9281,8 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1778"
->9.5.3.3. Configure smb.conf</A
+NAME="AEN1965"
+>10.5.3.3. Configure smb.conf</A
></H3
><P
>Several parameters are needed in the smb.conf file to control
@@ -8551,16 +9316,45 @@ CLASS="PROGRAMLISTING"
>[global]
&#60;...&#62;
# separate domain and username with '+', like DOMAIN+username
- winbind separator = +
+ <A
+HREF="winbindd.8.html#WINBINDSEPARATOR"
+TARGET="_top"
+>winbind separator</A
+> = +
# use uids from 10000 to 20000 for domain users
- winbind uid = 10000-20000
+ <A
+HREF="winbindd.8.html#WINBINDUID"
+TARGET="_top"
+>winbind uid</A
+> = 10000-20000
# use gids from 10000 to 20000 for domain groups
- winbind gid = 10000-20000
+ <A
+HREF="winbindd.8.html#WINBINDGID"
+TARGET="_top"
+>winbind gid</A
+> = 10000-20000
# allow enumeration of winbind users and groups
- winbind enum users = yes
- winbind enum groups = yes
+ <A
+HREF="winbindd.8.html#WINBINDENUMUSERS"
+TARGET="_top"
+>winbind enum users</A
+> = yes
+ <A
+HREF="winbindd.8.html#WINBINDENUMGROUP"
+TARGET="_top"
+>winbind enum groups</A
+> = yes
# give winbind users a real shell (only needed if they have telnet access)
- template shell = /bin/bash</PRE
+ <A
+HREF="winbindd.8.html#TEMPLATEHOMEDIR"
+TARGET="_top"
+>template homedir</A
+> = /home/winnt/%D/%U
+ <A
+HREF="winbindd.8.html#TEMPLATESHELL"
+TARGET="_top"
+>template shell</A
+> = /bin/bash</PRE
></TD
></TR
></TABLE
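Review bot: The anchor `winbindd.8.html#WINBINDENUMGROUP` on the `winbind enum groups` link is singular while every sibling anchor in this listing is spelled after the full parameter name (`WINBINDENUMUSERS`, `WINBINDSEPARATOR`); confirm the target in winbindd.8.html is not `WINBINDENUMGROUPS`, otherwise the link lands at the top of the page. The new `template homedir = /home/winnt/%D/%U` line is inserted between the comment `# give winbind users a real shell (only needed if they have telnet access)` and the `template shell` line it describes, so the comment now reads as if it covered the home directory too; give the new line its own comment, e.g. `# home directories for domain users, one tree per domain`. The `<PRE>` opening this listing is outside the hunk.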
@@ -8571,8 +9365,8 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1787"
->9.5.3.4. Join the SAMBA server to the PDC domain</A
+NAME="AEN1981"
+>10.5.3.4. Join the SAMBA server to the PDC domain</A
></H3
><P
>Enter the following command to make the SAMBA server join the
@@ -8592,8 +9386,11 @@ a domain user who has administrative privileges in the domain.</P
><P
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</B
+></P
><P
>The proper response to the command should be: "Joined the domain
<TT
@@ -8614,8 +9411,8 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1797"
->9.5.3.5. Start up the winbindd daemon and test it!</A
+NAME="AEN1992"
+>10.5.3.5. Start up the winbindd daemon and test it!</A
></H3
><P
>Eventually, you will want to modify your smb startup script to
@@ -8626,25 +9423,37 @@ command as root:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/winbindd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/winbindd</B
+></P
><P
>I'm always paranoid and like to make sure the daemon
is really running...</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> ps -ae | grep winbindd
-3025 ? 00:00:00 winbindd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>ps -ae | grep winbindd</B
+></P
+><P
+>This command should produce output like this, if the daemon is running</P
+><P
+>3025 ? 00:00:00 winbindd</P
><P
>Now... for the real test, try to get some information about the
users on your PDC</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> # /usr/local/samba/bin/wbinfo -u</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/wbinfo -u</B
+></P
><P
>
This should echo back a list of users on your Windows users on
@@ -8669,7 +9478,13 @@ CEO+TsInternetUser</PRE
></TABLE
></P
><P
->Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P
+>Obviously, I have named my domain 'CEO' and my <TT
+CLASS="PARAMETER"
+><I
+>winbindd
+separator</I
+></TT
+> is '+'.</P
><P
>You can do the same sort of thing to get group information from
the PDC:</P
@@ -8684,8 +9499,11 @@ WIDTH="100%"
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/wbinfo -g
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/wbinfo -g</B
+>
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
@@ -8706,8 +9524,11 @@ Try the following command:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> getent passwd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>getent passwd</B
+></P
><P
>You should get a list that looks like your <TT
CLASS="FILENAME"
@@ -8720,16 +9541,22 @@ directories and default shells.</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> getent group</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>getent group</B
+></P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1824"
->9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files</A
+NAME="AEN2028"
+>10.5.3.6. Fix the <TT
+CLASS="FILENAME"
+>/etc/rc.d/init.d/smb</TT
+> startup files</A
></H3
><P
>The <B
@@ -8835,47 +9662,81 @@ CLASS="PROGRAMLISTING"
></TR
></TABLE
></P
+><P
+>If you restart the <B
+CLASS="COMMAND"
+>smbd</B
+>, <B
+CLASS="COMMAND"
+>nmbd</B
+>,
+and <B
+CLASS="COMMAND"
+>winbindd</B
+> daemons at this point, you
+should be able to connect to the samba server as a domain member just as
+if you were a local user.</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1841"
->9.5.3.7. Configure Winbind and PAM</A
+NAME="AEN2050"
+>10.5.3.7. Configure Winbind and PAM</A
></H3
><P
->If you have made it this far, you know that winbindd is working.
-Now it is time to integrate it into the operation of samba and other
-services. The pam configuration files need to be altered in
+>If you have made it this far, you know that winbindd and samba are working
+together. If you want to use winbind to provide authentication for other
+services, keep reading. The pam configuration files need to be altered in
this step. (Did you remember to make backups of your original
<TT
CLASS="FILENAME"
>/etc/pam.d</TT
> files? If not, do it now.)</P
><P
->To get samba to allow domain users and groups, I modified the
+>You will need a pam module to use winbindd with these other services. This
+module will be compiled in the <TT
+CLASS="FILENAME"
+>../source/nsswitch</TT
+> directory
+by invoking the command</P
+><P
+><TT
+CLASS="PROMPT"
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make nsswitch/pam_winbind.so</B
+></P
+><P
+>from the <TT
+CLASS="FILENAME"
+>../source</TT
+> directory. The
<TT
CLASS="FILENAME"
->/etc/pam.d/samba</TT
-> file from</P
+>pam_winbind.so</TT
+> file should be copied to the location of
+your other pam security modules. On my RedHat system, this was the
+<TT
+CLASS="FILENAME"
+>/lib/security</TT
+> directory.</P
><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="100%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_stack.so service=system-auth</PRE
-></TD
-></TR
-></TABLE
+><TT
+CLASS="PROMPT"
+>root#</TT
+> <B
+CLASS="COMMAND"
+>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B
></P
><P
->to</P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file does not need to be changed. I
+just left this fileas it was:</P
><P
><TABLE
BORDER="0"
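Review bot: The build and copy steps in this hunk use two different relative paths for the same tree: the module is built with `make nsswitch/pam_winbind.so` "from the `../source` directory", but the copy command is `cp ../samba/source/nsswitch/pam_winbind.so /lib/security`. Pick one convention, e.g. `cp nsswitch/pam_winbind.so /lib/security` if the reader is still in `../source`, so the sequence works when followed literally. There is also a typo in the new sentence `I just left this fileas it was:` ("file as").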
@@ -8885,9 +9746,7 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_winbind.so
-auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_winbind.so
+>auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth</PRE
></TD
></TR
@@ -8978,10 +9837,11 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->auth sufficient /lib/security/pam_winbind.so
-auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+>auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
+account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth</PRE
></TD
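Review bot: `auth sufficient /lib/security/pam_winbind.so` on the second line of the listing returns success as soon as winbind accepts the password (no earlier `required` module having failed), so the `auth required /lib/security/pam_shells.so` line beneath it is never evaluated for domain users and the /etc/shells restriction applies only to local accounts. If that check is meant to cover domain users as well, move it above the sufficient line, directly after the pam_listfile line. The relocated pam_listfile line itself is placed correctly, since a failed `required` module keeps a later `sufficient` success from short-circuiting the stack. The added `account sufficient /lib/security/pam_winbind.so` likewise skips the system-auth account checks for domain users; a sentence in the surrounding prose (outside this hunk) stating that this is intentional would help readers who rely on local expiry settings.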
@@ -9036,15 +9896,6 @@ CLASS="COMMAND"
>winbind.so</B
> line to get rid of annoying
double prompts for passwords.</P
-><P
->Finally, don't forget to copy the winbind pam modules from
-the source directory in which you originally compiled the new
-SAMBA up to the /lib/security directory so that pam can use it:</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P
></DIV
></DIV
></DIV
@@ -9053,8 +9904,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1882"
->9.6. Limitations</A
+NAME="AEN2097"
+>10.6. Limitations</A
></H1
><P
>Winbind has a number of limitations in its current
@@ -9094,8 +9945,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1892"
->9.7. Conclusion</A
+NAME="AEN2107"
+>10.7. Conclusion</A
></H1
><P
>The winbind system, through the use of the Name Service
@@ -9111,23 +9962,23 @@ CLASS="CHAPTER"
><HR><H1
><A
NAME="OS2"
->Chapter 10. OS2 Client HOWTO</A
+>Chapter 11. OS2 Client HOWTO</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1906"
->10.1. FAQs</A
+NAME="AEN2121"
+>11.1. FAQs</A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1908"
->10.1.1. How can I configure OS/2 Warp Connect or
+NAME="AEN2123"
+>11.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
><P
@@ -9185,8 +10036,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1923"
->10.1.2. How can I configure OS/2 Warp 3 (not Connect),
+NAME="AEN2138"
+>11.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
><P
@@ -9238,8 +10089,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1932"
->10.1.3. Are there any other issues when OS/2 (any version)
+NAME="AEN2147"
+>11.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
><P
@@ -9260,8 +10111,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1936"
->10.1.4. How do I get printer driver download working
+NAME="AEN2151"
+>11.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2
><P
@@ -9309,15 +10160,15 @@ CLASS="CHAPTER"
><HR><H1
><A
NAME="CVS-ACCESS"
->Chapter 11. HOWTO Access Samba source code via CVS</A
+>Chapter 12. HOWTO Access Samba source code via CVS</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1952"
->11.1. Introduction</A
+NAME="AEN2167"
+>12.1. Introduction</A
></H1
><P
>Samba is developed in an open environment. Developers use CVS
@@ -9338,8 +10189,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1957"
->11.2. CVS Access to samba.org</A
+NAME="AEN2172"
+>12.2. CVS Access to samba.org</A
></H1
><P
>The machine samba.org runs a publicly accessible CVS
@@ -9351,8 +10202,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1960"
->11.2.1. Access via CVSweb</A
+NAME="AEN2175"
+>12.2.1. Access via CVSweb</A
></H2
><P
>You can access the source code via your
@@ -9372,8 +10223,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1965"
->11.2.2. Access via cvs</A
+NAME="AEN2180"
+>12.2.2. Access via cvs</A
></H2
><P
>You can also access the source code via a
@@ -9478,12 +10329,12 @@ CLASS="COMMAND"
></DIV
><HR><H1
><A
-NAME="AEN1993"
+NAME="AEN2208"
>Index</A
></H1
><DL
><DT
->Primary Domain Controller,
+>Primary Domain Controller,
<A
HREF="x1098.htm"
>Background</A
diff --git a/docs/htmldocs/Samba-PDC-HOWTO.html b/docs/htmldocs/Samba-PDC-HOWTO.html
index f9bde088985..58f3989b4f0 100644
--- a/docs/htmldocs/Samba-PDC-HOWTO.html
+++ b/docs/htmldocs/Samba-PDC-HOWTO.html
@@ -68,32 +68,33 @@ CLASS="NOTE"
>Note: </B
><I
CLASS="EMPHASIS"
->Author's Note :</I
+>Author's Note:</I
> This document is a combination
-of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.
+of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ".
Both documents are superseded by this one.</P
></BLOCKQUOTE
></DIV
><P
->Version of Samba prior to release 2.2 had marginal capabilities to
-act as a Windows NT 4.0 Primary DOmain Controller (PDC). Beginning with
-Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
-style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
-SP1) clients. This article outlines the steps necessary for configuring Samba
-as a PDC. It is necessary to have a working Samba server prior to implementing the
-PDC functionality. If you have not followed the steps outlined in
-<A
+>Versions of Samba prior to release 2.2 had marginal capabilities to act
+as a Windows NT 4.0 Primary Domain Controller
+
+(PDC). With Samba 2.2.0, we are proud to announce official support for
+Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows
+2000 clients. This article outlines the steps
+necessary for configuring Samba as a PDC. It is necessary to have a
+working Samba server prior to implementing the PDC functionality. If
+you have not followed the steps outlined in <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
> UNIX_INSTALL.html</A
->, please make sure
-that your server is configured correctly before proceeding. Another good
-resource in the <A
+>, please make sure
+that your server is configured correctly before proceeding. Another
+good resource in the <A
HREF="smb.conf.5.html"
TARGET="_top"
->smb.conf(5) man
+>smb.conf(5) man
page</A
->. The following functionality should work in 2.2:</P
+>. The following functionality should work in 2.2:</P
><P
></P
><UL
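Review bot: The rewritten sentence now reads "Windows NT 4.0 and Windows 2000 clients" without the service-pack qualifiers ("through SP6", "through SP1") it replaces, and the following hunk drops the warning that Samba 2.2.1 is required for Windows 2000 SP2 clients. If that caveat is obsolete for the release this document ships with, a short clause such as `(Samba 2.2.1 or later for Windows 2000 SP2 clients)` preserves the information; if it is still current, the warning should stay. This is inferred from the removed lines only.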
@@ -120,36 +121,10 @@ page</A
></LI
><LI
><P
-> Windows NT 4.0 style system policies
+> Windows NT 4.0-style system policies
</P
></LI
></UL
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-BORDER="1"
-WIDTH="100%"
-><TR
-><TD
-ALIGN="CENTER"
-><B
->Windows 2000 Service Pack 2 Clients</B
-></TD
-></TR
-><TR
-><TD
-ALIGN="LEFT"
-><P
-> Samba 2.2.1 is required for PDC functionality when using Windows 2000
- SP2 clients.
- </P
-></TD
-></TR
-></TABLE
-></DIV
><P
>The following pieces of functionality are not included in the 2.2 release:</P
><P
@@ -181,7 +156,7 @@ ALIGN="LEFT"
><P
>Please note that Windows 9x clients are not true members of a domain
for reasons outlined in this article. Therefore the protocol for
-support Windows 9x style domain logons is completely different
+support Windows 9x-style domain logons is completely different
from NT4 domain logons and has been officially supported for some
time.</P
><P
@@ -214,7 +189,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN51"
+NAME="AEN48"
>Configuring the Samba Domain Controller</A
></H1
><P
@@ -229,7 +204,10 @@ man page</A
>. For convenience, the parameters have been
linked with the actual smb.conf description.</P
><P
->Here is an example smb.conf for acting as a PDC:</P
+>Here is an example <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> for acting as a PDC:</P
><P
><PRE
CLASS="PROGRAMLISTING"
@@ -335,10 +313,10 @@ TARGET="_top"
>path</A
> = /usr/local/samba/lib/netlogon
<A
-HREF="smb.conf.5.html#WRITEABLE"
+HREF="smb.conf.5.html#READONLY"
TARGET="_top"
->writeable</A
-> = no
+>read only</A
+> = yes
<A
HREF="smb.conf.5.html#WRITELIST"
TARGET="_top"
@@ -358,10 +336,10 @@ TARGET="_top"
>path</A
> = /export/smb/ntprofile
<A
-HREF="smb.conf.5.html#WRITEABLE"
+HREF="smb.conf.5.html#READONLY"
TARGET="_top"
->writeable</A
-> = yes
+>read only</A
+> = no
<A
HREF="smb.conf.5.html#CREATEMASK"
TARGET="_top"
@@ -407,72 +385,89 @@ CLASS="FILENAME"
></LI
></UL
><P
->As Samba 2.2 does not offer a complete implementation of group mapping between
-Windows NT groups and UNIX groups (this is really quite complicated to explain
-in a short space), you should refer to the <A
+>As Samba 2.2 does not offer a complete implementation of group mapping
+between Windows NT groups and Unix groups (this is really quite
+complicated to explain in a short space), you should refer to the
+<A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
->domain
-admin group</A
-> smb.conf parameter for information of creating "Domain Admins"
-style accounts.</P
+>domain admin
+group</A
+> smb.conf parameter for information of creating "Domain
+Admins" style accounts.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN93"
->Creating Machine Trust Accounts and Joining Clients
-to the Domain</A
+NAME="AEN91"
+>Creating Machine Trust Accounts and Joining Clients to the
+Domain</A
></H1
><P
->A machine trust account is a samba user account owned by a computer.
-The account password acts as the shared secret for secure
-communication with the Domain Controller. This is a security feature
-to prevent an unauthorized machine with the same NetBIOS name from
-joining the domain and gaining access to domain user/group accounts.
-Hence a Windows 9x host is never a true member of a domain because it does
-not posses a machine trust account, and thus has no shared secret with the DC.</P
-><P
->On a Windows NT PDC, these machine trust account passwords are stored
-in the registry. A Samba PDC stores these accounts in the same location
-as user LanMan and NT password hashes (currently <TT
+>A machine trust account is a Samba account that is used to
+authenticate a client machine (rather than a user) to the Samba
+server. In Windows terminology, this is known as a "Computer
+Account."</P
+><P
+>The password of a machine trust account acts as the shared secret for
+secure communication with the Domain Controller. This is a security
+feature to prevent an unauthorized machine with the same NetBIOS name
+from joining the domain and gaining access to domain user/group
+accounts. Windows NT and 2000 clients use machine trust accounts, but
+Windows 9x clients do not. Hence, a Windows 9x client is never a true
+member of a domain because it does not possess a machine trust
+account, and thus has no shared secret with the domain controller.</P
+><P
+>A Windows PDC stores each machine trust account in the Windows
+Registry. A Samba PDC, however, stores each machine trust account
+in two parts, as follows:
+
+<P
+></P
+><UL
+><LI
+><P
+>A Samba account, stored in the same location as user
+ LanMan and NT password hashes (currently
+ <TT
CLASS="FILENAME"
>smbpasswd</TT
->).
-However, machine trust accounts only possess and use the NT password hash.</P
+>). The Samba account
+ possesses and uses only the NT password hash.</P
+></LI
+><LI
><P
->Because Samba requires machine accounts to possess a UNIX uid from
-which an Windows NT SID can be generated, all of these accounts
-must have an entry in <TT
+>A corresponding Unix account, typically stored in
+ <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> and smbpasswd.
-Future releases will alleviate the need to create
-<TT
+>. (Future releases will alleviate the need to
+ create <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entries. </P
+> entries.) </P
+></LI
+></UL
+></P
><P
->There are two means of creating machine trust accounts.</P
+>There are two ways to create machine trust accounts:</P
><P
></P
><UL
><LI
><P
-> Manual creation before joining the client to the domain. In this case,
- the password is set to a known value -- the lower case of the
- machine's NetBIOS name.
- </P
+> Manual creation. Both the Samba and corresponding
+ Unix account are created by hand.</P
></LI
><LI
><P
-> Creation of the account at the time of joining the domain. In
- this case, the session key of the administrative account used to join
- the client to the domain acts as an encryption key for setting the
- password to a random value (This is the recommended method).
- </P
+> "On-the-fly" creation. The Samba machine trust
+ account is automatically created by Samba at the time the client
+ is joined to the domain. (For security, this is the
+ recommended method.) The corresponding Unix account may be
+ created automatically or manually. </P
></LI
></UL
><DIV
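Review bot: The paragraph opened before "A Windows PDC stores each machine trust account" is not closed before the nested `<P></P>` and `<UL>` that follow "in two parts, as follows:", and is then closed again after `</UL>`. A `<p>` cannot contain block content, so browsers implicitly end the outer paragraph at the nested `<P>` and the trailing `</P>` after the list is stray. Close the paragraph at `in two parts, as follows:</P>` and drop the `</P>` after `</UL>`; if this HTML is generated from DocBook, the fix belongs in the source `<para>` that wraps the `<itemizedlist>`.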
@@ -480,22 +475,28 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN107"
->Manually creating machine trust accounts</A
+NAME="AEN110"
+>Manual Creation of Machine Trust Accounts</A
></H2
><P
->The first step in creating a machine trust account by hand is to
-create an entry for the machine in /etc/passwd. This can be done
-using <B
+>The first step in manually creating a machine trust account is to
+manually create the corresponding Unix account in
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>. This can be done using
+<B
CLASS="COMMAND"
>vipw</B
-> or any 'add userr' command which is normally
-used to create new UNIX accounts. The following is an example for a Linux
-based Samba server:</P
+> or other 'add user' command that is normally
+used to create new Unix accounts. The following is an example for a
+Linux based Samba server:</P
><P
-><TT
+> <TT
CLASS="PROMPT"
>root# </TT
+><B
+CLASS="COMMAND"
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
@@ -507,28 +508,32 @@ CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
->$ </P
+>$ </B
+></P
><P
><TT
CLASS="PROMPT"
>root# </TT
+><B
+CLASS="COMMAND"
>passwd -l <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
->$</P
+>$</B
+></P
><P
>The <TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry will list the machine name
-with a $ appended, won't have a passwd, will have a null shell and no
-home directory. For example a machine called 'doppy' would have an
+with a "$" appended, won't have a password, will have a null shell and no
+home directory. For example a machine named 'doppy' would have an
<TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entry like this :</P
+> entry like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
@@ -545,20 +550,22 @@ CLASS="REPLACEABLE"
><I
>machine_nickname</I
></TT
-> can be any descriptive name for the
-pc i.e. BasementComputer. The <TT
+> can be any
+descriptive name for the client, i.e., BasementComputer.
+<TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
-> absolutely must be
-the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS
-name of the pc or samba will not recognize this as a machine account</P
-><P
->Now that the UNIX account has been created, the next step is to create
-the smbpasswd entry for the machine containing the well known initial
-trust account password. This can be done using the <A
-HREF="smbpasswd.6.html"
+> absolutely must be the NetBIOS
+name of the client to be joined to the domain. The "$" must be
+appended to the NetBIOS name of the client or Samba will not recognize
+this as a machine trust account.</P
+><P
+>Now that the corresponding Unix account has been created, the next step is to create
+the Samba account for the client containing the well-known initial
+machine trust account password. This can be done using the <A
+HREF="smbpasswd.8.html"
TARGET="_top"
><B
CLASS="COMMAND"
@@ -570,11 +577,14 @@ as shown here:</P
><TT
CLASS="PROMPT"
>root# </TT
-> smbpasswd -a -m <TT
+><B
+CLASS="COMMAND"
+>smbpasswd -a -m <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
+></B
></P
><P
>where <TT
@@ -583,7 +593,8 @@ CLASS="REPLACEABLE"
>machine_name</I
></TT
> is the machine's NetBIOS
-name. </P
+name. The RID of the new machine account is generated from the UID of
+the corresponding Unix account.</P
><DIV
CLASS="WARNING"
><P
@@ -604,9 +615,9 @@ ALIGN="CENTER"
ALIGN="LEFT"
><P
> Manually creating a machine trust account using this method is the
- equivalent of creating a machine account on a Windows NT PDC using
+ equivalent of creating a machine trust account on a Windows NT PDC using
the "Server Manager". From the time at which the account is created
- to the time which th client joins the domain and changes the password,
+ to the time which the client joins the domain and changes the password,
your domain is vulnerable to an intruder joining your domain using a
a machine with the same NetBIOS name. A PDC inherently trusts
members of the domain and will serve out a large degree of user
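Review bot: The warning box fixed here still contains the doubled article in `your domain is vulnerable to an intruder joining your domain using a` / `a machine with the same NetBIOS name`; since this hunk is already correcting typos in the same paragraph, drop the second "a". The box continues past the end of the hunk.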
@@ -622,41 +633,98 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN138"
->Creating machine trust accounts "on the fly"</A
+NAME="AEN145"
+>"On-the-Fly" Creation of Machine Trust Accounts</A
></H2
><P
->The second, and most recommended way of creating machine trust accounts
-is to create them as needed at the time the client is joined to
-the domain. You will need to include a value for the <A
+>The second (and recommended) way of creating machine trust accounts is
+simply to allow the Samba server to create them as needed when the client
+is joined to the domain. </P
+><P
+>Since each Samba machine trust account requires a corresponding
+Unix account, a method for automatically creating the
+Unix account is usually supplied; this requires configuration of the
+<A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
->
-parameter. Below is an example from a RedHat 6.2 Linux system.</P
+>
+option in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. This
+method is not required, however; corresponding Unix accounts may also
+be created manually.</P
+><P
+>Below is an example for a RedHat 6.2 Linux system.</P
><P
><PRE
CLASS="PROGRAMLISTING"
->add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
+>[global]
+ # &#60;...remainder of parameters...&#62;
+ add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
></P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN154"
+>Joining the Client to the Domain</A
+></H2
><P
->In Samba 2.2.1, <I
-CLASS="EMPHASIS"
->only the root account</I
-> can be used to create
-machine accounts like this. Therefore, it is required to create
-an entry in smbpasswd for <I
-CLASS="EMPHASIS"
->root</I
->. The password
-<I
+>The procedure for joining a client to the domain varies with the
+version of Windows.</P
+><P
+></P
+><UL
+><LI
+><P
+><I
CLASS="EMPHASIS"
->SHOULD</I
-> be set to a different password that the
-associated <TT
+>Windows 2000</I
+></P
+><P
+> When the user elects to join the client to a domain, Windows prompts for
+ an account and password that is privileged to join the domain. A
+ Samba administrative account (i.e., a Samba account that has root
+ privileges on the Samba server) must be entered here; the
+ operation will fail if an ordinary user account is given.
+ The password for this account should be
+ set to a different password than the associated
+ <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entry for security reasons.</P
+> entry, for security
+ reasons. </P
+><P
+>The session key of the Samba administrative account acts as an
+ encryption key for setting the password of the machine trust
+ account. The machine trust account will be created on-the-fly, or
+ updated if it already exists.</P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>Windows NT</I
+></P
+><P
+> If the machine trust account was created manually, on the
+ Identification Changes menu enter the domain name, but do not
+ check the box "Create a Computer Account in the Domain." In this case,
+ the existing machine trust account is used to join the machine to
+ the domain.</P
+><P
+> If the machine trust account is to be created
+ on-the-fly, on the Identification Changes menu enter the domain
+ name, and check the box "Create a Computer Account in the Domain." In
+ this case, joining the domain proceeds as above for Windows 2000
+ (i.e., you must supply a Samba administrative account when
+ prompted).</P
+></LI
+></UL
></DIV
></DIV
><DIV
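Review bot: The removed text told the reader that on-the-fly creation needs an smbpasswd entry for root; the replacement at "A Samba administrative account (i.e., a Samba account that has root privileges on the Samba server) must be entered here" says such an account is needed at join time but no longer says to create it, so the prerequisite step is lost. Restore it in the Windows 2000 bullet, e.g. `(Create this entry with smbpasswd before attempting the join; in Samba 2.2.1 the removed text named root specifically.)`, adjusting the version if that restriction has changed. The `add user script` example receives `%u` with the trailing `$`, which the Common Problems section later in this file says some BSD useradd implementations reject; a pointer to that entry next to the example would save a round trip.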
@@ -664,7 +732,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN149"
+NAME="AEN169"
>Common Problems and Errors</A
></H1
><P
@@ -685,7 +753,7 @@ CLASS="FILENAME"
>/etc/passwd</TT
>
of the machine name with a '$' appended. FreeBSD (and other BSD
- systems ?) won't create a user with a '$' in their name.
+ systems?) won't create a user with a '$' in their name.
</P
><P
> The problem is only in the program used to make the entry, once
@@ -695,7 +763,7 @@ CLASS="COMMAND"
>vipw</B
> to edit the entry, adding the '$'. Or create
the whole entry with vipw if you like, make sure you use a
- unique uid !
+ unique User ID !
</P
></LI
><LI
@@ -704,11 +772,11 @@ CLASS="COMMAND"
CLASS="EMPHASIS"
>I get told "You already have a connection to the Domain...."
or "Cannot join domain, the credentials supplied conflict with an
- existing set.." when creating a machine account.</I
+ existing set.." when creating a machine trust account.</I
>
</P
><P
-> This happens if you try to create a machine account from the
+> This happens if you try to create a machine trust account from the
machine itself and already have a connection (e.g. mapped drive)
to a share (or IPC$) on the Samba PDC. The following command
will remove all network drive connections:
@@ -762,17 +830,17 @@ CLASS="COMMAND"
><P
> <I
CLASS="EMPHASIS"
->The machine account for this computer either does not
+>The machine trust account for this computer either does not
exist or is not accessible.</I
>
</P
><P
> When I try to join the domain I get the message "The machine account
- for this computer either does not exist or is not accessible". Whats
+ for this computer either does not exist or is not accessible". What's
wrong?
</P
><P
-> This problem is caused by the PDC not having a suitable machine account.
+> This problem is caused by the PDC not having a suitable machine trust account.
If you are using the <TT
CLASS="PARAMETER"
><I
@@ -785,7 +853,7 @@ CLASS="PARAMETER"
><P
> Alternatively if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
- correct for the machine account in smbpasswd file on the Samba PDC.
+ correct for the machine trust account in smbpasswd file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
@@ -859,7 +927,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN197"
+NAME="AEN217"
>System Policies and Profiles</A
></H1
><P
@@ -881,7 +949,7 @@ Profiles and Policies in Windows NT 4.0</A
><P
> <I
CLASS="EMPHASIS"
->What about Windows NT Policy Editor ?</I
+>What about Windows NT Policy Editor?</I
>
</P
><P
@@ -943,7 +1011,7 @@ CLASS="COMMAND"
><P
> <I
CLASS="EMPHASIS"
->Can Win95 do Policies ?</I
+>Can Win95 do Policies?</I
>
</P
><P
@@ -975,7 +1043,7 @@ CLASS="EMPHASIS"
</P
><P
> Since I don't need to buy an NT Server CD now, how do I get
- the 'User Manager for Domains', the 'Server Manager' ?
+ the 'User Manager for Domains', the 'Server Manager'?
</P
><P
> Microsoft distributes a version of these tools called nexus for
@@ -1021,8 +1089,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN241"
->What other help can I get ?</A
+NAME="AEN261"
+>What other help can I get?</A
></H1
><P
>There are many sources of information available in the form
@@ -1086,7 +1154,7 @@ HREF="http://www.tcpdump.org/"
TARGET="_top"
>http://www.tcpdup.org/</A
>.
- Ethereal, another good packet sniffer for UNIX and Win32
+ Ethereal, another good packet sniffer for Unix and Win32
hosts, can be downloaded from <A
HREF="http://www.ethereal.com/"
TARGET="_top"
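Review bot: The visible link text `http://www.tcpdup.org/` does not match the `HREF="http://www.tcpdump.org/"` two lines above it; since this hunk already edits the sentence, correct the text to `http://www.tcpdump.org/` so readers who type the URL rather than click it reach the right site.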
@@ -1286,7 +1354,7 @@ TARGET="_top"
><P
> <I
CLASS="EMPHASIS"
->How do I get help from the mailing lists ?</I
+>How do I get help from the mailing lists?</I
>
</P
><P
@@ -1379,7 +1447,7 @@ CLASS="EMPHASIS"
>Please think carefully before attaching a document to an email.
Consider pasting the relevant parts into the body of the message. The samba
mailing lists go to a huge number of people, do they all need a copy of your
- smb.conf in their attach directory ?</P
+ smb.conf in their attach directory?</P
></LI
></UL
></LI
@@ -1387,7 +1455,7 @@ CLASS="EMPHASIS"
><P
> <I
CLASS="EMPHASIS"
->How do I get off the mailing lists ?</I
+>How do I get off the mailing lists?</I
>
</P
><P
@@ -1423,7 +1491,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN355"
+NAME="AEN375"
>Domain Control for Windows 9x/ME</A
></H1
><DIV
@@ -1435,8 +1503,11 @@ CLASS="NOTE"
>Note: </B
>The following section contains much of the original
DOMAIN.txt file previously included with Samba. Much of
-the material is based on what went into the book Special
-Edition, Using Samba. (Richard Sharpe)</P
+the material is based on what went into the book <I
+CLASS="EMPHASIS"
+>Special
+Edition, Using Samba</I
+>, by Richard Sharpe.</P
></BLOCKQUOTE
></DIV
><P
@@ -1451,11 +1522,12 @@ other systems based on NT server support this, as does at least Samba TNG now).<
server in the domain should accept the same authentication information.
Network browsing functionality of domains and workgroups is
identical and is explained in BROWSING.txt. It should be noted, that browsing
-is total orthogonal to logon support.</P
+is totally orthogonal to logon support.</P
><P
>Issues related to the single-logon network model are discussed in this
-document. Samba supports domain logons, network logon scripts, and user
-profiles for MS Windows for workgroups and MS Windows 9X clients.</P
+section. Samba supports domain logons, network logon scripts, and user
+profiles for MS Windows for workgroups and MS Windows 9X/ME clients
+which will be the focus of this section.</P
><P
>When an SMB client in a domain wishes to logon it broadcast requests for a
logon server. The first one to reply gets the job, and validates its
@@ -1466,37 +1538,12 @@ servers advertising themselves as participating in a domain. This
demonstrates how authentication is quite different from but closely
involved with domains.</P
><P
->Another thing commonly associated with single-logon domains is remote
-administration over the SMB protocol. Again, there is no reason why this
-cannot be implemented with an underlying username database which is
-different from the Windows NT SAM. Support for the Remote Administration
-Protocol is planned for a future release of Samba.</P
-><P
->Network logon support as discussed in this section is aimed at Window for
-Workgroups, and Windows 9X clients. </P
-><P
->Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51.
-It is possible to specify: the profile location; script file to be loaded
-on login; the user's home directory; and for NT a kick-off time could also
-now easily be supported. However, there are some differences between Win9X
-profile support and WinNT profile support. These are discussed below.</P
-><P
->With NT Workstations, all this does not require the use or intervention of
-an NT 4.0 or NT 3.51 server: Samba can now replace the logon services
-provided by an NT server, to a limited and experimental degree (for example,
-running "User Manager for Domains" will not provide you with access to
-a domain created by a Samba Server).</P
-><P
->With Win95, the help of an NT server can be enlisted, both for profile storage
-and for user authentication. For details on user authentication, see
-security_level.txt. For details on profile storage, see below.</P
-><P
>Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.</P
><P
->Before launching into the configuration instructions, it is worthwhile looking
-at how a Win9X client performs a logon:</P
+>Before launching into the configuration instructions, it is
+worthwhile lookingat how a Windows 9x/ME client performs a logon:</P
><P
></P
><OL
@@ -1504,7 +1551,7 @@ TYPE="1"
><LI
><P
> The client broadcasts (to the IP broadcast address of the subnet it is in)
- a NetLogon request. This is sent to the NetBIOS address DOMAIN&#60;00&#62; at the
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN&#60;1c&#62; at the
NetBIOS layer. The client chooses the first response it receives, which
contains the NetBIOS name of the logon server to use in the format of
\\SERVER.
@@ -1559,95 +1606,27 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN385"
+NAME="AEN401"
>Configuration Instructions: Network Logons</A
></H2
><P
->To use domain logons and profiles you need to do the following:</P
+>The main difference between a PDC and a Windows 9x logon
+server configuration is that</P
><P
></P
-><OL
-TYPE="1"
-><LI
-><P
-> Create a share called [netlogon] in your smb.conf. This share should
- be readable by all users, and probably should not be writeable. This
- share will hold your network logon scripts, and the CONFIG.POL file
- (Note: for details on the CONFIG.POL file, how to use it, what it is,
- refer to the Microsoft Windows NT Administration documentation.
- The format of these files is not known, so you will need to use
- Microsoft tools).
- </P
-><P
-> For example I have used:
- </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->[netlogon]
- path = /data/dos/netlogon
- writeable = no
- guest ok = no</PRE
-></P
-><P
-> Note that it is important that this share is not writeable by ordinary
- users, in a secure environment: ordinary users should not be allowed
- to modify or add files that another user's computer would then download
- when they log in.
- </P
-></LI
-><LI
-><P
-> in the [global] section of smb.conf set the following:
- </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->domain logons = yes
-logon script = %U.bat
- </PRE
-></P
-><P
-> The choice of batch file is, of course, up to you. The above would
- give each user a separate batch file as the %U will be changed to
- their username automatically. The other standard % macros may also be
- used. You can make the batch files come from a subdirectory by using
- something like:
- </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->logon script = scripts\%U.bat
- </PRE
-></P
-></LI
+><UL
><LI
><P
-> create the batch files to be run when the user logs in. If the batch
- file doesn't exist then no batch file will be run.
- </P
-><P
-> In the batch files you need to be careful to use DOS style cr/lf line
- endings. If you don't then DOS may get confused. I suggest you use a
- DOS editor to remotely edit the files if you don't know how to produce
- DOS style files under unix.
- </P
+>Password encryption is not required for a Windows 9x logon server.</P
></LI
><LI
><P
-> Use smbclient with the -U option for some users to make sure that
- the \\server\NETLOGON share is available, the batch files are
- visible and they are readable by the users.
- </P
+>Windows 9x/ME clients do not possess machine trust accounts.</P
></LI
-><LI
+></UL
><P
-> you will probably find that your clients automatically mount the
- \\SERVER\NETLOGON share as drive z: while logging in. You can put
- some useful programs there to execute from the batch files.
- </P
-></LI
-></OL
+>Therefore, a Samba PDC will also act as a Windows 9x logon
+server.</P
><DIV
CLASS="WARNING"
><P
@@ -1687,7 +1666,7 @@ CLASS="CONSTANT"
>
mode security is really just a variation on SMB user level security.</P
><P
->Actually, this issue is also closer tied to the debate on whether
+>Actually, this issue is also closely tied to the debate on whether
or not Samba must be the domain master browser for its workgroup
when operating as a DC. While it may technically be possible
to configure a server as such (after all, browsing and domain logons
@@ -1721,7 +1700,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN419"
+NAME="AEN420"
>Configuration Instructions: Setting up Roaming User Profiles</A
></H2
><DIV
@@ -1769,11 +1748,11 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN427"
+NAME="AEN428"
>Windows NT Configuration</A
></H3
><P
->To support WinNT clients, inn the [global] section of smb.conf set the
+>To support WinNT clients, in the [global] section of smb.conf set the
following (for example):</P
><P
><PRE
@@ -1804,7 +1783,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN435"
+NAME="AEN436"
>Windows 9X Configuration</A
></H3
><P
@@ -1835,7 +1814,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN443"
+NAME="AEN444"
>Win9X and WinNT Configuration</A
></H3
><P
@@ -1864,7 +1843,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN450"
+NAME="AEN451"
>Windows 9X Profile Setup</A
></H3
><P
@@ -1936,7 +1915,7 @@ the newest folders and short-cuts from each set.</P
>If you have made the folders / files read-only on the samba server,
then you will get errors from the w95 machine on logon and logout, as
it attempts to merge the local and the remote profile. Basically, if
-you have any errors reported by the w95 machine, check the unix file
+you have any errors reported by the w95 machine, check the Unix file
permissions and ownership rights on the profile directory contents,
on the samba server.</P
><P
@@ -2021,7 +2000,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN486"
+NAME="AEN487"
>Windows NT Workstation 4.0</A
></H3
><P
@@ -2103,7 +2082,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN499"
+NAME="AEN500"
>Windows NT Server</A
></H3
><P
@@ -2117,7 +2096,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN502"
+NAME="AEN503"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
@@ -2182,7 +2161,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN512"
+NAME="AEN513"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
diff --git a/docs/htmldocs/nmbd.8.html b/docs/htmldocs/nmbd.8.html
index 31afa11cf89..b18ae23aa21 100644
--- a/docs/htmldocs/nmbd.8.html
+++ b/docs/htmldocs/nmbd.8.html
@@ -37,12 +37,12 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>nmbd</B
-> [-D] [-a] [-o] [-P] [-h] [-V] [-d &#60;debug level&#62;] [-H &#60;lmhosts file&#62;] [-l &#60;log file&#62;] [-n &#60;primary netbios name&#62;] [-p &#60;port number&#62;] [-s &#60;configuration file&#62;]</P
+> [-D] [-a] [-i] [-o] [-P] [-h] [-V] [-d &#60;debug level&#62;] [-H &#60;lmhosts file&#62;] [-l &#60;log directory&#62;] [-n &#60;primary netbios name&#62;] [-p &#60;port number&#62;] [-s &#60;configuration file&#62;]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN23"
+NAME="AEN24"
></A
><H2
>DESCRIPTION</H2
@@ -112,7 +112,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN40"
+NAME="AEN41"
></A
><H2
>OPTIONS</H2
@@ -152,6 +152,17 @@ CLASS="COMMAND"
This is the default.</P
></DD
><DT
+>-i</DT
+><DD
+><P
+>If this parameter is specified it causes the
+ server to run "interactively", not as a daemon, even if the
+ server is executed on the command line of a shell. Setting this
+ parameter negates the implicit deamon mode when run from the
+ command line.
+ </P
+></DD
+><DT
>-o</DT
><DD
><P
@@ -275,22 +286,19 @@ CLASS="FILENAME"
> file.</P
></DD
><DT
->-l &#60;log file&#62;</DT
+>-l &#60;log directory&#62;</DT
><DD
><P
->The -l parameter specifies a path
- and base filename into which operational data from
- the running <B
+>The -l parameter specifies a directory
+ into which the "log.nmbd" log file will be created
+ for operational data from the running
+ <B
CLASS="COMMAND"
>nmbd</B
-> server will
- be logged. The actual log file name is generated by
- appending the extension ".nmb" to the specified base
- name. For example, if the name specified was "log"
- then the file log.nmb would contain the debugging data.</P
+> server.</P
><P
->The default log file path is compiled into Samba as
- part of the build process. Common defaults are <TT
+>The default log directory is compiled into Samba
+ as part of the build process. Common defaults are <TT
CLASS="FILENAME"
> /usr/local/samba/var/log.nmb</TT
>, <TT
@@ -332,31 +340,30 @@ CLASS="FILENAME"
><DD
><P
>UDP port number is a positive integer value.
- This option changes the default UDP port number (normally 137)
+ This option changes the default UDP port number (normally 137)
that <B
CLASS="COMMAND"
>nmbd</B
-> responds to name queries on. Don't
- use this option unless you are an expert, in which case you
+> responds to name queries on. Don't
+ use this option unless you are an expert, in which case you
won't need help!</P
></DD
><DT
>-s &#60;configuration file&#62;</DT
><DD
><P
->The default configuration file name
+>The default configuration file name
is set at build time, typically as <TT
CLASS="FILENAME"
> /usr/local/samba/lib/smb.conf</TT
>, but
this may be changed when Samba is autoconfigured.</P
><P
->The file specified contains the configuration details
+>The file specified contains the configuration details
required by the server. See <A
HREF="smb.conf.5.html"
TARGET="_top"
->
- <TT
+> <TT
CLASS="FILENAME"
>smb.conf(5)</TT
></A
@@ -369,7 +376,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN125"
+NAME="AEN130"
></A
><H2
>FILES</H2
@@ -385,13 +392,18 @@ CLASS="FILENAME"
></DT
><DD
><P
->If the server is to be run by the
+>If the server is to be run by the
<B
CLASS="COMMAND"
>inetd</B
-> meta-daemon, this file
- must contain suitable startup information for the
- meta-daemon. See the section INSTALLATION below.
+> meta-daemon, this file
+ must contain suitable startup information for the
+ meta-daemon. See the <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+> document
+ for details.
</P
></DD
><DT
@@ -401,13 +413,17 @@ CLASS="FILENAME"
></DT
><DD
><P
->or whatever initialization script your
+>or whatever initialization script your
system uses).</P
><P
->If running the server as a daemon at startup,
- this file will need to contain an appropriate startup
- sequence for the server. See the section INSTALLATION
- below.</P
+>If running the server as a daemon at startup,
+ this file will need to contain an appropriate startup
+ sequence for the server. See the <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+> document
+ for details.</P
></DD
><DT
><TT
@@ -416,14 +432,19 @@ CLASS="FILENAME"
></DT
><DD
><P
->If running the server via the
+>If running the server via the
meta-daemon <B
CLASS="COMMAND"
>inetd</B
->, this file
- must contain a mapping of service name (e.g., netbios-ssn)
- to service port (e.g., 139) and protocol type (e.g., tcp).
- See the section INSTALLATION below.</P
+>, this file
+ must contain a mapping of service name (e.g., netbios-ssn)
+ to service port (e.g., 139) and protocol type (e.g., tcp).
+ See the <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+>
+ document for details.</P
></DD
><DT
><TT
@@ -432,7 +453,7 @@ CLASS="FILENAME"
></DT
><DD
><P
->This is the default location of the
+>This is the default location of the
<A
HREF="smb.conf.5.html"
TARGET="_top"
@@ -441,41 +462,38 @@ CLASS="FILENAME"
>smb.conf</TT
></A
>
- server configuration file. Other common places that systems
+ server configuration file. Other common places that systems
install this file are <TT
CLASS="FILENAME"
>/usr/samba/lib/smb.conf</TT
->
+>
and <TT
CLASS="FILENAME"
>/etc/smb.conf</TT
>.</P
><P
->When run as a WINS server (see the
+>When run as a WINS server (see the
<A
-HREF="smb.conf.5.html#winssupport"
+HREF="smb.conf.5.html#WINSSUPPORT"
TARGET="_top"
>wins support</A
>
- parameter in the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
-><TT
+ parameter in the <TT
CLASS="FILENAME"
-> smb.conf(5)</TT
-></A
-> man page), <B
+>smb.conf(5)</TT
+> man page),
+ <B
CLASS="COMMAND"
>nmbd</B
->
+>
will store the WINS database in the file <TT
CLASS="FILENAME"
>wins.dat</TT
->
+>
in the <TT
CLASS="FILENAME"
>var/locks</TT
-> directory configured under
+> directory configured under
wherever Samba was configured to install itself.</P
><P
>If <B
@@ -484,21 +502,18 @@ CLASS="COMMAND"
> is acting as a <EM
> browse master</EM
> (see the <A
-HREF="smb.conf.5.html#localmaster"
+HREF="smb.conf.5.html#LOCALMASTER"
TARGET="_top"
>local master</A
>
- parameter in the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
-><TT
+ parameter in the <TT
CLASS="FILENAME"
-> smb.conf(5)</TT
-></A
-> man page), <B
+>smb.conf(5)</TT
+> man page,
+ <B
CLASS="COMMAND"
>nmbd</B
->
+>
will store the browsing database in the file <TT
CLASS="FILENAME"
>browse.dat
@@ -516,7 +531,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN171"
+NAME="AEN177"
></A
><H2
>SIGNALS</H2
@@ -524,21 +539,21 @@ NAME="AEN171"
>To shut down an <B
CLASS="COMMAND"
>nmbd</B
-> process it is recommended
+> process it is recommended
that SIGKILL (-9) <EM
>NOT</EM
-> be used, except as a last
- resort, as this may leave the name database in an inconsistent state.
+> be used, except as a last
+ resort, as this may leave the name database in an inconsistent state.
The correct way to terminate <B
CLASS="COMMAND"
>nmbd</B
-> is to send it
+> is to send it
a SIGTERM (-15) signal and wait for it to die on its own.</P
><P
><B
CLASS="COMMAND"
>nmbd</B
-> will accept SIGHUP, which will cause
+> will accept SIGHUP, which will cause
it to dump out its namelists into the file <TT
CLASS="FILENAME"
>namelist.debug
@@ -546,12 +561,12 @@ CLASS="FILENAME"
> in the <TT
CLASS="FILENAME"
>/usr/local/samba/var/locks</TT
->
+>
directory (or the <TT
CLASS="FILENAME"
>var/locks</TT
-> directory configured
- under wherever Samba was configured to install itself). This will also
+> directory configured
+ under wherever Samba was configured to install itself). This will also
cause <B
CLASS="COMMAND"
>nmbd</B
@@ -577,7 +592,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN187"
+NAME="AEN193"
></A
><H2
>VERSION</H2
@@ -588,7 +603,7 @@ NAME="AEN187"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN190"
+NAME="AEN196"
></A
><H2
>SEE ALSO</H2
@@ -653,7 +668,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN207"
+NAME="AEN213"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/rpcclient.1.html b/docs/htmldocs/rpcclient.1.html
index 53a0ea98dd2..98a19c6ea2d 100644
--- a/docs/htmldocs/rpcclient.1.html
+++ b/docs/htmldocs/rpcclient.1.html
@@ -197,7 +197,7 @@ CLASS="FILENAME"
><P
>Sets the SMB username or username and password. </P
><P
->If %password is not specified, The user will be prompted. The
+>If %password is not specified, the user will be prompted. The
client will first check the <TT
CLASS="ENVAR"
>USER</TT
diff --git a/docs/htmldocs/samba-pdc-faq.html b/docs/htmldocs/samba-pdc-faq.html
deleted file mode 100644
index d9c204bf1b5..00000000000
--- a/docs/htmldocs/samba-pdc-faq.html
+++ /dev/null
@@ -1,1954 +0,0 @@
-<HTML
-><HEAD
-><TITLE
->The Samba 2.2 PDC FAQ</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
-><BODY
-CLASS="BOOK"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="BOOK"
-><A
-NAME="SAMBA-PDC-FAQ"
-></A
-><DIV
-CLASS="TITLEPAGE"
-><H1
-CLASS="TITLE"
-><A
-NAME="SAMBA-PDC-FAQ"
->The Samba 2.2 PDC FAQ</A
-></H1
-><H3
-CLASS="AUTHOR"
-><A
-NAME="AEN4"
->David Bannon</A
-></H3
-><DIV
-CLASS="AFFILIATION"
-><SPAN
-CLASS="ORGNAME"
->La Trobe University<BR></SPAN
-></DIV
-><HR></DIV
-><HR><H1
-><A
-NAME="AEN12"
-></A
-></H1
-><P
-> This is the FAQ for Samba 2.2 as an NTDomain controller.
- This document is derived from the original FAQ that was built and
- maintained by Gerald Carter from the early days of Samba NTDomain development
- up until recently. It is now being updated as significant changes are
- made to 2.2.0.
- </P
-><P
-> Please note it does not apply to the SAMBA_TNG nor the HEAD branch.
- </P
-><P
-> Also available is a Samba 2.2 PDC <A
-HREF="samba-pdc-howto.html"
-TARGET="_top"
->HOWTO</A
->
- that takes you, step by step, over the process of setting up a very basic Samba
- 2.2 Primary Domain Controller
- </P
-><DIV
-CLASS="TOC"
-><DL
-><DT
-><B
->Table of Contents</B
-></DT
-><DT
->1. <A
-HREF="#AEN19"
->Introduction</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN21"
->State of Play</A
-></DT
-><DT
-><A
-HREF="#AEN27"
->Introduction</A
-></DT
-></DL
-></DD
-><DT
->2. <A
-HREF="#AEN33"
->General Information</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN35"
->What can we do ?</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN37"
->What can Samba 2.2.x Primary Domain Controller (PDC) do ?</A
-></DT
-><DT
-><A
-HREF="#AEN62"
->Can I have a Windows 2000 client logon to a Samba
-controlled domain?</A
-></DT
-></DL
-></DD
-><DT
-><A
-HREF="#AEN65"
->CVS</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN68"
->What are the different Samba branches available in CVS ?</A
-></DT
-><DT
-><A
-HREF="#AEN91"
->What are the CVS commands ?</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->3. <A
-HREF="#AEN95"
->Establishing Connections</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN97"
-></A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN99"
->How do I get my NT4 or W2000 Workstation to login to the Samba
-controlled Domain?</A
-></DT
-><DT
-><A
-HREF="#AEN103"
->What is a 'machine account' ?</A
-></DT
-><DT
-><A
-HREF="#AEN110"
->"The machine account for this computer either does not
-exist or is not accessible."</A
-></DT
-><DT
-><A
-HREF="#AEN116"
->How do I create machine accounts manually ?</A
-></DT
-><DT
-><A
-HREF="#AEN129"
->I cannot include a '$' in a machine name.</A
-></DT
-><DT
-><A
-HREF="#AEN135"
->I get told "You already have a connection to the Domain...."
-when creating a machine account.</A
-></DT
-><DT
-><A
-HREF="#AEN139"
->I get told "Cannot join domain, the credentials supplied
-conflict with an existing set.."</A
-></DT
-><DT
-><A
-HREF="#AEN143"
->"The system can not log you on (C000019B)...."</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->4. <A
-HREF="#AEN147"
->User Account Management</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN149"
->Domain Admins</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN151"
->How do I configure an account as a domain administrator?</A
-></DT
-></DL
-></DD
-><DT
-><A
-HREF="#AEN155"
->Profiles</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN157"
->Why is it bad to set "logon path = \\%N\%U\profile" in
-smb.conf?</A
-></DT
-><DT
-><A
-HREF="#AEN169"
->Why are all the users listed in the "domain admin users" using the
-same profile?</A
-></DT
-><DT
-><A
-HREF="#AEN172"
->The roaming profiles do not seem to be updating on the
-server.</A
-></DT
-></DL
-></DD
-><DT
-><A
-HREF="#AEN180"
->Policies</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN182"
->What are 'Policies' ?</A
-></DT
-><DT
-><A
-HREF="#AEN188"
->I can't get system policies to work.</A
-></DT
-><DT
-><A
-HREF="#AEN203"
->What about Windows NT Policy Editor ?</A
-></DT
-><DT
-><A
-HREF="#AEN217"
->Can Win95 do Policies ?</A
-></DT
-></DL
-></DD
-><DT
-><A
-HREF="#AEN223"
->Passwords</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN225"
->What is password sync and should I use it ?</A
-></DT
-><DT
-><A
-HREF="#AEN239"
->How do I get remote password (unix and SMB) changing working ?</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->5. <A
-HREF="#AEN246"
->Miscellaneous</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN248"
-></A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN250"
->What editor can I use in DOS/Windows that won't
-mess with my unix EOF ?</A
-></DT
-><DT
-><A
-HREF="#AEN263"
->How do I get 'User Manager' and 'Server Manager' ?</A
-></DT
-><DT
-><A
-HREF="#AEN278"
->The time setting from a Samba server does not work.</A
-></DT
-><DT
-><A
-HREF="#AEN282"
->"trust account xxx should be in DOMAIN_GROUP_RID_USERS"</A
-></DT
-><DT
-><A
-HREF="#AEN286"
->How do I get my samba server to become a member ( not PDC ) of an NT domain ?</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->6. <A
-HREF="#AEN290"
->Troubleshooting and Bug Reporting</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN292"
->Diagnostic tools</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN294"
->What are some diagnostics tools I can use to debug the domain logon process and where can I
- find them ?</A
-></DT
-><DT
-><A
-HREF="#AEN309"
->How do I install 'Network Monitor' on an NT Workstation
-or a Windows 9x box ?</A
-></DT
-></DL
-></DD
-><DT
-><A
-HREF="#AEN338"
->What other help can I get ?</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN341"
->URLs and similar</A
-></DT
-><DT
-><A
-HREF="#AEN374"
->How do I get help from the mailing lists ?</A
-></DT
-><DT
-><A
-HREF="#AEN403"
->How do I get off the mailing lists ?</A
-></DT
-></DL
-></DD
-></DL
-></DD
-></DL
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN19"
->Chapter 1. Introduction</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN21"
->State of Play</A
-></H1
-><P
->Much of the related code does work. For example, if an NT is removed from the
- domain and then rejoins, the <TT
-CLASS="FILENAME"
->Create a Computer Account in the Domain</TT
-> dialog
- will let you reset the smbpasswd. That is you don't need to do it from
- the unix box. However, at the present, you do need to have root as an
- administrator and use the root username and password.</P
-><P
-><B
-CLASS="COMMAND"
->Policies</B
-> do work on a W2K machine. MS says that recent
- builds of W2K don't observe an NT policy but it appears it does in 'legacy'
- mode.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN27"
->Introduction</A
-></H1
-><P
-> This FAQ was originally compiled by Jerry Carter (gc) chiefly dealing
- with the 'old HEAD' version of Samba and its NTDomain facilities. It is
- being rewritten by David Bannon (drb) so that it addresses more
- accurately the Samba 2.2.x release.
- </P
-><P
-> This document probably still contains some material that does not apply
- to Samba 2.2 but most (all?) of the really misleading stuff has been
- removed. Some issues are not dealt with or are dealt with badly. Please
- send corrections and additions to <A
-HREF="mailto:D.Bannon@latrobe.edu.au"
-TARGET="_top"
->David Bannon</A
->.
- </P
-><P
->Hopefully, as we all become familiar with the Samba 2.2 as a
- PDC this document will become much more useful.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN33"
->Chapter 2. General Information</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN35"
->What can we do ?</A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN37"
->What can Samba 2.2.x Primary Domain Controller (PDC) do ?</A
-></H2
-><P
-> If you wish to have Samba act as a PDC for Windows NT 4.0/2000 client,
- then you will need to obtain the 2.2.0 version. Release of a stable,
- full featured Samba PDC is currently slated for version 3.0.
- </P
-><P
-> The following is a list of included features currently in
- Samba 2.2:
- </P
-><P
-></P
-><UL
-><LI
-><P
->The ability to act as a limited PDC for
- Windows NT and W2000 clients. This includes adding NT and
- W2K machines to the domain and authenticating users logging
- into the domain.</P
-></LI
-><LI
-><P
->Domain account can be viewed using the User
- Manager for Domains</P
-></LI
-><LI
-><P
->Viewing/adding/deleting resources on the Samba
- PDC via the Server Manager for Domains from the NT client.
- </P
-></LI
-><LI
-><P
->Windows 95/98/ME clients will allow user
- level security to be set and browsing of domain accounts.
- </P
-></LI
-><LI
-><P
->Machine account password updates.</P
-></LI
-><LI
-><P
->Changing of user passwords from an NT client.
- </P
-></LI
-><LI
-><P
->Partial support for Windows NT username mapping.
- Group name mapping is slated for a later release.</P
-></LI
-></UL
-><P
-> These things are not expected to work in the foreseeable future:
- </P
-><P
-></P
-><UL
-><LI
-><P
->Trust relationships</P
-></LI
-><LI
-><P
->PDC and BDC integration</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN62"
->Can I have a Windows 2000 client logon to a Samba
-controlled domain?</A
-></H2
-><P
-> The 2.2 release branch of Samba supports Windows 2000 domain
- clients in legacy mode, i.e. as if the PDC is a NTServer, not a
- W2K server.
- </P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN65"
->CVS</A
-></H1
-><P
-> CVS is a program (publicly available) that the Samba developers
- use to maintain the central source code. Non developers can get
- access to the source in a read only capacity. Many flavours of unix
- now arrive with cvs installed.</P
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN68"
->What are the different Samba branches available in CVS ?</A
-></H2
-><P
->You can find out more about obtaining Samba's via anonymous
- CVS from <A
-HREF="http://pserver.samba.org/samba/cvs.html"
-TARGET="_top"
-> http://pserver.samba.org/samba/cvs.html</A
->.
- </P
-><P
-> There are basically four branches to watch at the moment :
- </P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->HEAD</DT
-><DD
-><P
->Samba 3.0 ? This code boasts all the main
- development work in Samba. Due to its developmental
- nature, it's not really suitable for production work.
- </P
-></DD
-><DT
->SAMBA_2_0</DT
-><DD
-><P
->This branch contains the previous stable
- release. At the moment it contains 2.0.8, a version that
- will do some limited PDC stuff. If you are really going to
- do PDC things, you consider 2.2 instead.
- </P
-></DD
-><DT
->SAMBA_2_2</DT
-><DD
-><P
->The 2.2.x release branch which is a subset
- of the features of the HEAD branch. This document addresses
- only SAMBA_2_2.
- </P
-></DD
-><DT
->SAMBA_TNG</DT
-><DD
-><P
->This branch is no longer maintained from the Samba
- sites. Please see <A
-HREF="http://www.samba-tng.org/"
-TARGET="_top"
-> http://www.samba-tng.org/</A
->. It has been requested
- that questions about TNG are not posted to the regular Samba
- mailing lists including samba-ntdom and samba-technical.
- </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN91"
->What are the CVS commands ?</A
-></H2
-><P
-> See <A
-HREF="http://pserver.samba.org/samba/cvs.html"
-TARGET="_top"
-> http://pserver.samba.org/samba/cvs.html</A
-> for instructions
- on obtaining the SAMBA_2_2 or HEAD cvs code.
- </P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN95"
->Chapter 3. Establishing Connections</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN97"
-></A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN99"
->How do I get my NT4 or W2000 Workstation to login to the Samba
-controlled Domain?</A
-></H2
-><P
-> There is a comprehensive Samba PDC <A
-HREF="samba-pdc-howto.html"
-TARGET="_top"
->HOWTO</A
-> accessible from the samba web
- site under 'Documentation'. Read it.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN103"
->What is a 'machine account' ?</A
-></H2
-><P
-> Every NT, W2K or Samba machine that joins a Samba controlled
- domain must be known to the Samba PDC. There are two entries
- required, one in (typically) <TT
-CLASS="FILENAME"
->/etc/passwd</TT
->
- and the other in (typically) <TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
->.
- Under some circumstances these entries are made
- <A
-HREF="#AEN116"
->manually</A
->, the <A
-HREF="samba-pdc-howto.html"
-TARGET="_top"
->HOWTO</A
->
- discusses ways of creating them automatically.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN110"
->"The machine account for this computer either does not
-exist or is not accessible."</A
-></H2
-><P
-> When I try to join the domain I get the message "The machine account
- for this computer either does not exist or is not accessible". Whats
- wrong ?
- </P
-><P
-> This problem is caused by the PDC not having a suitable machine account.
- If you are using the <B
-CLASS="COMMAND"
->add user script =</B
-> method to create
- accounts then this would indicate that it has not worked. Ensure the domain
- admin user system is working.
- </P
-><P
-> Alternatively if you are creating account entries manually then they
- have not been created correctly. Make sure that you have the entry
- correct for the machine account in smbpasswd file on the Samba PDC.
- If you added the account using an editor rather than using the smbpasswd
- utility, make sure that the account name is the machine netbios name
- with a '$' appended to it ( ie. computer_name$ ). There must be an entry
- in both /etc/passwd and the smbpasswd file. Some people have reported
- that inconsistent subnet masks between the Samba server and the NT
- client have caused this problem. Make sure that these are consistent
- for both client and server.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN116"
->How do I create machine accounts manually ?</A
-></H2
-><P
-> This was the only option until recently, now in version 2.2 better
- means are available. You might still need to do it manually for a
- couple of reasons. A machine account consists of two entries (assuming
- a standard install and /etc/passwd use), one in /etc/passwd and the
- other in /usr/local/samba/private/smbpasswd. The /etc/passwd
- entry will list the machine name with a $ appended, won't have a
- passwd, will have a null shell and no home directory. For example
- a machine called 'doppy' would have an /etc/passwd entry like this :</P
-><P
-> <B
-CLASS="COMMAND"
->doppy$:x:505:501:NTMachine:/dev/null:/bin/false</B
->
- </P
-><P
-> On a linux system for example, you would typically add it like
- this :
- </P
-><P
-> <B
-CLASS="COMMAND"
->adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n
- doppy$</B
->
- </P
-><P
-> Then you need to add that entry to smbpasswd, assuming you have a suitable
- path to the <B
-CLASS="COMMAND"
->smbpasswd</B
-> program, do this :
- </P
-><P
-> <B
-CLASS="COMMAND"
->smbpasswd -a -m doppy$</B
->
- </P
-><P
-> The entry will be created with a well known password, so any machine that
- says it's doppy could join the domain as long as it gets in first. So
- don't create the accounts any earlier than you need them.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN129"
->I cannot include a '$' in a machine name.</A
-></H2
-><P
-> A 'machine name' in (typically) <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> consists
- of the machine name with a '$' appended. FreeBSD (and other BSD
- systems ?) won't create a user with a '$' in their name.
- </P
-><P
-> The problem is only in the program used to make the entry, once
- made, it works perfectly. So create a user without the '$' and
- use <B
-CLASS="COMMAND"
->vipw</B
-> to edit the entry, adding the '$'. Or create
- the whole entry with vipw if you like, make sure you use a
- unique uid !</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN135"
->I get told "You already have a connection to the Domain...."
-when creating a machine account.</A
-></H2
-><P
-> This happens if you try to create a machine account from the
- machine itself and use a user name that does not work (for whatever
- reason) and then try another (possibly valid) username.
- Exit out of the network applet to close the initial connection
- and try again.
- </P
-><P
-> Further, if the machine is a already a 'member of a workgroup' that
- is the same name as the domain you are joining (bad idea) you will
- get this message. Change the workgroup name to something else, it
- does not matter what, reboot, and try again.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN139"
->I get told "Cannot join domain, the credentials supplied
-conflict with an existing set.."</A
-></H2
-><P
-> This is the same basic problem as mentioned above, <A
-HREF="#AEN135"
-> "You already have a connection..."</A
->
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN143"
->"The system can not log you on (C000019B)...."</A
-></H2
-><P
->I joined the domain successfully but after upgrading
- to a newer version of the Samba code I get the message, "The system
- can not log you on (C000019B), Please try again or consult your
- system administrator" when attempting to logon.
- </P
-><P
-> This occurs when the domain SID stored in private/WORKGROUP.SID is
- changed. For example, you remove the file and smbd automatically
- creates a new one. Or you are swapping back and forth between
- versions 2.0.7, TNG and the HEAD branch code (not recommended). The
- only way to correct the problem is to restore the original domain
- SID or remove the domain client from the domain and rejoin.
- </P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN147"
->Chapter 4. User Account Management</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN149"
->Domain Admins</A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN151"
->How do I configure an account as a domain administrator?</A
-></H2
-><P
-> See the NTDom <A
-HREF="samba-pdc-howto.html"
-TARGET="_top"
->HowTo</A
->.
- </P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN155"
->Profiles</A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN157"
->Why is it bad to set "logon path = \\%N\%U\profile" in
-smb.conf?</A
-></H2
-><P
-> Sometimes Windows clients will maintain a connection to
- the \\homes\ ( or [%U] ) share even after the user has logged out.
- Consider the following scenario.
- </P
-><P
-></P
-><UL
-><LI
-><P
-> user1 logs into the Windows NT machine.
- Therefore the [homes] share is set to \\server\user1.
- </P
-></LI
-><LI
-><P
-> user1 works for a while and then logs
- out. </P
-></LI
-><LI
-><P
-> user2 logs into the same Windows NT
- machine.</P
-></LI
-></UL
-><P
-> However, since the NT box has maintained a connection to [homes]
- which was previously set to \\server\user1, when the operating system
- attempts to get the profile and if it can read users1's profile, will
- get it otherwise it will return an error. You get the picture.
- </P
-><P
-> A better solution is to use a separate [profiles] share and
- set the "logon path = \\%N\profiles\%U"
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN169"
->Why are all the users listed in the "domain admin users" using the
-same profile?</A
-></H2
-><P
-> You are using a very very old development version of Samba.
- Upgrade.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN172"
->The roaming profiles do not seem to be updating on the
-server.</A
-></H2
-><P
-> There can be several reasons for this.
- </P
-><P
-> Make sure that the time on the client and the PDC are synchronized. You
- can accomplish this by executing a <B
-CLASS="COMMAND"
->net time \\server /set /yes</B
->
- replacing server with the name of your PDC (or another synchronized SMB server).
- See <A
-HREF="#AEN278"
-> about Setting Time</A
->
- </P
-><P
-> Make sure that the "logon path" is writable by the user and make sure
- that the connection to the logon path location is by the current user.
- Sometimes Windows clients do not drop the connection immediately upon
- logoff.
- </P
-><P
-> Some people have reported that the logon path location should
- also be browseable. I (GC) have yet to empirically verify this,
- but you can try.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN180"
->Policies</A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN182"
->What are 'Policies' ?</A
-></H2
-><P
-> When a user logs onto the domain via a client machine, the PDC
- sends the client machine a list of things contained in the
- 'policy' (if it exists). This list may do things like suppress
- a splash screen, format the dates the way you like them or perhaps
- remove locally stored profiles.
- </P
-><P
-> On a samba PDC this list is obtained from a file called
- <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
-> and located in the [netlogon]
- share. The file is created with a policy editor and must be readable
- by anyone and writable by only root. See <A
-HREF="#AEN203"
-> below</A
-> for how to get a suitable editor.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN188"
->I can't get system policies to work.</A
-></H2
-><P
-> There are two possible reasons for system policies not
- functioning correctly. Make sure that you have the following
- parameters set in smb.conf
- </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> [netlogon]
- ....
- locking = no
- public = no
- browseable = yes
- ....
- </PRE
-></P
-><P
-> A policy file must be in the [netlogon] share and must be
- readable by everyone and writable by only root. The file
- must be created by an NTServer <A
-HREF="#AEN203"
->Policy
- Editor</A
->.
- </P
-><P
-> Last time I (drb) looked in the source, it was looking for
- <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
-> first then several other
- combinations of upper and lower case. People have reported
- success using <TT
-CLASS="FILENAME"
->NTconfig.pol</TT
->, <TT
-CLASS="FILENAME"
->NTconfig.POL</TT
->
- and <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
->. These are the case settings that
- I (GC) use with the filename <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
->:
- </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> case sensitive = no
- case preserve = yes
- short preserve case = no
- default case = yes
- </PRE
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN203"
->What about Windows NT Policy Editor ?</A
-></H2
-><P
-> To create or edit <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
-> you must use
- the NT Server Policy Editor, <B
-CLASS="COMMAND"
->poledit.exe</B
-> which
- is included with NT Server but <I
-CLASS="EMPHASIS"
->not NT Workstation</I
->.
- There is a Policy Editor on a NTws
- but it is not suitable for creating <I
-CLASS="EMPHASIS"
->Domain Policies</I
->.
- Further, although the Windows 95
- Policy Editor can be installed on an NT Workstation/Server, it will not
- work with NT policies because of the registry keys that are set by the policy templates.
- However, the files from the NT Server will run happily enough on an NTws.
- You need <TT
-CLASS="FILENAME"
->poledit.exe, common.adm</TT
-> and <TT
-CLASS="FILENAME"
->winnt.adm</TT
->. It is convenient
- to put the two *.adm files in <TT
-CLASS="FILENAME"
->c:\winnt\inf</TT
-> which is where
- the binary will look for them unless told otherwise. Note also that that
- directory is 'hidden'.
- </P
-><P
->The Windows NT policy editor is also included with the
- Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
- <B
-CLASS="COMMAND"
->servicepackname /x</B
->, i.e. that's <B
-CLASS="COMMAND"
->Nt4sp6ai.exe
- /x</B
-> for service pack 6a. The policy editor, <B
-CLASS="COMMAND"
->poledt.exe</B
-> and the
- associated template files (*.adm) should
- be extracted as well. It is also possible to download the policy template
- files for Office97 and get a copy of the policy editor. Another possible
- location is with the Zero Administration Kit available for download from Microsoft.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN217"
->Can Win95 do Policies ?</A
-></H2
-><P
-> Install the group policy handler for Win9x to pick up group
- policies. Look on the Win98 CD in <TT
-CLASS="FILENAME"
->\tools\reskit\netadmin\poledit</TT
->.
- Install group policies on a Win9x client by double-clicking
- <TT
-CLASS="FILENAME"
->grouppol.inf</TT
->. Log off and on again a couple of
- times and see if Win98 picks up group policies. Unfortunately this needs
- to be done on every Win9x machine that uses group policies....
- </P
-><P
-> If group policies don't work one reports suggests getting the updated
- (read: working) grouppol.dll for Windows 9x. The group list is grabbed
- from /etc/group.
- </P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN223"
->Passwords</A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN225"
->What is password sync and should I use it ?</A
-></H2
-><P
-> NTws users can change their domain password by pressing Ctrl-Alt-Del
- and choosing 'Change Password'. By default however, this does not change the unix password
- (typically in <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> or <TT
-CLASS="FILENAME"
->/etc/shadow</TT
->).
- In lots of situations that's OK, for example :
- </P
-><P
-></P
-><UL
-><LI
-><P
->The server is only accessible to the user via
- samba.</P
-></LI
-><LI
-><P
->Pam_smb or similar is installed so other applications
- still refer to the samba password.</P
-></LI
-></UL
-><P
-> But sometimes you really do need to maintain two separate password
- databases and there are good reasons to keep then in sync. Trying
- to explain to users that they need to change their passwords in two
- separate places or use two separate passwords is not fun.
- </P
-><P
-> However do understand that setting up password sync is not without
- problems either. The chief difficulty is the interface between Samba
- and the <B
-CLASS="COMMAND"
->passwd</B
-> command, it can be a fiddle to set
- up and if the password the user has entered fails, the resulting errors
- are ambiguously reported and the user is confused. Further, you need
- to take steps to ensure that users only ever change their passwords
- via samba (or use <B
-CLASS="COMMAND"
->smbpasswd</B
->), otherwise they will
- only be changing the unix password.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN239"
->How do I get remote password (unix and SMB) changing working ?</A
-></H2
-><P
-> Have a practice changing a user's password (as root) to see
- what discussion takes place and change the text in the 'passwd chat'
- line below as necessary. The line as shown works for recent RH Linux
- but most other systems seem to like to do something different. The '*' is
- a wild card and will match anything (or nothing).
- </P
-><P
-> Add these lines to smb.conf under [Global]
- </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->
-
- unix password sync = true
- passwd program = /usr/bin/passwd %u
- passwd chat = *password* %n\n *password* %n\n *successful*
- </PRE
-></P
-><P
-> As mentioned above, the change to the unix password happens as root,
- not as the user, as is indicated in ~/smbd/chgpasswd.c If
- you are using NIS, the Samba server must be running on the NIS
- master machine.
- </P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN246"
->Chapter 5. Miscellaneous</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN248"
-></A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN250"
->What editor can I use in DOS/Windows that won't
-mess with my unix EOF ?</A
-></H2
-><P
->There are a number of Windows or DOS based editors that will
- understand, and leave intact, the unix eof (as opposed to a DOS CR/LF).
- List members suggested :
- </P
-><P
-></P
-><UL
-><LI
-><P
->UltraEdit at <A
-HREF="http://www.ultraedit.com"
-TARGET="_top"
->www.ultraedit.com</A
-></P
-></LI
-><LI
-><P
->VI for windows at <A
-HREF="http://home.snafu.de/ramo/WinViEn.htm"
-TARGET="_top"
-> home.snafu.de/ramo/WinViEn.htm</A
-></P
-></LI
-><LI
-><P
->The author prefers PFE at <A
-HREF="http://www.lancs.ac.uk/people/cpaap/pfe/"
-TARGET="_top"
-> www.lancs.ac.uk/people/cpaap/pfe/</A
-> but it's no longer being developed...</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN263"
->How do I get 'User Manager' and 'Server Manager' ?</A
-></H2
-><P
-> Since I don't need to buy an NT Server CD now, how do I get
- the 'User Manager for Domains', the 'Server Manager' ?
- </P
-><P
-> Microsoft distributes a version of
- these tools called nexus for installation on Windows 95 systems. The
- tool set includes
- </P
-><P
-></P
-><UL
-><LI
-><P
->Server Manager</P
-></LI
-><LI
-><P
->User Manager for Domains</P
-></LI
-><LI
-><P
->Event Viewer</P
-></LI
-></UL
-><P
-> Click here to download the archived file <A
-HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
-TARGET="_top"
->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
->
- </P
-><P
-> The Windows NT 4.0 version of the 'User Manager for
- Domains' and 'Server Manager' are available from Microsoft via ftp
- from <A
-HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
-TARGET="_top"
->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
->
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN278"
->The time setting from a Samba server does not work.</A
-></H2
-><P
->If it works OK when you log on as Domain Admin then the problem is that ordinary users
- don't have permission to change the time. (The system is running with their permission
- at logon time.) This is not a Samba problem, you will have the same problem where ever
- you connect. You can give 'everyone' permission to change the time from the User Manager.
- </P
-><P
->Anyone know what the registry settings are so this could be done with a Policy ?</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN282"
->"trust account xxx should be in DOMAIN_GROUP_RID_USERS"</A
-></H2
-><P
->I keep getting the message "trust account xxx should be in DOMAIN_GROUP_RID_USERS."
- in the logs. What do I need to do?</P
-><P
->You are using one of the old development versions. Upgrade.
- (The message is unimportant, was a reminder to a developer)</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN286"
->How do I get my samba server to become a member ( not PDC ) of an NT domain ?</A
-></H2
-><P
-> Please refer to the <A
-HREF="DOMAIN_MEMBER.html"
-TARGET="_top"
->Domain Member
- HOWTO</A
-> for more information on this.
- </P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN290"
->Chapter 6. Troubleshooting and Bug Reporting</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN292"
->Diagnostic tools</A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN294"
->What are some diagnostics tools I can use to debug the domain logon process and where can I
- find them ?</A
-></H2
-><P
-> One of the best diagnostic tools for debugging problems is Samba itself.
- You can use the -d option for both smbd and nmbd to specify what
- 'debug level' at which to run. See the man pages on smbd, nmbd and
- smb.conf for more information on debugging options. The debug
- level can range from 1 (the default) to 10 (100 for debugging passwords).
- </P
-><P
-> Another helpful method of debugging is to compile samba using the
- <B
-CLASS="COMMAND"
->gcc -g </B
-> flag. This will include debug
- information in the binaries and allow you to attach gdb to the
- running smbd / nmbd process. In order to attach gdb to an smbd
- process for an NT workstation, first get the workstation to make the
- connection. Pressing Ctrl-Alt-Del and going down to the domain box
- is sufficient (at least, on the first time you join the domain) to
- generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
- maintains an open connection, and therefore there will be an smbd
- process running (assuming that you haven't set a really short smbd
- idle timeout) So, in between pressing Ctrl-Alt-Del, and actually
- typing in your password, you can gdb attach and continue.
- </P
-><P
-> Some useful samba commands worth investigating:
- </P
-><P
-></P
-><UL
-><LI
-><P
->testparam | more</P
-></LI
-><LI
-><P
->smbclient -L //{netbios name of server}</P
-></LI
-></UL
-><P
-> An SMB enabled version of tcpdump is available from
- <A
-HREF="http://www.tcpdump.org/"
-TARGET="_top"
->http://www.tcpdump.org/</A
->.
- Ethereal, another good packet sniffer for UNIX and Win32
- hosts, can be downloaded from <A
-HREF="http://www.ethereal.com/"
-TARGET="_top"
->http://www.ethereal.com</A
->.
- </P
-><P
-> For tracing things on Microsoft Windows NT, Network Monitor
- (aka. netmon) is available on the Microsoft Developer Network CD's,
- the Windows NT Server install CD and the SMS CD's. The version of
- netmon that ships with SMS allows for dumping packets between any two
- computers (i.e. placing the network interface in promiscuous mode).
- The version on the NT Server install CD will only allow monitoring
- of network traffic directed to the local NT box and broadcasts on the
- local subnet. Be aware that Ethereal can read and write netmon
- formatted files.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN309"
->How do I install 'Network Monitor' on an NT Workstation
-or a Windows 9x box ?</A
-></H2
-><P
-> Installing netmon on an NT workstation requires a couple
- of steps. The following are for installing Netmon V4.00.349, which comes
- with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
- Workstation 4.0. The process should be similar for other version of
- Windows NT / Netmon. You will need both the Microsoft Windows
- NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
- </P
-><P
-> Initially you will need to install 'Network Monitor Tools and Agent'
- on the NT Server. To do this
- </P
-><P
-></P
-><UL
-><LI
-><P
->Goto Start - Settings - Control Panel -
- Network - Services - Add </P
-></LI
-><LI
-><P
->Select the 'Network Monitor Tools and Agent' and
- click on 'OK'.</P
-></LI
-><LI
-><P
->Click 'OK' on the Network Control Panel.
- </P
-></LI
-><LI
-><P
->Insert the Windows NT Server 4.0 install CD
- when prompted.</P
-></LI
-></UL
-><P
-> At this point the Netmon files should exist in
- <TT
-CLASS="FILENAME"
->%SYSTEMROOT%\System32\netmon\*.*</TT
->.
- Two subdirectories exist as well, <TT
-CLASS="FILENAME"
->parsers\</TT
->
- which contains the necessary DLL's for parsing the netmon packet
- dump, and <TT
-CLASS="FILENAME"
->captures\</TT
->.
- </P
-><P
-> In order to install the Netmon tools on an NT Workstation, you will
- first need to install the 'Network Monitor Agent' from the Workstation
- install CD.
- </P
-><P
-></P
-><UL
-><LI
-><P
->Goto Start - Settings - Control Panel -
- Network - Services - Add</P
-></LI
-><LI
-><P
->Select the 'Network Monitor Agent' and click
- on 'OK'.</P
-></LI
-><LI
-><P
->Click 'OK' on the Network Control Panel.
- </P
-></LI
-><LI
-><P
->Insert the Windows NT Workstation 4.0 install
- CD when prompted.</P
-></LI
-></UL
-><P
-> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
- to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
- permissions as you deem appropriate for your site. You will need
- administrative rights on the NT box to run netmon.
- </P
-><P
-> To install Netmon on a Windows 9x box install the network monitor agent
- from the Windows 9x CD (\admin\nettools\netmon). There is a readme
- file located with the netmon driver files on the CD if you need
- information on how to do this. Copy the files from a working
- Netmon installation.
- </P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN338"
->What other help can I get ?</A
-></H1
-><P
-> There are many sources of information available in the form
- of mailing lists, RFC's and documentation. The docs that come
- with the samba distribution contain very good explanations of
- general SMB topics such as browsing.</P
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN341"
->URLs and similar</A
-></H2
-><P
-></P
-><UL
-><LI
-><P
->Home of Samba site <A
-HREF="http://samba.org"
-TARGET="_top"
-> http://samba.org</A
->. We have a mirror near you !</P
-></LI
-><LI
-><P
-> The <I
-CLASS="EMPHASIS"
->Development</I
-> document
- on the Samba mirrors might mention your problem. If so,
- it might mean that the developers are working on it.</P
-></LI
-><LI
-><P
-> Ignacio Coupeau has a very comprehensive look at LDAP with Samba at
- <A
-HREF="http://www.unav.es/cti/ldap-smb-howto.html"
-TARGET="_top"
-> http://www.unav.es/cti/ldap-smb-howto.html</A
->
- Be a little careful however, I suspect that it does not specifically
- address samba 2.2.x. The HEAD pre-2.1 may possibly be the best
- stream to look at.</P
-></LI
-><LI
-><P
-> Lars Kneschke's site covers <A
-HREF="http://www.samba-tng.org"
-TARGET="_top"
-> Samba-TNG</A
-> at
- <A
-HREF="http://www.kneschke.de/projekte/samba_tng"
-TARGET="_top"
-> http://www.kneschke.de/projekte/samba_tng</A
->, but again, a
- lot of it does not apply to the mainstream Samba.</P
-></LI
-><LI
-><P
->See how Scott Merrill simulates a BDC behaviour at
- <A
-HREF="http://www.skippy.net/linux/smb-howto.html"
-TARGET="_top"
-> http://www.skippy.net/linux/smb-howto.html</A
->. </P
-></LI
-><LI
-><P
->Although 2.0.7 has almost had its day as a PDC, I (drb) will
- keep the 2.0.7 PDC pages at <A
-HREF="http://bioserve.latrobe.edu.au/samba"
-TARGET="_top"
-> http://bioserve.latrobe.edu.au/samba</A
-> going for a while yet.</P
-></LI
-><LI
-><P
->Misc links to CIFS information
- <A
-HREF="http://samba.org/cifs/"
-TARGET="_top"
->http://samba.org/cifs/</A
-></P
-></LI
-><LI
-><P
->NT Domains for Unix <A
-HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
-TARGET="_top"
-> http://mailhost.cb1.com/~lkcl/ntdom/</A
-></P
-></LI
-><LI
-><P
->FTP site for older SMB specs:
- <A
-HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
-TARGET="_top"
-> ftp://ftp.microsoft.com/developr/drg/CIFS/</A
-></P
-></LI
-></UL
-><P
-> You should also refer to the MS archives at
- <A
-HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
-TARGET="_top"
->ftp://ftp.microsoft.com/developr/drg/CIFS/"</A
->
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN374"
->How do I get help from the mailing lists ?</A
-></H2
-><P
-> There are a number of Samba related mailing lists. Go to <A
-HREF="http://samba.org"
-TARGET="_top"
->http://samba.org</A
->, click on your nearest mirror
- and then click on <B
-CLASS="COMMAND"
->Support</B
-> and then click on <B
-CLASS="COMMAND"
-> Samba related mailing lists</B
->.</P
-><P
->For questions relating to Samba TNG go to
- <A
-HREF="http://www.samba-tng.org/"
-TARGET="_top"
->http://www.samba-tng.org/</A
->
- It has been requested that you don't post questions about Samba-TNG to the
- mainstream Samba lists.</P
-><P
-></P
-><P
-><B
->If you post a message to one of the lists please
- observe the following guide lines :</B
-></P
-><UL
-><LI
-><P
-> Always remember that the developers are volunteers, they are
- not paid and they never guarantee to produce a particular feature at
- a particular time. Any time lines are 'best guess' and nothing more.
- </P
-></LI
-><LI
-><P
-> Always mention what version of samba you are using and what
- operating system its running under. You should probably list the
- relevant sections of your smb.conf file, at least the options
- in [global] that affect PDC support.</P
-></LI
-><LI
-><P
->In addition to the version, if you obtained Samba via
- CVS mention the date when you last checked it out.</P
-></LI
-><LI
-><P
-> Try and make your question clear and brief, lots of long,
- convoluted questions get deleted before they are completely read !
- Don't post html encoded messages (if you can select colour or font
- size it's html).</P
-></LI
-><LI
-><P
-> If you run one of those nifty 'I'm on holidays' things when
- you are away, make sure its configured to not answer mailing lists.
- </P
-></LI
-><LI
-><P
-> Don't cross post. Work out which is the best list to post to
- and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
- Many people active on the lists subscribe to more
- than one list and get annoyed to see the same message two or more times.
- Often someone will see a message and thinking it would be better dealt
- with on another, will forward it on for you.</P
-></LI
-><LI
-><P
->You might include <I
-CLASS="EMPHASIS"
->partial</I
->
- log files written at a debug level set to as much as 20.
- Please don't send the entire log but enough to give the context of the
- error messages.</P
-></LI
-><LI
-><P
->(Possibly) If you have a complete netmon trace ( from the opening of
- the pipe to the error ) you can send the *.CAP file as well.</P
-></LI
-><LI
-><P
->Please think carefully before attaching a document to an email.
- Consider pasting the relevant parts into the body of the message. The samba
- mailing lists go to a huge number of people, do they all need a copy of your
- smb.conf in their attach directory ?</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN403"
->How do I get off the mailing lists ?</A
-></H2
-><P
->To have your name removed from a samba mailing list, go to the
- same place you went to to get on it. Go to <A
-HREF="http://lists.samba.org/"
-TARGET="_top"
->http://lists.samba.org</A
->, click
- on your nearest mirror and then click on <B
-CLASS="COMMAND"
->Support</B
-> and
- then click on <B
-CLASS="COMMAND"
-> Samba related mailing lists</B
->. Or perhaps see
- <A
-HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
-TARGET="_top"
->here</A
-></P
-><P
-> Please don't post messages to the list asking to be removed, you will just
- be referred to the above address (unless that process failed in some way...)
- </P
-></DIV
-></DIV
-></DIV
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/docs/htmldocs/samba-pdc-howto.html b/docs/htmldocs/samba-pdc-howto.html
deleted file mode 100644
index a2bca689efb..00000000000
--- a/docs/htmldocs/samba-pdc-howto.html
+++ /dev/null
@@ -1,1558 +0,0 @@
-<HTML
-><HEAD
-><TITLE
->The Samba 2.2 PDC HowTo </TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
-><BODY
-CLASS="BOOK"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="BOOK"
-><A
-NAME="SAMBA-PDC-HOWTO"
-></A
-><DIV
-CLASS="TITLEPAGE"
-><H1
-CLASS="TITLE"
-><A
-NAME="SAMBA-PDC-HOWTO"
->The Samba 2.2 PDC HowTo</A
-></H1
-><H3
-CLASS="AUTHOR"
-><A
-NAME="AEN4"
->David Bannon</A
-></H3
-><DIV
-CLASS="AFFILIATION"
-><SPAN
-CLASS="ORGNAME"
->La Trobe University<BR></SPAN
-></DIV
-><HR></DIV
-><HR><H1
-><A
-NAME="AEN10"
-></A
-></H1
-><P
->Comments, corrections and additions to <TT
-CLASS="EMAIL"
->&#60;<A
-HREF="mailto:dbannon@samba.org"
->dbannon@samba.org</A
->&#62;</TT
-></P
-><P
-> This document explains how to setup Samba as a Primary Domain Controller and
- applies to version 2.2.0.
- Before
- using these functions make sure you understand what the controller can and cannot do.
- Please read the sections below in the Introduction.
- As 2.2.0 is incrementally updated
- this document will change or become out of date very quickly, make sure you are
- reading the most current version.
- </P
-><P
->Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1,
- Samba 2.0.7, TNG nor HEAD branch.</P
-><P
->It does apply to the current (post November 27th) cvs.</P
-><P
-> Also available is an updated version of Jerry Carter's NTDom <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
-> FAQ</A
-> that will answer lots of
- the special 'tuning' questions that are not covered here. Over the next couple of weeks
- some of the items here will be moved to the FAQ.
- </P
-><DIV
-CLASS="TOC"
-><DL
-><DT
-><B
->Table of Contents</B
-></DT
-><DT
->1. <A
-HREF="#AEN20"
->Introduction</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN28"
->What can we do ?</A
-></DT
-><DT
-><A
-HREF="#AEN44"
->What can't we do ?</A
-></DT
-></DL
-></DD
-><DT
->2. <A
-HREF="#AEN55"
->Installing</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN59"
->Start Up Script</A
-></DT
-><DT
-><A
-HREF="#AEN66"
->Config File</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN68"
->A sample conf file</A
-></DT
-><DT
-><A
-HREF="#AEN79"
->PDC Config Parameters</A
-></DT
-></DL
-></DD
-><DT
-><A
-HREF="#AEN115"
->Special directories</A
-></DT
-></DL
-></DD
-><DT
->3. <A
-HREF="#AEN126"
->User and Machine Accounts</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN128"
->Logon Accounts</A
-></DT
-><DT
-><A
-HREF="#MACHINEACCOUNT"
->Machine Accounts</A
-></DT
-><DT
-><A
-HREF="#AEN163"
->Joining the Domain</A
-></DT
-><DT
-><A
-HREF="#AEN211"
->User Accounts</A
-></DT
-><DT
-><A
-HREF="#AEN223"
->Domain Admin Accounts</A
-></DT
-></DL
-></DD
-><DT
->4. <A
-HREF="#AEN231"
->Profiles, Policies and Logon Scripts</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN233"
->Profiles</A
-></DT
-><DT
-><A
-HREF="#AEN240"
->Policies</A
-></DT
-><DT
-><A
-HREF="#AEN251"
->Logon Scripts</A
-></DT
-></DL
-></DD
-><DT
->5. <A
-HREF="#AEN272"
->Passwords and Authentication</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN278"
-></A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN280"
->Syncing Passwords</A
-></DT
-><DT
-><A
-HREF="#AEN286"
->Using PAM</A
-></DT
-><DT
-><A
-HREF="#AEN292"
->Authenticating other Samba Servers</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->6. <A
-HREF="#AEN298"
->Background</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN300"
-></A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="#AEN302"
->History</A
-></DT
-><DT
-><A
-HREF="#AEN310"
->The Future</A
-></DT
-><DT
-><A
-HREF="#AEN322"
->Getting further help</A
-></DT
-></DL
-></DD
-></DL
-></DD
-></DL
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN20"
->Chapter 1. Introduction</A
-></H1
-><P
->This document will show you one way of making Version 2.2.0
-of Samba perform some of the tasks of a
-NT Primary Domain Controller. The facilities described are built into Samba as a result of
-development work done over a number of years by a large number of people. These facilities
-are only just beginning to be officially supported and although they do appear to work reliably,
-if you use them then you take the risks upon your self. This document does not cover the
-developmental versions of Samba, particularly
-<A
-HREF="http://www.samba-tng.org/"
-TARGET="_top"
-><I
-CLASS="CITETITLE"
->Samba-TNG</I
-></A
->
-&#13;</P
-><P
->Note that <A
-HREF="http://bioserve.latrobe.edu.au/samba"
-TARGET="_top"
->Samba 2.0.7</A
->
- supports significently less of the NT Domain facilities compared with 2.2.0
- </P
-><P
-> This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
- John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
- more detail and an insight to the development
- cycle and should be considered 'further reading'.&#13;</P
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN28"
->What can we do ?</A
-></H1
-><P
-></P
-><UL
-><LI
-><P
->Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central
- password database. WRT W2K, please see the section about adding machine
- accounts and the Intro in the <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
->.</P
-></LI
-><LI
-><P
->Grant Administrator privileges to particular domain users on an
- NT or W2K workstation.</P
-></LI
-><LI
-><P
->Apply policies from a domain policy file to NT and W2K (?)
- workstation.</P
-></LI
-><LI
-><P
->Run the appropriate logon script when a user logs on to the domain
- .</P
-></LI
-><LI
-><P
->Maintain a user's local profile on the server.</P
-></LI
-><LI
-><P
->Validate a user using another system via smb (such as smb_pam) and
- soon winbind (?).</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN44"
->What can't we do ?</A
-></H1
-><P
-></P
-><UL
-><LI
-><P
-> Become or work with a Backup Domain Controller (a BDC).</P
-></LI
-><LI
-><P
-> Participate in any sort of trust relationship (with either Samba or NT
- Servers).</P
-></LI
-><LI
-><P
-> Offer a list of domain users to User Manager for Domains
- on the Security Tab etc).</P
-></LI
-><LI
-><P
->Be a W2K type of Domain Controller. Samba PDC will behave like
- an NT PDC, W2K workstations connect in legacy mode.</P
-></LI
-></UL
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN55"
->Chapter 2. Installing</A
-></H1
-><P
->Installing consists of the usual download, configure, make and make
- install process. These steps are well documented elsewhere.
- The <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
-> discusses getting pre-release versions via CVS.
- Then you need to configure the server.</P
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN59"
->Start Up Script</A
-></H1
-><P
->Skip this section if you have a working Samba already.
- Everyone has their own favourite startup script. Here is mine, offered with no warrantee
- at all !</P
-><PRE
-CLASS="PROGRAMLISTING"
->
-
- #!/bin/sh
- # Script to control Samba server, David Bannon, 14-6-96
- #
- #
- PATH=/bin:/usr/sbin:/usr/bin
- export PATH
- case "$1" in
- 'start')
- if [ -f /usr/local/samba/bin/smbd ]
- then
- /usr/local/samba/bin/smbd -D
- /usr/local/samba/bin/nmbd -D
- echo "Starting Samba Server"
- fi
- ;;
- 'conf')
- if [ -f /usr/local/samba/lib/smb.conf ]
- then
- vi /usr/local/samba/lib/smb.conf
- fi
- ;;
- 'pw')
- if [ -f /usr/local/samba/private/smbpasswd ]
- then
- vi /usr/local/samba/private/smbpasswd
- fi
- ;;
- 'who')
- /usr/local/samba/bin/smbstatus -b
- ;;
- 'restart')
- psline=`/bin/ps x | grep smbd | grep -v grep`
-
- if [ "$psline" != "" ]
- then
- while [ "$psline" != "" ]
- do
- psline=`/bin/ps x | fgrep smbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -HUP $pid
- echo "Stopped $pid line = $psline"
- sleep 2
- fi
- done
- fi
- echo "Stopped Samba servers"
- ;;
- 'stop')
- psline=`/bin/ps x | grep smbd | grep -v grep`
-
- if [ "$psline" != "" ]
- then
- while [ "$psline" != "" ]
- do
- psline=`/bin/ps x | fgrep smbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -9 $pid
- echo "Stopped $pid line = $psline"
- sleep 2
- fi
- done
- fi
- echo "Stopped Samba servers"
- psline=`/bin/ps x | grep nmbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -9 $pid
- echo "Stopped Name Server "
- fi
- echo "Stopped Name Servers"
- ;;
- *)
- echo "usage: samba {start | restart |stop | conf | pw | who}"
- ;;
- esac
- </PRE
-><P
-> Use this script, or some other one, you will need to ensure its used while the machine
- is booting. (This typically involves <TT
-CLASS="FILENAME"
->/etc/rc.d</TT
->, we'll be
- assuming that there is a script called
- samba in <TT
-CLASS="FILENAME"
->/etc/rc.d/init.d</TT
-> further down in this document.)</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN66"
->Config File</A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN68"
->A sample conf file</A
-></H2
-><P
->Here is a fairly minimal config file to do PDC. It will also make the server
- become the browse master for the
- specified domain (not necessary but usually desirable). You will need to change only
- two parameters to make this
- file work, <TT
-CLASS="FILENAME"
->wins server</TT
-> and <TT
-CLASS="FILENAME"
->workgroup</TT
->, plus
- you will need to put your own name (not mine!) in the <TT
-CLASS="FILENAME"
->domain admin users</TT
-> fields.
- Some of the parameters are discussed further down this document.</P
-><P
->Assuming you have used the default install directories, this file should appear as
- <TT
-CLASS="FILENAME"
->/usr/local/samba/lib/smb.conf</TT
->. It should not be
- writable by anyone except root.</P
-><DIV
-CLASS="NOTE"
-><BLOCKQUOTE
-CLASS="NOTE"
-><P
-><B
->Note: </B
->The 'add user script' parameter is a work-around, watch for changes !</P
-></BLOCKQUOTE
-></DIV
-><PRE
-CLASS="PROGRAMLISTING"
->
-
- [global]
- security = user
- status = yes
- workgroup = { Your domain name here }
- wins server = { ip of a wins server if you have one }
- encrypt passwords = yes
- domain logons =yes
- logon script = scripts\%U.bat
- domain admin group = @adm
- add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
- guest account = ftp
- share modes=no
- os level=65
- [homes]
- guest ok = no
- read only = no
- create mask = 0700
- directory mask = 0700
- oplocks = false
- locking = no
- [netlogon]
- path = /usr/local/samba/netlogon
- writeable = no
- guest ok = no
- </PRE
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN79"
->PDC Config Parameters</A
-></H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><P
-><B
->There are a huge range of parameters that may appear in a smb.conf file. Some
- that may be of interest to a PDC are :</B
-></P
-><DL
-><DT
->add user script</DT
-><DD
-><P
->This parameter specifies a script (or program) that will be run
- to add a user to the system. Here it is being used to add a machine, not a user.
- This is probably not very nice and may change. But it does work !</P
-><P
->For this example, I have a group called 'machines', entries can be added to
- <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> using a programme called <TT
-CLASS="FILENAME"
->/usr/adduser</TT
-> and
- the other parameters are chosen as suitable for a machine account. Works for
- RH Linux, your system may require changes.</P
-></DD
-><DT
->domain admin group = @adm</DT
-><DD
-><P
->This parameter specifies a unix group whose members will be granted
- admin privileges on a NT workstation when
- logged onto that workstation. See the section called <A
-HREF="#AEN223"
-> Domain Admin</A
-> Accounts.</P
-></DD
-><DT
->domain admin users = user1 users2</DT
-><DD
-><P
->It appears that this parameter does not funtion correctly at present.
- Use the 'domain admin group' instread. This parameter specifies a unix user who will
- be granted admin privileges
- on a NT workstation when
- logged onto that workstation. See the section called <A
-HREF="#AEN223"
-> Domain Admin</A
-> Accounts.</P
-></DD
-><DT
->encrypt passwords = yes</DT
-><DD
-><P
->This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
- turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
- should) you must use encrypted passwords.</P
-></DD
-><DT
->logon script = scripts\%U.bat</DT
-><DD
-><P
->This will make samba look for a logon script named after the user
- (eg joeblow.bat).
- See the section further on called <A
-HREF="#AEN251"
->Logon Scripts</A
-></P
-><DIV
-CLASS="NOTE"
-><BLOCKQUOTE
-CLASS="NOTE"
-><P
-><B
->Note: </B
->Note that the slash is like this '\', not like this '/'.
- NT is happy with both, win95 is not !</P
-></BLOCKQUOTE
-></DIV
-></DD
-><DT
->logon path</DT
-><DD
-><P
->Lets you specify where you would like users profiles kept. The default, that is in the users
- home directory, does encourage a bit of fiddling.</P
-></DD
-></DL
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN115"
->Special directories</A
-></H1
-><P
->You need to create a couple of special files and directories. Its nice
- to have some of the binaries handy too, so I create links to them. Assuming
- you have used the default samba location and have not
- changed the locations mentioned in the sample config file, do the following :</P
-><PRE
-CLASS="PROGRAMLISTING"
->
-
- mkdir /usr/local/samba/netlogon
- mkdir /usr/local/samba/netlogon/scripts
- mkdir /usr/local/samba/private
- touch /usr/local/samba/private/smbpasswd
- chmod go-rwx /usr/local/samba/private/smbpasswd
- cd /usr/local/sbin
- ln -s /usr/local/samba/bin/smbpasswd
- ln -s /usr/local/samba/bin/smbclient
- ln -s /etc/rc.d/init.d/samba</PRE
-><P
->Make sure permissions are appropriate !</P
-><P
->OK, if you have used the scripts above and have a path to where the links are do this to start up
- the Samba Server :</P
-><P
-><B
-CLASS="COMMAND"
->samba start</B
-></P
-><P
->Instead, you might like to reboot the machine to make sure that you
- got the init stuff right. Any way, a quick look in the logs
- <TT
-CLASS="FILENAME"
->/usr/local/samba/var/log.smbd</TT
-> and <TT
-CLASS="FILENAME"
-> /usr/local/samba/var/log/nmbd</TT
->
- will give you an idea of what's happening. Assuming all is well, lets create
- some accounts...</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN126"
->Chapter 3. User and Machine Accounts</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN128"
->Logon Accounts</A
-></H1
-><P
-><I
-CLASS="EMPHASIS"
->This section is very nearly out of date already !</I
-> It
- appears that while you are reading it, Jean Francois Micou is making it
- redundant ! Jean Francois is adding facilities to add users
- (via User Manager) and machines (when joining the domain) and it looks like these facilities will
- make it into the official release of 2.2.</P
-><P
->Every user and NTws (and other samba servers) that will be on the domain
- must have its own passwd entry in both <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> and
- <TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
-> .
- The <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entry is really
- only to reserve a user ID. The NT encrypted password is stored in
- <TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
->.
- (Note that win95/98 machines don't need an account as they don't do
- any security aware things.)</P
-><P
->Samba 2.2 will now create these entries for us. Carefull set up is required
- and there may well be some changes to this system before its released.
- </P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="MACHINEACCOUNT"
->Machine Accounts</A
-></H1
-><DIV
-CLASS="NOTE"
-><BLOCKQUOTE
-CLASS="NOTE"
-><P
-><B
->Note: </B
->There is an entry in the ntdom <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
-> explaining how to create
- machine entries manually.</P
-></BLOCKQUOTE
-></DIV
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><P
-><B
-><I
-CLASS="EMPHASIS"
->At present</I
-> to have the machine accounts created when a machine joins
- the domain a number of conditions must be met :</B
-></P
-><DL
-><DT
->Only root can do it !</DT
-><DD
-><P
->There must be an entry in <TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
->
- for root and root must be mentioned in <TT
-CLASS="FILENAME"
->domain admins</TT
->. This may
- be fixed some time in the future so any 'domain admin' can do it. If you don't
- like having root as a windows logon account, make the machine
- entries manually (both of them).</P
-></DD
-><DT
->Use the <TT
-CLASS="FILENAME"
->add user script</TT
-></DT
-><DD
-><P
->Again, this looks a bit like a 'work around'. Use a suitable
- command line to add a machine account <A
-HREF="#AEN68"
->see above</A
->,
- and pass it %m$, that is %m to get machine name plus the '$'. Now, this
- means you cannot use the <TT
-CLASS="FILENAME"
->add user script</TT
-> to really add users .... </P
-></DD
-><DT
->Only for W2K</DT
-><DD
-><P
->This automatic creation of machine accounts does not work for
- NT4ws at present. Watch this space.</P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN163"
->Joining the Domain</A
-></H1
-><P
->You must have either added the machine account entries manually (NT4 ws)
- or set up the automatic system (W2K), <A
-HREF="#MACHINEACCOUNT"
->see Machine Accounts</A
->
- before proceeding.</P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><B
-CLASS="COMMAND"
->Windows NT</B
-></DT
-><DD
-><P
-></P
-><UL
-><LI
-><P
-> (<I
-CLASS="EMPHASIS"
->this step may not be necessary some time in the near future</I
->).
- On the samba server that is the PDC, add a machine account manually
- as per the instructions in the <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
->
- Then give the command <B
-CLASS="COMMAND"
->smbpasswd -a -m {machine}</B
-> substituting in the
- client machine name.</P
-></LI
-><LI
-><P
-> Logon to the NTws in question as a local admin, go to the
- <B
-CLASS="COMMAND"
->Control Panel, Network IdentificationTag</B
->.</P
-></LI
-><LI
-><P
-> Press the <B
-CLASS="COMMAND"
->Change</B
-> button.</P
-></LI
-><LI
-><P
-> Enter the Domain name (from the 'Workgroup' parameter, smb.conf)
- in the Domain Field.</P
-></LI
-><LI
-><P
-> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'.
- Allow to reboot.</P
-></LI
-></UL
-></DD
-><DT
-><B
-CLASS="COMMAND"
->Windows 2000</B
-></DT
-><DD
-><P
-></P
-><UL
-><LI
-><P
->Logon to the W2k machine as Administrator, go to the Control
- Panel and double click on <B
-CLASS="COMMAND"
->Network and Dialup Connections</B
->.
- </P
-></LI
-><LI
-><P
->Pull down the <B
-CLASS="COMMAND"
->Advanced</B
-> menu and choose
- <B
-CLASS="COMMAND"
->Network Identification</B
->. Press <B
-CLASS="COMMAND"
->Properties
- </B
->. </P
-></LI
-><LI
-><P
->Choose <B
-CLASS="COMMAND"
->Domain</B
-> and enter the domain name. Press 'OK'.</P
-></LI
-><LI
-><P
->Now enter a user name and password for a Domain Admin
- <I
-CLASS="EMPHASIS"
->(Who must be root until a pre-release bug is fixed)</I
-> and press
- 'OK'.</P
-></LI
-><LI
-><P
->Wait for the confirmation, reboot when prompted.</P
-></LI
-></UL
-><P
->To remove a W2K machine from the domain, follow the first two steps then
- choose <B
-CLASS="COMMAND"
->Workgroup</B
->, enter a work group name (or just WORKGROUP) and follow
- the prompts.</P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN211"
->User Accounts</A
-></H1
-><P
-><I
-CLASS="EMPHASIS"
->Again, doing it manually (cos' the auto way is not working pre-release).
- </I
->
- In our simple case every domain user should have an account on the PDC. The
- account may have a null shell if they are not allowed to log on to the unix
- prompt. Again they need an entry in both the <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> and
- <TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
->. Again a password is
- not necessary in <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> but the location
- of the home directory is honoured.
- To make an entry for a user called Joe Blow you would typically do the following :</P
-><P
-><B
-CLASS="COMMAND"
->adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</B
-></P
-><P
-><B
-CLASS="COMMAND"
->smbpasswd -a joeblow</B
-></P
-><P
->And you will prompted to enter a password for Joe. Ideally he will be
- hovering over your shoulder and will, when asked, type in a password of
- his choice. There are a number of scripts and systems to ease the migration of users
- from somewhere to samba. Better start looking !</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN223"
->Domain Admin Accounts</A
-></H1
-><P
->Certain operations demand that the logged on user has Administrator
- privileges, typically installing software and
- doing maintenance tasks. It is very simple to appoint some users as Domain Admins,
- most likely yourself. Make
- sure you trust the appointee !</P
-><P
->Samba 2.2 recognizes particular users as being
- domain admins and tells the NTws when it thinks that it has got one logged on.
- In the smb.conf file we declare
- that the <TT
-CLASS="FILENAME"
->Domain Admin group = @adm</TT
->.
- Any user who is a menber of the unix group 'adm' is treated as a Domain Admin by a NTws when
- logged onto the Domain. They will have full Administrator rights
- including the rights to change permissions on files and run the system
- utilities such as Disk Administrator. Add users to the group by editing <TT
-CLASS="FILENAME"
-> /etc/group/</TT
->. You do not need to use the 'adm' group, choose any one you like.</P
-><P
->Further, and this is very new, they will be allowed to create a
- new machine account when first connecting a new NT or W2K machine to
- the domain. <I
-CLASS="EMPHASIS"
->However, at present, ie pre-release, only a Domain Admin who
- also happens to be root can do so. </I
-></P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN231"
->Chapter 4. Profiles, Policies and Logon Scripts</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN233"
->Profiles</A
-></H1
-><P
->NT Profiles should work if you have followed the setup so far.
- A user's profile contains a whole lot of their personal settings,
- the contents of their desktop, personal 'My Documents' and so on.
- When they log off, all of the profile is copied to their directory
- on the server and is downloaded again when they logon on again, possibly
- on another client machine.</P
-><P
->Sounds great but can be a bit of a bug bear sometimes. Users let
- their profiles get too big and then complain about how long it takes
- to log on each time. This sample setup only supports NT profiles,
- rumor has it that it is also possible to do the same on Win95, my
- users don't know and I'm not telling them.</P
-><DIV
-CLASS="NOTE"
-><BLOCKQUOTE
-CLASS="NOTE"
-><P
-><B
->Note: </B
->There is more info about Profiles (including for W95/98)
- in the <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
->.</P
-></BLOCKQUOTE
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN240"
->Policies</A
-></H1
-><P
->Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
- file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
- Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or
- maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles
- on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
- that comes with NTws.</P
-><DIV
-CLASS="NOTE"
-><BLOCKQUOTE
-CLASS="NOTE"
-><P
-><B
->Note: </B
->See the <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
-> for pointers on how to get a suitable Policy Editor.</P
-></BLOCKQUOTE
-></DIV
-><P
->The Policy Editor (and associated files) will create a
- <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
-> file using the
- parameters Microsoft thought of and parameters you specify by making your own
- template file.</P
-><P
->In our example configuration here, Samba will expect to find
- the <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
-> file in
- <TT
-CLASS="FILENAME"
->/usr/local/samba/netlogon</TT
->. Needless to say (I hope !),
- it is vitally important that ordinary users don't have
- write permission to the Policy files.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN251"
->Logon Scripts</A
-></H1
-><P
->In the sample config file above there is a line
- <TT
-CLASS="FILENAME"
->logon script = scripts\%U.bat</TT
-></P
-><DIV
-CLASS="NOTE"
-><BLOCKQUOTE
-CLASS="NOTE"
-><P
-><B
->Note: </B
->Note that the slash is like this '\' not like this '/'.
- NT is happy with both, win95 is not !</P
-></BLOCKQUOTE
-></DIV
-><P
->This allows you to run a dos batch file every time someone logs on. The batch
- file is located on the server, in the sample install mentioned here,
- its in <TT
-CLASS="FILENAME"
->/usr/local/samba/netlogon/scripts</TT
-> and
- is named after the user with <TT
-CLASS="FILENAME"
->.bat</TT
-> appended, eg Joe
- Blow's script is called <TT
-CLASS="FILENAME"
->/usr/local/samba/netlogon/scripts/joeblow.bat</TT
->.</P
-><DIV
-CLASS="NOTE"
-><BLOCKQUOTE
-CLASS="NOTE"
-><P
-><B
->Note: </B
->There is a suggestion that user names longer than 8 characters may cause
- problems with some systems being unable to run logon scripts. This is confirmed in earlier
- versions when connecting using W95, comments about other combinations ??</P
-></BLOCKQUOTE
-></DIV
-><P
->You could use a line like this <TT
-CLASS="FILENAME"
->logon script = default.bat</TT
-> and samba
- will supply <TT
-CLASS="FILENAME"
->/usr/local/samba/netlogon/default.bat</TT
-> for any client and every
- user. Maybe you could use %m and get a client machine dependant logon script.
- You get the idea...</P
-><P
->Note that the file is a dos batch file not a Unix script. It runs dos commands on the client
- computer with the logon user's permissions. It must be a dos file with each line ending with
- the dos cr/lf not a nice clean newline. Generally,
- its best to create the initial file on a DOS system and copy it across.</P
-><P
->There is lots of very clever uses of the Samba replaceable variables such
- ( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to
- give you control over which script runs when a particular person logs
- on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</P
-><P
->Again, it is vitally important that ordinary users don't have write
- permission to other peoples, or even probably their own, logon script files.</P
-><P
->A typical logon script is reproduced below. Note that it runs separate
- commands for win95 and NT, that's because NT has slightly different behaviour
- when using the <TT
-CLASS="FILENAME"
->net use ..</TT
-> command. Its useful for lots of
- other situations too. I don't know what syntax to use for win98, I don't use it
- here.</P
-><PRE
-CLASS="PROGRAMLISTING"
->
-
- rem Default logon script, create links to this file.
-
- net time \\bioserve /set /yes
- @echo off
- if %OS%.==Windows_NT. goto WinNT
-
- :Win95
- net use k: \\trillion\bio_prog
- net use p: \\bcfile\homes
- goto end
- :WinNT
- net use k: \\trillion\bio_prog /persistent:no
- net use p: \\bcfile\homes /persistent:no
-
- :end
- </PRE
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN272"
->Chapter 5. Passwords and Authentication</A
-></H1
-><P
->So far our configuration assumes that ordinary users don't have unix logon access. A change
- to the <A
-HREF="#AEN211"
-><TT
-CLASS="FILENAME"
->adduser</TT
-></A
-> line above would allow unix logon
- but it would be with passwords that may
- be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
- that they need to change their passwords in two seperate places is not fun.
- Further, even if they cannot do a unix logon there are other processes that
- might require authentication. We have a nice securely encrypted password in
- <TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
->, why not use it ?</P
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN278"
-></A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN280"
->Syncing Passwords</A
-></H2
-><P
->Yes, its possible and seems the easiest way (initially anyway).
- The <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
-> details how to
- do so in the sections <I
-CLASS="EMPHASIS"
->What is password sync and should I use it ?</I
-> and <I
-CLASS="EMPHASIS"
-> How do I get remote password (unix and SMB) changing working ?</I
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN286"
->Using PAM</A
-></H2
-><P
->Pam enabled systems have a much better solution available. The Samba
- PDC server will offer to authenticate domain users to other processes
- (either on this server or on the domain). With a suitable pam stack
- such as <A
-HREF="http://www.csn.ul.ie/~airlied/pam_smb/"
-TARGET="_top"
-> Pam_smb</A
->
- you can get any pam aware application looking to the samba password and
- can leave the password field in <TT
-CLASS="FILENAME"
->/etc/shadow</TT
->
- or <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> invalid.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN292"
->Authenticating other Samba Servers</A
-></H2
-><P
->In a domain that has a number of servers you only need one password database.
- The machines that don't have their own ask the PDC to check for them.
- This will work fine for a domain controlled by either a Samba or NT machine.</P
-><P
->To do so the Samba machine must be told to refer to the PDC and where the PDC is.
- See the section in the NTDom <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
-> called <I
-CLASS="EMPHASIS"
->How do I get my samba server to
- become a member ( not PDC ) of an NT domain?</I
-></P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="AEN298"
->Chapter 6. Background</A
-></H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN300"
-></A
-></H1
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN302"
->History</A
-></H2
-><P
->It might help you understand the limitations of the PDC in Samba if you
- read something of its history. Well, the history as I understand it anyway.</P
-><P
->For many years the Samba team have been developing Samba, some time ago
- a number of people, possibly lead by Luke Leighton started contributing NT
- PDC stuff. This was added to the 'head' stream (that would eventually
- become the next version) and later to a seperate stream (NTDom). They did so
- much that eventually this development stream was so mutated that it could not
- be merged back into the main stream and was abandoned towards the end of 1999.
- And that was very sad because many users, myself include had become heavily
- dependant on the NTController facilities it offered. Oh well...</P
-><P
->The NTDom team continued on with their new found knowledge however and
- built the TNG stream. Intended to be carefully controlled so that it can be
- merged back into the main stream and benefiting from what they learnt, it is
- a very different product to the origional NTDom product. However, for a
- number of reasons, the merge did not take place and now TNG is being developed
- at <A
-HREF="http://www.samba-tng.org"
-TARGET="_top"
->http://www.samba-tng.org</A
->.</P
-><P
->Now, the NTDom things that the main strean 2.0.x version does is based more
- on the old (initial version) abandoned code than on the TNG ideas. It appears
- that version 2.2.0 will also include an improved version of the 2.0.7 domain
- controller charactistics, not the TNG ways. The developers have indicated
- that 2.2.0 will be further developed incrementally and the ideas from TNG
- incorporated into it.</P
-><P
->One more little wriggle is worth mentioning. At one stage the NTDom
- stream was called Samba 2.1.0-prealpha and similar names. This is most
- unfortunate because at least one book published advises people who want to
- use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon
- be called 2.2.0 and NOT officially supporting NTDom Controlling functions,
- the potential for confusion is certainly there.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN310"
->The Future</A
-></H2
-><P
->There is a document on the Samba mirrors called <I
-CLASS="EMPHASIS"
->'Development'
- </I
->. It offers the 'best guess' of what is planned for future releases
- of Samba.</P
-><P
->The future of Samba as a Primary Domain Controller appears rosie, however
- be aware that its the future, not the present. The developers are strongly committed
- to building a full featured PDC into Samba but it will take time. If this
- version does not meet your requirements then you should consider (in no particular
- order) :</P
-><P
-></P
-><UL
-><LI
-><P
-> Wait. No, we don't know how long. Repeated asking won't help.</P
-></LI
-><LI
-><P
->Investigate the development versions, TNG perhaps or HEAD where new code is being added
- all the time. Realise that development code is often unstable, poorly documented and subject to change.
- You will need to use cvs to download development versions.</P
-></LI
-><LI
-><P
->Join one of the Samba mailing lists so that you can find out
- what is happening on the 'bleeding edge'.</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H2
-CLASS="SECT2"
-><A
-NAME="AEN322"
->Getting further help</A
-></H2
-><P
->This document cannot possibly answer all your questions. Please understand that its very
- likely that someone has been confrounted by the same problem that you have. The
- <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
->
- discusses a number of possible paths to take to get further help :</P
-><P
-></P
-><UL
-><LI
-><P
->Documents on the Samba Sites.</P
-></LI
-><LI
-><P
->Other web sites.</P
-></LI
-><LI
-><P
->Mailing list.</P
-></LI
-></UL
-><P
->There is some discussion about guide lines for using the Mailing Lists on the
- accompanying <A
-HREF="samba-pdc-faq.html"
-TARGET="_top"
->FAQ</A
->,
- please read them before posting.</P
-></DIV
-></DIV
-></DIV
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html
index 7f1a44c835c..aaf38a0cb2b 100644
--- a/docs/htmldocs/smb.conf.5.html
+++ b/docs/htmldocs/smb.conf.5.html
@@ -232,7 +232,7 @@ NAME="AEN50"
><P
>parameters in this section apply to the server
as a whole, or are defaults for sections which do not
- specifically define certain items. See the notes
+ specifically define certain items. See the notes
under PARAMETERS for more information.</P
></DIV
><DIV
@@ -293,7 +293,7 @@ CLASS="USERINPUT"
><P
>A similar process occurs if the requested section
name is "homes", except that the share name is not
- changed to that of the requesting user. This method of using
+ changed to that of the requesting user. This method of using
the [homes] section works well if different users share
a client PC.</P
><P
@@ -360,7 +360,7 @@ NAME="AEN79"
>When a connection request is made, the existing sections
are scanned. If a match is found, it is used. If no match is found,
but a [homes] section exists, it is used as described
- above. Otherwise, the requested section name is treated as a
+ above. Otherwise, the requested section name is treated as a
printer name and the appropriate printcap file is scanned to see
if the requested section name is a valid printer share name. If
a match is found, a new printer share is created by cloning
@@ -493,7 +493,7 @@ NAME="AEN102"
the default behavior for all services.</P
><P
>parameters are arranged here in alphabetical order - this may
- not create best bedfellows, but at least you can find them! Where
+ not create best bedfellows, but at least you can find them! Where
there are synonyms, the preferred synonym is described, others refer
to the preferred synonym.</P
></DIV
@@ -638,8 +638,8 @@ CLASS="VARIABLELIST"
><P
>the architecture of the remote
machine. Only some are recognized, and those may not be
- 100% reliable. It currently recognizes Samba, WfWg,
- WinNT and Win95. Anything else will be known as
+ 100% reliable. It currently recognizes Samba, WfWg, Win95,
+ WinNT and Win2k. Anything else will be known as
"UNKNOWN". If it gets it wrong then sending a level
3 log to <A
HREF="mailto:samba@samba.org"
@@ -2745,6 +2745,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#UNIXEXTENSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>unix extensions</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#UNIXPASSWORDSYNC"
><TT
CLASS="PARAMETER"
@@ -2999,7 +3011,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN970"
+NAME="AEN974"
></A
><H2
>COMPLETE LIST OF SERVICE PARAMETERS</H2
@@ -3168,6 +3180,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#DEFAULTDEVMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>default devmode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#DELETEREADONLY"
><TT
CLASS="PARAMETER"
@@ -4430,7 +4454,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN1446"
+NAME="AEN1454"
></A
><H2
>EXPLANATION OF EACH PARAMETER</H2
@@ -6582,16 +6606,67 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="DEFAULTDEVMODE"
+></A
+>default devmode (S)</DT
+><DD
+><P
+>This parameter is only applicable to <A
+HREF="#PRINTOK"
+>printable</A
+> services. When smbd is serving
+ Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
+ server has a Device Mode which defines things such as paper size and
+ orientation and duplex settings. The device mode can only correctly be
+ generated by the printer driver itself (which can only be executed on a
+ Win32 platform). Because smbd is unable to execute the driver code
+ to generate the device mode, the default behavior is to set this field
+ to NULL.
+ </P
+><P
+>Most problems with serving printer drivers to Windows NT/2k/XP clients
+ can be traced to a problem with the generated device mode. Certain drivers
+ will do things such as crashing the client's Explorer.exe with a NULL devmode.
+ However, other printer drivers can cause the client's spooler service
+ (spoolsv.exe) to die if the devmode was not created by the driver itself
+ (i.e. smbd generates a default devmode).
+ </P
+><P
+>This parameter should be used with care and tested with the printer
+ driver in question. It is better to leave the device mode to NULL
+ and let the Windows client set the correct values. Because drivers do not
+ do this all the time, setting <B
+CLASS="COMMAND"
+>default devmode = yes</B
+>
+ will instruct smbd to generate a default one.
+ </P
+><P
+>For more information on Windows NT/2k printing and Device Modes,
+ see the <A
+HREF="http://msdn.microsoft.com/"
+TARGET="_top"
+>MSDN documentation</A
+>.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>default devmode = no</B
+></P
+></DD
+><DT
+><A
NAME="DEFAULTSERVICE"
></A
>default service (G)</DT
><DD
><P
->This parameter specifies the name of a service
- which will be connected to if the service actually requested cannot
+>This parameter specifies the name of a service
+ which will be connected to if the service actually requested cannot
be found. Note that the square brackets are <EM
>NOT</EM
->
+>
given in the parameter value (see example below).</P
><P
>There is no default value for this parameter. If this
@@ -7632,11 +7707,11 @@ CLASS="PARAMETER"
> it is in. Samba 2.2 also
has limited capability to act as a domain controller for Windows
NT 4 Domains. For more details on setting up this feature see
- the file DOMAINS.txt in the Samba documentation directory <TT
+ the Samba-PDC-HOWTO included in the <TT
CLASS="FILENAME"
->docs/
- </TT
-> shipped with the source code.</P
+>htmldocs/</TT
+>
+ directory shipped with the source code.</P
><P
>Default: <B
CLASS="COMMAND"
@@ -8187,22 +8262,6 @@ CLASS="PARAMETER"
>
parameter is applied.</P
><P
->Note that by default this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- this mask on access control lists also, they need to set the <A
-HREF="#RESTRICTACLWITHMASK"
-><TT
-CLASS="PARAMETER"
-><I
->restrict acl with
- mask</I
-></TT
-></A
-> to <TT
-CLASS="CONSTANT"
->true</TT
->.</P
-><P
>See also the parameter <A
HREF="#CREATEMASK"
><TT
@@ -8262,22 +8321,6 @@ CLASS="PARAMETER"
> is
applied.</P
><P
->Note that by default this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- this mask on access control lists also, they need to set the <A
-HREF="#RESTRICTACLWITHMASK"
-><TT
-CLASS="PARAMETER"
-><I
->restrict acl with
- mask</I
-></TT
-></A
-> to <TT
-CLASS="CONSTANT"
->true</TT
->.</P
-><P
>See also the parameter <A
HREF="#DIRECTORYMASK"
><TT
@@ -9810,12 +9853,18 @@ CLASS="PARAMETER"
></TT
></A
>.
- The default is to use the stand LDAP port 389.
+ The default is to use the stand LDAPS port 636.
+ </P
+><P
+>See Also: <A
+HREF="#LDAPSSL"
+>ldap ssl</A
+>
</P
><P
>Default : <B
CLASS="COMMAND"
->ldap port = 389</B
+>ldap port = 636</B
></P
></DD
><DT
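Review bot: The rewritten default sentence in the ldap port entry keeps the pre-existing typo `stand`; it should read `The default is to use the standard LDAPS port 636.`. The new default only makes sense together with the `ldap ssl = on` default introduced further down, and the entry does not say so; one sentence noting that an administrator who sets `ldap ssl` to `off` or `start_tls` presumably also needs `ldap port = 389` would prevent an obvious misconfiguration, once that behaviour is confirmed against the code. As this is generated HTML, the fix presumably belongs in the DocBook source.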
@@ -9897,30 +9946,30 @@ CLASS="PARAMETER"
>ldap ssl</I
></TT
> can be set to one of three values:
- (a) <B
-CLASS="COMMAND"
->on</B
+ (a) <TT
+CLASS="CONSTANT"
+>on</TT
> - Always use SSL when contacting the
<TT
CLASS="PARAMETER"
><I
>ldap server</I
></TT
->, (b) <B
-CLASS="COMMAND"
->off</B
+>, (b) <TT
+CLASS="CONSTANT"
+>off</TT
> -
- Never use SSL when querying the directory, or (c) <B
-CLASS="COMMAND"
->start
- tls</B
-> - Use the LDAPv3 StartTLS extended operation
+ Never use SSL when querying the directory, or (c) <TT
+CLASS="CONSTANT"
+>start_tls</TT
+>
+ - Use the LDAPv3 StartTLS extended operation
(RFC2830) for communicating with the directory server.
</P
><P
>Default : <B
CLASS="COMMAND"
->ldap ssl = off</B
+>ldap ssl = on</B
></P
></DD
><DT
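Review bot: The ldap ssl entry now defaults to `on` but still does not say whether the directory server's certificate is verified for `on` or `start_tls`, nor whether smbd falls back to a cleartext connection when TLS is unavailable; an administrator judging whether the new default actually protects the credentials sent to the directory needs both facts. The behaviour is not visible in this commit, so confirm it against the code before adding a sentence after the three value descriptions. The rename of the third value to `start_tls` in the new text is a config-file-visible change worth mentioning in the commit message if it reflects the parser.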
@@ -12334,7 +12383,7 @@ CLASS="COMMAND"
> --with-msdfs</B
> option. If set to <TT
CLASS="CONSTANT"
->yes&#62;</TT
+>yes</TT
>,
Samba treats the share as a Dfs root and allows clients to browse
the distributed file system tree rooted at the share directory.
@@ -12414,7 +12463,7 @@ CLASS="FILENAME"
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
>
- file). Note that this method is only used if the NetBIOS name
+ file. Note that this method is only used if the NetBIOS name
type being queried is the 0x20 (server) name type, otherwise
it is ignored.</P
></LI
@@ -13203,7 +13252,7 @@ CLASS="PARAMETER"
></TT
></A
> parameter is set to true, the chat pairs
- may be matched in any order, and sucess is determined by the PAM result,
+ may be matched in any order, and success is determined by the PAM result,
not any particular output. The \n macro is ignored for PAM conversions.
</P
><P
@@ -14098,8 +14147,14 @@ CLASS="PARAMETER"
</I
></TT
> will be replaced by the appropriate printer name. The
- spool file name is generated automatically by the server, the printer
- name is discussed below.</P
+ spool file name is generated automatically by the server. The
+ <TT
+CLASS="PARAMETER"
+><I
+>%J</I
+></TT
+> macro can be used to access the job
+ name as transmitted by the client.</P
><P
>The print command <EM
>MUST</EM
@@ -14189,7 +14244,7 @@ CLASS="COMMAND"
><P
>For <B
CLASS="COMMAND"
->printing = SYS or HPUX :</B
+>printing = SYSV or HPUX :</B
></P
><P
><B
@@ -14672,7 +14727,7 @@ CLASS="PARAMETER"
> if specified in the
[global] section.</P
><P
->Currently eight printing styles are supported. They are
+>Currently nine printing styles are supported. They are
<TT
CLASS="CONSTANT"
>BSD</TT
@@ -15151,108 +15206,6 @@ CLASS="COMMAND"
></DD
><DT
><A
-NAME="RESTRICTACLWITHMASK"
-></A
->restrict acl with mask (S)</DT
-><DD
-><P
->This is a boolean parameter. If set to <TT
-CLASS="CONSTANT"
->false</TT
-> (default), then
- creation of files with access control lists (ACLS) and modification of ACLs
- using the Windows NT/2000 ACL editor will be applied directly to the file
- or directory.</P
-><P
->If set to <TT
-CLASS="CONSTANT"
->true</TT
->, then all requests to set an ACL on a file will have the
- parameters <A
-HREF="#CREATEMASK"
-><TT
-CLASS="PARAMETER"
-><I
->create mask</I
-></TT
-></A
->,
- <A
-HREF="#FORCECREATEMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force create mode</I
-></TT
-></A
->
- applied before setting the ACL, and all requests to set an ACL on a directory will
- have the parameters <A
-HREF="#DIRECTORYMASK"
-><TT
-CLASS="PARAMETER"
-><I
->directory
- mask</I
-></TT
-></A
->, <A
-HREF="#FORCEDIRECTORYMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force
- directory mode</I
-></TT
-></A
-> applied before setting the ACL.
- </P
-><P
->See also <A
-HREF="#CREATEMASK"
-><TT
-CLASS="PARAMETER"
-><I
->create mask</I
-></TT
-></A
->,
- <A
-HREF="#FORCECREATEMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force create mode</I
-></TT
-></A
->,
- <A
-HREF="#DIRECTORYMASK"
-><TT
-CLASS="PARAMETER"
-><I
->directory mask</I
-></TT
-></A
->,
- <A
-HREF="#FORCEDIRECTORYMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force directory mode</I
-></TT
-></A
->
- </P
-><P
->Default: <B
-CLASS="COMMAND"
->restrict acl with mask = no</B
-></P
-></DD
-><DT
-><A
NAME="RESTRICTANONYMOUS"
></A
>restrict anonymous (G)</DT
@@ -15554,7 +15507,7 @@ CLASS="COMMAND"
</B
>.</P
><P
->In versions of Samba prior to 2..0, the default was
+>In versions of Samba prior to 2.0.0, the default was
<B
CLASS="COMMAND"
>security = share</B
@@ -17712,6 +17665,25 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="UNIXEXTENSIONS"
+></A
+>unix extensions(G)</DT
+><DD
+><P
+>This boolean parameter controls whether Samba
+ implments the CIFS UNIX extensions, as defined by HP. These
+ extensions enable CIFS to server UNIX clients to UNIX servers
+ better, and allow such things as symbolic links, hard links etc.
+ These extensions require a similarly enabled client, and are of
+ no current use to Windows clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>unix extensions = no</B
+></P
+></DD
+><DT
+><A
NAME="UNIXPASSWORDSYNC"
></A
>unix password sync (G)</DT
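Review bot: The new unix extensions entry has several wording defects: the title `>unix extensions(G)</DT` lacks the space before `(G)` that every other entry uses, `implments` should be `implements`, and `enable CIFS to server UNIX clients to UNIX servers` should read `enable CIFS to serve UNIX clients from UNIX servers`. Because enabling the extensions lets clients create symbolic and hard links on the share, the entry would also benefit from the restriction stated in the smbclient page of this same commit — that the server will not create a link to a path outside the connected share — so administrators can weigh the exposure before turning it on. The edits presumably belong in the DocBook source rather than this generated file.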
@@ -18585,15 +18557,14 @@ WIDTH="90%"
><TD
><PRE
CLASS="PROGRAMLISTING"
-> ; Veto any files containing the word Security,
- ; any ending in .tmp, and any directory containing the
- ; word root.
- veto files = /*Security*/*.tmp/*root*/
+>; Veto any files containing the word Security,
+; any ending in .tmp, and any directory containing the
+; word root.
+veto files = /*Security*/*.tmp/*root*/
- ; Veto the Apple specific files that a NetAtalk server
- ; creates.
- veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
- </PRE
+; Veto the Apple specific files that a NetAtalk server
+; creates.
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/</PRE
></TD
></TR
></TABLE
@@ -19316,7 +19287,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN6086"
+NAME="AEN6082"
></A
><H2
>WARNINGS</H2
@@ -19346,7 +19317,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN6092"
+NAME="AEN6088"
></A
><H2
>VERSION</H2
@@ -19357,7 +19328,7 @@ NAME="AEN6092"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN6095"
+NAME="AEN6091"
></A
><H2
>SEE ALSO</H2
@@ -19436,7 +19407,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN6115"
+NAME="AEN6111"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbclient.1.html b/docs/htmldocs/smbclient.1.html
index 16fc134405a..96448bc6b1a 100644
--- a/docs/htmldocs/smbclient.1.html
+++ b/docs/htmldocs/smbclient.1.html
@@ -556,7 +556,7 @@ CLASS="ENVAR"
to read the password. </P
><P
>A third option is to use a credentials file which
- contains the plaintext of the username and password. This
+ contains the plaintext of the domain name, username and password. This
option is mainly provided for scripts where the admin doesn't
wish to pass the credentials on the command line or via environment
variables. If this method is used, make certain that the permissions
@@ -589,7 +589,7 @@ CLASS="COMMAND"
><DD
><P
>This option allows
- you to specify a file from which to read the username and
+ you to specify a file from which to read the username, domain name, and
password used in the connection. The format of the file is
</P
><P
@@ -603,13 +603,15 @@ WIDTH="90%"
CLASS="PROGRAMLISTING"
>username = &#60;value&#62;
password = &#60;value&#62;
+domain = &#60;value&#62;
</PRE
></TD
></TR
></TABLE
></P
><P
->Make certain that the permissions on the file restrict
+>If the domain parameter is missing the current workgroup name
+ is used instead. Make certain that the permissions on the file restrict
access from unwanted users. </P
></DD
><DT
@@ -1049,6 +1051,42 @@ CLASS="REPLACEABLE"
</P
></DD
><DT
+>altname file</DT
+><DD
+><P
+>The client will request that the server return
+ the "alternate" name (the 8.3 name) for a file or directory.
+ </P
+></DD
+><DT
+>cancel jobid0 [jobid1] ... [jobidN]</DT
+><DD
+><P
+>The client will request that the server cancel
+ the printjobs identified by the given numeric print job ids.
+ </P
+></DD
+><DT
+>chmod file mode in octal</DT
+><DD
+><P
+>This command depends on the server supporting the CIFS
+ UNIX extensions and will fail if the server does not. The client requests that the server
+ change the UNIX permissions to the given octal mode, in standard UNIX format.
+ </P
+></DD
+><DT
+>chown file uid gid</DT
+><DD
+><P
+>This command depends on the server supporting the CIFS
+ UNIX extensions and will fail if the server does not. The client requests that the server
+ change the UNIX user and group ownership to the given decimal values. Note there is
+ currently no way to remotely look up the UNIX uid and gid values for a given name.
+ This may be addressed in future versions of the CIFS UNIX extensions.
+ </P
+></DD
+><DT
>cd [directory name]</DT
><DD
><P
@@ -1137,6 +1175,16 @@ CLASS="REPLACEABLE"
</P
></DD
><DT
+>link source destination</DT
+><DD
+><P
+>This command depends on the server supporting the CIFS
+ UNIX extensions and will fail if the server does not. The client requests that the server
+ create a hard link between the source and destination files. The source file
+ must not exist.
+ </P
+></DD
+><DT
>lowercase</DT
><DD
><P
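Review bot: In the new link entry, `The source file must not exist.` reads backwards for a hard link, whose source normally already exists and whose destination must not; if `source`/`destination` follow that convention the sentence should be `The destination file must not exist.`, and the identical sentence in the symlink hunk further down needs the same check. That symlink hunk also calls the result a `symbolic hard link`, which contradicts itself; `create a symbolic link from the source to the destination` is what the command name implies. Its statement that the server refuses links to paths outside the connected share is the part with security value and should stay prominent.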
@@ -1350,6 +1398,31 @@ CLASS="REPLACEABLE"
privileges permitting) from the server. </P
></DD
><DT
+>setmode &#60;filename&#62; &#60;perm=[+|\-]rsha&#62;</DT
+><DD
+><P
+>A version of the DOS attrib command to set
+ file permissions. For example: </P
+><P
+><B
+CLASS="COMMAND"
+>setmode myfile +r </B
+></P
+><P
+>would make myfile read only. </P
+></DD
+><DT
+>symlink source destination</DT
+><DD
+><P
+>This command depends on the server supporting the CIFS
+ UNIX extensions and will fail if the server does not. The client requests that the server
+ create a symbolic hard link between the source and destination files. The source file
+ must not exist. Note that the server will not create a link to any path that lies
+ outside the currently connected share. This is enforced by the Samba server.
+ </P
+></DD
+><DT
>tar &#60;c|x&#62;[IXbgNa]</DT
><DD
><P
@@ -1389,27 +1462,13 @@ CLASS="REPLACEABLE"
tar will reset the archive bit on all files it backs up (implies
read/write share). </P
></DD
-><DT
->setmode &#60;filename&#62; &#60;perm=[+|\-]rsha&#62;</DT
-><DD
-><P
->A version of the DOS attrib command to set
- file permissions. For example: </P
-><P
-><B
-CLASS="COMMAND"
->setmode myfile +r </B
-></P
-><P
->would make myfile read only. </P
-></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN477"
+NAME="AEN501"
></A
><H2
>NOTES</H2
@@ -1430,7 +1489,7 @@ NAME="AEN477"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN482"
+NAME="AEN506"
></A
><H2
>ENVIRONMENT VARIABLES</H2
@@ -1463,7 +1522,7 @@ CLASS="ENVAR"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN490"
+NAME="AEN514"
></A
><H2
>INSTALLATION</H2
@@ -1501,7 +1560,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN500"
+NAME="AEN524"
></A
><H2
>DIAGNOSTICS</H2
@@ -1517,7 +1576,7 @@ NAME="AEN500"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN504"
+NAME="AEN528"
></A
><H2
>VERSION</H2
@@ -1528,7 +1587,7 @@ NAME="AEN504"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN507"
+NAME="AEN531"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbcontrol.1.html b/docs/htmldocs/smbcontrol.1.html
index 1f3b020c87b..c824a7cd093 100644
--- a/docs/htmldocs/smbcontrol.1.html
+++ b/docs/htmldocs/smbcontrol.1.html
@@ -140,6 +140,10 @@ CLASS="FILENAME"
><P
>One of: <TT
CLASS="CONSTANT"
+>close-share</TT
+>,
+ <TT
+CLASS="CONSTANT"
>debug</TT
>,
<TT
@@ -166,6 +170,20 @@ CLASS="CONSTANT"
><P
>The <TT
CLASS="CONSTANT"
+>close-share</TT
+> message-type sends a
+ message to smbd which will then close the client connections to
+ the named share. Note that this doesn't affect client connections
+ to any other shares. This message-type takes an argument of the
+ share name for which client connections will be close, or the
+ "*" character which will close all currently open shares.
+ This message can only be sent to <TT
+CLASS="CONSTANT"
+>smbd</TT
+>.</P
+><P
+>The <TT
+CLASS="CONSTANT"
>debug</TT
> message-type allows
the debug level to be set to the value specified by the
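Review bot: The new close-share paragraph says `share name for which client connections will be close`; it should read `will be closed`. The following clause, `which will close all currently open shares`, would be clearer as `which will close the client connections to all currently open shares`, matching the wording used two sentences earlier.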
@@ -252,7 +270,7 @@ CLASS="CONSTANT"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN78"
+NAME="AEN82"
></A
><H2
>VERSION</H2
@@ -263,7 +281,7 @@ NAME="AEN78"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN81"
+NAME="AEN85"
></A
><H2
>SEE ALSO</H2
@@ -289,7 +307,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN88"
+NAME="AEN92"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbd.8.html b/docs/htmldocs/smbd.8.html
index be82ef6d4ec..2a7d6d59f8d 100644
--- a/docs/htmldocs/smbd.8.html
+++ b/docs/htmldocs/smbd.8.html
@@ -36,12 +36,12 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>smbd</B
-> [-D] [-a] [-o] [-P] [-h] [-V] [-d &#60;debug level&#62;] [-l &#60;log file&#62;] [-p &#60;port number&#62;] [-O &#60;socket option&#62;] [-s &#60;configuration file&#62;]</P
+> [-D] [-a] [-i] [-o] [-P] [-h] [-V] [-d &#60;debug level&#62;] [-l &#60;log directory&#62;] [-p &#60;port number&#62;] [-O &#60;socket option&#62;] [-s &#60;configuration file&#62;]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN22"
+NAME="AEN23"
></A
><H2
>DESCRIPTION</H2
@@ -84,7 +84,7 @@ CLASS="FILENAME"
>smb.conf(5)</TT
></A
>
- manpage should be regarded as mandatory reading before
+ manpage should be regarded as mandatory reading before
proceeding with installation.</P
><P
>A session is created whenever a client requests one.
@@ -106,7 +106,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN36"
+NAME="AEN37"
></A
><H2
>OPTIONS</H2
@@ -144,6 +144,17 @@ CLASS="COMMAND"
This is the default.</P
></DD
><DT
+>-i</DT
+><DD
+><P
+>If this parameter is specified it causes the
+ server to run "interactively", not as a daemon, even if the
+ server is executed on the command line of a shell. Setting this
+ parameter negates the implicit deamon mode when run from the
+ command line.
+ </P
+></DD
+><DT
>-o</DT
><DD
><P
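Review bot: `deamon` in the new -i paragraph should be `daemon`. The two clauses `even if the server is executed on the command line of a shell` and `negates the implicit daemon mode when run from the command line` say the same thing twice; a single sentence such as `If specified, the server runs in the foreground rather than as a daemon, overriding the daemon mode otherwise implied when smbd is started from a shell.` would be clearer.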
@@ -203,7 +214,7 @@ CLASS="REPLACEABLE"
logged to the log files about the activities of the
server. At level 0, only critical errors and serious
warnings will be logged. Level 1 is a reasonable level for
- day to day running - it generates a small amount of
+ day to day running - it generates a small amount of
information about operations carried out.</P
><P
>Levels above 1 will generate considerable
@@ -228,17 +239,19 @@ CLASS="FILENAME"
> file.</P
></DD
><DT
->-l &#60;log file&#62;</DT
+>-l &#60;log directory&#62;</DT
><DD
><P
->If specified, <TT
+>If specified,
+ <TT
CLASS="REPLACEABLE"
><I
->log file</I
+>log directory</I
></TT
>
- specifies a log filename into which informational and debug
- messages from the running server will be logged. The log
+ specifies a log directory into which the "log.smbd" log
+ file will be created for informational and debug
+ messages from the running server. The log
file generated is never removed by the server although
its size may be controlled by the <A
HREF="smb.conf.5.html#maxlogsize"
@@ -252,8 +265,11 @@ TARGET="_top"
CLASS="FILENAME"
> smb.conf(5)</TT
></A
-> file. The default log
- file name is specified at compile time.</P
+> file.
+ </P
+><P
+>The default log directory is specified at
+ compile time.</P
></DD
><DT
>-O &#60;socket options&#62;</DT
@@ -283,14 +299,14 @@ CLASS="REPLACEABLE"
><I
>port number</I
></TT
-> is a positive integer
+> is a positive integer
value. The default value if this parameter is not
specified is 139.</P
><P
>This number is the port number that will be
used when making connections to the server from client
software. The standard (well-known) port number for the
- SMB over TCP is 139, hence the default. If you wish to
+ SMB over TCP is 139, hence the default. If you wish to
run the server as an ordinary user rather than
as root, most systems will require you to use a port
number greater than 1024 - ask your system administrator
@@ -322,7 +338,7 @@ CLASS="FILENAME"
> smb.conf(5)</TT
></A
> for more information.
- The default configuration file name is determined at
+ The default configuration file name is determined at
compile time.</P
></DD
></DL
@@ -331,7 +347,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN109"
+NAME="AEN115"
></A
><H2
>FILES</H2
@@ -347,13 +363,18 @@ CLASS="FILENAME"
></DT
><DD
><P
->If the server is to be run by the
+>If the server is to be run by the
<B
CLASS="COMMAND"
>inetd</B
> meta-daemon, this file
must contain suitable startup information for the
- meta-daemon. See the section INSTALLATION below.
+ meta-daemon. See the <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+>
+ document for details.
</P
></DD
><DT
@@ -363,13 +384,17 @@ CLASS="FILENAME"
></DT
><DD
><P
->or whatever initialization script your
+>or whatever initialization script your
system uses).</P
><P
->If running the server as a daemon at startup,
- this file will need to contain an appropriate startup
- sequence for the server. See the section INSTALLATION
- below.</P
+>If running the server as a daemon at startup,
+ this file will need to contain an appropriate startup
+ sequence for the server. See the <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+>
+ document for details.</P
></DD
><DT
><TT
@@ -378,14 +403,19 @@ CLASS="FILENAME"
></DT
><DD
><P
->If running the server via the
+>If running the server via the
meta-daemon <B
CLASS="COMMAND"
>inetd</B
->, this file
- must contain a mapping of service name (e.g., netbios-ssn)
- to service port (e.g., 139) and protocol type (e.g., tcp).
- See the section INSTALLATION below.</P
+>, this file
+ must contain a mapping of service name (e.g., netbios-ssn)
+ to service port (e.g., 139) and protocol type (e.g., tcp).
+ See the <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+>
+ document for details.</P
></DD
><DT
><TT
@@ -394,7 +424,7 @@ CLASS="FILENAME"
></DT
><DD
><P
->This is the default location of the
+>This is the default location of the
<A
HREF="smb.conf.5.html"
TARGET="_top"
@@ -403,17 +433,17 @@ CLASS="FILENAME"
>smb.conf</TT
></A
>
- server configuration file. Other common places that systems
+ server configuration file. Other common places that systems
install this file are <TT
CLASS="FILENAME"
>/usr/samba/lib/smb.conf</TT
->
+>
and <TT
CLASS="FILENAME"
>/etc/smb.conf</TT
>.</P
><P
->This file describes all the services the server
+>This file describes all the services the server
is to make available to clients. See <A
HREF="smb.conf.5.html"
TARGET="_top"
@@ -429,7 +459,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN142"
+NAME="AEN151"
></A
><H2
>LIMITATIONS</H2
@@ -437,10 +467,10 @@ NAME="AEN142"
>On some systems <B
CLASS="COMMAND"
>smbd</B
-> cannot change uid back
- to root after a setuid() call. Such systems are called
- trapdoor uid systems. If you have such a system,
- you will be unable to connect from a client (such as a PC) as
+> cannot change uid back
+ to root after a setuid() call. Such systems are called
+ trapdoor uid systems. If you have such a system,
+ you will be unable to connect from a client (such as a PC) as
two different users at once. Attempts to connect the
second user will result in access denied or
similar.</P
@@ -448,10 +478,10 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN146"
+NAME="AEN155"
></A
><H2
->ENVIRONMENTVARIABLES</H2
+>ENVIRONMENT VARIABLES</H2
><P
></P
><DIV
@@ -479,328 +509,15 @@ CLASS="CONSTANT"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN155"
-></A
-><H2
->INSTALLATION</H2
-><P
->The location of the server and its support files
- is a matter for individual system administrators. The following
- are thus suggestions only.</P
-><P
->It is recommended that the server software be installed
- under the <TT
-CLASS="FILENAME"
->/usr/local/samba/</TT
-> hierarchy,
- in a directory readable by all, writeable only by root. The server
- program itself should be executable by all, as users may wish to
- run the server themselves (in which case it will of course run
- with their privileges). The server should NOT be setuid. On some
- systems it may be worthwhile to make <B
-CLASS="COMMAND"
->smbd</B
-> setgid to an empty group.
- This is because some systems may have a security hole where daemon
- processes that become a user can be attached to with a debugger.
- Making the <B
-CLASS="COMMAND"
->smbd</B
-> file setgid to an empty group may prevent
- this hole from being exploited. This security hole and the suggested
- fix has only been confirmed on old versions (pre-kernel 2.0) of Linux
- at the time this was written. It is possible that this hole only
- exists in Linux, as testing on other systems has thus far shown them
- to be immune.</P
-><P
->The server log files should be put in a directory readable and
- writeable only by root, as the log files may contain sensitive
- information.</P
-><P
->The configuration file should be placed in a directory
- readable and writeable only by root, as the configuration file
- controls security for the services offered by the server. The
- configuration file can be made readable by all if desired, but
- this is not necessary for correct operation of the server and is
- not recommended. A sample configuration file <TT
-CLASS="FILENAME"
->smb.conf.sample
- </TT
-> is supplied with the source to the server - this may
- be renamed to <TT
-CLASS="FILENAME"
->smb.conf</TT
-> and modified to suit
- your needs.</P
-><P
->The remaining notes will assume the following:</P
-><P
-></P
-><UL
-><LI
-><P
-><B
-CLASS="COMMAND"
->smbd</B
-> (the server program)
- installed in <TT
-CLASS="FILENAME"
->/usr/local/samba/bin</TT
-></P
-></LI
-><LI
-><P
-><TT
-CLASS="FILENAME"
->smb.conf</TT
-> (the configuration
- file) installed in <TT
-CLASS="FILENAME"
->/usr/local/samba/lib</TT
-></P
-></LI
-><LI
-><P
->log files stored in <TT
-CLASS="FILENAME"
->/var/adm/smblogs
- </TT
-></P
-></LI
-></UL
-><P
->The server may be run either as a daemon by users
- or at startup, or it may be run from a meta-daemon such as
- <B
-CLASS="COMMAND"
->inetd</B
-> upon request. If run as a daemon,
- the server will always be ready, so starting sessions will be
- faster. If run from a meta-daemon some memory will be saved and
- utilities such as the tcpd TCP-wrapper may be used for extra
- security. For serious use as file server it is recommended
- that <B
-CLASS="COMMAND"
->smbd</B
-> be run as a daemon.</P
-><P
->When you've decided, continue with either</P
-><P
-></P
-><UL
-><LI
-><P
->RUNNING THE SERVER AS A DAEMON or</P
-></LI
-><LI
-><P
->RUNNING THE SERVER ON REQUEST.</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN188"
-></A
-><H2
->RUNNING THE SERVER AS A DAEMON</H2
-><P
->To run the server as a daemon from the command
- line, simply put the <EM
->-D</EM
-> option on the
- command line. There is no need to place an ampersand at
- the end of the command line - the <EM
->-D</EM
->
- option causes the server to detach itself from the tty
- anyway.</P
-><P
->Any user can run the server as a daemon (execute
- permissions permitting, of course). This is useful for
- testing purposes, and may even be useful as a temporary
- substitute for something like ftp. When run this way, however,
- the server will only have the privileges of the user who ran
- it.</P
-><P
->To ensure that the server is run as a daemon whenever
- the machine is started, and to ensure that it runs as root
- so that it can serve multiple clients, you will need to modify
- the system startup files. Wherever appropriate (for example, in
- <TT
-CLASS="FILENAME"
->/etc/rc</TT
->), insert the following line,
- substituting port number, log file location, configuration file
- location and debug level as desired:</P
-><P
-><B
-CLASS="COMMAND"
->/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log
- -s /usr/local/samba/lib/smb.conf</B
-></P
-><P
->(The above should appear in your initialization script
- as a single line. Depending on your terminal characteristics,
- it may not appear that way in this man page. If the above appears
- as more than one line, please treat any newlines or indentation
- as a single space or TAB character.)</P
-><P
->If the options used at compile time are appropriate for
- your system, all parameters except <EM
->-D</EM
-> may
- be omitted. See the section OPTIONS above.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN201"
-></A
-><H2
->RUNNING THE SERVER ON REQUEST</H2
-><P
->If your system uses a meta-daemon such as <B
-CLASS="COMMAND"
->inetd
- </B
->, you can arrange to have the <B
-CLASS="COMMAND"
->smbd</B
-> server started
- whenever a process attempts to connect to it. This requires several
- changes to the startup files on the host machine. If you are
- experimenting as an ordinary user rather than as root, you will
- need the assistance of your system administrator to modify the
- system files.</P
-><P
->You will probably want to set up the NetBIOS name server
- <A
-HREF="nmbd.8.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->nmbd</B
-></A
-> at
- the same time as <B
-CLASS="COMMAND"
->smbd</B
->. To do this refer to the
- man page for <A
-HREF="nmbd.8.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->nmbd(8)</B
->
- </A
->.</P
-><P
->First, ensure that a port is configured in the file
- <TT
-CLASS="FILENAME"
->/etc/services</TT
->. The well-known port 139
- should be used if possible, though any port may be used.</P
-><P
->Ensure that a line similar to the following is in
- <TT
-CLASS="FILENAME"
->/etc/services</TT
->:</P
-><P
-><B
-CLASS="COMMAND"
->netbios-ssn 139/tcp</B
-></P
-><P
->Note for NIS/YP users - you may need to rebuild the
- NIS service maps rather than alter your local <TT
-CLASS="FILENAME"
->/etc/services
- </TT
-> file.</P
-><P
->Next, put a suitable line in the file <TT
-CLASS="FILENAME"
->/etc/inetd.conf
- </TT
-> (in the unlikely event that you are using a meta-daemon
- other than inetd, you are on your own). Note that the first item
- in this line matches the service name in <TT
-CLASS="FILENAME"
->/etc/services
- </TT
->. Substitute appropriate values for your system
- in this line (see <B
-CLASS="COMMAND"
->inetd(8)</B
->):</P
-><P
-><B
-CLASS="COMMAND"
->netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd
- -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf</B
-></P
-><P
->(The above should appear in <TT
-CLASS="FILENAME"
->/etc/inetd.conf</TT
->
- as a single line. Depending on your terminal characteristics, it may
- not appear that way in this man page. If the above appears as more
- than one line, please treat any newlines or indentation as a single
- space or TAB character.)</P
-><P
->Note that there is no need to specify a port number here,
- even if you are using a non-standard port number.</P
-><P
->Lastly, edit the configuration file to provide suitable
- services. To start with, the following two services should be
- all you need:</P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="100%"
-><TR
-><TD
-><PRE
-CLASS="SCREEN"
-> <TT
-CLASS="COMPUTEROUTPUT"
-> [homes]
- writeable = yes
-
- [printers]
- writeable = no
- printable = yes
- path = /tmp
- public = yes
- </TT
->
- </PRE
-></TD
-></TR
-></TABLE
-><P
->This will allow you to connect to your home directory
- and print to any printer supported by the host (user privileges
- permitting).</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN233"
+NAME="AEN164"
></A
><H2
>PAM INTERACTION</H2
><P
->Samba uses PAM for authentication (when presented with a plaintext
+>Samba uses PAM for authentication (when presented with a plaintext
password), for account checking (is this account disabled?) and for
session management. The degree too which samba supports PAM is restricted
- by the limitations of the SMB protocol and the
+ by the limitations of the SMB protocol and the
<A
HREF="smb.conf.5.html#OBEYPAMRESRICTIONS"
TARGET="_top"
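Review bot: Dropping the INSTALLATION section also drops the only security guidance in this man page — that smbd should NOT be setuid, and that the log files and the configuration file should live in directories readable and writeable only by root, because logs may contain sensitive information and smb.conf controls access to every service. The FILES hunks earlier in this file now point readers at UNIX_INSTALL.html, but nothing in this commit shows that document carrying those points; please confirm it does, or keep a short paragraph, for example under the new `-l <log directory>` option: `The log directory should be readable and writeable only by root, as the log files may contain sensitive information.` The pre-2.0-kernel setgid workaround removed here can reasonably go.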
@@ -826,7 +543,7 @@ TARGET="_top"
><EM
>Session Management</EM
>: When not using share
- level secuirty, users must pass PAM's session checks before access
+ level secuirty, users must pass PAM's session checks before access
is granted. Note however, that this is bypassed in share level secuirty.
Note also that some older pam configuration files may need a line
added for session support.
@@ -837,99 +554,41 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN244"
-></A
-><H2
->TESTING THE INSTALLATION</H2
-><P
->If running the server as a daemon, execute it before
- proceeding. If using a meta-daemon, either restart the system
- or kill and restart the meta-daemon. Some versions of
- <B
-CLASS="COMMAND"
->inetd</B
-> will reread their configuration
- tables if they receive a HUP signal.</P
-><P
->If your machine's name is <TT
-CLASS="REPLACEABLE"
-><I
->fred</I
-></TT
-> and your
- name is <TT
-CLASS="REPLACEABLE"
-><I
->mary</I
-></TT
->, you should now be able to connect
- to the service <TT
-CLASS="FILENAME"
->\\fred\mary</TT
->.
- </P
-><P
->To properly test and experiment with the server, we
- recommend using the <B
-CLASS="COMMAND"
->smbclient</B
-> program (see
- <A
-HREF="smbclient.1.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->smbclient(1)</B
-></A
->)
- and also going through the steps outlined in the file
- <TT
-CLASS="FILENAME"
->DIAGNOSIS.txt</TT
-> in the <TT
-CLASS="FILENAME"
->docs/</TT
->
- directory of your Samba installation.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN258"
+NAME="AEN175"
></A
><H2
>VERSION</H2
><P
->This man page is correct for version 2.2 of
+>This man page is correct for version 2.2 of
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN261"
+NAME="AEN178"
></A
><H2
>DIAGNOSTICS</H2
><P
->Most diagnostics issued by the server are logged
- in a specified log file. The log file name is specified
+>Most diagnostics issued by the server are logged
+ in a specified log file. The log file name is specified
at compile time, but may be overridden on the command line.</P
><P
->The number and nature of diagnostics available depends
- on the debug level used by the server. If you have problems, set
+>The number and nature of diagnostics available depends
+ on the debug level used by the server. If you have problems, set
the debug level to 3 and peruse the log files.</P
><P
->Most messages are reasonably self-explanatory. Unfortunately,
- at the time this man page was created, there are too many diagnostics
- available in the source code to warrant describing each and every
- diagnostic. At this stage your best bet is still to grep the
- source code and inspect the conditions that gave rise to the
+>Most messages are reasonably self-explanatory. Unfortunately,
+ at the time this man page was created, there are too many diagnostics
+ available in the source code to warrant describing each and every
+ diagnostic. At this stage your best bet is still to grep the
+ source code and inspect the conditions that gave rise to the
diagnostics you are seeing.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN266"
+NAME="AEN183"
></A
><H2
>SIGNALS</H2
@@ -937,29 +596,29 @@ NAME="AEN266"
>Sending the <B
CLASS="COMMAND"
>smbd</B
-> a SIGHUP will cause it to
+> a SIGHUP will cause it to
reload its <TT
CLASS="FILENAME"
>smb.conf</TT
-> configuration
+> configuration
file within a short period of time.</P
><P
>To shut down a user's <B
CLASS="COMMAND"
>smbd</B
-> process it is recommended
+> process it is recommended
that <B
CLASS="COMMAND"
>SIGKILL (-9)</B
> <EM
>NOT</EM
->
+>
be used, except as a last resort, as this may leave the shared
- memory area in an inconsistent state. The safe way to terminate
+ memory area in an inconsistent state. The safe way to terminate
an <B
CLASS="COMMAND"
>smbd</B
-> is to send it a SIGTERM (-15) signal and wait for
+> is to send it a SIGTERM (-15) signal and wait for
it to die on its own.</P
><P
>The debug log level of <B
@@ -975,7 +634,7 @@ CLASS="COMMAND"
</B
></A
> program (SIGUSR[1|2] signals are no longer used in
- Samba 2.2). This is to allow transient problems to be diagnosed,
+ Samba 2.2). This is to allow transient problems to be diagnosed,
whilst still running at a normally low log level.</P
><P
>Note that as the signal handlers send a debug write,
@@ -994,7 +653,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN283"
+NAME="AEN200"
></A
><H2
>SEE ALSO</H2
@@ -1060,7 +719,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN300"
+NAME="AEN217"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbrun.1.html b/docs/htmldocs/smbrun.1.html
deleted file mode 100644
index 95de5bebdf5..00000000000
--- a/docs/htmldocs/smbrun.1.html
+++ /dev/null
@@ -1,215 +0,0 @@
-<HTML
-><HEAD
-><TITLE
->smbrun</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="FINDSMB"
->smbrun</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN5"
-></A
-><H2
->Name</H2
->smbrun&nbsp;--&nbsp;interface program between smbd and external
- programs</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->smbrun</B
-> {&lt;shell command&gt;}</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN12"
-></A
-><H2
->DESCRIPTION</H2
-><P
->This tool is part of the <A
-HREF="samba.7.html"
-TARGET="_top"
-> Samba</A
-> suite.</P
-><P
-><B
-CLASS="COMMAND"
->smbrun</B
-> is a very small 'glue' program,
- which runs shell commands for the <A
-HREF="smbd.8.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
-> smbd(8)</B
-></A
-> daemon.</P
-><P
->It first changes to the highest effective user and group
- ID that it can, then runs the command line provided using the
- system() call. This program is necessary to allow some operating
- systems to run external programs as non-root.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN21"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->shell command</DT
-><DD
-><P
->The shell command to execute. The
- command should have a fully-qualified path.</P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN28"
-></A
-><H2
->ENVIRONMENT VARIABLES</H2
-><P
->The <TT
-CLASS="PARAMETER"
-><I
->PATH</I
-></TT
-> variable set for the
- environment in which <B
-CLASS="COMMAND"
->smbrun</B
-> is executed will affect
- what executables are located and executed if a fully-qualified path
- is not given in the command.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN33"
-></A
-><H2
->DIAGNOSTICS</H2
-><P
->If <B
-CLASS="COMMAND"
->smbrun</B
-> cannot be located or cannot
- be executed by <A
-HREF="smbd.8.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->smbd(8)</B
->
- </A
->, then appropriate messages will be found in the <B
-CLASS="COMMAND"
-> smbd</B
-> logs. Other diagnostics are dependent on the shell-command
- being run. It is advisable for your shell commands to issue suitable
- diagnostics to aid trouble-shooting.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN40"
-></A
-><H2
->VERSION</H2
-><P
->This man page is correct for version 2.2 of
- the Samba suite.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN43"
-></A
-><H2
->SEE ALSO</H2
-><P
-><A
-HREF="nmbd.8.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->nmbd(8)</B
-></A
->,
- <A
-HREF="smbclient.1.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->smbclient(1)
- </B
-></A
->, and <A
-HREF="nmblookup.1.html"
-TARGET="_top"
-> <B
-CLASS="COMMAND"
->nmblookup(1)</B
-></A
->
- </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN52"
-></A
-><H2
->AUTHOR</H2
-><P
->The original Samba software and related utilities
- were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
- to the way the Linux kernel is developed.</P
-><P
->The original Samba man pages were written by Karl Auer.
- The man page sources were converted to YODL format (another
- excellent piece of Open Source software, available at
- <A
-HREF="ftp://ftp.icce.rug.nl/pub/unix/"
-TARGET="_top"
-> ftp://ftp.icce.rug.nl/pub/unix/</A
->) and updated for the Samba 2.0
- release by Jeremy Allison. The conversion to DocBook for
- Samba 2.2 was done by Gerald Carter</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/docs/htmldocs/smbsh.1.html b/docs/htmldocs/smbsh.1.html
index 66081bbe22c..ba2cc7b4928 100644
--- a/docs/htmldocs/smbsh.1.html
+++ b/docs/htmldocs/smbsh.1.html
@@ -37,12 +37,12 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>smbsh</B
-> </P
+> [-W workgroup] [-U username] [-P prefix] [-R &#60;name resolve order&#62;] [-d &#60;debug level&#62;] [-l logfile] [-L libdir]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN11"
+NAME="AEN18"
></A
><H2
>DESCRIPTION</H2
@@ -72,6 +72,223 @@ CLASS="COMMAND"
>smbsh</B
>
to work correctly.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN28"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-W WORKGROUP</DT
+><DD
+><P
+>Override the default workgroup specified in the
+ workgroup parameter of the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file
+ for this session. This may be needed to connect to some
+ servers. </P
+></DD
+><DT
+>-U username[%pass]</DT
+><DD
+><P
+>Sets the SMB username or username and password.
+ If this option is not specified, the user will be prompted for
+ both the username and the password. If %pass is not specified,
+ the user will be prompted for the password.
+ </P
+></DD
+><DT
+>-P prefix</DT
+><DD
+><P
+>This option allows
+ the user to set the directory prefix for SMB access. The
+ default value if this option is not specified is
+ <EM
+>smb</EM
+>.
+ </P
+></DD
+><DT
+>-R &#60;name resolve order&#62;</DT
+><DD
+><P
+>This option is used to determine what naming
+ services and in what order to resolve
+ host names to IP addresses. The option takes a space-separated
+ string of different name resolution options.</P
+><P
+>The options are :"lmhosts", "host", "wins" and "bcast".
+ They cause names to be resolved as follows :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>lmhosts</TT
+> :
+ Lookup an IP address in the Samba lmhosts file. If the
+ line in lmhosts has no name type attached to the
+ NetBIOS name
+ (see the <A
+HREF="lmhosts.5.html"
+TARGET="_top"
+>lmhosts(5)</A
+>
+ for details) then any name type matches for lookup.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>host</TT
+> :
+ Do a standard host name to IP address resolution, using
+ the system <TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+>, NIS, or DNS
+ lookups. This method of name resolution is operating
+ system dependent, for instance on IRIX or Solaris this
+ may be controlled by the <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf
+ </TT
+> file). Note that this method is only used
+ if the NetBIOS name type being queried is the 0x20
+ (server) name type, otherwise it is ignored.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>wins</TT
+> :
+ Query a name with the IP address listed in the
+ <TT
+CLASS="PARAMETER"
+><I
+>wins server</I
+></TT
+> parameter. If no
+ WINS server has been specified this method will be
+ ignored.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>bcast</TT
+> :
+ Do a broadcast on each of the known local interfaces
+ listed in the <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+>
+ parameter. This is the least reliable of the name
+ resolution methods as it depends on the target host
+ being on a locally connected subnet.
+ </P
+></LI
+></UL
+><P
+>If this parameter is not set then the name resolve order
+ defined in the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file parameter
+ (name resolve order) will be used. </P
+><P
+>The default order is lmhosts, host, wins, bcast. Without
+ this parameter or any entry in the <TT
+CLASS="PARAMETER"
+><I
+>name resolve order
+ </I
+></TT
+> parameter of the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>
+ file, the name resolution methods will be attempted in this
+ order. </P
+></DD
+><DT
+>-d &#60;debug level&#62;</DT
+><DD
+><P
+>debug level is an integer from 0 to 10.</P
+><P
+>The default value if this parameter is not specified
+ is zero.</P
+><P
+>The higher this value, the more detail will be logged
+ about the activities of <B
+CLASS="COMMAND"
+>nmblookup</B
+>. At level
+ 0, only critical errors and serious warnings will be logged.
+ </P
+></DD
+><DT
+>-l logfilename</DT
+><DD
+><P
+>If specified causes all debug messages to be
+ written to the file specified by <TT
+CLASS="REPLACEABLE"
+><I
+>logfilename
+ </I
+></TT
+>. If not specified then all messages will be
+ written to<TT
+CLASS="REPLACEABLE"
+><I
+>stderr</I
+></TT
+>.
+ </P
+></DD
+><DT
+>-L libdir</DT
+><DD
+><P
+>This parameter specifies the location of the
+ shared libraries used by <B
+CLASS="COMMAND"
+>smbsh</B
+>. The default
+ value is specified at compile time.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN91"
+></A
+><H2
+>EXAMPLES</H2
><P
>To use the <B
CLASS="COMMAND"
@@ -158,7 +375,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN40"
+NAME="AEN112"
></A
><H2
>VERSION</H2
@@ -169,7 +386,7 @@ NAME="AEN40"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN43"
+NAME="AEN115"
></A
><H2
>BUGS</H2
@@ -202,7 +419,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN52"
+NAME="AEN124"
></A
><H2
>SEE ALSO</H2
@@ -225,7 +442,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN58"
+NAME="AEN130"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/wbinfo.1.html b/docs/htmldocs/wbinfo.1.html
index badeb6961e6..fe218a8f676 100644
--- a/docs/htmldocs/wbinfo.1.html
+++ b/docs/htmldocs/wbinfo.1.html
@@ -36,12 +36,12 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>wbinfo</B
-> [-u] [-g] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m]</P
+> [-u] [-g] [-h name] [-i ip] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m] [-r user] [-a user%password] [-A user%password]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN21"
+NAME="AEN26"
></A
><H2
>DESCRIPTION</H2
@@ -78,7 +78,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN32"
+NAME="AEN37"
></A
><H2
>OPTIONS</H2
@@ -122,6 +122,52 @@ CLASS="COMMAND"
>. </P
></DD
><DT
+>-h name</DT
+><DD
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>-h</I
+></TT
+> option
+ queries <B
+CLASS="COMMAND"
+>winbindd(8)</B
+> to query the WINS
+ server for the IP address associated with the NetBIOS name
+ specified by the <TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> parameter.
+ </P
+></DD
+><DT
+>-i ip</DT
+><DD
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>-i</I
+></TT
+> option
+ queries <B
+CLASS="COMMAND"
+>winbindd(8)</B
+> to send a node status
+ request to get the NetBIOS name associated with the IP address
+ specified by the <TT
+CLASS="PARAMETER"
+><I
+>ip</I
+></TT
+> parameter.
+ </P
+></DD
+><DT
>-n name</DT
><DD
><P
@@ -227,13 +273,41 @@ CLASS="COMMAND"
NT domain the server is a Primary Domain Controller for.
</P
></DD
+><DT
+>-r username</DT
+><DD
+><P
+>Try to obtain the list of UNIX group ids
+ to which the user belongs. This only works for users
+ defined on a Domain Controller.
+ </P
+></DD
+><DT
+>-a username%password</DT
+><DD
+><P
+>Attempt to authenticate a user via winbindd.
+ This checks both authenticaion methods and reports its results.
+ </P
+></DD
+><DT
+>-A username%password</DT
+><DD
+><P
+>Store username and password used by winbindd
+ during session setup to a domain controller. This enables
+ winbindd to operate in a Windows 2000 domain with Restrict
+ Anonymous turned on (a.k.a. Permissions compatiable with
+ Windows 2000 servers only).
+ </P
+></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN88"
+NAME="AEN119"
></A
><H2
>EXIT STATUS</H2
@@ -252,7 +326,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN93"
+NAME="AEN124"
></A
><H2
>VERSION</H2
@@ -263,7 +337,7 @@ NAME="AEN93"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN96"
+NAME="AEN127"
></A
><H2
>SEE ALSO</H2
@@ -281,7 +355,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN101"
+NAME="AEN132"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html
index addf74935c1..5148b4bc85f 100644
--- a/docs/htmldocs/winbind.html
+++ b/docs/htmldocs/winbind.html
@@ -473,12 +473,22 @@ NAME="AEN89"
></H2
><P
>If you have a samba configuration file that you are currently
-using... BACK IT UP! If your system already uses PAM, BACK UP
-THE <TT
+using... <I
+CLASS="EMPHASIS"
+>BACK IT UP!</I
+> If your system already uses PAM,
+<I
+CLASS="EMPHASIS"
+>back up the <TT
CLASS="FILENAME"
>/etc/pam.d</TT
-> directory contents! If you
-haven't already made a boot disk, MAKE ON NOW!</P
+> directory
+contents!</I
+> If you haven't already made a boot disk,
+<I
+CLASS="EMPHASIS"
+>MAKE ONE NOW!</I
+></P
><P
>Messing with the pam configuration files can make it nearly impossible
to log in to yourmachine. That's why you want to be able to boot back
@@ -489,10 +499,15 @@ CLASS="FILENAME"
> back to the original state they were in if
you get frustrated with the way things are going. ;-)</P
><P
->The newest version of SAMBA (version 2.2.2), available from
-cvs.samba.org, now include a functioning winbindd daemon. Please refer
-to the main SAMBA web page or, better yet, your closest SAMBA mirror
-site for instructions on downloading the source code.</P
+>The latest version of SAMBA (version 2.2.2 as of this writing), now
+includes a functioning winbindd daemon. Please refer to the
+<A
+HREF="http://samba.org/"
+TARGET="_top"
+>main SAMBA web page</A
+> or,
+better yet, your closest SAMBA mirror site for instructions on
+downloading the source code.</P
><P
>To allow Domain users the ability to access SAMBA shares and
files, as well as potentially other services provided by your
@@ -500,15 +515,21 @@ SAMBA machine, PAM (pluggable authentication modules) must
be setup properly on your machine. In order to compile the
winbind modules, you should have at least the pam libraries resident
on your system. For recent RedHat systems (7.1, for instance), that
-means 'pam-0.74-22'. For best results, it is helpful to also
-install the development packages in 'pam-devel-0.74-22'.</P
+means <TT
+CLASS="FILENAME"
+>pam-0.74-22</TT
+>. For best results, it is helpful to also
+install the development packages in <TT
+CLASS="FILENAME"
+>pam-devel-0.74-22</TT
+>.</P
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN97"
+NAME="AEN103"
>Testing Things Out</A
></H2
><P
@@ -539,51 +560,79 @@ CLASS="FILENAME"
>/usr/man</TT
> entries for pam. Winbind built better
in SAMBA if the pam-devel package was also installed. This package includes
-the header files needed to compile pam-aware applications. For instance, my RedHat
-system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P
+the header files needed to compile pam-aware applications. For instance,
+my RedHat system has both <TT
+CLASS="FILENAME"
+>pam-0.74-22</TT
+> and
+<TT
+CLASS="FILENAME"
+>pam-devel-0.74-22</TT
+> RPMs installed.</P
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN106"
+NAME="AEN114"
>Configure and compile SAMBA</A
></H3
><P
>The configuration and compilation of SAMBA is pretty straightforward.
-The first three steps maynot be necessary depending upon
+The first three steps may not be necessary depending upon
whether or not you have previously built the Samba binaries.</P
><P
><PRE
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
->root# </TT
-> autoconf
+>root#</TT
+> <B
+CLASS="COMMAND"
+>autoconf</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make clean
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make clean</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> rm config.cache
+>root#</TT
+> <B
+CLASS="COMMAND"
+>rm config.cache</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> ./configure --with-winbind
+>root#</TT
+> <B
+CLASS="COMMAND"
+>./configure --with-winbind</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make install</PRE
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make install</B
+></PRE
></P
><P
->This will, by default, install SAMBA in /usr/local/samba. See the
-main SAMBA documentation if you want to install SAMBA somewhere else.
+>This will, by default, install SAMBA in <TT
+CLASS="FILENAME"
+>/usr/local/samba</TT
+>.
+See the main SAMBA documentation if you want to install SAMBA somewhere else.
It will also build the winbindd executable and libraries. </P
></DIV
><DIV
@@ -591,24 +640,37 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN118"
->Configure nsswitch.conf and the winbind libraries</A
+NAME="AEN133"
+>Configure <TT
+CLASS="FILENAME"
+>nsswitch.conf</TT
+> and the
+winbind libraries</A
></H3
><P
->The libraries needed to run the winbind daemon through nsswitch
-need to be copied to their proper locations, so</P
+>The libraries needed to run the <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon
+through nsswitch need to be copied to their proper locations, so</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>cp ../samba/source/nsswitch/libnss_winbind.so /lib</B
+></P
><P
>I also found it necessary to make the following symbolic link:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B
+></P
><P
>Now, as root you need to edit <TT
CLASS="FILENAME"
@@ -618,28 +680,35 @@ allow user and group entries to be visible from the <B
CLASS="COMMAND"
>winbindd</B
>
-daemon, as well as from your /etc/hosts files and NIS servers. My
-<TT
+daemon. My <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
-> file look like this after editing:</P
+> file look like
+this after editing:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> passwd: files winbind
- shadow: files winbind
+ shadow: files
group: files winbind</PRE
></P
><P
>
The libraries needed by the winbind daemon will be automatically
-entered into the ldconfig cache the next time your system reboots, but it
+entered into the <B
+CLASS="COMMAND"
+>ldconfig</B
+> cache the next time
+your system reboots, but it
is faster (and you don't need to reboot) if you do it manually:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> /sbin/ldconfig -v | grep winbind</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/sbin/ldconfig -v | grep winbind</B
+></P
><P
>This makes <TT
CLASS="FILENAME"
@@ -652,7 +721,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN137"
+NAME="AEN158"
>Configure smb.conf</A
></H3
><P
@@ -681,16 +750,45 @@ CLASS="PROGRAMLISTING"
>[global]
&#60;...&#62;
# separate domain and username with '+', like DOMAIN+username
- winbind separator = +
+ <A
+HREF="winbindd.8.html#WINBINDSEPARATOR"
+TARGET="_top"
+>winbind separator</A
+> = +
# use uids from 10000 to 20000 for domain users
- winbind uid = 10000-20000
+ <A
+HREF="winbindd.8.html#WINBINDUID"
+TARGET="_top"
+>winbind uid</A
+> = 10000-20000
# use gids from 10000 to 20000 for domain groups
- winbind gid = 10000-20000
+ <A
+HREF="winbindd.8.html#WINBINDGID"
+TARGET="_top"
+>winbind gid</A
+> = 10000-20000
# allow enumeration of winbind users and groups
- winbind enum users = yes
- winbind enum groups = yes
+ <A
+HREF="winbindd.8.html#WINBINDENUMUSERS"
+TARGET="_top"
+>winbind enum users</A
+> = yes
+ <A
+HREF="winbindd.8.html#WINBINDENUMGROUP"
+TARGET="_top"
+>winbind enum groups</A
+> = yes
# give winbind users a real shell (only needed if they have telnet access)
- template shell = /bin/bash</PRE
+ <A
+HREF="winbindd.8.html#TEMPLATEHOMEDIR"
+TARGET="_top"
+>template homedir</A
+> = /home/winnt/%D/%U
+ <A
+HREF="winbindd.8.html#TEMPLATESHELL"
+TARGET="_top"
+>template shell</A
+> = /bin/bash</PRE
></P
></DIV
><DIV
@@ -698,7 +796,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN146"
+NAME="AEN174"
>Join the SAMBA server to the PDC domain</A
></H3
><P
@@ -719,8 +817,11 @@ a domain user who has administrative privileges in the domain.</P
><P
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</B
+></P
><P
>The proper response to the command should be: "Joined the domain
<TT
@@ -741,7 +842,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN156"
+NAME="AEN185"
>Start up the winbindd daemon and test it!</A
></H3
><P
@@ -753,25 +854,37 @@ command as root:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/winbindd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/winbindd</B
+></P
><P
>I'm always paranoid and like to make sure the daemon
is really running...</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> ps -ae | grep winbindd
-3025 ? 00:00:00 winbindd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>ps -ae | grep winbindd</B
+></P
+><P
+>This command should produce output like this, if the daemon is running</P
+><P
+>3025 ? 00:00:00 winbindd</P
><P
>Now... for the real test, try to get some information about the
users on your PDC</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> # /usr/local/samba/bin/wbinfo -u</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/wbinfo -u</B
+></P
><P
>
This should echo back a list of users on your Windows users on
@@ -787,7 +900,13 @@ CEO+krbtgt
CEO+TsInternetUser</PRE
></P
><P
->Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P
+>Obviously, I have named my domain 'CEO' and my <TT
+CLASS="PARAMETER"
+><I
+>winbindd
+separator</I
+></TT
+> is '+'.</P
><P
>You can do the same sort of thing to get group information from
the PDC:</P
@@ -796,8 +915,11 @@ the PDC:</P
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/wbinfo -g
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/wbinfo -g</B
+>
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
@@ -815,8 +937,11 @@ Try the following command:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> getent passwd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>getent passwd</B
+></P
><P
>You should get a list that looks like your <TT
CLASS="FILENAME"
@@ -829,16 +954,22 @@ directories and default shells.</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> getent group</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>getent group</B
+></P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN183"
->Fix the /etc/rc.d/init.d/smb startup files</A
+NAME="AEN221"
+>Fix the <TT
+CLASS="FILENAME"
+>/etc/rc.d/init.d/smb</TT
+> startup files</A
></H3
><P
>The <B
@@ -926,44 +1057,85 @@ CLASS="PROGRAMLISTING"
return $RETVAL
}</PRE
></P
+><P
+>If you restart the <B
+CLASS="COMMAND"
+>smbd</B
+>, <B
+CLASS="COMMAND"
+>nmbd</B
+>,
+and <B
+CLASS="COMMAND"
+>winbindd</B
+> daemons at this point, you
+should be able to connect to the samba server as a domain member just as
+if you were a local user.</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN200"
+NAME="AEN243"
>Configure Winbind and PAM</A
></H3
><P
->If you have made it this far, you know that winbindd is working.
-Now it is time to integrate it into the operation of samba and other
-services. The pam configuration files need to be altered in
+>If you have made it this far, you know that winbindd and samba are working
+together. If you want to use winbind to provide authentication for other
+services, keep reading. The pam configuration files need to be altered in
this step. (Did you remember to make backups of your original
<TT
CLASS="FILENAME"
>/etc/pam.d</TT
> files? If not, do it now.)</P
><P
->To get samba to allow domain users and groups, I modified the
+>You will need a pam module to use winbindd with these other services. This
+module will be compiled in the <TT
+CLASS="FILENAME"
+>../source/nsswitch</TT
+> directory
+by invoking the command</P
+><P
+><TT
+CLASS="PROMPT"
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make nsswitch/pam_winbind.so</B
+></P
+><P
+>from the <TT
+CLASS="FILENAME"
+>../source</TT
+> directory. The
<TT
CLASS="FILENAME"
->/etc/pam.d/samba</TT
-> file from</P
+>pam_winbind.so</TT
+> file should be copied to the location of
+your other pam security modules. On my RedHat system, this was the
+<TT
+CLASS="FILENAME"
+>/lib/security</TT
+> directory.</P
><P
-><PRE
-CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_stack.so service=system-auth</PRE
+><TT
+CLASS="PROMPT"
+>root#</TT
+> <B
+CLASS="COMMAND"
+>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B
></P
><P
->to</P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file does not need to be changed. I
+just left this fileas it was:</P
><P
><PRE
CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_winbind.so
-auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_winbind.so
+>auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth</PRE
></P
><P
@@ -1027,10 +1199,11 @@ changed to look like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
->auth sufficient /lib/security/pam_winbind.so
-auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+>auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
+account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth</PRE
></P
@@ -1073,15 +1246,6 @@ CLASS="COMMAND"
>winbind.so</B
> line to get rid of annoying
double prompts for passwords.</P
-><P
->Finally, don't forget to copy the winbind pam modules from
-the source directory in which you originally compiled the new
-SAMBA up to the /lib/security directory so that pam can use it:</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P
></DIV
></DIV
></DIV
@@ -1090,7 +1254,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN241"
+NAME="AEN290"
>Limitations</A
></H1
><P
@@ -1131,7 +1295,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN251"
+NAME="AEN300"
>Conclusion</A
></H1
><P
diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html
index ad54228a6f4..5d76dae2fdc 100644
--- a/docs/htmldocs/winbindd.8.html
+++ b/docs/htmldocs/winbindd.8.html
@@ -77,6 +77,30 @@ CLASS="COMMAND"
Windows NT server. The service can also provide authentication
services via an associated PAM module. </P
><P
+> The <TT
+CLASS="FILENAME"
+>pam_winbind</TT
+> module in the 2.2.2 release only
+ supports the <TT
+CLASS="PARAMETER"
+><I
+>auth</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>account</I
+></TT
+>
+ module-types. The latter is simply
+ performs a getpwnam() to verify that the system can obtain a uid for the
+ user. If the <TT
+CLASS="FILENAME"
+>libnss_winbind</TT
+> library has been correctly
+ installed, this should always suceed.
+ </P
+><P
>The following nsswitch databases are implemented by
the winbindd service: </P
><P
@@ -85,6 +109,22 @@ CLASS="COMMAND"
CLASS="VARIABLELIST"
><DL
><DT
+>hosts</DT
+><DD
+><P
+>User information traditionally stored in
+ the <TT
+CLASS="FILENAME"
+>hosts(5)</TT
+> file and used by
+ <B
+CLASS="COMMAND"
+>gethostbyname(3)</B
+> functions. Names are
+ resolved through the WINS server or by broadcast.
+ </P
+></DD
+><DT
>passwd</DT
><DD
><P
@@ -145,11 +185,22 @@ group: files winbind
></TR
></TABLE
></P
+><P
+>The following simple configuration in the
+ <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> file can be used to initially
+ resolve hostnames from <TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+> and then from the
+ WINS server.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN43"
+NAME="AEN57"
></A
><H2
>OPTIONS</H2
@@ -188,7 +239,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN56"
+NAME="AEN70"
></A
><H2
>NAME AND ID RESOLUTION</H2
@@ -219,7 +270,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN62"
+NAME="AEN76"
></A
><H2
>CONFIGURATION</H2
@@ -484,7 +535,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN144"
+NAME="AEN158"
></A
><H2
>EXAMPLE SETUP</H2
@@ -662,7 +713,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN183"
+NAME="AEN197"
></A
><H2
>NOTES</H2
@@ -720,7 +771,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN199"
+NAME="AEN213"
></A
><H2
>SIGNALS</H2
@@ -771,7 +822,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN216"
+NAME="AEN230"
></A
><H2
>FILES</H2
@@ -847,7 +898,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN245"
+NAME="AEN259"
></A
><H2
>VERSION</H2
@@ -858,7 +909,7 @@ NAME="AEN245"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN248"
+NAME="AEN262"
></A
><H2
>SEE ALSO</H2
@@ -886,7 +937,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN255"
+NAME="AEN269"
></A
><H2
>AUTHOR</H2